Microsoft’s Ann Johnson: ‘Identity is the new perimeter’

14 Jun 2019

Ann Johnson of Microsoft wants to see passwords eradicated and the cybersecurity skills shortage solved.

As corporate vice-president of Microsoft’s cybersecurity solutions group, Ann Johnson oversees the go-to-market strategies of infosec solutions for one of the largest tech companies on our planet.

Prior to joining Microsoft, her executive leadership roles included CEO of Boundless Spatial, president and COO of vulnerability management pioneer Qualys, and vice-president of worldwide identity and fraud sales at RSA Security, a subsidiary of EMC Corporation.

She challenges business leaders to rethink traditional norms and promotes a shift in how we address the enormity of threats by combining AI, machine learning (ML), automation and the power of people.

Microsoft analyses more than 6.5trn signals daily, processes 630bn authentications monthly, and scans 470bn emails for malware and phishing monthly.

Is the cybersecurity challenge already a race against the bad guys when it comes to AI, ML and deep tech?

Identity is the new perimeter and we identify identity as the human, the device, the data, the application – and all of these have a unique identity and all of these need to be updated, hashed and healthy.

In the context of ML, we take all of those variables and put them in the ML engine and assign risk based on where the user is, what they are trying to access, how they authenticate and what device they are on.

What we find with bad actors is that we are not seeing yet, in any meaningful way, production of malware that adapts in the wild that you would expect, but potentially in the future. We are not seeing yet any meaningful corruption with AI models or putting malicious data into ML engines to try to train it incorrectly.

I do expect that there will be attack vectors and we are doing a tremendous amount of work with Microsoft Research to make sure we build those defences. But the good news is that we are not seeing it in any meaningful or wholesale way today, and that’s why I don’t think it is quite a race.

I think the bad actors are always interested in keeping the costs of attacks low. Phishing still accounts for around 76pc of breaches we see. So, it is almost like they don’t have to change their attack vectors and don’t have to innovate as much, and can spend less money and still be effective.

That’s my theory on why they, the bad actors, have not moved to AI and ML yet, because I don’t think they’ve had to yet. I think that they absolutely will, and I think it is when companies get more mature about their defences.

What we are seeing is cybercrime gangs going after very unsophisticated targets – industries or sectors where they know there isn’t a lot of talent or investment – so there are still a lot of entities they can attack using phishing, and that will be the way it will be for a while. But it is only a matter of time before they start to do more innovation around ML and AI. They already are, we just haven’t yet seen it in any meaningful way.

What is your feeling on passwords? Will they ever go away?

As an industry, we are taking some pretty big steps to get away from the password. We have to. As I said, 76pc of breaches start with compromised passwords through a phishing attack of some sort or a brute-force attack.

At the end of the day, it is relatively frictionless and straightforward to move end users, particularly consumers, away from passwords. I can’t think of any new smartphone on the market that doesn’t have some sort of biometric that can be natively integrated into applications.

Firstly, for consumers, I would encourage everyone to stop using passwords and to use multifactor authentication. Microsoft itself is on a mission to be password-less and what we are doing as a company is, we have moved 80pc of our internal users away from passwords and we are aggressively moving the other 20pc. The problem is getting the legacy applications that are sitting at the back-end to be able to hash and sync the passwords, and obviate them from the user. Passwords may still exist in the application, but its hash is obviated from the end user, so that the end user is logging in with a biometric or a certificate or something that is non-password.

As soon as we get passwords out of the ecosystem in its entirety, the better the security industry is going to be.

With more than 2,500 cybersecurity jobs unfilled in Ireland and a projected shortfall of more than 3m globally by 2021, there simply aren’t enough defenders to keep pace with the growing cybercrime challenge. Not only that, but there is a diversity challenge. Would you agree?

Women are about 11pc to 15pc of cybersecurity professionals, depending on what study you look at. We need to attract more women into cybersecurity careers.

We also need to attract people with diverse backgrounds. I often say our teams need to be as diverse as the problems we are trying to solve. But I don’t categorise diversity as just ethnicity or race or gender; it is also socioeconomic background, educational background, it is career background.

When you think about ML and solving complex problems, you can’t solve a complex problem with groupthink. If all your people have the same educational and socioeconomic background, you are not going to solve complex problems.

Even if we didn’t have a talent shortage, there is a real need in the industry to get away from that homogenised thinking we’ve had … and the talent shortage is really driving this home.

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years