Microsoft Chief Executive Officer Satya Nadella took Washington, D.C., by storm Tuesday and detailed the software giant’s rapid transformation from being the target of choice for hackers because of poor security and coding practices to becoming one of the computing world’s leading information security and cyber intelligence firms.
The distinction is an important one for the Redmond, Wash.-based company, as it competes with the likes of Amazon and Google for a share of the growing multibillion-dollar Federal cloud computing market, where concerns about data security are driving many of the key spending decisions agencies face. And at a time when repeated massive data breaches have shaken the confidence that many officials may have had in the ability of the cloud to provide enough security for mission-critical and private data, Nadella seems to have orchestrated a fundamental restructuring and rebranding of Microsoft as a trusted service provider.
“Trust is at the core of this. Customers are not going to use this technology if they can’t trust it. And that’s why trust for us is central,” Nadella told a packed crowd of government and industry information technology professionals who gathered in Washington, D.C., to attend Microsoft’s Government Cloud Forum.
Nadella described what he called “a principled approach” to security and trust. “We have four pillars to this. When it comes to privacy, we will ensure your data is private and is under your control. When it comes to compliance, we will manage your data in accordance with the law of the land. We will also be transparent about both the collection of data and the uses of data,” he said. “And lastly, we will ensure that all your data is secure.”
He pointed to 2015 as a “tough year” for cybersecurity, noting that the top eight data breaches have accounted for more than 160 million data records being compromised at the cost of about $3 trillion in market value. But he also pointed out that Microsoft now spends more than $1 billion a year on research and development of security for its mainstream products—Windows, Office, and Azure.
One of the biggest challenges facing all organizations is the time it takes to detect an intrusion, Nadella said. “It’s something like 229 days between when you have been intruded versus when you know and you can start to respond,” he said.
Microsoft’s strategy is being driven by its unique perspective of what is taking place in cyberspace. The company processes 300 billion user authentications each month, updates a billion Windows devices, and analyzes 200 billion emails as part of the Office 365 service for spam and malware.
“All of this has helped us develop a very different security posture inside of Microsoft,” Nadella said. “But with this changing environment, it’s no longer about our code and the threat modeling and the testing. But it is, in fact, about the operational security posture that we have in this constantly evolving environment. Everything from sensors to data centers is part of your environment that you need to protect. The operational security posture to me is where it all starts.”
As a result, threat detection has morphed into a behavioral approach to security. And response is the area currently undergoing what Nadella characterized as a “sea change” toward an “as-a-service” model. And the shift is even happening with Windows. “We think of Windows as a service so that we can ensure both compatibility and security of Windows endpoints continuously,” Nadella said.
At the end of the day, the new Microsoft strategy boils down to three key areas—platform, intelligence, and partners.
“The first is building out a comprehensive platform for you to be able to run that loop from protection to detection to response,” said Nadella. “Second, we complement that with this intelligence fabric that we have and this operational security posture that we have, as well as a set of proactive and reactive services that we will have in the field, so that we can help secure your environment on a continuous basis. And lastly, it is about partnering broadly.”
Nadella said he sits in security review meetings every month during which the company looks at all of the security incidents that have been reported. “In fact, every time there is an incident when I call the CEO of the company that has had the issue, I ask two questions: How can we help? And what can we learn?”
Julia White, general manager of product marketing for Microsoft Office, provided a live demonstration of some of Microsoft’s noteworthy security enhancements. One of the first and foremost developments was a method of replacing passwords with device-based biometrics. The solution to identity theft “is to move away from passwords completely,” White said. But up until this point organizations have only really had the choice of smart cards or other similar types of technology, which can be costly and complex to deploy.
“Now, with Windows 10 Passport, we’ve addressed this issue by giving you smart-card level of…capability…but using the device as the first factor of authentication,” White said. “And the second can be biometrics using Windows Hello, and that can be fingerprint, facial, or iris. This is not just a front-end to your password…this is actually a password replacement.”
Azure Active Directory also enables stronger identity management around Software-as-a-Service applications. “It enables single sign-on to over 2,500 pre-integrated SaaS applications, as well as lets you integrate any of your existing applications,” according to White. “It lets you preconfigure apps to require multifactor authentication or you can determine it based on the user, the app type or even the device health.”
On the malware front, Office 365 is not only looking for known malware but is also on the lookout for so-called zero-day attacks involving unknown malware. Microsoft’s Outlook actually takes malicious links in emails and puts them into something the company calls a “detonation chamber” to conduct analysis on them.
Windows 10 has also taken what White characterized as a “generational step” forward in protecting users from downloading malware through the Web using something called Device Guard. “We’ve actually leveraged the latest in virtualization technology…to stop hackers from being able to run malware even if they’ve gained admin-level control of the machine,” she said.
“With Windows 10, we’re literally ending pass the hash,” White said, referring to a technique that lets attackers move laterally across an organization, using one compromised machine to compromise other systems on the network. Microsoft’s Credential Guard provides this protection, White said.
“For the first time, we’re using hardware-based virtualization to isolate the most critical Windows services, such as authentication,” she said. “With this new isolation-based architecture, sensitive Windows processes are secured using credentials that are defended from hackers. That’s preventing a pass-the-hash attack.”
One of the key developments as far as Nadella is concerned, however, is the development of a new control plane in Azure Enterprise Mobility Suite. “We brought together a new control plane which brings identity management, device management, and data protection together,” he said. “Because that control plane becomes critical in handling accidental data loss, conditional data access, [and] conditional application access.”
Microsoft has also taken its renewed commitment to security to heart in its organizational structure. Traditionally, Microsoft has run a Digital Crimes Unit that has worked directly with law enforcement to help investigate cyber crimes, botnets, and online crimes against children. But now the company is taking a more integrated, holistic approach to fighting cyber crime.
“Now we’re bringing together the operational security people across our company, people running everything from Xbox Live to Office 365 to Azure to Windows Update to Windows Defender, and bringing them together in one operational center,” Nadella said. “We call it the Cyber Defense Operations Center. So this is like for any intelligence operation so we don’t have silos. We actually have people who in real time can actually connect the dots between what’s happening across all of these services.”