As a large enterprise with global reach, Microsoft has the same security risks as its customers. We have a distributed, mobile workforce who access corporate resources from external networks. Many individuals struggle to remember complex passwords or reuse one password across many accounts, which makes them vulnerable to attackers. As Microsoft has embraced digital transformation for our own business, we shifted to a security strategy that places strong employee identities at the center. Many of our customers are on a similar journey and may find value in our current identity management approach.
Our goal is to reduce the risk of compromised identity and empower people to be efficient and agile whether they’re on our network or not.
Our identity management solutions focus on three key areas:
Read on for more details for each of these investment areas, advice on scaling your investment to meet your budget, and a wrap-up of some key insights that can help you smoothly implement new policies.
Securing administrator accounts
Our administrators have access to Microsoft’s most sensitive data and systems, which makes them a target of attackers. To improve protection of our organization, it’s important to limit the number of people who have privileged access and implement elevated controls for when, how, and where administrator accounts can be used. This helps reduce the odds that a malicious actor will gain access.
There are three practices that we advise:
- Secure devices—Establish a separate device for administrative tasks that is updated and patched with the most recent software and operating system. Set the security controls at high levels and prevent administrative tasks from being executed remotely.
- Isolated identity—Issue an administrator identity from a separate namespace or forest that cannot access the internet and is different from the user’s information worker identity. Our administrators are required to use a smartcard to access this account.
- Non-persistent access—Provide zero rights by default to administration accounts. Require that they request just-in-time (JIT) privileges that gives them access for a finite amount of time and logs it in a system.
Budget allocations may limit the amount that you can invest in these three areas; however, we still recommend that you do all three at the level that makes sense for your organization. Calibrate the level of security controls on the secure device to meet your risk profile.
Eliminating passwords
The security community has recognized for several years that passwords are not safe. Users struggle to create and remember dozens of complex passwords, and attackers excel at acquiring passwords through methods like password spray attacks and phishing. When Microsoft first explored the use of Multi-Factor Authentication (MFA) for our workforce, we issued smartcards to each employee. This was a very secure authentication method; however, it was cumbersome for employees. They found workarounds, such as forwarding work email to a personal account, that made us less safe.
Eventually we realized that eliminating passwords was a much better solution. This drove home an important lesson: as you institute policies to improve security, always remember that a great user experience is critical for adoption.
Here are steps you can take to prepare for a password-less world:
- Enforce MFA—Conform to the fast identity online (FIDO) 2.0 standard, so you can require a PIN and a biometric for authentication rather than a password. Windows Hello is one good example, but choose the MFA method that works for your organization.
- Reduce legacy authentication workflows—Place apps that require passwords into a separate user access portal and migrate users to modern authentication flows most of the time. At Microsoft only 10 percent of our users enter a password on a given day.
- Remove passwords—Create consistency across Active Directory and Azure Active Directory (Azure AD) to enable administrators to remove passwords from identity directory.
Simplifying identity provisioning
We believe the most underrated identity management step you can take is to simplify identity provisioning. Set up your identities with access to exactly the right systems and tools. If you provide too much access, you put the organization at risk if the identity becomes compromised. However, under-provisioning may encourage people to request access for more than they need in order to avoid requesting permission again.
We take these two approaches:
- Set up role-based access—Identify the systems, tools, and resources that each role needs to do their job. Establish access rules that make it easy to give a new user the right permissions when you set up their account or they change roles.
- Establish an identity governance process—Make sure that as people move roles they don’t carry forward access they no longer need.
Establishing the right access for each role is so important that if you are only able to follow one of our recommendations focus on identity provisioning and lifecycle management.
What we learned
As you take steps to improve your identity management, keep in mind the following lessons Microsoft has learned along the way:
- Enterprise-level cultural shifts—Getting the technology and hardware resources for a more secure enterprise can be difficult. Getting people to modify their behavior is even harder. To successfully roll out a new initiative, plan for enterprise-level cultural shifts.
- Beyond the device—Strong identity management works hand-in-hand with healthy devices.
- Security starts at provisioning—Don’t put governance off until later. Identity governance is crucial to ensure that companies of all sizes can audit the access privileges of all accounts. Invest early in capabilities that give the right people access to the right things at the right time.
- User experience—We found that if you combine user experience factors with security best practices, you get the best outcome.
Learn more
For more details on how identity management fits within the overall Microsoft security framework and our roadmap forward, watch the Speaking of security: Identity management webinar.