US Cybersecurity Executive Order: Zero Trust architecture for critical infrastructure
The US Executive Order on Improving the Nation’s Cybersecurity requires US Federal Government organizations modernize cybersecurity and adopt a Zero Trust architecture. This is especially urgent for the 16 critical infrastructure sectors identified by the US Cybersecurity and Infrastructure Security Agency (CISA). Organizations in the critical infrastructure sectors are responsible for systems considered so vital to the US their incapacitation or destruction would have a debilitating effect on the security, economy, and public health of the nation. In these critical scenarios where seconds matter, Microsoft is uniquely positioned to secure US critical infrastructure.
We think globally at Microsoft when applying our cloud compute to the critical infrastructure sector. Microsoft provides cloud scale capabilities to automate security, resiliency, and availability of critical systems from edge to cloud and back. Microsoft has two security superpowers—an integrated approach and our incredible artificial intelligence and automation. We offer solutions that modernize security for your legacy Operational Technology (OT) running in Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems architectures. Microsoft also offers solutions for security, resiliency, and availability across your hybrid environment. Our integrated set of solutions offer built-in Zero Trust controls that make implementing a Zero Trust architecture for your critical infrastructure organization achievable at scale.
Broadest range of cloud innovation across US government data classifications. Microsoft has multiple options for where data resides and how it’s managed. We combine security, compliance, and identity management across clouds and platforms. You can choose from any of our Azure commercial regions around the world and Azure Government, with eight regions separate from the worldwide fabric built exclusively for US government agencies and their partners. Azure Government Secret regions are built exclusively for US government agencies and partners working within Secret enclaves, and we’ve recently announced the general availability of Azure Government Top Secret. At the end of the day, it’s important to remember each of these US government-only regions provide consistent experience for governance, security, apps, data, development, and operations. Most of our critical infrastructure customers use all three of these clouds depending on the classification of the workload.
A Zero Trust architecture is central to enhance critical infrastructure security. The Zero Trust model teaches us to “never trust, always verify” with three guiding principles:
1. Verify explicitly. Always authenticate and authorize based on all available data points.
2. Use least privileged access. Limit user access with just-in-time and just-enough-access (JIT/JEA), risk-based adaptive policies, and data protection.
3. Assume breach. Minimize blast radius and segment access. Verify end-to-end encryption and use analytics to get visibility, drive threat detection, and improve defenses.
Our Zero Trust industry-leading solutions outlined below provide a comprehensive solution to secure your critical infrastructure organization.
Identity. Azure Active Directory (AAD) provides greater control over identity threats. Capabilities like role-based access control (RBAC), multi-factor authentication (MFA), and identity protection will help ensure the right users are getting the appropriate level of access. The hybrid world is largely perimeter-less, therefore, wrapping protections around identity and devices is critical. AAD integrates with Microsoft password-less technologies including Windows Hello, the Microsoft Authenticator app, and FIDO2 security keys. Enable Single Sign On with AAD to all apps including SaaS apps, custom built cloud apps, and on-prem apps. AAD can be easily synchronized with on-premises Active Directory (AD). AAD Application Proxy enables users to access on-premises web apps from a remote client. Microsoft Defender for Identity protects on-premises identities with cloud power and intelligence at each stage of the attack life cycle and identity hygiene is reflected in Microsoft Secure Score.
Endpoints. Microsoft Defender for Endpoint is a holistic, cloud-delivered endpoint security solution, including the services and tools you use to manage and monitor mobile devices, desktop computers, virtual machines, embedded devices, and servers. Azure offers several Internet of Things (IoT) services providing Zero Trust capabilities, such as Azure IoT Hub, Azure IoT Hub Device Provisioning Service (DPS), Azure Device Update for IoT Hub, and Azure Defender for IoT. Microsoft offers edge platforms including runtimes such as Azure IoT Edge and Azure IoT platform Software Development Kits (SDKs), and operating systems including Azure RTOS and Windows 10 IoT Enterprise. Microsoft also offers lightweight endpoint security agents that interoperate with Azure IoT Hub and Azure Defender for IoT, with support for both Microsoft and Linux IoT platforms. For device builders to reflect their device offers Zero Trust capabilities, they should obtain the Edge Secured-core certification, one of the certifications in the Azure Certified Device program. Microsoft also offers Zero Trust devices ready to meet your needs, including Azure Sphere and Azure Percept.
Data. Ultimately, security teams are focused on protecting data wherever it lives or travels. Data encryption controls are built-in to Microsoft services from Azure Virtual Machines to storage, Azure SQL, Azure CosmosDB and Azure Data Lake Analytics. Azure Key Vault enables you to safeguard and control cryptographic keys and other sensitive information used by cloud apps and services. Microsoft Information Protection (MIP) in Microsoft 365 provides a unified and consistent approach to inspecting and classifying data across locations and repositories. Azure Information Protection (AIP) is part of the MIP solution and extends the labeling and classification functionality to the cloud.
Applications. Applications and APIs provide the interface by which data is consumed. They may be legacy on-premises, lift and shifted to cloud workloads, or modern SaaS apps. Implement real-time protection against cyberthreats, anomalies, and grant appropriate access for every app based on the user and the device they are utilizing from any network location. Microsoft Cloud App Security is our Cloud Access Security Broker (CASB) solution and uses user and entity behavioral analytics (UEBA) and machine learning (ML) to detect unusual behavior across cloud apps, enabling us to identify ransomware, compromised users, or rogue apps, analyze high-risk usage and remediate automatically to limit the risk to your organization.
Infrastructure. Infrastructure (whether on premises servers, cloud based VMs, boxes, or micro services) represents a critical threat vector. While the Microsoft cloud is a secure place for sensitive data and critical services, some customers still require data be stored and processed on-premises, and here Microsoft offers a rich array of hybrid cloud options. Provisioners of critical infrastructure can extend Azure services and capabilities to their environment of choice, from the datacenter to edge locations and remote offices using Azure hybrid cloud solutions such as Azure Arc and Azure Stack. Azure Arc enables customers to extend Azure management and security to any infrastructure. Azure Stack enables customers to deploy hybrid and edge infrastructure along with Azure services and capabilities in their datacenter, remote offices, or edge locations.
Network. All data is ultimately accessed over network infrastructure. Networking controls provide critical “in pipe” controls to enhance visibility and help prevent attackers from moving laterally across the network. Networks should be segmented (including deeper in-network micro segmentation) and real time threat protection, end-to-end encryption, monitoring, and analytics should be employed. For network security you can establish secure connections using Azure Virtual Networks with network security groups, Azure VPN Gateway, and Azure ExpressRoute. Protect and ensure availability of your apps, protect against network layer threats with services like Azure Firewall, Azure Web Application Firewall, and Azure Distributed Denial of Service (DDoS) Protection.
Threat protection & security management. It is equally important to continuously monitor the state of security, especially as cloud workloads change dynamically. Microsoft Defender integrates Security Information and Event Management (SIEM) and Extended Detection and Response (XDR) tools providing end-to-end threat visibility across all your resources. Microsoft Defender is delivered in two tailored experiences, Microsoft 365 Defender for end-user environments and Azure Defender accessed within Azure Security Center. Azure Security Center will help you monitor the security state of Azure resources and hybrid workloads, providing a dynamic security score card and compliance dashboards for key US regulatory frameworks.
Azure Sentinel is our cloud native SIEM and security orchestration, automation, and response (SOAR) technology. Sentinel makes it easy to collect security data across your entire hybrid organization from devices, users, apps, servers, and any cloud. It uses the power of AI to ensure you are identifying real threats quickly. Sentinel automatically detects multistage attacks by identifying combinations of anomalous behaviors and suspicious activities observed at various stages of the kill-chain and uses the MITRE ATT&CK framework to establish a common industry nomenclature. Use our Azure Sentinel Zero Trust TIC 3.0 Workbook automation to set up and help audit your Zero Trust environment. Use Azure Lighthouse and Sentinel to investigate attacks across multiple tenants. We recommend using a distributed deployment and centralized management model. This is where you deploy Sentinel workspaces within the tenant that belongs to the customer or subsidiary (data stays locally within the customer’s or individual subsidiary’s environment) and manage it centrally from within a service provider’s, or from a central security operations center (SOC) unit’s tenant within an organization.
Microsoft enables critical infrastructure customers to achieve Zero Trust in a hybrid IoT world. We tackle security from all angles—inside-out and outside-in. It’s why we combine security, compliance, identity, and management across clouds and platforms. We have over 4,000 cleared engineers, developers and consultants supporting our sovereign cloud activities delivering this mission capability.
Microsoft’s product architectural coherence and comprehensive approach to Zero Trust provides critical infrastructure organizations the opportunity to take advantage of innate alignment of tools and guidance to achieve accelerated adoption. To guide you, our Cloud Adoption Framework provides a rich repository of implementation guidance and best practices to help accelerate the cloud adoption journey. We encourage you to use the Microsoft Zero Trust Assessment tool to help you determine where you are in your Zero Trust implementation journey and the Zero Trust Guidance Center to help reach key milestones.
Related blog posts
- EO Strategies for Securing Critical Software & Classifying Agency Data – Microsoft in Business Blogs
- The Cybersecurity Executive Order: What’s Next for Federal Agencies? – Microsoft in Business Blogs
- Mapping the Cybersecurity Executive Order Milestones – Microsoft in Business Blogs
- Powering critical infrastructure with Microsoft cloud technology – The Official Microsoft Blog