Microsoft's progress one year into its "security reset"

Today: Microsoft reveals its progress toward reorienting the company around security, AWS picks an interesting time for some "routine capacity management," and the latest funding rounds in enterprise tech.


Welcome to Runtime!



Spring cleaning

The conclusion was devastating: Following one of the most significant breaches of government data entrusted to Microsoft's protection, CISA told the public in March 2024 that the attack was the result of "a failure of Microsoft’s organizational controls and governance, and of its corporate culture around security." A month later, Microsoft vowed to repair the reputational damage caused by that attack with a series of engineering and cultural changes.

On Monday Microsoft's Charlie Bell released a new, detailed report outlining the steps the company has taken to harden its systems and train its employees since the release of its first Secure Future Initiative update last September. "Since inception, we’ve dedicated the equivalent of 34,000 engineers working full-time for 11 months to mitigate risks and address the highest priority security tasks," Bell wrote in a blog post summarizing the full report, and it's worth noting that the company hasn't had to deal with a serious security incident since last year's reset.

Several important engineering changes that impact customers have now been completed or are just around the corner. "Out of 28 objectives, 5 are nearing completion, 11 have made significant progress, and we continue to make progress against the rest," the company reported.

  • Microsoft migrated the cryptographic keys — used to authenticate access to Microsoft accounts — to Azure confidential virtual machines and is in the process of doing the same thing for its Entra AD identity-management service, which directly addresses the flaw that led to the attack by hackers believed to be working for the Chinese government in the summer of 2023.
  • Since September the company has eliminated an additional 550,000 "legacy tenants" from its Azure infrastructure, and it has removed nearly 6.3 million outdated systems in total over the last year.
  • Almost every device (99.97% in total) that connects to Microsoft's internal networks has been "logged in a central repository with metadata for lifecycle management," which is much harder than it sounds when operating at the scale of a company like Microsoft.
  • And the company has nearly completed an inventory of all the software assets used to move applications into production as well as its "production infrastructure," which includes hardware assets like networking devices and servers.

Life inside Microsoft has also changed since the initiative kicked off last year. "We have activated our culture to foster a security-first mindset in every employee at every level," Microsoft said in the report.

  • "As of December 2024, every employee had a Security Core Priority and discussed individual impact with their manager during performance check-ins," the company said.
  • Microsoft has installed (but didn't name, strangely) a deputy CISO for its Business Applications group, which includes products like its Power Platform and Dynamics 365.
  • Around 22,000 employees are now using its "Secure by Design UX Toolkit" to build products and services with user experiences that prioritize security.

But Microsoft still faces the inherent tension between strengthening its protection of customer data and growing its enterprise security software business, and that's not something that can get fixed in a year. That security software business could also face a growing threat from Google Cloud should its proposed acquisition of Wiz be allowed to go through.

  • "Insights and learnings from this progress inform ongoing innovations in our Microsoft Security portfolio—Microsoft Entra, Microsoft Defender, and Microsoft Purview—that helps better protect customers and Microsoft," Bell wrote in the blog post, reminding customers that they can get premium protection if they'd like.
  • Several enterprise security services remain available only to customers of Microsoft's E5 bundle, which costs about $20 per user per month more than the basic E3 bundle.
  • Perhaps once Microsoft is done securing its own house, it might turn its attention toward giving customers a more secure-by-default experience in its basic bundles.

Fall back

Five-year projections involving just about anything related to technology tend to age poorly. It's starting to become pretty clear that some of the more bullish projections for data-center construction needed to accommodate the AI boom are going to fall flat.

AWS has now joined Microsoft this year in taking its foot off the gas when it comes to future data-center capacity planning. Wells Fargo said Monday that "AWS has paused a portion of its leasing discussions on the colocation side (particularly international ones)," according to CNBC, although it hasn't canceled any actual building commitments and still plans to increase its computing capacity over the next several years.

AWS's Kevin Miller called that decision "routine capacity management" in a LinkedIn post, and it's certainly true that discussions to build or lease new data centers fall through for all kinds of reasons on a regular basis. However, it's also true that the AI boom is subsiding as adoption moves slower than the hyperscalers expected two years ago, and wild plans made during the frantic early days of that boom are coming back down to earth.


Enterprise funding

Supabase raised $200 million in Series D funding, valuing the open-source web development platform at $2 billion.

Hammerspace scored $100 million in "new strategic growth capital," which it plans to use to expand its data-management platform around the world.

Exaforce landed $75 million in Series A funding for its security software, which security-operations centers use to manage alerts and prioritize responses.

Goodfire raised $50 million in Series A funding as it builds tools to help companies understand how AI models actually work.

Reco scored $25 million in new funding for its SaaS security product, which uses AI to help enterprises find the sprawling number of enterprise software tools running across their infrastructure.


The Runtime roundup

SAP's first-quarter cloud revenue came in slightly under expectations but was still up 26%, and the company maintained its full-year cloud revenue guidance amid the disarray caused by the Trump administration's tariff policies.

AWS Bedrock customers are grumbling about restricted access to Anthropic's APIs, which "suggests AWS doesn’t have enough server capacity for Anthropic usage or is reserving an outsize amount of it for certain large customers," according to The Information.


Thanks for reading — see you Thursday!
