All right. Hey, I'm Alex Weinert. I'm the VP of Identity Security at Microsoft and I'm going to talk today about sort of a trusted version. And we're going to go all over the place and talk about lots of things that are happening in the world. And one of the things I want to really anchor on is the fact that, in a lot of ways, the systems that we have used in the past to defend us are exactly the systems that attackers are going after now. And we have to kind of think differently about how we defend ourselves.
So this is a picture on the day that I'm recording this. This is a picture from 27 years ago exactly. 27 years ago, I started at Microsoft. And it's an interesting story as to how I started at Microsoft, because I was a hacker. And I was up really late one night working on a college project. And I got curious about some Microsoft source code, so I actually did an FTP port scan and found an open port, and then once I was in the network, I was in and I had access to all kinds of source. This was back in 1994.
And then I got curious. I was doing some research on this newfangled World Wide Web thing and I got curious about that. So I did a port scan for port 8080. And I found a little web server, which turns out to have been running under the desk of a person who later became a friend of mine. They were doing some experiments on the web and, sort of unbeknownst to the corporate IT folks, had managed to punch a hole out in the MSN team.
Now what's interesting about this is that it sort of illustrates a bunch of things about zero trust. Like the model that we had back then was, well, if you're on the corporate network, you must be, like, sitting in an office in a building that we own. You must be in a situation where we know that device and you're a good person. But of course, even then, the idea that somebody being on my network, you know, inferred that I was a good actor was not really a valid assumption.
So if we fast forward many years later, we're talking about zero trust and writing papers around zero trust, and you can find them at the link there. The principles here are pretty straightforward, right? It's like: don't assume that your network is the safe one, don't assume that you're in any safer environment than you would be if that request was coming from somewhere else. So verify explicitly. Always use least privileged access, and be ready for attacks if they come.
And this is good guidance and it remains strong guidance. And we built some architectural guidance here as well. And really, the idea here is that if you care about an asset, if you care about that resource, then you never want to let a request get to that resource except that you have verified who it's coming from, the device that's coming from, all the things about the context of that request. And then you're asserting your less privileged access policy informed by risk, informed by governance.
And you can read all about that stuff there, and I'm going to say, if you look at this and you'd say, all right, this big fancy zero trust architecture, what should I go do? The fact is that for most people, and I'll show you this in a minute, if you haven't done MFA yet, you haven't really started. Multifactor auth is sort of the number one thing that we would look to you to say: am I dealing with the right actor? Do I have a strong credential sitting behind that actor?
So we can see this for users statistically; it's like provable. Multifactor auth is the most basic effective defense you can possibly have. If we look at an actor that is, or usually is, using MFA, they are about 2 and 1/2 times safer than one who is using it when there's risk, and they are over 20 times safer than folks who are not doing MFA at all. So again, if you're not using MFA, the likelihood of compromise is about 20x higher than for people who are doing MFA.
So I think everybody would get that. Like, there should be no surprises here that MFA is the thing that you need to do. That we all understand that passwords alone are not enough, and that there are all kinds of different ways to intercept passwords and compromise them. And we'll talk about some of that in a minute.
When we look at this over time, we've been driving this message, driving this message, driving this message. How do we get MFA adoption up? So we started tracking MFA usage. And this is really looking at whether I have a user who presents a strong auth claim. They could be doing that because they have on-prem MFA. They could be doing it because they've misconfigured ADFS. We're very generous in this description.
Our denominator here is every active user in a month. Our numerator is the active users who carry an MFA claim at any time in that month. So it's not every session, it's any session.
And that number, when we started measuring it in 2017, was only about one half a percent. By 2018, through a bunch of publicity campaigns and such, we got it up to about 1 and 1/2%. And now we're up to a whopping 26%.
So 26% of users are now presenting an MFA claim at least once a month. It's huge progress. It's also totally inadequate progress when you think about the fact that we've been deploying MFA systems broadly. For example, in consumers, since 2012, the fact that it