Interview At Microsoft's recent Ignite event in Atlanta, The Reg sat down with Brad Anderson, Corporate Vice President of Enterprise Client and Mobility.
Brad Anderson is a Microsoft veteran who oversees how Windows and mobile devices are managed in business. A decade ago it was simple: firewall-protected network, Windows PCs, and System Center, Microsoft's suite of IT administration tools, managing those PCs through mechanisms like Group Policy, which lets you set PC configuration centrally and have it enforced on all PCs in the organisation.
Things look different today. "Now I have got my cloud services outside of the perimeter and that network-based perimeter is no longer effective," says Anderson.
Microsoft is pursuing an alternative idea, which it calls identity-based security. This is based on Azure Active Directory (AAD), as used by Office 365. Businesses using Active Directory on-premises can set up synchronisation with AAD using various tools.
"All of our cloud services build on top of Azure Active Directory for authentication and access," says Anderson. "We do more than 45 billion authentications every month through AAD, which is largely driven by usage of Office 365.
"What we have been building is this concept of what we call the Microsoft security graph. With these cloud services, there are signals or telemetry that come back, that allow us to see what is working, what is not working, what is being used. We have taken all that signal and we call that the intelligent security graph.
"We know that more than 75 per cent of breaches come from compromised user credentials. So one of the core things that organisations have to do is to ensure that when someone presents a set of credentials they actually are who they say they are.
"We now have the ability to assess risk based upon a whole list of factors. So we can take a look at the user's identity, the device they are working on, the app that they are using on the device. We can also take a look at telemetry coming in from our partner ecosystem. You can now build a conditional access policy that says when you will allow access based upon all those risk factors.
"If we think that there is something suspicious we can automatically pop up a multi-factor authentication challenge which then blocks any attacks that are coming in through compromised user credentials."
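The conditional access policy Anderson describes is, in essence, a decision function over sign-in signals. The following is an added illustration, not Microsoft's or Azure AD's code: it scores one sign-in on the four factor groups named above (user identity, device, app, partner telemetry) and returns allow, require-MFA or block, together with the signals that fired so the decision can be audited. Every field name, weight, threshold and application name is constructed for the example; the hard "block" tier for very high scores goes beyond the text, which only mentions the MFA challenge.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    REQUIRE_MFA = "require_mfa"
    BLOCK = "block"


@dataclass(frozen=True)
class SignIn:
    """Signals gathered for one sign-in attempt (field names are constructed)."""
    user: str
    app: str
    device_managed: bool        # device enrolled and compliant with policy
    device_os_current: bool     # OS patch level within the allowed window
    new_location: bool          # network/country not previously seen for this user
    impossible_travel: bool     # two sign-ins too far apart for the time elapsed
    leaked_credential: bool     # credential reported as exposed by a partner feed
    partner_threat_score: int   # 0-100 risk rating from a partner telemetry feed


# Constructed weights: how much each signal contributes to the risk score.
SIGNAL_WEIGHTS = {
    "unmanaged_device": 25,
    "outdated_os": 10,
    "new_location": 20,
    "impossible_travel": 40,
    "leaked_credential": 50,
}

# Constructed list of applications that always require a second factor.
SENSITIVE_APPS = {"finance-portal", "hr-records"}

MFA_THRESHOLD = 30     # at or above this score, challenge for a second factor
BLOCK_THRESHOLD = 80   # at or above this score, refuse the sign-in outright


def risk_signals(s: SignIn) -> list:
    """Return the names of the risk signals that fired for this sign-in."""
    fired = []
    if not s.device_managed:
        fired.append("unmanaged_device")
    if not s.device_os_current:
        fired.append("outdated_os")
    if s.new_location:
        fired.append("new_location")
    if s.impossible_travel:
        fired.append("impossible_travel")
    if s.leaked_credential:
        fired.append("leaked_credential")
    return fired


def risk_score(s: SignIn) -> int:
    """Combine first-party signals with partner telemetry, capped at 100."""
    score = sum(SIGNAL_WEIGHTS[name] for name in risk_signals(s))
    # The partner feed contributes up to half of its own 0-100 rating.
    score += max(0, min(s.partner_threat_score, 100)) // 2
    return min(score, 100)


def evaluate(s: SignIn) -> tuple:
    """Apply the conditional access policy; returns (decision, reasons)."""
    reasons = risk_signals(s)
    if s.partner_threat_score > 0:
        reasons.append(f"partner_threat_score={s.partner_threat_score}")
    score = risk_score(s)
    if score >= BLOCK_THRESHOLD:
        return Decision.BLOCK, reasons
    if score >= MFA_THRESHOLD:
        return Decision.REQUIRE_MFA, reasons
    # Sensitive applications get a second factor even when nothing looks wrong.
    if s.app in SENSITIVE_APPS:
        return Decision.REQUIRE_MFA, reasons + ["sensitive_app"]
    return Decision.ALLOW, reasons


if __name__ == "__main__":
    # Constructed sample sign-ins: routine, slightly unusual, clearly hostile, sensitive app.
    samples = [
        SignIn("alice", "mail", True, True, False, False, False, 0),
        SignIn("alice", "mail", True, True, True, False, False, 20),
        SignIn("bob", "mail", False, True, False, True, True, 0),
        SignIn("carol", "finance-portal", True, True, False, False, False, 0),
    ]
    for s in samples:
        decision, why = evaluate(s)
        print(f"{s.user:6} {s.app:15} score={risk_score(s):3} -> {decision.value:12} {why}")
```

Returning the list of fired signals alongside the decision matters as much as the decision itself: when an MFA challenge or a block is later questioned, the audit record shows exactly which factors (device state, location anomaly, partner feed) drove it, and the weights can be tuned against real sign-in history rather than guessed.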
A feature of Microsoft's Enterprise Mobility Suite, called Azure AD Application Proxy, lets businesses use this same mechanism for on-premises web applications, while still having them authenticate using Active Directory. A partnership with Ping Identity announced in September 2016 further extends the range of legacy applications that can be covered.