Why Every Business Should Strive For Zero Trust
Arsenault has been a zero-trust evangelist since he began moving Microsoft and its 163,000 employees toward the security framework more than four years ago.
“The idea with zero trust is to assume a breach position — assume you’ve already been breached, and then what are you going to do?” he said. “And that’s protect, detect and respond. We really simplified it. It’s got to be about a healthy device, strong identity and consistent telemetry, and I asked every one of my vendors to show me how they make that happen. So, that’s resulted in this ‘zero trust or bust, no exceptions’ model that we have across the entire company and that we hold everyone accountable to.”
Every organization should be striving to do the same, Arsenault said, noting that the further along an organization was in its zero-trust journey when the pandemic began, the easier its shift to all-remote work environments has generally been. That’s because the zero-trust concept eliminates the network as a security control point, replacing it with a focus on authenticating valid users as they seek access to one network resource or another—and that renders the physical location of an employee irrelevant, at least from a security standpoint.
Most security professionals recognize the superiority of zero trust over legacy perimeter-based security, yet few have made it very far toward adopting it. One reason is that it’s a big change: it requires, for example, deploying multifactor authentication for all employees, which can elicit worker protest.
Progress, Not Perfection, Should Be CISOs’ Goal
Perhaps a bigger reason for the lack of progress is perfectionism, Arsenault said.
“I see perfection getting in the way of progress with so many people,” he said. “When we started our multifactor journey a long time ago, we kept looking for the perfect system, and then finally, working with Microsoft’s Hello for Business team, we got the idea where we’d just do facial recognition and then expand it into other forms of MFA. The idea was, as opposed to smart cards and all these things that made us really secure but created a lousy user experience, we wanted a great user experience that was also secure, and to have all the telemetry to tell us how it was working. I was always amazed at the people who were willing to not do any MFA until they could have 100 percent MFA.”
It’s also vital to get real-time data on users’ experiences with the tools they’re using. It’s useful to simply ask people what they like, but even more important is seeing how users are actually using the solutions, “to have all the telemetry from our users: Is it working? Is it not working? And not just count on consumer surveys, but actual real telemetry. We got to this model where the telemetry told us that users loved it and IT actually trusted it. If I can get to that with everything we do, then I feel really good about it.”
One way to get employees to warm up to MFA is to emphasize the device freedom it allows them, he said. In most environments, security teams ensure device safety by controlling the devices employees use, but that’s less necessary in a zero-trust environment, Arsenault noted: “If you’d rather use your own device, that’s fine. If you want to use your home computer and we’ll install a virtualized environment on it, that’s OK. We give them a lot of choices.”
Why Microsoft’s VPN Barely Noticed All-Remote Work
When it sent employees home 15 months ago, Microsoft made a 72-hour transition from a company with 10 percent of its employees working remotely to one with more than 90 percent of workers doing so. Yet because of its progress on zero trust, the change was fairly uneventful. Activity on its corporate virtual private network spiked less than 5 percent, for example, even as most companies were relying on their VPNs as their employees’ primary network access point.
In fact, Arsenault warned that many IT leaders may have a harder time with their return-to-work programs than they did when the pandemic began.
“If you were already on a digital transformation with your workforce, it was much easier to make that transition to remote work,” he said. “As people return, it will be interesting. The return to work is a lot more work because people are responsible for what they do in their own homes, but as they return, now you have social distancing, you have to have these sanitary environments and all these other things that you didn’t have to plan for. It’s much more work.”