Microsoft Looks at User Protection After Log-in

The patent highlights Zero Trust, the concept that cybersecurity shouldn’t stop at the gates to entry.

Photo by Connor Lin/The Daily Upside

Sign up for smart news, insights, and analysis on the biggest financial stories of the day.

Microsoft wants to protect the cloud after log-in. 

The company filed a patent application for a system to detect “anomalous post-authentication behavior” related to different workload identities, or the identifiers assigned to a specific task. Basically, this tech uses AI to determine if certain activity or actions taken represent a change in user behavior. 

Here’s how it works: This system records activity for a period of time after a user has logged into a platform, and stores them in what Microsoft calls “audit logs.” This system may pick up on behavioral and “state change(s),” such as abnormal actions taken by certain users. 

Those audit logs are then fed to an “anomaly prediction model,” which generates an “anomaly score” to determine whether certain sequences of actions are indicative of irregular behavior from that user. If the model determines that a user’s actions aren’t typical, “a mitigation action may be performed that mitigates the anomalous behavior.” For example, a user may be logged out or have their permissions to the system restricted. Alternatively, the system may notify an administrator to take further action if needed. 

As more people move from on-premise servers to cloud services, the transition period creates an entryway for bad actors to gain access to their systems “in an attempt to steal and/or hold ransom sensitive data, or to leverage the massive amount of computing resources for their own malicious purposes,” Microsoft said. 

But this way, security doesn’t stop at the door: If a bad actor is able to access a system with valid credentials, Microsoft’s system can catch them by monitoring the actions they take, allowing administrators to have additional security confidence. 

Photo via the U.S. Patent and Trademark Office.

Microsoft’s tech lines up with a common cybersecurity theme called Zero Trust, requiring all users to be continuously authorized, said Aubrey Turner, executive advisor at Ping Identity. Solutions similar to Microsoft’s already exist, said Turner, which look at signals such as device, location and reputation to decide the trustworthiness of users at any given moment. But Microsoft’s filing “goes a little further in terms of looking at the workload,” he said. 

But getting tech like this to work properly is “easier said than done,” Turner noted. Scaling something like this may present a challenge, since all Software-as-a-Service apps that rely on Microsoft’s cloud platform are built differently. False positives – and false negatives – also present an issue, he said. And as a machine learning-based system, it’s only as good as the data it’s built on.

“But that shouldn’t be a deterrent in my opinion, to build something like this when post-authentication is really where we need to focus,” Turner said. “When somebody has actually completed an account takeover and they’re logging in as you … this is where I think this workload identity comes in and is looking for those inconsistencies.” 

While a system like this could help mitigate digital threats from bad actors, it also implies a certain level of surveillance. This system would need to understand different user habits and activities to know which ones are anomalous. But in identity protection, walking the line between protecting user privacy and protecting a user from cyberattacks is a constant balancing act, said Turner. 

“Everybody’s got something to say about how information is being used to mitigate fraud,” he said. “We need that information, we need that data to help mitigate identity attacks. But there’s that friction. Without access … the ability to mitigate identity-related fraud will now be constrained. The whole privacy thing is nuanced.” 
At the end of the day, Microsoft has a major incentive to raise its cybersecurity game, especially for Microsoft Azure, which holds roughly a quarter of the market share in the cloud services industry. And following a major Azure breach from a Chinese hacking group known as Storm-0558 in July led to 25 different organizations being compromised after an engineer’s account was hacked, researching identity tech like this could help it prevent future missteps.