      Identity Versus Security

      New Signature Blog
      February 5, 2019 | January 28, 2019 | Reed Wiedower

      For folks in the security space, time moves slowly. Many of us who have been in the industry for years learned the old-fashioned way that no system is perfect, and that at best, any security measure merely delays the point at which an attacker can gain access. Techniques honed over years to deal with physical defenses (walls, doors, locks) were ported into the digital world of keys, hashes and certificates. Even then, it was broadly understood that having physical access to a device ultimately meant it could be compromised, and that security through obscurity was to be avoided.

      In the past few years, however, many “traditional” pieces of security guidance have grown obsolete, or worse, counter-productive to their original intent. Most of these pieces of guidance grew out of early digital technologies (passwords, anti-virus signatures, monitoring systems) that transformed the way security was performed, and thus are tough to dislodge from a customer’s mindset. Many of them share a common thread: greater complexity.

      Let’s use the oldest example: account lockouts. As soon as folks created digital identity systems, other folks realized they could attempt to guess usernames and passwords to break into them. The solution from three decades ago was two-fold: a limit on the number of bad passwords that could be attempted before the account was “locked”, and a period of time before the account itself unlocked. Even better, folks added an expiration policy to passwords to ensure that a compromised password didn’t exist forever. Over time, customers who wanted “greater security” would tend to lower the number of bad password attempts, or lengthen the time until accounts were unlocked, and always shrink the password expiration policy. These systems began to break down around twenty years ago, as many of the identity systems began to connect to the internet. In an isolated environment, a malicious actor had to have access to the network, and was therefore attempting to steal a specific individual’s password. Once connected to the internet, the threat migrated from folks trying to steal information to simply locking out *every* account in an environment and shutting all access down. These denial-of-service attacks forced the large identity providers to change their position: instead of lockout policies, Microsoft (and others) moved to a “monitor and mitigate” framework. If a malicious actor was attempting to brute-force usernames and passwords, and a certain number of failures occurred, an email could alert an administrator to look into the matter and block the offending IP address from reaching the network. This, then, was the state of security guidance in place fifteen years ago.
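The difference between the two policies, as an added example that is not part of the original post: a constructed sign-in log is replayed under a per-account lockout and under a per-source "monitor and mitigate" rule. The thresholds, user names and documentation-range IP addresses are assumptions, and time windows and unlock timers are left out to keep the comparison short.

```python
from collections import Counter

LOCKOUT_THRESHOLD = 3     # assumed: bad passwords before an account locks
SOURCE_THRESHOLD = 5      # assumed: failures from one IP before alert and block
USERS = ["alice", "bob", "carol", "dave", "erin"]   # constructed accounts
NOISY_IP = "203.0.113.7"                            # documentation range

def build_events():
    """Constructed log of (source_ip, user, password_ok) in arrival order."""
    bad = [(NOISY_IP, user, False) for _ in range(3) for user in USERS]
    staff = [(f"198.51.100.{10 + i}", user, True) for i, user in enumerate(USERS)]
    return bad + staff

def lockout_policy(events):
    """Per-account lockout: returns (locked accounts, owners turned away)."""
    failures, locked, turned_away = Counter(), set(), set()
    for _ip, user, password_ok in events:
        if user in locked:
            if password_ok:            # correct password, still refused
                turned_away.add(user)
        elif password_ok:
            failures[user] = 0
        else:
            failures[user] += 1
            if failures[user] >= LOCKOUT_THRESHOLD:
                locked.add(user)
    return locked, turned_away

def monitor_and_mitigate(events):
    """Per-source counting: returns (blocked IPs, alerts, signed-in users, dropped)."""
    failures, blocked, alerts, signed_in, dropped = Counter(), set(), [], set(), 0
    for ip, user, password_ok in events:
        if ip in blocked:
            dropped += 1               # request never reaches the identity system
        elif password_ok:
            signed_in.add(user)
        else:
            failures[ip] += 1
            if failures[ip] >= SOURCE_THRESHOLD:
                blocked.add(ip)        # the alert stands in for the e-mail to an administrator
                alerts.append(f"{ip}: {failures[ip]} failed sign-ins, source blocked")
    return blocked, alerts, signed_in, dropped

if __name__ == "__main__":
    log = build_events()
    print("lockout:", lockout_policy(log))
    print("monitor and mitigate:", monitor_and_mitigate(log))
```

Under the lockout policy every account ends up locked and every owner is refused despite a correct password; under the per-source rule one alert is raised, the noisy source is cut off, and all five owners sign in.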

      Today, I continue to run into customers (and, more ominously, auditors) who insist a “lockout policy” is a best practice for security. Yet implementing one would actually increase the risk of a DoS or DDoS attack on one’s organization. Education is the key here: by spreading information to all the stakeholders over time (and yes, it’s been 15 years, so it’s a slow process!) we will hopefully get to a point where lockout policies, and even passwords themselves, are viewed as ancient history.

      Yet some of the examples today aren’t a matter of education, but of changing the very worldview security practitioners espouse. A classic example of this is highly privileged accounts. In the past, the recommendation for accounts that had powerful rights and permissions assigned to them was to create a completely independent account on your identity system (e.g. in Active Directory, if one’s account was john.doe@contoso.com, the privileged account might be adm-john.doe@contoso.com) to ensure that regular day-to-day activities weren’t being performed by an account that could accidentally bring the entire network down. As identity systems matured, these privileged accounts could be further restricted so that, instead of always having every permission needed, one had to go through an approval process (in the Microsoft cloud this function is called Privileged Identity Management (PIM)) to gain rights. This further lowered the chance that a malicious actor, or sheer accident, could cripple a company. So far, so good… but wait.

      At the same time as identity services were increasing in power, advances in identification on the device level began to remove the need for folks to use passwords – with Windows Hello, for instance, one could log into a laptop with one’s face, or a short PIN that was tied to the device itself. Once logged into the machine, every action taken referenced the identity used earlier, eliminating password prompts and additional friction from the experience. Over time, it’s clear, folks will begin to move to a passwordless experience on their devices, which will eliminate the weakest link in the security chain: passwords. Even better: advanced identity systems could begin to look at patterns of behavior and suggest when folks weren’t acting normally. Logging in from Russia? Travelling between NYC and Washington DC in ten minutes? Accessing data from a known bad network? All of these scenarios can now be identified by modern identity systems and secured, whether passwords are in the mix or not. And yet! Once folks move to a single device model, with passwordless options (whether using biometrics, or a phone device, or a physical USB key, or a PIN) abounding, the separation of accounts becomes… challenging. Without passwords, how would one “credential up” to a highly privileged account? If identity systems are looking for aberrant behavior – what does having two (or more!) accounts look like?
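The "NYC to Washington DC in ten minutes" check above can be expressed as an implied-speed test between consecutive sign-ins. This is an added example, not code from the original post or from any identity product; the sign-in records, the speed threshold and the minimum distance are constructed assumptions.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 900.0   # assumed ceiling, roughly airliner cruise speed
MIN_DISTANCE_KM = 50.0      # assumed: ignore small moves caused by geo-IP noise

# Constructed sign-ins: (user, ISO timestamp, city, latitude, longitude)
SIGN_INS = [
    ("john.doe", "2019-01-28T09:00:00", "New York", 40.7128, -74.0060),
    ("john.doe", "2019-01-28T09:10:00", "Washington DC", 38.9072, -77.0369),
    ("jane.roe", "2019-01-28T09:00:00", "New York", 40.7128, -74.0060),
    ("jane.roe", "2019-01-28T13:00:00", "Washington DC", 38.9072, -77.0369),
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points on a 6371 km sphere."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def impossible_travel(sign_ins, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (user, from_city, to_city, km, implied_kmh) for implausible hops."""
    findings, previous = [], {}
    for user, stamp, city, lat, lon in sorted(sign_ins, key=lambda e: (e[0], e[1])):
        when = datetime.fromisoformat(stamp)
        if user in previous:
            p_when, p_city, p_lat, p_lon = previous[user]
            km = haversine_km(p_lat, p_lon, lat, lon)
            hours = (when - p_when).total_seconds() / 3600
            if km >= MIN_DISTANCE_KM:
                # Zero elapsed time between distant places is treated as infinite speed.
                kmh = float("inf") if hours == 0 else km / hours
                if kmh > max_kmh:
                    findings.append((user, p_city, city, round(km), kmh))
        previous[user] = (when, city, lat, lon)
    return findings

if __name__ == "__main__":
    for finding in impossible_travel(SIGN_INS):
        print(finding)
```

The same trip taken over four hours (the second constructed user) is not flagged, which is the behaviour a reviewer tuning the threshold would want to confirm first.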

      The answer, as you may have guessed, is to ultimately eliminate using multiple accounts and to go back to a single account per person. I can envision folks reading this and saying “well, that’s silly, we will never do that… it is obviously insecure!” But just as some folks needed to realize that a four-digit PIN, tied to a device, is more secure than a 12-digit password, used everywhere, having two accounts to perform tasks, rather than a single account per person with lots of layered protections, ultimately makes less security sense. The good news is that through technologies such as PIM, we can prevent a “regular” user account from ever accidentally making an irreversible change. And beyond identity protection, we can also be much more granular with role-based access control to shrink the total number of privileged accounts needed in the first place. In general, a decrease in complexity tends to lead to both a more secure system overall and one that breaks in a way that can be understood (and fixed) more quickly.

      This is only one example, but it drives home the point that there are many traditional security practices that in the modern world need to be updated. NIST has acknowledged that no one should use password expiration policies. Microsoft has lobbied against account lockouts. It’s only a matter of time before dual account use is seen as an unnecessary complexity that doesn’t move the security needle forward. Even standards used to protect desktops that lived in a single area, often insecure, are woefully different from the computers we stick in our pockets each day that every year accumulate more computing power. If a device is never truly off my person – perhaps that’s the greatest security benefit of all!
