Well, we’ve survived a year in a pandemic and we’ve had to adapt the way we work in significant ways. At the same time, the bad guys have become more savvy and have adapted their tools to do us harm. So, the challenge for organizations in 2021 is twofold: First, employees, partners and customers need the flexibility to work from anywhere, using whatever tools are necessary to get things done. But just as important is an increased level of security, particularly as many now rely on resources that may or may not be housed behind our own strong network firewalls.
That’s why Zero Trust, the security strategy that combines maximum flexibility with maximum security, is critical when it comes to Identity and Access Management (IAM). (My colleague Dan Callahan has written several posts on Zero Trust strategy. This one provides a good jumping-off point.) At their annual Ignite conference this week, Microsoft pointed out the ways Zero Trust serves IAM well. They also emphasized that implementing Zero Trust should be simple for IT staff and seamless for end users.
Pssst! What’s the password?
Well, if Microsoft has their way, you will no longer need passwords at all. They just achieved a major milestone in their goal to have all users and organizations forego passwords altogether: Their “passwordless” solution is now generally available to the public. Organizations can now begin to roll out passwordless authentication across their hybrid environments. (There are already more than 200 million passwordless users since the initial public preview in 2019.) According to Microsoft, “Users get a familiar, simple to use authentication experience that offers industry best security and works across an increasingly broad set of devices and services.”
In addition to increased security and simplicity for users and admins alike, they’ve also simplified the rollout with expanded policies defining which authentication methods specific users or groups can use. And there are also new reporting capabilities, so admins can see the usage and adoption of authentication methods across their organization. To help you simplify and secure remote access, they’ve released the preview of Temporary Access Pass in Azure AD, which is a time-limited code used to set up and recover a passwordless credential.
Treat your guests like they’re one of your own
Organizations are collaborating and connecting with more external users than ever before in our new hybrid work environment. A strong Zero Trust approach requires that requests for access from these external users (customers, partners, and vendors) are treated the same as those from employees: Verify every request, and allow access to only the data they need and only when they need it. With Microsoft Azure AD, you can apply consistent access policies to all external users.
Microsoft is introducing Azure AD External Identities, generally available starting this month. This is a set of capabilities specifically for securing and managing identity and access for customers and partners. And with automated guest access reviews for Microsoft Teams and Microsoft 365 groups, Azure AD will prompt you to review and update access permissions for guests on a regular schedule. Now it will be much harder to neglect removing access to sensitive resources that your guest users no longer need.
Coming soon: Decentralizing identity
In another push to enhance Zero Trust, Microsoft also announced this week that Azure AD verifiable credentials will be entering the preview phase very soon for developers. (Watch the video from Microsoft Ignite here.) The idea of decentralized, verified credentials is groundbreaking. The value to individuals is obvious: they get to control their own identifiable information and personal data, managing it and allowing or restricting access to it themselves.
But organizations benefit as well: Verifiable credentials will allow organizations to confirm information about someone (e.g., their education and professional certifications, ID badges, or government-issued documents) without having to actually store any of that data. Clearly, this alleviates the inherent risk of having an individual’s private information compromised through a security breach. Because the digital information is verified by a known party, it is more trustworthy, and the verification process will take only minutes instead of days or weeks. For the security of both employees AND organizations, this is nothing short of a win-win.
The new features announced at Microsoft Ignite this week are promising, and should go a long way in strengthening your organization’s defenses.