Following a series of serious security incidents, including the Microsoft Cloud, the Redmond-based giant now wants to turn things around. Security is now "above all else", they say, and a "Secure Future Initiative" has been launched at Microsoft. There have already been signs of this for a few days. But now it's all officially announced on the web. Time for a few defeatist thoughts on this topic and on Microsoft.
A non-stop security disaster
Microsoft is in a state of chaos when it comes to security. There was the Storm-0558 hack, where attackers were able to access Microsoft's cloud and mail accounts of US government agencies (see China hacker (Storm-0558) accessed Outlook accounts in Microsoft's cloud) and where Redmond still doesn't know how this could have happened. There was access by the Russian hacker group Midnight Blizzard (see Microsoft confirms: Russian spies (Midnight Blizzard) stole source code while accessing systems), where Microsoft still doesn't know if the attackers weren't still spying on its own networks. And there have been other incidents – as well as investigations by official bodies.
Cybersecurity at Microsoft; Source: Crono Viento Pexels, free use
All investigations resulted in serious accusations against Microsoft (see Microsoft slammed for a cascade of faults that leads to Storm-0558 cloud hack), which was accused of serious failings in terms of cyber security. It's now an open secret that many products are lousy in terms of security. You can put it in a nutshell: As a customer and affected party, "you could puke in a jet" – and Microsoft stonewalled and obfuscated with every incident.
The security initiative
It has been apparent for weeks: Microsoft is slowly losing customers, the authorities are on Redmond's case because of its lax security culture, and business is threatening to collapse. Only the monopoly position and the "there is no alternative to Microsoft" attitude are preventing Redmond from immediately sinking into insignificance and going under.
Recently, Microsoft's top boss, Satya Nadella, told analysts that from now on the company would prioritize "security". The US site Axios picked up on this at the end of April 2024 in the article Microsoft "doubling down" on cybersecurity.
Now Charlie Bell, Executive Vice President, Microsoft Security, has definitively announced Microsoft's "pivot to the Secure Future Initiative" in a tweet and in this blog post. The aforementioned Secure Future Initiative (SFI) has been in place since November 2023 and brings together all areas of Microsoft to improve cybersecurity protection in our company and our products, according to Bell.
It is an indirect admission that the security of Microsoft's products and services is not in good shape. According to Bell, the threat landscape has evolved rapidly and the people at Microsoft have learned a lot. The recent findings of the Department of Homeland Security's Cyber Safety Review Board (CSRB) in relation to the Storm-0558 cyberattack last July and the Midnight Blizzard attack (disclosed in January 2024) underline, he says, the severity of the threats facing the company and its customers. It's pure Microsoft speak – the problems were caused by the evil world out there in the last few months – we're not to blame.
Microsoft plays a central role in the world's digital ecosystem, so the realization goes. This goes hand in hand with a great responsibility to create and maintain trust. Microsoft must and will do more, which is why security will be made a top priority at Microsoft. Security comes before everything else – that was one of the central demands of the Cyber Safety Review Board (CSRB) of the Department of Homeland Security (see Microsoft slammed for a cascade of faults that leads to Storm-0558 cloud hack). If you "translate" this statement, you read the reverse conclusion as "we didn't give a damn about security until now, the main thing was to keep the money rolling in".
In the article, Microsoft's head of security explains what the company wants to do to improve and guarantee security in products and services in the future. The Secure Future Initiative pillars and security goals are to be introduced at Microsoft, and part of the remuneration of the company's senior leadership team is to be dependent on progress in fulfilling various security plans and milestones. The "Security credo a la Microsoft" has been invented for this purpose:
- Security by design: When developing a product or service, security comes first. I've been hearing that saying for years.
- Secure by default: Security measures are activated and enforced by default, require no additional effort and are not optional. I've also been hearing and reading about "secure by default" for as long as I can remember when it comes to computer security.
- Secure operation: Security controls and monitoring are continuously improved to counter current and future threats. I think the "secure operation" item is nice wording on paper – they are improving their security controls and monitoring – but we will have to wait and see what the result is.
I just read on Bloomberg that Microsoft is adding Chief Information Security Officers to its product groups, but refuses to name the people taking the job. Only Ann Johnson, who has worked in Microsoft's security division since 2015, has been named: she has been appointed deputy CISO for customer care and regulated industries. Johnson's role will focus on "customer engagement and communications about Microsoft's own security".
It sounds as if the head of Microsoft, Satya Nadella, is trying to turn the ship around at the last second before it runs aground on a cliff. It is quite possible that things will change slightly for the better; Mr. Nadella has no other chance if he does not want to be catapulted from the CEO's chair. After all, the man has been there for ten years and has prescribed the credo "Mobile first, Cloud first" as a cultural change at Microsoft. Now you can see what has become of it – fishmongers know the saying "the fish rots from the head".
My 2 cents
In terms of improving the security culture at Microsoft, I'm really keeping my fingers crossed at this point that they make exponential progress – because the security flaws fall at the feet of us all! However, I'm skeptical that much will really change substantially, and I'd like to justify that.
- Microsoft is sitting on a bag of products that are weak in terms of security and have been sloppily developed for years, mainly driven by marketing. The products will continue to be used by customers and cannot simply be scrapped in order to redo everything. Nobody knows exactly what has already been compromised.
- Microsoft is a large company with more than 100,000 employees worldwide. What has been decreed is nothing more than a cultural change in which no stone can be left unturned. I recall that when Mr. Nadella took office, the quality assurance department was dissolved because "the developers can do the little bit of testing themselves". The result can be seen a decade later.
On the latter point of cultural change, I remember my last days at my previous employer (over 30 years ago) – a company with around 30,000 employees. There, too, "strategy changes were imposed non-stop" by the board and management. A colleague once vividly described the situation in a management and strategy seminar: "Our company is like a big brontosaurus in full swing, you can certainly tighten the reins and prescribe a course to the left. The thin head will also swivel to the left, but the massive body will simply run straight ahead." He was right – I remember that this company (which no longer exists today) couldn't do even the simplest things that would have been "unscheduled". And Microsoft is several times the size of the organization.
If I think back over the last 40 years, it looks bad. For as long as I can remember, Microsoft has managed to sell people extremely bad products, many of which they don't even have yet, and then to bring them onto the market piece by piece as patchwork. And whenever a product (such as Windows 7 or Office 2000) was halfway good, there was always a smart guy at Microsoft who axed the whole thing so that something "much better" could be launched. From my point of view as an external observer, this has not improved in the last ten years.
And so, at the end of the day, I realized that I cannot deny my roots. I am a farmer's son, and in my early youth I often walked across the meadows where our cows grazed. There were really thick cow pats on which the flies would sit in summer. And if you weren't careful and stepped on one of those pats with your boot, you got the shit on your feet and couldn't get it off. Why is the saying "A million flies can't be wrong, but call it what you like, it's still bullshit" going through my head at the moment? I'm still thinking about it – maybe I'll have the explanation when Microsoft has got to grips with security at some point.
Similar articles:
China hacker (Storm-0558) accessed Outlook accounts in Microsoft's cloud
Follow-up to the Storm-0558 cloud hack: Microsoft is still in the dark
After CISA report on Storm-0558 hack, Microsoft provides customers with enhanced cloud logging
Stolen AAD key allowed (Storm-0558) wide-ranging access to Microsoft cloud services
Microsoft's Storm-0558 cloud hack: US senator among the victims
Microsoft's Storm-0558 cloud hack: MSA key comes from Windows crash dump of a PC
Microsoft extends Purview logging (after Storm-0558 hack)
Microsoft as a Security Risk? U.S. senator calls for Microsoft to be held accountable over Azure cloud hack– Part 1
Microsoft as a Security Risk? Azure vulnerability unpatched since March 2023, heavy criticism from Tenable – Part 2
Microsoft hacked by Russian Midnight Blizzard; emails exfiltrated since Nov. 2023
Hewlett Packard Enterprise (HPE) hacked by Midnight Blizzard since May 2023
Microsoft confirms: Russian spies (Midnight Blizzard) stole source code while accessing systems
Microsoft slammed for a cascade of faults that leads to Storm-0558 cloud hack
A 'secure future' is MS code for 'let's make even more money' by declaring less recent hardware obsolete.