CONSTRUCTION GIANT GAINS COMPETITIVE EDGE WITH ZERO-TRUST APPROACH TO SECURITY
When The Walsh Group—one of the largest construction contractors in the United States—moved to the cloud, it realized it needed better ways to manage who accesses its systems. The company set up identity as the control plane—with Microsoft Azure Active Directory at the center and a zero-trust security stance to better protect access to all its resources. Now, The Walsh Group CIO says the company leads the industry in securing access to its hybrid environment, giving it a competitive advantage.
Like many organisations, The Walsh Group has been moving some of its IT to the cloud to take advantage of the lower total cost of ownership and reduced management overhead. But in doing so, it lost some control over how people sign in to use the systems because the company no longer hosts them in its own datacenters.
TRUST NOTHING
Today, the group is developing a zero-trust approach to enterprise security. Central to this are the conditional access features of Microsoft Azure Active Directory (Azure AD). As an example, The Walsh Group successfully blocked access to its IT from outside North America—the only continent it operates in.
After noticing an increase in sign-in attempts from employees on vacation, however, The Walsh Group broadened the list of countries people can sign in from, with added protection through conditional access. Now, if Microsoft Intune recognizes the vacationer’s sign-in device as compliant, the employee can sign in using multifactor authentication.
THE CHALLENGE OF KNOWING WHO’S WHO
Rewind to 2014, when identity management was emerging as a key area of corporate IT security. The Walsh Group turned to Microsoft for help in implementing a zero-trust strategy.
The initial requirement was a more secure way for employees at The Walsh Group to reset their own passwords, which was the most frequent ticket for the IT team. By providing a self-service option, IT staff would have more time for higher-value work, and people who forgot their passwords could reset them more quickly and securely and get right back to work.
A long-term Microsoft customer, The Walsh Group began working with the Microsoft Azure team to see how the company could benefit from Azure AD and its self-service password reset feature. The Walsh Group became an early adopter of Azure Active Directory Identity Protection and spent months working on its features with Microsoft.
A SECURITY ROADMAP EMERGES
Working with Microsoft on the self-service password reset project revealed two things: First, The Walsh Group had several areas where it could improve security across its hybrid infrastructure; second, it could plug these gaps with the tools available through its Microsoft 365 E5 subscription, which includes Office 365, Windows 10, and Enterprise Mobility + Security.
A WINDOW INTO HYBRID IDENTITY
Visibility across the enterprise is a recurring theme in The Walsh Group’s relationship with Microsoft. It deployed Microsoft Advanced Threat Analytics early on to identify what Nottoli calls blind spots in its networks—both on-premises and in the cloud.
Using tools like Azure AD Connect Health, the IT team gained transparency into some security issues related to Active Directory Federation Services. And the team used Microsoft Cloud App Security to identify the applications that employees use and which of them needed protecting or improving through single sign-on. Today, the team helps secure around 100 enterprise applications with Azure AD Identity Protection.
AN END-TO-END SECURITY STACK
The moral of the story is that The Walsh Group used the security and management capabilities built into Microsoft 365 to achieve a greater level of control over its hybrid environment than it could achieve on-premises. With the privileged account management features in Azure AD Privileged Identity Management, for example, the team reduced the number of employees with global admin rights from around 20 to just 3 or 4—another win for zero trust.
To protect its systems against malware and attacks across its cloud, email, and on-premises environments, The Walsh Group has deployed Azure Advanced Threat Protection (ATP), Office 365 ATP, and Microsoft Defender ATP, which reinforce one another, helping to detect and stop threats at every level of the company’s IT infrastructure.
The company is introducing Microsoft Information Protection, which it uses with Microsoft Exchange Online mail flow rules and Office 365 Message Encryption to encrypt email based on its sensitivity.