The cloud era has fundamentally changed the way businesses must think about security. For a long time, we built security around the perimeter. But today, the boundaryless landscape demands that we start with the individual.
In our journey with customers co-designing our products and services, Microsoft has learned that our identity solutions need to do more than just support employee productivity. We have to take things further to ensure our solutions empower our customers to work more closely with their business partners and nurture deeper relationships with their customers, who want help not just securing their personal information, but also protecting their privacy. The problems our customers need to solve, and the scenarios they want enabled for the future, have shaped the design principles guiding our identity strategy.
Embrace open standards
The world of cloud and devices is inherently heterogenous. Our customers, their partners, and their customers will use many devices, apps, and services from many different vendors. The complexity of managing and securing such a mixed environment could be overwhelming if not for open standards. For example, OAuth 2.0, OIDC, and SAML enable single sign-on across apps and clouds from multiple vendors, SCIM enables automated user provisioning, and the new standards from the FIDO alliance make signing in more secure. This is why every API and protocol Azure AD supports is based on open standards and why Microsoft is actively engaged in all the major identity standards bodies.
Offer industry-leading security
Our goal is to create an identity system that’s secure and private from the ground up. This means blocking every avenue of attack that we can. Enabling MFA reduces credential-based security breaches by more than 99 percent, but there’s still risk from people mishandling their passwords or getting tricked into handing them over. Adopting FIDO with the recently ratified WebAuthN standard makes it possible to eliminate passwords altogether, replacing them with a biometric device or a phone. If you have a Microsoft Account, you can go passwordless today. Soon, passwordless sign-in will be an option on every Microsoft platform and application, as well as for third party applications that integrate with Azure AD.
We now put the full power of the cloud behind every authentication request. Using Azure AD Conditional Access as a starting point, organizations can implement a Zero Trust security strategy that examines not only the identity of the user, but also the type and health of their device, the properties and reputation of the network they’re connecting from, the app they’re using, and the sensitivity of the data they’re trying to access. This not only makes security stronger, it also improves the user experience. For example, we can employ cloud-scale machine learning algorithms, which process trillions of signals daily, to learn each user’s common behavioral patterns and flag authentication attempts that are abnormal or high risk. This way, policies invoke MFA or other additional measures only when necessary, making the experience less interruptive to users.
Make governance easier and more automatic
Implementing strong governance strengthens security guardrails, but most customers find the task daunting. Granting access is easy. Remembering months later to remove access for each person who may have changed roles is not. Identity systems should make it easier to assign the right access to the right people, for example, by automating user access provisioning and deprovisioning based on a user role, location, and business unit. It should be easier for employees and partners to request access when they need it. And most importantly, the system should prompt administrators to review access permissions on a regular cadence or when people change roles. And all of these processes should be driven and informed by world class machine learning and AI which constantly monitor for unusual patterns and unrecognized risks.
Deliver a comprehensive solution, not building blocks
One of the key things we’ve learned from our enterprise customers is that they’re sick and tired of cobbling together identity solutions based on mix and match sets of identity building blocks acquired from a myriad of vendors. They want a holistic solution that supports all their applications and all their different identities while giving them security and control without the gaps that inevitably occur when multiple point solutions are patched together. We’ll do this by delivering a completely integrated identity and access management suite that gives them a single place to go to manage—and protect—all identities, whether they belong to employees, business partners, or customers and all of the resources, they need to access.
Give people control over their information
A holistic solution that accepts identities people bring with them is a necessary prerequisite to the vision of decentralized identity. Microsoft believes everyone has the right to own and control their digital identity—one that securely and privately stores all personal data. To achieve this vision, we need to augment existing cloud identity systems with one that individuals, organizations, and devices can own so they can control their digital identity and data. We believe a standards-based decentralized identity system can unlock a new set of experiences that empowers users and organizations to have greater control over their data—and deliver a higher degree of trust and security.
Taking the next step
Everyone in the identity division at Microsoft is passionately committed to ensuring the systems we build empower people to do their best work and live their best lives.
If one thing is clear, though, these identity initiatives are a journey. Over the coming months, we’ll invite you to participate in a series of technology previews, where your feedback will help shape how identity services will take us closer to a world without passwords, where organizations can easily manage and secure complex environments, and individuals can worry less and stop making trade-offs among ease of use, privacy, and security. Working together as an industry, we’re building a better path to security and privacy, anchored around the one constant in this fast-moving, heterogenous world—you.