How to build a secure foundation for identity and access
The security community is continuously changing, growing, and learning from each other to better position the world against cyberthreats. In the latest post of our Community Voices blog series, Microsoft Security Senior Product Marketing Manager Brooke Lynn Weenig talks with Christina Richmond, a cybersecurity expert who formerly worked as a Program Vice President at IDC. The thoughts below reflect Christina’s views, not the views of her former employer or Microsoft, and are not legal advice.
Brooke: Christina, thanks for taking the time to share your extensive experience as a cybersecurity analyst and thought leader.
I’ll be asking you about topics that Microsoft customers typically consider in their end-to-end security journey, especially around the foundation of identity and access solutions as the first line of defense in a Zero Trust strategy. Here’s my first question:
What security basics should an organization build into any cloud platform for a strong security foundation?
Christina: I would expect to see a layered approach across the entire environment. Any cloud provider needs to secure their own infrastructure and extend to everything they are offering externally. In the shared responsibility model, the customer of the cloud platform needs to understand where their data is, which is their responsibility, and where the platform is being secured by the cloud provider. It’s important to see that the cloud provider’s physical infrastructure and digital assets are going through the same kind of security, layered approach, or in-depth defense that you would hope to see in any organization.
I also would want to see a cloud provider offer tools to help customers with their side of the shared responsibility model. For example, identity security is your responsibility as an organization, but a cloud provider can help by offering a strong identity and access management program. I would expect identity and data security to be very strong from a cloud provider because those are the new perimeter, and data, of course, is the lifeblood of the organization.
The other thing that I would hope for from a cloud provider is actionable insight into threat actors and the tools and tactics that they are using, plus the monitoring and response services that span a hybrid environment and multicloud environments.
Brooke: How should trust play into security decision-makers’ minds?
Christina: Trust means so many things to so many people. It’s not one thing. When I was at IDC, I defined digital trust solely in terms of security. Now, I look at it from a broader economic perspective, like how a company is transparent about how they are going to use customer data. It is about showing very high principles around their data security.
That would be evidenced by publishing what they do with your data and what choices you have as a consumer of that service. You can choose privacy and have different elections of privacy controls, so that would be transparency around data.
Digital trust involves having a very strong model of ethics around proper data usage, but also ethics more broadly in the community, so not just the data of their consumers but also the data of their partners. Digital trust also has to do with the brand. Do you feel good about a brand? If you see sustainability, strong diversity, equity, and inclusion, and they’re taking care of their organization and presenting a brand that is doing good in the community, that also builds trust.
I like it when organizations are very straightforward and transparent about what they are doing for their employees. “Here is our diversity equity inclusion framework, our mission statement, and what we are doing in the community to give back. Here is how we are being responsible partners for facial recognition, artificial intelligence, and machine learning.” I love it when there is an event in the media—it might be a negative event—and a company comes out right away and says, “This happened, and here is our stance on it” and they are very transparent.
Brooke: What are the most common gaps you are seeing for organizations when securing access?
Christina: There are a ton of gaps. Identities are really complicated. Administrators deal with so much complexity. They must look at multiple dashboards and onboard employees to work on software as a service (SaaS) platforms or cloud platforms or on-premises in their own data centers.
There is a gap in modernizing identity and having one dashboard for visibility. Visibility into apps and services that also need our access control is a huge gap. We do not know what we cannot see, and we cannot protect it if we do not see it. It is important to include those apps and services in identity lifecycle management, and it is a gap for many organizations because it is still new.
Brooke: What should organizations be doing to address the challenge of compromised passwords?
Christina: Before we talk about moving toward passwordless authentication, we need to look a little more deeply at multifactor authentication. It is important, but it is not enough. There are multiple authentication techniques, and we are used to getting a code and putting the code in. That is better than just putting a password in and having to personally manage hundreds of passwords, but there are other things that we can do to bolster multifactor authentication:
- Biometrics: We can use facial recognition or a fingerprint on our computer or phone.
- Time of access: Time and geolocation are coordinated.
- Behavior-based security: Consider how a person holds the phone and how much they shake or move it around, to tell whether it is in someone else’s hands.
- Hard token authentication: Users need a USB drive, keycard, RFID key fob, or another hard token to authenticate.
- Passwordless: It helps slow the hacker down because it is much harder to hack. I like passwordless. I just think it still needs a little bit more maturing.
Brooke: What are your thoughts on permissions management in a risk-reduction approach?
Christina: It’s important to have permissions management. There is permission creep, and we need to keep on top of it. Having visibility across your on-premises data center, your multiple data centers, and your multiple clouds is critical.
We lack visibility into identities and permissions, and we struggle with permission creep. We need a comprehensive, unified solution for full visibility and for remediating risk that continuously monitors unused or excessive permissions and is based on least privilege. Least privilege and Zero Trust are vastly different and both are important for varied reasons. Being able to manage all those permissions in a way that provides us with broader visibility and a unified view and does constant monitoring is a critical asset. This could mean flagging that this person or this resource is no longer using their permission, or a person has too much permission based on their title or other factors.
Brooke: Thank you, Christina. I’ve got one closing question on behalf of our readers. As an expert, what do you suggest as the three most important things that organizations should implement for a strong digital identity framework?
Christina: First, identity governance with self-service onboarding is important, so more automation and fewer legacy tools. Second, we need to be moving toward passwordless authentication, and we need to make passwordless easier on the users. Third, organizations need workload identity management because the supply chain is a mess when it comes to tracking who has access to what resource, for what reason, and how broad their permissions are. We need to be able to track that in real time and do it seamlessly with automation. Permissions management needs to be built in, but we need to treat workloads, apps, and services as identities so that we can fold them into our permission management and our broader identity and access management tools.
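The permission-creep monitoring Christina describes (continuously comparing granted permissions against what is actually used and against a least-privilege baseline, for human users and workload identities alike) can be sketched in a few lines. The following is an added example written for this page; it is not code from the interview, from IDC, or from any Microsoft product. All grants, role baselines, and access-log lines are constructed sample data, the log format (`timestamp identity permission`) is an assumption, and the 30-day review window is an arbitrary choice.

```python
"""Flag unused and excessive permissions from constructed grant and access-log data (example only)."""
from datetime import datetime, timedelta

# Least-privilege baseline per role: the permissions a role is expected to need.
# Constructed for this example; a real baseline would come from governance data.
ROLE_BASELINE = {
    "analyst": {"storage:read", "kv:read"},
    "engineer": {"storage:read", "storage:write", "kv:read", "compute:deploy"},
    "ci-pipeline": {"storage:write", "compute:deploy"},  # a workload identity, treated like any other
}

# Current grants as (identity, role, permission). Constructed sample data.
GRANTS = [
    ("alice", "analyst", "storage:read"),
    ("alice", "analyst", "kv:read"),
    ("alice", "analyst", "compute:deploy"),      # not in the analyst baseline
    ("bob", "engineer", "storage:read"),
    ("bob", "engineer", "storage:write"),
    ("bob", "engineer", "kv:read"),
    ("bob", "engineer", "compute:deploy"),
    ("bob", "engineer", "kv:delete"),            # not in the engineer baseline, but in use
    ("build-svc", "ci-pipeline", "storage:write"),
    ("build-svc", "ci-pipeline", "compute:deploy"),
    ("build-svc", "ci-pipeline", "kv:delete"),   # over-privileged workload identity, never used
]

# Constructed access log: "<ISO-8601 UTC timestamp> <identity> <permission>" per line (assumed format).
ACCESS_LOG = [
    "2024-05-01T09:12:04Z alice storage:read",
    "2024-05-20T10:01:00Z alice kv:read",
    "2024-05-21T11:00:00Z bob storage:write",
    "2024-05-22T12:00:00Z bob compute:deploy",
    "2024-03-01T08:00:00Z bob kv:read",          # last used long before the review window
    "2024-05-28T09:00:00Z bob kv:delete",
    "2024-05-25T00:00:00Z build-svc compute:deploy",
    "2024-05-25T00:00:01Z build-svc storage:write",
]

NOW = datetime(2024, 6, 1)   # fixed "current time" so the example is reproducible


def parse_access_log(lines):
    """Return {(identity, permission): last_used} by keeping the newest timestamp per pair."""
    last_used = {}
    for line in lines:
        ts, identity, permission = line.split()
        seen = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        key = (identity, permission)
        if key not in last_used or seen > last_used[key]:
            last_used[key] = seen
    return last_used


def unused_permissions(grants, last_used, now, window_days=30):
    """Grants never exercised, or not exercised within the review window."""
    cutoff = now - timedelta(days=window_days)
    findings = []
    for identity, _role, permission in grants:
        seen = last_used.get((identity, permission))
        if seen is None or seen < cutoff:
            findings.append((identity, permission, seen))
    return findings


def excessive_permissions(grants, baseline):
    """Grants that exceed the least-privilege baseline for the identity's role."""
    return [(identity, role, permission)
            for identity, role, permission in grants
            if permission not in baseline.get(role, set())]


def recommend(grants, last_used, baseline, now, window_days=30):
    """Combine both signals into an action per (identity, permission) that needs attention.

    remove  : above baseline and unused  -> revoke
    justify : above baseline but in use  -> needs a documented exception or a baseline change
    review  : within baseline but unused -> candidate for removal after owner review
    """
    unused = {(i, p) for i, p, _ in unused_permissions(grants, last_used, now, window_days)}
    excessive = {(i, p) for i, _, p in excessive_permissions(grants, baseline)}
    actions = {}
    for identity, _role, permission in grants:
        key = (identity, permission)
        if key in unused and key in excessive:
            actions[key] = "remove"
        elif key in excessive:
            actions[key] = "justify"
        elif key in unused:
            actions[key] = "review"
    return actions


if __name__ == "__main__":
    for (identity, permission), action in sorted(recommend(
            GRANTS, parse_access_log(ACCESS_LOG), ROLE_BASELINE, NOW).items()):
        print(f"{action:8} {identity:10} {permission}")
```

Run on the sample data, the report separates the three cases Christina lists: permissions nobody is using (review), a person holding more permission than their role warrants (justify or remove), and a workload identity that was granted something it has never exercised (remove). In production the grants and log would be pulled from the identity provider and cloud audit logs, and the run would be scheduled rather than one-off, but the comparison logic is the same.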
Learn more
Learn more about Microsoft identity and access management, and solutions for securing access with Microsoft Entra.
To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.