Microsoft is one of the world’s biggest identity platforms, processing billions of user logins every single day across millions of applications. These include Microsoft’s own suite of applications like Xbox, Skype, Office 365, and Azure – but also millions of business and consumer websites and applications that leverage the Azure Active Directory.
Microsoft’s Identity Security team is responsible for securing and protecting these platforms, including identity features such as multi-factor authentication, single sign-on, conditional access policies, and the global incident response for major identity-related cybersecurity breaches.
Alex Weinert, the Director of Microsoft’s Identity Security team, has been leading the fight to protect digital identities for a long time. He’s been at Microsoft for 27 years – “Since dinosaurs roamed the earth,” he notes – leading a range of teams across applications such as MSN, Xbox, and Active Directory.
Expert Insights recently interviewed Weinert to discuss digital transformation, the biggest risks in the identity space today, the future of identity technologies, and how organizations can get started with a Zero Trust framework.
The way we live, work, consume and communicate has been changed completely by digital transformation. Every interaction we make, from messaging friends and ordering food, to even buying a house, now requires interactions with dozens of digital systems.
In this landscape, our digital accounts have all the value in the world to attackers, Weinert says. And as a result, both the intensity and velocity of attacks are massively increasing, with an economic downturn likely to cause an even further increase in identity-driven attacks.
To secure these accounts, identity is critical. “You can have all of the security features you want, you can have the fanciest, row-level encryption with polymorphic algorithms. But if I can convince the system I’m you, it’s game over.”
The Modern Identity Challenges
The major threats to identity security today are mostly the same as ten years ago, Weinert says, with the big three being weak passwords, phishing, and password reuse. These three threats alone are responsible for millions of compromised accounts every month.
These threats are commonly caused by weak identity policies, such as enforcing password rules that can be easily exploited by attackers, or not authenticating users securely with multi-factor authentication. “MFA would stop all of those attacks,” Weinert says.
There are also more advanced emerging security threats for security teams to lose sleep over, Weinert says. He highlights three in particular: MFA bypass attacks, in which attackers can steal cookies, overload users with notifications, or carry out machine-in-the-middle attacks in order to bypass MFA controls; application identity attacks, in which third-party apps are granted access to critical systems; and supply chain attacks, which are hugely damaging and were responsible for the SolarWinds breach in 2020.
But these three attacks are “probably not how your organization will be compromised,” Weinert says. “It’s getting compromised because you have archaic password policies and no MFA. If you fix the MFA problem, then you have to worry about the other problems. Until you fix the MFA problem, you might as well not worry. Because it’s like you have the barn door open while you’re worrying about how good the lock is on the side door. It doesn’t matter.”
Pushing For Multi-Factor Authentication With FIDO
With this in mind, Microsoft is pushing hard for users and organizations to switch on MFA. They recently launched a new set of security controls for organizations which enforces the use of MFA for users by default, which Weinert says has improved MFA adoption.
Disruptions to working caused by the pandemic have also increased MFA uptake, as users have become increasingly security conscious. Cybersecurity insurance providers are also providing a big boost, as increasingly MFA implementation is required to reduce security premiums. When Microsoft started measuring MFA adoption in 2017, just 1% of companies had it switched on. With all of these factors in play, the overall adoption rate today is still just 25%.
“25%!” Weinert says. “That’s terrible. If I’m an attacker, why would I bother doing anything else? It’s just so easy.” But it’s important to have compassion for companies who have not switched to MFA, he adds. “Organizations have tight budgets and lots of priorities. They have executive pushback, and organizations tend to be resistant to change. I think there’s a lot of outdated impressions of what MFA means. Some people think MFA provides a terrible user experience.”
Changing the user experience and removing friction is therefore a critical way to improve adoption, he argues. “For me to get onto the laptop I’m on now, it’s extremely secure. It’s FIDO-based, with Windows Hello. The camera sees my face and does a biometric handshake. Biometrics, plus possession—I have the laptop—thatis my multi-factor authentication. It’s really, really easy,” Weinert says.
With these FIDO technologies in place, the direction of travel in the industry is toward passwordless, Weinert says. “It turns out all password attacks fail if there is no password.” Multi-device FIDO credentials, also known as Passkeys, back-up user credentials to their Microsoft, Apple, and Google devices, enabling every smart phone to become a highly secure key which enables passwordless authentication, fully integrated into the operating system experience.
“There’s huge help on the horizon,” Weinert says. “The work that is going on right now on by our collaborators and sometimes competitors, like Apple and Google, is really promising. And we’re doing it in Windows as well, where you can essentially have a token like your phone, and then you can sign into your session with that token. That changes the world in terms of ease of use and security. It’s just a much, much better position to be in.”
Microsoft’s Advantage And The Future Of Identity
The advantage Microsoft has when it comes to stopping these threats is three-fold, Weinert says. First is volume. Microsoft processes billions of users every single day, giving it almost unprecedented data into threat intelligence which it uses to power its security technologies.
Second is Microsoft’s spectrum of customers. Microsoft supports customers across almost all verticals, industries and use cases, allowing it to develop and create security controls for almost any use case.
Finally, Microsoft’s platform has a huge breadth of functionality to reduce complexity but can also integrate with third-party tools to support best-in-breed security technologies.
Microsoft has also recently released a new identity security platform, Microsoft Entra, which gives a glimpse into what the future of identity technologies looks like. Entra is a response to the digital transformation we have seen which means that our digital accounts and relationships need to support more than a single source of trust. For consumers, Entra “unlocks amazing scenarios” for the future of identity, Weinert says.
Think of your driving license. This is a decentralized identity card, issued by the state, which you own. You can take this into a bar and buy a beer, but you can also choose not to show it. “We don’t currently have that model for our digital identities,” Weinert says. “That system is missing.
One of the things Microsoft has launched with Entra is VerifiedID, which is essentially decentralized identity for digital accounts—a passport for the digital world. This can enable users to verify their identity when if they lose their device and need a new FIDO token. It can allow surgeons to verify their medical license digitally or employees to prove they are whom they say they are when accepting a remote role.
“Entra is really speaking to this theme, which is that identity is far more important now than just signing in,” Weinert says. “It’s about how we go about our daily lives and how we interact in our businesses. And we need the tools that reflect that sophistication. That’s where the future is going.”
Getting Started With Zero Trust
A major current theme in the identity world is Zero Trust, the security framework that argues organizations should continuously verify users and enforce a principle of least-privilege for all authenticated users. But while the concept can be clearly summarized, actually getting it implemented in practice is becoming a major challenge for security teams.
Microsoft is “deeply invested” in Zero Trust, Weinert says. The principles are clear, he says: “If you care about an asset, before you let someone have access to it, you need to verify that they are who they say they are, and they are coming from a device that you trust. And you need to make sure they can only do what they’re supposed to do, so you have a least-privilege access model.”
“When you think about how to implement that in a practical way, there needs to be a way to intercept requests, to evaluate those requests in a rich way, against policy, and then ideally to use that policy decision point to trigger policy enforcement.” The more granularly you can enforce those policies, the better your overall security posture will be, he says.
But Weinert argues that, in a world where it’s hard for organizations to adopt multi-factor authentication, starting with Zero Trust is best kept simple.
“When we talk about Zero Trust, it’s actually maybe most valuable to simply say: every request to any resource you care about needs to use multi-factor authentication and use some sort of device management. You can almost say that is Zero Trust, for the vast majority of people.”
“Single sign-on is a very easy way to do this. Put your policy checks in the single sign-on and make part of that policy check the requirement that device has current malware protection. If you did that, you’d be massively down the road in terms of getting started on Zero Trust.”
“For the average person, that’s the answer. Zero Trust equals strong device, strong identity. That’s it.”
You can read the complete Expert Insights Q&A with Alex Weinert here.