![\"Bar](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2023\/01\/Graph-PNG-1024x518.png\")
<\/figure>\n\n\n\nFigure 1: Growth in password-related attacks between 2018 and 2022<\/em>.<\/p>\n\n\n\n Clearly, bad actors aren\u2019t standing still. So, neither can we.<\/p>\n\n\n\n As organizations look for opportunities to do more with less, they\u2019re no doubt considering how security teams can contribute. With that in mind, I\u2019d like to share five identity priorities for 2023 that will pay off in ways you can actually measure:<\/p>\n\n\n\n By adopting the latest identity innovations, you can better protect both your digital estate and your budget.<\/p>\n\n\n\n While credential attacks are still devastatingly effective, cybercriminals are also escalating in ways that are much harder to detect; for example, bypassing basic multifactor authentication and manipulating users into giving up their credentials or second factors. They\u2019re also infiltrating organizations through their suppliers, scouring GitHub repositories for credentials embedded in code, and stealing tokens. The most sophisticated and well-funded attackers are even attempting to take over the infrastructure that issues tokens.<\/p>\n\n\n\n Protecting user accounts is critical but no longer enough. You now must protect every layer of your identity ecosystem, including non-human or workload identities, plus the infrastructure that provides, stores, and manages all your identities. Your best bet is a Defense in Depth approach that requires close collaboration between your security operations center (SOC) and identity teams:<\/p>\n\n\n\n To assist your Defense in Depth approach, Microsoft provides unified, customizable experiences across Microsoft Entra<\/a>, Microsoft Defender for Identity<\/a>, and Microsoft Sentinel<\/a>.<\/p>\n\n\n\n The first step you can take\u2014and your best return on investment\u2014is to turn on multifactor authentication<\/a>, a feature included with every subscription to Microsoft Azure Active Directory (Azure AD), part of Microsoft Entra.2<\/sup> In our experience, of all accounts compromised in a single month, more than 99.9 percent didn\u2019t use multifactor authentication. Employing phishing-resistant multifactor authentication methods such as Windows Hello, FIDO 2 security keys and passkeys, and certificate-based authentication (CBA) will further reduce your risk. We also recommend blocking legacy authentication, because less secure protocols like POP and IMAP can\u2019t enforce multifactor authentication.3<\/sup><\/p>\n\n\n\n Where to start: <\/strong>Learn more about Azure AD<\/a> and Microsoft Defender<\/a>.<\/p>\n\n\n\n It may be tempting to stick with legacy technologies when they\u2019re tested, familiar, and do an okay job for now, like an old car that manages to get you to and from work even with the engine warning light flashing. You may be understandably worried about business disruption and the cost of transitioning from old to new, but \u201cpatchwork quilts\u201d of inflexible and poorly integrated technologies are expensive to maintain and leave gaps in your defenses. And since cybercriminals continue to innovate their tactics, your risk will only increase.<\/p>\n\n\n\n Modern, cloud-native identity solutions such as Microsoft Entra are more resilient, more scalable, and more secure against modern threats. They\u2019re also better equipped to accommodate the rapid changes to products, services, and business processes necessary to compete in today\u2019s unpredictable business environment. You can significantly increase business agility, better fortify your environment against future threats, and<\/em> save money by taking advantage of the advanced, integrated features available in Microsoft Entra.<\/p>\n\n\n\n Modernization is less daunting if you break it down into well-defined, time-bound projects with clear benefits. Start by migrating off of Active Directory Federation Services<\/a> (AD FS) to simplify your environment and retire those on-premises servers (if CBA has been a blocker for you, it\u2019s now available in Microsoft Entra).4<\/sup> Next, connect pre-integrated applications to Azure AD to gain advantages such as single sign-on.5<\/sup> Finally, inventory your security environment, consolidate any redundant tools to reduce your management burden, and apply your subscription savings to other priorities.<\/p>\n\n\n\n Where to start: <\/strong>If you\u2019re using AD FS, explore the benefits of modernizing identity and access capabilities<\/a>.<\/p>\n\n\n\n As any sports fan knows, highly skilled defenders are far more effective when they communicate and work together. You can strengthen your overall security posture by integrating tools that currently operate in silos. For example, many organizations employ network access solutions that recognize device- and network-related risks and prevent bad actors from crossing the network to compromise on-premises and legacy web-based applications. But many of these tools lack in-depth identity awareness, which can weaken your secure access posture.<\/p>\n\n\n\n Applying a Zero Trust<\/a> approach means explicitly verifying every access request using every available signal. You can get the most detailed picture of session risk by combining everything the network access solution knows about the network and device with everything the identity solution knows about the user session.<\/p>\n\n\n\n If your network access vendor is part of the Microsoft Secure Hybrid Access program, you can integrate their solution with Azure AD.6<\/sup> This way, the on-premises applications and custom or legacy web-based apps you\u2019re protecting with your network access solution also gain many of the same benefits that pre-integrated apps enjoy.7<\/sup><\/p>\n\n\n\n Where to start: <\/strong>Learn how to integrate your network access solution with Azure AD<\/a>.<\/p>\n\n\n\n Security awareness and mitigation efforts often focus on protecting your organization from external threats, such as hackers employing stolen or easily guessed credentials. But threats can be internal, too. For example, users tend to accumulate access to apps and resources they no longer need. Similarly, organizations sometimes forget to remove access granted to external collaborators when projects or contracts end. Organizations even discover still-active accounts of former employees that retain access to critical resources.<\/p>\n\n\n\n This is where identity governance comes in. Because governance helps to reduce internal risk\u2014whether from simple neglect or actual malfeasance\u2014it\u2019s critical for organizations of every size, geography, and industry. Microsoft Entra Identity Governance<\/a> is a complete identity governance solution that helps you comply with regulatory requirements while increasing employee productivity through real-time, self-service, and workflow-based entitlements. It extends capabilities already available in Azure AD by adding Lifecycle Workflows, separation of duties, and cloud provisioning to on-premises apps. Because it\u2019s cloud-delivered, Microsoft Entra Identity Governance scales to complex cloud and hybrid environments, unlike traditional on-premises identity governance point solutions.<\/p>\n\n\n\n If you already have an identity governance solution in place, you\u2019ll save money, reduce complexity, and close security gaps by consolidating multiple point solutions and adopting a solution that grows with you.<\/p>\n\n\n\n Where to start: <\/strong>Learn more about the Microsoft Entra Identity Governance Preview<\/a> and try it for free<\/a> today.<\/p>\n\n\n\n Identity verification for customers and employees is a significant expense for many organizations. When people apply for school admissions, loans, and jobs, a lot of time goes into the manual collection and verification of documents to prove age, citizenship, income, skills, professional experience, and more. If you collect and store such information in a centralized database, then you\u2019re responsible for everything it takes to fully secure and protect it. This not only creates risk for you, but it also creates risk for your employees or customers\u2014they naturally want control over who accesses their personal information and how it gets used.<\/p>\n\n\n\n Verifiable credentials introduce the concept of a per-claim trust authority. The trust authority populates a credential with a claim about you that you can store digitally. For example, a loan officer can confirm your current employment by requesting digital credentials issued by your employer and verifying them in real time. Our standards-based implementation, Microsoft Entra Verified ID<\/a>, helps organizations reduce the burden of identity verification and simplify processes such as new employee onboarding. Since we launched it in August 2022, customers worldwide<\/a> have already started using it to streamline verification processes.<\/p>\n\n\n\n Verified ID is currently available to all Azure AD customers at no additional charge. You can use APIs to create custom apps with simple and privacy-respecting identity verification built in.8<\/sup><\/p>\n\n\n\n Where to start: <\/strong>Learn more about Verified ID<\/a>.<\/p>\n\n\n\n As you kick off the new year, the strategies outlined in this blog can help you navigate tough decisions on where to focus your energies and how to empower your organization to do more with less. Our recommendations come from serving thousands of customers, collaborating with the industry, and protecting the digital economy from ever-evolving threats. We look forward to continuing our partnership with you\u2014from day-to-day interactions to joint deployment planning to direct feedback<\/a> that informs our strategy. As always, we remain committed to building the products and tools you need to defend your organization throughout 2023 and beyond.<\/p>\n\n\n\n Learn more about Microsoft Entra<\/a>. <\/p>\n\n\n\n To learn more about Microsoft Security solutions, visit our website<\/a>. Bookmark the Security blog<\/a> to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity<\/a> for the latest news and updates on cybersecurity.<\/p>\n\n\n\n 1<\/sup>Your Pa$$word doesn’t matter<\/a>, Alex Weinert. July 9, 2019.<\/p>\n\n\n\n 2<\/sup>How it works: Azure AD Multi-Factor Authentication<\/a>, Microsoft. August 25, 2022.<\/p>\n\n\n\n 3<\/sup>New tools to block legacy authentication in your organization<\/a>, Alex Weinert. March 12, 2020.<\/p>\n\n\n\n 4<\/sup>Overview of Azure AD certificate-based authentication<\/a>, Microsoft. October 18, 2022.<\/p>\n\n\n\n 5<\/sup>What is single sign-on in Azure Active Directory?<\/a> Microsoft. December 7, 2022.<\/p>\n\n\n\n 6<\/sup>Secure hybrid access through Azure AD partner integrations<\/a>, Microsoft. July 8, 2022.<\/p>\n\n\n\n\n
1. Protect against identity compromise using a \u201cDefense in Depth\u201d approach<\/h2>\n\n\n\n
\n
2. Modernize identity security to do more with less<\/h2>\n\n\n\n
3. Protect access holistically by configuring identity and network access solutions to work together.<\/h2>\n\n\n\n
4. Simplify and automate identity governance<\/h2>\n\n\n\n
5. Verify remote users in a cheaper, faster, more trustworthy way<\/h2>\n\n\n\n
Microsoft can help you secure more with less<\/h2>\n\n\n\n
\n\n\n\n