Insight by Microsoft Federal

How agencies can benefit from Microsoft’s long experience with zero trust

This content is sponsored by Microsoft Federal.

One of the most widely lauded tenets of President Joe Biden’s recent cybersecurity executive order is the explicit endorsement of the zero trust approach to cybersecurity. It sets several rapid-paced deadlines for agencies to work toward adopting a zero trust posture in order to generally harden the security of the federal government.

But that doesn’t mean agencies have to accomplish this on their own.

“We want to partner with agencies to make sure they have all the tools and the resources that they need to meet both the immediate deadlines as well as those that are coming in the future months,” said Jason Payne, chief technology officer for Microsoft Federal. “We’re partnering deeply to provide all of our technical expertise on zero trust approaches and reference architectures. We have a series of these that have been published, which will help agencies implement standard patterns and practices, all the way from securing legacy applications through those that are cloud native or born in the cloud. Through our Fast Track program, Microsoft is providing resources through our engineering organization to actually help agencies on that journey as they need to implement these controls and zero trust architectures by the deadline specified in the EO.”

Partnering with industry lets federal agencies draw on the extensive experience that vendors like Microsoft have built up in strengthening security postures through zero trust.

“We have been implementing zero trust for many years,” said Steve Faehl, chief technology officer of security for Microsoft Federal. “As Microsoft has been down this road before, we provide trusted planning opportunities, trusted resources, to where we can come alongside agencies and help them develop a strategy that’s risk prioritized, and very effective in modernizing security tactics and reducing risk from cyber threats.”

Microsoft already has a simple, three-phase plan to help agencies adopt a zero trust architecture. The first phase centers on identification and monitoring. It includes enabling single sign-on to applications, setting up conditional access, connecting on-premises infrastructure to the cloud, assigning app identities to workloads, and monitoring cloud security postures, among other things.

“One of the first steps that any agency can take is to build on their existing capabilities around identity consolidation, using identity as that first pillar in zero trust, especially with the step to move to secure cloud as an accelerator for modernization,” Faehl said. “Having that identity in place gives you better telemetry downstream as well to provide more context to incident response activities. Additionally, many agencies have already taken great strides for zero trust and additional identity assurance, like multi-factor authentication, for Microsoft 365. And for Azure, you can build on that identity strategy to use it throughout your environment, even for legacy applications and for multi-cloud scenarios.”

That identity strategy is key to zero trust, because providing users only the bare minimum access they need to accomplish their mission allows for easy containment of a compromised device, which is increasingly a concern as the remote workforce adds more endpoints outside the traditional perimeter.

Once agencies take that first step, Microsoft can help them get further into the weeds with specific tools and controls that will help them reduce their risk and increase their protection. Microsoft also provides configurations for a variety of zero trust scenarios, based on the nature of agency environments and the threats they’re likely to face.

“Really, one of the best things for zero trust is to take a look at it from a scenario-based lens, instead of focusing on everything that relates to zero trust, because it’s a pretty big topic,” Faehl said. “If you can take a look at individual scenarios, figure out where is my highest risk? What scenarios do I need to solve for? And then build them together like building blocks, knowing that previous steps will actually decrease the amount of effort that it takes to achieve subsequent results.”

Something else to consider is that when people discuss zero trust, the conversation is often about the technology. But the hard part is really determining the processes that decide who gets access, and when. That is especially true in the new hybrid-workforce model that the federal government is largely moving toward, because micro-segmentation is a big part of zero trust, and determining how communication is going to happen between members of an organization is necessary before anyone can begin to set rules around that communication.

“As agencies realize the benefits of zero trust from a protection standpoint, as we look at incident response, and we look at investigations, there are all sorts of new tools, new signals that analysts can utilize to better respond to cyber threats,” Faehl said. “Agencies need to look at new modalities, and new ways of hunting, new ways of investigating security.”

