Joy Chik, the president of identity and network access at Microsoft, has set out five priorities for 2023 that can help organisations defend themselves against identity threats.
“Microsoft can help you protect more with less,” said Chik, in a recent Microsoft Latin America blog post (in Spanish). “Our recommendations come from serving thousands of customers, collaborating with industry, and protecting the digital economy from ever-evolving threats.”
Microsoft’s reported monthly attack findings show the growth in password-related attacks between 2018 and 2022
1. Protect against identity compromise with a ‘Defence in Depth’ approach
Users must protect every layer of their identity ecosystem and the infrastructure that provides, stores and manages identities. Microsoft recommends a ‘Defence-in-Depth’ approach – via Microsoft Login, Microsoft Defender for Identity and Microsoft Sentinel’s multi-factor authentication – to reduce the number of password attacks, of which 1,287 occurred every second in 2022. The approach monitors vulnerabilities within identity systems, controls the allocation of access and identifies threat activity.
“Last year, password breach replay attacks rose to 5.8 billion per month, while phishing attacks rose to 31 million per month and password spray attacks skyrocketed to five million per month,” said Chik. “In our experience, of all accounts compromised in a single month, more than 99.9 per cent did not use multi-factor authentication. Using phishing-resistant multi-factor authentication methods, such as Windows Hello, will further reduce your risk.”
2. Modernise identity security
Microsoft encourages organisations to invest in cloud-native identity solutions like Microsoft Entra rather than continuing to work on legacy technologies that leave gaps in defences and are costly to maintain.
“Microsoft Entra is better equipped to adapt to the rapid changes in products, services, and business processes required to compete in today’s unpredictable business environment,” said Chik. “You can significantly increase business agility, better harden your environment against future threats, and save money by taking advantage of the advances and integrated features available in Microsoft Entra.”
3. Protect access holistically
Users can strengthen their overall security by integrating tools that currently work independently. Microsoft recommends applying a zero-trust approach to verify each access request through tokenisation. “This provides the most detailed picture of session risk by combining everything the network access solution knows about the network and device with everything the identity solution knows about the user session,” said Chik.
4. Simplify and automate identity governance
To protect against internal threats – which can arise when firms forget to remove access granted to external collaborators once projects end – the Microsoft Entra Identity Governance solution ensures that user access meets regulatory requirements. It allows businesses to incorporate life cycle workflows, separation of duties and cloud provisioning for on-premises applications, as well as cloud and hybrid environments.
5. Verify remote users quickly and reliably
Collecting and storing information in a centralised database allows security teams to be responsible for protecting all the data within it. According to Microsoft, this can be helpful for customers and employees across the public sector via verifiable credentials on Microsoft Entra Verified ID. This solution allows trusted authorities such as loan officers to complete a credential claim on users that is stored digitally by their employer.