As more organizations shift to the cloud, identity has become our most valuable digital asset. Digital identity can take on many forms, but for most it is the email address and different passwords we use to access online services or applications. This is the currency threat actors use to penetrate networks and steal credentials. Between January and December 2021, Microsoft detected and blocked more than 25.6 billion attempts to hijack enterprise customer accounts by brute-forcing stolen identities[i].
Cyber criminals use basic tactics of spear-phishing, social engineering attacks, and large-scale password sprays to steal easily guessed passwords to gain fast and easy access to customer accounts. The simplicity and low cost for cyber criminals to use identity-focused attacks makes them convenient and effective for bad actors. In the case of enterprise attacks, penetrating an organization’s network allows attackers to gain a foothold they can use to move either vertically, across similar users and resources, or horizontally, gaining access to more valuable credentials and resources.
Identities are the common dominator across today’s many networks, endpoints, and applications. In the Zero Trust security model, they function as a powerful, flexible, and granular way to control access to data.
In a recent Zero Trust adoption survey, 66%[ii] of organizations have currently implemented or are in the process of implementing strong identity; however, all organizations should be prioritizing this strategy.
At Microsoft, we recommend four steps for implementing strong identity for a Zero Trust security model:
- Multi-factor authentication (MFA): With the evolution of hybrid work, employees and external contractors need to connect to organization resources from inside and outside the corporate network, including from BYOD devices. Weak login credentials can provide attackers with easy entry to gain unchallenged access to corporate resources. MFA adds an additional layer of defense by requiring users to provide two or more forms of authentication to access an account. MFA can be in the form of something the user has such as a phone or other trusted device, something that makes up who they are such as a fingerprint or biometric, or something they know such as a password. MFA reduces the effectiveness of identity attacks by more than 99%[iii], and yet, as of December 2021, only 22% of users are using strong authentications[iv]. Because we believe strong authentication is so critical to security, we have made MFA available across our solutions and services for free.
- Policy-based access: Organizations need ways to restrict access to applications and systems in certain circumstances. When user, device or session risk is detected, access policies can decide whether to block access to a requested resource or request more information for granting access. Azure AD conditional access can enforce policies for granting or blocking access and enforce session-controls that limit what users can do with their access.
- Secure access to SaaS and on-premise apps: Organizations need solutions that balance productivity and accessing resources securely. Having multiple usernames and passwords for different apps and services is a security risk, especially when you don’t control access to the app. By connecting sign-in experience for all your apps, on-prem, cloud and third-party SaaS apps, you gain better control, visibility and simplify the user experience. Azure AD has an app gallery of thousands of pre-integrated third-party SaaS apps to simplify single sign-on for your users, and you can add your own customer apps easily to the portal.
- Identity Protection: A compromised identity credential is all hackers need to enter an organization and move laterally to access critical business systems and data. Organizations need a way to rapidly detect compromised identities and proactively prevent them from being misused. Azure AD identity protection uses adaptive machine learning to indicate potentially compromised identities and generates alerts that enable administrators to evaluate detected issues and take appropriate action.
All of these steps are the basics to building a strong Zero Trust security model, and in today’s climate, the speed and sophistication of threat actors far exceeds the speed that organizations are moving. The need to act is immediate. To learn more about Zero Trust and how your organization can get started, leverage the Zero Trust Deployment Center for Identity and watch this webinar to examine important considerations for achieving seamless secure access.
Julie Jeffries, Director, Security Business Group, Microsoft Canada.
[i] Cyber Signals Microsoft Corporation 2022
[iii] Based on Azure Active Directory protection telemetry as of August 2021.
[iv] Cyber Signals Microsoft 2022
Print this page
- Privacy bill sets out rules on use of personal data, artificial intelligence
- Quebec court approves $200.9M settlement against Desjardins over data breach