By Julie Jeffries, Director, Microsoft 365 and Security Business Group
While the pandemic caused most industries to rapidly shift to remote work, it also created new attack surfaces for cybercriminals to take advantage of. There have been many lessons learnt during this digital transformation, but a key takeaway is that the basics matter. According to our recent Digital Defense Report, password-based attacks remain the main source of identity compromise. In Azure Active directory, we observe 50 million password attacks dailyi.
The majority of security breaches today involve credential theft and lapses in cyber hygiene amplify the potential for risk to employees and organizations at large. This is why one of the primary components of a Zero Trust system is the ability to verify a user’s identity before access is granted to the corporate network. The need for strong identity is clear.
Identities are the common dominator across today’s many networks, endpoints and applications. In the Zero Trust security model, they function as a powerful, flexible and granular way to control access to data.
In a recent Zero Trust adoption survey, 66 per centii of organizations have currently implemented or are in the process of implementing strong identity, however, all organizations should be considering this strategy.
At Microsoft, we recommend four steps for implementing strong identity for a Zero Trust security model:
- Multi-factor authentication (MFA): With the evolution of hybrid work, employees and external contractors need to connect to organization resources from inside and outside the corporate networking, including from BYOD devices. Weak login credentials can provide attackers with easy entry to gain unchallenged access to corporate resources. MFA adds an additional layer of defense by requiring users to provide two or more forms of authentication to access an account. MFA can be in the form of something the user has such as a phone or other trusted device, something that makes up who they are such as a fingerprint or biometric, or something they know such as a password. MFA reduces the effectiveness of identity attacks by more than 99 per cent, and yet only 20 per cent of users are using strong authenticationsiii. Because we believe strong authentication is so critical to security, we have made MFA available across our solutions and services for free.
- Policy-based access: Organizations need ways to restrict access to applications and systems in certain circumstances. When user, device or session risk is detected, access policies can decide whether to block access to a requested resource or request more information for granting access. Azure AD conditional access can enforce policies for granting or blocking access and enforce session-controls that limit what users can do with their access.
- Secure access to SaaS and on-premises apps: Organizations need solutions that balance productivity and access resources securely. Having multiple usernames and passwords for different apps and services is a security risk, especially when you don’t control access to the app. By connecting sign-in experience for all your apps, on-prem, cloud and third-party SaaS apps, you gain better control, visibility and simplify user experience. Azure AD has an app gallery of thousands of pre-integrated third-party SaaS apps to simplify single sign on for your users, and you can add your own customer apps easily to the portal.
- Identity Protection: A compromised identity credential is all hackers need to gain entry into an organization and move laterally to access critical business systems and data. Organizations need a way to rapidly detect compromised identities and proactively prevent them from being misused. Azure AD identity protection uses adaptive machine learning to indicate potentially compromised identities and generates alerts that enable administrators to evaluate detected issues and take appropriate action.
All of these steps are the basis to building a strong Zero Trust security model, and in today’s climate, the speed and sophistication of threat actors far exceeds the speed that organizations are moving. The need to act is immediate. To learn more about Zero Trust and how your organization can get started, leverage the Zero Trust Deployment Center for Identity and this guide to examine important considerations for achieving seamless secure access.
i Based on Azure Active Directory protection telemetry as of August 2021
ii Zero Trust Adoption Report, July 2021, Hypothesis Group.
iii Based on Azure Active Directory protection telemetry as of August 2021.