As the reality of remote work spurs more organizations to make the transition to the cloud, Microsoft’s solutions are an increasingly popular choice. The company reached a 20 percent share of the worldwide cloud market for the first time in 2020, with 63 percent of businesses — and 95 percent of the Fortune 500! — running apps on the Microsoft Azure platform. And the SaaS productivity suite Microsoft 365 (M365, formerly Office365 or o365) now sees upwards of 200 million monthly active users.
This ubiquity makes M365 and Azure especially attractive vectors for threat actors. In this blog post, we’ll look at why securing the Microsoft cloud is particularly challenging for the IT teams of small or midsize organizations, offer salient examples of both threats and configurations, and hear from security experts Adam Mansour and Jerry Heinz on the reasons for, and ways to address, these cloud security challenges.
Examples of Microsoft Cloud Compromise
In late 2019, a sophisticated phishing campaign targeted corporate M365 users, giving cybercriminals “full access to a user’s data stored in the cloud without actually stealing the account password” — all through an official Microsoft login page.
In December 2020, Reuters reported that an unusual “cybersecurity advisory” was issued by the U.S. National Security Agency, detailing “how certain Microsoft Azure cloud services may have been compromised by hackers and directing users to lock down their systems.” And in March 2021, hackers compromised the California State Controller’s Office — an agency that administers over $100 billion a year — after a single employee was tricked into inputting their M365 login credentials via a phishing link.
Hasty transitions are part of the problem, but even Microsoft struggles
In April 2020, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an official alert specifically to organizations migrating to the M365 cloud. “Due to the speed of these deployments, organizations may not be fully considering the security configurations of these platforms,” wrote CISA. We have previously written about how the unexpected shift to WFH meant, in many cases, a rushed implementation of tools to support an army of now-remote workers — and these initial hasty solutions have settled in as standard operating procedures.
Even prior to the new challenges posed by the rise of remote work, it’s proven difficult for Microsoft itself to secure its cloud. In 2019, 250 million Microsoft customer service records spanning 14 years were exposed to the internet for nearly a month. The cause for this potentially catastrophic lapse? According to Microsoft’s own blog post, “a change made to the database’s network security group on December 5, 2019, contained misconfigured security rules that enabled exposure of the data.” If even Microsoft struggles with its own cloud security configurations, we can be sure it will be no simple matter for the rest of us.
Impressive flexibility — and potentially endless configurations
Adam Mansour, ActZero’s Head of Sales Engineering, views M365 as a particular challenge to secure for small and midsize enterprises. “Why is M365 such a nightmare? In a word, data. The day you start using M365, you acquire dozens of native apps, and every single one is largely unsecured by default.” M365 enables you to set up an entire data center in just a few moments. There’s a catch, though: to secure all the M365 infrastructure from its default state after you’ve set it up is a massive undertaking. Meanwhile, your whole data center is now facing the internet, and malicious actors can potentially launch attacks at any one of these vectors.
Every organization using M365 also has Azure Active Directory enabled by default — although some are not even aware of it. Azure AD is Microsoft’s cloud-based identity and access management service, allowing employees to access external resources “such as Microsoft 365, the Azure portal, and thousands of other SaaS applications,” along with internal resources “such as apps on your corporate network and intranet.” This is convenient, but also poses considerable risk — the configurations that allow access to these various enterprise apps is poorly understood by many users.
Microsoft’s Azure platform offers far more options than an organization would have traditionally had on-premise. Jerry Heinz, a cloud computing veteran and ActZero’s VP of Engineering, identifies the versatility offered by Azure as a major hurdle to securing it. With over 200 products and cloud services for enterprises looking to further outsource their data centres, there are a “ton of different options and ways to do things,” he says.
Heinz says life has gotten far more complicated for in-house IT, who previously worked with network infrastructure that fit together in predictable ways. “If you go back to the basic architecture of the Windows NT and Windows 2000 days, for the most part, you didn’t have a lot of choices. The building blocks were the same, and an IT admin could train on this. Now you have infinite ways of putting things together.” While there are best practices, Heinz says there is no longer a “one-size-fits-all approach as far as security policy goes.”
The responsibility to protect yourself
Compounding the problem, smaller companies using Microsoft’s vast cloud offerings may not realize the responsibility they bear to protect themselves. “Microsoft does not monitor for or respond to security incidents within the customer’s realm of responsibility. A customer-only security compromise would not be processed as an Azure security incident and would require the customer tenant to manage the response effort,” writes Microsoft. And most breaches are on the customer’s end — Gartner cautions that “through 2025, 99 percent of cloud security failures will be the customer’s fault.”
Learn how to bolster your defenses
We hope you’ve seen that the flexibility offered by these cloud products serves as a double-edged sword and that this behooves you to accept responsibility for the security of your Microsoft cloud, and architect and configure for security first. For a deeper dive into what’s required to architect and configure for security, check out “Securing the Microsoft Cloud from Azure to M365.”
Topic: Cybersecurity Industry