To help protect the United States from increasingly sophisticated cyber threats, the White House issued Executive Order (EO) 14028 on Improving the Nation’s Cybersecurity, which requires US Federal Government organizations to take action to strengthen national cybersecurity.1 Section 3 of EO 14028 specifically calls for federal agencies and their suppliers “to modernize [their] approach to cybersecurity” by accelerating the move to secure cloud services and implementing a
Zero Trust architecture.
As a company that has embraced Zero Trust ourselves and supports thousands of organizations around the globe on their Zero Trust journey, Microsoft fully supports the shift to Zero Trust architectures that the Cybersecurity EO urgently calls for. We continue to partner closely with the
National Institute of Standards and Technology (NIST) to develop implementation guidance by submitting
position papers and contributing to communities of interest under the umbrella of the
National Cybersecurity Center of Excellence (NCCoE).
The memo clearly describes the government’s strategic goals for Zero Trust security. It advises agencies to prioritize their highest value starting point based on the
Zero Trust maturity model developed by the national Cybersecurity & Infrastructure Security Agency (CISA).
Microsoft’s position aligns with government guidelines. Our
maturity model for Zero Trustemphasizes the architecture pillars of identities, endpoints, devices, networks, data, apps, and infrastructure, strengthened by end-to-end governance, visibility, analytics, and automation and orchestration.
To help organizations implement the strategies, tactics, and solutions required for a robust Zero Trust architecture, we have developed the following series of cybersecurity assets:
- Cloud Adoption Framework: A rich repository of documentation, implementation guidance, and best practices to help accelerate cloud adoption.
- Interactive guide on the Cybersecurity EO: Clear, concise guidance to help organizations better understand near- and long-term milestones, build a strategic response aligned to security modernization priorities and Executive Order requirements, and determine how technology partners can help accelerate the journey.
A blog by my colleague Sue Bohn,
Guidance on using Azure AD to meet Zero Trust Architecture and MFA requirements, provides a great summary of how Azure AD can help organizations meet the requirements outlined in EO 14028. We recently announced two additional capabilities developed in response to customer feedback: cloud-native certificate-based authentication (CBA) and cross-tenant access settings for external collaboration.
Certificate-based authenticationPhishing remains one of the most common threats to organizations. It’s also one of the most critical to defend against. According to
our own research, credential phishing was a key tactic used in many of the most damaging attacks in 2021. To help our customers adhere to NIST requirements and effectively counter phishing attacks, we announced the preview of
Azure AD cloud-native CBA across our commercial and US Government clouds.
CBA enables customers to use X.509 certificates on their PCs or smart cards to authenticate applications using Azure AD natively. This eliminates the need for additional infrastructure such as Active Directory Federation Services (ADFS) and reduces the risk inherent in using on-premises identity platforms.
Cloud-native CBA demonstrates Microsoft’s commitment to the federal Zero Trust strategy. It helps our government customers implement the most prominent phishing-resistant MFA, certificate-based authentication, in the cloud so they can meet NIST requirements. Read the documentation on
Azure AD certificate-based authentication to get started.
Cross-tenant access settings for external collaborationOur customers have told us they want more control over how external users access apps and resources. Earlier this month, we announced the preview of
cross-tenant access settings for external collaboration.
This new capability enables organizations to control how internal users collaborate with external organizations that also use Azure AD. It provides granular inbound and outbound access control settings based on organization, user, group, or application. These settings also make it possible to trust security claims from external Azure AD organizations, including MFA and device claims (compliant claims and hybrid Azure AD joined claims). Consult the documentation on
cross-tenant access with Azure AD External Identities to learn more.
More capabilities coming soonWe’re continuing to work on new capabilities to help government organizations meet Zero Trust security requirements:
- The ability to enforce phishing-resistant authentication for employees, business partners, and vendors for hybrid and multi-cloud environments.
- Comprehensive phishing-resistant MFA support, including remote desktop protocol (RDP) scenarios.
Written by
Joy Chik President, Identity & Network Access