Remarkably, sixteen years have passed since Bill Gates wrote the following words to his team at Microsoft: “Trustworthy computing is the highest priority for all the work we are doing. We must lead the industry to a whole new level of trustworthiness in computing.” His now-famous memo reflected not only the software bugs that Redmond had been suffering to date, but it also foretold problems just around the corner in the guise of Blaster, Nachi, Sasser, and the like.
Now, most of you reading these words will be happy to fill in the blanks on what has occurred since, and I would expect to see more positive than negative reviews. Microsoft’s auto-update, for example, was one of the most significant contributions to improved global desktop security – perhaps ever. It ensured, for instance, that Microsoft Security Bulletin MS 17-01 was auto-installed, and the result was proactive mitigation of WannaCry.
During these past two weeks, the cyber security evangelist team at Microsoft was kind enough to spend multiple lengthy sessions with me, explaining the company’s progress in the cyber security arena. They quietly endured my incessant and annoying nit-picking (yea, I know) about every this-and-that. But in the end, thanks to their kind and friendly patience, I now have a pretty good idea of their progress and approach – and I’m here to summarize what I learned for you.
First, we should recognize the magnitude of their security investment: Since 2002, Microsoft has spent a mind-blowing $15B in security research and development. To put this massive number in context, it’s about a quarter of what T-Mobile has spent in capital on its entire network during the same period. So, say what you will about Microsoft, but they’ve put their money behind their leadership’s guidance – and they deserve considerable credit for this.
Most of you will be familiar with some innovations resulting from this investment. The Microsoft Security Development Lifecycle (SDL) and Operational Security Assurance (OSA) programs, for example, are about as close to industry standards as any corporate initiative could ever become. Most CISOs will punt at the notion of creating a local security methodology for their SDLC, opting instead to download the truckload of materials Microsoft posts on their website.
But the big news for me was the amazing new portfolio of products that Microsoft provides for customers. The coverage looked so comprehensive that the company has reached a level that only a few large providers could ever reasonably target. That is, Microsoft has developed one of the industry’s few legitimate cyber security platforms. And with their intense focus on cloud, this protection platform is going to naturally expand into hybrid enterprise architectures.
“The Microsoft security platform,” explained Sean Sweeney, one of the experts from the Microsoft security team, “is designed specifically to deal with enterprise transformation in four areas – shift to hybrid cloud, expanded use of mobility, pervasive introduction of IoT, and an increasingly hostile threat environment. Each of these enterprise factors drives the security solutions we offer our customers.”
Let’s go through each one-by-one: First, you might be surprised to know that Microsoft is the undisputed leader in cloud computing, with a whopping $16.7B in annual revenue, according to a recent Forbes article. That’s a lot of cloud dollars. And with it comes the company’s commitment to support the enterprise security community’s number one impediment to a smooth transition to cloud. And no, I don’t mean compliance: I mean Active Directory.
With its support for AD transition to the cloud, Microsoft positions itself to dominate one of the most important aspects of cyber security – one that continues to nag enterprise CISO teams still hiding behind their firewall: IAM. “One of the pillars of our security solution approach involves a new identity-based perimeter that extends from the perimeter into the virtual Azure cloud,” explained Sweeney. “We see IAM as an incredible opportunity to leverage our platform.”
There is no doubt in my mind that with its leading position in cloud computing and its underlying attention to trustworthy computing, Microsoft can hit a grand slam virtualizing security across a hybrid cloud architecture with AD serving as a flexible base of operation. This is a business advantage I am certain Microsoft competitors will lament, but it is also a security feature that I believe Microsoft enterprise customers will love.
The second area Sweeney mentioned in the Microsoft platform involved mobility. I found it interesting that the team was ready to accept that mobile device usage in the enterprise was pervasive, ubiquitous, and more than likely dominated by other manufacturers. Their diagrams positioned mobility as providing essential endpoint access in the evolving enterprise. Identity-based perimeters, for example, were depicted as being accessed from both PCs and mobile devices.
As mentioned above, Microsoft sees IAM as a natural area of adjacency to its existing product support. The degree to which mobility, hybrid cloud, and IAM are properly integrated in their security solutions will determine how successful they are. “We see identity and access management as a core area of focus for our product solutions, including for mobility,” explained Mandana Javaheri, one of Microsoft’s expert security leaders.
The third area of platform support involved IoT devices. We spent less time on this, but it was clear that as enterprise computing evolves to a more eclectic and varied mix of endpoint devices, the cyber security controls embedded in the Microsoft platform will provide advanced identity, threat management, and security management for IoT. The team showed me an eye-popping logo chart of their major customers, and it included a who’s who of IoT and OT companies.
The cyber threat management focus inherent in the Microsoft story exemplifies how the company might leverage its strengths in IoT. Take OT-based control systems, for instance. Increasingly, these industrial systems are being subjected to intense nation-state threats. Microsoft’s insights into IT-based threat management will easily extrapolate into OT-based protections for these critical industrial control systems across the world.
The final area Microsoft referenced as influencing their platform is the increasingly hostile threat environment enterprise CISOs must endure, including from nation-states. We all agreed that lateral traversal by capable actors is a ground zero technique preferred by capable intruders. “Strengthening controls across the entire hybrid cloud architectures allows our customers to create more secure means for stop these advanced cross-enterprise lateral threats,” said Sweeney.
Sweeney showed me a wonderful means for incorporating threat-related information into an ROI calculation that Microsoft shares with its customers. The quantitative model ingests the usual types of threat, asset, and priority inputs, and produces recommendations that help determine optimal security actions. “Measuring security ROI is one of the great challenges our customers deal with today,” Sweeney said. “Our goal is to help maximize their investment.”
In the end, the point that stuck out most in my mind from my time with Microsoft was this: You are already doing business with Microsoft. You already have a contract with them. You are already dependent on them for your most critical applications. And you have experienced their ups and downs – and more recently, this has been more up than down. So, to view Microsoft as offering a platform base on which to build your security architecture seems natural.
With their wise decision to focus so much time and effort on their Azure offering, Microsoft positions itself as a future-proofed partner for any enterprise looking to extend their perimeter boundaries to virtual. And having the ability to tailor cloud-resident instances of killer apps such as AD doesn’t hurt. Getting AD right in the cloud might be one of the most urgent actions an enterprise security team can make – and who better than Microsoft to help.
My advice is that you should take a closer look at Microsoft’s security products. The full list of products was too long to repeat in this article, so you should invest the private time to go through them. I suspect that after consideration, you are likely to find that sixteen years after Mr. Gates’ memo, his company has not only come a long way in security, but could arguably be positioned as offering the most desirable overall protection platform in the enterprise space.