Networks provide users with access to the data they need, but they are also a major point of vulnerability. Dividing a network into segments with access controls at each hop can prevent attackers from moving laterally through the network once they gain access. Networks in a Zero Trust environment should also use end-to-end encryption to protect data while in transit.
The traditional network security model calls for constructing a perimeter surrounding the enterprise premises; this model has servers, workstations, and users inside the perimeter and firewalls protecting them by filtering out unwanted traffic. Remote users could connect to enterprise resources only by establishing a secured connection to a remote access server located in a screened subnet on the perimeter network. A Microsoft 365 installation places substantial and potentially vulnerable resources in the cloud outside the network perimeter, requiring a revised network security model.
Remote users might still connect to on-premises servers for some functions, but others will connect directly to cloud services. Also, the new emphasis on mobile devices means that users will be accessing enterprise resources from a wider variety of locations, including public locations, such as hotels and coffee shops, over which the company has no control.
The Microsoft 365 deployment process begins with assessing and possibly redesigning the network to ensure that Internet bandwidth and proximity to the nearest Microsoft cloud endpoint are optimized. Also, adapting the security model to a network infrastructure that includes cloud services requires a shift in emphasis from perimeter security to endpoint security, in which the focus is placed more on securing the locations of the data and the locations of the users accessing the data than on the network medium connecting them.
Note: Microsoft 365 Deployment
For a more detailed examination of the Microsoft 365 deployment process, see “Describe endpoint modernization, management concepts, and deployment options in Microsoft 365” in Chapter 2, “Describe Microsoft 365 apps and services.”
Endpoint network security means that the protective features built into the Microsoft 365 cloud services take on a more prominent role in the enterprise security strategy. Microsoft 365 administrators do not have control over the network traffic reaching the cloud services, nor can they erect a perimeter around every remote or mobile device that accesses the enterprise services. Therefore, instead of trying to block malicious traffic with firewalls, security comes from mechanisms such as multifactor authentication, Data Loss Prevention, and Cloud App Security.
This does not mean the networks cease to be vulnerable or can be left unprotected. Administrators must be wary of the threats that have always afflicted networks, including unauthorized packet captures, unprotected Wi-Fi networks, and rogue access points. For example, if an enterprise allows both managed and unmanaged devices to access company resources—regardless of the policies they use to control that access—it is still a good idea to keep the managed devices on a separate wireless network from the unmanaged ones. Also, appropriate security and encryption protocols must still protect internal Wi-Fi networks, and their administrative passwords and preshared keys must be modified regularly.
Infrastructure
Infrastructure is an inclusive term encompassing all of a network’s hardware and software, both physical and virtual, on premises and in the cloud, as well as the facilities and services that house and protect them. The infrastructure of a typical enterprise network presents many potential attack vectors, and administrators should make every attempt to block them. IT personnel can keep software products updated and use infrastructure monitoring technologies that detect unusual and problematic behavior, such as Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR).