Hey, everyone. Thank you for joining my session today where I'll be discussing Identity Beyond Borders. So really we'll be talking about the evolution of identity and what that means for us as protectors.
My name is Shinesa Cambric, and I'm a product manager leading a team that's focused around building protection and detection for emerging identity concepts at Microsoft. And when I say emerging identity concepts, I mean things like non-human identity and decentralized identity, and even external identities like B2C and B2B scenarios.
My background is primarily as a security practitioner and I've been around long enough to have seen the transition of identity from being something that's an afterthought to now being a primary thought. And the goal of today's presentation is to take that a step further from being reactive with security around identity to being more proactive as we see digital identity evolve. So we'll talk through evolving identity, how we should be thinking about that, and then we'll take a look at a couple of features to protect this evolution of identity.
Please stay towards the end for any questions. I'll hang around for Q&A. Thank you.
In a 2022 Identity Defined Security Alliance survey, they identified that 98% of organizations said they'd had a tremendous increase in identities in their environment. These increases were being driven primarily by three things: the adoption of more cloud applications, which means more APIs connecting in and out of a system, an increase in third-party providers, so thinking about things like managed service providers, cloud solution providers, and also a spike in machine identities such as bots and IoT devices. And these things highlight the importance and the impact of how digital identity is evolving. It's no longer just about human identities. Now we have this concept of the identity of things. So APIs, bots, smart devices, autonomous devices, and even business identity.
And with these changes-- with this evolution, attacks are also evolving. Salt Security Research found that there had been a 200% increase in attacks against APIs in 2020. And just recently on Twitter, a cybersecurity researcher found that there was a drone-based attack being conducted against a financial institution and they were able to find this based on an anomalous device that was located on their network.
So again, we have to start thinking about this as who or what is on the other side of a connection versus a human identity. And then when we start thinking about the concept of an identity supply chain, what really is that? What makes up an identity supply chain?
So a portion of this to me is your infrastructure. So your identity providers, which could be a SaaS solution. It could be something that's on prem. It could be something else that's in the cloud. Then you have integration with APIs. So who are you connected to, who's connected to you?
And then what are the identities accessing your environment? So this includes devices, partners, suppliers, and employees. And then thinking beyond that, we need to consider third, fourth, and fifth party vendors and suppliers. So what are those indirect connections to your environment?
At Microsoft, we've found that attackers are now taking advantage of those trust relationships. So thinking about six degrees of separation, they'll start at one end in order to get to somebody else that's towards another end. So attacks may be through you, they could be to you. And so that's why it's important to understand what are the components within that identity supply chain.
Another thing that we've seen an increase of is attacks that are using small and medium-sized businesses. So again, if you're thinking you're connected to large partners with very strong security posture, who are they connected to and who are they connected to? Because we've seen that 70% of small businesses are completely unprepared for a cyber attack and history shows that we can't afford to assume that the people that you're connected to, the entities that you're connected to, have a strong security posture. We need to abide by the tenets of never trust, always verify, and then again, thinking through attacks may be coming to you or through you.
So with this context, and as protectors, over the years I've been asked about a few principles that may help with addressing security and identity. And it's easy to make this complex with technical jargon and a list of security controls. But what I found that works is that the same wisdom that my parents and grandparents have shared with me about life in general also applies to cybersecurity.
So there are three simple tenets that we'll discuss. You are the company you keep, don't accept wooden nickels, and DDDT, which is don't do dumb things. So let's dive into a few of those.
So in this first principle, you are the company you keep, this really boils down to you and your reputation are impacted by those you're connected to. So a few minutes ago, we talked about the abuse of trust, and third, fourth, and fifth party partners, and what their security posture may mean to your security posture. It's important to know which identities exist in your environment, what's their purpose, and then making sure you have visibility to what they're doing.
But then not only concerning yourself about your environment, but your partner's environments and the strength of their security. Because essentially, their security posture is your security posture. Again, attackers may be coming to you or they may be coming through you.
So our next principle of don't accept wooden nickels really translates to abide by zero trust. We want to verify identity every time, using strong authentication and policies that help us to enforce just-in-time and just-enough access. We want to make sure we're reducing the footprint of what an identity has access to at any given point in time, and that we know