In my last post, Microsoft security: Azure solutions, I indicated I would follow Microsoft Secure's website as a guideline structure, so I will move on to review the first section, Microsoft Secure: Identity.
From my point of view:
There's no such thing as absolute security, there are only highly complex layers of discouragement.
Given an infinite amount of time, money, tenacity, and resources, just about anything can be hacked. Wikipedia keeps an interesting list, comprised primarily of North American companies that have suffered data breaches, exhibiting how commonplace they are. Hence, it only makes sense for me to start with the first line of defense, identity access management.
So, what is identity access management?
A grossly oversimplified definition would be: a framework for handling digital identities – whether they are for physical users, applications, or network resources – and their access to digital assets. Why is this relevant? Data and apps are moving to the cloud at an accelerated pace, as per Forbes' illustration below, so now more than ever careful consideration should be given to identity access management. The primary object of the exercise is to minimize the exposed attack surface regardless of where the data resides: on-premises or in the cloud.
There are many commercial identity solutions; some of the better-known market offerings are Oracle IdM, Dell Identity Manager, CA Identity Suite, and VMware Workspace One. I will focus on the solution I'm familiar with, Microsoft Identity and Access Management, or IAM.
Firstly, it's worth pointing out the position Microsoft occupies on Gartner's Magic Quadrant for Access Management, as per the illustration below. Given this privileged spot, coupled with the fact that Microsoft's IAM integrates seamlessly with Office 365, Active Directory Service (on-premises)/Azure Active Directory, and extends protection to BYODs (bring your own devices), it's self-evident that Microsoft offers the most comprehensive one-stop-shop solution in the market.
The subject of Identity Access is vast and my blog would be endless if I didn't focus, so allow me to expand on and interpret Microsoft Identity's page.
Approaches and tools to set up a robust MFA implementation
We've already defined identity access management and its purpose, so now let's elaborate on recommended approaches and tools to set up a robust MFA implementation:
Multi-Factor Authentication (MFA) such as PINs & biometric security protocols:
These are methods above and beyond traditional passwords that greatly enhance security. Once a user is challenged for a password, and even if the password provided is correct, a second authentication request can be sent to a predetermined device requiring a fingerprint or an iris scan. This adds a critical protection layer to the authentication process that is highly unlikely to be hacked. Azure Multi-Factor Authentication benefits are fast to reap: it's easy to use and simple to set up, it can hyper-scale since it resides on Microsoft's cloud infrastructure, it provides the highest-strength industry authentication, and it's backed by a 99.9% SLA. Gone are the days of sourcing, setting up, distributing, and supporting token-generating keychains and their corresponding infrastructure vulnerable to man-in-the-middle attacks.
Simplified access to devices and apps
Enterprises can leverage Windows 10 Hello for Business to require end-users to use PINs and biometrics as opposed to traditional passwords. Passwords are tied to an account and can be used to access resources from anywhere, unless, for example, Azure Active Directory conditional access is properly configured and implemented. Windows 10 Hello PINs, on the other hand, are credentials that are tied to a device (Windows Hello for Business); in other words, even if the end-user's PIN was compromised, the unauthorized user would also have to possess the device where the PIN was created to gain access to secured network resources. PINs are backed by a hardware chip (Trusted Platform Module or TPM) that performs physical security procedures to make PINs tamper resistant; many laptops ship with TPMs. Also, PINs can be as complex as a password, combining alphanumeric characters as per the organization's IT policies.
I strongly recommend that readers occasionally visit Microsoft's Intelligence Report website and download the latest report. It's a window to the latest threat trends by category, encounter rates, exploits, and ransomware, which has had a new-found following since NotPetya, WannaCry, and Locky.
I hope this article provided value and additional resources to your collection; the next topic we'll be reviewing is threat protection, which is equally fascinating.
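A device-side check of the points above, added here as an example and not taken from the original post or from Microsoft: it reads the TPM state with Get-Tpm and the Windows Hello for Business policy values, so an administrator can confirm that the PIN on a given Windows 10 machine is actually hardware-bound and policy-enforced. The PassportForWork registry layout and the meaning of its Enabled, RequireSecurityDevice and MinimumPINLength values are assumed from the policy settings; run it in an elevated PowerShell session.

```powershell
# Added example (not from the post): report whether this device can enforce a
# TPM-backed Windows Hello for Business PIN and which PIN policy applies.
# Assumptions: Get-Tpm (TrustedPlatformModule module) is available, and the
# policy lives under HKLM\SOFTWARE\Policies\Microsoft\PassportForWork.

$report = [ordered]@{}

# TPM status; Get-Tpm needs administrator rights, so failures are recorded, not hidden.
try {
    $tpm = Get-Tpm -ErrorAction Stop
    $report.TpmPresent = [bool]$tpm.TpmPresent
    $report.TpmReady   = [bool]$tpm.TpmReady
} catch {
    $report.TpmPresent = $false
    $report.TpmReady   = $false
    $report.TpmError   = $_.Exception.Message
}

# Windows Hello for Business policy values (assumed registry layout).
$policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'
$whfb = Get-ItemProperty -Path $policyPath -ErrorAction SilentlyContinue
$report.WhfbEnabled = ($whfb.Enabled -eq 1)               # 1 = use WHfB instead of passwords
$report.RequireTpm  = ($whfb.RequireSecurityDevice -eq 1) # 1 = refuse software-only keys

# PIN complexity policy; only the minimum length is interpreted here,
# the per-character-class codes are reported raw for the administrator to read.
$pin = Get-ItemProperty -Path "$policyPath\PINComplexity" -ErrorAction SilentlyContinue
$report.MinPinLength = if ($pin.MinimumPINLength) { $pin.MinimumPINLength } else { 'not configured' }
$report.PinPolicyRaw = if ($pin) {
    ($pin.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
} else { 'not configured' }

# Verdict: the "PIN is useless without the device" property only holds when a
# ready TPM exists AND policy forbids falling back to software-protected keys.
$report.HardwareBoundPin = $report.TpmReady -and $report.WhfbEnabled -and $report.RequireTpm

[pscustomobject]$report | Format-List
```

A result of HardwareBoundPin = False on a machine with a ready TPM usually means RequireSecurityDevice is not set, so the key may be software-protected and the device-binding argument above does not apply.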
Thank you for your time, best regards.
List of hacked government agencies grows: State Department, White House, NOAA & USPS (Computer World)
List of data breaches (Wikipedia)
Roundup Of Cloud Computing Forecasts, 2017 (Forbes)
RSA SecurID (Wikipedia)
Why a PIN is better than a password (Microsoft)
The top 10 worst ransomware attacks of 2017, so far (TechRepublic)