At Microsoft, years of security debt come crashing down



Years of accumulated security debt at Microsoft appear to be crashing down on the company in exactly the way many critics warned about but few expected to actually happen.

Microsoft is an entrenched enterprise provider, owning nearly one-quarter of the global cloud infrastructure services market and, as of Q1 last year, nearly 20% of the worldwide SaaS application market, according to Synergy Research Group.

Microsoft is no stranger to scandal, but in the wake of two major nation-state breaches of its core enterprise platforms, the company is facing one of its most serious reputational crises.

“It’s certainly not the first time a nation-state adversary has breached Microsoft’s cloud environments and after so many instances, empty promises of improved security are no longer enough,” Adam Meyers, SVP of counter adversary operations at CrowdStrike, said via email.

In January, Microsoft said a Russia-backed threat group called Midnight Blizzard gained access to emails, credentials and other sensitive information belonging to top Microsoft executives, certain corporate customers and a number of federal agencies.

Then in early April, the federal Cyber Safety Review Board released a long-anticipated report which found the company failed to prevent a massive 2023 hack of its Microsoft Exchange Online environment. The intrusion, by a People’s Republic of China-linked espionage actor, led to the theft of 60,000 State Department emails and gave the attackers access to the mailboxes of other high-profile officials.

Just weeks ago, the Cybersecurity and Infrastructure Security Agency issued an emergency directive ordering federal civilian agencies to mitigate vulnerabilities in their networks, analyze the content of stolen emails, reset credentials and take additional steps to secure Microsoft Azure accounts. While the order applies only to Federal Civilian Executive Branch agencies, CISA warned that other organizations could be affected as well.

For many critics of Microsoft, the events of the past nine months are the logical conclusion for a company that has ridden the wave of market dominance for decades while ignoring years of warnings that its product security and practices failed to meet the most basic standards.

“In a healthy marketplace, these would be fireable offenses,” said AJ Grotto, director of the Program of Geopolitics, Technology and Governance at the Stanford Cyber Policy Center and a former White House director for cyber policy. “Regrettably, the marketplace is far from healthy — Microsoft has the government locked in as a customer, so the government’s options for forcing change at Microsoft are limited, at least in the short term.”

The concern was, and still is, that Microsoft’s security gaps could lead to catastrophic outcomes.

Microsoft needs to dedicate its internal resources towards zero-trust initiatives and make new investments in its infrastructure, according to Karan Sondhi, CTO, public sector at Trellix.

“Currently, Microsoft directs the vast majority of their security investments in revenue generating roles instead of internal security roles,” Sondhi said via email.

Microsoft has a considerable stake in the cloud security space. Not only is Microsoft one of the world’s largest cloud providers, it is also a major security vendor to the enterprise. Microsoft has more than 1 million security customers, with 700,000 using four or more of its security products, CEO Satya Nadella said during the company’s fiscal second quarter conference call in January.

The company generates more than $20 billion in revenue per year from its security business. 

Vulnerable ecosystem

The state-linked activity targeting Microsoft systems also affected other companies that use Microsoft products: Hewlett Packard Enterprise disclosed that it, too, was hit by ongoing activity from the same Russia-backed group, Midnight Blizzard.
