Bret Arsenault, Microsoft’s chief information security officer (CISO), who has worked at the company for 31 years, says he has been publicly applauded only once there: when he ended Microsoft’s internal policy of changing passwords every 71 days.
“This is the first time that I have been applauded as a security official and leader,” he said. “We have said that we are turning off password rotation within Microsoft.”
As Microsoft’s CISO, Bret Arsenault is responsible for protecting both Microsoft products and its internal networks, used by its 160,000 employees. If you add the suppliers, he is responsible for about 240,000 accounts worldwide. Eliminating passwords and replacing them with better options like multi-factor authentication (MFA) is high on his to-do list.
Finding the true value of multi-factor authentication
Microsoft updated its password policy in stages. In January 2019, it moved to a one-year expiration and used telemetry to validate the effect. In January 2020, based on those results, it removed expiration altogether.
In 2019 Microsoft also stopped recommending that customers enforce a 60-day password expiration policy, because people tend to make small changes to their existing password (the infamous incremental password) or to forget a genuinely strong new one.
Rather than framing the conversation as setting up MFA everywhere, Bret Arsenault marketed it as the change that would allow passwords to be eliminated.
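The "incremental password" problem above is easy to demonstrate. The following is an added example, not Microsoft's code: at change time a service normally receives both the old and the new password in the same request, so it can compare the two for that one request without storing anything. The two heuristics (same stem after stripping trailing digits and symbols, or a small edit distance) and the threshold of 2 are assumptions chosen for illustration.

```python
"""Flag password changes that merely increment the old password.

Added example, not Microsoft's code. Assumes the caller has the old and new
plaintext for the duration of a single change request (the user supplied the
old password to authorise the change). Thresholds are illustrative.
"""
import re

TRAILING_JUNK = re.compile(r"[\d\W_]+$")


def stem(password: str) -> str:
    """Lower-case and drop the trailing digits/symbols, the usual 'increment' zone
    (Summer2023! -> summer, P@ssw0rd1 -> p@ssw0rd)."""
    return TRAILING_JUNK.sub("", password.lower())


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance with a rolling row; O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete
                           cur[j - 1] + 1,          # insert
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def is_incremental(old: str, new: str, max_distance: int = 2) -> bool:
    """True when the new password is the old one with a trivial tweak."""
    if old == new:
        return True
    old_stem = stem(old)
    # An empty stem (e.g. '12345') carries no information, so skip that check.
    if old_stem and old_stem == stem(new):
        return True
    return levenshtein(old.lower(), new.lower()) <= max_distance


if __name__ == "__main__":
    for old, new in [("Summer2023!", "Summer2024!"), ("P@ssw0rd", "P@ssw0rd1"),
                     ("Winter2023", "correct horse battery staple")]:
        print(f"{old!r} -> {new!r}: incremental={is_incremental(old, new)}")
```

A rejected change should send the user a message that explains the rule ("too similar to your previous password") rather than a generic failure, otherwise they simply try the next increment.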
“If I remove the passwords and use biometrics, it’s much faster, and the experience is better”
“Because nobody likes passwords. You hate them, users hate them, IT departments hate them. The only people who love passwords are criminals – they love them, ”he says.
“I remember that our motto was ‘MFA everywhere’; in retrospect, that was the right security goal, but the wrong approach. Focus on the outcome for the user and move to ‘we want to eliminate passwords’. The words you use matter. It turned out that this simple change of language changed the culture and the vision. More importantly, it changed our design and what we built, like Windows Hello for Business,” he says.
“If I remove the passwords and use any form of biometrics, it’s a lot faster, and the experience is so much better. “
“99.9% of our users do not enter passwords in their environment”
On Windows 10 PCs, this biometric sign-in experience is handled by Windows Hello. On iOS and Android, sign-in to Office apps goes through Microsoft Authenticator, which uses the biometric sensors already available on iPhone and Android phones.
“Today, 99.9% of our users do not enter passwords in their environment. That said, progress trumps perfection, there are still some old apps that will always ask for [a password],” he recalls.
Only 18% of Microsoft customers have activated MFA
However, this is not the end of the battle. Only 18% of Microsoft customers have activated MFA.
This figure seems absurdly low, given that MFA is free for Microsoft customers, and especially since, as ransomware shows, the compromise of a single key internal account can cost millions of dollars.
MFA won’t completely stop attackers, but it makes their lives harder by shielding an organization from the inherent weakness of usernames and passwords, which can be phished or compromised by password spray attacks.
The latter technique, which tries a small number of common passwords against many accounts and relies on users choosing widely reused passwords, was one of the means used by the SolarWinds attackers to reach their targets, alongside breaking into the company’s build systems to distribute a malicious software update.
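Password spraying leaves a distinctive shape in sign-in logs: one source touches many accounts with one or two attempts each, whereas a classic brute force hammers one account. The following detector is an added example (not Microsoft's tooling or any product's detection rule); the log line format, the 30-minute bucket and the thresholds (5 distinct accounts, at most 2 failures per account, 10 failures for brute force) are assumptions, and the sample log is constructed for the demonstration.

```python
"""Classify sign-in failures as password spray vs brute force.

Added example, not Microsoft's tooling. Log format is an assumption:
    <ISO-8601 UTC timestamp> <source IP> <username> <SUCCESS|FAIL>
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

LINE = re.compile(r"^(\S+) (\S+) (\S+) (SUCCESS|FAIL)$")

# Constructed sample log (not real data):
#   203.0.113.5   sprays one password across six accounts and gets into 'frank'
#   198.51.100.7  hammers the single account 'carol'
#   192.0.2.9     is a normal user who mistyped once
SAMPLE_LOG = "\n".join(
    [
        "2021-04-01T10:00:00Z 203.0.113.5 alice FAIL",
        "2021-04-01T10:00:04Z 203.0.113.5 bob FAIL",
        "2021-04-01T10:00:09Z 203.0.113.5 carol FAIL",
        "2021-04-01T10:00:13Z 203.0.113.5 dave FAIL",
        "2021-04-01T10:00:18Z 203.0.113.5 erin FAIL",
        "2021-04-01T10:00:22Z 203.0.113.5 frank SUCCESS",
    ]
    + [f"2021-04-01T10:05:{i:02d}Z 198.51.100.7 carol FAIL" for i in range(10)]
    + [
        "2021-04-01T10:11:30Z 192.0.2.9 dave FAIL",
        "2021-04-01T10:11:45Z 192.0.2.9 dave SUCCESS",
    ]
)


def parse(log_text):
    """Return a list of (datetime, src, user, result); malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        ts, src, user, result = m.groups()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((when, src, user, result))
    return events


def classify(events, window_minutes=30, min_accounts=5, max_per_account=2,
             brute_threshold=10):
    """Map source IP -> 'password_spray' | 'brute_force' for sources whose
    failures inside one time bucket match either pattern."""
    # (src, bucket) -> user -> number of failed attempts
    buckets = defaultdict(lambda: defaultdict(int))
    for when, src, user, result in events:
        if result != "FAIL":
            continue
        bucket = int(when.timestamp()) // (window_minutes * 60)
        buckets[(src, bucket)][user] += 1

    verdicts = {}
    for (src, _bucket), per_user in buckets.items():
        distinct = len(per_user)
        if distinct >= min_accounts and max(per_user.values()) <= max_per_account:
            verdicts[src] = "password_spray"   # many accounts, few tries each
        elif distinct == 1 and sum(per_user.values()) >= brute_threshold:
            verdicts[src] = "brute_force"      # one account, many tries
    return verdicts


def summarize(log_text):
    return classify(parse(log_text))


def successes_from_flagged_sources(log_text):
    """The actionable result: accounts that a flagged source managed to log into."""
    events = parse(log_text)
    verdicts = classify(events)
    return [(src, user) for _, src, user, result in events
            if result == "SUCCESS" and src in verdicts]


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    print("likely compromised:", successes_from_flagged_sources(SAMPLE_LOG))
```

Real sprays are slower than this sample and rotate source addresses to stay under lockout thresholds, so in practice the same grouping is also run per user agent or ASN and over longer windows; the success-after-spray signal is what should page someone.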
Implement Zero Trust everywhere
Microsoft is moving towards a hybrid way of working and, to support it, towards a zero trust network design: one that assumes the network has already been compromised, that it extends beyond the corporate firewall, and that accounts for BYOD devices used at home for work or at work for personal communications.
But how do you get more organizations to activate MFA in core business products from Microsoft, Google, Oracle, SAP, and other critical software vendors?
For companies wishing to enable MFA, Bret Arsenault recommends targeting high-risk accounts first and aiming for progress rather than perfection. The biggest problem is legacy apps, and the pursuit of perfection risks getting bogged down.
“Everyone has old apps that can’t support modern authentication, like biometrics, so I think what a lot of people can and should do is take a risk-based approach: you need to set up MFA for high-risk / high-value groups like admins, HR, the legal group and so on first, and then move on to all users. It can be a multi-year project, depending on how quickly you want to do something,” he explains.
Then there is the difficult question of SolarWinds and how Microsoft, which has a $10 billion cybersecurity business, was hit by Russian government hackers. In February, Microsoft reported that the incident had caused it minimal harm, but that it had nonetheless been compromised. Microsoft President Brad Smith called the hack a “watershed moment” because customers, including Microsoft itself, can no longer take on trust the software they get from vendors heretofore considered reliable.
“Certainly we used the SolarWinds software in our environment, identified and corrected the affected versions and publicly announced that it had been accessed. We continue to change the way we run supply chain programs and the way we assess what’s in the supply chain and how quickly we can do those things, ”says Bret Arsenault.
According to the CISO, Microsoft had seen the supply chain threat coming for a long time. “You see a lot of people doing things to protect their front doors, but their exit doors are wide open,” he says.
“The part that we saw coming is that the supply chain is the weak point. You have limited visibility into your suppliers. I think the executive order of US President Joe Biden will help in this area. But, coming back to the way we think about suppliers, we need a way to get that visibility in a scalable way.”
“I want to take the concept of Zero Trust for information workers and apply it to the software supply chain, that is, every line of code that has been written comes from a proven identity on a healthy device,” he adds.