Like many this year, our Microsoft workforce had to quickly transition to a work from the home model in response to COVID-1 9. While nobody could have predicted the world’s current state, it has provided a very real-world test of the investments we have constructed implementing a Zero Trust security model internally. We had about 97 percent of our workforce at the peak successfully running from home, either on a Microsoft issued or personal device.

Much of the credit for this success goes to the Zero Trust journey we started over three years ago. Zero Trust has been critical in making this transition to a work-from-home model relatively friction-free. One of the major components to our Zero Trust implementation is ensuring our employees have access to applications and resources regardless of their locating. We enable employees to be productive from anywhere, whether they’re at home, a coffee shop, or at the agency.

To make this happen, we needed to make sure most of our resources were accessible over any internet linkage. The preferred method to achieve this is through modernizing applications and services employing the cloud and modern authentication systems. For legacy applications or services unable to migrate to the cloud, we use an application proxy service which serves as a broker to connect to the on-premise environment while still enforcing strong authentication principles.

Strong authentication and adaptive access policies are critical ingredients in the validation process. A big part of this validation process included recruiting machines in our machine handling system to ensure merely known and healthy devices are immediately retrieving our resources. For customers on devices that are not enrolled in our handling system, we have developed virtualization alternatives that allow them to access resources on an unmanaged device. One of the early impacts of COVID-1 9 was device shortages and the inability to procure new hardware. Our virtualization implementation likewise helped offer fasten access for new employees while they waited for their device’s arrival.

The output of these efforts, working in partnership with a VPN configuration that enables divide tunneling for access to the few remaining on-premises applications, has made it possible for Microsoft employees to work anywhere in a time when it is most critical.

Implementing an internet-first model for your applications

In this blog, I will share some recommendations on implementing an internet-first approach plus a few of the things we learned in our efforts here at Microsoft. Because every company has its own unique culture, surroundings, infrastructure, and threshold for change, there is no one-size-fits-all approach. Hopefully, you will find some of this information useful, even though they are only to validate you are already on the right path.

Before I jump in, I merely want to mention that this blog will assume you’ve completed some of the foundational factors required in order a Zero Trust security model. These include modernizing your identity system, corroborating sign-ins with multi-factor authentication( MFA ), registering machines, and ensuring compliance with IT security policies, etc. Without these protections in place, moving to an internet-first posture is not possible.

As previously mentioned, your apps may be required to modernized by migrating them to the cloud and implementing modern authentication services. This is the optimal path to internet accessibility. For apps that can’t be modernise or moved to the cloud( belief legacy on-premises apps ), you can leverage an app proxy to allow the connection over the internet and still maintain the strong authentication principles.

Secure access via adaptive access policies

Once your apps are accessible via the public internet, you will want to control access based on conditions you select to enforce. At Microsoft, we use Conditional Access policies to enforce granular access control, such as involve multi-factor authentication, based upon consumer context, machine, locating, and session danger knowledge. We also enforce machine management and health policies to ensure the employee comes from a known and healthy device once they have successfully achieved strong authentication.

Depending on your organization’s size, you might want to start slow by implementing multi-factor authentication and device enrollment first, then ramping up to biometric authentication and full machine health enforcement. Check out our Zero Trust guidance for identities and devices that we follow internally for some additional recommendations.

When we rolled out our machine enrollment policy, we learned that using data to measure the policy’s impact allowed us to tailor our messaging and deployment schedule. We enabled “logging mode”, which let us enable the policies and collect data on who would be impacted when we moved to enforcement. Using this data, we first targeted consumers who were already applying compliant machines. For customers that we knew were going to be impacted, we crafted targeted messaging alerting them of the upcoming changes and how they would be impacted. This slower, more measured deployment approach allowed us to monitor and respond to issues more quickly. Using this data to shape our rollout helped us minimize the impact of significant policy implementation.

Start with a hero application

Picking your first application to move out to the public internet can be done in a few different ways. Do you want to start with something small-scale and non-critical? Or perhaps you want to “flip the switch” to cover everything at once? We decided to start with a hero application that proved it works at scale. Office 365 was the obvious selection because it the broadest coverage since most employees use it daily, regardless of what role they are in. We were confident if we could implement Office 365 successfully, we could be successful with most of our portfolio.

Ultimately, it will boil down to your environment, threshold for support participations, and corporation culture. Choose the track that works best for you and push forward. All tracks will help provide valuable data and experience that will help later.

Prioritize your remaining apps and services

Prioritizing the apps and services you modernize next can be challenging, especially without granular visibility into what employees are accessing in your environment. When we started off our pilgrimage, we had hypothesis about what people were retrieving but no data to back it up. We constructed a dashboard that reported actual traffic volumes to applications and services still routing to on-premises applications and services to provide the visibility we lacked. This gave us much-needed information to help prioritize apps and services based on impact, complexity, risk, and more.

We likewise applied this dashboard to identify which application or service proprietors we needed to coordinate with to modernize their resources. To coordinate with these owneds, we created work items in our undertaking tracking system and designated the owner a deadline to provide a plan to either modernize or implement a proxy front end solution. We likewise generated a tracking dashboard for all these tasks and their status to build reporting easier.

We then worked closely with owners to provide guidance and best practices to drive their success. We conduct weekly office hours where application and service owners can ask questions. The partnership between these application and service proprietors and the teams working on Zero Trust helps us all drive towards the same common goals–frictionless access for our employees.

A quick note on what we learned through the dashboard–the on-premises applications and services people were still retrieving were not what we were expecting. The dashboard surfaced several items we were unaware people were still utilizing. Fortunately, the dashboard helped remove a layer of cloud we were unaware even existed and has been invaluable in driving our prioritization tries.

As I mentioned at the beginning of this blog, every company is unique. As such, how you think about Zero Trust and your investments might be different than the company across the street. I hope some of the insight provided above was helpful, even if it is just to get you thinking about how you would approach solving some of these challenges inside your own organization.

To learn more about how Microsoft IT( Use of information technologies ), check out IT Showcase. To learn more about Microsoft Security Solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Likewise, follow us at @MSFTSecurity for the latest news on cybersecurity.

The post Empowering employees to securely work from anywhere with an internet-first model and Zero Trust showed first on Microsoft Security .

Read more: microsoft.com