This blog article has been in the works for years, at least in my head! I spoke at a technology leaders session last year and referred to Microsoft as the "Ikea of Security". I am a big fan of Ikea: they put a lot of R&D into designing furniture that is cost-effective yet functional, and best of all they apply systems thinking, planning how a number of pieces fit together to make a complete end-to-end system, or should we call that a platform, as this is a technical blog.
I'm just back from InfoSec Europe, which had some great sessions and hundreds of vendors, big and small, niche and general players. Following this visit I am left in no doubt that there is a lot of dancing around in the InfoSec industry: lots of people trying to solve specific problems, but not very much coordination or systems thinking. (For a good deep dive on systems thinking I recommend you read up on the Toyota Production System.)
I attended the session given by Ann Johnson, CVP of the Cybersecurity Solutions Group at Microsoft. A powerful session, passionately delivered, with a clear message. Ann made the point that there are up to 3 million unfilled vacancies in the information security sector, and that we need to do more for diversity to address this. "We go where we are welcomed and we stay where we are valued" was Ann's message.
You see, here's the thing: today the InfoSec industry is made up of very similar, like-minded people, and we need to diversify to bring a broader range of minds to problem solving. A good information security management system incorporates human skills, technical skills, communication skills and risk management skills. If we have too much in one pillar we will try to engineer our way out of everything, and that hasn't worked well so far, so we need to approach this differently.
Microsoft stands up on stage telling us we need to think differently, be more inclusive, do whatever we can to retain the current workforce in the sector and encourage more to get involved. We need to automate what we can and ensure the people are used for tasks that are difficult to automate. No one could disagree with this logical message.
But then let's look at Office 365. It is a tremendous platform that has enabled productivity and empowers users; I'm a big fan.
Here's my gripe. Recently I asked Microsoft about the password checking functionality they recently released, which checks user passwords against known breach data. If a user's password appears in a breach, the user is informed and required to change it. This is all seamlessly integrated into the "platform", so we don't need to tie up valuable InfoSec folks extracting the hashes from NTDS.dit files and running them through a password cracking rig or similar.
But then Microsoft comes along and says that this functionality in Azure AD, called "password protection", is only available to P2 subscribers, which will cost large companies tens or hundreds of thousands of dollars per year. I do accept that P2 licences give you more than just the password checking functionality, but here's the point:
No excuses, it's not rocket science
Troy Hunt's Have I Been Pwned provides a free Pwned Passwords API, served via Cloudflare, to do exactly this, so you cannot say you need to recoup millions of dollars of development costs for this feature.
There is shared responsibility with cloud services, but as O365 becomes more popular it becomes a bigger target, so don't put all of this back on the customer.
Credential stuffing and credential theft are widespread and a costly problem. Yes, you can (and should) implement MFA, but in addition you should also check that users are not using breached passwords, and inform them when they are.
NIST (SP 800-63B) and the UK NCSC recommend screening passwords against breach lists in lieu of forced periodic password rotation.
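To show how cheap the check really is, here is an added example of the breached-password lookup against the Pwned Passwords range API. This is my illustration, not Microsoft's or Troy Hunt's code. Only the first five hex characters of the SHA-1 hash leave the client (the k-anonymity scheme the API is built on); the rest of the comparison happens locally. The network call is pluggable, and the constructed `FAKE_RANGES` response and its counts are made up so the block runs offline; the function and variable names are mine, not the API's.

```python
"""Breached-password check via the Have I Been Pwned "Pwned Passwords" range API.

k-anonymity: the client sends only the first 5 hex chars of SHA-1(password);
the server returns every known suffix for that prefix with a breach count, and
the client looks for its own 35-char suffix locally. The full hash never leaves
the client. The fetch function is injectable so the check can be exercised
offline against a constructed response (FAKE_RANGES, below).
"""
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real endpoint


def sha1_hex_upper(password: str) -> str:
    """SHA-1 of the UTF-8 password as 40 upper-case hex chars, the form the API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(sha1_hex: str) -> Tuple[str, str]:
    """k-anonymity split: 5-char prefix goes to the server, 35-char suffix stays local."""
    return sha1_hex[:5], sha1_hex[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}.

    Blank or malformed lines are skipped. Entries with a count of 0 are the
    API's response padding (sent when the Add-Padding header is used) and are
    discarded so they can never be mistaken for a real match.
    """
    counts: Dict[str, int] = {}
    for raw in body.splitlines():
        line = raw.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if sep != ":" or not count.strip().isdigit():
            continue
        n = int(count)
        if n > 0:
            counts[suffix.strip().upper()] = n
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Number of times the password appeared in known breaches (0 = not seen)."""
    prefix, suffix = split_hash(sha1_hex_upper(password))
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def password_accepted(password: str, fetch_range: Callable[[str], str]) -> bool:
    """Policy decision: reject any password with a non-zero breach count."""
    return pwned_count(password, fetch_range) == 0


def fetch_range_live(prefix: str) -> str:
    """Real lookup. Add-Padding asks the API to pad the response so its size
    does not leak which prefix bucket was requested."""
    req = urllib.request.Request(
        HIBP_RANGE_URL + prefix,
        headers={"User-Agent": "breached-password-check-example",
                 "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed offline stand-in for the API (assumption: not HIBP's real data).
# SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8, so the real
# suffix is listed under prefix 5BAA6; the counts are invented, and the
# zero-count line imitates the API's padding entries.
FAKE_RANGES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
        "00000000000000000000000000000000001:0\r\n"
    ),
}


def fetch_range_fake(prefix: str) -> str:
    """Offline fetch: known bucket or a padding-only response for any other prefix."""
    return FAKE_RANGES.get(prefix, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:0\r\n")


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple xK9!"):
        print(candidate, "->", pwned_count(candidate, fetch_range_fake))
```

To run it for real, pass `fetch_range_live` instead of `fetch_range_fake`. Note that the check needs the cleartext password, so it belongs at the moment of password change or sign-in (where the platform already has it), not in a batch job over stored hashes.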
So to the Microsoft team: please don't let the mistakes of the browser wars repeat themselves, i.e. once you achieved browser dominance you stopped innovating and users were very much left out in the cold, until Chrome came along.
Call to action, Microsoft please
Make the breached "password protection" checking functionality available to all P1 customers as part of your shared responsibility for cloud security. It will improve the overall security of O365, save your customers a lot of money and heartache, and free up those scarce resources from the InfoSec team that you mention. I bet you won't even notice this on your P&L, but your customers will really benefit.
How do we action this?
Where do I go to get this discussed and considered? Is there somewhere we can submit this request and get it voted on?
And as for Microsoft being the Ikea of Cybersecurity, I've a few more blogs in the works on that; stay tuned.