Recently Microsoft posted a long but very good blog post titled Building Zero Trust Networks with Microsoft 365. This post was very interesting to me because it lays out a road map to where most large corporations (including Microsoft itself) are trying to get. I highly recommend reviewing the entire post. To set the stage, I’ll give you some history on how the Microsoft corporate network has evolved over the years and is now a zero trust network utilizing most, if not all, of the tools described in the post.
I started with Microsoft in the 90’s, and in those days all network resources resided on the internal network, with security provided first by LAN Manager and then by on-premises Active Directory accounts. To access any resource, employees had to be connected to the MS network (either physically or via VPN) with a PC joined to the on-premises Active Directory (AD). This type of network is known as a perimeter network – the idea being to lock out the bad guys by not allowing them on the network. This worked pretty well back in the day when only corporate devices were accessing the network. In fact, I only know of one successful attack on the MS network (if interested, read about that attack here). Today, this type of network is obsolete for the following reasons:
- Users want/need to be able to access corporate resources from their own devices. I, myself, used my own PC when I worked for Microsoft because I wanted a more powerful PC than they supplied me.
- Users want/need/demand access to corporate resources from anywhere at any time. Gone are the days of going to the office and working 9 to 5. Back in the late 90’s, I was one of the first employees in my group allowed to work from home when I wanted. They allowed this because they knew I was more productive working my own hours and I was always available when needed. This would not have been possible without a home network and VPN access. Today, this is expected.
As time moved on, resources like email were made accessible via the Internet without a VPN connection, but this was later replaced with Exchange by locating access servers in the DMZ. Other resources such as file shares or SharePoint still required VPN. Then the iPhone came along, ushering in the BYOD (Bring Your Own Device) movement, and corporations like Microsoft were forced to start offering access to resources via the Internet, no longer requiring VPN.
Currently at Microsoft, at least 90% of network resources are available via the Internet. All that is needed is a user account and an enrolled device. Note the difference: above I state that an on-premises AD account along with an AD-joined device was needed. Now the device can be enrolled in Azure Active Directory (AAD), which is hosted in the cloud; that enrollment automatically enrolls the device in Microsoft Intune (also hosted in the cloud), which allows Microsoft to verify the health of the PC before allowing it to connect to resources. User accounts are still provisioned in on-premises AD but are synced to AAD, and when you access resources hosted online, AAD is used for single sign-on. At Microsoft, Multi-Factor Authentication (MFA) is now required for access to any online resource, including email, and conditional access is utilized to provide even more security.
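As an added example (not from the Microsoft post or from Planet Technologies), here is how the two requirements above, an MFA-verified user and an Intune-compliant device, are expressed as a single Conditional Access policy with the Microsoft Graph PowerShell module; the break-glass account object ID is a placeholder and the policy starts in report-only mode so you can read the sign-in logs before enforcing it.

```powershell
# Added example, not code from the original post.
# Requires the Microsoft.Graph PowerShell module and an account holding
# Policy.ReadWrite.ConditionalAccess in the tenant. Placeholder values are marked.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$policy = @{
    displayName = "Require MFA and compliant device for all cloud apps"
    # Report-only first: sign-in logs show who WOULD be blocked without locking anyone out.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers = @("All")
            # Exclude an emergency-access (break-glass) account so a bad policy
            # cannot lock the whole tenant out. Placeholder object ID.
            excludeUsers = @("<BREAK-GLASS-ACCOUNT-OBJECT-ID>")
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        # AND: both controls must be satisfied, i.e. "a user account and an enrolled device".
        # compliantDevice means Intune has evaluated the device health and marked it compliant.
        operator        = "AND"
        builtInControls = @("mfa", "compliantDevice")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# Check: list every policy still in report-only state so none is left unenforced by accident.
Get-MgIdentityConditionalAccessPolicy |
    Where-Object State -eq "enabledForReportingButNotEnforced" |
    Select-Object DisplayName, Id
```

Switch `state` to `"enabled"` only after reviewing the report-only results in the Azure AD sign-in logs.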
All of what I’ve discussed about how Microsoft’s network is designed is what I discuss daily with customers who are interested. Zero Trust Networks are exactly what the name says – trust no user and no device, and evaluate each connection for security and health as it is made. Bringing this back to Planet Technologies, I’m proud to say we live what we preach. While there is an on-premises AD, it is there for legacy systems, and my devices are enrolled in AAD/Intune, which allows me access to our online resources.
Planet Technologies has complete offerings around helping customers migrate to Zero Trust Networking. Please contact us if we can be of service. Follow us on Twitter at @PlanetCloudStrt.