How Plow Networks implemented a Zero Trust Security Model.

Plow Networks had a mixed bag of users with non-standard identities. Some were plowgroup.com, while others were plow.net, and the email addresses didn’t always match so you never really knew what login to use for which system. From an administrative perspective this was time consuming to maintain. So, Plow Networks replaced non-standard identities with a single identity model and authentication converted to single-sign-on.

Plow Networks began by converting workgroup-based machines to Azure AD joined machines. Previously, Plow Networks did not have a decent inventory control platform. Additionally, they had no centralized control over the access into their workstations. Multi-factor authentication (MFA) was also rolled out and baseline conditional access policies were put into place.

Plow Networks did not have a Mobile Device Management (MDM) solution in place, so they implemented Microsoft Intune to allow for remote wiping of termed employees equipment, as well as enforcement of security standards on all Plow Networks equipment. Intune was chosen due to its integrations into the Zero Trust model and its Windows 10 policies. Additionally, Plow Networks enforced policies such as ‘known folder move’ and automatic login with OneDrive to act as a modern and scalable roaming profile solution that would also work in any future jump-boxes/end user equipment.

Because Plow Networks had AzureAD joined machines now with Intune being automatically rolled out, the next step was to implement AutoPilot. AutoPilot allowed for new machines to be automatically enrolled in the Zero Trust model and existing machines reloaded/reset in the field. When combined with the business’s Intune policies, their staff was right back to working within the hour.

Plow Networks moved away from their existing antivirus solution (BitDefender) in lieu of ‘Defender for Endpoint’. The main reasons being the lack of vulnerability management in BitDefender and, more importantly, the lack of communication between it and their authentication provider (AzureAD). Plow Networks now has visibility to every vulnerability on their monitored devices and can let staff know when their software needs to be updated. At this point, Plow Networks also began the testing and implementation of their attack surface reduction policies.

A remote jump box instance was built out in Plow Networks’ ‘Azure Virtual Desktop’ that abides by their security standards and has all the same policies as their end user devices. This allows an end user who isn’t near any protected equipment to still use a trusted and secured environment for work.

With Plow Networks’ devices reporting their telemetry into the AzureAD security graph, it was time to enable their risk-based security policies. These policies use Microsoft’s AI to calculate risk based on all the elements within the authentication context to determine an overall score for policy enforcement.

Plow Networks removed all global admins and implemented a privileged identity management solution with AzureAD. This means all administrative promotions must be documented and is monitored by all other administrative staff.

Conditional access policies were changed to take compliance standards into account when determining risk. Additionally, Plow Networks’ Jamf instance was integrated into their conditional access system.