Security

RSA 2021: How Zero-Trust Security Made Remote Work Possible for Microsoft

Sending most of its 163,000 employees home over three days would have been much harder with a legacy security approach, said CISO Bret Arsenault.

Bob Keaveney

Bob is the managing editor of BizTech magazine.

As businesses prepare to reopen their workplaces, what do they need to prioritize to keep employees and networks safe? For Bret Arsenault, CISO of Microsoft, the answer is pretty simple: Focus on the basics.

“The AI and Big Data stuff is amazing, and we massively leverage that here,” Arsenault said. “But you can’t forget the pedestrian part of the job. When I look at numbers like fewer than 20 percent of organizations have 100 percent multifactor authentication — you’ve got to get that done. People aren’t patching, and more than 60 percent of breaches are caused by failing to apply available patches. So, you still have to do the basics. That’s not sufficient but it’s necessary.”

Speaking at RSA 2021 with Rob Lefferts, corporate vice president of program compliance for Microsoft 365 security, Arsenault, who for several years has been moving Microsoft through a journey toward a 100 percent zero-trust security environment, offered several pieces of advice to companies getting ready to move past all-remote work environments.

Specifically, he said businesses should get back to the basics of security, including maintaining an updated security patching process; strive for progress over perfection; deploy automation for lower-level tasks as much as possible; and build a sense of “digital empathy” with the employees they’re protecting.

Why Every Business Should Strive For Zero Trust

Arsenault has been a zero-trust evangelist since he began moving Microsoft and its 163,000 employees toward the security framework more than four years ago.

“The idea with zero trust is to assume a breach position — assume you’ve already been breached, and then what are you going to do?” he said. “And that’s protect, detect and respond. We really simplified it. It’s got to be about a healthy device, strong identity and consistent telemetry, and I asked every one of my vendors to show me how they make that happen. So, that’s resulted in this ‘zero trust or bust, no exceptions’ model that we have across the entire company and that we hold everyone accountable to.”

Every organization should be striving to do the same, Arsenault said, noting that the further along an organization was in its zero-trust journey when the pandemic began, the easier its shift has generally been to all-remote work environments. That’s because the zero-trust concept eliminates the network as a security control point, replacing it with a focus on authenticating valid users as they seek access to one network resource or another—and that renders the physical location of an employee irrelevant, at least from a security standpoint.

Most security professionals recognize the superiority of zero trust over legacy perimeter-based security, yet few have made it very far toward adopting it. One reason is that it’s a big change, requiring, for example, deploying multifactor authentication for all employees, which can elicit worker protest.

Progress, Not Perfection, Should be CISOs’ Goal

Perhaps a bigger reason for the lack of progress is perfectionism, Arsenault said.

“I see perfection getting in the way of progress with so many people,” he said. “When we started our multifactor journey a long time ago, we kept looking for the perfect system, and then finally, working with Microsoft’s Hello for Business team, we got the idea where we’d just do facial recognition and then expand it into other forms of MFA. The idea was, as opposed to smart cards and all these things that made us really secure but created a lousy user experience, we wanted a great user experience that was also secure, and to have all the telemetry to tell us how it was working. I was always amazed at the people who were willing to not do any MFA until they could have 100 percent MFA.”

It’s also vital to get real-time data on users’ experiences with the tools they’re using. It’s useful to simply ask people what they like, but even more important is seeing how users are actually using the solutions, “to have all the telemetry from our users: Is it working? Is it not working? And not just count on consumer surveys, but actual real telemetry. We got to this model where the telemetry told us that users loved it and IT actually trusted it. If I can get to that with everything we do, then I feel really good about it.”

One way to get employees to warm up to MFA is to emphasize the device freedom it allows them, he said. In most environments, security teams ensure device safety by controlling the devices employees use, but that’s less necessary in a zero-trust environment, Arsenault noted: “If you’d rather use your own device, that’s fine. If you want to use your home computer and we’ll install a virtualized environment on it, that’s OK. We give them a lot of choices.”

Why Microsoft’s VPN Barely Noticed All-Remote Work

When it sent employees home 15 months ago, Microsoft made a 72-hour transition from a company with 10 percent of its employees working remotely to one with more than 90 percent of workers doing so. Yet because of its progress on zero trust, the change was fairly uneventful. Activity on its corporate virtual private network spiked less than 5 percent, for example, even as most companies were relying on their VPNs as their employees’ primary network access point.

In fact, Arsenault warned that many IT leaders may have a harder time with their return-to-work programs than they did when the pandemic began.

“If you were already on a digital transformation with your workforce, it was much easier to make that transition to remote work,” he said. “As people return, it will be interesting. The return to work is a lot more work because people are responsible for what they do in their own homes, but as they return, now you have social distancing, you have to have these sanitary environments and all these other things that you didn’t have to plan for. It’s much more work.”

Keep this page bookmarked for articles and videos from the event, and follow us on Twitter @BizTechMagazine and the official conference Twitter feed, @RSAConference.

Getty Images/ scyther5