MJFChat: Why Identity Should Be Core to Your Security Strategy

We’re doing a twice-monthly interview show on Petri.com that is dedicated to covering topics of interest to our tech-professional audience. We have branded this show “MJFChat.”

In my role as Petri’s Community Magnate, I will be interviewing a variety of IT-savvy technology folks. Some of these will be Petri contributors; some will be tech-company employees; some will be IT pros. We will be tackling various subject areas in the form of 30-minute audio interviews. I will be asking the questions, the bulk of which we’re hoping will come from you, our Petri.com community of readers.

Readers can submit questions via Twitter, Instagram, Facebook and/or LinkedIn using the #AskMJF hashtag. Once the interviews are completed, we will post the audio and associated transcript in the forums for readers to digest at their leisure. (By the way, did you know MJFChats are now available in podcast form? Go here for MJF Chat on Spotify; here for Apple Podcasts on iTunes; and here for Google Play.)

Our latest MJFChat — and first of 2021 — is all about demystifying the hot topic of identity. My special guest is the Corporate Vice President of Identity at Microsoft, Joy Chik.

Joy and team are responsible for Active Directory, Azure Active Directory, Microsoft Account (MSA), Microsoft Graph, Identity Protection and Identity Management suites which are delivered to customers as cloud services or on-premises products. From her LinkedIn profile: “If you’re one of the 2B+ users of Office365, Skype, Outlook.com, Windows, Xbox, Surface, or Azure every month then you’re interacting with our platform.” Given how key these products are to the security strategies of Microsoft and its customers, this chat couldn’t be more timely or needed.

If you know someone you’d like to see interviewed on the MJFChat show, including yourself, just Tweet to me or drop me a line. (Let me know why you think this person would be an awesome guest and what topics you’d like to see covered.) We’ll take things from there….

Transcript:

Mary Jo Foley:
Hi, you’re listening to the Petri.com MJF Chat show. I am Mary Jo Foley, AKA your Petri.com community magnate. And I am here to interview tech industry experts about various topics that you, our readers and listeners, want to know about. Today’s MJF Chat, which is our very first one of 2021, is going to try to demystify a bit the hot topic of identity, and my special guest for this is Corporate Vice President of Identity at Microsoft, Joy Chik. Hi Joy, and thank you so much for doing this chat with me.

Joy Chik:
Thank you, Mary Jo. Glad to be here.

Mary Jo Foley:
Great. So for people who somehow don’t know who Joy is, I’ll give you a little background. Joy and her team are responsible for a lot of very key products at Microsoft, including Active Directory, Azure Active Directory, Microsoft Account, the Microsoft Graph, Identity Protection and Identity Management Suites, all of which are delivered to customers as cloud services or on-premises products. And from Joy’s LinkedIn profile, there’s a little more detail that might be interesting. There she says, if you’re one of the 2 billion plus users of Office 365, Skype, Outlook.com, Windows, Xbox, Surface, or Azure every month, then you’re interacting with our platform. So given how central these identity products are to Microsoft, it’s not surprising that they’re also at the core of Microsoft’s and many of its customers’ security strategies. So let’s just jump right in, Joy. I think it’d be useful for the listeners if you could spell out exactly why Microsoft views identity as being core to security.

Joy Chik:
Absolutely. So Mary, if, you know, I think we can all agree on, the future is in the cloud. And therefore, you know, we just can no longer draw any barriers around our physical infrastructure the way we used to. We cannot rely on any of the physical firewalls like the VPNs. If the pandemic has taught us anything, it is, you know, we don’t own all the devices that people are using to connect to the corporate resources. And frankly, we don’t have control of all the applications they use. And the only common element in every computing scenario, I would say, is identity, because at the end of the day, you have to sign in. And that makes identity really the gateway to any organization’s digital estate. And frankly, simply put, you know, the service that secures access to everything for everyone is identity, and identity-centric security just has a ton of benefit. You know, we think about security, you know, using adaptive access policies of authentication that can automatically block attacks and protect the critical data and infrastructure. Also from an identity perspective, you know, we think it’s really important to balance the experience with security.

Joy Chik:
So a seamless user experience that lets people, you know, work and collaborate securely is very, very important. And then you get the benefit from identity-centric security. And we also think about identity not just about employees, which we typically do, but now we also think about, you know, the customers of the enterprise, their partners, you know, there are many, many of these, the frontline workers, and for all the digital resources, including ax data, that we want to make sure that we secure access to all of that. And last but not least, I would say that a simplified identity governance so that we can automate all those access control permissions, and also to audit it across both cloud and on-premise, you know, the hybrid environment, is super, super critical. You know, if the pandemic has taught us anything, identity is very much the critical path, central to business success of our customers.

Mary Jo Foley:
Okay, great. That’s a great introduction. You touched a little bit on trends, in the space, but are there any kind of broader, higher level trends in identity that Microsoft is seeing right now that you think are worth calling out?

Joy Chik:
Yeah. There are a few things that we see, especially, you know, in the past year. First we actually see the acceleration of the macro trend. Like, you know, what we’ve been talking about, digital transformation, which has shifted to identity-centric, zero trust security strategy. When you staff in place the adoption of a flexible work arrangement, you know, especially due to a pandemic, many people work from home and they have remote access to many apps. That what really was, you know, kind of a really eye-popping fun play is that, you know, many of us in the past, when we talked to enterprises, their two-year plans in terms of deployment strategy. And literally honestly, since last March, you know, some just became two-month plans or frankly, two-week plans. So that lasting acceleration is something we see front and center.

Joy Chik:
And the other part we also see is although, you know, the pandemic has created a ton of economic uncertainty, many organizations still choose to invest in modernizing security. We see them actually have the accelerated adoption of Azure AD as well as the other security solutions that Microsoft partners with, you know, we see actually on our apps. You know, the partner security solutions, including Zscaler or Palo Alto Networks or Cisco AnyConnect, are just some of the fastest growing apps in the Azure AD ecosystem. And then based on my own conversations with customers, as well as some of the surveys we’ve done with cyber security leaders, we definitely see, you know, prevention and posture management rooted in a holistic end-to-end security strategy, that need was a zero trust, is very much top of mind. Second, we also know recurring remote work and the remote access to all digital resources, and last but not least, you know, AI and automation, basically, how do we augment the human intelligence with the best machine learning tools? That’s the only way to, you know, secure all digital assets.

Mary Jo Foley:
Hmm. Okay. I want to dig in on zero trust because I think this is a very confusingly named term. Maybe that’s just me, but whenever I hear it, I get a little confused. So could you talk in high-level terms? What is zero trust and how does zero trust fit in with identity?

Joy Chik:
Absolutely. Zero trust is very much a security mindset and uses a set of principles. Because we used to assume, you know, everything behind the corporate firewall was safe. Well, we don’t have firewalls anymore. And also for anything we know that’s even within the corporate network, you know, a breach happens. And in the cloud world, we really say the safest thing to assume is nothing is safe. So the three principles that we adhere to. One is verify explicitly. Second is use least privileged access. And last but not least is always assume breach. And these are the three principles we apply to everything we do. On the identity perspective, you know, like verify explicitly. That means to validate any access requests in the fullest context, beyond just a user account: the devices you are connecting from, then what network you use, the network that you’re connecting from, the application you access and then the data that you want to get access to.

Joy Chik:
So if there’s anything suspicious about any of the elements, like if a user is signing in from a different location, that’s suspicious, or the device is not compliant, or they’re trying to access sensitive data, then we can ask for additional verification, which is like MFA, or simply block access when it’s needed. And then on the least privileged access, what we really need is that we only want to grant access with the minimum level of access privilege to the user that they need to complete the task. And only for the duration of the time they need. So like, an analogy is you can let people into your building, but only during the hours they need to work, right? If on the physical access perspective, you really don’t want to let them into every building or every lab. And then the last principle in terms of assuming breach, you know, we should always assert that breach does happen.

Joy Chik:
So what it means is our system should be ready to detect and remediate an attack. And so we always design all our infrastructure in the way, is one is how can we detect and how do we minimize the blast radius? And how do we remediate it as fast as possible. And identity is really the foundation of this zero trust security strategy, because that’s the place I would argue that really connects all the different parts of the security solutions together, in order for us to have an end-to-end visibility. And in our case Azure AD Conditional Access, that is the security policy that makes it all happen, because that examines the full context of every authentication request and then makes the appropriate access control action.

Mary Jo Foley:
Okay. That’s good. Thanks. If you were talking to somebody in IT who was just not all that familiar with a lot of these concepts that you’re talking about around zero trust and identity, and they said to you, okay, what are like the three things or the best or the easiest and quickest ways IT can actually implement identity into their security policies? What would you say?

Joy Chik:
Yeah, I would say three things. The first step I would say is to connect your identities to the cloud. And the reason is that is the fastest way in order to get access to the cloud security, because we know as much as sometimes people might say, hey, am I better off to be my own on-premise or not. The cloud really gives us the unlimited compute power, as well as just the trillions of signals that we gather that we can use machine learning and AI in order to recognize the attack guidance, and frankly that we can do that ahead of any single organization can potentially recognize any of the attack signals. And so with Azure AD, one of the things that is, you know, I know a lot of our customers, you know, they have on-premise infrastructure.

Joy Chik:
So using Azure AD Connect, you can synchronize on-premise identity to Azure AD so that you can manage all the security policies and govern identities in the cloud. That way you get the benefit from the cloud security, but you don’t have to rip and replace the on-premise infrastructure. You can do that transition at your own pace. So that’s the first step, but once you connect your identity to the cloud, you know, the next thing you really should do is turn on multifactor authentication. And frankly, I always tell our customers, if you only do one thing, please turn on MFA and turn on MFA for everyone, because the number one attack vector is still stolen credentials. Well, identity, you know, people don’t log in for the sake of logging in. It really is about access to applications and data. So going further, we’re recommending connecting all apps behind a single identity solution.

Joy Chik:
And when I say all apps, it’s really not just cloud apps, it’s on-premise apps or your custom-built sort of line-of-business apps, because that really helps to make identity the control plane for all applications, as well as users. And because, you know, some of the, you know, sort of I would say kind of a miss is, you know, people think Microsoft only secures access to Microsoft; the fact is that in Azure AD, the app gallery, we actually include thousands of third-party app assets. Including like Adobe, you know, ServiceNow. Including even our competitors like Zoom, Slack, G Suite, you name it, they are among some of the more popular apps in the Azure AD app gallery that are being heavily used. The last point, Mary Jo, I would just say is actually a Forrester study actually estimates that by consolidating into a single identity solution and connecting all apps [inaudible] literally saves, you know, organizations about 10 minutes per week per employee. So it is quite significant.

Mary Jo Foley:
Hmm. Okay. That’s great. Another concept I wanted to ask you about, because I hear Microsoft officials talk about this all the time, is going passwordless. So how does this actually work in theory and in practice when it comes to identity?

Joy Chik:
Yeah, like we all know passwords are not secure. Just no matter how many characters in our passwords or how complicated it is or how often you change it, it just is not enough to keep us secure. Right. We know stolen credentials is the top way for bad actors to gain unauthorized access. So strong authentication is very important. Passwordless authentication really means it replaces the text passwords with something you have, something you are or something you know. For example, it would be using the Microsoft Authenticator app. That is something you have, which is your phone. And you can combine that with something you are, like your fingerprint, or something you know, like a PIN that stays on the device. In practice, you know, passwordless authentication really protects users from unintended actions. You know, just like when you accidentally click unefficiently. And at the same time, it improves the user experience because they don’t have to enter a password.

Joy Chik:
You know? So the fact that what we see is that there’s an incredible amount of adoption of passwordless authentication. Last year, we shared that over 150 million users across Azure AD, as well as our consumer identity Microsoft Account, have gone passwordless. And that 150 million users is huge. And in the last year alone, passwordless usage in Azure AD itself has grown by more than 50%. And this is across Windows Hello for Business, Microsoft Authenticator, as well as FIDO2 security keys. We have more exciting news coming to share this year. And we definitely look forward to that. We think this year is the year of passwordless.

Mary Jo Foley:
Hmm. Okay, good little tease there. I like that. How about now let’s talk about the Microsoft Graph, which is the centralized API. That seems like it’s pretty much key to everything Microsoft’s doing these days. So how does the Graph fit in with the overall identity and security thinking and strategies that you have?

Joy Chik:
Yeah, we made a pretty big bet on our overall integrated solutions because, you know, customers do recognize the value of solutions where you can share signals data across services. So Microsoft Graph provides basically that unified API service, if you will, for accessing data across Microsoft 365, Windows 10, and Microsoft Security, Compliance and Identity solutions, which is making it much easier for a developer to, you know, create, you know, their integrated solutions on top of it. And in particular for security, this is super helpful because in the identity space we centralized our identity APIs behind Microsoft Graph. So customers, you know, can not only manage all the user and access policies from the Azure AD portal, but they can also write code and automations to manage it through the API service, so this type of flexibility is tremendously important for enterprise customers.

Mary Jo Foley:
Okay. I wanted to ask you a little bit about Azure Active Directory since that also is basically the core of identity at Microsoft. And I saw recently there was a blog post that said starting April 1st this year, Microsoft is going to go from three nines to four nines, or 99.99% guaranteed availability, for Azure Active Directory, which is pretty amazing. So I’m curious what changed at Microsoft to enable this kind of higher level SLA guarantee for customers?

Joy Chik:
Yeah, I would say we’ve been on this journey. You know, I always say, you know, sort of my team is pretty clear. Our number one job is to make sure our service is secure and reliable, and it has always been top priority, you know, ever since the beginning of Azure AD, if you will, above everything else we do. And we continue to invest heavily in the scalability and the elasticity of the service. Just to share some of the investments that we shared in the SLA announcement, these are all cumulative in terms of a set of investments, and we’ll have more, you know, sort of ongoing. Examples, some of them are like we moved our authentication service to what we call a more cellularized architecture, meaning we create more fine-grained domain isolation so that you can isolate failures to a much smaller percentage of total users.

Joy Chik:
In the past year alone, you know, we increased the number of domains over 5X, and we keep planning to go, you know, doing more and more over the next year. Another example is that we added another layer of resilience by rolling out this thing we call Azure AD Backup Authentication Service, which runs parallel to the primary Azure AD service. The way to think about it is this is like the backup generator or uninterrupted power supply, you know, for your sort of power grid analogy. So if the primary system goes down, the backup service automatically kicks in and takes over. So from the customer point of view, they don’t notice any difference and there’s no downside at all. And then another area, in terms of application services, use our managed identity for Azure resources capability, where they can now also benefit from what we call integration with regional authentication endpoints.

Joy Chik:
Because again, similar to the fine-grained fault domain isolation, these regional endpoints provide a significantly more additional layer of resilience and protection. So even if the primary Azure AD authentication system has issues, it basically puts in additional resilience. These are just some of the examples. But one thing, you know, I think that we feel really good about is that our investments have definitely been paying off, especially we see during last year, during the pandemic, when it first started, you know, we see like entire nation states, like the education system, went online in a matter of weeks. And you’re talking about, you know, like hundreds of thousands of accounts, if not in the millions, and the services, you know, we just automatically elastically scale out as well as, you know, onboard all the users with no interruption. So I think that gives a testimony in terms of both the scale and the resilience. But of course, you know, just running any cloud service, it is a journey while continuing to improve reliability in all of the areas across the Microsoft Identity Services.

Mary Jo Foley:
Okay, great. Last question for you. You already touched on this a bit earlier, but we were talking about how 2020 and the pandemic basically changed some priorities for customers and Microsoft around identity and security. Are there any other things that we should be looking forward to in 2021 in terms of new priorities or updated priorities because of what’s been going on with the pandemic and customers changing their game plan?

Joy Chik:
Yeah. This past year, frankly, just reaffirmed just how important it is to invest in cloud identity. Both for our customers, as well as for Microsoft. You know, like around this time last year we authored our identity blog in terms of our priorities. So I told customers that their number one priority is to connect all their apps into a single cloud identity solution. As a matter of fact, you know, customers who made that investment were able to pivot to remote work much faster and painlessly when Covid hit, versus the others would take a bit more time. And the companies who are on this journey, they are not going back, they’re just accelerating that adoption. And also flexible work arrangement, frankly, is here to stay.

Joy Chik:
Right. We all hear that, that, you know, we don’t think that, you know, we’ll ever go back to the way it was. I think that we all imagine some kind of hybrid environment to move forward. So remote work is going to continue to be front and center. So, you know, if anything, our customers just realize that they need to provide remote access to all apps, including legacy apps, that we’ve been helping them. And from all the conversations in the past year, we talk to customers about their priorities and the things, then their feedback and ability to our priorities, which, you know, we author our blog. And I think in the coming weeks for 2021 is going to be five things. Number one is to adopt a zero trust security strategy to protect against any attacks and identity compromise.

Joy Chik:
Second is connecting all apps to a cloud identity system so that you can give employees and the customers, partners secure access from anywhere to all apps. And third, as I said, this year is the passwordless year. And so passwordless authentication, it’s secure, and it’s more user-friendly. The fourth is, you know, we also see as attackers, you know, they attack obviously credentials, but they also move to attack the apps themselves. So we think it’s important to secure user access to all apps, but important to make sure that apps themselves are also trustworthy. And last, but not least is, you know, if the pandemic taught us anything, it is that collaboration beyond organization boundaries is critical. So to enable secure collaboration across organization boundaries is absolutely the key. And we frankly, being on this execution path relentlessly, you know, in the past year and, you know, our industry inference also noticed it.

Joy Chik:
So I’m pretty proud to say for the fourth year in a row, that Gartner has placed Microsoft in their Leaders quadrant for identity access management. As a matter of fact, in 2020, we are the leader. So it’s pretty exciting to see. Lastly, Mary Jo, I would just say, like, along with these priorities, we also continued to invest in the centralized identity and the verifiable credentials, because we believe that is the future of identity as we see it. You know, last year we shared our work on a pilot called [inaudible] programs of the US Department of Defense. And we absolutely will have more to share in 2020.

Mary Jo Foley:
Okay, great. Well, thank you so much for all the information and for taking the time today, Joy. It was really exciting for me to finally get to interview you, something I’ve never gotten to do until now, which is kind of surprising.

Joy Chik:
Well, I’m very, very honored to be invited and thanks for having me.

Mary Jo Foley:
Great. For everyone else listening right now to this or reading the transcript, I’ll be putting up more information soon on Petri about who my next guest is going to be. And once you see that you can submit questions directly on Twitter for the guests using the hashtag MJF Chat. In the meantime, if you know of anyone else or even yourself who might make a good guest for one of these MJF Chats, please don’t hesitate to drop me a note. Thank you very much.