Archive for the ‘Identity and access management’ Category

Barracuda and Microsoft: Securing applications in public cloud

June 18th, 2020

This blog was written by a MISA partner. To learn more about MISA, visit our website.

Barracuda Cloud Application Protection (CAP) platform features integrations with Microsoft Azure Active Directory (Azure AD) and Azure Security Center. A component of CAP, Barracuda WAF-as-a-Service is built on Microsoft Azure and provides advanced WAF capabilities in an easy to deploy and manage solution.

In our last blog, I spoke about how Barracuda and Microsoft are working together to remove barriers to faster public cloud adoption. That post focused on remote access, networks, and secure connectivity to the public cloud. This post shares some thoughts on how web applications in the public cloud are secured.

Accelerating digital transformation

As I mentioned last time, digital transformation is fundamentally changing today’s enterprises, making digital assets—data and applications—key to doing business. Organizations are increasingly competing based on their digital agility, and of course web applications are central to how digital businesses operate today.

In order to develop and update applications faster, organizations are deploying DevOps processes and agile methodologies, and they are moving their infrastructure to the cloud. However, while applications are developed and deployed faster than ever, secure coding practices have not kept pace, resulting in a constantly growing number of open vulnerabilities that can be exploited.

At the same time, the threat environment is continuously evolving and becoming more challenging. Hackers are getting more sophisticated; they are now professional criminals or even nation states. In addition to manual hacking attacks, bots and botnets are increasingly used to attack enterprise infrastructures through web applications. These automated exploits are often executed as Distributed Denial of Service (or DDoS) attacks, at both network and application layer. And of course, malware is constantly getting more advanced. The growth in the number of unprotected application vulnerabilities, coupled with the increase in hacking and malware, has resulted in a perfect storm of data breaches. So, application security is a key requirement for successful digital transformation. A recent Microsoft Build 2020 blog post focused on how Microsoft is helping developers build more secure applications.

Is the latest health crisis going to slow down the digital transformation process? In fact, it appears the opposite is occurring—it is acting as a catalyst. In the last blog, we discussed how the sudden increase in remote work is accelerating the network evolution. In addition, similar changes are occurring in the applications landscape.

As people stay at home due to government orders, they are increasingly transacting online. Brick-and-mortar stores are closed, and to stay in business retailers and other businesses are shifting all their operations online.

Leveraging public cloud for web applications

Such rapid scaling of online operations is difficult and expensive to achieve using traditional datacenters. Fortunately, public cloud providers such as Microsoft Azure provide robust platforms that allow customers to quickly scale up application infrastructure—now things can be completed in days or even hours, instead of weeks or months. And of course, the flexibility that comes with public cloud deployments is especially valuable now, as there is a lot of uncertainty about how long lockdowns will continue and whether online capacity will need to be reduced in the future.

We have seen a significant increase in hacking, DDoS, and bot attacks during the last couple of months, so in addition to scaling up online capacity, it is critically important to ensure security and availability. Using a complete application security platform is the best way to protect applications from all attack vectors, including hacking, DDoS, bots, and even API attacks.

Types and number of online threats in the public cloud.

In the new report, Future shock: the cloud is the new network [1], published in February, Barracuda surveyed 750 IT decision makers responsible for their organizations’ cloud infrastructure. We learned that organizations are well on their way to moving their infrastructure to public cloud, with 45 percent of IT infrastructure already running in the cloud today and rising to an estimated 76 percent in 5 years.

At the same time, the top concern restricting an even faster adoption of public cloud is security, with 70 percent of the respondents indicating that security concerns restrict their organizations’ adoption of public cloud.

If you look at the type of security issues that are the biggest blockers to public cloud adoption, the top two are sophisticated hackers and open vulnerabilities in applications. Also on the list are DDoS attacks and advanced bots/botnets, and from conversations with both customers and analysts since the onset of COVID-19, it appears that both DDoS attacks and bot attacks have spiked up even higher.

Barracuda Cloud Application Protection (CAP) platform is a comprehensive, scalable and easy-to-deploy platform that secures applications wherever they reside.


About Barracuda

At Barracuda we strive to make the world a safer place. We believe every business deserves access to cloud-enabled, enterprise-grade security solutions that are easy to buy, deploy, and use. We protect email, networks, data, and applications with innovative solutions that grow and adapt with our customers’ journey. More than 150,000 organizations worldwide trust Barracuda to protect them—in ways they may not even know they are at risk—so they can focus on taking their business to the next level. For more information, visit barracuda.com.

View our integration videos

For more information on Microsoft Security Solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.



[1] Future shock: the cloud is the new network, Barracuda, February 2020

The post Barracuda and Microsoft: Securing applications in public cloud appeared first on Microsoft Security.

Protecting your organization against password spray attacks

April 23rd, 2020

When hackers plan an attack, they often engage in a numbers game. They can invest significant time pursuing a single, high-value target, someone in the C-suite for example, and do “spear phishing.” Or, if they just need low-level access to gain a foothold in an organization or do reconnaissance, they target a huge volume of people and spend less time on each one, which is called “password spray.” Last December, Seema Kathuria and I described an example of the first approach in Spear phishing campaigns—they’re sharper than you think! Today, I want to talk about a high-volume tactic: password spray.

In a password spray attack, adversaries “spray” passwords at a large volume of usernames. When I talk to security professionals in the field, I often compare password spray to a brute force attack. Brute force is targeted. The hacker goes after specific users and cycles through as many passwords as possible using either a full dictionary or one that’s edited to common passwords. An even more targeted password-guessing attack is when the hacker selects a person and conducts research to see if they can guess the user’s password, for example by discovering family names through social media posts, and then tries those variants against an account to gain access. Password spray is the opposite. Adversaries acquire a list of accounts and attempt to sign into all of them using a small subset of the most popular, or most likely, passwords, until they get a hit. This blog describes the steps adversaries use to conduct these attacks and how you can reduce the risk to your organization.

Three steps to a successful password spray attack

Step 1: Acquire a list of usernames

It starts with a list of accounts. This is easier than it sounds. Most organizations have a formal convention for emails, such as firstname.lastname@company.com. This allows adversaries to construct usernames from a list of employees. If the bad actor has already compromised an account, they may try to enumerate usernames against the domain controller. Or, they find or buy usernames online. Data can be compiled from past security breaches, online profiles, etc. The adversary might even get some verified profiles for free!

Step 2: Spray passwords

Finding a list of common passwords is even easier. A Bing search reveals that publications list the most common passwords each year. 123456, password, and qwerty are typically near the top. Wikipedia lists the top 10,000 passwords. There are regional differences that may be harder to discover, but many people use a favorite sports team, their state, or their company as a password. For example, Seahawks is a popular password choice in the Seattle area. Once hackers do their research, they carefully select a password and try it against the entire list of accounts as shown in Figure 1. If the attack is not successful, they wait 30 minutes to avoid triggering a timeout, and then try the next password.


Figure 1:  Password spray using one password across multiple accounts.

Step 3: Gain access

Eventually one of the passwords works against one of the accounts. And that’s what makes password spray a popular tactic—attackers only need one successful password + username combination. Once they have it, they can access whatever the user has access to, such as cloud resources on OneDrive. Or they use the exploited account to do internal reconnaissance on the target network and get deeper into the systems via elevation of privilege.

Even if the vast majority of your employees don’t use popular passwords, there is a risk that hackers will find the ones that do. The trick is to reduce the number of guessable passwords used at your organization.
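Detection logic for the three-step pattern described above, written as an added example (it is not code from this post or from Microsoft): it groups failed sign-ins by source address and labels a source as a spray when it hits many distinct accounts with only a few attempts each inside a window wide enough to span the 30-minute pauses between passwords, as opposed to a brute force that hammers one account. The log format, user names and addresses are constructed for the example.

```python
"""Detecting password spray in sign-in logs (added example, not from the post)."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# One sign-in event per line: <UTC timestamp> <user> <source IP> <SUCCESS|FAILURE>.
# Format, users and IPs (documentation ranges) are all constructed for this example.
SAMPLE_LOG = """\
2020-04-23T09:00:01Z alice@contoso.example 203.0.113.7 FAILURE
2020-04-23T09:00:02Z bob@contoso.example 203.0.113.7 FAILURE
2020-04-23T09:00:03Z carol@contoso.example 203.0.113.7 FAILURE
2020-04-23T09:00:04Z dave@contoso.example 203.0.113.7 FAILURE
2020-04-23T09:00:05Z erin@contoso.example 203.0.113.7 FAILURE
2020-04-23T09:31:01Z alice@contoso.example 203.0.113.7 FAILURE
2020-04-23T09:31:02Z bob@contoso.example 203.0.113.7 FAILURE
2020-04-23T09:31:03Z carol@contoso.example 203.0.113.7 FAILURE
2020-04-23T09:31:04Z dave@contoso.example 203.0.113.7 SUCCESS
2020-04-23T09:31:05Z erin@contoso.example 203.0.113.7 FAILURE
2020-04-23T11:00:00Z grace@contoso.example 198.51.100.9 FAILURE
2020-04-23T11:00:01Z grace@contoso.example 198.51.100.9 FAILURE
2020-04-23T11:00:02Z grace@contoso.example 198.51.100.9 FAILURE
2020-04-23T11:00:03Z grace@contoso.example 198.51.100.9 FAILURE
2020-04-23T11:00:04Z grace@contoso.example 198.51.100.9 FAILURE
2020-04-23T11:00:05Z grace@contoso.example 198.51.100.9 FAILURE
2020-04-23T12:15:00Z alice@contoso.example 192.0.2.44 FAILURE
2020-04-23T12:15:20Z alice@contoso.example 192.0.2.44 SUCCESS
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (SUCCESS|FAILURE)$")


@dataclass(frozen=True)
class SignIn:
    when: datetime
    user: str
    source_ip: str
    success: bool


def parse_log(text):
    """Parse the constructed log format; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, user, ip, result = m.groups()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(SignIn(when, user.lower(), ip, result == "SUCCESS"))
    return events


def classify_source(failures, window, min_accounts, max_per_account, brute_threshold):
    """Label one source's failed sign-ins as 'spray', 'brute_force' or None."""
    # Spray: many distinct accounts inside one window, few tries each; the window
    # must span several 30-minute rounds. Brute force: many tries on one account.
    failures = sorted(failures, key=lambda e: e.when)
    in_window = Counter()            # accounts hit inside the sliding window
    most_accounts, start = 0, 0
    for e in failures:
        in_window[e.user] += 1
        while e.when - failures[start].when > window:   # drop events too old
            old = failures[start].user
            in_window[old] -= 1
            if in_window[old] == 0:
                del in_window[old]
            start += 1
        most_accounts = max(most_accounts, len(in_window))
    per_user = Counter(e.user for e in failures)
    busiest = per_user.most_common(1)[0][1] if per_user else 0
    if busiest >= brute_threshold:
        return "brute_force"
    if most_accounts >= min_accounts and busiest <= max_per_account:
        return "spray"
    return None


def detect(text, window=timedelta(hours=2), min_accounts=5,
           max_per_account=3, brute_threshold=6):
    """Return {source_ip: finding} for every source that looks like an attack."""
    by_ip = defaultdict(list)
    for e in parse_log(text):
        by_ip[e.source_ip].append(e)
    findings = {}
    for ip, events in by_ip.items():
        failures = [e for e in events if not e.success]
        kind = classify_source(failures, window, min_accounts,
                               max_per_account, brute_threshold)
        if kind is None:
            continue
        findings[ip] = {
            "kind": kind,
            "accounts_targeted": len({e.user for e in failures}),
            # a success from a spraying source is step 3 of the attack: alert on it
            "compromised": sorted({e.user for e in events if e.success}),
        }
    return findings
```

Calling detect(SAMPLE_LOG) flags 203.0.113.7 as a spray that succeeded against dave, flags 198.51.100.9 as a brute force against grace, and ignores the single mistyped password from 192.0.2.44; real tenants will need the thresholds tuned to their sign-in volume.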

Configure Azure Active Directory (Azure AD) Password Protection

Azure AD Password Protection allows you to eliminate easily guessed passwords and customize lockout settings for your environment. This capability includes a globally banned password list that Microsoft maintains and updates. You can also block a custom list of passwords that are relevant to your region or company. Once enabled, users won’t be able to choose a password on either of these lists, making it significantly less likely that an adversary can guess a user’s password. You can also use this feature to define how many sign-in attempts will trigger a lockout and how long the lockout will last.

Simulate attacks with Office 365 Advanced Threat Protection (Office 365 ATP)

Attack Simulator in Office 365 ATP lets you run realistic, but simulated phishing and password attack campaigns in your organization. Pick a password and then run the campaign against as many users as you want. The results will let you know how many people are using that password. Use the data to train users and build your custom list of banned passwords.

Begin your passwordless journey

The best way to reduce your risk of password spray is to eliminate passwords entirely. Solutions like Windows Hello or FIDO2 security keys let users sign in using biometrics and/or a physical key or device. Get started by enabling Multi-Factor Authentication (MFA) across all your accounts. MFA requires that users sign in with at least two authentication factors: something they know (like a password or PIN), something they are (such as biometrics), and/or something they have (such as a trusted device).

Learn more

We make progress in cybersecurity by increasing how much it costs the adversary to conduct the attack. If we make guessing passwords too hard, hackers will reduce their reliance on password spray.

Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity. For more information about our security solutions visit our website. Or reach out to me on LinkedIn or Twitter.


Turning collaboration and customer engagement up with a strong identity approach

April 6th, 2020

In these challenging times, it’s even more apparent that modern companies are managing a blended workforce that encompasses not only their full-time staff and customers but also their contractors, consultants, subsidiaries, suppliers, partners, and soon-to-be customers. Balancing frictionless collaboration and highly targeted engagement with privacy and security is not easy, but you don’t have to go it alone.

Now more than ever, reusing rather than reinventing is critical. When it comes to connecting to business partners or your customers, consumers, or citizens, you don’t need to create an identity management solution from scratch—you can leverage cloud-based identity and access management (IAM) and customer IAM (CIAM) for better engagement with all of your cohorts.

The new world of work

Even before workers transitioned home in large numbers, IT leaders were facing rapidly transitioning work models fueled by an increase in remote working, freelancer exchanges and platforms, and a geographically distributed workforce—trends that are only accelerated today by the uncommon circumstances imposed by COVID-19. Concurrently, interconnected and complex supply chains bring partners and suppliers directly into the business, where closer coordination is more important than ever. To get an idea of just how far “into the business” that goes: according to February 2020 Microsoft research, powered by Pulse, IT executives reported that 55 percent of external users outside their organizations belong to other businesses—for example, commercial customers, partners, and suppliers. And 98 percent of those respondents agreed that deepening collaboration and engagement with customers and business partners is how their company will be successful.

The net effect is that with all these entities logging into multiple corporate networks and segments, for many CISOs, “insider risk” includes a much broader set of actors than just the full-time workforce. And those CISOs are very concerned about insider risk—with 97 percent recently reporting that as their top concern. That’s why a flexible IAM solution is so important right now: implemented properly, it allows companies to engage and interact effectively with all cohorts while also keeping organizations and data private and secure. Let’s take a closer look at how.

Turning external collaboration up

There are many benefits of using a trusted CIAM solution; here’s a short list of the ones I’ve heard from CISOs are the most valuable.

  • Persistent identities—Almost everyone already has a digital presence and at least one associated ID from Google, Facebook, or Microsoft. Using persistent IDs means that customers and partners can re-use their existing identity and don’t have to worry about creating an entirely new login and password. This reduces friction and improves security.
  • Data transparency—When people use the same ID across multiple business and organizational systems, both they and the company have a more efficient method for reporting on data use and access. It also means that when a user requests that their history be wiped or corrected, they can easily confirm that appropriate action has been taken.
  • Better audit trails—Using those same IDs also supports compliance reporting, audit trails, and forensic investigations. Rather than having to stitch together multiple IDs to determine the path of an incident, like a data exfiltration event, security professionals can follow the activity of a single target ID. This also streamlines compliance reporting activity, reducing burdens on already overworked staff.
  • Improved security—Allowing partners and customers to bring their own ID also means that robust, enterprise-ready security can be brought along. Advanced technologies like multi-factor authentication (MFA) and conditional access with step-up authentication can be applied to all users, even those that don’t work for large companies with mature identity programs.
  • Enhanced experience—The best security professionals know that technology that makes users’ lives easier is the most effective. All of the above directly impact security, but if customers and partners aren’t excited about using a solution, they’ll go around it. Make sure low friction end-user experiences are supported across varied experiences from artificial intelligence (AI)-led guidance to new product and service recommendations.

In the coming days, we will share more guidance on how to collaborate securely with your business partners and other external users. Learn more about how security professionals can adapt to the increasing usage of collaboration applications and leverage risk-based Conditional Access for real-time deflection of dynamic attacks today. We hope these recommendations will help you enable uninterrupted operations for your organization in these challenging times. Stay safe and be well.


Making it easier for your remote workforce to securely access all the apps they need, from anywhere

March 31st, 2020

Since I published my last blog, Five identity priorities for 2020, COVID-19 has upended the way we work and socialize. Now that physical distancing has become essential to protect everyone’s health, more people than ever are going online to connect and get things done. As we all adjust to a new daily routine, the organizations we work for are turning to technology to help us collaborate and stay productive. In these challenging times, identity can make life simpler, both for people working from home and for IT administrators charged with keeping their environments secure.

In my previous blog, I advised connecting all applications and cloud resources to Azure Active Directory (Azure AD). If you’re like most organizations, your employees use a lot of apps, from popular software-as-a-service (SaaS) apps—including collaboration services like Zoom, Cisco Webex, Workplace from Facebook, or Box—to legacy web and on-premises applications. Making Azure AD the control plane across all your apps helps ensure your employees working from home have secure, seamless access to the tools and resources they need, while protecting those tools and resources from unauthorized access.

Making it easy for remote workers to access the apps they need

When you connect your apps to Azure AD, your employees only need to sign in once to access them, and they only need one set of credentials. To make on-premises web apps available without a cumbersome VPN, you can use Azure AD Application Proxy, while tools from our secure hybrid access partners like can provide access to. To get productive from wherever they are, your employees simply go to the My Apps portal, where they can find all the apps they have your permission to use.


Figure 1: Users can sign in once and access all the apps they need in a central place, the My Apps portal.

Enabling consistent, strong security across all your apps

With Azure AD, enabling productivity doesn’t shortchange security. Once you’ve connected your apps to Azure AD, you can apply custom security policies across your entire digital estate. Since even complex passwords get stolen, we recommend enforcing multi-factor authentication (MFA) for all accounts and applying Conditional Access policies for adaptive granular access controls. For example, when a user signs in, policies can determine whether to allow, limit, or block access based on their location, whether their device is compliant, and which app they’re trying to access.

Additionally, Microsoft Intune App Protection Policies can provide application-level controls and compliance, while maintaining a great user experience on any device. Intune app configuration policies can help keep work data safe by controlling or stopping people from sharing work data outside of trusted apps assigned to them.

Increasing IT efficiency with self-service and automation​

To reduce the burden on IT, Azure AD offers several tools to simplify management. Self-Service Password Reset lets users manage passwords on their own. Pre-integrated applications make it easy to enable single sign-on (SSO) with just a few clicks (Figure 2). Some companies, to help serve their communities. Automated provisioning of user accounts and apps makes onboarding significantly faster, so those new workers can get productive right away. For one customer, Mattress Firm, adding a new employee to their HR system automatically provisions their Azure AD user account and assigns them access to the appropriate applications within four hours.


Figure 2: Configure your apps for secure, seamless access with just a couple clicks.

Get free assistance connecting your apps to Azure AD

Many of our customers are moving rapidly to enable secure remote work during this current crisis, and we want to make sure you have everything you need. If you have subscriptions to Office 365 or Azure, you can use Azure AD to configure secure SSO for your 10 most critical apps for free. A license for Microsoft 365 gives you full access to Azure AD. For all our customers, we also offer complimentary deployment assistance through our FastTrack program.

As unprecedented numbers of people work remotely, the right tools, including Azure AD, can help keep them both protected and productive. Whatever your circumstances, we’re here to help. You can reach us via Twitter: @AzureAD.

Learn more

Learn how to use Azure AD to connect your workforce to all the apps they need from anywhere.


*This offer includes MFA via the Microsoft Authenticator app only.


Defending the power grid against supply chain attacks—Part 2: Securing hardware and software

March 23rd, 2020

Artificial intelligence (AI) and connected devices have fueled digital transformation in the utilities industry. These technological advances promise to reduce costs and increase the efficiency of energy generation, transmission, and distribution. They’ve also created new vulnerabilities. Cybercriminals, nation state actors, and hackers have demonstrated that they are capable of attacking a nation’s power grid through internet-connected devices. As utilities and their suppliers race to modernize our infrastructure, it’s critical that cybersecurity measures are prioritized.

In the first blog in the “Defending the power grid against cyberattacks” series, I walked through how the accelerated adoption of the Internet of Things (IoT) puts utilities and citizens at risk of attack from nation state actors. In this post, I’ll provide guidance for how utilities manufacturers can better protect the connected devices that are deployed in the energy industry.

Protect identities

If your organization supplies the energy industry, you may be targeted by adversaries who want to disrupt the power supply. One way they will try to access your company resources is by stealing or guessing user credentials with tactics like password spray or phishing. According to Verizon’s 2019 Data Breach Investigations Report, 80 percent of breaches are the result of weak or compromised passwords. Attackers target multiple people at a time, but they only need to succeed once to gain access.

Securing your company starts with safeguarding your identities. At the bare minimum, you should apply multi-factor authentication (MFA) to your administrative accounts. A better option is to require all users to authenticate using MFA. MFA requires that users sign in with more than just a password. The second form of authentication can be a one-time code from a mobile device, biometrics, or a secure FIDO2 key, among other options. MFA reduces your risk significantly because it’s much harder for an attacker to compromise two or more authentication factors.

Figure 1: You can use Conditional Access policies to define when someone is prompted to sign in with MFA.

Secure privileged access

In a supply chain attack, adversaries attack your organization to gain access to data and applications that will allow them to tamper with your product or service before it reaches its intended destination. Bad actors want to infiltrate your build environment or the servers that you use to push software updates. To accomplish this, they often target administrator accounts. Securing your administrative accounts is critical to protect your company resources. Here are a few steps you can take to safeguard these accounts:

  • Separate administrative accounts from the accounts that IT professionals use to conduct routine business. While administrators are answering emails or conducting other productivity tasks, they may be targeted by a phishing campaign. You don’t want them signed into a privileged account when this happens.
  • Apply just-in-time privileges to your administrator accounts. Just-in-time privileges require that administrators only sign into a privileged account when they need to perform a specific administrative task. These sign-ins go through an approval process and have a time limit. This will reduce the possibility that someone is unnecessarily signed into an administrative account.

Figure 2: A “blue” path depicts how a standard user account is used for non-privileged access to resources like email and web browsing and day-to-day work. A “red” path shows how privileged access occurs on a hardened device to reduce the risk of phishing and other web and email attacks.

  • Set up privileged access workstations for administrative work. A privileged access workstation provides a dedicated operating system with the strongest security controls for sensitive tasks. This protects these activities and accounts from the internet. To encourage administrators to follow security practices, make sure they have easy access to a standard workstation for other more routine tasks.

Safeguard your build and update environment

Bad actors don’t just target user accounts. They also exploit vulnerabilities in software. Many attacks take advantage of known vulnerabilities for which there are available patches. Keep software and operating systems up-to-date and patched to reduce your risk. Retire any technology that is no longer supported by the publisher and implement mandatory integrity controls to ensure only trusted tools run.

You also need to protect the software that your team writes. A proven and robust Secure Development Lifecycle (SDL) will guide your developers to build software that includes fewer vulnerabilities. Microsoft’s SDL includes 12 practices. For example, Microsoft SDL recommends that security and privacy requirements be defined at the beginning of every project. The guidelines also provide tips for managing the security risk of third-party software, performing threat modeling, and penetration testing, among other recommendations. By building security into the entire software process, the software you release will be more secure and less vulnerable to attack.

Assume breach

My recommendations will reduce your risk, but they won’t eliminate it entirely. To protect your company and customers, you’ll need to adopt an assume breach mindset. It’s not a matter of if you’ll be breached but when. Once you’ve accepted that you can’t prevent all attacks, put processes and tools in place that enable you to detect and respond to an incident as quickly as possible.

Endpoint detection and response solutions, like Microsoft Threat Protection, leverage AI to automate detection and response and correlate threats across domains. When incidents are detected, you will need an appropriate response. The National Institute of Standards and Technology (NIST) provides an incident response guide. You can also learn from Microsoft’s Security Response Center (MSRC), which shared how it developed an incident response plan.

Figure 3: An overview of an incident in Microsoft Threat Protection.

A good communication plan is an important component of a response plan. You will need to let customers know there was an incident and how you plan to address it. As the MSRC notes, “Clear, accurate communication builds confidence in the incident response process, maintains trust with customers, protects your brand, and is essential for fast effective response.”

Centralized IoT device management

In addition to operating a number of generation plants, utilities operate a network of thousands of substations and hundreds of thousands of miles of transmission and distribution lines. This requires them to deploy a large number of IoT devices to safely and efficiently deliver electricity to their customers. To effectively manage this network of IoT devices, suppliers should provide their customers with centralized IoT device management to update firmware, install security updates, and manage accounts and passwords.

Build trust

Protecting critical infrastructure from a destabilizing attack will require collaboration among utilities and suppliers in the industry. Device manufacturers and software publishers have a vital role to play in protecting critical infrastructure. By instituting and maintaining the security practices that I’ve recommended, you can dramatically reduce the risk to your organization and to the power grid.

Stay tuned for the final post in this series, “Part 3: Risk management strategies for the utilities industry,” where I’ll provide recommendations specifically for utilities.

Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.


Empower Firstline Workers with Azure AD and YubiKey passwordless authentication

March 12th, 2020

At the end of February, Microsoft announced the FIDO2 passwordless support for hybrid environments. The integration of FIDO2-based YubiKeys and Azure Active Directory (Azure AD) is a game changer. It combines the ubiquity of Azure AD, the usability of YubiKey, and the security of both solutions to put us on the path to eliminate passwords in the enterprise. Think about that for a moment. Imagine never being asked to change your password again, no more password spreadsheets or vault apps. No more phishing and password spray! Would it be too much to compare it to the moon landing? Probably. But it’s at least as monumental to security as the introduction of passwords themselves. Now think about how much passwordless authentication will improve everyday work for Firstline Workers. Today I’ll share why usability and user experience are so important and how you can modernize work (and security) while reducing costs for Firstline Workers. I’ll also provide advice on transitioning your hybrid environment to passwordless.

User experience matters

Do you want to know why attackers have been so successful? Because they’ve paid attention to user experience. The tools they use to trick users into handing over passwords have been carefully updated to feel legitimate to users. One tool even has a Help Desk, if you can believe that! And it’s working. Many users don’t even realize they’ve given up their password. Bad actors can focus on usability because the economics of hacking are cheap. They don’t have to be present to interrupt a sign-in, and they only need one password to gain access and move laterally to increase privileges. They don’t need a high success rate to achieve a good payoff, which allows them to take the time to get it right. They use that time to research companies for good targets and to improve the user experience of their phishing attempts.

Yubico understands the importance of usability and makes security tools accessible and easy to use. Our flagship product, YubiKey, was designed with these principles in mind. The YubiKey is a hardware token with a secure cryptographic element that supports the FIDO2 standards. It is not a password storage device, nor does it contain any personal information. With traditional passwords, the server asks for a password, and once the user hands it over, the server has no way to tell whether the party presenting it is the legitimate user or someone who phished or guessed it. With a YubiKey, the server sends a random challenge instead. The user plugs the key in and touches it, and the key signs the challenge with a private key that never leaves the hardware. Because the signature is also bound to the web origin the browser is actually talking to, a signature produced for a look-alike phishing site is worthless at the real one, and there is no reusable secret for an attacker to capture. Touching the key requires the user to be physically present, which removes the remote account takeover that lets cybercrime scale: attackers succeed today precisely because they can work from anywhere in the world.

Equally important is its simplicity. Users don't need to find a code on a separate device or remember a complicated password; the key is unlocked with a short PIN that is set once and is verified on the key itself, never sent to the server. The same key can be used across all their devices and accounts, and you can attach it to a keychain.

Transform the Firstline Worker experience, securely

The biggest opportunity for the Azure AD and YubiKey integration to make a real difference is with Firstline Workers. Firstline Workers are more than 2 billion people worldwide who work in service- or task-oriented roles across industries such as retail, hospitality, travel, and manufacturing. They are often mobile, and many serve as the first touchpoint with your customers. Incredibly important to your business, they have been underserved by the cloud revolution. Firstline Workers typically aren’t issued a computer, and the computers they do use may not have a lot of connectivity. This makes it difficult to stay connected to corporate communications or interact digitally with coworkers. It can also prevent them from efficiently doing their jobs. For example, it can be challenging to serve customers if an employee needs to sign into an available computer to answer a question.

There are a lot of hidden costs to password resets. To avoid them, Firstline Worker passwords often never change, and these workers have developed the same familiar bad habits as office workers: they write down passwords or reuse the same one across multiple sites. Lurking in the wings are the bad actors who need just one password to infiltrate your organization.

YubiKey reduces that risk and empowers your Firstline Workers. With a YubiKey, users can easily move from device to device. This can dramatically improve the work experience, and it also drives better business outcomes. One call center that implemented YubiKey authentication cut its sign-in process from 13 steps to six, more than halving it. Reducing time spent signing in can drive large cost reductions.

The Azure AD and YubiKey integration can support your digital transformation goals in the field. Firstline Workers will easily access the information they need whether that is for customer service or building new products—with significantly less risk of an account takeover.

Transition your hybrid environment to passwordless

YubiKey is a good fit for companies that are invested in Microsoft technology because the device includes several generations of solutions. It works with legacy applications (we can protect anything from Windows XP on up) and cloud solutions like Azure and Office 365. It can support one-time passwords (OTP) with Active Directory or smart card (PIV) sign-in. If you use Active Directory Federation Services to authenticate, there is a plugin that integrates with your on-premises deployment. It's also compatible with cloud-based authentication, and we are working with Microsoft on integration with Azure Active Directory. Our latest YubiKey 5 Series supports the following authentication technologies:

  • FIDO2
  • U2F
  • PIV
  • Yubico OTP
  • OATH HOTP

As a first step towards passwordless, no matter your environment, start by implementing multi-factor authentication (MFA) everywhere, using the YubiKey as a hardware-based second factor alongside the username and password. Once every sign-in already requires the key, removing the password becomes a policy change rather than a new rollout.

Learn more

Yubico is committed to developing new technology to help users trust what they are doing online. We are working with Microsoft to build the latest and greatest into Azure AD. Join us at one of our co-hosted workshops with Microsoft where we will walk you through how you can plan your journey towards eliminating passwords.

Read Alex Simons' blog announcement about Azure Active Directory support for FIDO2 security keys. For more information on Microsoft Security solutions, visit https://www.microsoft.com/en-us/security/business.

The post Empower Firstline Workers with Azure AD and YubiKey passwordless authentication appeared first on Microsoft Security.

Microsoft identity acronyms—what do they mean and how do they relate to each other?

March 2nd, 2020 No comments

As a security advisor working with one to three Chief Information Security Officers (CISOs) each week, the topic of identity comes up often. These are smart people who have often been in industry for decades. They have their own vocabulary of acronyms that only security professionals know such as DDoS, CEH, CERT, RAT, and 0-Day (if you don’t know one or several of these terms, I encourage you to look them up to build your vocabulary), but they often find themselves confused by Microsoft’s own set of acronyms.

This is the first in a blog series that aims to lessen some confusion around identity by sharing with you some of the terms used at Microsoft. Terms like MFA, PIM, PAM, MIM, MAM, MDM, and a few others. What do they mean and how do they relate to each other?

Multi-Factor Authentication or MFA

Let’s start with what identity means to Microsoft. Identity is the ability to establish, clearly and without doubt, who or what a person, device, location, or application is. This is done by verifying the entity's claims about itself, and the strongest everyday tool for that is Multi-Factor Authentication, or MFA: a combination of capabilities that allow the entity to establish trust and prove who or what it is.

MFA is an authentication method in which a computer user is granted access only after successfully presenting two or more pieces of evidence (or factors) to an authentication mechanism: something the user and only the user knows (such as a password or PIN), something the user and only the user has (such as a mobile device or FIDO key), and something the user and only the user is (a biometric such as a fingerprint or iris scan).

Microsoft does this with technologies such as Azure Active Directory (Azure AD) in the cloud combined with Windows Hello. Azure AD is Microsoft’s identity and access management solution. Windows Hello is a Windows capability that lets a user verify who they are with facial recognition, a fingerprint, or a PIN. The biometric template and the PIN never leave the device; they unlock a private key protected by the device's TPM, and only the corresponding public key is registered with Azure AD, so nothing that could be replayed is stored in the cloud or sent over the wire. A cryptographic hash, by contrast, is a one-way, fixed-size digest that lets someone prove they know the original input (for example, a password) without revealing it, and that an input (for example, a document) has not been modified; it is how systems that still rely on passwords store them without keeping the password itself.

Privileged Identity Management or PIM

What is Privileged Identity Management or PIM? Organizations use PIM to assign, activate, and approve privileged identities in Azure AD. PIM provides time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access permissions to sensitive resources.

Key features of PIM include:

  • Just-in-time privileged access to Azure AD and Azure resources.
  • Time-bound access to resources.
  • An approval process to activate privileged roles.
  • MFA enforcement.
  • Justification to understand why users activate.
  • Notifications when roles are activated.
  • Access reviews and internal and external audit history.

Privileged Access Management or PAM

What is Privileged Access Management or PAM? Often confused with PIM, PAM is a capability to help organizations manage privileged identities in existing on-premises Active Directory environments. PAM is a feature of Microsoft Identity Manager (MIM) that applies the same just-in-time, time-bound model as PIM, but to on-premises AD: privileged accounts are moved into a separate, hardened bastion forest, and users receive temporary membership in privileged groups from there. Confused? Let me explain.

PAM helps organizations solve a few problems including:

  • Making it harder for attackers to penetrate a network and obtain privileged account access.
  • Adding protection to privileged groups that control access to domain-joined computers and the applications on those computers.
  • Providing monitoring, visibility, and fine-grained controls so organizations can see who their privileged admins are and what they are doing.

PAM gives organizations more insight into how admin accounts are being used in the environment.

Microsoft Identity Manager or MIM

But I also mentioned MIM… What is this? Microsoft Identity Manager or MIM helps organizations manage the users, credentials, policies, and access within their organizations and hybrid environments. With MIM, organizations can simplify identity lifecycle management with automated workflows, business rules, and easy integration with heterogeneous platforms across the datacenter. MIM enables Active Directory to have the right users and access rights for on-premises apps. Azure AD Connect can then make those users and permissions available in Azure AD for Office 365 and cloud-hosted apps.

OK, so now we know that:

  • PIM is a capability to manage privileged role assignments in Azure AD and Azure, just in time and for a limited time.
  • PAM is an on-premises capability, delivered through MIM, to manage privileged access in Active Directory.
  • MIM helps organizations manage users, credentials, policies, and on-premises access.

Mobile Application Management or MAM

What’s left… Oh yes: Mobile Application Management or MAM. MAM is important because if organizations can only manage identities, but not the apps that handle the data, they miss a key aspect of protecting that data. MAM is part of Microsoft Intune and is a suite of management features to publish, push, configure, secure, monitor, and update mobile apps for users.

MAM works with or without enrollment of the device, which means organizations can protect sensitive data on almost any device using MAM-WE (without enrollment). If organizations enable MFA, they can verify the user on the device. MAM also controls which apps the trusted user or entity can access and what those apps may do with corporate data, such as copying it, pasting it, or saving it to personal storage. If you add in the Mobile Device Management or MDM feature of Intune, you can require enrollment of devices and then use MAM to manage the apps.

It’s well known that Microsoft has a lot of acronyms. This is the first in a series of blog posts aimed at helping you navigate the acronym forest created by companies and industry. The Microsoft platform includes a powerful set of capabilities to help encourage users to make the right decisions and gives security leadership, like you, the ability to manage and monitor identities and control access to critical files and network assets.

The post Microsoft identity acronyms—what do they mean and how do they relate to each other? appeared first on Microsoft Security.

Changing the Monolith—Part 4: Quick tech wins for a cloud-first world

February 13th, 2020 No comments

You may have heard that identity is the “new” perimeter. Indeed, with the proliferation of phishing attacks over the past few years, one of the best ways to secure data is to ensure that identity—the primary way we access data—can be trusted.

How do we secure identity?

Start by evaluating how users are authenticating to all applications inside and outside the organization. I say all applications, because it doesn’t take much effort for a hacker to pivot from a low-value, non-sensitive application to a high-value and highly-sensitive application, quickly gaining access to confidential or restricted data.

Similarly, Multi-Factor Authentication (MFA) must be enforced for all users as well, not just highly privileged users. Remember that it is simple for bad actors to pass-the-hash, run a Golden Ticket Attack, or use other techniques to elevate their privileges and gain access to sensitive data.

Modern authentication encourages us to retire vulnerable legacy authentication methods such as NTLM, and to reduce our reliance on Kerberos ticketing, whose hashes and tickets are exactly what pass-the-hash and Golden Ticket attacks steal, forge, and reuse. Additionally, modern authentication requires that we rely on more than one factor of authentication for all users. These factors range from something you know (a password or PIN), something you have (a hardware token, a soft token, or the device that generates a one-time password), or something you are (biometrics like 3D facial recognition or fingerprint matching).

Image of a worker approving a sign-in from his phone.

Start with MFA.

Requiring MFA for all applications, whether on-premises or in the cloud, is a great start. When choosing the second factor, prefer an authenticator app or a one-time password mechanism over text-back codes or phone calls: SMS and voice can be intercepted through SIM swapping and carrier spoofing. Bear in mind, though, that a one-time code or push approval is still phishable in real time by a proxy that relays it to the legitimate site within its validity window; it raises the bar but does not remove the phishing risk.

The least vulnerable MFA mechanism is FIDO2, which uses a biometric device or a USB hardware token like YubiKey and binds each signature to the genuine site's origin, so a relayed or phished response is useless. Complement it with risk-based conditional access: machine learning systems that evaluate Zero Trust and time-of-authentication context and can allow, step up, or block the sign-in accordingly.

Here is the context commonly evaluated by machine learning authentication systems:

  • Can an authentication token be obtained?
  • Does the user have a valid username, password, and a second form of authentication (MFA), like a biometric validation (fingerprint or 3D facial recognition) through an authenticator app?
  • What is the risk score of the user?
  • Is the user authenticating from two places at nearly the same time (Impossible Traveler)?
  • Has the user’s password been discovered on the Dark Web because of an account and password database breach?
  • Is this a reasonable time for the user to be signed in based upon past behavior?
  • Is the user signing-in from an anonymous source like a Tor exit node?
  • What is the risk score of the device?
  • Has the device experienced unresolved risk in the last several days?
  • Has the machine been exposed to malware?
  • Is the machine running a high-risk application?
  • Are the antimalware signatures up to date?
  • Are all the critical and high software patches applied?
  • Are there sensitive documents on the device?
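
To show how such signals turn into a decision, here is an added, rule-based stand-in for the scoring that a risk engine like Azure AD's does with machine learning. It is not Microsoft code, and the weights, thresholds, Tor exit-node list, device posture fields and sign-in history are all constructed for the illustration. It scores impossible travel with a great-circle distance check, anonymous IPs, leaked credentials, atypical hours and device posture, then maps the total to allow, require MFA, or block.

```javascript
// Added example: a toy risk-based conditional access evaluator over the kinds of
// signals listed above. Not Azure AD's engine; all weights and data are constructed.

const TOR_EXIT_NODES = new Set(['198.51.100.7']);   // constructed sample exit-node list

// Great-circle distance in km between two { lat, lon } points (haversine formula).
function haversineKm(a, b) {
  const R = 6371;
  const rad = (deg) => (deg * Math.PI) / 180;
  const dLat = rad(b.lat - a.lat);
  const dLon = rad(b.lon - a.lon);
  const h = Math.sin(dLat / 2) ** 2 +
            Math.cos(rad(a.lat)) * Math.cos(rad(b.lat)) * Math.sin(dLon / 2) ** 2;
  return 2 * R * Math.asin(Math.sqrt(h));
}

// Scores one sign-in against the user's earlier sign-ins and the device's posture.
// Returns { decision, score, reasons } with decision one of allow | require_mfa | block.
function evaluateSignIn(event, history, device) {
  const reasons = [];
  let score = 0;
  const mine = history.filter((e) => e.user === event.user && e.time <= event.time);

  // User risk: impossible travel (faster than any airliner) since the last sign-in
  const prev = mine[mine.length - 1];
  if (prev) {
    const km = haversineKm(prev.geo, event.geo);
    const hours = Math.max((event.time - prev.time) / 3600000, 1 / 60);
    if (km > 500 && km / hours > 900) {
      score += 40;
      reasons.push(`impossible travel: ${Math.round(km)} km in ${hours.toFixed(1)} h`);
    }
    // Atypical hour: more than two hours from any hour this user has signed in at before
    const hour = new Date(event.time).getUTCHours();
    const near = mine.some((e) => {
      const d = Math.abs(new Date(e.time).getUTCHours() - hour);
      return Math.min(d, 24 - d) <= 2;
    });
    if (!near) { score += 15; reasons.push('atypical sign-in time'); }
  }
  if (TOR_EXIT_NODES.has(event.ip)) { score += 30; reasons.push('anonymous IP (Tor exit node)'); }
  if (event.credentialLeaked) { score += 50; reasons.push('credentials found in a breach dump'); }

  // Device risk
  if (!device.patchesCurrent) { score += 10; reasons.push('critical/high patches missing'); }
  if (device.avSignatureAgeDays > 7) { score += 10; reasons.push('antimalware signatures stale'); }
  if (device.malwareLast7Days) { score += 40; reasons.push('unresolved malware in the last 7 days'); }
  if (device.highRiskApp) { score += 10; reasons.push('high-risk application installed'); }

  const decision = score >= 60 ? 'block' : score >= 20 ? 'require_mfa' : 'allow';
  return { decision, score, reasons };
}

// Constructed sample data: Alice normally signs in from Seattle at 16:00 UTC.
const T0 = Date.UTC(2020, 1, 13, 16, 0, 0);
const SEATTLE = { lat: 47.61, lon: -122.33 };
const KYIV = { lat: 50.45, lon: 30.52 };
const HEALTHY = { patchesCurrent: true, avSignatureAgeDays: 1, malwareLast7Days: false, highRiskApp: false };
const NEGLECTED = { patchesCurrent: false, avSignatureAgeDays: 30, malwareLast7Days: false, highRiskApp: false };
const HISTORY = [{ user: 'alice', time: T0, ip: '203.0.113.10', geo: SEATTLE }];

// Runs three constructed sign-ins through the evaluator and returns the verdicts.
function demo() {
  return [
    // same city an hour later, healthy laptop
    evaluateSignIn({ user: 'alice', time: T0 + 3600000, ip: '203.0.113.10', geo: SEATTLE }, HISTORY, HEALTHY),
    // Kyiv thirty minutes after Seattle, from a Tor exit node
    evaluateSignIn({ user: 'alice', time: T0 + 1800000, ip: '198.51.100.7', geo: KYIV }, HISTORY, HEALTHY),
    // new user with no history, unpatched device with stale signatures
    evaluateSignIn({ user: 'bob', time: T0, ip: '203.0.113.55', geo: SEATTLE }, HISTORY, NEGLECTED),
  ];
}
```

The point of the stand-in is the shape of the decision, not the numbers: user signals and device signals are scored independently and combined, and the output is an access control verdict that a policy can act on, not a binary password check.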

Enforcing MFA through a single, unified identity provider reduces the success of phishing attacks that rely on password reuse or social engineering. With web-based Authentication-as-a-Service (AaaS) offerings, MFA is easy to implement across the enterprise. Modern operating systems now offer strong device-bound sign-in out of the box, including Windows Hello on Windows 10, Touch ID and Face ID on macOS and iOS, and biometric unlock on Android. Most modern on-premises and cloud applications should be able to consume SSO standards such as SAML or OpenID Connect for authentication and OAuth 2.0 for authorization.

Moving toward a secure SSO posture

Implementing a single identity source for all applications leads the organization to a better and less time-consuming and complicated user experience, and an arguably more secure SSO posture by:

  • Reducing the number of passwords that users need to remember or save—quite often insecurely—to access their applications.
  • Introducing pass-through authentication and authorization, so that once a user authenticates to an operating system, they have unprompted access to both on-premises and cloud apps, using the same security token created when they signed in to the operating system using MFA.
  • Reducing the threat of untimely termination/missed identity decommissioning by decreasing “identity sprawl,” which is what you encounter when your organization has multiple identities in multiple applications per user. That is sometimes the result of non-integrated entities or not yet integrated entities and affiliates. B2B approaches to SSO can be explored to solve the problems associated with not integrating a business unit or operating group into the organization’s core directory.

Image of a hand hovering over a keyboard.

Considering user satisfaction is critical.

MFA and SSO together increase user satisfaction, making the CISO a business enabler rather than a productivity and collaboration roadblock. Cloud-based MFA and SSO directory systems have been shown to be more available than on-premises directory or federation services, with many cloud providers offering 99.9 percent uptime. A three-nines Service Level Agreement (SLA) is challenging to achieve on-premises with limited IT staff and budget!

Stay tuned

Stay tuned for the next installment of my Changing the Monolith series. In the meantime, check out the first three posts in the series:

Also, bookmark the Security blog to keep up with our expert coverage on security matters and follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Changing the Monolith—Part 4: Quick tech wins for a cloud-first world appeared first on Microsoft Security.

Mattress Firm deployed Azure Active Directory to securely connect Firstline Workers to their SaaS apps and to each other

February 13th, 2020 No comments

Today, we have another interesting story for the Voice of the Customer blog series. Tony Miller and Jon Sider of Mattress Firm deployed Azure Active Directory (Azure AD) to create a secure authentication experience for employees, including their Firstline Workforce. Much like sleep and a good mattress provide the foundation for a productive and enjoyable life, Tony and Jon show how Azure AD provides the secure foundation for a connected omnichannel experience. They were able to cut internal costs, quickly onboard their Firstline Workers, connect their employees to each other, and deliver a better authentication experience.

Read more from Tony and Jon to learn how you can use Azure AD to improve your customer experience.

Azure AD simplifies user provisioning and protects Firstline Workers’ identities

As America’s largest specialty mattress retailer, Mattress Firm aims to deliver a personalized experience to all our customers no matter how they interact with us. An exceptional customer experience requires a connected workplace. When a customer makes a purchase online and then visits a store for a second purchase, our sales associates, or “Firstline Workers,” should understand their full story and total lifetime value. If a customer needs to change the delivery time of a mattress, it should be easy for a customer services rep to contact the driver and reschedule the delivery. These connection points are invisible to the customer but can turn an ordinary interaction into a great one. To help us realize this aspiration, we deployed several Microsoft 365 products—one of which was Azure AD—to securely and simply unite communication across corporate and all the stores.

The foundation of strong cross-company collaboration is secure and simple user authentication. Our sales associates access several different software-as-a-service (SaaS) and on-premises apps to communicate and complete tasks. Many of these apps require a separate account, which meant users signed into multiple accounts throughout the day. We were concerned that some were reusing passwords, opening us up to risk. Our identity team was also overburdened. They were responsible for setting up accounts for each user, updating permissions as needed, and revoking accounts when users left the company. To resolve these challenges, we deployed Azure AD, which allowed us to decrease the size of the identity team, deliver a simpler user access experience to our employees, and gain more visibility into security threats.

Migrated identity and access management from Okta to Azure AD

Before we selected Azure AD, we investigated various identity and access management (IAM) options. We had previously deployed Okta, which fulfilled many of our requirements. However, we were simultaneously increasing our investment in Microsoft 365. We reviewed both Okta and Azure AD and discovered that Azure AD delivers better controls and security for Office 365 and its data than Okta at a much lower cost in addition to single sign-on (SSO) to other applications. At that point it was an easy sell, and we migrated all our users to Azure AD.

Decreased the size of the identity team

We are a large company with over 8,500 employees, stores in 49 states across the country, and 73 distribution centers across the biggest markets. Our physical footprint allows us to deliver a mattress within an hour to 89 percent of the population. Like many retailers we have a lot of employment churn. Each day, we process between 10 and 100 user identity status changes. Before Azure AD, a team of 12 people was responsible for provisioning the right accounts and access to each user. Twelve people is a large team, but it was required because for each change—whether that was a new hire, a promotion, or someone leaving the company—an identity team member needed to manually grant access or change privileges to them one at a time. This took a lot of time, and it was error prone.

Once we deployed Azure AD and set up automated provisioning, the onboarding process sped up significantly. Today, someone in human resources sets up a new employee in our HR system and within four hours the employee is onboarded to all their accounts. Our Identity Manager was able to redeploy most of the people on the provisioning team to higher priority work. Now there are just two people who manage the environment. We’ve realized a huge cost savings from this transition—about $500,000 per year in hard dollars, but tons of soft costs saved!

Infographic explaining Azure AD automated provisioning, with Azure AD in the middle; Active Directory, Cloud HR, and SCIM surrounding it.

Azure AD automated provisioning simplifies the process of provisioning the right access and applications to each user.

Delivered a simpler and more secure user access experience

Our users have also benefited from the rollout of Azure AD and automated provisioning. We enabled SSO so users can sign in once and access all the apps they need for work. We integrated Azure AD with about 40 apps, including Workday, Back Office, Salesforce, our VOIP administrator, Citrix, Tools video, Microsoft Dynamics 365, Concur, Tableau, WebEx, our benefits portal, our 401K provider, and all the Office 365 apps. Our employees love the new process. It is now rare that they must use another account to access work apps.

Infographic showing apps connected to Azure Active Directory.

With Azure AD SSO, users sign in once and have access to all their apps.

Azure AD has also given us peace of mind. Our customers provide a full set of information when they purchase a mattress from us. They trust us to protect their first-party data. Azure AD offers tools to better safeguard our identities. We control access to the first-party data based on employment status. We also enabled Multi-Factor Authentication (MFA) to Workday and off-premises sign-ins. That means whenever a user attempts to sign in to Workday or if they attempt to access any other system from off-site, we force a second form of authentication. Users get a secure code from the Microsoft Authenticator app, which validates their identity with Azure AD. This significantly reduces our security risk, and employees find it easy to use—a win for everybody.

We also enabled conditional access policies to reduce or block access when sign-in circumstances are risky. For example, Azure AD can evaluate the riskiness of a client app or the location of a user trying to gain access. If the risk is high enough, we can block access or force a password reset to confirm identity. Another good example of our conditional access approach is the leave of absence policy. While users are on a leave, we limit the apps they can access to the ones they really need: Workday and our benefits portal. These flexible, customizable policies strike the right balance between enabling productivity while minimizing our exposure.

Infographic showing signals (user, location, device, app, real-time risk) being verified (allowed, requiring MFA, or blocked).

Azure AD can evaluate user and location, application, device, and real-time risk before allowing access.

Improved threat visibility

Security doesn’t end with our access policies. Azure AD also provides tools that Security Operations (SecOps) use to better understand security incidents. The Azure AD authentication logs and the Office 365 application access information provide useful insights. We now better understand when users try to access applications with VPNs or from unauthorized networks. This intelligence informs our security strategy and policies.

Azure AD has provided the foundation for a secure and connected employee experience. As we operationalize communication tools like Microsoft Teams, we are confident that the information that employees share is less likely to get compromised. Employees are empowered to work together to meet and exceed customer expectations. We rest easy because our customer data is more secure.


I hope you’re able to apply Mattress Firm’s learnings to your own organization. For more tips from our customers, take a look at the other stories in the Voice of the Customer blog series. Also, check out the Mattress Firm case study to see how other Microsoft 365 solutions have helped them improve the customer experience.

Here are several additional resources:

Finally, bookmark the Security blog to keep up with our expert coverage on security matters and follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Mattress Firm deployed Azure Active Directory to securely connect Firstline Workers to their SaaS apps and to each other appeared first on Microsoft Security.

Mattress Firm deployed Azure Active Directory to securely connect Firstline Workers to their SaaS apps and to each other

February 13th, 2020 No comments

Today, we have another interesting story for the Voice of the Customer blog series. Tony Miller and Jon Sider of Mattress Firm deployed Azure Active Directory (Azure AD) to create a secure authentication experience for employees, including their Firstline Workforce. Much like sleep and a good mattress provide the foundation for a productive and enjoyable life, Tony and Jon show how Azure AD provides the secure foundation for a connected omnichannel experience. They were able to cut internal costs, quickly onboard their Firstline Workers, connect their employees to each other, and deliver a better authentication experience.

Read more from Tony and Jon to learn how you can use Azure AD to improve your customer experience.

Azure AD simplifies user provisioning and protects Firstline Workers’ identities

As America’s largest specialty mattress retailer, Mattress Firm aims to deliver a personalized experience to all our customers no matter how they interact with us. An exceptional customer experience requires a connected workplace. When a customer makes a purchase online and then visits a store for a second purchase, our sales associates, or “Firstline Workers,” should understand their full story and total lifetime value. If a customer needs to change the delivery time of a mattress, it should be easy for a customer services rep to contact the driver and reschedule the delivery. These connection points are invisible to the customer but can turn an ordinary interaction into a great one. To help us realize this aspiration, we deployed several Microsoft 365 products—one of which was Azure AD—to securely and simply unite communication across corporate and all the stores.

The foundation of strong cross-company collaboration is secure and simple user authentication. Our sales associates access several different software-as-a-service (SaaS) and on-premises apps to communicate and complete tasks. Many of these apps require a separate account, which meant users signed into multiple accounts throughout the day. We were concerned that some were reusing passwords, opening us up to risk. Our identity team was also overburdened. They were responsible for setting up accounts for each user, updating permissions as needed, and revoking accounts when users left the company. To resolve these challenges, we deployed Azure AD, which allowed us to decrease the size of the identity team, deliver a simpler user access experience to our employees, and gain more visibility into security threats.

Migrated identity and access management from Okta to Azure AD

Before we selected Azure AD, we investigated various identity and access management (IAM) options. We had previously deployed Okta, which fulfilled many of our requirements. However, we were simultaneously increasing our investment in Microsoft 365. We reviewed both Okta and Azure AD and discovered that Azure AD delivers better controls and security for Office 365 and its data than Okta at a much lower cost in addition to single sign-on (SSO) to other applications. At that point it was an easy sell, and we migrated all our users to Azure AD.

Decreased the size of the identity team

We are a large company with over 8,500 employees, stores in 49 states across the country, and 73 distribution centers across the biggest markets. Our physical footprint allows us to deliver a mattress within an hour to 89 percent of the population. Like many retailers we have a lot of employment churn. Each day, we process between 10-100 user identity status changes. Before Azure AD, a team of 12 people were responsible for provisioning the right accounts and access to each user. Twelve people is a large team, but it was required because for each change—whether that was a new hire, a promotion, or someone leaving the company—an identity team member needed to manually grant access or change privileges to them one at a time. This took a lot of time, and it was error prone.

Once we deployed Azure AD and set up automated provisioning, the onboarding process sped up significantly. Today, someone in human resources sets up a new employee in our HR system and within four hours the employee is onboarded to all their accounts. Our Identity Manager was able to redeploy most of the people on the provisioning team to higher priority work. Now there are just two people who manage the environment. We’ve realized a huge costs savings from this transition—about $500,000 per year in hard dollars, but tons of soft costs saved!

Infographic explaining Azure AD automated provisioning, with Azure AD in the middle; Active Directory, Cloud HR, and SCIM surrounding it.

Azure AD automated provisioning simplifies the process of provisioning the right access and applications to each user.

Delivered a simpler and more secure user access experience

Our users have also benefited from the rollout of Azure AD and automated provisioning. We enabled SSO so users can sign in once and access all the apps they need for work. We integrated Azure AD with about 40 apps, including Workday, Back Office, Salesforce, our VOIP administrator, Citrix, Tools video, Microsoft Dynamics 365, Concur, Tableau, WebEx, our benefits portal, our 401K provider, and all the Office 365 apps. Our employees love the new process. It is now rare that they must use another account to access work apps.

Infographic showing apps connected to Azure Active Directory.

With Azure AD SSO, users sign in once and have access to all their apps.

Azure AD has also given us peace of mind. Our customers provide a full set of information when they purchase a mattress from us. They trust us to protect their first-party data. Azure AD offers tools to better safeguard our identities. We control access to the first-party data based on employment status. We also enabled Multi-Factor Authentication (MFA) to Workday and off-premises sign-ins. That means whenever a user attempts to sign in to Workday or if they attempt to access any other system from off-site, we force a second form of authentication. Users get a secure code from the Microsoft Authenticator app, which validates their identity with Azure AD. This significantly reduces our security risk, and employees find it easy to use—a win for everybody.

We also enabled conditional access policies to reduce or block access when sign-in circumstances are risky. For example, Azure AD can evaluate the riskiness of a client app or the location of a user trying to gain access. If the risk is high enough, we can block access or force a password reset to confirm identity. Another good example of our conditional access approach is the leave of absence policy. While users are on a leave, we limit the apps they can access to the ones they really need: Workday and our benefits portal. These flexible, customizable policies strike the right balance between enabling productivity while minimizing our exposure.

Infographic showing signals (user, location, device, app, real-time risk) being verified (allowed, requiring MFA, or blocked).

Azure AD can evaluate user and location, application, device, and real-time risk before allowing access.
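The policies Mattress Firm describes (MFA for Workday, MFA off-site, block on high sign-in risk, and a leave-of-absence allow-list) map directly onto Conditional Access policy objects. The block below is an added example, not Mattress Firm's or Microsoft's code: the four policies are written in the shape of the Microsoft Graph conditionalAccessPolicy resource, and a small local evaluator shows how they combine for a handful of constructed sign-ins. The evaluator is a simplified model of the combination rules (every applicable policy is enforced, and a block from any one of them wins), not the Azure AD engine. All GUIDs, group memberships and sign-in events are assumptions made up for the example.

```javascript
// Added example (not Mattress Firm's or Microsoft's code). The four policies are written in
// the shape of the Microsoft Graph conditionalAccessPolicy resource; the evaluator below is
// a simplified local model of how such policies combine, not the Azure AD engine itself.
// All GUIDs, group memberships and sign-ins are constructed for this example.
const TRUSTED_LOCATION_ID = "11111111-1111-1111-1111-111111111111"; // named location: office egress IPs
const WORKDAY_APP_ID = "22222222-2222-2222-2222-222222222222";
const BENEFITS_APP_ID = "33333333-3333-3333-3333-333333333333";
const DYNAMICS_APP_ID = "44444444-4444-4444-4444-444444444444";
const LOA_GROUP_ID = "55555555-5555-5555-5555-555555555555";    // "Leave of absence" security group

const policies = [
  { displayName: "Require MFA for Workday", state: "enabled",
    conditions: { users: { includeUsers: ["All"] },
                  applications: { includeApplications: [WORKDAY_APP_ID] } },
    grantControls: { operator: "OR", builtInControls: ["mfa"] } },
  { displayName: "Require MFA off-site", state: "enabled",
    conditions: { users: { includeUsers: ["All"] },
                  applications: { includeApplications: ["All"] },
                  locations: { includeLocations: ["All"], excludeLocations: [TRUSTED_LOCATION_ID] } },
    grantControls: { operator: "OR", builtInControls: ["mfa"] } },
  { displayName: "Block high sign-in risk", state: "enabled",
    conditions: { users: { includeUsers: ["All"] },
                  applications: { includeApplications: ["All"] },
                  signInRiskLevels: ["high"] },
    grantControls: { operator: "OR", builtInControls: ["block"] } },
  { displayName: "Leave of absence: Workday and benefits only", state: "enabled",
    conditions: { users: { includeGroups: [LOA_GROUP_ID] },
                  applications: { includeApplications: ["All"],
                                  excludeApplications: [WORKDAY_APP_ID, BENEFITS_APP_ID] } },
    grantControls: { operator: "OR", builtInControls: ["block"] } },
];

function userMatches({ includeUsers = [], includeGroups = [], excludeUsers = [], excludeGroups = [] } = {}, s) {
  if (excludeUsers.includes(s.userId) || excludeGroups.some((g) => s.groups.includes(g))) return false;
  return includeUsers.includes("All") || includeUsers.includes(s.userId) ||
         includeGroups.some((g) => s.groups.includes(g));
}

function appMatches({ includeApplications = [], excludeApplications = [] } = {}, s) {
  if (excludeApplications.includes(s.appId)) return false;
  return includeApplications.includes("All") || includeApplications.includes(s.appId);
}

function locationMatches(locations, s) {
  if (!locations) return true;                       // no location condition on this policy
  const { includeLocations = [], excludeLocations = [] } = locations;
  if (s.locationId !== null && excludeLocations.includes(s.locationId)) return false;
  return includeLocations.includes("All") || (s.locationId !== null && includeLocations.includes(s.locationId));
}

function policyApplies(policy, s) {
  const c = policy.conditions;
  return policy.state === "enabled" && userMatches(c.users, s) && appMatches(c.applications, s) &&
         locationMatches(c.locations, s) && (!c.signInRiskLevels || c.signInRiskLevels.includes(s.signInRiskLevel));
}

// Every applicable policy is enforced; a block from any one of them wins over a grant control.
function evaluate(policySet, s) {
  const matched = policySet.filter((p) => policyApplies(p, s));
  const controls = new Set(matched.flatMap((p) => p.grantControls.builtInControls));
  const decision = controls.has("block") ? "block" : controls.has("mfa") ? "mfa" : "allow";
  return { decision, matched: matched.map((p) => p.displayName) };
}

// Constructed sign-in events: locationId null means an IP outside every named location.
const alice = { userId: "alice", groups: ["all-staff"] };
const bob = { userId: "bob", groups: ["all-staff", LOA_GROUP_ID] };   // on leave
const sampleSignIns = {
  aliceOfficeDynamics: { ...alice, appId: DYNAMICS_APP_ID, locationId: TRUSTED_LOCATION_ID, signInRiskLevel: "none" },
  aliceHomeDynamics:   { ...alice, appId: DYNAMICS_APP_ID, locationId: null, signInRiskLevel: "none" },
  aliceOfficeWorkday:  { ...alice, appId: WORKDAY_APP_ID, locationId: TRUSTED_LOCATION_ID, signInRiskLevel: "none" },
  aliceHighRisk:       { ...alice, appId: DYNAMICS_APP_ID, locationId: TRUSTED_LOCATION_ID, signInRiskLevel: "high" },
  bobOfficeDynamics:   { ...bob, appId: DYNAMICS_APP_ID, locationId: TRUSTED_LOCATION_ID, signInRiskLevel: "none" },
  bobOfficeWorkday:    { ...bob, appId: WORKDAY_APP_ID, locationId: TRUSTED_LOCATION_ID, signInRiskLevel: "none" },
};

for (const [name, s] of Object.entries(sampleSignIns)) {
  const { decision, matched } = evaluate(policies, s);
  console.log(`${name}: ${decision} ${matched.length ? "<- " + matched.join(", ") : ""}`);
}
```

The design point worth noticing is the leave-of-absence policy: rather than enumerating what a user on leave may not reach, it blocks "All" applications and excludes the two that remain allowed, so any app added later is denied by default. The off-site rule is expressed the same way (include all locations, exclude the trusted one), which is why a user on the office network reaching Dynamics gets no prompt while the same user at home is stepped up to MFA.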

Improved threat visibility

Security doesn’t end with our access policies. Azure AD also provides tools that Security Operations (SecOps) use to better understand security incidents. The Azure AD authentication logs and the Office 365 application access information provide useful insights. We now better understand when users try to access applications with VPNs or from unauthorized networks. This intelligence informs our security strategy and policies.

Azure AD has provided the foundation for a secure and connected employee experience. As we operationalize communication tools like Microsoft Teams, we are confident that the information that employees share is less likely to get compromised. Employees are empowered to work together to meet and exceed customer expectations. We rest easy because our customer data is more secure.


I hope you’re able to apply Mattress Firm’s learnings to your own organization. For more tips from our customers, take a look at the other stories in the Voice of the Customer blog series. Also, check out the Mattress Firm case study to see how other Microsoft 365 solutions have helped them improve the customer experience.

Here are several additional resources:

Finally, bookmark the Security blog to keep up with our expert coverage on security matters and follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Mattress Firm deployed Azure Active Directory to securely connect Firstline Workers to their SaaS apps and to each other appeared first on Microsoft Security.

5 identity priorities for 2020

January 28th, 2020 No comments

Today, Joy Chick, Corporate Vice President of Identity, shared five identity priorities central to security that organizations should focus on in 2020 as they digitally transform. These priorities are based on many conversations with our customers, including:

  1. Connect all applications and cloud resources to improve access controls and the user experience.
  2. Empower developers to integrate identity into their apps and improve security.
  3. Go passwordless to make security effortless for users.
  4. Enable boundary-less collaboration and automated access lifecycle for all users.
  5. Start your Zero Trust journey to protect your organization as you digitally transform.

To learn more about these priorities, and how decentralized identity is poised to offer greater verifiability and privacy, read Joy’s post, 5 identity priorities for 2020—preparing for what’s next.

Also bookmark the Security blog to keep up with our expert coverage on security matters and follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post 5 identity priorities for 2020 appeared first on Microsoft Security.

Go passwordless to strengthen security and reduce costs

December 12th, 2019 No comments

We all know passwords are inherently insecure. They’re also expensive to manage. Users struggle to remember them. It’s why we’re so passionate about eliminating passwords entirely. Passwordless solutions, such as Windows Hello, FIDO2 security keys, and the Microsoft Authenticator app, provide more secure and convenient sign-in methods. But transitioning your organization to passwordless authentication takes time and careful planning. You may wonder where to start and how long it will take to realize benefits. Today, we examine:

  • How biometrics improve security while safeguarding user privacy.
  • The cost reductions Microsoft realized from passwordless migration.
  • Steps you can take to better secure your organization and prepare for passwordless.

Image of three devices, one showing Windows Hello, another Microsoft Authenticator, and finally FIDO2 Security Keys.

Microsoft passwordless solutions include Windows Hello, the Microsoft Authenticator app, and FIDO2 security keys.

Biometric technology improves security and safeguards user privacy

The goal of user authentication protocols, including passwords, is to verify user identity. But just because a user knows a password doesn’t mean they are the person they claim to be. In fact, 81 percent of breaches leverage stolen or compromised passwords.1 Passwords are not unique identifiers.

To improve security, we need a better way to uniquely identify users. This is where biometrics come in. Your iris, fingerprint, and face are unique to you—nobody else has the same fingerprint, for example. Passwordless solutions, like Windows Hello, rely on biometrics instead of passwords because biometrics are better at accurately identifying a user.

Biometrics, like other personal identifying information (PII), may raise privacy concerns. Some people worry that technology companies will collect PII and make it available to other entities. Or that their biometric image might get stolen. That’s why Microsoft and other security companies in the Fast IDentity Online (FIDO) Alliance developed the FIDO2 standard to raise the bar for securing credentials. Rest assured, Microsoft uses FIDO2-compliant technology that does NOT view, store, or transfer ANY biometric images.

Here’s how it works:

  • When a user creates a biometric sign-in, Windows Hello uses an algorithm to create a unique identifier that is stored locally on the device, encrypted and secured, and never shared with Microsoft.
  • Each time a user signs in, the biometric is compared against the unique identifier.
  • If there is a match, the user is authenticated to the device.

Technologies like Windows Hello are secure, convenient, and safeguard user privacy.

Image of a PC screen showing Windows Hello.

Users can sign in to Windows Hello with a fingerprint scan. The fingerprint image is turned into a unique identifier stored on the device. It does not get stored by Microsoft.

Improve security, reduce costs, and increase productivity

To help you think about the costs associated with passwords, we’ll share some numbers from Microsoft’s own experience rolling out passwordless to its users. About a year after Microsoft began this journey, most users don’t use a password to authenticate to corporate systems, resources, and applications. The company is better protected, but it has also reduced costs.

Passwords are expensive because users frequently forget them. Every password reset carries soft costs in the productivity lost while a user can’t sign in. The company also incurs hard costs for every hour a Helpdesk administrator spends helping a Microsoft user reset their password.

Microsoft estimated the following costs before rolling out passwordless to its employees:

  • $3 million a year in hard costs.
  • $6 million a year in lost productivity.

As of today, Microsoft has achieved the following benefits from its passwordless rollout:

  • Reduced hard and soft costs by 87 percent.
  • As Microsoft costs go down, attackers’ costs go up, so the company is less of a target.

Going passwordless starts with Multi-Factor Authentication

Whether you’re ready to roll out a passwordless authentication strategy today or in a few years, these steps will help get your organization ready.

  • Step 1: Define your passwordless and biometrics strategy—At Microsoft, we allow more than one biometric factor to choose from for authentication, which gives people options and helps us meet accessibility needs.
  • Step 2: Move your identities to the cloud—Leverage Azure Active Directory (Azure AD) user behavior analytics and security intelligence to help protect your identities, uncover breach patterns, and recover if there is a breach.
  • Step 3: Enable Multi-Factor Authentication (MFA)—MFA increases security by requiring more than one factor of verification, usually in addition to a password. By enabling MFA, you can reduce the odds of account compromise by 99.9 percent.2 But passwords don’t have to be a factor. With passwordless authentication, the biometric identifier is one factor of verification and the device possession is another, removing the risk of passwords from the equation.
  • Step 4: Pilot passwordless—Start a pilot test with your riskiest users or groups.

Image of the Microsoft Authenticator app being used.

The Microsoft Authenticator app can be used to augment a password as a second factor or to replace a password with biometrics or a device PIN for authentication.

If you aren’t ready to go passwordless, enable MFA to reduce your odds of a breach. We also recommend that you ban the most easily guessable passwords. Azure AD processes 60 billion authentications in a month and uses the telemetry to automatically block commonly used, weak, or compromised passwords for all Azure AD accounts, but you can add your own custom banned passwords, too.
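The banned-password check is a concrete mechanism, so it is worth seeing how a candidate password actually gets scored. The block below is an added example, not Microsoft's code: a local approximation of the Azure AD Password Protection evaluation as Microsoft documents it (normalize case and a few common character substitutions, match banned tokens as substrings or near-misses, then score one point per banned token found and one per remaining character, requiring at least five points). The substitution table is the documented subset; the global and custom banned lists, the sliding-window fuzzy match and the test passwords are constructed for this example, and the real service applies its own, much larger global list.

```javascript
// Added example, not Microsoft's code: a local approximation of the Azure AD Password
// Protection evaluation (normalize, match banned tokens, score). The substitution table is the
// subset Microsoft documents; the banned lists, the fuzzy window matching and the sample
// passwords are constructed for this example. The real service uses its own global list.
const SUBSTITUTIONS = { "0": "o", "1": "l", "$": "s", "@": "a" };
const MIN_SCORE = 5;

const GLOBAL_BANNED = ["password", "blank", "welcome"];   // stand-in for Microsoft's global list
const CUSTOM_BANNED = ["contoso"];                         // tenant-specific (for example the company name)

// Step 1: lowercase, then undo the leet-style substitutions attackers expect users to make.
function normalize(password) {
  return [...password.toLowerCase()].map((c) => SUBSTITUTIONS[c] ?? c).join("");
}

// Levenshtein distance that gives up once the distance exceeds `limit`.
function editDistance(a, b, limit) {
  if (Math.abs(a.length - b.length) > limit) return limit + 1;
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1));
    }
    if (Math.min(...cur) > limit) return limit + 1;
    prev = cur;
  }
  return prev[b.length];
}

// Steps 2 and 3: consume banned tokens (exact or within edit distance 1) out of the normalized
// password, longest token and exact windows first, then score what is left.
function evaluatePassword(password, banned = [...CUSTOM_BANNED, ...GLOBAL_BANNED]) {
  const norm = normalize(password);
  const consumed = new Array(norm.length).fill(false);
  const matches = [];
  for (const token of [...banned].sort((x, y) => y.length - x.length)) {
    for (const len of [token.length, token.length + 1, token.length - 1]) {
      if (len < 1) continue;
      for (let start = 0; start + len <= norm.length; start++) {
        if (consumed.slice(start, start + len).some(Boolean)) continue;   // already part of another match
        if (editDistance(norm.slice(start, start + len), token, 1) <= 1) {
          consumed.fill(true, start, start + len);
          matches.push(token);
        }
      }
    }
  }
  const remaining = consumed.filter((c) => !c).length;
  const score = matches.length + remaining;   // one point per banned token, one per leftover character
  return { normalized: norm, matches, score, accepted: score >= MIN_SCORE };
}

// Constructed candidates: the first two differ by one trailing digit and land on opposite sides of the threshold.
for (const pw of ["C0ntos0Blank12", "C0ntos0Blank123", "Pa$$w0rd!", "Contosso99", "Tr0ub4dor&3"]) {
  const r = evaluatePassword(pw);
  console.log(`${pw} -> ${r.normalized} matches=[${r.matches}] score=${r.score} ${r.accepted ? "accepted" : "rejected"}`);
}
```

The scoring is what makes the scheme bite: "C0ntos0Blank12" normalizes to "contosoblank12", which is two banned tokens plus two leftover characters for a score of four, so a password that a length-and-complexity rule would happily accept is rejected. Adding a single character pushes it to five and it passes, which is a reminder that this check is a floor against the most guessable choices, not a measure of strength on its own.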

Learn more

Microsoft passwordless solutions include Windows Hello, the Microsoft Authenticator app, and FIDO2 security keys from select partners. Each can help you accomplish the following:

  • Stronger security.
  • Reduced costs over time.
  • Increased attacker costs.
  • More productive users.

Read more about Microsoft passwordless solutions.

Watch the CISO Spotlight Series: Passwordless: What’s it worth?


1 2018 Verizon Data Breach Investigations Report
2 2018 Microsoft Security Research

The post Go passwordless to strengthen security and reduce costs appeared first on Microsoft Security.

Microsoft Security—a Leader in 5 Gartner Magic Quadrants

December 3rd, 2019 No comments

Gartner has named Microsoft Security a Leader in five Magic Quadrants. This is exciting news that we believe speaks to the breadth and depth of our security offerings. Gartner places vendors as Leaders who demonstrate balanced progress and effort in all execution and vision categories. This means that Leaders not only have the people and capabilities to deliver strong solutions today, they also understand the market and have a strategy for meeting customer needs in the future. Microsoft was identified as a Leader in the following five security areas:

  • Cloud Access Security Broker (CASB) solutions1
  • Access Management2
  • Enterprise Information Archiving3
  • Unified Endpoint Management (UEM) tools4
  • Endpoint Protection Platforms5

Microsoft Security doesn’t just deliver strong products in these five areas. We provide a comprehensive set of security solutions that are built to work together, from identity and access management to threat protection to information protection and cloud security.

Our products integrate easily and share intelligence from the trillions of signals generated daily on the Microsoft Intelligent Security Graph. And they work with non-Microsoft solutions too. You can monitor and safeguard your assets across clouds—whether you use Microsoft Azure, Amazon Web Services, Slack, Salesforce, or all the above.

By unifying security tools, you get visibility into your entire environment across on-premises and the cloud, to better protect all your users, data, devices, and applications. Today, we’ll review the five areas where Microsoft is recognized as a Leader in security.

A Leader in CASB

Our cloud security solutions provide cross-cloud protection, whether you use Amazon Web Services, Azure, Google Cloud Platform—or all three. We also help you safeguard your data in third-party apps like Salesforce and Slack.

Gartner named Microsoft a Leader in CASB based on the ability to execute and completeness of vision. Cloud App Security provides rich visibility into your shadow IT, enables you to identify and remediate cloud native attacks, and allows you to control how your data travels across all your cloud apps—whether they’re from Microsoft or third-party applications.

As Gartner says in the CASB Magic Quadrant, “platforms from leading CASB vendors were born in the cloud and designed for the cloud. They have a deeper understanding of users, devices, applications, transactions, and sensitive data than CASB functions designed to be extensions of traditional network security and SWG security technologies.”

We work closely with customers to improve our products, which is one of the reasons our customer base for Cloud App Security continues to grow.

Gartner graph showing Microsoft as a Leader in Cloud App Security.

A Leader in Access Management

Azure Active Directory (Azure AD) is a universal identity and access management platform that provides the right people the right access to the right resources. It safeguards identities and simplifies access for users. Users sign in once with a single identity to access all the apps they need—whether they’re on-premises apps, Microsoft apps, or third-party cloud apps. Microsoft was recognized for high scores in market understanding and customer experience.

Gartner says, “Vendors that have developed Access Management as a service have risen in popularity. Gartner estimates that 90 percent or more of clients based in North America and approximately 65 percent in Europe and the Asia/Pacific region countries are also seeking SaaS-delivered models for new Access Management purchases. This demonstrates a preference for agility, quicker time to new features, elimination of continual software upgrades, reduction of supported infrastructure and other SaaS versus software benefits demonstrated in the market.”

Gartner graph showing Microsoft as a Leader in Access Management.

A Leader in Enterprise Information Archiving

Enterprise information archiving solutions help organizations archive emails, instant messages, SMS, and social media content. Gartner recognized us as a Leader in this Magic Quadrant based on ability to execute and completeness of vision.

Gartner estimates, “By 2023, 45 percent of enterprise customers will adopt an enterprise information archiving (EIA) solution to meet new requirements driven by data privacy regulations; this is a major increase from five percent in 2019.”

Gartner graph showing Microsoft as a Leader in Enterprise Information Archiving.

A Leader in Unified Endpoint Management (UEM)

Unified Endpoint Management (UEM) solutions provide a comprehensive solution to manage mobile devices and traditional endpoints, like PCs and Macs. Microsoft’s solution, Microsoft Intune, lets you securely support company-provided devices and bring your own device policies. You can even protect company apps and data on unmanaged devices. We have seen rapid growth in Intune deployments and expect that growth to continue.

Gartner noted that, “Leaders are identified as those vendors with strong execution and vision scores with products that exemplify the suite of functions that assist organizations in managing a diverse field of mobile and traditional endpoints. Leaders provide tools that catalyze the migration of PCs from legacy CMT management tools to modern, UEM-based management.”

Intune is built to work with other Microsoft 365 security solutions, such as Cloud App Security and Azure AD to unify your security approach across all your clouds and devices. As Gartner writes, “Achieving a truly simplified, single-console approach to endpoint management promises many operational benefits.”

Gartner graph showing Microsoft as a Leader in Unified Endpoint Management.

A Leader in Endpoint Protection Platforms

Our threat protection solutions provide tools to identify, investigate, and respond to threats across all your endpoints. Gartner named Microsoft a Leader for Endpoint Protection Platforms based on our ability to execute and completeness of vision. Azure Advanced Threat Protection (ATP) detects and investigates advanced attacks on-premises and in the cloud. Windows Defender Antivirus protects PCs against software threats like viruses, malware, and spyware across email, apps, the cloud, and the web.

Gartner says, “A Leader in this category will have broad capabilities in advanced malware protection, and proven management capabilities for large-enterprise accounts.”

Gartner graph showing Microsoft as a Leader in Endpoint Protection Platforms.

Learn more

Microsoft is committed to helping our customers digitally transform while providing the security solutions that enable them to focus on what they do best. Learn more about our comprehensive security solutions across identity and access management, cloud security, information protection, threat protection, and universal endpoint management by visiting our website.

1 Gartner, “Magic Quadrant for Cloud Access Security Brokers,” by Steve Riley, Craig Lawson, October 2019

2 Gartner, “Magic Quadrant for Access Management,” by Michael Kelley, Abhyuday Data, Henrique Teixeira, August 2019

3 Gartner, “Magic Quadrant for Enterprise Information Archiving,” by Julian Tirsu, Michael Hoech, November 2019

4 Gartner, “Magic Quadrant for Unified Endpoint Management Tools,” by Chris Silva, Manjunath Bhat, Rich Doheny, Rob Smith, August 2019

5 Gartner, “Magic Quadrant for Endpoint Protection Platforms,” by Peter Firstbrook, Dionisio Zumerle, Prateek Bhajanka, Lawrence Pingree, Paul Webber, August 2019

These graphics were published by Gartner, Inc. as part of larger research documents and should be evaluated in the context of the entire document. The Gartner documents are available upon request from Microsoft. Gartner does not endorse any vendor, product, or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally, and is used herein with permission. All rights reserved.

The post Microsoft Security—a Leader in 5 Gartner Magic Quadrants appeared first on Microsoft Security.

Zero Trust strategy—what good looks like

November 11th, 2019 No comments

Zero Trust has managed to both inspire and confuse the cybersecurity industry at the same time. A significant reason for the confusion is that Zero Trust isn’t a specific technology, but a security strategy (and arguably the first formal strategy, as I recently heard Dr. Chase Cunningham, Principal Analyst at Forrester, aptly point out).

Microsoft believes that the Zero Trust strategy should be woven throughout your organization’s architectures, technology selections, and operational processes, as well as throughout the culture of your organization and the mindset of your people.

Zero Trust will build on many of your existing security investments, so you may already have made progress on this journey. Microsoft is publishing learnings and guidance from many perspectives to help organizations understand, anticipate, and manage the implications of this new strategy. This guidance will continue to grow as we learn more. A few highlights include:

In previous posts of this series, we described Microsoft’s vision for an optimal Zero Trust model and the journey of our own IT organization from a classic enterprise security to Zero Trust. Today, we focus on what a good strategy looks like and recommended prioritization (with a bit of history for context).

Zero Trust security continuously validates trustworthiness of each entity in your enterprise (identities, applications and services, devices) starting each with a trust level of zero.

Evolution of security strategy

The central challenge of cybersecurity is that the IT environment we defend is highly complex, leading security departments (often with limited budgets/resources) to find efficient ways to mitigate risk of advanced, intelligent, and continuously evolving attackers.

Most enterprises started with the use of a “trusted enterprise network,” but have since found fundamental limitations of that broad trust approach. This creates a natural pressure to remove the “shortcut” of a trusted enterprise network and do the hard work of measuring and acting on the trustworthiness of each entity.

Network or identity? Both (and more)!

The earliest coherent descriptions of the Zero Trust idea can be traced to proposals in the wake of the major wave of cybersecurity attacks. Beginning in the early 2000s, businesses and IT organizations were rocked by worms like ILOVEYOU, Nimda, and SQL Slammer. While painful, these experiences were a catalyst for positive security initiatives like Microsoft’s Security Development Lifecycle (SDL) and began serious discussions on improving computer security. The strategy discussions during this timeframe formed into two main schools of thought—network and identity:

  • Network—This school of thought doubled down on using network controls for security by creating smaller network segments and measuring trust of devices before network controls allow access to resources. While promising, this approach was highly complex and saw limited uptake outside a few bright spots like Google’s BeyondCorp.
  • Identity—Another approach, advocated by the Jericho Forum, pushed to move away from network security controls entirely with a “de-perimeterisation” approach. This approach was largely beyond the reach of technology available at the time but planted important seeds for the Zero Trust of today.

Microsoft ultimately recommends an approach that includes both schools of thought and leverages the transformation of the cloud to mitigate risk spanning the modern assets and (multiple generations of) legacy technology in most enterprises.

Prioritizing and planning Zero Trust

Microsoft recommends rigorous prioritization of Zero Trust efforts to maximize security return on investment (ROI). This default prioritization is based on learnings from our experience, our customers, and others in the industry.

  1. Align strategies and teams—Your first priority should be to get all the technical teams on the same page and establish a single enterprise segmentation strategy aligned to business needs. We often find that network, identity, and application teams each have different approaches of logically dividing up the enterprise that are incompatible with each other, creating confusion and conflict. See the CISO workshop video, Module 3 Part 3: Strategy and Priorities, for more discussion of this topic.
  2. Build identity-based perimeter—Starting immediately (in parallel to priority #1), your organization should adopt identity controls like Multi-Factor Authentication (MFA) and passwordless to better protect your identities. You should quickly grow this into a phased plan that measures (and enforces) trustworthiness of users and devices accessing resources, and eventually validating trust of each resource being accessed. See the CISO workshop video, Module 3 Part 6: Build an Identity Perimeter, for more information on identity perimeters.
  3. Refine network perimeter—The next priority is to refine your network security strategy. Depending on your current segmentation and security posture, this could include:
    • Basic segmentation/alignment—Adopt a clear enterprise segmentation model (built in #1) from a “flat network” or fragmented/non-aligned segmentation strategy. Implementing this is often a significant undertaking that requires extensive discovery of assets and communication patterns to limit operational downtime. It’s often easier to do this as you migrate to the cloud (which naturally includes this discovery) than it is to retrofit to an existing on-premises environment.
    • Micro-segmenting datacenter—Implement increasingly granular controls on your datacenter network to increase attacker cost. This requires detailed knowledge of applications in the datacenter to avoid operational downtime. Like basic segmentation, this can be added during a cloud migration or a net new cloud deployment easier than retrofitting to an on-premises datacenter.
    • Internet first clients—A simple but significant shift is when you move client endpoints from being on the internet part-time to full-time (versus sometimes on corporate network and sometimes remote). This is a straightforward concept, but it requires having already established a strong identity perimeter, strong endpoint security and management over the internet, publishing legacy applications to your internet clients, dedicated administrative workstations, and potentially other initiatives before “rolling back” the firewalls from clients.

What good looks like

Zero Trust is a model that will ultimately be infused throughout your enterprise and should inform virtually all access decisions and interactions between systems.

Expanding on the three principles of Zero Trust from the Zero Trust vision paper—Verify Explicitly, Least Privilege Access, and Assume Breach—the hallmarks of a good enterprise Zero Trust strategy include:

  • Continuously measure trust and risk—Ensure all users and devices attempting to access resources are validated as trustworthy enough to access the target resource (based on sensitivity of target resource). As technology becomes available to do it, you should also validate the trustworthiness of the target resources.
  • Enterprise-wide consistency—Ensure that you have a single Zero Trust policy engine to consistently apply your organization’s policy to all of your resources (versus multiple engines whose configuration could diverge). Most organizations shouldn’t expect to cover all resources immediately but should invest in technology that can apply policy to all modern and legacy assets.
  • Enable productivity—For successful adoption and usage, ensure that both security and business productivity goals are appropriately represented in the policy. Make sure to include all relevant business, IT, and security stakeholders in policy design and refine the policy as the needs of the organization and threat landscape evolve. For more information, see Meet Productivity and Security Goals.
  • Maximize signal to increase cost of attack—The more measurements you include in a trust decision—which reflect good/normal behavior—the more difficult/expensive it is for attackers to mimic legitimate sign-ins and activities, deterring or degrading an attacker’s ability to damage your organization.
  • Fail safe—The system operation should always stay in a safe state, even after a failed/incorrect decision (for example, preserve life/safety and business value via confidentiality, integrity, and availability assurances). Consider the possible and likely failures (for example, mobile device unavailable or biometrics unsuccessful) and design fallbacks to safely handle failures for both:
    • Security (for example, detection and response processes).
    • Productivity (remediation mechanisms via helpdesk/support systems).
  • Contain risk of attacker movement into smaller zones—This is particularly important when you’re reliant on legacy/static controls that cannot dynamically measure and enforce trustworthiness of inbound access attempts (for example, static network controls for legacy applications/servers/devices).

Into the future

Over time, we expect Zero Trust will become accepted and commonplace where people simply learn it in “Security 101” (much like the least privilege principle today). Zero Trust is expected to evolve as we all become more comfortable with what this new normal entails and have ideas on how to optimize efficiency and address the attackers’ ongoing attempts to find a chink in the new armor.


Our next blog will discuss how to make Zero Trust real in your enterprise starting with technology available today, which you may already have deployed or have access to! In the meantime, bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Zero Trust strategy—what good looks like appeared first on Microsoft Security.