Multi-factor authentication adds another layer of protection to the sign-in process. After all, if you only use a password to authenticate users, it leaves an insecure vector for attack. What if the password was weak? Or if it was exposed elsewhere? Are you sure that person signing in is really the user? When you require a second form of authentication that isn’t easy to obtain, you are building another layer of security.

Therefore, ensuring you use the right type of MFA service is of critical importance. Different MFA solutions can have a dramatic impact on cost, user experience and your resilience to service outages and attacks. In this post we’re going to look at some of these factors and make some recommendations to ensure your MFA solution enables your organisation, and your people, to be productive safely.

1.      Optimise security processes to bring down costs

A vulnerable entry point for cyber attackers is to use credential-based attacks to access networks and steal data or spread ransomware. However, multi-factor authentication stops 99.9 percent of credential-based attacks. That’s why MFA really is one of the most fundamental security measures. At Microsoft, we deploy MFA to protect our customers, our data, systems, and our business. Azure AD MFA is used across our consumer platforms like Outlook.com and Xbox, as well as thousands of other online services. In fact, its foundational to our five steps to secure your identity infrastructure.

Online retailer Asos uses Azure AD (including MFA) to protect identity as the new perimeter. By automating, provisioning and deprovisioning user accounts across its SaaS landscape, they have reduced costs and errors, all while improving productivity.

“Our service desk spends much less time setting up users and creating or deleting accounts, which gets our costs down,” says Mark Lewis, Infrastructure Architect at ASOS. “We made our lives easier by adopting Azure Active Directory—we’ve saved time and money, improved the employee experience, and enhanced the security of our entire SaaS ecosystem.”

Where cost may be a blocking factor, in Azure AD the options to use SMS and phone-based MFA are free. In the case where certain users might be specifically targeted, you can selectively upgrade people to P1 or P2 licensing models and nudge people towards using the Microsoft Authenticator app with a one-time-password or notification-based MFA.

These days, it’s easy to enable MFA for all with one click. However, you don’t have to take a single, big-bang approach. You can onboard users into MFA in batches that are digestible by your service desk. Typically, 10 percent of any given batch will need support, so the ability to onboard in batches has a dramatic impact on the cost of deploying MFA. For employees, using multi-factor authentication when paired with single sign-on can increase productivity as they can access everything they need without re-entering passwords.

And if there is still resistance, this is one of those measures which business leaders should by now expect. We’ve seen the reports of the cost and reputational damages that security breaches can have on organisations. Leaders should be challenging IT to ensure the safety of their customers, employees, systems and data. And MFA is one of the critical elements to delivering that.

2.      Balance security and productivity with multi-factor authentication

Pre-cloud, security was ring-fenced around the data centre and the physical office, with the network perimeter as the main defence. Often, these featured early methods of MFA – such as one-time passcode fobs or smart cards. However, on-premise environments can be open to attack through misconfigured web and VPN services, lack of patching, as well as credential hygiene issues.

As organisations move to hybrid cloud-based environments, they can take advantage of existing Zero Trust capabilities with the knowledge that we will be investing a further $20 billion in our security solutions over the next five years to help defend against ransomware and other threats. With MFA in Azure AD you are consolidating your identity services into a strong and highly trusted environment. You’re not only increasing your resilience to ransomware and supply chain attacks, but also other outages that can occur on-premises.

For Durham University, they used MFA and Azure AD to ensure their staff and students could keep learning remotely. They use single sign-on to access everything they need whilst keeping their intellectual property secure. “By migrating to Azure AD, we’ve moved the responsibility of high availability to Microsoft, who, let’s face it, are scaled to do a better job than we could. Our services are much more resilient.” Says Craig Churchward, Technical Specialist for Windows Platform.

You can also maximise your ability to take advantage of new features as they are delivered, without any concerns for integration and support across vendors. Additionally, older platforms often involve backend server infrastructure, physical tokens and the man-hours needed to issue, replace and troubleshoot those tokens. With Azure AD MFA, users no longer need physical tokens. Additionally, there’s no server infrastructure to maintain. Your IT and security teams can focus on high-value tasks.

3.      Multi-factor authentication empowers secure hybrid working

A core tenant of Zero Trust is to never trust – always verify. Regardless of where the request originates or what resource it accesses, it is always fully authenticated, authorised, and encrypted before granting access. This helps build secure hybrid working. It makes it easier for employees to connect from anywhere, on different devices while protecting organisational data.

MFA and Conditional Access are key to Rabobank’s mobility strategy. “We require multi-factor authentication for mobile access today and have Conditional Access policies set up to require new device enrollments to happen on the corporate network. Most importantly, people can enroll and get access quickly—which is good, because we didn’t want to create this digital workplace and slow people down with security,” says Abe Boersma, Global Head of Workplace Services.

Identity is now recognised as one of the core services we use to secure the enterprise. Your identity stack, including your MFA service, is a key component of Microsoft’s security control plane. You can discover more in the guidance found in the Microsoft Cybersecurity Reference Architectures (MCRA) and Enterprise Admin Model.

4.      Build a strong security culture

A human-first security culture will help employees stay productive and secure in the hybrid workplace. One factor of this to have a strong password policy. At Microsoft, we see over 10 million username/password pair attacks every day. Build your strategy on updated password policy guidance from NIST, NCSC and Microsoft. Using technology such as Windows Hello for Business, the Microsoft Authenticator app and FIDO2 tokens alongside MFA will help to reduce successful credential attacks You can find out more about passwordless tech from Microsoft Security Team member, Alex Weinert in his blog; Your Pa$$word doesn’t matter.

If passwords are going to be with you for the foreseeable future, Azure AD Password Protection helps users select passwords that are not commonly known and Azure AD Self-Service Password reset will minimise the operational cost of passwords.

5.      Close the door on insecure legacies

From our research, we’ve seen most opportunistic attacks target legacy authentication protocols that bypass MFA. But there is an effective control to prevent this. Disabling legacy authentication and enabling MFA is one of the most impactful things you can do to prevent credentials from being compromised. Microsoft provides the tools to you accomplish this. In new Azure tenants, legacy authentication protocols are disabled by default, but many existing tenants still have this enabled.

Building a secure hybrid workforce

Multi Factor Authentication is becoming increasing important for an organisation’s cybersecurity. To stay resilient, organisations need to ensure employees can securely and easily access their work across devices, no matter where they are. MFA helps achieve this. Also, by modernising MFA organisations can increase resilience to attacks and service outages. They can also improve agility in adopting new features while supporting legacy systems.

Find out more

Build a modern security strategy

Security and mobility

Discover MFA

Resources to empower your development team

Secure Azure Active Directory users with Multi Factor Authentication

Manage identity and access in Azure Active Directory 

How Multi Factor Authentication provides secure access to resources

About the author

Gavin works within the Customer Success team at Microsoft. His aim is to make customers more productive, more secure, and ultimately more successful through features like Azure AD. Having seen what modern ransomware attacks can do up close, Gavin is passionate about helping keep an organisation’s customers, staff, systems and data safe. He is also a keen cyclist (on and off road), husband and father to three young children. You can catch him on Twitter @gvnshtn and on LinkedIn.

The post How multi-factor authentication empowers secure hybrid working appeared first on Microsoft Industry Blogs - United Kingdom.

At Microsoft, I’m constantly reminded of how advances in security technology can enable productivity and collaboration. How it can actually create and improve inclusive user experiences. We do this by adapting security policies and processes to reflect how users and consumers are utilising and engaging technology, and new ways of working, on an evolving basis.

What does this way of thinking mean? It means that a people-first approach is essential when considering the best approach to cyber resilience and business continuity. Especially as you navigate the next steps, and prepare you for the unexpected. It will also support your employees to do their best, no matter where they are, or what their circumstances.

Here are four shifts that will support your organisation on the journey to resilience and inclusivity.

1. Drive the future of security with digital empathy

The most successful organisations who empower their people to achieve more by being productive from anywhere, are the ones who are empathetic to the end-user experience. Sometimes this can be a friendly voice over a Teams call, or assisting them as they adapt to new ways of working.

Digital empathy also stretches to making digital solutions more inclusive. This means having tools and policies that adapt to people’s ever-changing circumstances.

Bring Your Own Device Policies

With more users becoming remote and working flexibly, it can be inconvenient for users to carry multiple corporate and personal devices. Its great to see financial institutions rethinking their approach to Bring Your Own Device (BOYD) policies. This offers flexibility and choice for users. It can also speed up the onboarding process and reduce costs in sourcing and maintaining devices.

Of course, this doesn’t come without risk. To protect users’ privacy and control access to corporate services and data, the devices need to be both ‘trusted and healthy’. By utilising a management tool like Intune to prevent unauthorised access and compromise you can:

• Manage at the device level. Mobile Device Management (MDM) lets you enroll devices for management. This includes all data that lives on the device. You have full control to ensure the device is compliant and can manage settings, certificates, and profiles.
• Another approach is Mobile Application Management (MAM). This works well for BYOD scenario. With MAM you can publish, push, configure, secure, monitor, and update mobile apps for your remote workers. This provides application-level controls and compliance, while maintaining the familiar user experience for end users.

2.      A Zero Trust security approach

As employees started working remotely en masse, the traditional type of ring-fenced security had its disadvantages. It often struggled to meet the need of a hybrid workforce, working from different locations, and from multiple devices. Therefore adopting a Zero Trust approach to business continuity and security became an imperative.

The key principles of Zero Trust are quite straightforward:

• Never trust
• Always verify
• Assume compromise

In a Zero Trust model, access by users and devices – both inside and outside the corporate network – is granted based on an evaluation of the risk associated with each request. The same security checks are applied to all users, devices, applications and data every time.

To start with Zero Trust, it’s important to realign around identity. This can benefit employees, as it makes it easier for them to use single sign-on or access data across multiple devices. For example, multi-factor authentication prevents 99 percent of credential theft and other intelligent authentication methods can make accessing apps easier and more secure than just using traditional passwords. This also helps create robust BYOD strategies that work in unison to enable users to be both secure, and productive.

Of course, it’s important to pair a Zero Trust strategy with advanced threat protection and information protection. This helps to detect and prevent lateral movement, and data loss, no matter where it resides.

3.      A people-led focus to a secure control environment

What normally works on-premise does not easily transfer to a cloud or hybrid operating model. particularly when accessing critical services and data from multiple sources.

For example, how is your Virtual Private Network (VPN) set up? It can often force all your network traffic through on-premises data centres, slowing down services and making it hard for employees to work. This may cause frustration. It can cause employees to look for workarounds, potentially bypassing safeguarding controls and policies, and downloading apps from the internet.

This scenario can be fixed by initiating split-tunnelling. This allows trusted cloud services like Microsoft 365 to be accessed straight over the internet. Your VPN can then be used to access critical apps and data that reside in your Data Centre, reducing the load.

In addition, a Cloud Access Security Blocker (CASB) gives you rich visibility over your shadow IT. It provides a centralised approach to monitor and protect access to data, on cloud based apps. As an example, we implemented Cloud App Security for more than 150,000 employees globally. Apps that don’t meet our stringent security standards are blocked. Popular and trusted apps are onboarded to our Azure Active Directory, making it easier for employees to access what they need securely.

4.      Providing resilient education to improve security

As cybersecurity matures, so do adversaries. They are adept at changing techniques and tactics, and at exploiting local or global events to lure victims via phishing campaigns. Using cloud-based security means you can take advantage of intelligent threat protection and analytics. For example, we collect and analyse over 8 trillion telemetry signals daily from a diverse set of products, services, and feeds around the globe. At the same time, you need to ensure your employees have the knowledge to protect themselves to reduce compromise. During times of crisis and change, users need to be warned to expect more phishing and social engineering attempts. It’s also useful to understand the psychology behind what makes people click.

This stretches beyond standard cybersecurity training. It’s about being empathic as I mentioned earlier, to what is going on inside and outside of the company. As much as we talk about external threats, we must be mindful to the increase in insider threats as well.

Insider threats

With all the changes that may be happening, we have to be mindful to how users are adapting and coping with the situation. We need to think about the stressors (fear and uncertainty about their jobs, balancing work and home life), and how this could impact a person.

Not all insider risks are malicious in intent. It can often come down to a lack of awareness of policies, knowledge, or frustration of not being able to work productively, that leads to mistakes. Conversely concerning behaviour, such as downloading or printing sensitive files, renaming files, using unapproved apps, or copying files onto external devices could be a sign of malicious intent.

While these behaviours don’t automatically arouse suspicion, it’s important to actively look for patterns of anomalous behaviour and mitigate them. With digital empathy, we can pre-empt and reduce some of the stressors or situations with wellbeing programmes and education that are empathetic and supportive to employees, reducing the chance of insider risks.

An effective security culture allows users to work productively while they help keep the business safe. Our built-in approach to security works across platforms, locations and tools – so it’s easier for your people to comply.

The future of security

One of the things we’ve learnt this year is to expect severe, but plausible scenarios. It can seem daunting to prepare for the extreme unknowns – but that’s what we have to do. Organisations are becoming more reliant on cloud and hybrid technologies. Therefore, successful strategies must include a people-based approach to cyber resilience. These four shifts, focussing on digital empathy and zero trust will help you to take advantage of innovative and integrated technologies that enable you to achieve more, with less.

Find out more

Get the guide to building resilience

How modern cybersecurity helps you stay productive and resilient

3 ways the banking sector can innovate in the new normal

Join the conversation at Envision

Digital technology is changing not just how organisations operate but how leaders lead. Join us at Envision, where executives across industries come together to discuss the challenges and opportunities in this era of digital disruption. You’ll hear diverse perspectives from a worldwide audience and gain fresh insights you can apply immediately in your organisation.

Connect with leaders across industries to get relevant insights on leadership in the digital era.

About the author

Sarah Armstrong-Smith is a Chief Security Advisor in Microsoft’s Cybersecurity Solutions Group. She principally works with FSI customers in the UK and strategic customers across Europe, to help them evolve their security strategy and capabilities to support digital transformation and cloud adoption.

Sarah has a background in business continuity, disaster recovery, data protection and privacy, as well as crisis management. Combining these elements means she operates holistically to understand the cybersecurity landscape, and how this can be proactively enabled to deliver effective operational resilience.

Sarah has been recognised as one of the most influential women in UK Tech and UK cybersecurity and regularly contributes to thought leadership and industry publications.

The post 4 ways to drive the future of security in the financial sector appeared first on Microsoft Industry Blogs - United Kingdom.

The link between secure data and trust is well established. It is also a topic that frequently comes up when I talk to our customers and partners. You cannot have trust without privacy, and you cannot have privacy without security. Many organisations now face the challenge of meeting the growing expectations of customers while maintaining productivity in a secure, ‘hybrid’ environment.

Clearly, it’s a narrow path, and this year in particular we’ve been learning how to walk it. So today, I’m going to share our learnings – that it’s possible to retain and even improve customer trust while effectively managing security and risk.

Simplify security to improve customer and employee experiences

Innovation and productivity are hugely important to organisations, especially in unpredictable times. So how can an effective security solution work with and enable them?

Our experience is that having an integrated approach built on a ‘zero-trust’ model can keep your digital real estate secure, without sacrificing creativity or impacting workflows.

What is zero trust? It’s when all users, devices, apps and infrastructure – both inside and outside your network – are presumed untrustworthy. So, by default, the same automated security checks are applied to all users, devices, applications and data, every time.

When we implemented zero trust at Microsoft, it enabled our employees to access the tools they needed to work with their customers, from anywhere.

We also use single sign–on using biometric based authentication wherever possible, focussing on multi-factor authentication. MFA reduces the risk of identity fraud by more than 99.9 percent. And single sign–on means employees only have to sign in securely on a device once (unless the conditions change) before accessing all the tools and apps they need to provide great customer experiences. 

Data security in the cloud

In a fast-changing threat landscape, it’s crucial to safeguard organisational data. Our own research suggests that criminals have even been exploiting COVID-19 for their own personal gain. For a company like Vodafone, they have to keep over 630 million customers’ data secure, while complying with government regulations. They also want to ensure they can continue delivering services to customers.

Alongside our zero-trust model, we’ve established a secure foundation, based on Azure. It has multi-layered security across physical data centres, infrastructure and operations. We have over 3,500 global cybersecurity experts working to safeguard assets and data. In the background, machine learning, behavioural analytics and application-based intelligence check out potential threats, while we all get on with our work. Integration combined with intelligence reduces thousands of alerts to a handful of incidents correlating those alerts. Information Protection (DLP) and Compliance helps us make sure we meet industry regulations and customer requirements while also helping protect, govern, and recover data.

Enable remote work security

Our security journey has changed how we manage identity and network access, and our ability to secure a remote workforce has improved. As I’ve outlined, at the core of zero trust is user identity and endpoint management. This makes it easy for our employees to securely access their work, no matter where they are.

The same foundation effectively supports any Bring Your Own Device scenario. This can reduce costs and make life easier, as your employees seamlessly use their own devices while staying secure.

Staying cyberstrong

What do I believe is the most important part of our security strategy? Our people. There’s nothing like creating a culture of security to keep organisations safe. That’s why it’s important to ensure everyone – from the top down – has good cybersecurity awareness and knowledge. It’s important to ensure everyone is comfortable to speak up if they’ve done something wrong, without fear of retribution. We incorporate fun web training that makes employees feel empowered to stay secure.

That said, we’re aware that there’s a looming security skills shortage, with 3.5 million unfilled positions predicted by 2021. At Microsoft, we’ve widened our search for talent, broadened our inclusion and diversity efforts, and are aiming to re- and up-skill current employees. Our security skills training is accessible to all and can be applied beyond typical office scenarios.

Meanwhile, automation takes on our more repetitive security tasks, such as low-level event handling. Azure Sentinel, for example, cuts alert noise by 90 percent, with just the most critical, thorny issues—the top 10 percent—escalated to professionals for them to address. Security Graph uses the cloud to connect all of Microsoft security products, services, and partners, collecting trillions of data points daily. This feeds threat intelligence across customers and partners. Ultimately, speeding up threat detection and incident response. 

Building customer trust with security

I believe security, when it is built-in and treated like an enabler rather than a pain point, frees up employees to be able to do their best work. Supported by AI and machine learning to help take over the low-level monitoring, your cybersecurity team can focus on higher–level tasks. This translates to better customer experiences and protection over your whole digital estate, including data. 

Find out more

10 tips for enabling zero trust security

How we enabled zero trust

Our remote working best practices

Optimise recruitment in cybersecurity

Security and risk management

How modern cybersecurity helps you stay productive and resilient

Resources for your development team

Security best practices and guidance

Microsoft Learn for Security Engineers

About the author

As National Technology Officer, Glen leads Microsoft’s technology vision and models its culture of learning, while developing strategies to protect and extend Microsoft Cloud into complex regulated markets. He will inspire leaders of state and enterprise, regulators and customers on how best to leverage innovation to drive digital transformation.

The post Leveraging security to build customer trust appeared first on Microsoft Industry Blogs - United Kingdom.

In order to manage the risks associated with BYOD, we worked with the Cabinet Office and NCSC to produce guidance on how you can use Microsoft technologies to mitigate the risks associated with employee access to systems and services remotely through unmanaged devices.

Improve employee access

Specifically, we’re looking at how you can access Microsoft 365 services in a way that helps you meet your obligations and leverages its features and capabilities. This guidance doesn’t suggest a BYOD policy is a one and done job. It does, however, draw on the broad experience across the UK government industry and draws heavily on already existing best practice.

The controls described in this document intend to help you understand why the specific security controls are used. It also provides step-by-step configuration guidance which your IT team can use to quickly set up and manage your data on personal devices. This allows organisations to understand how the features and capabilities in Azure Active Directory, Microsoft Intune, and Microsoft 365 can be used.

These factors all come together to ensure employees can securely access their work while keeping your organisation’s data secure on personal devices. It helps employees stay productive and collaborate together securely, no matter what device they are using.

Good, better, best blueprint for your BYOD policy

To support this effort, we’ve created a blueprint. This blueprint has been developed to support the use of BYOD scenarios where organisations are not able to provide corporate laptops or mobile devices.

The technical controls that are described in this document have been grouped into three categories, good, better, and best. The rationale for the groupings is described below:

Good

• Forms the minimum level of configuration that all organisations should meet.
• Available with Microsoft 365 E3 license.
• Can be implemented using simple configuration tasks.
• Browser-based access for PC and Mac.
• Approved apps for mobile devices.
• MFA and Restricted Session Controls in Exchange Online and SharePoint Online.

Better

• Forms the level that organisations should aspire to.
• Available with Microsoft 365 Security and Compliance Package components or M365 E5.
• Might require more complex configuration tasks.
• More flexible and granular control of user policies, session controls using Microsoft Cloud app.
• Lower residual risk than Good pattern.
• Browser-based access for PC and Mac.
• Approved apps for Mobile Devices.

Best

• Utilises Windows Virtual Desktop (WVD) to provide a solution that matches as closely as possible the same experience of working in the office on corporate IT, from any device.
• With good management it significantly reduces the unmanaged surface by providing a virtualised corporate desktop for home workers, utilising their personal computing device.
• Lowest risk approach compared to Good and Better patterns.

So which BYOD policy route is right for you?

The decision flow below aims to help you determine which of the patterns you should use. For example, if an organisation has Microsoft 365 Security and Compliance Pack (SCP) or M365 E5 licenses, then the control used in the Better solution will provide a lower residual risk and therefore should be used.

Reduce your risk security posture with BYOD

Having a strong BYOD policy improves barriers to work for your remote workforce. It also enables them to be able to connect, work, and meet together online no matter where they are, securely.

For your IT team, this guide provides thorough step-by-step instructions to set up BYOD controls while helping manage security. This means they can implement these controls across your digital estate quickly and remotely.

By using the guidance, you can enable your organisation to move to a lower risk security posture when utilising BYOD.

Find out more

Download the blueprint: BYOD Technical Guide

Watch the webinar: Security controls for remote work

Read more: 4 ways to protect your organisation and mitigate the threat of ransomware

About the authors

Stuart has been with Microsoft in the UK since 1998 and is the National Security Officer for Microsoft in the UK. Prior to that, he has worked as strategy consultant to a variety of UK Government customers, mostly within the defence arena, and run a number of Government Programs with the UK including the Government Security Program, the Security Co-Operation Program, and the Welsh Language Program. He still continues to run the UK GSP program today. Prior to joining Microsoft, Stuart worked as a consultant for ICL in their Power of 4 Consultancy, mostly focused in the defence and government spaces. Before ICL, he worked for Barclays Bank in a number of application development and IT infrastructure roles. He has been actively involved in computer security-related activities since the early 1980’s.

Nick is passionate about transforming every person and organisation to be more productive and more secure in his role as Security Product Marketing Lead within the Microsoft modern workplace team. A geek at heart, he spends his spare time experimenting with lasers and 3D printers with his two sons, keeping old computers alive (particularly Commodores), and learning about mechanics to keep an ageing British sports car on the road.

The post How to have secure remote working with a BYOD policy appeared first on Microsoft Industry Blogs - United Kingdom.