{"id":1246,"date":"2024-12-16T12:36:40","date_gmt":"2024-12-16T12:36:40","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=1246"},"modified":"2024-12-16T12:36:40","modified_gmt":"2024-12-16T12:36:40","slug":"amazon-refuses-microsoft-365-deployment-because-of-lax-cybersecurity","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=1246","title":{"rendered":"Amazon refuses Microsoft 365 deployment because of lax cybersecurity"},"content":{"rendered":"
\n
\n
\n
\n
<\/div>\n

Amazon CISO CJ Moses has publicly shamed Microsoft security, halting his employer\u2019s deployment of Microsoft 365 for a full year as the vendor tries to fix a long list of security problems that Amazon identified.<\/p>\n

Industry security executives were of two minds about the move. Some applauded Amazon, saying that the online retail giant \u2014 with $575 billion in annual revenue and almost 1.6 million employees \u2014 is one of the few companies with enough clout to pressure Microsoft into making major cybersecurity changes.<\/p>\n

But others were more cynical, saying that the move is less an altruistic effort to improve cybersecurity for all enterprises and more a thinly disguised sales pitch for Amazon Web Services. The move simultaneously says that AWS cares a lot about security while pointing out that one of its top rivals doesn\u2019t.\u00a0<\/p>\n

The public campaign began when Moses talked about the deployment halt with a reporter for Bloomberg, who wrote about it<\/a>.\u00a0<\/p>\n

\u201cAfter conducting its own analysis of the software, Amazon asked for changes to guard against unauthorized access and create a more detailed accounting of user activity in the apps, some of which Microsoft also markets as Office 365,\u201d the story quoted Moses saying. (Amazon confirmed the accuracy of Moses\u2019 quotes to CSOonline.)<\/p>\n

Held to the same standards<\/h2>\n

\u201cWe deep-dived into O365 and all of the controls around it and we held \u2014 just as we would any of our service teams within Amazon \u2014 we held them to the same bar,\u201d Moses was quoted as saying.<\/p>\n

Moses has already worked closely with at least one senior security executive at Microsoft: Charlie Bell, now EVP for security, compliance, identity and management. Before that, Bell spent more than 23 years at Amazon, rising to be an SVP with AWS. Moses said that at one point he reported to Bell at Amazon.\u00a0<\/p>\n

The Bloomberg story continued: \u201cAmazon\u2019s requests included modifying tools to verify that users accessing the apps are properly authorized and, once in, that their actions are tracked in a manner that Amazon\u2019s automated systems can monitor for changes that might indicate a security risk, Moses said. Microsoft\u2019s bundle, cobbled together from what had been separate products, includes different protocols for authenticating and tracking users, some of which didn\u2019t meet Amazon\u2019s standards. \u2018We wanted to make sure that everything was logged, and that we had access to that logging in near-real time. That was part of the hangup.\u2019\u201d<\/p>\n

Microsoft declined CSOonline\u2019s request for comment on Amazon\u2019s close scrutiny of its software.<\/p>\n

Others were more forthcoming, though.<\/p>\n

A clever move<\/h2>\n

Adam Ennamli, the chief risk and security officer at the General Bank of Canada, called the Amazon gambit \u201ca very clever move. They have poked a hole in everything Microsoft and that is what Amazon wanted to do.\u201d<\/p>\n

Amazon is \u201cshowing to the world that they put security first and in doing so, they are showing that AWS is superior,\u201d he said. Amazon\u2019s comments \u201cincorporates everything they are demanding from supplier and then they are indirectly pointing out [that cloud users] get mediocre security from Microsoft.\u201d<\/p>\n

\u201cThe delay in Amazon\u2019s rollout of Microsoft 365 says a lot about the state of enterprise tech today,\u201d Ennamli said. \u201cHere\u2019s a tech giant, one that literally helps other companies move to the cloud, hitting the pause button on its own cloud transition over security concerns.\u201d<\/p>\n

Other cybersecurity officials focused more on this being more evidence that Microsoft may give aggressive lip service to embracing cybersecurity, but their actions don\u2019t support it.<\/p>\n

Richard Blech, CEO of ZSOC Corp., said, \u201cAmazon\u2019s decision to delay its deployment of Microsoft 365 following a Russia-linked cyberattack reveals a systemic issue that should send shockwaves across the cybersecurity community: the failure of even the most established vendors to prioritize foundational security in an era of unprecedented threat sophistication.\u201d<\/p>\n

Inadequate logging<\/h2>\n

\u201cThis is no longer just a matter of oversight. It\u2019s a glaring dereliction of responsibility by Microsoft, given the stakes and the lessons the industry should have internalized by now,\u201d Blech said. \u201cThe heart of the issue lies in Microsoft\u2019s inadequate logging and telemetry capabilities, which Amazon cited as insufficient for its security needs. This shortfall is not just a technical gap \u2014 it\u2019s a fundamental breach of trust.\u201d<\/p>\n

Another cybersecurity vendor CEO is Matthew Webster, who runs Cyvergence. Webster applauded Amazon, saying that \u201cAmazon\u2019s efforts not only protect their own interests but also help strengthen the ecosystem for countless other companies.\u201d<\/p>\n

\u201cCompanies routinely conduct due diligence to protect modern infrastructure, but this case stands out because it involves two industry behemoths closely scrutinizing security. What sets Amazon apart is that their influence ensures systemic changes across Microsoft, benefiting the broader ecosystem rather than just one organization,\u201d Webster said. \u201cIn contrast, smaller companies often request changes as part of legal contracts, but these are typically one-offs, especially in non-cloud environments. I\u2019ve seen such approaches lead to inefficiencies and risks. When a company as large as Amazon makes a request\u2014particularly in the cloud \u2014 it\u2019s handled with rigor, minimizing potential issues.\u201d<\/p>\n

Roger Grimes, a defense evangelist at KnowBe4, echoed what others said in pointing out Amazon is one of a handful companies that Microsoft has to take seriously.<\/p>\n

\u201cIt must be nice to have the buying power to tell Microsoft to fix these things or we won\u2019t buy and to have Microsoft listen,\u201d Grimes said. \u201cI don\u2019t know all of what they are asking Microsoft to fix, but it\u2019s probably the right asks and will benefit the world.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"

Amazon CISO CJ Moses has publicly shamed Microsoft security, halting his employer\u2019s deployment of Microsoft 365 for a full year as the vendor tries to fix a long list of security problems that Amazon identified. Industry security executives were of two minds about the move. Some applauded Amazon, saying that the online retail giant \u2014 […]<\/p>\n","protected":false},"author":0,"featured_media":1247,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-1246","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1246"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1246"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1246\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/1247"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1246"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1246"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1246"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}