A world with no passwords

2. A world with no passwords Biju Mathew Principal Service Engineering Manager DSRE – Identity Security Operations THR2355R

3. 94,000,000 1,000,000,000 70,000,000 77,000,000 198,000,000 200,000,000 20,000,000 2,400,000 500,000,000 76,000,000 24,000,000 26,500,000 Brief history of breaches 117,000,000 145,000,000 35,000,000 68,700,000 143,000,000 32,000,000 76,000,000 130,000,000 4,300,00 4,000,000 412,000,000 85,200,000 43,500,000 32,000,000 65,000,000 28,000,000 160,000,000 36,000,000 25,000,000 1,370,000,000 49,611,709 40,000,000 80,000,000 100,544,934 50,000,000 50,000,000 55,000,000 77,000,000 1,000,000,000 70,000,000 92,000,000 198,000,000 200,000,000 3

4. Security world view Opportunities Risks Globalization can lead to“digital xenophobia” More lucrative targets give rise to more dangerous threat actors More surface area for attacks/exposure to harm, including supply chain The client-to-cloud world requires a control shift (Identity is the new perimeter) Globalization: more markets, customers, and business potential Always-on access provides more productivity Ability to analyze massive datasets at scale and speed Scalable, cloud based storage:efficient, cost effective, and secure Modern engineering: allows for more agility in building capabilities, features, and in responding to threats 4

5. IdentityManagement Risk Management Device Health Data and Telemetry Information Protection FY19 Digital security strategy FY19 Digital security strategy 11 EPICS All internet facing interfaces are compliant Tier1 Critical Services are Resilient Eliminate passwords through multi-factor authentication Protect the Administrators Simplify provisioning, entitlements, and access management Evolve endpoint protection Only allow access from healthy devices Detect threats through user behavior anomalies All Microsoft data is Classified, Labeled and Protected Security focus Balancing information protection, device health, identity management, and data telemetry with risk management as a foundation. Information Protection Information Protection Evolve cloud security capabilities and operations across the enterprise Evolve phishing protection Device Health Data & Telemetry 5 INVESTMENT PILLARS Identity Management 27 SERVICES Business response and crisis management Compliance Enterprise business continuity management Enterprise Security Governance LOB security assurance Red Team Penetration Testing Risk management office Security incident Response Supply chain security assurance Insider threat Administrator role services Authentication Certificate management Credential management Provisioning, entitlement management, and synchronization Endpoint Protection SAW HRE Vulnerability management Security Intelligence Platform Security monitoring Threat intelligence Data loss prevention COLLABORATIVE SERVICES: Emerging technology standards Security education and awareness Security Technology Evaluations Special Purpose Security Tools Engineering Venture integration security assurance 5

6. Why identity is important? of breaches involve credential theft of employees use non-approved apps for work of people re-use passwordsacross multiple accounts 81% 73% 80% of breaches are caused by credential theft of employees use non-approved apps for work of passwords are duplicates

7. Increasing complexity The past Current reality Network Identity Network Access Edge Basic Management Identity Network Access Edge Basic Management Endpoint Data Application Service Identity

8. Identity is the new perimeter Key investment areas Protect customers andservices from malicious useof elevated privileges Eliminate passwords through multi-factor authentication Simplify provisioning, entitlements, and access management Protect the admins Eliminate passwords Simplify provisioning

9. Protecting our administrators Secure device Protectedadmin Isolated identity Non-persistent access + + = JIT More secure elevated privileges (admin) SAW Max Elevation Time: 8 hours Elevate Accessing critical resources only from a Secure Device While logging in with an isolated smartcard based ALT Account Only when performing non-standard user duties, non persistently, through Elevation

10. Eliminate passwords “One of the biggest security issues is passwords.” ~ Satya Nadella Through strong and Multi-factor Authentication (MFA) Windows Hello for Business – Available on all Windows 10 Machines TODAY with improvements coming in RS4 and RS5 Microsoft Authenticator – Available TODAY across all mobile platforms, integral in corporate bootstrapping of MFA Biometric on Device + FIDO 2.0 Devices – Enabling ultimate flexibility for users and increase security across all forms of Identity and Auth (Coming soon) Microsoft Authenticator Approach to a password-less world Today Device + Biometric Achievesecurity promise Achieveend-user promise Enabling WH4B + Microsoft Authenticator Windows 10 (RS4) Feature Updates MFA + SSO for LOB Applications Removing Legacy/non-MFA Authentication Flows Windows 10 (RS5) Feature Updates Enforcing Modern Auth without Password

11. Leveraging Azure Password Protection • Leverage the power of the Azure cloud by enforcing a “banned password list” on premises • As users are trying to change their passwords, they get blocked from using easily guessable passwords, (like Password1) • This increases security for the IT Admin, and decreases cost for security incident responders

12. Please evaluate this sessionYour feedback is important to us! Please evaluate this session through MyEvaluations on the mobile appor website. Download the app:https://aka.ms/ignite.mobileApp Go to the website: https://myignite.techcommunity.microsoft.com/evaluations

13. Microsoft Core Services Engineering & Operations (CSEO) Find us in the Immersion Zone and at Expo Theater #5 Meet the IT pros who power and digitally transform the Microsoft enterprise

14. IT Showcase Learn how our IT pros are digitally transforming the Microsoft enterprise -white papers-technical case studies-articles-webinars-blog microsoft.com/itshowcase