This content is part of the Conference Coverage: RSAC 2019: Coverage of the premiere security gathering

Microsoft promotes zero-trust security over firewalls

Microsoft told RSA Conference attendees a zero-trust model is better than firewalls for protecting corporate data -- a stance that some said doesn't go far enough.

SAN FRANCISCO -- Microsoft believes the IT world would be a much safer place if companies dumped their firewalls and took a zero-trust security approach to protect the data and applications their employees access regularly.

On Wednesday, Microsoft told RSA Conference attendees firewalls were no longer useful as a first line of defense. What has made the trusted technology obsolete is the variety of devices employees use to access corporate data from far-flung places outside corporate offices. Employees also no longer seek entry to applications sitting only in private data centers. Today, business software could just as easily live in a public cloud or exist as an online service.

Those conditions didn't exist when security companies introduced the firewall 30 years ago, when the internet was in its infancy. To combat today's cyberthreats, a more innovative approach is needed. And, according to Microsoft, that approach is zero-trust security.

"I honestly believe this is a game changer -- whether it's a Microsoft solution or another vendor that does zero trust," Matt Soseman, a security architect at Microsoft, told attendees at a packed tech session. "I think that this can lower cybersecurity risk and increase posture, regardless of the solution."

Microsoft sells firewall and zero-trust technologies.

Microsoft's view of zero trust

As described by Soseman, zero trust is a bunch of security technologies that work in tandem to identify people trying to access the corporate network and determine whether their PCs, smartphones or tablets are safe.

With zero trust, a username and password would trigger a multifactor authentication app requiring other forms of identification, such as a series of numbers sent to a smartphone. Security apps would also check the accessing device for compliance with corporate policy. For example, if the system's operating system lacked certain safeguards, the corporate network would deny access.

Other products that companies could use as part of a zero-trust security architecture would check for abnormalities. The accessing device, for example, could have an unauthorized browser or anonymous IP address, or it could seek entry to the network from an unfamiliar location. Other security triggers could include failed attempts across multiple accounts over a short period. 

Companies have a wide variety of technology options for whatever type of zero-trust architecture fits their businesses. Soseman described several different scenarios in which zero-trust technology denied access to devices, allowed read-only access to data or told device users to update software to receive permission to enter the network.

Eric Hanselman, an analyst at 451 Research, said zero-trust discussions, like the one led by Microsoft, encourage companies to deploy more exacting identity-based controls that can stand in for some firewall features.

"The reality of zero trust in practical applications is that it augments, rather than replaces, firewalls," Hanselman said. For most companies, "there are still architectural requirements for firewalls to deliver protection."

Microsoft offered nothing radical

Microsoft's stance on zero trust versus firewalls is not groundbreaking. At RSA Conference last year, Akamai Technologies' CSO, Andy Ellis, rang that same bell, telling attendees that corporate firewalls should not be considered the primary means of security.

For some attendees, Microsoft's talk did not move the zero-trust model forward. A senior database security manager with a major technology provider based in California said he was disappointed with Soseman's talk.

"Most of the things he talked about doing are traditional security," said the database security manager, who requested anonymity. "I was looking for a more radical solution."

He wanted to hear more about using cloud-based machine learning in a zero-trust architecture. He was also looking for information on how a company could use microsegmentation to bolster a zero-trust deployment. Both areas could potentially improve the zero-trust model, which Forrester Research introduced 10 years ago.

Also, not everyone believes firewalls are ineffective, outmoded technology. The products have evolved over the years, and most vendors have virtualized versions that act as a traffic cop close to an application sitting in the cloud.

"People say firewalls are going to go away," Nikesh Arora, CEO of firewall maker Palo Alto Networks, said in an RSA keynote. "I have bad news for people: Firewalls are not going away. They'll be around for a while."

Dig Deeper on Network security

Enterprise Desktop
Cloud Computing