Identity = Security + Productivity + Batman
I have a cool job. It’s hard to think of one that could be more fun. I get to work on the amazing (if insanely busy) team responsible for protecting four billion consumer and enterprise accounts from unauthorized access and fraud. Each day, our machine learning and heuristic systems provide risk scores for 18 billion login attempts for over 800 million distinct accounts, 30 million of which are discernibly done by adversaries (criminal actors, hackers).
It’s cool being on the front lines, and the icing is that I get to talk to brilliant people all over the world who are in the fight with us. When I talk to CISOs and CTOs and their staff about the scope of cybercrime, everybody wants to appear confident and competent, but nearly everyone is just freaking out. Hard to blame them—it’s a cacophony of issues: news reports of accounts hacked by the hundreds of millions, the near impossibility of finding qualified staff, every vendor in the world showing another solution, while security blogs and research articles show all the cases where solutions have failed us. And ultimately, it’s their jobs on the line if anything goes sideways.
I have so much respect for these folks—the CISO, the CTOs, the SOC staff. They’re all like Batman—fighting a never-ending crime wave and a never-ending cast of villains—only without the mask, cape, infinite budget or plot armor. The only thing they do get is the guarantee of another episode, week after week. I understand account security deeply. It’s what I do. It’s all I do. These folks must do this also, plus wrangle budgets, and understand their company’s actual business and politics, and understand enough about competing approaches to make sound decisions about what to do!
In many organizations, there’s a compounding tension between the security folks (MAKE EVERYONE WEAR TIN FOIL HATS!) and the operations staff (PLEASE DON’T MAKE ME EXPLAIN HELPDESK BUDGET INCREASES AGAIN!). It’s the same old story—security versus usability. IT folks argue for user simplicity, and security folks try to ensure protection of the crown jewels. To improve one, you have to harm the other. But that’s a false economy.
When I took on account security for Microsoft’s consumer identity system, I quickly came to understand that security creates usability, and vice versa. For example, have you ever pulled cash out at your home bank with the friendly teller nearby and the security dude standing there? How about in a really sketchy dive bar with a couple of thugs looking like extras from the Mos Eisley Cantina watching your back? Which scenario makes you focus more on the task at hand? Feeling safe makes us more productive. If you feel like you need to juggle your pepper spray, have 911 on the ready and keep your head on a swivel, you aren’t going to have an easy time putting in your PIN.
In consumer identity, good security measures decrease user attrition, increase user engagement and reduce costs. Good security stays out of the way of good users—or even helps them—while increasing confidence and productivity. Risk-based security challenges, security notifications, prevention of use of easily guessed passwords, activity pages, fraud reduction, phish intercept, malware detonation—all these security practices have direct benefits for our customers. We benefit from increased acquisition due to an improved reputation and decreased attrition due to fewer hacked accounts, more confidence and easier recovery.
As a security-conscious identity professional, you want to help your organization be more secure. Everyone else—users, executives, IT folks, helpdesk—wants productivity, productivity, productivity. But the kick is that identity is like super healthy candy. Or pizza that works out for you. Or tequila that hydrates you and gets you to your flight on time. You get the idea. It’s the rare technology that radically enhances both security and productivity, not just one or the other. And as an identity professional (or superhero, let’s be honest), you have superpowers at your disposal.
| Superpower | Productivity increase | Security increase |
| --- | --- | --- |
| Single sign-on | Wow, one login for all my apps! | Wow, no more account sharing, multiple accounts written down, departmental account leaks or failure to remove credentials. |
| Provisioning/de-provisioning | I can do my job because I have access to my apps from day one! | No ad hoc provisioning resulting in loads of unused entitlements, entitlement sharing or over-permissioning. |
| Self-service password reset | I can get right back into my account and get back to work! | No ad hoc helpdesk processes, unpredictable social vectors or passwords known to phone support. |
These are just a few of many examples where we see both productivity and security rise with good identity management. Together as an industry, we’re innovating hard in FIDO and blockchain and more to develop password-less identity systems, doubling down on machine learning defense systems, participating in standards-based intelligence sharing to protect all of our users, and continuously simplifying these experiences to make them more approachable. Your superpowers will keep growing!
I do identity security. And if you’re doing identity right, you’re doing security too. I look forward to seeing all of you at Identiverse 2018! In the meantime, stay safe out there, superhero.
By Alex Weinert
General Manager Identity Security and Protection, Microsoft