How do you protect the IT infrastructure of the Canton of Zurich? Correct, with a holistic strategy and the Zero Trust approach from Microsoft. The basis for the project at the Office for Informatics of the Canton of Zurich was the protection of identities. Once the identities in this complex and regulated environment at the AFI ZH were secured, further projects could be realized based on that.
As an IT service provider for the administration of the Canton of Zurich, the Office for Informatics is the central competence center for informatics. The office was established in January 2018 to centrally, standardized, and efficiently provide and operate the IT basic services of the cantonal administration. Thanks to a secure basic infrastructure and trustworthy applications, the AFI advances the entire canton.
The situation before baseVISION: Challenges for the AFI ZH
- As a public-law administration, the AFI ZH is subject to cantonal data protection regulations
- Review by data protection officers and strict requirements regarding cloud solutions
- Obligation to keep the data in Switzerland
- Dependencies and complex environment
- No unified solution for identity protection
- Conventional IT infrastructure based on Windows 10
- Two-factor authentication must be ensured at all times
Together with baseVISION AG, a holistic and continuous solution was developed. The basis of the project was the protection of identities.
The vision: How security is increased with the protection of identities
- Protect the over 100,000 users and ensure their identities
- The basis of the vision is the Zero Trust approach to increase security
- Introduce hybrid entity and Azure AD
- Utilize the potential of the M365 suite (introduce E3 and the necessary security products of the E5 license)
«Dank dem durchgängigen und langfristigen Ansatz der baseVISION und einer klaren Roadmap konnte die Identität strukturiert geschützt werden, so dass alle rechtlichen Aspekte eingehalten wurden.»
Our solution: Implement Zero Trust model in practice
Microsoft’s Zero Trust model is based on three pillars. These three pillars were also the principle in the transformation of the AFI ZH.
Vertify explicity
Vertify explicity
With the introduced services, data can be collected and evaluated. Before entering the system, the identity is checked multiple times: Where does this user come from? Is there a risk? Who is behind it? Can the device be trusted?
- Introduction of Azure AD as a basis for the use of cloud services
- Consistent Two-Factor Authentication
- Conditional Access Policies
- Windows Hello for Business
- Design and setup of a 2-Tier Windows Public Key Infrastructure (PKI) with HSM integration
Use least privilege access
Use least privilege access
This approach was achieved by limiting access. Just-in-time and just-enough-access (JIT/JEA) and risk-based adaptive measures were introduced.
- Privilege Identity Management
- Admin account concept
Assume breach
Assume breach
This idea has always been in the background when it comes to protecting infrastructures. A foundation should be created that enables continuous monitoring and automatic threat detection.
- Secure onboarding
- Focus on possible attacks during implementation
«Die langfristige Zusammenarbeit mit ihren Kunden zeigt auf, dass die baseVISION die Philosophie von Microsoft verstanden hat und ihre Services optimal mit den Microsoft Technologien abstimmt. Die Services können so angepasst und langfristig sinnvoll bei Kunden eingesetzt werden können.»
Leading companies rely on us.
