When I outlined the five identity priorities for 2020, the world was a very different place. Since then, the COVID-19 pandemic has forever changed how organizations run their businesses. It’s also changed the way we work, learn, and collaborate. What hasn’t changed is the critical role identity plays in helping organizations to be secure and productive.
Yesterday, we shared the progress we’ve made with our integrated security, compliance, identity, and management solutions. Identity alone has grown at an unprecedented pace—from 300 million monthly active users (MAU) in March 2020 to 425 million today. Organizations around the world have accelerated the adoption of security and collaboration apps. But behind these numbers are stories of customers like you, working tirelessly to help your organizations stay ahead.
As I prepare for our traditional customer co-innovation week and reflect on our customers’ challenges and business goals, I want to share our five identity priorities for this year. Many of the recommendations I outlined last year still apply. In fact, they’re even more relevant as organizations accept the new normal of flexible work while bad actors continue to master sophisticated cyber attack techniques. Our 2021 recommendations will help you strengthen your identity and security foundations for the long term, so you can be ready for whatever comes next.
1. Trust in Zero Trust
Zero Trust is back this year, but this time it’s at the top of the list. The “assume breach” mentality of Zero Trust has become a business imperative. Organizations need to harden their defenses to give employees the flexibility to work from anywhere, using applications that live outside of traditional corporate network protections. When the pandemic hit last year, we worked side by side with many of you. We noticed that organizations already on their Zero Trust journey had an easier time transitioning to remote work and strengthening their ability to fend off sophisticated attacks.
The good news is that 94 percent of the security leaders we polled last July told us they had already embarked on a Zero Trust journey. Wherever you are on your journey, we recommend making identity the foundation of your approach. You can protect against credentials compromise with essential tools like multifactor authentication (MFA) and benefit from innovations like risk assessment in Identity Protection, continuous access evaluation, Intune app-protection policies, as well as Microsoft Azure Active Directory (Azure AD) Application Proxy and Microsoft Tunnel.
Looking ahead, as more services act like people by running applications (via API calls or automation) and accessing or changing data, secure them using the same principles: make sure they only get access to the data they need, when they need it, and protect their credentials from misuse.
2. Secure access to all apps
This was our top recommendation last year, and it couldn’t be more critical today. The growth in app usage with Azure AD shows that organizations are connecting more apps to single sign-on. While this provides seamless and secure access to more apps, the best experience will come from connecting all apps to Azure AD so people can complete all work-related tasks from home and stay safer during the pandemic. Connecting all apps to Azure AD also simplifies the identity lifecycle, tightens controls, and minimizes the use of weak passwords. The result is stronger security at a lower cost: Forrester estimates that such a move can save an average enterprise almost USD 2 million over three years.
Azure AD app gallery includes thousands of pre-integrated apps that simplify deployment of single sign-on and user provisioning. If you want to extend MFA and Conditional Access to legacy on-premises apps, including header-based apps, use Azure AD Application Proxy or an integrated solution from one of our secure hybrid access partners. With our migration tools, you can modernize authentication of all apps and retire your ADFS implementation. This will help prevent attacks that are particularly difficult to detect in on-premises identity systems.
It’s also important to limit the number of admins who can manage apps across your organization, to protect privileged accounts with MFA and Conditional Access, and to require just-in-time (JIT) elevation into admin roles with Privileged Identity Management.
Where to start: Learn how to use Azure AD to connect your workforce to all the apps they need.
3. Go passwordless
We’ll keep repeating the mantra “Go passwordless” as long as passwords remain difficult for people to remember and easy for hackers to guess or steal. Since last year we’ve seen great progress: in May, we shared that over 150 million users across Azure AD and Microsoft consumer accounts were using passwordless authentication. By November, passwordless usage in Azure AD alone had grown by more than 50 percent year-over-year across Windows Hello for Business, Microsoft Authenticator, and FIDO2 security keys from partners like AuthenTrend, Feitian, or Yubico.
Passwordless authentication can minimize or eliminate many identity attack vectors, including those exploited in the most sophisticated cyberattacks. At a minimum, going passwordless should be non-negotiable for admin-level accounts. Moreover, providing employees with a fast, easy sign-in experience saves time and reduces frustration. Forrester estimates that consolidating to a single identity solution and providing one set of credentials saves each employee 10 minutes a week on average, or more than 40 hours a year. Imagine additional savings from not having to reset passwords or mitigate phishing attacks.
Where to start: Read the Forrester Report, “The Total Economic Impact™ Of Securing Apps With Microsoft Azure Active Directory.”
4. Choose and build secure-by-design apps
Because attacks on applications are growing, it’s important to go a step beyond integrating apps with Azure AD to deploying apps that are secure by design. Build secure authentication into the apps you write yourself using the Microsoft Authentication Library (MSAL). Ideally, apps should go passwordless too, so ensure they’re using strong credentials like certificates. If your apps interact with other Microsoft services, take advantage of the identity APIs in Microsoft Graph. Whenever possible, choose third-party apps from verified publishers. Since publisher verification badges make it easier to determine whether an app comes from an authentic source, encourage your ISV partners to become verified publishers if they haven’t already.
Since most apps ask to access company data, administrators may choose to review consent requests before granting permissions. While neglecting to review requests is a security risk, doing it for every single app used by every single employee takes too much time and costs too much. Fortunately, new features like app consent policies and admin consent workflow help avoid the extreme choices of reviewing all requests or delegating full responsibility to employees. Regularly review your apps portfolio and take action on overprivileged, suspicious, or inactive apps.
Where to start: Update your applications to use Microsoft Authentication Library and Microsoft Graph API, adopt app consent policies and publisher verification practices, and follow identity platform best practices.
5. Break collaboration boundaries
We know that partners, customers, and frontline workers are essential to your business. They, too, need simple and secure access to apps and resources, so they can collaborate and be productive, while administrators need visibility and controls to protect sensitive data.
Simplify collaboration for external users with intuitive self-service sign-up flows and the convenience of using their existing email or social account. For frontline workers, Azure AD offers simple access, through sign-in with a one-time SMS passcode, which eliminates the need to remember new credentials. For frontline managers, the My Staff portal makes it easy to set up SMS sign-in, to reset passwords, and to grant access to resources and shared devices without relying on help desk or IT.
Visibility and control are easier to achieve when managing all identities using a common toolset. You can apply the same Conditional Access policies for fine-grained access control to services, resources, and apps. By setting up access review campaigns, or using automated access reviews for all guest users in Microsoft Teams and Microsoft 365 groups, you can ensure that external guests don’t overstay their welcome and only access resources they need.
Get started on the future now: Explore verifiable credentials
During the pandemic, you’ve had to support not only remote work but also remote recruiting. People usually show up to an interview with documentation in hand that confirms their identity and qualifications. It’s more complicated to vet candidates remotely, especially when hiring needs to happen quickly—for example, in the case of essential workers.
Microsoft and industry-leading ID verification partners are pushing the frontier of identity by transforming existing ID verification practices with open standards for verifiable credentials and decentralized identifiers. Verifiable credentials are the digital equivalent of documents like driver’s licenses, passports, and diplomas. In this paradigm, individuals can verify a credential with an ID verification partner once, then add it to Microsoft Authenticator (and other compatible wallets) and use it everywhere in a trustworthy manner. For example, a gig worker can verify their driver’s license and picture digitally, and then use it to get hired by a ride-sharing service and a food delivery company.
Such an approach can improve verification while protecting privacy across the identity lifecycle: onboarding, activating credentials, securing access to apps and services, and recovering lost or forgotten credentials. We’re piloting this technology with customers like the National Health Service in the UK and MilGears, a program of the United States Department of Defense that helps service members and veterans enroll in higher education and jumpstart their civilian careers.
Where to start: Watch our Microsoft Ignite session on Decentralized Identity and join the Decentralized Identity Foundation.
Whether your top priority is modernizing your infrastructure and apps or implementing a Zero Trust security strategy, we are committed to helping you every step of the way. Please send us your feedback so we know what identity innovations you need to keep moving forward on your digital transformation journey.