So, here’s an interesting one from Politico. Lawmakers are asking some questions about Microsoft’s approach to logging in the wake of the SolarWinds breaches. As the hackers moved into Microsoft’s cloud by impersonating users, they bypassed defenses. And the way to find that is by examining logs of user behavior. This is a feature that Microsoft charges extra for. Here are some quotes:
“It’s kind of like buying a car” and hearing, “‘Oh, you want airbags with that, and brakes? Well, that’s going to be an upcharge,’” said Rep. Jim Langevin (D-R.I.).
House Homeland Security Chair Bennie Thompson (D-Miss.) said: “As far as we know, Boeing doesn’t charge extra for the black box.”
Rep. Lucille Roybal-Allard (D-Calif.), who chairs the House Appropriations Homeland Security Subcommittee, raised the issue during a March 10 hearing with CISA leaders, saying it was “concerning” that CISA planned to spend “a significant portion” of the $650 million that it’s getting from the Covid-19 relief bill on upgrading Microsoft licenses.
Bloomberg picked up on the same issue – with another quote. “If the only solution to a major breach in which hackers exploited a design flaw long ignored by Microsoft is to give Microsoft more money, the government needs to reevaluate its dependence on Microsoft,” said Oregon Senator Ron Wyden, a leading Democrat on the intelligence committee.
Why do we care?
What struck me about this was how this is just customers speaking to us as IT providers. I can hear the echoes of customer complaints in every statement.
“You mean I have to pay more for it to be secure?”
CRN has an interview with CrowdStrike’s CEO, who says this is a crisis of trust in the Microsoft customer base. I think he’s wrong. It’s a crisis of trust in technology.
Let’s think about the rush to sell cybersecurity. It’s right there – we’re all rushing to sell security, which implicitly says we didn’t deliver it before.
So coming back and asking for more money to plug holes is inherently dangerous, and in the SMB market that danger falls on the services provider, not on the software vendor.
Think about your managed services bundles. Are you not including security in everything? If you have any options at all to opt out, you are absolutely opening yourself up to this line of reasoning.
And vendors – are you not aware of this perception? Microsoft is the easy target here, but I’m sure I could play this game with a lot of software vendors. If you’re not including the items that keep a customer secure, you open yourself up to this line of questioning.
And now the US government is asking the question too.