The PivotNine Blog

Microsoft Cloud Security Needs Work

07 August 2023
Justin Warren

Microsoft is starting to discover that being a major player in cloud is a two-edged sword.

On the one hand, you can make lots of money by being one of the few players in a concentrated market. Microsoft has had lots of practice doing that.

But cloud isn't just a concentrated market, it's also a concentrated technology. There aren't many clouds, and each of them is built in a particular way. The economies of scale that make cloud so profitable also make each cloud pretty homogeneous. That's part of what customers like: Azure is Azure everywhere.

When Microsoft improves Azure, or Microsoft 365, everyone using the platform gets those improvements. Yay! Unfortunately, when there's a flaw in Microsoft 365, everyone using it gets that flaw, too, as US government customers discovered recently.

For systems that customers deploy themselves, Microsoft is able to avoid at least some responsibility because customers tune and configure systems themselves. If you can avoid applying a patch, then it's hard to say that Microsoft is responsible if you get hit by something that exploits a flaw that the patch would have fixed.

But part of why customers choose the cloud is so someone else does the patching for them. They want someone else managing the platform for them. They expect that the cloud provider is better placed, and better resourced, to keep things functioning and secure. That is seen as the provider's responsibility, and why not, given that customers can't really do anything about how the cloud functions?

So when things go wrong, customers are right to hold the cloud provider to account. If a bank gets robbed, we certainly blame the robbers, but we also ask questions about how well the bank secures the vault. Leaving pallets of cash on the loading dock would be seen as negligent and reckless. What expectations should we have of those we entrust with our digital valuables?

The US government appears to be thinking that the liability for security should rest more with those with the ability to do something about it, and rightly so. In its cybersecurity strategy released earlier this year (discussed in issue 34 of The Crux) it stated that:

Microsoft doesn't appear to be sufficiently ready for this new reality. It has long been able to dodge responsibility for flaws in its commercial products because software has not been held to the same product liability standards as physical goods. But this attitude is changing. The EU is moving rapidly to bring software and services into the embrace of product liability laws. The US seems poised to follow suit.

It's been over 20 years since Microsoft last had to perform an about-face on security, and it seems to me that Bill Gates needs to write another email.

Unless they want to give all that cloud money back?