With cybercriminals hellbent on stealing passwords and compromising credentials, identity has become the new cybersecurity battleground, with Microsoft reporting more than 111 million password attacks a day.
The Redmond, Wash. tech giant’s analysis of identity attacks doesn’t stop there, as the company says password breach replay attacks grew to 5.8 billion per month in 2022, while phishing attacks rose to 31 million per month. Password spray attacks, meanwhile, continued to climb to 5 million per month.
Since 2018, each of those attack categories has increased sharply, with password spray attacks alone up 1,329%, according to Microsoft's internal logs.
The company used that information in a blog post about five identity priorities for the new year: using a "defense in depth" approach; modernizing identity security; configuring identity and network access solutions to work together; simplifying and automating identity governance; and verifying remote users more efficiently and securely.
Defense in depth
According to the blog from Joy Chik, Microsoft’s president of identity and network access, organizations should use a “defense in depth” approach that requires more than just protecting user accounts and includes protecting every layer of the identity ecosystem.
A defense in depth approach, as Chik describes it, covers three layers: security posture management; real-time protection and remediation; and identity threat detection and investigation.
The first step towards a defense in depth approach is turning on multifactor authentication (MFA), which is included in Azure AD and Microsoft Entra, Microsoft's identity security solution. According to Chik, 99.9% of compromised accounts didn't use MFA. Other steps include moving to phishing-resistant MFA methods such as Windows Hello, FIDO2 security keys, passkeys and certificate-based authentication. Also recommended is blocking legacy authentication protocols, which cannot enforce MFA and are therefore a favored path for password spray and breach replay attempts.
Modernize identity security
Rather than sticking with familiar legacy technologies, organizations should migrate to new cloud-native identity solutions that are better able to respond to modern threats and rapid changes to products, services and business processes.
To start, Chik recommends migrating off of Active Directory Federation Services (AD FS) to simplify environments and retire on-premises servers. Then, connect pre-integrated applications to Azure AD to gain advantages like single sign-on. Lastly, inventory the security environment and consolidate redundant tools to reduce management burden and apply subscription savings to other areas.
Configure identity and network access solutions to work together
Chik also urges organizations to integrate tools that have historically operated in silos, such as network access solutions and identity solutions.
“Applying a Zero Trust approach means explicitly verifying every access request using every available signal,” Chik writes. “You can get the most detailed picture of session risk by combining everything the network access solution knows about the network and device with everything the identity solution knows about the user session.”
Simplify and automate identity governance
To protect against both external and internal threats, Chik says organizations should keep tabs on who has access to what in order to reduce internal risk. Pitching Microsoft Entra Identity Governance, Chik says the solution can help organizations comply with regulations and increase productivity through real-time, self-service and workflow-based entitlements.
“It extends capabilities already available in Azure AD by adding Lifecycle Workflows, separation of duties, and cloud provisioning to on-premises apps,” Chik writes. “Because it’s cloud-delivered, Microsoft Entra Identity Governance scales to complex cloud and hybrid environments, unlike traditional on-premises identity governance point solutions.”
More efficient verification of remote users
Lastly, Chik says advancements in identity solutions can help organizations save time and resources when verifying documents to prove the identity of someone applying for a job, loan, citizenship and more.
Manually collecting and storing that information creates more risk for the organization and its customers, she says, pitching Microsoft Entra Verified ID as a solution.
“Verifiable credentials introduce the concept of a per-claim trust authority. The trust authority populates a credential with a claim about you that you can store digitally,” Chik writes. “For example, a loan officer can confirm your current employment by requesting digital credentials issued by your employer and verifying them in real time.”
Read Microsoft’s blog to learn more about Microsoft Entra and the company’s other identity solutions.