UPDATED 20:00 EST / MARCH 28 2019


Microsoft’s chief information security officer lays out the cyber essentials

More than 6.5 trillion different security signals come into Microsoft’s ecosystem each day. As such, the technology giant knows a thing or two about keeping data safe for its customers. So what are the key security principles guiding today’s ever-evolving technology landscape?

“Things have changed,” said Bret Arsenault (pictured), corporate vice president and chief information security officer at Microsoft. “In this idea where there was this perimeter and you did manage everything through the network, that was great. But in a client-to-cloud world we have today — with mobile devices and proliferation of cloud services and [internet of things] — the model just doesn’t work anymore.”

So what does work? Arsenault went into some detail in a talk with John Furrier, host of theCUBE, SiliconANGLE Media’s mobile livestreaming studio, at theCUBE’s studio in Palo Alto, California. They discussed the ways security has evolved, key principles for security and building trust with clients. The full interview transcript is here.

Building security in from the ground up

Microsoft did have a security division at one point, but the company changed tactics to build security into its products from the ground up, according to Arsenault. That ensures that everything is security-focused all of the time. In fact, security should be embedded into a product so that the security component seems like it has disappeared altogether, he added.

“We really thought the better way to do it was make security baked into all the products that we do,” Arsenault said. “Everything has security baked in. So we stepped back and really changed the way we thought about it to make it easier for developers, for end users, for admins. It’s just a holistic part of the experience.”

Making security part of a company’s culture and of the products it makes helps simplify the process of protecting data. It also offers ways to innovate. For example, getting rid of passwords altogether is actually more secure in the long run when a person becomes the password by using a biometric security model (think voice and fingerprint recognition), according to Arsenault.

“When you do the biometric model … the user experience is so much better,” he said. “The entropy’s harder in the biometric, which makes it harder for people to break in. But also, more importantly, it’s bound locally to the device, so you can’t run it from somewhere else. And that’s the big thing that I think people misunderstand in that scenario, which is you have to be local to that to make it actually work.”

Making sure security can evolve with a customer’s practices and issues is also important. Automation and diversification of the data are incredibly important for understanding everything going on with customers and their actions. For example, authentication data should be mapped to email data, which should be mapped to endpoint data, which is then mapped to service data and the like, Arsenault pointed out.

“As an example, we update 1.2 billion devices every single month,” he said. “We do 630 billion authentications every single month. And so the ability to start correlating those things in movement gives us a set of insights to protect people like we never had before.”

While security is important, building trust with customers is undeniably essential as well — and real trust isn’t earned easily. Transparency helps customers understand how their data is used or not used, which is key in helping to protect them, Arsenault explained. Building a high level of trust can help maintain client confidence even if security does eventually get breached.

“You put … one drop of water in the bucket every time, and that’s how you build trust over time,” he said. “That’s where you make sure you have operational rigor and process around that.”


Photo: SiliconANGLE
