In this era of digital transformation, Microsoft has shifted to a security strategy that places strong employee identities at the center. Organizations today are looking for an identity-management approach. Microsoft therefore aims to reduce the risk of compromised identities and empower people to be efficient and alert whether or not they are on the right network.
As a large enterprise with global reach, Microsoft faces the same security risks as its customers. Many individuals struggle to remember unique, complex passwords, or they reuse one password across many accounts. This makes their accounts vulnerable to hackers.
Microsoft's identity management solutions focus on these key areas:
- Securing administrator accounts.
- Eliminating passwords.
- Simplifying identity provisioning.
Securing administrator accounts
Administrators have access to the most sensitive data and systems, which makes them a target for attackers. To improve protection of administrators, it's important to limit the number of people who have privileged access and to enforce controls over when, how, and where administrator accounts can be used. This helps reduce the risk that a malicious actor will gain access to your device. To secure administrator accounts, three practices are advised:
- Secure devices: Set up a separate device for administrative tasks and keep it updated with the most recent software and operating system. You can also prevent administrative tasks from being executed remotely and set the security controls to high.
- Isolated identity: An administrator identity should be established from a separate namespace that cannot access the internet and is different from the user's information worker identity.
- Non-persistent access: Do not provide rights to administration accounts by default.
Eliminating passwords
Over the past few years, the security community has recognized that passwords are not safe. Users struggle to create and remember many complex passwords, and attackers acquire passwords through methods like password spray attacks and phishing.
Microsoft issued smartcards to each employee when it first announced the use of Multi-Factor Authentication (MFA) for its workforce. This was a very secure authentication method. Eventually, Microsoft realized that eliminating passwords was a much better way to stay protected.
Steps that can be taken to prepare for a password-less world:
- Enforce MFA: With MFA enforcement, you will require a PIN and a biometric for authentication rather than a password.
- Reduce legacy authentication workflows: Apps that require passwords should be moved into a separate user access portal, and users should be migrated to modern authentication flows.
- Remove passwords: Create consistency across Active Directory to enable administrators to remove passwords from the identity directory.
Simplifying identity provisioning
It is essential to set up identities with access to exactly the right systems and tools. If you provide too much access, you put the organization at risk if that identity is compromised. Two approaches help here:
- Set up role-based access: Identify the tools, systems, and resources that each role needs to do its work. Create access rules that make it easy to give a new user the right permissions when they set up their account or change roles.
- Establish an identity governance process: Ensure that as people move roles, they don't carry forward access they no longer need. Establishing the right access for each role becomes crucial in this case.
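The two approaches above can be sketched in a few lines. This is an added example, not Microsoft's code: the role map, account names, and entitlement names are constructed for illustration. It provisions access from a role, computes what to grant and revoke on a role change, and audits accounts for access carried forward from an earlier role.

```python
# Added example: the role map, accounts, and entitlement names are constructed.
ROLE_ENTITLEMENTS = {
    "sales": {"crm", "email", "expense-portal"},
    "finance": {"ledger", "email", "expense-portal", "payroll-reports"},
    "engineer": {"source-control", "build-system", "email"},
}

def provision(role):
    """Entitlements a new account in `role` starts with: exactly the role's set."""
    return set(ROLE_ENTITLEMENTS[role])

def change_role(current, new_role):
    """Return (grant, revoke) so the account ends with only the new role's access."""
    target = ROLE_ENTITLEMENTS[new_role]
    return target - current, current - target

def audit(accounts):
    """Governance review: report excess and missing access for each account."""
    findings = {}
    for user, (role, held) in accounts.items():
        expected = ROLE_ENTITLEMENTS.get(role)
        if expected is None:
            # A role with no definition cannot be reviewed; flag it instead.
            findings[user] = {"error": f"unknown role {role!r}"}
            continue
        excess, missing = held - expected, expected - held
        if excess or missing:
            findings[user] = {"excess": sorted(excess), "missing": sorted(missing)}
    return findings

ACCOUNTS = {
    "alice": ("finance", provision("finance")),
    # bob moved from sales to engineer, but the old access was never removed
    "bob": ("engineer", provision("sales") | provision("engineer")),
    "carol": ("contractor", {"email"}),
}

if __name__ == "__main__":
    grant, revoke = change_role(provision("sales"), "engineer")
    print("grant:", sorted(grant), "revoke:", sorted(revoke))
    for user, finding in audit(ACCOUNTS).items():
        print(user, finding)
```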
As you take steps to improve your identity management, plan for enterprise-level cultural shifts, because strong identity management goes hand-in-hand with healthy devices. Do not put governance off until later: identity governance is crucial to ensure that companies can audit the access privileges of all accounts. You will get the best outcome if you combine user experience factors with security best practices.