This content is part of the Conference Coverage: RSAC 2019: Coverage of the premiere security gathering
News Stay informed about the latest enterprise technology news and product updates.

Microsoft promotes zero-trust security over firewalls

Microsoft told RSA Conference attendees a zero-trust model is better than firewalls for protecting corporate data -- a stance that some said doesn't go far enough.

SAN FRANCISCO -- Microsoft believes the IT world would be a much safer place if companies dumped their firewalls and took a zero-trust security approach to protect the data and applications their employees access regularly.

On Wednesday, Microsoft told RSA Conference attendees firewalls were no longer useful as a first line of defense. What has made the trusted technology obsolete is the variety of devices employees use to access corporate data from far-flung places outside corporate offices. Employees also no longer seek entry to applications sitting only in private data centers. Today, business software could just as easily live in a public cloud or exist as an online service.

Those conditions didn't exist when security companies introduced the firewall 30 years ago, when the internet was in its infancy. To combat today's cyberthreats, a more innovative approach is needed. And, according to Microsoft, that approach is zero-trust security.

"I honestly believe this is a game changer -- whether it's a Microsoft solution or another vendor that does zero trust," Matt Soseman, a security architect at Microsoft, told attendees at a packed tech session. "I think that this can lower cybersecurity risk and increase posture, regardless of the solution."

Microsoft sells firewall and zero-trust technologies.

Microsoft's view of zero trust

As described by Soseman, zero trust is a bunch of security technologies that work in tandem to identify people trying to access the corporate network and determine whether their PCs, smartphones or tablets are safe.

With zero trust, a username and password would trigger a multifactor authentication app requiring other forms of identification, such as a series of numbers sent to a smartphone. Security apps would also check the accessing device for compliance with corporate policy. For example, if the system's operating system lacked certain safeguards, the corporate network would deny access.

Other products that companies could use as part of a zero-trust security architecture would check for abnormalities. The accessing device, for example, could have an unauthorized browser or anonymous IP address, or it could seek entry to the network from an unfamiliar location. Other security triggers could include failed attempts across multiple accounts over a short period. 

Companies have a wide variety of technology options for whatever type of zero-trust architecture fits their businesses. Soseman described several different scenarios in which zero-trust technology denied access to devices, allowed read-only access to data or told device users to update software to receive permission to enter the network.

Eric Hanselman, an analyst at 451 Research, said zero-trust discussions, like the one led by Microsoft, encourage companies to deploy more exacting identity-based controls that can stand in for some firewall features.

"The reality of zero trust in practical applications is that it augments, rather than replaces, firewalls," Hanselman said. For most companies, "there are still architectural requirements for firewalls to deliver protection."

Microsoft offered nothing radical

Microsoft's stance on zero trust versus firewalls is not groundbreaking. At RSA Conference last year, Akamai Technologies' CSO, Andy Ellis, rang that same bell, telling attendees that corporate firewalls should not be considered the primary means of security.

For some attendees, Microsoft's talk did not move the zero-trust model forward. A senior database security manager with a major technology provider based in California said he was disappointed with Soseman's talk.

"Most of the things he talked about doing are traditional security," said the database security manager, who requested anonymity. "I was looking for a more radical solution."

He wanted to hear more about using cloud-based machine learning in a zero-trust architecture. He was also looking for information on how a company could use microsegmentation to bolster a zero-trust deployment. Both areas could potentially improve the zero-trust model, which Forrester Research introduced 10 years ago.

Also, not everyone believes firewalls are ineffective, outmoded technology. The products have evolved over the years, and most vendors have virtualized versions that act as a traffic cop close to an application sitting in the cloud.

"People say firewalls are going to go away," Nikesh Arora, CEO of firewall maker Palo Alto Networks, said in an RSA keynote. "I have bad news for people: Firewalls are not going away. They'll be around for a while."

Dig Deeper on Network device security: Appliances, firewalls and switches

Join the conversation


Send me notifications when other members comment.

Please create a username to comment.

How do you view zero trust versus the use of corporate firewalls?
I think firewalls are still important, as it can be used as a boundary where multi-factor authentication is not required.

Theres Actually no reason to have multi-factor authentication in a closed enviroment in a trusted office, unless the office is processing very sensitive information.

Imagine a stolen laptop. If the server is configured to require multifactor authentication when the laptop is outside Corporate network, and skip multifactor authentication when inside Corporate network, the stolen laptop cannot be misused as you would need to gain physical access to the office to be able to use the stolen laptop.

The firewall is important as a physical boundary, which also helps separate networks and devices with different security policies.
Imagine the above zero trust system, where the normal office workers have access to sensitive information, but the receptionist and guests, does not have access to anything except internet.

Then theres no reason to enforce strict security policies for receptionists and guests, then its better to isolate these on a separate network(s) by using VLAN and a firewall, so even if the receptionist's PC is infected with a virus, it won't hurt the security of the office workers.

Also firewalls are important for other security boundaries, for example scoping in PCI DSS. If you implement zero trust model, you must implement PCI DSS level security for every computer in your facility, even for a customer-facing PC only being used to for example search for books in a library.
That means you are required to have a system where authorized personell unlock the search PC as soon as a customer is going to use it, and then Watch over the shoulder.

If you instead use a firewall to separate the networks into different security classes, you can have crap security on the "outside" PCs and super tight security on the "inside" PCs. The only requirement is that you must treat the "outside" PCs like they were part of internet.

Having the right security for the right job, and dynamically applying security depending on access rights (more access rights = tighter checks and tighter security), you also avoid developing a "Culture" in the Company where people might start Writing down passwords and bypassing security measures just because "I don't have access to anything important, just the internet, so why should I have a 16 character secure password?" - leading to the Culture spreading and also "secure" people (who have access to sensitive info) start doing it too.
Or "insecure" people might start connecting USB devices and such to bypass certain checks, causing "secure" people to start doing it too.

Thats why, only implement restrictions on the people and devices where its neccessary. This is where firewalls come in - they are important to physically isolate so devices with lesser restrictions and no sensitive info, cannot affect, access or infect devices with stricter restrictions and sensitive info.
Thanks for the good info. I agree that companies will buy firewalls or a long time.