微软:我们为什么要永远消灭密码

来源:ZDNet    2021-06-17 19:22:25

关键字: 多因素认证 MFA 密码 微软

微软的首席信息安全官(CISO)Bret Arsenault在微软工作了31年,他说他在公司里只有一次得到同事的公开喝彩:那次是废掉了微软每71天必须更换密码的内部政策。

微软的首席信息安全官(CISO)Bret Arsenault在微软工作了31年,他说他在公司里只有一次得到同事的公开喝彩:那次是废掉了微软每71天必须更换密码的内部政策。

"That's the first time I've been applauded as a security person and executive," Arsenault tells ZDNet. "We said we're turning off password rotation within Microsoft, because we had eliminated that part of it."

Arsenault告诉记者,“那次是我第一次作为安全人员和高管被喝彩。当时我们说在微软内部不再需要轮换密码,因为我们已经取消了这个做法。”

As Microsoft's CISO, Arsenault is responsible for protecting both Microsoft products and its internal networks used by its 160,000 employees. After adding vendors into the mix, he's responsible for about 240,000 accounts globally. And getting rid of passwords and replacing them with better options like multi-factor authentication (MFA) is high on his to-do list.

Arsenault作为微软的首席信息官负责保护微软的产品和旗下16万名员工使用的内部网络。他要负责连同供应商在内的全球大约24万个账户。在他的待办事项清单上的重要项目里,扔掉密码、用多因素认证(MFA)等更好的选择来取代密码的项目排在头几位。

Microsoft updated its password policy in stages. In January 2019, it moved to one-year expiry, using telemetry to validate effectiveness. In January, 2020 it moved to unlimited expiry based on the results.

微软分阶段更新了旗下的密码政策。2019年1月时,密码一年过期,利用遥测技术验证密码有效性。2020年1月时,根据有关结果转为密码无限期有效。

Microsoft also stopped recommending to customers to implement a 60-day password expiration policy in 2019 because people tend to make small alterations to existing passwords or forget new good ones.

微软还曾在2019年停止向客户推荐实施60天的密码过期政策,因为用户即便改密码也往往只会对现有的密码进行小的改动,或是忘记新的更好的密码。

For Arsenault, rather than make the conversation about putting MFA everywhere, he framed the change as being about eliminating passwords.

Arsenault没有把这次谈话内容定格在将MFA推广到各个地方使用,而是将这种改变看成是消除密码的契机。

"Because nobody likes passwords. You hate them, users hate them, IT departments hate them. The only people who like passwords are criminals – they love them," he says.

Arsenault表示,“没有人喜欢密码。员工讨厌密码,用户讨厌密码,IT部门讨厌密码。唯一喜欢密码的人是犯罪分子,只有他们喜欢密码。”

"I remember we had a motto to get MFA everywhere, in hindsight that was the right security goal but the wrong approach. Make this about the user outcome, so transition to "we want to eliminate passwords". But the words you use matter. It turned out that simple language shift changed the culture and the view of what we were trying to accomplish. More importantly, it changed our design and what we built, like Windows Hello for business," he says.

Arsenault表示,“开始我们有一个座右铭,就是让每个地方都使用MFA,事后来看,这个安全目标是对的,但方法错了。一定要从用户结果入手,所以改成‘我们要消灭密码’。最后的结果是简单的语言转变改变了我们的密码文化以及对于试图完成目标的看法。更重要的是,还改变了设计和产品,比如商用Windows Hello。”

"If I eliminate passwords and use any form of biometrics, it's much faster and the experience is so much better."

Arsenault表示,“如果取消了密码,使用生物识别技术等技术,会快得多,体验也好得多。”

On Windows 10 PCs, that biometric security experience is handled by Windows Hello. On iOS and Android, access to Office apps is done through Microsoft Authenticator, which provides a smooth experience when logging into Microsoft Office apps. It taps into biometrics available on iPhones and Android phones.

Windows 10电脑的这种生物识别安全体验由Windows Hello处理。而在iOS和安卓系统上,访问Office应用程序是通过Microsoft Authenticator(微软鉴证器)完成的,Microsoft Authenticator为登录Microsoft Office应用程序提供了流畅的体验,使用了iPhone和Android手机上的生物识别技术。

"Today, 99.9% of our users don't enter passwords in their environment. That said – progress over perfection – there are still legacy apps that will still prompt [for a password]," he says.

Arsenault表示,“时下99.9%的用户不用再输入密码。尽管如此,这只是第一步,还不够完美,还有一些传统应用程序仍然会提示输入密码。”

However, that's not the end of the battle. Just 18% of Microsoft's customers have enabled MFA.

然而,战斗还没有结束。只有18%的微软客户启用了MFA。

This figure seems absurdly low given that enabling MFA is free for Microsoft customers, yet as ransomware shows, there can be mult-imillion dollar consequences when just one key internal account is comprom启用MFA对微软客户来说是免费的,所以18%这个数字似乎低得离谱,而勒索软件显示,泄露一个关键的内部账户可能会有几百万美元的后果。

Protecting accounts with MFA won't stop attackers completely, but it does make their lives harder by shielding an organization from the inherent weaknesses in usernames and passwords to protect accounts, which can be phished or compromised through password-spraying attacks.

利用MFA保护账户不会完全挡住攻击者,但MFA确实会使加大攻击的难度,MFA使得一个组织免受用户名和密码固有弱点的影响,可以保护账户,利用钓鱼或快速猜测密码等手段则可以攻击账户导致安全泄露。

The latter technique, which relies on password re-use, was one way the SolarWinds attackers breached targets besides breaking into the firm's software build systems to spread a tainted software update.

快速猜测密码技术利用了密码重复使用的问题,SolarWinds攻击者黑进SolarWinds公司的软件构建系统,得以传播受污染的软件的更新入侵目标系统,也用到了这种技术。

Microsoft is moving towards a hybrid mode of work and, to support that shift, it's making a push towards a Zero Trust network design, which assumes the network has been breached, that the network extends beyond the corporate firewall, and caters to BYOD devices that could be used at home for work or at work for personal communications.

目前,微软正在转向混合工作模式,为了支持该转变,微软正在推动零信任网络设计的使用,零信任网络假定网络已经被入侵,网络延伸到了企业防火墙的外面并可以方便个人通信BYOD设备的使用,这解决了可能在家里用工作环境网络或在工作环境用家庭网络的问题。

But how do we get more organizations to enable MFA in critical enterprise products from Microsoft, Google, Oracle, SAP and other crucial software vendors?

但我们要如何才能在更多的组织中对微软、谷歌、甲骨文、SAP和其他关键软件供应商等众多关键企业产品上启用MFA呢?

For organizations looking to enable MFA, Arsenault recommends targeting high-risk accounts first and to work on progress rather than perfection. The biggest problem is legacy applications, but seeking perfection risks getting bogged down.

对于那些希望启用MFA的组织,Arsenault建议首先的目标是高风险账户,要努力取得进展,而不是追求完美。最大的问题是传统应用程序,但追求完美有可能陷入困境。

"Everyone has brownfield apps that can't support modern authentication, such as biometrics, and so I think what a lot of people should and need to do is take a risk-based approach: first get MFA enforced for high-risk/value groups like admins, HR, legal group and so on, and then move to all users. It can be a multi-year journey, depending how quickly you want to do something," he says.

Arsenault表示,“每个人都有些旧应用程序不能支持诸如生物识别技术的现代认证,因此我认为很多人应该而且需要做的是采取基于风险的方法:首先在高风险价值群体里实施MFA,例如管理员、人力资源、法律小组等群体,然后再转向所有用户。这可能是一个数年的旅程,这取决于想多快完成。”

Then there's the difficult question about SolarWinds and how Microsoft, which has a billion cybersecurity business, got caught out by Russian government hackers. Microsoft in February claimed it was only minimally harmed by the incident, but it was nonetheless breached. Microsoft president Brad Smith called the hack a "moment of reckoning" because customers, including Microsoft itself, can no longer trust the software they get from trusted vendors.

同时也有一个难题,SolarWinds以及俄罗斯政府黑客盯上了拥有100亿美元网络安全业务的微软。微软在2月份曾称在这次事件中只受到了很小的伤害,但却还是被入侵了。微软总裁Brad Smith称这次黑客攻击是个“认识真相的时刻”,包括微软在内的客户不能再信任从可信供应商那里得到的软件。

"Certainly, we used SolarWinds Software in our environment and we identified and remediated the impacted versions and we've been public about that there was access. We continue to modify how we do supply chain programs and how we evaluate what's in supply chain and how quickly we can go do those things," says Arsenault.

Arsenault表示,“当然,在我们的环境里使用SolarWinds软件,找到并修复了受影响的版本,并已经公开了有关的信息。通过也在继续修改供应链的计划以及如何评估供应链里的内容。”

According to Arsenault, Microsoft had seen the supply chain threat coming for a long time.

根据Arsenault表示,微软很早就看到供应链威胁的出现。

"You see a lot of people doing stuff to protect their front doors, but then their backdoors are wide open," he says.Arsenault表示,“大家看到很多人都在做保护自己的事情,但他们的后门却大开。”

"The part we've seen coming along is that the supply chain is the weak point, right. You have limited visibility into your suppliers. I think [US president Joe Biden's] executive order will help in this space. But getting to the view of how we think about suppliers, we need a way to get that visibility in a scalable way.

Arsenault称,“我们已经看到的部分,供应链是个薄弱环节。供应商的可见度有限。而美国总统乔-拜登的行政命令在这个领域将会有所帮助。但从供应商的角度而言,我们需要一种可扩展性的方法来提高这种可见度。”

"I want to take the Zero Trust concept for information workers and apply that to the software supply chain, which is no line of code that was ever written wasn't from an attested identity, from a healthy device," he says.

Arsenault表示,“微软想把信息工作者的零信任概念应用到软件供应链上,即是说,任何一行编写的代码无不来自经过认证的身份,无不来自健康的设备。”

    扫一扫

    分享文章到微信


    北京第二十六维信息技术有限公司(至顶网)版权所有. 京ICP备15039648号-7 京ICP证161336号京公网安备 11010802021500号
    举报电话:010-62641205-5060 举报邮箱:jubao@zhiding.cn 安全联盟认证