Becoming resilient by understanding cybersecurity risks: Part 3—a security pro’s perspective
Get insights on how to work with business leaders to manage risk and defend against sophisticated cyber threats.
Azure Active Directory (Azure AD) is now Microsoft Entra ID. Learn more.
I love hearing my colleagues explain how they came to the industry because so many of their stories are unusual. I’m surprised how often I hear that people got into computer science by some fortuitous accident. Although he loved computers from the time he was a kid, Oren Melzer never expected to work in the software industry. Today, he’s a Principal Group Engineering Manager in the Identity and Network Access organization, working on one of our team’s most important efforts: resilience.
When he was growing up, Oren’s business-minded parents encouraged him to develop an entrepreneurial spirit. And he did. Oren’s journey reminds us that entrepreneurship isn’t limited to building a new business from scratch, where you start off doing everything yourself. Even though he’s worked in a large organization in a large company for the past several years, Oren has enjoyed participating in many entrepreneurial efforts, including his groundbreaking work on making cloud services resilient, as he tells Nadim Abdo, Corporate Vice President of Identity and Network Access Engineering.
Oren’s interview with Nadim has been edited for clarity and length. We’ve included some video snippets so you can learn more about Oren’s personal journey and his views on the work he does.
Nadim: Oren, I’d like to start by asking what got you into the industry and computers?
Oren: It all started when I was really young. My parents were immigrants from Israel to Louisville, Kentucky. Not a ton of Israelis in Kentucky! My dad was an engineer, so we had computers super early. I’m dating myself, but we had a Commodore that ran Microsoft Disk Operating System (MS-DOS). I was probably five or six, tinkering around on that thing. When my dad showed me Quick Basic interpreter (QBasic), I created a simple little program that would ask, “What is your name?” And you’d say, “Oren.” And it would say, “Hello, Oren.” I remember thinking, “That’s the coolest thing in the world. I can make a computer program that I can talk to!” I loved doing stuff on computers from then on.
Nadim: I have fond memories of QBasic as well. That integrated development environment (IDE) and debugger were pretty awesome. So, you wrote programs from an early age—do you remember any other programs you did?
Oren: Three months after I was born, my parents started a food manufacturing company, which they still run. It’s a family business, so after a few years, they put me to work. But they realized pretty quickly that this computer thing was probably more useful than me putting cans in boxes. So, I became the company computer guy.
They had software to do all their accounting and inventory, and there was a production planning module that cost $40,000. They asked me what I thought, and I said that, with what I knew, I could write it for a lot less money. I was a high schooler, and they basically threw me into this problem. I didn’t have anybody to tell me what to do or how to do it. I wrote a bunch of Visual Basic macros that pulled data from the system, pulled up some editable forms, and then popped out a production plan. That was an entire summer project, 20-plus years ago, and their company still runs on that software to this day. I actually still get tech support calls to fix random bugs.
Nadim: That’s amazing! You must’ve learned the value of customer obsession from that experience. And obviously, this segues to how you now work on some of the most critical services in the entire industry. What learnings from that experience really carried through?
Oren: First, you have to build something that works. I wrote this software when I was 16 or 17 years old, and if it breaks, they can’t produce—30 or 40 people on a factory floor don’t know what to run or they’re scrambling to try to do the same thing manually.
I didn’t know about source control then, but I learned early on to make a backup copy when making changes. If something broke, I’d copy in the one from yesterday that worked. And there’d be weird edge cases, like some new item that the string was too long to fit into how many characters I assumed it could be. So, I learned to be very fault-tolerant, catch errors, and keep on going.
Nadim: When you went to college, what did you choose as your focus?
Oren: I was convinced that software was something everybody was doing. And I like to do things that other people aren’t doing. So, I went into college as a biomedical engineering major. I really wanted to combine the computer thing with biology, another passion I had in high school. I wanted to build medical devices and software for medical devices, pacemakers, and so forth.
A couple of things got me into software. Early on, I met another computer science major, and he became a good friend. He’s actually at Microsoft now. We started a book business together, which we wrote software for.
Video 1: Oren talks about the book business he started in college with a friend.
For a while, I actually thought this thing could be my career, but during our downtime one summer, I looked for a biomedical internship. I couldn’t find one, but who showed up at our company fair? Microsoft. I had my first internship in the identity organization after that. I loved it so much I changed my major. I ended up getting a master’s in computer science and came to Microsoft full-time. I’ve been in identity ever since.
Nadim: That’s wonderful! What do you like best about working in the identity space?
Oren: What’s cool about identity is how foundational it is, like the electric company. Very few people wake up in the morning and say, “I want to use my identity today.” But whatever you do want to do—when you look at all the Microsoft products and applications at any number of businesses—the very first question you always need to ask is, who are you? What is your identity?
Identity enables all those experiences. And when it doesn’t work, people can’t work. I tell people, “I challenge you to find another job where you can impact more people in a day than our identity system does.” We throw around numbers like “billions of authentications” like it’s nothing. That level of impact—that level of making a difference for practically every working person, and many people in college, all over the world—is practically unmatched anywhere else at Microsoft or in the industry, as far as I know.
Nadim: That’s right. The scale is certainly incredible, as is the criticality and security. With that kind of scale, there are obviously enormous technical challenges. And you’ve worked on a number of different areas within identity, right?
Oren: I started on a product called Windows CardSpace, formerly known as InfoCard. It was an identity selector in Windows, where somebody could issue you an identity to use online. To some extent, we were ahead of our time, and eventually, that project was shelved. I moved to developer frameworks and worked on Windows Identity Foundation, which became part of the Microsoft .NET Framework. I also worked on Active Directory Federation Services (AD FS).
My first entry into cloud services was the Access Control Service, which allowed admins to configure federated authentication for their apps. You could authenticate using Microsoft accounts and Google accounts and also secure your application. It was one of the identity organization’s first modern services. And it was really interesting to move from shipping software in a box, which people can download or not, to shipping something that runs all the time and is critical to day-to-day life.
Nadim: And certainly, an absolutely critical journey as part of cloud transformation with everybody using these services. Tell me about your role and what you like best about it?
Oren: I now own an area called “authentication resilience” in identity. We could build the best services in the world, with the most features, but if they’re not up all day, every day, we’re basically failing our customers. And the impact of that is enormous. We’ve learned hard lessons over the years on what can go wrong in a distributed system, so we’ve developed systems that enable us to operate, and continue to operate, in case all kinds of outages occur, whether from networking problems somewhere in Microsoft Azure, a bug that gets released in our system, or key management problems.
We’re building, number one, a set of components to ensure that if the core identity system goes down, users won’t notice. We do that by allowing sessions to live longer, while also being more secure, and to react in real-time. Secondly, we built an entire decorrelated backup authentication stack where we can continue to serve authentications even if the primary system goes down completely. The vast majority of users can stay productive and have no idea that anything has gone wrong.
The goal is to prevent the outage from happening, but if a partial outage does occur, to minimize the impact.
Video 2: Oren describes his job to his parents.
Nadim: How would you say that Microsoft is differentiating our offerings in terms of resilience?
Oren: When we started on this resilience journey a couple of years ago, we weren’t aware of any cross-industry efforts on service resilience. Existing identity standards just assume everything is going to work. With OAuth and security assertion markup language (SAML), you make a request, you get a response. There was no playbook or roadmap for figuring out how to build the next level of real-time signals, more resilience, or backup systems. We weren’t going to wait for one, so we just built it. Ultimately, a working group formed in the OpenID Foundation called Shared Signals and Events, and we actively participated. I went to many of those early meetings, trying to figure out how to build a real-time resilient identity system.
It’s one thing to talk about theory. It’s another to say, “We’ve built this already. Here’s what it looks like.” As a big believer in open standards, I’m proud that we didn’t just say, “The standard must be exactly like what we built, otherwise we’re not going to be on it.” We have actually adapted our implementation to the industry standard. And we’ve been able to get our partners elsewhere in the industry—people who build other software that works with Microsoft Azure Active Directory (Azure AD)—to adopt this standard as well. Now we can say that we have resilience and continuous access, not just for Microsoft properties, but also for many other long-tail apps, built by other people, that we know our customers rely on every day.
Nadim: One of the things that’s awesome about our team is we have so many different individuals with so much talent, with different interests, passions, and ways of looking at the world. How would you describe yourself, your approach, and your strengths?
Oren: People think of software engineers hunched over in a dark room in front of a desk, pounding on a keyboard, looking at ones and zeros on a screen. I like code as much as anybody, but I am a people person. I really thrive on human interaction, on enabling somebody to be successful, and on finding the right project for someone working for me who may be struggling a bit.
The same is true when I think about the impact of the software we build. I don’t just think about the billion requests our backup systems serve today. I think about a billion people who might’ve been frustrated because they couldn’t check their email. And now they can because this backup system kicked in. What motivates me is the people—both the ones I can see in the office and the ones I can’t see. I know they’re there. Knowing that the work I do can make a difference for those people, both in terms of the technology I build and of the people I manage, is extremely motivational for me.
Video 3: Oren shares what he likes best about his job.
Learn more about cloud resilience.
To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.