Monday, February 21, 2022

US Government sets forth Zero Trust architecture strategy and requirements

A Microsoft Post 

To help protect the United States from increasingly sophisticated cyber threats, the White House issued Executive Order (EO) 14028 on Improving the Nation’s Cybersecurity, which requires US Federal Government organizations to take action to strengthen national cybersecurity.1 Section 3 of EO 14028 specifically calls for federal agencies and their suppliers “to modernize [their] approach to cybersecurity” by accelerating the move to secure cloud services and implementing a Zero Trust architecture.

As a company that has embraced Zero Trust ourselves and supports thousands of organizations around the globe on their Zero Trust journey, Microsoft fully supports the shift to Zero Trust architectures that the Cybersecurity EO urgently calls for. We continue to partner closely with the National Institute of Standards and Technology (NIST) to develop implementation guidance by submitting position papers and contributing to communities of interest under the umbrella of the National Cybersecurity Center of Excellence (NCCoE).

Microsoft helps implement Executive Order 14028

The memo clearly describes the government’s strategic goals for Zero Trust security. It advises agencies to prioritize their highest value starting point based on the Zero Trust maturity model developed by the national Cybersecurity & Infrastructure Security Agency (CISA). 

Microsoft’s position aligns with government guidelines. Our maturity model for Zero Trust emphasizes the architecture pillars of identities, endpoints, devices, networks, data, apps, and infrastructure, strengthened by end-to-end governance, visibility, analytics, and automation and orchestration.

Flow chart showcasing identities and endpoints as their authentication and compliance requests are intercepted by the Zero Trust Policy for verification before being granted access to networks and the data, apps, and infrastructure they’re composed of.

To help organizations implement the strategies, tactics, and solutions required for a robust Zero Trust architecture, we have developed the following series of cybersecurity assets:

New capabilities in Azure AD to help meet requirements

A blog by my colleague Sue Bohn, Guidance on using Azure AD to meet Zero Trust Architecture and MFA requirements, provides a great summary of how Azure AD can help organizations meet the requirements outlined in EO 14028. We recently announced two additional capabilities developed in response to customer feedback: cloud-native certificate-based authentication (CBA) and cross-tenant access settings for external collaboration.

Certificate-based authentication

Phishing remains one of the most common threats to organizations. It’s also one of the most critical to defend against. According to our own research, credential phishing was a key tactic used in many of the most damaging attacks in 2021. To help our customers adhere to NIST requirements and effectively counter phishing attacks, we announced the preview of Azure AD cloud-native CBA across our commercial and US Government clouds.

CBA enables customers to use X.509 certificates on their PCs or smart cards to authenticate applications using Azure AD natively. This eliminates the need for additional infrastructure such as Active Directory Federation Services (ADFS) and reduces the risk inherent in using on-premises identity platforms.

Cloud-native CBA demonstrates Microsoft’s commitment to the federal Zero Trust strategy. It helps our government customers implement the most prominent phishing-resistant MFA, certificate-based authentication, in the cloud so they can meet NIST requirements. Read the documentation on Azure AD certificate-based authentication to get started.

Cross-tenant access settings for external collaboration

Our customers have told us they want more control over how external users access apps and resources. Earlier this month, we announced the preview of cross-tenant access settings for external collaboration.

This new capability enables organizations to control how internal users collaborate with external organizations that also use Azure AD. It provides granular inbound and outbound access control settings based on organization, user, group, or application. These settings also make it possible to trust security claims from external Azure AD organizations, including MFA and device claims (compliant claims and hybrid Azure AD joined claims). Consult the documentation on cross-tenant access with Azure AD External Identities to learn more.

More capabilities coming soon

We’re continuing to work on new capabilities to help government organizations meet Zero Trust security requirements:

  • The ability to enforce phishing-resistant authentication for employees, business partners, and vendors for hybrid and multi-cloud environments.
  • Comprehensive phishing-resistant MFA support, including remote desktop protocol (RDP) scenarios.

Resources for your Zero Trust journey

Microsoft is committed to helping the public and private sectors with a comprehensive approach to security that’s end-to-end, best-in-breed, and AI-driven.

To advance your Zero Trust implementation, we offer the following:

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.


1Executive Order (EO) 14028 on Improving the Nation’s Cybersecurity.