{"id":2844,"date":"2024-04-03T10:29:31","date_gmt":"2024-04-03T15:29:31","guid":{"rendered":"https:\/\/www.darkreading.com\/cloud-security\/feds-microsoft-clean-up-cloud-security-act"},"modified":"2024-04-03T10:29:31","modified_gmt":"2024-04-03T15:29:31","slug":"feds-to-microsoft-clean-up-your-cloud-security-act-now","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/04\/03\/feds-to-microsoft-clean-up-your-cloud-security-act-now\/","title":{"rendered":"Feds to Microsoft: Clean Up Your Cloud Security Act Now"},"content":{"rendered":"
<\/a><\/div>\n
<\/div>\n

A federal review board has called on Microsoft to prioritize its approach to cloud security and stop pushing the burden of it onto customers in the wake of a <\/span>July 2023 cyberattack<\/a><\/span> that let Chinese threat actors breach Microsoft 365 accounts to spy on key <\/span>US government officials<\/a><\/span>.<\/span><\/p>\n

A report<\/a><\/span> released on April 2 by the independent Department of Homeland Security (DHS) Cyber Safety Review Board offered an incendiary review of Microsoft’s security culture, putting the blame <\/span>squarely on the company<\/a><\/span> and a “cascade of security failures” for the <\/span>cyber espionage attack<\/a><\/span> by China-based threat group Storm-0558, which “never should have happened.”<\/span><\/p>\n

The board \u2014 which was investigating the breach <\/span>at the behest<\/a><\/span> of President Joe Biden \u2014 demanded that the technology giant put cybersecurity at the top of its agenda. It also should be held to strict account to make significant revisions to its cloud-security position, even prioritizing these changes ahead of new product features and development.<\/span><\/p>\n

“To drive the rapid cultural change that is needed within Microsoft, the board believes that Microsoft\u2019s customers would benefit from its CEO and Board of Directors directly focusing on the company’s security culture and developing and sharing publicly a plan with specific timelines to make fundamental, security-focused reforms across the company and its full suite of products,” officials said in the report.<\/span><\/p>\n

Put Security Before Product Innovation<\/h2>\n

As part of its review, the board made a series of recommendations to this end, including that top executives not only develop this plan but also hold leaders at all levels across the company accountable for implementing it.<\/span><\/p>\n

Microsoft leadership also should consider directing internal Microsoft teams to “deprioritize feature developments across the company’s cloud infrastructure and product suite until substantial security improvements have been made,” instead assessing and addressing security before deploying any new features, the board concluded.<\/span><\/p>\n

Given the dependence on the security of Microsoft’s cloud-based services and infrastructure, the software giant and other CSPs also need to take more accountability overall for the security outcomes of their customers. An action item at the top of this list is to halt the practice of making customers pay for security-related logging, making it “a core element” of cloud offerings instead of an add-on service for an extra fee.<\/span><\/p>\n

Microsoft already relented and <\/span>dropped fees<\/a><\/span> associated with expanded logging access for all levels of 365 license holders shortly after the breach following complaints that it was effectively levying a <\/span>logging tax<\/a><\/span> on customers.<\/span><\/p>\n

This One Is on Microsoft<\/h2>\n

The overall finding of the board is that the blame for the breach \u2014 which allowed Storm-0558 to <\/span>gain access to email accounts<\/a><\/span> across 25 government agencies in Western Europe and the US \u2014 is solely with Microsoft, and was directly due to a series of security failings on the part of the company.<\/span><\/p>\n

As the fallout from the breach intensified in the weeks after its initial detection, Microsoft eventually in September 2023 <\/span>owned up<\/a><\/span> to a series of mistakes that led to Storm-0558 using a Microsoft account (MSA) consumer signing key to forge Azure AD tokens for accessing enterprise email accounts. MSA consumer keys are typically used to cryptographically sign into a Microsoft consumer application or service such as Outlook.com, OneDrive, and Xbox Live.<\/span><\/p>\n

The company said at the time that a race condition resulted in the signing key being present either in a crash dump or a snapshot of the crashed system. The key eventually ended up with the debugging team on Microsoft’s Internet-connected corporate network, where threat actors likely picked it off.<\/span><\/p>\n

However, government officials held executives feet to the fire over the company’s failure to detect the compromise of its “cryptographic crown jewels on its own,” as it was a customer \u2014 a <\/span>human rights organization<\/a><\/span> who <\/span>did not have access<\/a><\/span> to advanced cloud security logging \u2014 that first alerted the company to a potential issue.<\/span><\/p>\n

Moreover, Microsoft has never proven that the key used by attackers ended up in any crash dump or snapshot, and failed to correct statements claiming this as the root cause “in a timely manner.” Indeed, Microsoft did not roll back its story on how the key got into the hands of Storm-0558 until last month, when it amended <\/span>its blog post<\/a><\/span> and acknowledged it never located a crash dump containing the key.<\/span><\/p>\n

Finally, Microsoft is generally lax in comparison to other cloud service providers (CSPs) when it comes to cloud security, failing to keep security controls to a similar standard, the board found. The company must level up immediately given that its ubiquitously used products “underpin essential services that support national security, the foundations of our economy, and public health and safety,” which in turn, requires Microsoft “to demonstrate the highest standards of security, accountability, and transparency,” officials concluded.<\/span><\/p>\n

Microsoft did not immediately respond to a request for comment from Dark Reading.<\/span><\/p>\n

Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

A federal review board has called on Microsoft to prioritize<\/p>\n","protected":false},"author":12,"featured_media":2845,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1],"tags":[809],"class_list":["post-2844","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-dark-reading"],"featured_image_urls":{"full":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/feds-to-microsoft-clean-up-your-cloud-security-act-now-scaled.jpg?fit=2560%2C1708&ssl=1",2560,1708,false],"thumbnail":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/feds-to-microsoft-clean-up-your-cloud-security-act-now-scaled.jpg?resize=150%2C150&ssl=1",150,150,true],"medium":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/feds-to-microsoft-clean-up-your-cloud-security-act-now-scaled.jpg?fit=300%2C200&ssl=1",300,200,true],"medium_large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/feds-to-microsoft-clean-up-your-cloud-security-act-now-scaled.jpg?fit=640%2C427&ssl=1",640,427,true],"large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/feds-to-microsoft-clean-up-your-cloud-security-act-now-scaled.jpg?fit=640%2C427&ssl=1",640,427,true],"1536x1536":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/feds-to-microsoft-clean-up-your-cloud-security-act-now-scaled.jpg?fit=1536%2C1025&ssl=1",1536,1025,true],"2048x2048":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/feds-to-microsoft-clean-up-your-cloud-security-act-now-scaled.jpg?fit=2048%2C1367&ssl=1",2048,1367,true],"chromenews-featured":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/feds-to-microsoft-clean-up-your-cloud-security-act-now-scaled.jpg?fit=1024%2C683&ssl=1",1024,683,true],"chromenews-large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/feds-to-microsoft-clean-up-your-cloud-security-act-now-scaled.jpg?resize=825%2C575&ssl=1",825,575,true],"chromenews-medium":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/feds-to-microsoft-clean-up-your-cloud-security-act-now-scaled.jpg?resize=590%2C410&ssl=1",590,410,true]},"author_info":{"display_name":"Dark Reading","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/darkreading\/"},"category_info":"Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","jetpack_featured_media_url":"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/feds-to-microsoft-clean-up-your-cloud-security-act-now-scaled.jpg?fit=2560%2C1708&ssl=1","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/2844","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/12"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=2844"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/2844\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media\/2845"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=2844"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=2844"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=2844"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}