The Security Interviews: Talking identity with Microsoft’s Joy Chik

Identity is your ‘front door’

“You could say, from the security angle, that everything starts with identity, just because we’re a front door control plane for everything,” she says.

Added to this, the sheer scale of Microsoft’s worldwide installed base gives Chik the opportunity to really lead on identity issues, given most enterprise users will run into her teams’ work at some point in their working day.

“That magnitude, that sense of responsibility if you will, to protect our customers both on the commercial side and on the consumer side, is to me both humbling, but also has that fulfilment in terms of impact,” she says.

“It’s [also] definitely a challenge because you can never say mission accomplished, the job is done. It’s always a journey, or you could say it’s a race, because attackers are getting more and more sophisticated and they are innovating, for lack of a better word.”

Of course, with identities and, more specifically, credentials, one can make the argument that cyber criminals don’t really need to innovate that much, when they can easily and quickly deploy brute-force or phishing and social engineering attacks to get people to let their guard down. Microsoft’s statistics bear this out.

“A year ago, our data shows there were about 1,000 password attacks happening in the world per second,” says Chik. “If you fast forward just one year, that has increased fourfold. So there are four thousand password attacks every single second as we speak.”

“As an industry, and as users, we all need to know that attacks are heightening, and we need to do more to stay ahead. It is really a race to stay ahead of attackers and continue to innovate so that we can prevent bad things from happening, rather than just detecting that they happened”

Joy Chik, Microsoft

The reason for this volume boils down to the fact that passwords are still the main way we access online services, even though their inherent insecurity has long been known, and is proven time and time again.

Of course, there are cromulent strategies to bolster password security – everybody makes a big deal out of multifactor authentication (MFA) and, in some instances, Microsoft turns it on for customers by default. It is not necessarily crossing a line in making that decision either, because MFA has been proven to drastically reduce the attack surface.

However, even MFA is not infallible, says Chik, especially in the face of a determined threat actor who is familiar with the latest tools. Such as generative artificial intelligence (GenAI).

“With generative AI [emerging], these attacks are becoming more sophisticated. In a traditional phishing attack you get a suspicious email that sounds like it could come from Microsoft, but you can probably catch it – there are grammar mistakes, it’s pretty boilerplate,” says Chik. “But with GenAI, things are a lot more tailored.

“As an industry, and as users, we all need to know that attacks are heightening, and we need to do more to stay ahead. It is really a race to stay ahead of attackers and continue to innovate so that we can prevent bad things from happening, rather than just detecting that they happened.”

AI: A market-maker for identity?

But as we know from the past 12 months of coverage, AI is as useful a tool to defenders as it may be to attackers, and the industry – including Microsoft – has had a few years’ head start.

“For Entra, we have been using AI to detect anomalies, for example,” says Chik. “You just signed into your laptop on the Microsoft Wi-Fi [she’s right, I did] and it’s trusted, it’s probably okay.

“But imagine if you signed on from a random café, or if your credentials have been stolen and suddenly you’re signing in from other countries. The AI engine can detect that there’s a deviation happening from your usual sign-on pattern and alert, and [from there] it depends on the company you work for if it applies policies that will prompt you for MFA. With things like that we are using data to do more real-time risk assessment.”

But the use of AI doesn’t stop with anomaly detection. Microsoft is also using it to help customers solve for some of the complexities inherent in identity policy and management.

“As an industry, we have a lot of identity policy settings, but one of the things customers don’t necessarily know is what set of policies to turn up to protect their environment,” says Chik. “Imagine if you could use it [AI] to ask what policies to deploy. Because we already have enough data signals to know what’s in your environment, we can recommend or even turn on policies for enterprise customers. I think that’s super powerful.”

This is not a pipe dream for the identity team, either – the feature is already live as part of Microsoft’s Security Copilot service, which was rolled out in an Early Access Programme to select customers at the end of October 2023.

Billed as the world’s first GenAI-powered security product, the Security Copilot service also encompasses a wide range of features such as extended detection and response (XDR) via Microsoft 365 Defender and threat intelligence via Microsoft Defender Threat Intelligence. Microsoft claims preview customers were able to save up to 40% of the time spent on core security operations tasks when using it.

Into the passwordless future

In February 2004, Microsoft supremo Bill Gates took to the stage at the annual RSA cyber conference and predicted that the traditional password would soon die off, unable to meet the challenges of modern-day online services.

In the event, the password continues to rage against the dying of the light, even as the likes of Google – alongside Apple, Microsoft and others – continue to bang the drum.

But there can be no denying that the concept of the passkey – a biometric or passcode-based login option – which is being championed by all three companies, is a strong one, and Google’s adoption of passkeys is a surefire sign that the winds of change are picking up. Chik is also an enthusiastic advocate of the passkey, as you might expect.

“We believe that we need to move together as an industry [and] we are definitely adding passkey support as part of Windows, and into our authenticator apps. That’s absolutely coming,” she says.

Traditionally, there are three so-called “factors” to authentication – something you know, something you have, and something you are. Passkeys remove the need to know something (your password) in favour of authenticating using something you have (your device) and something you are (you).

Chik describes them as forming part of an individual’s “bond” with their device. They can take several forms, either biometric, such as fingerprint identification or facial recognition, a simple PIN like those used at ATMs on the rare occasions one still needs physical cash, or a swipe pattern as have been used to unlock Android smartphones for years.

“But the key thing, I think, is that passkeys can be passed to your device to authenticate you elsewhere, so rather than just one use – if you only used it to unlock your smartphone it wouldn’t be very interesting – is it lets you launch different apps across devices,” she says. “It removes a headache [for users], but more importantly, it’s a great user experience and it’s more secure.”

Passwordless authentication, which has come to Microsoft’s product family via the Microsoft Authenticator application, has already seen strong adoption on the consumer side, where the number of users is already measured in the millions. “I actually don’t remember the last time I used a password because I just use Authenticator,” observes Chik.

“On the consumer side, we can manage that for our customers and turn it on. On the commercial side, we provide the tools for IT and security teams to turn on passwordless – because that’s a three- or four-step process,” she says.

This process encompasses discovery exercises such as figuring out where passwordless might best be used within the organisation, and where it might be safer to rely on older methods, educating and supporting users through the deployment process.

Enterprise users will also need to be sure that there are failsafes in place should somebody be locked out of their system having lost their phone and access to Microsoft Authenticator. Microsoft handles this with a form of temporary access pass that enables the stricken user to get up and running again.

Shift left

For Chik and the Microsoft identity team, the future is looking bright. “Identity will probably continue to be a main battleground from a security perspective,” she says.

“The key thing we want to help our customers with is how to shift left – and when I say shift left, I mean doing more than helping them detect that something bad is happening, but proactively helping them to be secure,” she says.

And it is through investment in AI tools and technology such as Security Copilot, and the removal of friction around outmoded identity options by taking on some of the legwork for enterprise customers, that Microsoft hopes to give its vast installed base the means to ward off malicious actors before they breach the castle walls.