Microsoft's ongoing cloud security problem

Today: how Chinese hackers accessed government emails on Microsoft's cloud servers, the architect of Google's cloud strategy steps down, and this week's enterprise moves.

Microsoft's ongoing cloud security problem
Photo by Matthew Manuel / Unsplash

Welcome to Runtime! Today: how Chinese hackers accessed government emails on Microsoft's cloud servers, the architect of Google's cloud strategy steps down, and this week's enterprise moves.

(Was this email forwarded to you? Sign up here to get Runtime each week.)

Keys to the castle

Microsoft's software has been a target for criminals and spies for decades, given how widely it is used both among regular people and at some of the highest levels of governments around the world. But despite the fact that the company has made security one of its highest priorities for almost as long, it continues to struggle keeping the bad guys out of its cloud services.

This week Microsoft revealed that "a China-based actor" had managed to steal a key used to create multifactor authentication codes and break into Microsoft 365 accounts belonging to around 25 organizations. The U.S. government confirmed that the hackers had undetected access to email accounts used by several departments, including Commerce and State, for a month.

  • It's not clear where they got that key, which is not a thing you might find lying by the side of the information superhighway.
  • Security experts interviewed by Wired suggested that it could have been stolen from an old on-premises Windows Server or, more worryingly, from Microsoft itself.
  • But even if it fell into their laps, the attackers should not have been able to use that specific type of key, which was designed to help protect consumer accounts, to get into separately managed cloud enterprise accounts.
  • An undetected "token validation issue" in Microsoft Azure AD (which is now called Entra for some reason) allowed the attackers access to those accounts, and there's no way of knowing how widely these sophisticated attackers were able to exploit that issue.

This is pretty bad.

  • "We continue to hold the procurement providers of the U.S. government to a high security threshold," a spokesperson for the National Security Council said, which … yikes.
  • The government only detected the intrusion because it had enabled a specific type of event logging that flagged a discrepancy against a baseline of activity, CISA said in a statement.
  • Microsoft said it had mitigated the problem and promised to "(harden) our identity/access platforms to manage evolving risks around keys and tokens," which does not make clear whether Azure AD is still vulnerable in the event another key gets stolen.

The incident once again raises the question of whether cloud providers should charge customers for certain security features that might need to be table stakes in today's world, assuming we continue to expect that hackers are going to hack and that new flaws will be discovered in cloud software.

  • Tension between wanting to keep customers secure and wanting to sell lots of security software exists across all cloud vendors, but it's especially pronounced at Microsoft, which has an enormous enterprise security software business.
  • CISA director Jen Easterley has been pushing vendors to add more default security features ever since the SolarWinds attack hit U.S. government agencies, and those calls will only get stronger now.
  • The event logging software used by the government to detect this breach is, of course, a "Premium" feature in Microsoft Purview, and if you're already a Microsoft customer there are strong cost incentives to use its security software.
  • "CISA and FBI are not aware of other audit logs or events that would have detected this activity," according to CISA.

As Microsoft pushes all of its chips into generative AI while laying off thousands of staffers, maybe it's time to get back to basics.

  • The billions of dollars it has invested in generative AI may well set it up to dominate the next chapter of enterprise software, but not if existing customers start to wonder if they're getting what they're paying for from Microsoft.
  • “If you have a platform that generates billions of dollars in revenue, and promises security, and under-delivers — you can move some of those dollars into doing more security,” Orca Security's Yoav Alon told my former colleague Kyle Alspach last year.
  • Despite well-documented security problems across Microsoft Azure over the last several years, the situation does not seem to be improving.
  • “You’re handing over the keys to the kingdom to Microsoft,” said Jake Williams, a security expert interviewed by Wired. “If your organization is not comfortable with that now, you don’t have good options.”

End of an era

CNBC reported this week that Urs Hölzle, one of the original Googlers who played a key role in its development as a cloud company, is stepping down from his leadership position at Google Cloud. He'll remain at Google but will no longer be managing Google Cloud's infrastructure teams, which are charged with updating, expanding, and maintaining the enterprise infrastructure he more or less built from scratch.

Hölzle helped establish Google Cloud at a time when Google wasn't taken very seriously as an enterprise company. One could argue that period still exists, but it was Hölzle that dragged Google into the cloud infrastructure business, which is now the fastest growing segment of Alphabet's massive operation.

But he also oversaw a culture that seemed based more around imposing Google's view of the cloud on its customers than actually working with those customers on solving their problems, which current CEO Thomas Kurian was hired to correct. After Kelsey Hightower retired last month, Google Cloud has now lost two of its most visible leaders in short order.

Enterprise moves

Raejeanne Skillern is the new chief marketing officer at AWS, after a long career in enterprise marketing at Intel.

Rob Enslin is now the sole CEO of UiPath, a little over a year after joining the company as co-CEO from Google Cloud.

Daniel Lereya is the new chief product and technology officer at, following seven years at the enterprise management software company in product leadership roles.

Phil Guido is now chief commercial officer at AMD, where he'll try and expand AMD's enterprise position following 26 years at IBM.

The Runtime roundup

On top of everything else, Microsoft disclosed a zero-day vulnerability in Office this week that was used to target attendees of the NATO Summit.

The CNCF announced that Istio, an open-source service mesh project that arrived at the foundation by following a very windy path, has reached a level of maturity it describes as "graduated."

Akamai added five new cloud computing regions to its worldwide network, as it hopes to challenge the Big Three in cloud infrastructure services.

The U.K. is going to take a very close look at Adobe's proposed $20 billion acquisition of Figma following concerns "the deal could lead to less choice for designers of digital apps, websites and other products," according to Reuters.

Thanks for reading — see you Saturday!

Great! You’ve successfully signed up.

Welcome back! You've successfully signed in.

You've successfully subscribed to Runtime.

Success! Check your email for magic link to sign-in.

Success! Your billing info has been updated.

Your billing was not updated.