With the rapid spread of COVID-19, organizations around the world are forced to close offices and let employees work from home. For Microsoft and its 166,000 employees, this decision fell on the shoulders of CISO Bret Arsenault and experts in the business continuity and resiliency team.
Microsoft has done pandemic plans in the past, Arsenault told Dark Reading, but “when it really fits the real situation, each plan is interesting.” Before COVID-19, less than 20% of Microsoft employees were remote. He said that during the pandemic, this number jumped to 97%.
The shift to remote work has forced most IT leaders to deal with new security challenges, some of which have always existed for organizations considering long-term remote work strategies. Of course, these obstacles vary from company to company, and a key challenge for Microsoft is to ensure the safety and efficiency of its employees so that other companies can continue to operate as usual.
“I think one of the most important things for us [was] to understand humbly, as an organization, we are not affected like the service or transportation industries. We have a responsibility to keep things going so that the business can continue to operate,” Arsenault said. “But we are also responsible to our people.”
The decision to send most Microsoft employees home within 48 hours prompted him and his team to think about how to better understand how employees work. In some cases, the company already had the required systems; in others, it implemented changes.
One of the adjustments involved a system that uses telemetry to better understand what the employee’s remote experience is like. Arsenault said that this is an extension of the same system used to evaluate the broad shift in the use of multi-factor authentication (MFA) across the company and to better understand how this adjustment affects security and productivity.
“We extended it to things we haven’t done before, such as checking daily VPN usage and checking Teams calls… How many Teams calls are happening, how many are done in meetings, and how many are done as two-party calls,” he said, calling it “the equivalent of a corridor conversation that didn’t happen.”
Microsoft looked at this data to understand remote work across different regions, job functions, individual contributors and managers. Do people work longer? Are they on vacation? Last summer, 5,000 interns almost arrived; all worked remotely. This data helped handle logistics and ensure that interns worked efficiently and had a good experience when they were not on campus.
Zero Trust: “Progress beyond perfection”
This telemetry is part of the zero trust strategy that Microsoft began implementing five years ago. Zero trust is a growing topic in today’s security field. It refers to an environment in which each network segment, application, and data resource is its own boundary and requires identity verification. The idea is to limit how far attackers who get through the external network boundary can reach by giving each resource its own boundary.
“We believe that the enterprise network is not the right boundary for the most effective control plane we will consider - identity and device health will be more important,” Arsenault said of the company’s reasons for starting this process. Although telemetry can help security practitioners detect and respond, it can also help the company understand employees’ experience during COVID-19.
For a company of Microsoft’s size, zero trust is a big project because it needs to apply this technology to hundreds of thousands of devices, many of which run macOS, iOS, Android, and other operating systems.
“We are not a Windows-only store,” Arsenault continued. “I run hundreds of thousands of non-Windows endpoints. I run a lot of Linux. I think I run 31 different operating systems.”
In addition, he does not want employees to use several different solutions to achieve zero-trust work. He chose two, Windows Hello for Business and the Authenticator application, to achieve the most consistent experience possible.
Arsenault said that organizations that are curious about zero trust, or are starting the process themselves, may run into its limitations around legacy systems, which he calls the “biggest problem” of zero trust. He explained that almost all Microsoft systems have MFA installed, including guest systems, but there are still places where people are prompted to enter passwords.
“You can… decide that you will treat the legacy system as a separate function, you will go beyond perfection and say, ‘Well, in some cases people still need to enter a password,’” he continued.
Some legacy systems will not be updated, but organizations can isolate these systems and accept that they will have a different experience. Instead of waiting to solve this problem, it is better to work on the systems that can be updated.
Kelly Sheridan is a full-time editor of Dark Reading. She focuses on cybersecurity news and analysis. She is a business technology journalist. She has previously reported on Microsoft for InformationWeek, and has reported on finance in insurance and technology…