Digital Transformation Strategy, Issue 12, 2021/07/15


Microsoft's chief information security officer (CISO), Bret Arsenault, has worked at Microsoft for 31 years, and he says he has been publicly applauded by his colleagues only once in that time: when he scrapped Microsoft's internal policy requiring passwords to be changed every 71 days.


"That's the first time I've been applauded as a security person and executive," Arsenault tells ZDNet. "We said we're turning off password rotation within Microsoft, because we had eliminated that part of it."


As Microsoft's CISO, Arsenault is responsible for protecting both Microsoft products and its internal networks used by its 160,000 employees. After adding vendors into the mix, he's responsible for about 240,000 accounts globally. And getting rid of passwords and replacing them with better options like multi-factor authentication (MFA) is high on his to-do list.


Microsoft updated its password policy in stages. In January 2019, it moved to one-year expiry, using telemetry to validate the effectiveness of the change. In January 2020, based on those results, it moved to unlimited expiry.


In 2019, Microsoft also stopped recommending that customers implement a 60-day password expiration policy, because people tend to make small alterations to existing passwords or forget good new ones.


For Arsenault, rather than make the conversation about putting MFA everywhere, he framed the change as being about eliminating passwords.


"Because nobody likes passwords. You hate them, users hate them, IT departments hate them. The only people who like passwords are criminals – they love them," he says.


"I remember we had a motto to get MFA everywhere; in hindsight, that was the right security goal but the wrong approach. Make this about the user outcome, so transition to 'we want to eliminate passwords'. But the words you use matter. It turned out that simple language shift changed the culture and the view of what we were trying to accomplish. More importantly, it changed our design and what we built, like Windows Hello for Business," he says.


"If I eliminate passwords and use any form of biometrics, it's much faster and the experience is so much better."


On Windows 10 PCs, that biometric security experience is handled by Windows Hello. On iOS and Android, access to Office apps is done through Microsoft Authenticator, which provides a smooth experience when logging into Microsoft Office apps. It taps into biometrics available on iPhones and Android phones.


"Today, 99.9% of our users don't enter passwords in their environment. That said – progress over perfection – there are still legacy apps that will still prompt [for a password]," he says.


However, that's not the end of the battle. Just 18% of Microsoft's customers have enabled MFA.


This figure seems absurdly low given that enabling MFA is free for Microsoft customers, yet, as ransomware shows, there can be multi-million dollar consequences when just one key internal account is compromised.

Protecting accounts with MFA won't stop attackers completely, but it does make their lives harder by shielding an organization from the inherent weaknesses of usernames and passwords, which can be phished or compromised through password-spraying attacks.


The latter technique, which relies on password re-use, was one way the SolarWinds attackers breached targets besides breaking into the firm's software build systems to spread a tainted software update.
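Password spraying is the pattern MFA is meant to blunt, and it is also one a defender can spot in authentication telemetry: one source tries a few common passwords against many accounts, so each account sees only one or two failures (staying under lockout thresholds) while the source accumulates failures across the user base. The following is an added example, not code from the article or from Microsoft; the log format, thresholds and sample lines are constructed for illustration.

```python
"""Flag password-spraying sources in a simple authentication log.

Added example (not from the article).  A spray looks different from a
brute-force attack on one account: many distinct usernames, few failures
per username, all from one source inside a short window.  Sources flagged
here, and any account that later succeeded from them, are the ones a
defender would reset and move to the front of the MFA enforcement queue.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real telemetry): timestamp result user source_ip
SAMPLE_LOG = """\
2021-07-15T09:00:01Z FAIL alice 203.0.113.7
2021-07-15T09:00:03Z FAIL bob 203.0.113.7
2021-07-15T09:00:05Z FAIL carol 203.0.113.7
2021-07-15T09:00:07Z FAIL dave 203.0.113.7
2021-07-15T09:00:09Z FAIL erin 203.0.113.7
2021-07-15T09:00:11Z FAIL frank 203.0.113.7
2021-07-15T09:00:13Z SUCCESS grace 203.0.113.7
2021-07-15T09:01:00Z FAIL alice 198.51.100.2
2021-07-15T09:01:05Z FAIL alice 198.51.100.2
2021-07-15T09:01:10Z FAIL alice 198.51.100.2
2021-07-15T09:01:15Z SUCCESS alice 198.51.100.2
2021-07-15T09:02:00Z SUCCESS heidi 192.0.2.9
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, result, user, source)."""
    ts, result, user, src = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), result, user, src


def detect_spray(log_text, window=timedelta(minutes=10), min_users=5, max_fail_per_user=2):
    """Return {source_ip: sorted usernames} for every source that, within
    `window`, failed against at least `min_users` distinct accounts while
    never exceeding `max_fail_per_user` failures on any single account.
    A source hammering one account (classic brute force) is NOT reported."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, result, user, src = parse_line(line)
        if result == "FAIL":
            failures[src].append((ts, user))

    findings = defaultdict(set)
    for src, fails in failures.items():
        fails.sort()
        start = 0
        # Slide a time window over this source's failures, oldest to newest.
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            counts = defaultdict(int)
            for _, user in fails[start:end + 1]:
                counts[user] += 1
            if len(counts) >= min_users and max(counts.values()) <= max_fail_per_user:
                findings[src].update(counts)
    return {src: sorted(users) for src, users in findings.items()}


def successes_from_spray_sources(log_text, findings):
    """Accounts that authenticated successfully from a flagged source:
    likely valid credentials found by the spray, so reset them first."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, result, user, src = parse_line(line)
        if result == "SUCCESS" and src in findings:
            hits.append(user)
    return hits


if __name__ == "__main__":
    found = detect_spray(SAMPLE_LOG)
    for src, users in found.items():
        print(f"spray source {src}: {len(users)} accounts targeted: {', '.join(users)}")
    print("accounts to reset:", successes_from_spray_sources(SAMPLE_LOG, found))
```

In the constructed sample, 203.0.113.7 is reported (six accounts, one failure each, then a success for `grace`), while 198.51.100.2, which fails three times against `alice` alone, is not, because it is a single-account attack rather than a spray. The thresholds are deliberately parameters: tune `min_users` and `window` to the size of the directory, and treat a success from a flagged source as the higher-priority alert.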


Microsoft is moving towards a hybrid mode of work and, to support that shift, it's making a push towards a Zero Trust network design, which assumes the network has already been breached, that the network extends beyond the corporate firewall, and that it must cater to bring-your-own devices (BYOD) that could be used at home for work or at work for personal communications.


But how do we get more organizations to enable MFA in critical enterprise products from Microsoft, Google, Oracle, SAP and other crucial software vendors?


For organizations looking to enable MFA, Arsenault recommends targeting high-risk accounts first and aiming for progress rather than perfection. The biggest problem is legacy applications, but seeking perfection risks getting bogged down.


"Everyone has brownfield apps that can't support modern authentication, such as biometrics, and so I think what a lot of people should and need to do is take a risk-based approach: first get MFA enforced for high-risk/value groups like admins, HR, legal group and so on, and then move to all users. It can be a multi-year journey, depending on how quickly you want to do something," he says.


Then there's the difficult question about SolarWinds and how Microsoft, which has a $10 billion cybersecurity business, got caught out by Russian government hackers. Microsoft in February claimed it was only minimally harmed by the incident, but it was nonetheless breached. Microsoft president Brad Smith called the hack a "moment of reckoning" because customers, including Microsoft itself, can no longer trust the software they get from trusted vendors.


"Certainly, we used SolarWinds Software in our environment and we identified and remediated the impacted versions and we've been public about that there was access. We continue to modify how we do supply chain programs and how we evaluate what's in supply chain and how quickly we can go do those things," says Arsenault.


According to Arsenault, Microsoft had seen the supply chain threat coming for a long time.


"You see a lot of people doing stuff to protect their front doors, but then their backdoors are wide open," he says.

"The part we've seen coming along is that the supply chain is the weak point, right. You have limited visibility into your suppliers. I think [US president Joe Biden's] executive order will help in this space. But getting to the view of how we think about suppliers, we need a way to get that visibility in a scalable way.


"I want to take the Zero Trust concept for information workers and apply that to the software supply chain, which is no line of code that was ever written wasn't from an attested identity, from a healthy device," he says.