Identity, Distributed Workforce, Zero trust

‘Everyone had to rethink security’: What Microsoft learned from a chaotic year

Corporate Vice President of Security, Compliance and Identity Vasu Jakkal spoke to SC Media about lessons from  a tumultuous year. (Microsoft)

The last year brought rapid growth shifts to remote work, combined with a frantic pace of mega-vulnerabilities that called into question fundamental approaches to supply chain and patch management.

This added up to a hefty lift, even for a company the size of Microsoft. Corporate Vice President of Security, Compliance and Identity Vasu Jakkal said Microsoft learned a lot from the year that brought COVID and, in particular, the Solarigate/SUNBURST campaign that the company dubbed Nobelium.

Jakkal talked to SC Media about what the company learned during the year that was.

A lot of things happened in 2020 to Microsoft and, really, to everyone. What changed? What assumptions did you operate off of before the pandemic that didn't hold up after all the chaos started?

Microsoft Corporate Vice President of Security, Compliance and Identity Vasu Jakkal (Microsoft)
Vasu Jakkal, Microsoft

Jakkal: Overnight, all employees became remote employees. It was not a subset, it was not a one off, it was across the world. We had to empower employees to get their work done, and secure them where they were, not only in the U.S. but internationally.

Remote work is here to stay, which we're seeing through hybrid networks. And related to that is learning to see networks as perimeterless, essentially. Pre-pandemic, we still had buildings and corporate networks and robust walling off, and now everybody has home networks and we don't know how secure they are. We're using devices and we are interchanging devices based on how we use them. So I think we were thrown into a perimeterless world and we had to adapt to that pretty quickly. That was the biggest change. 

And now we're seeing it's all going to be different. Hybrid is going to have to adopt the best of remote and the best of pre-remote to bring that flexibility.  That's changing the dynamics of the networks and how we engage. 

The other thing we realize was how critical identity is for security, as the first point of access. Our CISO has a saying: Hackers don't break in, they log in. And they log in using password spraying, in many cases, or they log in entering the network from a different access point. Preventing that and having a robust identity, starting with cloud, was another big learning point for us. We moved to passwordless identity. We're almost 100% passwordless in our own environment.

Some might assume that a company like Microsoft would go into the pandemic completely prepared for that kind of work from home. But it sounds like you're saying that you struggled with it too – that everyone struggled.  

I believe everyone had to rethink how they think about security. The good news for us is we were already on that journey even before the pandemic; we just had to accelerate a lot of that adoption. That was the good news. We have a built-in defense in depth architecture, we had started with zero trust.

So, between the massive hacking campaigns and the pandemic, what did Microsoft learn over the past year?

Nobelium was such an inflection point. As new attack surfaces emerge, and an attack sophistication is escalating, it was no surprise that we saw it. And that's not an outlier. We believe that's going to be the norm. We're seeing more and more, not just depth, but also breadth across the threat landscape, with more prolific threats. 

We've identified four key things that we believe should be top of mind for defenders. The first one is use the tools that you already have; you'll be surprised at how many organizations have tools, but the adoption is not there yet. And right now, just across our customers, there's just 80% of [multi-factor authentical]  adoption. I think there's a lot of opportunity for us to embrace the tools that we have, especially on identity and password protection.

The second one is zero trust. We talk a lot about this , but we believe it is critical for where we are headed, with an increasingly perimeterless world.  The third one is embracing migrations to the cloud with built-in, automated,  robust detections and protections that can be quickly updated. Please embrace the cloud and take advantage of it. And then lastly I'll end with the subject that's closest to my heart: investing in people, skilling, diversity and inclusion. We continue to have massive gaps in talent.

You mentioned not just the severity of the attacks, but the the increased frequency of major breaches over the past year. Do you see that as continuing?

I do believe that we're going to continue to see this pace of attacks and sophistication of attacks. I believe that Nobelium was truly a moment of reckoning for us. And this is why we need to have long-lasting frameworks,  zero trust, defense in depth, some open standards that we work with the community on, as well as just sharing intelligence and treating security as a team sport.

I would say start with what's already there. What are the foundations that are built-in, because even if it was a Band-Aid, there's goodness there that we can leverage.  But in many cases, we're going to have to rethink the architecture, because there's a difference between built quickly and built to last. This is why hybrid is a big inflection point. It likely is never going to go back to the way things were. So I think it's an opportunity to take these frameworks like zero trust and say, 'well ,what worked, what hasn't worked and how do we go back and re-architect what we need here?' In some cases, this is going to be a three-to-five year journey for many of these systems. That’s what we’re hearing. It's not going to be overnight. 

Joe Uchill

Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.