Skip to main content

The old adage used to be that “all publicity is good publicity,” but I’m not sure the folks in Redmond, Washington would agree. The Microsoft Corporation has been under fire in the past few weeks after a series of security incidents exposed sensitive data – most significantly the data of high-ranking United States officials, including a cabinet secretary.

Due to these high–profile events, the Cyber Safety Review Board (CSRB) – a group sponsored by the Department of Homeland Security including experts from both the industry and government – issued a scathing report in response. This report states that Microsoft’s “security culture was inadequate and requires an overhaul.”

If you are a small business owner that relies on Microsoft for a significant portion of their technology stack, this could lead you to ask the question – “should I trust and continue to use Microsoft?”

As a security practitioner, my answer would be yes, but with some caveats.

Let’s address some of the issues and challenges that stem from this very question. The first of these issues is that, realistically, there are only two major players in the cloud productivity application space – Microsoft and Google. While Google outpaces Microsoft in worldwide usage (50% for Google, 45% for Microsoft), it is reported that Microsoft holds a whopping 85% share of the U.S. government productivity software market.

Willie Sutton, a notorious bank robber of the early half of the 1900s, was once asked by a reporter why he robs banks. His answer was simple – “Because that’s where the money is.” The same thought process holds true for individuals and groups performing cyberattacks. Microsoft cloud systems are heavily attacked because of their widespread popularity. With over 345 million paid seats in use, it’s a juicy target – whether this be for the “casual” attacker, or the determined nation-state sponsored groups.

It needs to be said that there is no perfect security solution for any product or technology, but there are a few areas where Microsoft needs to take responsibility and make changes. The most significant of these attacks – the one performed by the group called Storm-0558 – was initially started by the threat actors gaining access to a Microsoft Services Account key that allowed the attackers to forge tokens that granted access to hosted mailboxes. To date, Microsoft has never fully explained how this key was obtained by the Storm-0558 group.

This is a huge concern because one of two things is true; either Microsoft doesn’t know how this key was compromised, or they do know but aren’t sharing what’s being done to protect these keys going forward.

The other big thing that Microsoft needs to address is the default security posture of its products. Every software vendor since the beginning of time has had to strike that balance between usability and security, figuring out how much “pain” they are going to inflict upon their customers by enforcing security standards such as multifactor authentication (MFA) by default.

Sadly, it typically takes a significant security event to cause a software vendor to make this type of shift. By default, Microsoft and all other major software vendors should adopt a “secure by default” configuration that requires a minimum set of security standards to be in place. To be fair, Microsoft (and others) have come a long way in the past five years, but the fact that less than 40% of Microsoft cloud accounts are protected by MFA shows that there is still a long way to go.

Additionally, the necessary security tools and configuration options should be included in the base license models and not seen by Microsoft and other vendors as an “add-on” option. The ability to set up proper logging for security monitoring and to establish things like conditional access should be base features included in the product, not something that a customer has to decide to do (if they are even advised to do it by their technology partner in the first place). To Microsoft’s credit, they did change their stance on this and now include a higher level of logging as a part of their base offerings.

Lastly, the managed services provider (MSP) community needs to do better. Our clients collectively look to us for guidance on what to do, and they count on our best practices to help keep them safe. As a community, we need to do a better job of educating our customers and making sure their systems are safe. We have the insight and the collective knowledge to make a difference – we need to use that power. We also need to hold our technology partners accountable and push for the things that our clients need to keep them safe.

In the end, I’m still a big believer in Microsoft and cloud-based systems as a whole. No systems are foolproof, every system has its weak points and new weaknesses crop up every day. Microsoft needs to make sure they are protecting all the information entrusted to them, and we as a partner community need to help keep our client’s data safe.

Navigating Microsoft’s security landscape can be complex, but you don’t have to do it alone. As a Microsoft Solution Partner, our team is equipped with the expertise and resources to support and guide you through the proper security reviews, ensuring your Microsoft solutions are robust and reliable. With our comprehensive approach, we’re here to help you maintain a secure and compliant environment. Reach out to us for a partnership that empowers your security strategy and leverages the full potential of Microsoft technologies.

Tim Weber Profile Picture
Tim Weber,
VP Channel Growth, Cyber74.