The New Business Imperative: Identity Protection
My journey to my current role as the CVP of Microsoft’s Identity Division started with an engineering internship on Microsoft’s Exchange team in 1996. I’ve had the honor of partnering with countless businesses to help them transform their operations technologies from being hosted in a server down the hallway to a highly scalable data center in the cloud.
I’ve had a front row seat to the dramatic evolution of business and technology in the last 20 years. Presently, this evolution is being driven by two opposing technology trends: the transformative power of the cloud, and the mounting cost of cybercrime.
In the early days of my career, we experienced the Internet by trading email and geeking out on news groups with other “early adopters.” Now we live online, with dozens of online identities, constantly logging into everything from social media pages and corporate email to apps and shopping networks. For most of us, the Internet is literally “in our pocket” all the time – the ultimate realization of “information at your fingertips.” The Internet has become an indispensable utility as we go through our daily banking, shopping, communicating and working.
What we don’t always appreciate is that each one of our accounts – every single online identity – presents criminals with an opportunity to take value from the things those accounts guard, and sabotage our lives. Cybercriminals are patient, and persistent. On average, an attacker will lurk on a network for 140 days before they are detected. Acquiring someone’s credentials and using them to gradually elevate permission has become the most effective means of reaching lucrative company data.
Identities are the New Perimeter
Companies face remarkable pressure to ensure that their employee and customer data are protected. Proven benefits in productivity, efficiency, and cost savings are driving the economy’s mobile first, cloud first digital transformation. Realizing these benefits requires secure authentication in the new paradigm. Users are made more productive by highly personal and relevant information delivered at the right time and on the right device. SaaS apps running in third-party data centers and accessed from personal, mobile devices on remote networks are the norm in this brave new world. Realizing this promise in a world where you don’t own the device, the service, or the point of access requires embracing identity as the control plane, and protecting your data and identities in a cloud first, mobile first paradigm.
We all know that a single breach in trust can bring the largest business to a halt. To see this in action, look no further than the headlines on your favorite news site. Every week we hear about new data breaches and identity thefts where a single compromised credential leads to a staggering data loss.
• In 2016, more than three billion customer data records were lost to high-profile attacks
• More than 60 percent of all data breaches in 2016 can be traced back to compromised identities
As the Internet has graduated from basic websites to a constellation of services working together, establishing trusted identities has become critical for the web-based economy to function. Recent cyber attacks show how well criminals know that a compromised identity is the best way to gain illicit access.
The good news is that businesses have more identity management and security tools at their fingertips than ever before. Until fairly recently, preventing unauthorized access to data meant locking down a perimeter firewall and applying unique authentication and access control policies to every website, app or service on a network. This often led to increased support calls, decreased productivity and insecure work-arounds, such as carrying sensitive information on thumb drives.
Today, the tools available to secure a cloud first environment are both simpler and more effective against modern attacks: strong, policy-driven authentication systems backed by cloud intelligence and machine learning; rich device compliance solutions which ensure that when a device goes missing, the data on it remains safe; and document encryption technologies which don’t just keep documents from prying eyes, but let you know who opened them. All of these are available to the modern security administrator, and they can even work together to create an integrated defense network around the key assets in your company.
Great tools are not enough. We must adopt the right mindset in our battle against unauthorized access.
As I meet with CEOs and Chief Information Security Officers, I am encouraged to see more and more executives adopting an “assume breach” mindset. These leaders recognize that businesses need to shift their thinking on identity management to better secure their networks and information, which will in turn lead to increased productivity.
Companies that assume they’ve already been breached are more vigilant about monitoring login patterns and abnormal network interactions. They use the power of machine learning to quickly identify threats and anomalies before they culminate in more damaging attacks. Many of these capabilities may even be built into the same solutions used to manage and verify identities so that criminals cannot access the network in the first place:
• I have worked with a major financial company whose excellent internal forensics joined with my team’s detection systems to detect an attack in flight and stop the attacker before they were able to do harm. This response combined deep industry and company knowledge from the customer with our anomaly detection to quickly triangulate and intercept the attack.
• We have worked with governments who sustain ongoing and determined attacks to establish access policies that allow us to quickly identify “outlier” requests for challenge and scrutiny.
• Another services company benefitted tremendously from assisted analysis of on-premises traffic – because they assumed the bad guys were already there, they were able to detect and shut down the breach as soon as it did happen.
Conditional Access is Key
Using risk-based conditional access to improve identity management is quickly becoming standard procedure, in part because we’re finding new ways to reduce the burden on the user. Thanks to new authentication capabilities like biometric systems, users may no longer need to enter a password to enjoy the increased protection of multi-factor authentication.
An intelligent access management solution combines smart local authentication with conditional access criteria based on things like location, app or device compliance, and session risk scoring. These tools allow IT to embrace the reality of users defining the new corporate boundary.
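To make the two ideas above concrete (monitoring login patterns for anomalies, then feeding that signal into conditional access criteria such as location, device compliance and session risk), here is an added example. It is illustrative code written for this page, not Microsoft’s or Azure AD’s implementation; the user names, apps, countries, point values and thresholds are all constructed assumptions. Past sign-ins build a per-user baseline of countries and devices; a new sign-in is scored by how far it deviates from that baseline, and a small rule set turns the score and device compliance into allow, require MFA, or block.

```python
"""Added example (not Microsoft's code): per-user sign-in baselines feeding a
risk-based conditional access decision. Every name, threshold and event below
is constructed for illustration."""
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    REQUIRE_MFA = "require_mfa"   # step-up: user must present a second factor
    BLOCK = "block"


@dataclass(frozen=True)
class SignIn:
    user: str
    app: str
    country: str            # country the request appears to originate from
    device_id: str
    device_compliant: bool  # device meets the organisation's compliance policy


@dataclass
class Baseline:
    """What a user's past sign-ins look like: countries and devices seen before."""
    countries: set = field(default_factory=set)
    devices: set = field(default_factory=set)


# Hypothetical apps with a stricter policy than the default.
HIGH_VALUE_APPS = {"payroll", "admin-portal"}

# Risk points are integers so threshold comparisons are exact (all hypothetical).
NEW_COUNTRY = 50
NEW_DEVICE = 40
NONCOMPLIANT = 20
UNKNOWN_USER = 50
BLOCK_AT = 80
MFA_AT = 40


def build_baselines(history):
    """Learn each user's normal countries and devices from past sign-ins."""
    baselines = {}
    for s in history:
        b = baselines.setdefault(s.user, Baseline())
        b.countries.add(s.country)
        b.devices.add(s.device_id)
    return baselines


def risk_points(s, baselines):
    """Score how far a sign-in deviates from the user's baseline (0 = normal)."""
    b = baselines.get(s.user)
    if b is None:
        return UNKNOWN_USER          # no history at all: treat as medium risk
    points = 0
    if s.country not in b.countries:
        points += NEW_COUNTRY
    if s.device_id not in b.devices:
        points += NEW_DEVICE
    if not s.device_compliant:
        points += NONCOMPLIANT
    return min(points, 100)


def evaluate(s, baselines):
    """Apply conditional access rules, most restrictive first; first match wins."""
    r = risk_points(s, baselines)
    if r >= BLOCK_AT:
        return Decision.BLOCK, f"risk {r} >= {BLOCK_AT}"
    if s.app in HIGH_VALUE_APPS and not s.device_compliant:
        return Decision.BLOCK, f"{s.app} requires a compliant device"
    if r >= MFA_AT:
        return Decision.REQUIRE_MFA, f"risk {r} >= {MFA_AT}"
    if not s.device_compliant:
        return Decision.REQUIRE_MFA, "non-compliant device"
    return Decision.ALLOW, "matches baseline on a compliant device"


# Constructed sign-in history: alice works from the US on laptop lap-01,
# bob from the UK on lap-02.
HISTORY = [
    SignIn("alice", "mail", "US", "lap-01", True),
    SignIn("alice", "mail", "US", "lap-01", True),
    SignIn("alice", "payroll", "US", "lap-01", True),
    SignIn("bob", "mail", "GB", "lap-02", True),
]
BASELINES = build_baselines(HISTORY)


def triage(requests, baselines=BASELINES):
    """Evaluate a batch of sign-ins and return (user, app, decision, reason) rows."""
    return [(s.user, s.app, *evaluate(s, baselines)) for s in requests]


if __name__ == "__main__":
    new_requests = [
        SignIn("alice", "mail", "US", "lap-01", True),      # normal
        SignIn("alice", "mail", "US", "tab-07", True),      # new device
        SignIn("alice", "mail", "BR", "tab-07", True),      # new country and device
        SignIn("alice", "payroll", "US", "lap-01", False),  # compliance lapsed
        SignIn("carol", "mail", "US", "lap-09", True),      # no history
    ]
    for row in triage(new_requests):
        print(row)
```

Two design points carry over to real deployments: the rules are ordered so that a block can never be downgraded by a later, more permissive rule, and every decision returns the reason that fired, so an analyst reviewing “outlier” requests can see why a user was challenged rather than just that they were.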
By embracing new security paradigms and technologies alongside the new productivity paradigms, businesses can create more transformative user experiences and increase employee productivity while simultaneously reducing risk. Embracing identities as their perimeter, adopting an assume breach mindset, and setting conditional access policies can go a long way toward helping your business stay out of the headlines.