Microsoft is a big proponent of Zero Trust architecture. For those unaware, this is a security model under which each request to an organizational resource is verified under the assumption that a breach has already happened, via "never trust, always verify" principles. The company has emphasized multiple times how it envisions a passwordless future in Zero Trust environments. Today, it has revealed how it is collaborating with federal agencies to drive the adoption of Zero Trust models under a recent Presidential Executive Order (EO).
The company has explained that EO 14028, which was issued on May 12, 2021, requires that it work with federal agencies and undertake significant investments to improve cybersecurity and proactively react to threats. As such, the Redmond tech giant is working with the National Institute of Standards and Technology's National Cybersecurity Center of Excellence (NIST NCCoE) to drive Zero Trust adoption among organizations.
The goal is to develop and document Zero Trust architectures according to NIST Special Publication 800-207 (SP 800-207), which will act as a form of guidance on how organizations should implement these security models using commercially available and interoperable technologies. As such, Microsoft is currently working on five scenarios that it believes will aid organizations the most.
One scenario is utilizing cloud-ready authentication apps as part of software as a service (SaaS). For legacy web apps that can't support modern authentication methods, Microsoft is encouraging Azure Active Directory (AD) Application Proxy, which it says is more restrictive than conventional VPN solutions. Other use cases include the establishment of privileged-access workstations and "strongly authenticated" admin accounts for remote server administration, implementation of the segment cloud administration design pattern, and network microsegmentation via Azure. All of these scenarios also feature multi-factor authentication (MFA), continuous monitoring, and endpoint detection and response (EDR).
Microsoft has explained that:
The proposed example solutions will integrate commercial and open-source products to showcase the robust security features of Zero Trust architecture when applied to common enterprise IT use cases. The goal of this NCCoE project is to build several examples of a Zero Trust architecture—applied to a conventional, general-purpose enterprise IT infrastructure—that are designed and deployed using commercially available technology, and that are aligned with the concepts and tenets documented in NIST SP 800-207, Zero Trust Architecture.
The example solutions will be shared publicly in a NIST Special Publication (SP) 1800 series document. Each SP 1800 series publication generally serves as a “how-to” guide to implement and apply standards-based cybersecurity technologies in the real world. The guides are designed to help organizations gain efficiencies in implementing cybersecurity technologies while saving them research and proof-of-concept costs.
The Redmond tech giant has highlighted that the SP 1800 series of documentation will cover example solutions and approaches in detail, and will also offer guidance around the installation and configuration of modular components. Microsoft has "applauded" the fact that the White House recognizes the importance of Zero Trust models, and is pleased that "ambitious measures" from the private sector have been demanded in the recent EO.