How Plow Networks implemented a Zero Trust Security Model.

Services and Solutions: Multi-Factor Authentication (MFA), Mobile Device Management (MDM)

Industry: IT Consulting

Organization size: 11-50 employees

The challenge: network complexity and associated risk

Plow Networks believed that a network-centric approach to security and access was no longer sufficient to protect the company’s assets.

Traditional VPNs come with security drawbacks, including increased risk of unauthorized remote access to sensitive data and access to all applications on the corporate network from any authenticated device. This approach to remote access created unnecessary security risks to the business that they weren’t willing to accept.

The approach: agility, simplicity, and a better user experience

Plow Networks set out to adopt a Zero Trust security strategy that would eliminate the traditional corporate VPN and move away from a perimeter-based security model. This would not only deliver the enhanced security posture that Plow Networks was seeking, but also give users an easier work experience overall.

Plow Networks’ path to Zero Trust

With the transition to Zero Trust security, the goal was to safeguard Plow Networks’ applications and data, and prevent lateral movement on the network, while also providing improved user experience. Here’s how Plow Networks got there:

Early 2019: Implementation of single-identity model

Plow Networks had a mixed bag of users with non-standard identities. Some were plowgroup.com, while others were plow.net, and the email addresses didn’t always match, so you never really knew what login to use for which system. From an administrative perspective this was time-consuming to maintain. So, Plow Networks replaced non-standard identities with a single identity model and converted authentication to single sign-on.

Mid 2019: Azure AD/MFA enforcement/conditional access

Plow Networks began by converting workgroup-based machines to Azure AD joined machines. Previously, Plow Networks did not have a decent inventory control platform. Additionally, they had no centralized control over the access into their workstations. Multi-factor authentication (MFA) was also rolled out and baseline conditional access policies were put into place.

Late 2019: Intune rollout

Plow Networks did not have a Mobile Device Management (MDM) solution in place, so they implemented Microsoft Intune to allow for remote wiping of terminated employees’ equipment, as well as enforcement of security standards on all Plow Networks equipment. Intune was chosen due to its integrations into the Zero Trust model and its Windows 10 policies. Additionally, Plow Networks enforced policies such as ‘known folder move’ and automatic login with OneDrive to act as a modern and scalable roaming profile solution that would also work in any future jump-boxes/end user equipment.

Early 2020: AutoPilot implemented

Because Plow Networks now had AzureAD joined machines with Intune being rolled out automatically, the next step was to implement AutoPilot. AutoPilot allowed new machines to be automatically enrolled in the Zero Trust model and existing machines to be reloaded/reset in the field. When combined with the business’s Intune policies, their staff was right back to working within the hour.

Mid 2020: Vulnerability Management/Defender for Endpoint

Plow Networks moved away from their existing antivirus solution (BitDefender) in favor of ‘Defender for Endpoint’. The main reasons were the lack of vulnerability management in BitDefender and, more importantly, the lack of communication between it and their authentication provider (AzureAD). Plow Networks now has visibility to every vulnerability on their monitored devices and can let staff know when their software needs to be updated. At this point, Plow Networks also began the testing and implementation of their attack surface reduction policies.

Mid 2021: Remote jump box

A remote jump box instance was built out in Plow Networks’ ‘Azure Virtual Desktop’ that abides by their security standards and has all the same policies as their end user devices. This allows an end user who isn’t near any protected equipment to still use a trusted and secured environment for work.

October 2021: Sign-in risk policies implemented

With Plow Networks’ devices reporting their telemetry into the AzureAD security graph, it was time to enable their risk-based security policies. These policies use Microsoft’s AI to calculate risk based on all the elements within the authentication context to determine an overall score for policy enforcement.

November 2021: PIM implementation

Plow Networks removed all global admins and implemented a privileged identity management solution with AzureAD. This means all administrative promotions must be documented and are monitored by all other administrative staff.

March 2022: Compliance enforcement or denial of access

Conditional access policies were changed to take compliance standards into account when determining risk. Additionally, Plow Networks’ Jamf instance was integrated into their conditional access system.
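The timeline above layers three conditional access controls: MFA, sign-in risk, and device compliance. The following is an added example, not Plow Networks’ code or configuration: a small audit over an exported policy list that checks each control is actually enforced. It assumes the export follows the Microsoft Graph conditionalAccessPolicy JSON shape; the policy names, group ID and helper names are constructed for illustration.

```python
# Constructed sample export in the Microsoft Graph conditionalAccessPolicy shape.
# Display names and the group ID are placeholders, not Plow Networks' policies.
def make_policy(name, state, controls, risk=None, exclude=()):
    cond = {"users": {"includeUsers": ["All"], "excludeGroups": list(exclude)},
            "applications": {"includeApplications": ["All"]}}
    if risk:
        cond["signInRiskLevels"] = risk
    return {"displayName": name, "state": state, "conditions": cond,
            "grantControls": {"operator": "OR", "builtInControls": controls}}

SAMPLE = [
    make_policy("Baseline: require MFA", "enabled", ["mfa"]),
    make_policy("Risky sign-in: require MFA", "enabledForReportingButNotEnforced",
                ["mfa"], risk=["medium", "high"]),
    make_policy("Require compliant device", "enabled", ["compliantDevice", "mfa"],
                exclude=["<group-id-placeholder>"]),
]

def enforced_for_all(p):
    c = p["conditions"]
    return (p["state"] == "enabled" and "All" in c["users"]["includeUsers"]
            and "All" in c["applications"]["includeApplications"])

def mandates(p, control):
    g = p.get("grantControls") or {}
    controls = g.get("builtInControls", [])
    # Under operator OR any listed control satisfies the policy, so a control
    # is only mandatory when it is the sole option or the operator is AND.
    return control in controls and (g.get("operator") == "AND" or len(controls) == 1)

def audit(policies):
    findings = []
    live = [p for p in policies if enforced_for_all(p)]
    base = [p for p in live if not p["conditions"].get("signInRiskLevels")]
    if not any(mandates(p, "mfa") for p in base):
        findings.append("no enforced all-users policy mandates MFA")
    if not any(mandates(p, "compliantDevice") for p in base):
        findings.append("no enforced all-users policy mandates a compliant device")
    if not any(p["conditions"].get("signInRiskLevels") for p in live):
        findings.append("no enforced sign-in risk policy")
    for p in policies:
        if p["state"] == "enabledForReportingButNotEnforced":
            findings.append("report-only, not enforced: " + p["displayName"])
        if p["conditions"]["users"].get("excludeGroups"):
            findings.append("group exclusions to review: " + p["displayName"])
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

On the constructed sample, the audit reports that device compliance is optional (it is OR-ed with MFA), that the sign-in risk policy is still report-only, and that one policy carries a group exclusion to review.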

Business benefits of moving to a Zero Trust security posture

1. Accurate inventory of infrastructure

2. Flexibility when moving apps, data and services

3. Improved end-user experience

4. Streamlined security policy creation

5. Improved monitoring and alerting

6. An excellent investment against lost or stolen data
