How Microsoft Does Security in 2022
Microsoft announced a variety of security products at its Ignite conference this week, but one of the things that stood out was their firm belief that the way you run your security operations is as important as the products you run.
Microsoft Chief Information Security Officer Bret Arsenault was emphatic as he described Microsoft's own security environment and its approach to managing security for itself and its customers. He said the company resolves an enormous 20 billion security events per day.
"Users are both my first line and my last line of defense," Arsenault said, and noted that Microsoft has 125,000 employees plus 70,000 "badged" partners. He emphasized the tremendous challenge of managing such a large and diverse environment, which includes 32 versions of its operating systems in use, 500,000 Linux environments, the 2nd largest Macintosh installed base anywhere (Apple is first), and the "N+1" next version of Windows. He said his primary goal is to protect the company, not to use Microsoft products.
Arsenault spent a lot of time on "opportunity and risk," and explained how always-on access, massive data sets, cloud-based storage, and modern engineering create many opportunities and significant security challenges. For instance, data sovereignty is a major issue, because the company has 596 locations, and Arsenault must consider data that may transcend borders. He said that money derived from cybercrime has surpassed that made in the illegal drug trade. He is also worried about the supply chain and any company's ability to protect it.
Arsenault noted the shift to cloud computing means that while network security remains important, it is not sufficient, and said that "identity is the new perimeter."
Arsenault shared his own leadership principles, saying it is important to have simplified goals. His three main points: a leader needs to create clarity, generate energy, and deliver success. On clarity, he said it is important to "put down the engineering pencil and pick up a crayon," in other words, to make things simple for end users. Arsenault emphasized that it's important not to confuse a message that works for an engineering population with what works for the general user base.
To that end, he described his strategy as a three-legged stool: identity management, data and telemetry, and device health.
In other words, Arsenault said, to connect to any of the services, you need a strong identity, one verified by multi-factor authentication. If you have great identity, he still needs to ensure that the device you are connecting from is secure. With 20 billion events a day, he needs great data telemetry to track systems, improve them, and protect them.
Moving from the general to the more granular, Arsenault said that he had identified five major pillars or principles as areas for investment this year (risk management, identity management, device health, data and telemetry, and information protection), and within these pillars he focuses on 27 core services. He also listed eleven "epics," essentially short-term projects lasting 18-24 months, that will be completed, will fail, or will become future core services. He has a relatively small team of nine or ten people who look at emerging technology to see what can help the company with its security needs. Microsoft had 80 security vendors when he took over the CISO role eight years ago, Arsenault added.
One key initiative over the past few years has been moving workloads to Azure. Arsenault said the company has moved 95 percent of its workloads. In terms of process, the first thing to do is consider applications and decide if they still need them; of about 2,000 line-of-business applications, Arsenault said Microsoft found it could simply eliminate 30 percent. The next thing to do is find applications that could be converted to a Software-as-a-Service solution; this worked for about 15 percent of Microsoft's applications. For those that remained, the next step was to virtualize all of the applications and take new or simple applications and move them to Platform-as-a-Service, doing a "lift and shift" to Infrastructure-as-a-Service offerings for most of the others.
In this process, more applications moved to the cloud than he would have thought (including Microsoft's SAP system), and he suggested that companies should move to PaaS earlier than they might have planned.
It's important to keep moving during such an effort, Arsenault said, and to keep creating energy around the project, as projects often stop progressing about halfway through. People will frequently use the 5 percent of workloads that won't move to the cloud as an excuse not to do the other 95 percent, and he said you need to create a sense of urgency to make the move happen (such as setting a date for closing a data center).
One thing his team created was a DevOps Toolkit for Azure designed to monitor 250 controls on various applications to ensure everything is working. Arsenault said his group has made this available via open source, and believes these principles for enterprise management will be built into Azure in about 18 months.
Arsenault focused part of his talk on securing administrators, who typically have the most access to a system. He talked about reducing the number of standing admins; using a separate identity system to give them fewer privileges; and having them perform security tasks only on a "secure admin workstation," which he described as a "super secure device" with a special image that flattens and rebuilds the machine frequently, and which is created using a secure supply chain. These machines only run site code and are highly locked down, with whitelists to decide to what and where they can connect. For connections to other services, administrators can connect to virtual machines.
Arsenault also talked about the importance of eliminating passwords. He has been using the company's Authenticator app for quite some time, and said it's important to not "let the perfect be the enemy of the good." This is really about eliminating prompting, he said, and while users of this app don't see passwords, they are still there under the surface (although in a few years, they may be replaced with certificates instead). He suggested that security professionals inside companies stop talking about MFA and instead start talking about eliminating passwords, the goal being to see this not as an extra layer, but rather as something that eases access for users.
What really stood out for me in Arsenault's talk was that most of his ideas (simplifying your tools, moving what makes sense to the cloud, focusing on identity, controlling administrative accounts, moving beyond traditional passwords) aren't new, or even controversial. The biggest challenge, instead, seems to be actually getting these things implemented in ways that don't interfere with the rest of your IT footprint, and which are acceptable, or even preferable, to your end users. In a world with more security threats than ever, it's crucial to keep moving forward.
Source: https://sea.pcmag.com/feature/29627/how-microsoft-does-security-in-2019
Posted by: menendezupong1962.blogspot.com
