The number of data breaches involving stolen or weak passwords has gone from 50% to 81% during the past three years.*
This alarming trend clearly illustrates that securing access based on passwords alone is not enough.
Sue Bohn is a Partner Director of Program Management in the Identity Division at Microsoft. She leads the Identity Customer and Partner Success Team, which drives deep engineering relationships with customers and partners.
Sue has spent twenty-five years in various marketing, evangelism, and engineering roles across the Developer, Business Solutions, Windows, and Cloud + AI divisions in Microsoft.
Our Head of Security and Mobility, Mathew Richards, recently sat down with Sue to talk about how deploying conditional access and multi-factor authentication (MFA) can seriously boost security in your organisation.
Mat Richards: Hi Sue, thanks so much for joining us today. Can I start by asking you about your experience with the development of conditional access and multi-factor authentication (MFA) from Microsoft?
Sue Bohn: Thanks Mat. So, I work in the Identity division here at Microsoft. We are responsible for several commercial products including Azure AD and Azure AD B2C, on-premises products such as Active Directory and Microsoft Identity Manager, and our consumer-facing Microsoft Account identity services for services like Outlook.com and Xbox Live.
Within the Azure AD cloud service, we’ve built a number of security features including Azure MFA, conditional access and Identity Protection.
MR: It’s a simple question, but one that some of our clients may still want to know – what exactly is conditional access?
SB: To start, conditional access is Microsoft’s name for what the industry refers to as adaptive authentication. Historically, we always had to rely on MFA for strong authentication, so we see adaptive authentication as the next stage in maturity for intelligent identity-driven security. We haven’t abandoned MFA by any means, but we’ve made it more user-friendly and created more ways to manage risk.
Imagine a common scenario where users move through their working week and they trigger different login or access scenarios to their systems – whether it’s accessing different apps, using different devices or working from different places – conditional access ensures that you’re able to continuously verify and re-verify access.
Since a user’s login situation is evaluated each and every time, the feature reduces the overall number of prompts they receive on a daily basis. That’s a good thing for two reasons:
MR: Can you elaborate on some of the typical conditions and controls that are available with the conditional access capability?
SB: In its briefest form, controls and conditions in conditional access work together to form a set of ‘if/then’ statements that are evaluated during the authentication process. The ‘if’ part refers to the conditions and the ‘then’ part is the controls.
For conditions, there are a few main scenarios:
For controls, there are a number of options based on your risk tolerance. You can approve and allow access, you can challenge the user to provide more information with a multi-factor authentication (MFA) prompt, you could allow some form of limited access, or, finally, you could just flat out block them.
To provide some context on what it allows companies to do, our customer, Korn Ferry, who use conditional access to ensure that data is retrieved only by users, devices, and apps that meet access requirements, told us they really liked the fact that they can treat their employees that work outside the office more strictly than those inside. They didn’t feel like they had to make a choice between mobility and security – they could have both.
MR: What do you see as the most common (typical) conditional access scenarios that most organisations will be using?
SB: When you think of it in technical terms, there are probably three main scenarios an organisation should look to set up first.
The first scenario is simply to control secure access across multiple devices, especially useful for organisations with a bring your own device (BYOD) policy or organisations that want seamless B2B partner access. In these cases, when a user is trying to access sensitive data from an unknown mobile device, your organisation can use conditional access to stipulate an MFA prompt that bolsters security. This is perfect if you want to promote enterprise mobility without putting your security at risk.
Scenario two is granting access to a distributed workforce. In this instance, organisations want to control access based on where the user is logging in from – are they on the corporate network or logging in from an unfamiliar location? Are there suspicious geographical locations you want to block, or is the user logging in from the UK and then 10 minutes later logging in from China? Again, you can set up the location conditions on your system and stipulate what access controls you want to put in place.
This scenario is used at George Washington University, where they use micro location/geographical conditions to manage students’ access to both digital assets and physical buildings. For example, if a student logged in from one specific campus and then two minutes later tried to enter a residence hall at another campus, the University is able to detect this and challenge that action.
And then finally, the third scenario is for handling risky users and risky sign-ins using a combination of Azure AD Conditional Access and Azure AD Identity Protection. We know that about 80% of all attacks come from compromised credentials, so it’s super important to help customers with that challenge.
When Microsoft learns of customer credentials that we know have been compromised, we immediately issue a high-risk event and move the user to High Risk. If you have an Azure AD Identity Protection user risk policy, such users will be forced to remediate themselves through a secured (MFA challenged) password reset. This automatically closes the risk (user and sign-in) without your IT admin having to do anything. This also brings down your help desk cost since the users automatically remediate themselves.
Similarly, IT admins can define the end user experience around risky sign-ins (e.g. sign-ins from unfamiliar locations or Anonymous IPs). IT admins can choose to allow, block or MFA challenge such risky sign-ins. This can be done in conjunction with Azure AD Conditional Access where sign-in risk (from Azure AD Identity Protection) just becomes one of the conditions within conditional access, allowing IT admins to have even more granular risk-based policies.
MR: You’ve mentioned MFA a lot – is this the most important tool to put in place to boost security in your organisation? If I was the CISO for a large organisation, what should I be asking my IT department to switch on tomorrow?
SB: We know that basically if you use MFA, you can prevent 99.9% of all credential attacks and, as I mentioned earlier, that is the predominant type of attack that we see. It’s relatively straightforward to put in place and control through conditional access, so one of the first things you should do is turn on MFA for all your IT admins.
It’s also worth mentioning the risks posed from legacy authentication, the original form of authentication used by apps like:
So, for example, if you’re using Exchange, that means your authentication goes back to Exchange, whereas in contrast, modern authentication (MA) is actually performed against the identity provider – in this case, that would be Azure AD.
Password spray attacks (which involve an attacker ‘spraying’ forced password breaches across thousands of accounts) are particularly focused on legacy authentication protocols and our intelligence clearly shows us that bad actors are exploiting the hole in legacy authentication, so we strongly advise this is one of the first things you block through conditional access.
MR: What are the top tips or tricks that may be useful for any organisation currently in the middle of deployment or considering deployment for either conditional access or MFA?
SB: I’d say the most important tips are:
I’d also strongly recommend reading our recent whitepapers on Azure AD data security.
MR: We know it’s an essential thing for vendors to constantly stay ahead of the game when it comes to cyber security. We see Microsoft doing that a lot, which is great…
Are you able to share any nuggets on the roadmap for where conditional access and MFA are evolving?
SB: Sure. Well, first off, I really appreciate the compliment that you feel we’re producing a lot of value. At Microsoft we always say that we feel like we’re on a moving walkway because you don’t always feel like you’re moving fast enough, but then when you scan off to the distance, you realise you’re moving pretty fast – there’s always more code to write, I guess.
In the long-term it’s really important to us that security doesn’t come at the cost of mobility or usability – in fact, we want, as much as possible, for security tools to be invisible. In the short term there are three categories of work that we’re investing in:
To address this, we have delivered support for hardware OATH tokens for Azure MFA, currently in public preview. This will deliver the end user a temporary authentication code that they can use on an additional device or terminal. Users can now have up to five devices in any combination of hardware or software-based OATH tokens and the Microsoft Authenticator app. This way we can enable strong authentication from anywhere, from any device.
MR: Sue, thanks so much for talking to us about conditional access and how organisations can combine it with MFA to provide an immediate security boost. It’s also great to see the roadmap you are putting in place to keep us secure in the future.
* Citing the 2017 Verizon Data Breach Investigations Report (DBIR)