Comment: New Leadership Amidst Microsoft’s Identity Crisis

Photo credit: dimitris_k/

Microsoft, the Washington-based software giant, reigned supreme for many years in the throes of Silicon Valley competition. However, as competitors have stepped up and the industry has been flooded with VC-adorned startups, Bill Gates’ company somehow has come to be perceived as the born-again underdog in the tech world.

The internal promotion of previous executive vice president, Satya Nadella, came with many questions. Although Nadella undoubtedly brings a tremendous amount of experience to the CEO role, he’s also an insider, which may make it more difficult to reach important decisions that differ from the current established views of Microsoft’s trajectory. Like Bill Gates, Nadella has made it clear that Microsoft needs to be hungry and act like a startup again because the company is at an important crossroads – the intersection of a new way of delivering technology amidst a generational shift in IT security threats. During his time, Bill Gates rose to the occasion and transformed Microsoft by embracing security. Will Nadella be able to do the same?

Recently, Microsoft shared with Infosecurity its recollections about a previous era of uncertainty, highlighting the early 2000s when it was the target of persistent, whack-a-mole-like bugs. Infamously, in two weeks Code Red spread to vast numbers of computers worldwide. These experiences ultimately prompted Bill Gates to transform Microsoft from a software company to a software and security company – a shift that, arguably, saved the business from ruins. Back then, Microsoft’s software was the epitome of vulnerability. Today, the company’s commitment to security is well understood, “Trustworthy Computing” is accepted and “Patch Tuesdays” are a regular part of operational practice. Microsoft overhauled its practices and code base with security in mind, and came out on top.

Fast-forward a decade, and the advent of ‘the cloud’ has completely changed the way IT services are delivered. Previously, everything was kept on-premise. Today, we outsource. Remote data centers make everything manageable externally and deliverable through the internet. As such, Microsoft is experiencing an identity crisis as a company that once thrived on software sales. Now it faces a world that increasingly accesses software through hosted environments ‘as-a-service.’

This is also the troublesome side of the cloud. We’ve given up control of our data and information assets to free ourselves of the burden of managing them, and there are immense risks associated with this practice.

Today’s security issues come in a different form and are no longer the same network issues that we grew accustomed to. In cloud computing, many of the traditional security items are already built into the cloud or can readily be built in, integrated into the service offering. The new risks we face emanate from concerns over data ownership and control, governance, residency/sovereignty, and compliance. These issues did not exist in the same way in the old IT world.

These new security concerns share a common element – that of data residing in third-party providers’ cloud environments. As one of the largest cloud providers in the market, Microsoft, and Nadella, will have to answer to users (and the world, which is watching) about not only exactly how they are securing data against the traditional threats, but also precisely and clearly what the company will do with their customers’ data.

Committing publicly not to view, mine or disclose customer data is a noble, but ultimately unreliable assurance for most. First, management can change policies in the future. There are groups within Microsoft that believe mining customer data will provide value to customers as well as to the company.

Even if Microsoft management remains true to its word of not mining customer data, the promises and seemingly reliable commitments of a cloud provider to protect the confidentiality and privacy of its customers’ data cannot be counted upon. We know that when governments around the world inevitably come knocking with court orders, cloud providers, Microsoft included, have no choice but to turn data over, regardless of whether it is privileged or relevant. Recently, former secure email provider Lavabit lost its court appeal. Lavabit’s argument against turning over encryption keys, which would expose hundreds of thousands of customers’ data when the government was pursuing a single individual, was overshadowed by the government’s need to gain timely access to the data. This case has set a precedent for what we can expect in the future.

We are currently amidst a heightened public discourse to determine how these concerns affecting nations, businesses and individuals – and who ultimately owns the data – will be settled.

While society is debating these matters, technology can provide some of the answer. Newly available technology – specifically, encryption-in-use – can address these new security concerns, enabling businesses to maintain the control, governance, sovereignty, and compliance of their data. The promise of the cloud and the accompanying willingness of businesses to put their data in third-party environments leads directly to the need to encrypt data in all three states: in transit, in use, and at rest before sending it to the cloud – and the need for businesses to hold on to the encryption keys directly. When businesses do these things, cloud providers such as Microsoft have no ability to view, mine or disclose their data.

Bill Gates positioned Microsoft for years of growth as a result of his monumental decision to transform Microsoft and take on security. In doing so, he did what was in the best interest of the company’s customers despite some internal protests. In the age of Software-as-a-Service and data ownership and control issues, Microsoft should encourage its customers to encrypt their data in use, as well as in transit and at rest, and to hold on to the encryption keys directly. Many entrenched interests at Microsoft will disapprove of such a decision. Nevertheless, like Bill Gates before him, Satya Nadella must put the customer first while restructuring a modern Microsoft to take on the next decade.

Elad Yoran is chairman and CEO of cloud encryption company Vaultive. His entrepreneurial experience includes Riptech, provider of managed security services to governments and Fortune 500 corporations, which was acquired by Symantec; Sentrigo, provider of database security recently acquired by McAfee; and MediaSentry, a provider of anti-piracy technology solutions to the motion picture, music and software industries, acquired by SafeNet. Yoran, a cloud encryption expert and Cloud Security Alliance board member, has been recognized as “Entrepreneur of the Year” by Ernst & Young.
