22 Apr 2009
As director of identity and security at Microsoft, can you explain
why the decision was taken to lump these two disciplines together?
When we formed the identity and security division around nine months ago, few
vendors at the time were bringing these two efforts together, but we saw them
coming together in two ways. When a company loses identities, that opens up a
security threat. And on the other side, if there is a security vulnerability
somewhere, the hackers tend to go for things like identity, and other
information. So the approach of keeping security solutions apart from identity
solutions didn't make any sense for our customers.
What are the major trends in security that have affected your work in the division?
We aren't seeing hacks for sport happening anymore. We're seeing commercially motivated attacks targeted at enterprises and other organisations. They are multi-country, co-ordinated and fairly sophisticated in what they're trying to achieve. And secondly, rather than attacking the operating system, they're trying to exploit vulnerabilities in applications to go after the information, because that's the currency that can be turned into profit.
Can you explain Microsoft's new Business Ready Security initiative?
Yes, I am observing another dynamic at play - information is fighting two opposing forces. One says 'protect the information' and the other says 'give access to it'. We need to collaborate with the information but also protect it. If you're only focused on protecting it, you'll do a poor job of ensuring people collaborate with it. And if you take an identity-centric mindset you'll get great collaboration but no protection. There is a grey line between access and protection, so we've been working on these problems in the past year and called this effort Business Ready Security. If I had to define it in one phrase I would say 'protect everywhere but access anywhere'.
How have you tried to achieve this goal?
We realised to make it a reality we have to do two things well. The first is to be well integrated in our own house. With that we've got Stirling, an integrated suite of Forefront products on the client, server and edge. It's good not because it will provide you easier management, but because the real benefit of that integration is when a threat is felt on the edge, that event will be absorbed and well understood and analysed and then that information can be presented to all other tiers of the suite. The second truism about our approach is that it's not just a Microsoft challenge, but all the actors in the industry must put a strong foot forward to counter the threats. We produce a bunch of assets producing information, like Exchange, Dynamics and SharePoint, but that's not the be all and end all, which means our solutions must extend beyond Microsoft's boundaries.
How are you enabling that?
Well, since Stirling is one of our most important initiatives we'll start there. We've made available Stirling's Security Assessment Sharing framework - the means by which separate Stirling products share information on security events with each other – through an API. This is available to anyone in the industry, partners or competitors, and we've already got 20 partners building on and integrating with Stirling. They're firms like Kaspersky Lab, Juniper Networks and RSA.
You also announced the first online security tool Microsoft has produced in Forefront Online Security for Exchange. How big an issue is security for firms looking to invest in cloud computing products?
Perhaps the number one blocker we've seen to mass adoption of cloud computing services is the issue around identities. In many ways it's an existential question for enterprises: What happens to them? Who is viewing them? Is my data going to be mixed in with everyone else's when I move to the cloud? This is why we announced Geneva first, last year. These technologies allow you to use the identities you've already built and federate them to the cloud. It was critical for us to ensure there was a solution which allowed everything to be kept in sync, and ensure all these things work together.