New insights on cybersecurity in the age of hybrid work – Microsoft Security Blog

Learn how implementing Zero Trust security can help secure your business in a time of constant change.
As we approach the last week of Cybersecurity Awareness Month, I think about what is top of mind for myself and my peers in security. The past year has continued the 2020s' major shift in the way organizations operate. Recent data shows that 81 percent of enterprise organizations have begun the move toward a hybrid workplace, with 31 percent of those surveyed already fully adopted. As the public and private sectors continue to enable hybrid work, the attack surface for cyber threats has expanded, and threat actors have been quick to exploit any vulnerabilities. In response, organizations have enforced various security controls to revamp their security postures. For example, the number of Microsoft Azure Active Directory (Azure AD) Conditional Access policies deployed has more than doubled over the last year.

Figure 1: Rate of onsite versus remote work at Microsoft (Jan 2020 to Aug 2021).

Organizations that don’t maintain basic security hygiene practices in the new workplace—applying updates, turning on multifactor authentication (MFA)—are placing their data, reputation, and employees’ privacy at much greater risk. On October 7, 2021, we published the 2021 Microsoft Digital Defense Report (MDDR) with input from thousands of security experts spanning 77 countries. In the report, we examine the current state of hybrid work and recent trends in cybercrime. You’ll also get actionable insights for strengthening defenses across your entire organization.

Along with basic security hygiene, adopting a Zero Trust security strategy protects your digital estate by applying a “never trust, always verify” approach. The prevalence of cloud-based services, IoT, and the use of personal devices (also known as bring your own device or BYOD) in hybrid work environments has changed the landscape for today’s enterprise. Unfortunately, security architectures that rely on network firewalls and virtual private networks (VPNs) to isolate and restrict access to resources won’t cut it for a workforce that operates beyond traditional network boundaries.

There is no one-size-fits-all approach to Zero Trust implementation, and that’s a good thing. It means you’re free to start anywhere. Organizations of all sizes begin in different areas, based on their immediate needs and available resources. Most organizations approach Zero Trust as an end-to-end strategy that can be completed over time.

Figure 2: Zero Trust implementation areas (from the Microsoft Security Zero Trust Adoption Report).

Zero Trust controls and technologies are deployed across six technology pillars. Each pillar in a control plane is interconnected by automated enforcement of security policy, correlation of signal and security automation, and orchestration:

Identities can represent people, services, or IoT devices. As companies adapt for a hybrid workforce, we’ve seen more than a 220 percent increase in strong authentication usage (like MFA) in the last 18 months. Still, in Azure AD for the calendar year to date, we’re observing 61 million password attacks daily. Strong authentication can protect against 99.9 percent of identity attacks, but even better is passwordless authentication, which can provide the most usable and secure authentication experience. Legacy protocols, such as IMAP, SMTP, POP, and MAPI, are another major source of compromise. These older protocols do not support MFA; for that reason, 99 percent of password spray and 97 percent of credential-stuffing attacks exploit legacy authentication.

Once an identity has been granted access, data can flow to different endpoints—from IoT devices to smartphones, BYOD to partner-managed devices, on-premises workloads to cloud-hosted servers—creating a massive attack surface. With the Zero Trust model, enterprises can reduce provisioning costs and avoid additional hardware purchases for work-from-home use. For example, an administrator can grant access only to verified and compliant devices while blocking access from a personal device that’s been rooted or jailbroken (modified to remove manufacturer or operator restrictions) to ensure that enterprise applications aren’t exposed to known vulnerabilities.
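
The point about legacy authentication can be checked against sign-in logs before legacy protocols are blocked. The following is an added example, not code from the Microsoft post: it lists accounts that still sign in successfully over legacy protocols and flags source IPs with failed legacy sign-ins against several distinct accounts. The record shape follows Azure AD sign-in logs (`clientAppUsed`, `userPrincipalName`, `ipAddress`, `status.errorCode`); the sample records, the threshold, the function names and the exact `clientAppUsed` strings are assumptions to adjust to your own tenant's logs.

```python
from collections import defaultdict

# clientAppUsed values for the legacy protocols the article names (IMAP, POP,
# SMTP, MAPI); compared case-insensitively. Adjust to what your logs show.
LEGACY_CLIENTS = {"imap4", "pop3", "authenticated smtp", "mapi over http"}
SPRAY_THRESHOLD = 3  # assumption: distinct accounts per source IP before alerting

def _rec(user, ip, app, code):
    # Shape mirrors an Azure AD sign-in record; errorCode 0 means success.
    return {"userPrincipalName": user, "ipAddress": ip,
            "clientAppUsed": app, "status": {"errorCode": code}}

# Constructed sample data: documentation IP ranges, made-up accounts.
# 50126 is the Azure AD error code for an invalid username or password.
SAMPLE_SIGNINS = [
    _rec("alice@example.com", "203.0.113.7", "IMAP4", 50126),
    _rec("bob@example.com", "203.0.113.7", "IMAP4", 50126),
    _rec("carol@example.com", "203.0.113.7", "IMAP4", 50126),
    _rec("dave@example.com", "203.0.113.7", "IMAP4", 50126),
    _rec("erin@example.com", "198.51.100.20", "POP3", 0),
    _rec("erin@example.com", "192.0.2.5", "Authenticated SMTP", 50126),
    _rec("frank@example.com", "198.51.100.21", "Browser", 50126),
]

def is_legacy(record):
    """True when the sign-in used one of the legacy (non-MFA) protocols."""
    return (record.get("clientAppUsed") or "").lower() in LEGACY_CLIENTS

def legacy_usage(records):
    """Accounts with successful legacy sign-ins; these break once legacy auth is blocked."""
    users = defaultdict(set)
    for r in records:
        if is_legacy(r) and r["status"]["errorCode"] == 0:
            users[r["userPrincipalName"]].add(r["clientAppUsed"])
    return dict(users)

def spray_suspects(records, threshold=SPRAY_THRESHOLD):
    """Source IPs with failed legacy sign-ins against >= threshold distinct accounts."""
    targets = defaultdict(set)
    for r in records:
        if is_legacy(r) and r["status"]["errorCode"] != 0:
            targets[r["ipAddress"]].add(r["userPrincipalName"])
    return {ip: sorted(u) for ip, u in targets.items() if len(u) >= threshold}

if __name__ == "__main__":
    print("still using legacy auth:", legacy_usage(SAMPLE_SIGNINS))
    print("possible password spray:", spray_suspects(SAMPLE_SIGNINS))
```

The first result is the migration list to work through before a Conditional Access policy blocks legacy authentication; the second is the alerting signal while those protocols remain enabled.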