Microsoft’s Joy Chik On ‘Acceleration’ Of Internal Security Across Identity, Network, Supply Chain
Chik, president of identity and network access at Microsoft, tells CRN that the tech giant’s Secure Future Initiative is succeeding at ‘strengthening’ Microsoft’s corporate security in the wake of major nation-state attacks in recent years.
Microsoft’s massive engineering effort to lock down its internal corporate cybersecurity in the wake of major nation-state attacks is producing strong results, just shy of a year into the initiative, according to Microsoft executive Joy Chik.
In an interview with CRN, Chik, president of identity and network access at Microsoft, said that the tech giant’s Secure Future Initiative is making big strides around “hardening” the identity systems that attackers have been relentlessly targeting.
On the whole, “we feel we’re not only strengthening [Microsoft’s internal] security — but also we’re sharing a lot of these learnings with our customers, in terms of what they [can] do for their applications, what are the best practices,” she said.
[Related: Nadella To Microsoft: Prioritize Security Over New Features]
Chik also serves as Microsoft’s executive sponsor for the Secure Future Initiative (SFI), which was announced at the start of November 2023.
The initiative was launched after an Exchange Online breach was discovered in June 2023, which saw the compromise of email accounts belonging to multiple U.S. government agencies. The Homeland Security-appointed Cyber Safety Review Board released findings in April that pinned the China-attributed breach on “avoidable errors” by Microsoft.
Then this past January, Microsoft disclosed the hack of senior executive accounts, attributed to a Russia-linked threat group.
Chik acknowledged the significance of both attacks in speaking with CRN, saying that each has informed Microsoft’s efforts to bolster its own security. That has ultimately led to the company’s broad, coordinated effort around SFI — involving 34,000 Microsoft engineers — and produced “acceleration” in the advancement of the company’s internal cybersecurity, she said.
On Monday, Microsoft issued a report to provide updates on the progress of the SFI, pointing particularly to improvements in identity, tenant and network security.
Chik spoke with CRN about the major updates in the report, where Microsoft is looking to go next with the initiative and how it’s aiming to help customers improve their security through the efforts, as well.
What follows is an edited and condensed portion of CRN’s interview with Chik.
What have been the biggest areas of focus for Microsoft as part of this initiative so far?
SFI really started last October/November, after we had the Storm-0558 [incident] — the Microsoft consumer account signing key that’d been infiltrated. We used that as a moment to think about, “How can we think security holistically?” Not just protecting the identity infrastructure, but also, how do we think about protecting the software supply chain? How can we continue strengthening our secure by design effort using the secure design lifecycle, SDL process, etc.?
And then in January we had the Midnight Blizzard [incident], the Russian nation-state sponsored attack. It kind of further informs us [on] how do we look at the terrain — whether it's identity or the network, or whether it's a production environment, whether it's the engineering system from the software supply chain — how do we look at this holistically, end-to-end, from the protection perspective? …
The [initiative] is a coordinated Microsoft engineering effort that spans over 34,000 engineers across the company. It’s probably the largest cybersecurity project that we’re embarking on in one coordinated manner. I think the acceleration is really doing it in such a coordinated fashion.
In terms of the identity security updates you mentioned in your report this week, how specifically does that help Microsoft to protect Microsoft?
I think the CSRB report kind of pointed out [with] the Storm 0558 incident, [that how] we were protecting the identity signing keys in software was not sufficient. We know nation state-sponsored attacks are escalating at an exponential level. And we know they [use] sophisticated mechanisms to infiltrate secrets. One of the key updates is we completed an update for both Microsoft Entra — which is our commercial identity system — and the Microsoft Account, which is MSA for both our public and U.S. government cloud.
[That is meant] both to generate and store — but also continuously, automatically rotate — the access token signing key [through use of] the Azure Managed Hardware Security Module, HSM.
The goal is to continue to drive that hardening of the identity system — such that we can avoid any human touch, so that it can be rotated automatically on an ongoing basis.
I also mentioned managed identity — we all know passwords are inherently insecure, and we want to make sure we continue to drive the broader adoption of these standard identity libraries across all services at Microsoft.
That [means] broader adoption across not just key workloads, but across commercial and consumer services across Microsoft. So I think that’s some of the significant progress, where we feel we’re not only strengthening [Microsoft’s internal] security — but also we’re sharing a lot of these learnings with our customers, in terms of what they [can] do for their applications, what are the best practices.
What are some of the major updates outside of identity?
[Along with] hardening all your systems, reducing your attack surface, or potential attack surface, is equally valuable. So as a result of that, we eliminated over 730,000 unused applications, 5.75 million inactive tenants. So we kind of spring cleaned and removed this potential attack surface. But we also have a new policy to enforce higher security defaults for the new creation of the tenants, to reduce the privilege for the new creation of the applications [and do] stricter reinforcement of the lifecycle management of these tenants and applications. So these are the things that not only we do, but we think that moving forward, it would be a great example to share with our customers in terms of best practices. This definitely uses that secure by default mindset.
Identity is your front door, and of course, you want to make sure there's no lateral movement to your production environment. But network is equally important. So how do we segment and isolate a network? Is there a way to reduce that blast radius in the event [of a breach], to reduce the impact? And protecting the engineering system is all about the software supply chain. The integrity of the code, the integrity of the deployment to our production systems, is equally important.
Going back to identity security, what remains to be done in that area?
We always think of security as a journey, not a destination. We will continue to harden our infrastructure by using the latest threat signals. … We'll continue to use AI and machine learning, based on the threat signal we get — so you can actually construct a better attack graph to understand the [attackers’] behavior and then be able to build layers of defense into our system. Identity is the key, but we also think you need to build layers of different defense around that.
Identity is the foremost important one. But we do think these layers — of network, the software supply chain, the production systems, the apps, reducing the privilege — they all equally apply to strengthening the entire environment. [And that’s not] just for the Microsoft corporate environment, but our production environment, and therefore, for our customers as well.
Looking back at the start of the initiative compared to now, do you feel like there is a pretty radical difference in the areas you’ve been working on?
I would just say that security has always been top priority for all of us — especially [those of us who] work on all these key Microsoft cloud services. You can say, what's the difference? And I would say, it's the acceleration and then the focus. The acceleration is the SFI as a framework, to apply that across Microsoft in a coordinated manner. [Microsoft CEO] Satya [Nadella] and his leadership team [hold a weekly] SFI update to review and discuss the issues and challenges we need to work through. So I think that increased [momentum], at the company level, to drive that focused investment in an accelerated way.
In terms of partners and customers, what should the major takeaways be for them from the initiative so far?
The journey we are on — our customers have their own version of that. So one is, how can we use SFI and the principle of secure by default to make sure we have the right trade-off between security and productivity, to bake that into our products by default. And the second is, as we are on the journey to do all these workstreams - whether identity or production environment or the network or engineering system — there will be developer persona, there'll be the IT persona, there's a SecOps persona. How can we use all the learnings so that we can share this learning with our customers?
[Plans for mandatory] MFA is a great example. The reason we're doing so for Azure — the reason we're doing so for any new tenant you can create — is [that] we want to increase the secure-by-default posture.
So both the product innovation as well as best practices, I think, are [areas] that we’ll continue to work on with our customers — as well as sharing all the learnings and the lessons with them.