Microsoft has what may sound like a counter-intuitive request: Please try to hack into Azure more often.
The company isn’t encouraging malicious attacks but it does want security researchers to spend more time poking holes in its flagship cloud service so the company can learn about flaws and fix them.
Many so-called White Hat hackers do this for the company’s older products like Windows, Office and browsers, but there aren’t enough working on Azure, said Kymberlee Price, who oversees community programs in Microsoft’s Security Response Center. The company is planning several steps to change that, including explicitly stating it won’t take legal action against researchers and creating a game-like reward system that gives successful bug-finders perks and bragging rights.
Microsoft currently offers bug bounty payments for Azure, but “it’s just not getting as much activity as I would like to see,” Price added.
It’s an issue Microsoft needs to worry about as it bets big on cloud services for revenue growth. The shift to cloud computing is changing cybersecurity, providing new opportunities and new challenges. One of the biggest risks is that Microsoft now runs services for customers in its cloud, which means the software giant is on the hook to protect them.
Microsoft is planning to release what’s called a safe harbor statement giving researchers legal clearance to report a vulnerability. “We’ve always done that but we’ve never formally articulated it,” Price said. It’s important to publish a formal policy as researchers work more on cloud systems where they may worry they’ll accidentally knock a service offline or access customer data and get in trouble, she said.
In her first stint at Microsoft in the 2000s, Price was one of the security engineers pioneering the company’s effort to collaborate with security researchers, rather than viewing them as adversaries. She left in 2009 and returned a little more than two years ago.
Right now attackers still target networks located at a company’s own offices more frequently than the cloud, but that’s changing, said Azure Chief Technology Officer Mark Russinovich. “The level of sophistication of the attackers and the interest in (attacking) the cloud just continues to grow as the cloud continues to grow,” he added.
Cloud security requires new tools and techniques but it also enables companies like Microsoft to track and analyze vast amounts of data to find malicious actors and scan networks of hundreds of thousands of customers so it can see attacks materialize.
Russinovich spoke about protecting the cloud at an academic conference at Microsoft attended by hundreds of Microsoft workers and security engineers from Amazon Web Services, Google, Nike Inc. and others. The event grew out of a trail-running group that includes Microsoft’s Ram Shankar Siva Kumar, who oversees a team of engineers who apply machine-learning to cybersecurity, and peers at AWS and Google. The group would often share techniques and research while on the trail and the idea for a formal conference to exchange ideas was born.
The hope is that sharing data, tools and techniques publicly will help everyone better fend off attackers. As long as private customer information is protected, Microsoft wants to share security data, said Steve Dispensa, general manager, cloud and AI security at Microsoft.
“The idea that we’re smarter than the attackers is a malignant myth – they know before we do where the weak spot is,” he said. “We publish data, we all learn, a rising tide lifts all boats.”