
At Microsoft, our shift to a Zero Trust security model—which began more than seven years ago—has helped us navigate many challenges.

The increasing prevalence of cloud-based services, mobile computing, internet of things (IoT), and bring your own device (BYOD) in the workforce has changed the technology landscape for the modern enterprise. Security architectures that rely on network firewalls and virtual private networks (VPNs) to isolate and restrict access to corporate technology resources and services are no longer sufficient for a workforce that regularly requires access to applications and resources that exist beyond traditional corporate network boundaries.

The shift to the internet as the network of choice and the continuously evolving threats led us to adopt a Zero Trust security model internally here at Microsoft. Though our journey began many years ago, we expect that it will continue to evolve for years to come.

The Zero Trust model

Based on the principle of verified trust—in order to trust, you must first verify—Zero Trust eliminates the inherent trust that is assumed inside the traditional corporate network. Zero Trust architecture reduces risk across all environments by establishing strong identity verification, validating device compliance prior to granting access, and ensuring least privilege access to only explicitly authorized resources.

Zero Trust requires that every transaction between systems (user identity, device, network, and applications) be validated and proven trustworthy before the transaction can occur. In an ideal Zero Trust environment, the following behaviors are required:

Stay updated with SOC News for cutting-edge security innovations and expert industry insights! 

Source : https://www.microsoft.com/insidetrack/blog/implementing-a-zero-trust-security-model-at-microsoft/

Global enterprises are facing a serious security crisis as misconfigured Access Management Systems (AMS) expose sensitive employee data and grant potential access to restricted facilities. The vulnerabilities found across healthcare, education, manufacturing, and government industries put organizations at heightened risk of data breaches, financial losses, and compliance violations.

In some cases, attackers could manipulate credentials to bypass security systems entirely, raising urgent concerns over both digital and physical security, according to a report by cybersecurity firm Modat.

The findings suggest that hundreds of thousands of sensitive employee records have been exposed, including biometric information, identification details, photographs, and work schedules. In some cases, these vulnerabilities could allow unauthorized individuals to bypass physical security measures and gain entry into restricted facilities.

“Access Management Systems are crucial in modern security and yet they can often present significant vulnerabilities,” the report said. “Some systems offer comprehensive access control features, but their network-connected nature can create potential attack vectors.”

Source : https://www.csoonline.com/article/3837531/misconfigured-access-management-systems-expose-global-enterprises-to-security-risks.html

Enterprise security operations teams find themselves stretched thin and contending with an escalating cyber threat landscape today. Many are understaffed and underfunded, leaving CISOs on edge about the consequences for the enterprise — and their careers.

A recent survey from Adaptavist about fallout from last summer’s CrowdStrike outage found that two out of five (39%) IT leaders “warn that excessive workloads” could lead to a major incident for their companies. “The ongoing war for IT talent is likely exacerbating these issues,” the survey’s writers concluded.

John Price, CEO at Cleveland-based security firm SubRosa, underscored the reality many CISOs and their teams currently face.

“The sheer volume of alerts, coupled with the complexity of modern attack surfaces, has created a near-constant state of overwhelm for many security professionals,” he said. “We are operating still in a reactive security mindset. In some cases, a successful cyberattack can be the driving force behind getting the budget you need.”

Cutting (and delegating) workload bloat

Given this situation, security specialists encourage CISOs to consider new ways of engaging their overstretched teams — and helping them keep sharp.

One of the most effective ways to minimize security risk when working with suboptimal resources and people is to “strictly triage what your team is doing,” said Jim Boehm, an expert partner at consulting firm McKinsey. 

“This would amount to robust demand management,” Boehm said, suggesting that team tasks that could be discarded could include architecture board review meetings and “chasing things for an internal audit.”

“Why have four or five people in an hour-long [review] meeting where they are just going to argue?” Boehm asked. “I would rather them review the security posture of a potential acquisition. It’s all about taking a risk-based look at everything, not just your assets and controls but what your people are doing.”

Boehm also suggested embracing the LOB dual-embedding mechanisms within DevSecOps. Ideally, that could help reduce security issues by training non-security colleagues in security thinking. 

“Developers, for example, hate to be considered engineers. They hate constriction. They want to be artists [and deliver] no documentation,” Boehm said. 

Source : https://www.csoonline.com/article/3814828/39-of-it-leaders-fear-major-incident-due-to-excessive-workloads.html