Microsoft updated several security products that it says help businesses deploy a zero-trust approach as they prepare for the new hybrid-work normal.
As organizations prepare for the “next great disruption,” where some employees work in office settings while others work remotely, a zero-trust security framework becomes increasingly important, according to Vasu Jakkal, corporate VP of security at Microsoft. In a blog post, she outlines Microsoft’s three-step approach to zero trust and the products that accompany each step.
Jakkal will also deliver a keynote address next week during the RSA Conference.
Zero trust essentially assumes a breach will happen. Because of that assumption, it provides a framework in which only verified users and devices are granted access to corporate resources, and access to data is restricted on a least-privilege basis. A handful of technologies support zero trust, including multi-factor authentication, endpoint device management, and network segmentation.
“One of the most important first steps in a zero-trust journey is to establish strong authentication,” Jakkal wrote. “Monitoring logins for suspicious activity and limiting or blocking access until additional proof of identity is presented drastically reduces the chances of a breach.”
Zero Trust Step 1: Multi-Factor Authentication
This first step requires multi-factor authentication. To enable it, Microsoft recently launched passwordless authentication and Temporary Access Pass in its cloud identity product, Azure Active Directory (Azure AD).
Today, Microsoft also announced new features for Azure AD Conditional Access, its real-time access policy engine, which give admins more granular access controls. These include GPS-based named locations, which can restrict access from specific countries or regions based on the device's GPS location, and device filters, which secure the use of devices ranging from Surface Hubs to privileged access workstations.
Microsoft also expanded granular adaptive access controls with the general availability of Azure AD Conditional Access and Identity Protection for business-to-consumer apps and users.
“We also believe that for comprehensive protection through zero trust we need to have end-to-end integration across device management and identity,” Jakkal wrote. To this end, the vendor rolled out a public preview of filters in Microsoft Endpoint Manager. This integration between Microsoft Endpoint Manager and Azure AD Conditional Access allows admins to target policies and applications to users on specific devices.
To help secure data on mobile devices, Microsoft announced new conditional launch settings with App Protection Policies in Microsoft Endpoint Manager. These can block access or wipe data based on conditions such as a maximum OS version or a jailbroken/rooted device, or require Android devices to pass SafetyNet attestation.
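To make the two mechanisms above concrete, here is an added illustration (it is not Microsoft's code and not the policy engine of Azure AD Conditional Access or Endpoint Manager) of how an access decision can combine a named-location check, a device filter, and conditional-launch style device conditions into one verdict. The rule names, the `attested` flag standing in for an attestation result, the severity ordering between actions, and the sample sign-ins are all assumptions made for the example; it also goes slightly beyond the article by enforcing a minimum OS version alongside the maximum the article mentions.

```python
"""Simplified conditional-access style evaluator (illustrative, not Microsoft's engine)."""
from dataclasses import dataclass
from typing import Callable, List, Set, Tuple


@dataclass(frozen=True)
class Device:
    platform: str           # "ios" or "android"
    os_version: str         # dotted version string, e.g. "15.2"
    compliant: bool         # compliance verdict, assumed to come from the MDM
    rooted: bool = False    # jailbroken / rooted
    attested: bool = True   # hypothetical: outcome of a SafetyNet-style attestation check


@dataclass(frozen=True)
class SignIn:
    user: str
    country: str            # ISO country code derived from the device's GPS location
    mfa_satisfied: bool     # strong authentication already completed in this session
    device: Device


@dataclass(frozen=True)
class Rule:
    name: str
    triggered: Callable[[SignIn], bool]
    action: str             # one of the keys of SEVERITY below


# When several rules fire, the most severe action wins.
SEVERITY = {"allow": 0, "require_mfa": 1, "block": 2, "wipe_app_data": 3}


def version_tuple(version: str) -> Tuple[int, ...]:
    """'15.2' -> (15, 2) so that versions compare numerically rather than lexically."""
    return tuple(int(part) for part in version.split("."))


def build_rules(allowed_countries: Set[str], min_os_version: str, max_os_version: str) -> List[Rule]:
    """Assemble the policy: named-location, device-filter and conditional-launch style checks."""
    lo, hi = version_tuple(min_os_version), version_tuple(max_os_version)
    return [
        Rule("named-location",
             lambda s: s.country not in allowed_countries, "block"),
        Rule("device-compliance",
             lambda s: not s.device.compliant, "block"),
        Rule("conditional-launch-rooted",
             lambda s: s.device.rooted, "wipe_app_data"),
        Rule("conditional-launch-attestation",
             lambda s: s.device.platform == "android" and not s.device.attested, "block"),
        Rule("conditional-launch-os-version",
             lambda s: not (lo <= version_tuple(s.device.os_version) <= hi), "block"),
        # Strong authentication is demanded by default and only skipped when already satisfied.
        Rule("require-mfa",
             lambda s: not s.mfa_satisfied, "require_mfa"),
    ]


def evaluate(signin: SignIn, rules: List[Rule]) -> Tuple[str, List[str]]:
    """Return (action, names of the rules that fired).

    Every rule is evaluated, so the reasons list is complete for auditing even though
    only the most severe action is applied to the sign-in.
    """
    action = "allow"
    reasons: List[str] = []
    for rule in rules:
        if rule.triggered(signin):
            reasons.append(rule.name)
            if SEVERITY[rule.action] > SEVERITY[action]:
                action = rule.action
    return action, reasons


if __name__ == "__main__":
    # Constructed sample sign-ins exercising each path.
    policy = build_rules({"US", "CA"}, min_os_version="12.0", max_os_version="16.9")
    samples = [
        SignIn("alice", "US", True, Device("ios", "15.2", compliant=True)),
        SignIn("alice", "US", False, Device("ios", "15.2", compliant=True)),
        SignIn("bob", "CA", True, Device("android", "13.0", compliant=True, rooted=True, attested=False)),
        SignIn("carol", "XX", True, Device("ios", "15.2", compliant=False)),
        SignIn("dave", "US", True, Device("android", "9.0", compliant=True)),
    ]
    for s in samples:
        print(s.user, s.country, evaluate(s, policy))
```

The evaluator is deliberately deny-leaning: an MFA requirement is the floor, and a triggered device or location rule can only raise the outcome to block or wipe. Recording every fired rule, not just the winning one, is what makes the decision explainable when it is reviewed later.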
For device management, users can configure Android Enterprise-enrolled devices with Azure AD shared device mode in Microsoft Endpoint Manager. Shared device mode allows single sign-in, single sign-out, and data clearing across applications; it increases privacy between users while reducing the number of steps an employee needs to take to access work apps.
Finally, Microsoft added capabilities to its BitLocker data-at-rest security service, including integration with Microsoft Endpoint Manager, role-based access control (RBAC) for BitLocker recovery passwords, recovery password search, and recovery password auditing.
Zero Trust Step 2: Grant Least-Privilege Access
The second step in Microsoft’s zero-trust approach is least-privilege access. Enforcing it became harder while employees worked from home during the pandemic, often using their own personal devices to connect to corporate networks and adopting new cloud-based applications and services in order to work remotely.
“This new normal has exposed the most challenging cybersecurity landscape we’ve ever encountered, and least privileged access helps to ensure that only what must be shared is,” Jakkal wrote.
Microsoft had already added automated discovery and vulnerability management for unmanaged endpoints and network devices via Microsoft Defender for Endpoint. Today it announced that these threat and vulnerability management capabilities will also support Linux devices.
Zero Trust Step 3: Assume Breach
The third step in Microsoft’s zero-trust approach, assume breach, requires technologies that hunt for threats across platforms and clouds. To this end, Microsoft today made available a converged portal for Microsoft 365 Defender, which unifies extended detection and response (XDR) capabilities across endpoints, email, and collaboration tools.
Microsoft also added a feature to its Azure Sentinel cloud-native security information and event management (SIEM) platform that lets users deploy connectors, detections, playbooks, and workloads for both first- and third-party integrations as one package. And it integrated Microsoft Teams into Azure Sentinel, which means security analysts can create a Teams call directly from an incident.
Additionally, the vendor added new anomaly detections, including user and entity behavior analytics (UEBA), to Azure Sentinel; these are powered by configurable machine learning. They can provide additional context while threat hunting or when fused with incidents.
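As an added illustration (not Azure Sentinel's UEBA, which the article describes as machine-learning driven), the following builds a per-user baseline from constructed sign-in log lines and then flags the kinds of deviations that enrich an incident: a sign-in from a country never seen for that user, a sign-in at an unusual hour, and two sign-ins from different countries too close together for travel. The log line format, the two-hour travel window, and the one-hour tolerance on working hours are assumptions made for this example.

```python
"""Baseline-and-deviation sign-in anomaly flags (illustrative; not Sentinel's UEBA)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Assumed log format, constructed for this example rather than taken from any product.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) user=(?P<user>\S+) "
    r"country=(?P<country>[A-Z]{2}) result=(?P<result>success|failure)$"
)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_line(line: str) -> dict:
    m = LOG_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unrecognised sign-in line: {line!r}")
    return {"ts": datetime.strptime(m["ts"], TS_FMT), "user": m["user"],
            "country": m["country"], "result": m["result"]}


class Baseline:
    """What 'normal' looks like per user, learned from successful historical sign-ins."""

    def __init__(self) -> None:
        self.countries: Dict[str, Set[str]] = defaultdict(set)
        self.hours: Dict[str, Set[int]] = defaultdict(set)

    def learn(self, event: dict) -> None:
        if event["result"] != "success":
            return  # failed attempts must not teach the baseline what is normal
        self.countries[event["user"]].add(event["country"])
        self.hours[event["user"]].add(event["ts"].hour)


def hour_distance(a: int, b: int) -> int:
    """Distance between two hours on a 24-hour clock, so 23 and 1 are 2 apart."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def flag_events(events: List[dict], baseline: Baseline,
                travel_window: timedelta = timedelta(hours=2),
                hour_tolerance: int = 1) -> List[Tuple[str, str, str, List[str]]]:
    """Return (timestamp, user, country, flags) for every event, in time order."""
    last_seen: Dict[str, dict] = {}
    flagged = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        user, flags = e["user"], []
        if user in baseline.countries and e["country"] not in baseline.countries[user]:
            flags.append("new_country")
        if user in baseline.hours and all(
                hour_distance(e["ts"].hour, h) > hour_tolerance for h in baseline.hours[user]):
            flags.append("off_hours")
        prev = last_seen.get(user)  # only events within this batch are compared
        if prev is not None and prev["country"] != e["country"] \
                and e["ts"] - prev["ts"] < travel_window:
            flags.append("impossible_travel")
        last_seen[user] = e
        flagged.append((e["ts"].strftime(TS_FMT), user, e["country"], flags))
    return flagged


def detect(history_lines: List[str], new_lines: List[str]) -> List[Tuple[str, str, str, List[str]]]:
    baseline = Baseline()
    for line in history_lines:
        baseline.learn(parse_line(line))
    return flag_events([parse_line(line) for line in new_lines], baseline)


# Constructed sample data: a week of normal activity, then a batch to score.
HISTORY = [
    "2021-05-10T09:02:11Z user=alice country=US result=success",
    "2021-05-11T10:15:40Z user=alice country=US result=success",
    "2021-05-12T14:47:03Z user=alice country=US result=success",
    "2021-05-10T08:31:00Z user=bob country=DE result=success",
    "2021-05-11T09:05:22Z user=bob country=DE result=success",
    "2021-05-11T23:58:00Z user=bob country=BR result=failure",  # ignored by the baseline
]
NEW = [
    "2021-05-20T10:05:00Z user=alice country=RU result=success",
    "2021-05-20T09:30:00Z user=alice country=US result=success",
    "2021-05-20T03:10:44Z user=bob country=DE result=failure",
    "2021-05-20T08:15:09Z user=bob country=DE result=success",
]

if __name__ == "__main__":
    for ts, user, country, flags in detect(HISTORY, NEW):
        print(ts, user, country, flags or "-")
```

Each flag is attached to the event rather than raised as its own alert, which mirrors the article's point that such detections are most useful as context on an existing incident: an analyst looking at alice's sign-in from RU sees both that the country is new for her and that it is physically inconsistent with her sign-in 35 minutes earlier.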
It also previewed several threat-monitoring capabilities, including a public preview of the SAP threat monitoring service for Azure Sentinel, which supports SAP running in any cloud or on-premises. Over the next few weeks Microsoft will make available an integration between Microsoft Information Protection and Cloud App Security to provide better visibility into, and security for, sensitive data in the cloud.
Finally, the vendor announced that eDiscovery support for Microsoft Graph connectors will be available this summer as a developer preview. Microsoft Graph connectors allow threat investigators to query across more than 130 systems from Microsoft 365 and its partners using the same eDiscovery tools.