Microsoft's CISO discusses key principles of cybersecurity

Microsoft has over 6.5 trillion different security signals entering its ecosystem every day, so Microsoft knows a lot about keeping customer data safe, so what are the key security principles that guide us in today's evolving technology landscape?

Bret Arsenault, Vice President and Chief Information Security Officer, Microsoft

"Something has changed," said Bret Arsenault, Microsoft's vice president and chief information security officer. "It used to be great to have a network that managed everything within the perimeter. But today, in this client-to-cloud world, with the rapid growth of mobile devices, cloud services and the Internet of Things , that model no longer works."

So what works? In a recent interview, Arsenault discussed the development of security, key principles, and gaining customer trust.

Security built from the ground up

According to Arsenault, Microsoft did have a separate security division, but Microsoft changed its strategy and decided to build security into every product from scratch, making sure everything is security-centric. In fact, security should be fully embedded in the product, and it will appear as if the security component has disappeared.

"We thought the better way was to bake security into everything we do," Arsenault said. "Security is built into everything. So we took a step back and changed the way we look at security and made it easier for developers, end users and administrators to implement security, and it's just one component of the overall experience."

Making security part of the corporate culture and part of the product helps simplify the process of data protection and provides innovative methods. Arsenault said that abandoning passwords is actually a safer way in the long run, especially when people use biometric security modes (such as voice and fingerprint recognition) as passwords.

"The user experience is much better when using biometric mode. In biometric mode, disorder is more difficult, which makes it more difficult to hack. More importantly, this method is locally bound to the device and cannot be manipulated from elsewhere. I think this is a very important point that people misunderstand about biometric technology. Only when it is placed locally can this method really work."

It is also important to ensure that security is evolving as customer practices and issues change. Automation and diversification of data is critical to help understand customers and their behaviors. For example, authentication data should be mapped to email data, which is mapped to endpoint data, which is mapped to service data, and so on, Arsenault noted.

“For example, we update 1.2 billion devices every month, and we do 630 billion authentications every month. So the ability to correlate things in motion gives us a range of insights to protect in ways that we haven’t been able to before.”

Security is important, but building trust with customers is also essential—and it’s not easy to truly gain customer trust. Arsenault explained that transparency can help customers understand how their data is being used or at rest, which is key to helping them protect their data. Building a high level of trust helps maintain customer confidence, even when security issues arise.

“Little things add up, and that’s how you build trust. You should make sure you have strict operations and processes in place in this regard.”