Microsoft HK Recommends Zero Trust Security Model For The Hybrid Workplace

Date : 23-Nov-2021
Location: Hong Kong


  • Microsoft, the company who powers the PC of many people globally, and beyond the cloud. 

Content Source:

Key Takeaways:

  • The onset of Covid-19 pandemic has brought a new trend for the technology landscape of the enterprise :  hybrid work environments. As a result of this paradigm shift, the enterprise security landscape has also shifted and evolved, made complicated by the trends of cloud-based services, mobile computing, IoT and “bring your own device” (BYOD), which interchange with each other.
  • The hybrid workplace is here to stay, therefore, enterprise must tackle new security challenges respectively.
  • The top two threats pertaining to hybrid workplace are:
    • Phishing -  responsible for almost 70% of data breaches.
    • Ransomware.


  • Zero Trust security model : trust no one, everybody is considered not just a visitor, but a potential attacker.
  • Conventional security model premises on the concept where security measures are deployed at perimeters which serve to prevent untrusted people from accessing the resources, hence that is the only security measure in place. As a result, attackers or spies who are able to penetrate the perimeters will gain full access to all resources inside the perimeters.
  • In Zero Trust, there is no clear boundary of perimeters, it is everywhere.
  • Using a house as analogy, when the house owner enters the house, he has to verify his identify again when he enters the bathroom, and again when he enters the kitchen, so on and so forth.
  • A Zero Trust security model requires more work to be done, albeit more flexibility when it comes to security enforcement.


  • Globally, 81% of enterprise organizations have begun the move toward a hybrid workplace, with 31% already fully adopted.
  • Less than 20% of Microsoft’s customers are using strong authentication such as multi-factor authentication (MFA).
  • Human-operated ransomware is a rising trend, deadlier that commodity ransomware due to the presence of human elements behind the scenes. Human-operated ransomware tend to be target-initiated, and usually results in more damage, as well as perpetual in nature.
  • Ransomware attackers are now offering ransomware as a service (RaaS), which uses a partner network to carry out an attack, making it tough to determine who the real bad actor is.
  • Hackers don’t break in, they log in. In Azure Active Directory, we observe 50 million password attacks daily, yet only 20% of users and 30% of global admins are using strong authentications such as MFA.Microsoft research shows that requiring strong authentication can protect against 99.9% of the identity attacks because the majority of the attacks are related to passwords. 

Case Studies:

Firewalls and VPNs are conventional security approaches - with the hybrid workplace paradigm shift,both are no longer sufficient for a workforce that regularly requires access to applications and resources that exist beyond traditional corporate network boundaries.

In other words, hybrid workplace entails a mixtual of cloud-based services, mobile computing, IoT and “bring your own device” (BYOD)  in the operating environment, making it difficult for firewalls and VPNs to setup effectively.

Best Practices:

  • To minimise risks related with hybrid workplace, regularly perform system patching, applying updates, or turning on multifactor authentication (MFA).
  • Move infrastructure to the cloud where security is more difficult to penetrate.
  • To achieve the most secure authentication,proceed to eliminate passwords altogether with passwordless authentication methods - such as using Biometrics authentications. Passwordless approach is part of the Zero Trust security model.


  • Firewalls and VPNs are conventional security approaches, not effective to protect a hybrid workplace.
  • Zero Trust security model is the solution - for example, the implementation of MFA and passwordless authentication.
  • MFA is not effective to protect against phishing, passwordless is.

passwordless authentication can stop phishing threats
Passwordless authentication can stop phishing threats

Photo by Franck on Unsplash