Case Study Office for Information Technology Canton of Zurich
How do you protect the IT infrastructure of the canton of Zurich? That’s right, with a holistic strategy and Microsoft’s Zero Trust approach. The basis for the project at the Office for Information Technology of the Canton of Zurich (AFI ZH) was the protection of identities. Once identities had been secured in this complex and regulated environment at the AFI ZH, it was possible to build on this.
As the IT service provider for the administration of the Canton of Zurich, the Office for Information Technology is the central competence center for information technology. The office was founded in January 2018 to provide and operate the basic IT services of the cantonal administration in a centralized, standardized, and efficient manner. Thanks to a secure basic infrastructure and trustworthy applications, it moves Switzerland’s largest canton forward.
The situation before baseVISION: Challenges faced by the AFI ZH
- The AFI ZH is subject to the cantonal data protection regulations
- Audited by the data protection authorities, with strict requirements regarding cloud solutions
- Obligation to keep data within Switzerland
- Dependencies and complex environment
- No uniform solution for identity protection
- Conventional IT infrastructure based on Windows 10
- Two-factor authentication must be guaranteed at all times
Together with baseVISION, a holistic approach and an end-to-end solution were developed. As a first step, the project focused on identity.
The Vision: How to increase security with identity protection
- Protect the more than 100,000 users and secure their identities
- Base the vision on the Zero Trust approach to increase security
- Introduce hybrid identity and Azure AD
- Leverage the potential of the M365 range (introduce E3 and the necessary security features of the E5 license)
«Thanks to baseVISION’s consistent and long-term approach and a clear roadmap, identities were protected in a structured way and in compliance with all legal aspects.»
Daniel Bühlmann, Project Lead and chairman of the board at baseVISION AG
Our Solution: The Zero Trust model put into practice
Microsoft’s Zero Trust model is based on three pillars. These three principles were also the basis for the transformation of AFI ZH.
Verify explicitly
Use least privilege access
Assume breach
Verify explicitly
The Microsoft services that were introduced make it possible to collect and evaluate data. Before entering the system, a user’s identity is checked several times: Where is this user coming from? Is there a risk? Who is behind it? Can the device be trusted?
- Introduction of Azure AD as a basis for the use of cloud services
- End-to-end two-factor authentication was implemented
- Conditional Access policies
- Windows Hello for Business
- Design and development of a two-tier Windows Public Key Infrastructure (PKI) with HSM connection
Use least privilege access
This approach was implemented by limiting access. Just-in-time and just-enough-access (JIT/JEA) and risk-based adaptive measures were introduced.
- Privileged Identity Management
- Admin account concept
Assume breach
This idea has always been in the background when it comes to infrastructure protection. The aim was to create a basis that allows for continuous monitoring and automatic detection of threats.
- Secure onboarding
- Focus on possible attacks during implementation
«baseVISION’s long-term cooperation with its customers shows that it has understood the Microsoft philosophy and optimally aligns its services with Microsoft technologies. The services can therefore be adapted and used effectively by customers in the long term.»
Daniel von Büren, Technical Specialist for Security & Compliance, Microsoft
Most beneficial Microsoft technologies used
- Azure AD
- Conditional Access
- Windows Hello for Business
- Azure Application Proxy
- Privileged Identity Management
- Microsoft Security Baselines