The firm's principal cyber-security strategist Jeff Jones was presenting at the IP Expo Europe exhibition in London on Thursday, where he suggested that the leaks from NSA whistleblower Edward Snowden had impacted the Redmond technology giant and the cloud computing market as a whole.
The firm claims to offer more than 200 cloud service products but has been in the headlines for all the wrong reasons over the last 18 months; first over claims that SkyDrive was continually tapped by the NSA, and then over the US DOJ decision that the government could view information held at its non-US data centres.
“Beginning on 7 March 2013, Prism now collects Microsoft SkyDrive data as part of Prism's standard Store Communications collection package for a tasked FISA Amendments Act Section 702 [FAA702] sector”, revealed a presentation slide released by American journalist Glenn Greenwald in his ‘No Place To Hide’ book.
Microsoft is unlikely to have been alone as trust in the cloud took a nose-dive – Forrester researchers estimate that the scandal could cost the cloud computing industry up to £112 billion over the next three years while a study from NTT Communications indicates that almost 90 percent of IT managers have changed the way they use the cloud since. The same study claims that 16 percent delayed or cancelled their contracts with their providers.
Speaking at the event in London yesterday, Jones admitted that the leaks had hurt the software provider as well as damaged trust in the cloud.
“I talk to a lot of business customers, and part of my takeaway on this is that, in some ways, there is nothing new there,” he said of the reports into government spying. “What we see is a change in prioritisation, a higher awareness, and now we're seeing more [security] incidents that are actually happening.”
He then suggested that the leaks had ‘affected’ cloud in the enterprise, as well as the company's own ambitions in this area, before adding that the growing distrust in the cloud had come at a time when ‘perceptual concerns’ around cloud security were dissipating on deployment.
Microsoft's big year for security
As a result, Microsoft says it has spent the last year making efforts to ensure that its cloud products – which include Azure, Dynamics CRM, Office 365, SkyDrive and OneNote – are more security- and privacy-friendly, and that the firm is transparent about the data requests it receives from governments.
“Many of our customers have serious concerns about government surveillance of the internet,” wrote Brad Smith, general counsel and executive VP of legal and corporate affairs at Microsoft, in a blog post at the end of last year.
“We share their concerns. That's why we are taking steps to ensure governments use legal process rather than technological brute force to access customer data,” he added.
The Silicon Valley giant promised at the time that it would expand encryption at rest and in transit across all services by the end of the 2014 financial year, including using ‘best-in-class industry cryptography’ such as Perfect Forward Secrecy and 2048-bit key lengths.
Office 365 now supports end-to-end encryption, and Microsoft says that ‘in some cases’ content stored with Azure will be too – but that is ‘the choice of the developer’.
Almost all of the firm's cloud services comply with well-recognised standards and frameworks such as Article 29, Safe Harbour, G-Cloud, ISO 27001, PCI DSS and HIPAA. Meanwhile, Jones mentioned that Microsoft has been behind the development of the Secure Development (SDL) and Secure Operations (OSA) programmes, and has worked on ISO 27034 for application development over the last two years.
This security focus has also carried over into the firm's products, with privacy and security by design now in progress. Jones added that Microsoft's CISO and IT departments now work together with leadership teams in product development and other divisions to ensure security is embedded in the next line of products.
300+ people working on data privacy
As part of the company's focus on security, it has also spent the last year trying to become more transparent – especially on government data requests and gag orders.
Jones said that Microsoft reports on these requests twice a year and strictly opposes gag orders. “We're transparent about how many [data requests] we're getting. We oppose gag orders and challenge egregious demands for data.”
He ultimately believes that trust in the cloud is achievable. “We do believe it is possible to build a cloud that manages the risks and has the trust to manage their services.”
Jones said that data privacy was another important topic for Microsoft, which has more than 300 people working on the matter. He cited Microsoft's ongoing court case with the DOJ.
“We believe your data is your data; we look at it like we're the landlord of the data. We're saying we won't pass it over, as it's not our data, we're just the landlord; it's a principle we have. We want to be entrusted stewards of your data.”
SC caught up with cyber-security consultancy and pen-testing outfit Nettitude after the presentation; CEO Rowland Johnson and CTO Ben Densham suggested that the cloud itself may not be the problem, but rather that its insecurities come from people and processes.
“The underlying thing is that the technology is probably not the issue, it's people and the processes,” said Johnson. “It's pretty much exactly the same technology as in your own data centres.”
Densham added that blame would inevitably fall on whoever was responsible for safeguarding data in the cloud but – on the subject of surveillance – he believes that there may never be a perfect alliance between privacy and security, especially where nation-states are involved.
“It's almost two parallel lines that never cross,” he said.