When you think of Microsoft, you don't automatically associate it with being a security company, but the tech giant has evolved into one of the biggest security players in the world, mostly out of necessity.
The onslaught of daily security breaches forced it to prioritise security as a key foundation to everything it does.
"We never used to play in the security game extensively but Microsoft has invested over $1 billion a year on security, so we are probably the biggest investor in security at the moment. That is on research and development and on some very strategic acquisitions in many areas [of security]," said Lionel Moyal, Office Business Group lead at Microsoft SA, speaking at a media roundtable on the side-lines of the Microsoft Tech Summit in Cape Town.
He said Microsoft always had security products but it was never such a big focus in the past. However, the company's big push into cloud computing through its cloud platform, Microsoft Azure, was a major catalyst for bigger investments in cyber security.
"The fact is that more and more people are moving information into the cloud and therefore you have to protect it. I think the fact that we are providing cloud services as a fundamental piece was probably the core to saying okay we need to start investing in security.
"There has also been an acceleration certainly over the past few years because of the increasing security breaches across the world," he explained.
The launch of Office 365 was also a big trigger piece, he pointed out. Since then, Microsoft 365 was launched in 2017 and combines Office 365, Windows 10 and Microsoft's Enterprise Mobility and Security features into one product. Microsoft 365 includes tools and solutions for safeguarding customer data, company data and intellectual property, and uses artificial intelligence (AI) and machine learning for threat detection and remediation.
"Microsoft learned a difficult lesson many years ago when we had vulnerabilities inside Windows 95, Windows 98, Windows XP, etc, where there were constantly vulnerabilities that were being exploited by hackers and so it became a big focus to patch those things and change our internal focus to make security front of mind in everything that we do," Moyal added.
"It's not about just growing in an area of business because there is a market opportunity, it's because you cannot afford not to invest in security at this level. It cannot be the bolt-on approach it used to be - just having an anti-virus that does these things - that is not good enough, it just doesn't cut it anymore."
Ashleigh Fenwick, communications lead for Microsoft South Africa, added that the nature of the services provided forced the company to think more deeply about the holistic solutions offered "because you are now responsible for people's data".
"The data does not sit within their four walls, it sits in our data centres and on our cloud so with that comes a much heightened responsibility to make sure we are protecting it," she added.
Classify your data
Moyal said a key area Microsoft users need to focus on is better data classification.
"With data classification, there are levels of security that you can apply, to make sure that even information you send out cannot be opened by a third party because it is protected through classification as confidential, for example.
"Encryption almost goes without saying, data should be encrypted regardless. It's more about classification and applying different standards and different restrictions to different types of data. Data inventory is also fundamental ? knowing what data you have and where exactly it is," he said.
Strategic acquisitions by the company have aided in growing strong cyber security products quickly.
"For example, in data classification, a lot of the AI around automatic remediation comes from acquiring specialist companies that have built very successful practices around these things. What we have done is we have very quickly built them in to the core technology," Moyal added.
Cyber first responders
Trust is a massive focus for Microsoft, and in the modern world of ever-increasing cyber attacks, trust equals cyber security.
"For over 10 years, Microsoft has been thinking about how we could bring commercial cloud to market in a very trusted way. And we have four core pillars we have been focusing on: secure, reliable, transparent and compliant. We have been systematically working in each of those areas and investing in them," said Victoria Grady, GM for Azure experience marketing.
"Our data centres have physical security but more and more we think about software security and we feel this is an area where we have some opportunities to be almost a first responder with Azure on behalf of our customers. We know that for you to move to the cloud you have to trust the cloud," added Grady.
She said the nation threat attacks that we now see are well beyond what any single customer organisation is typically able to deal with.
"Hiring security talent and getting the right capabilities in-house to keep up with those nation threat attacks is essential.
"When we look across our whole cloud portfolio, we have 3 500 of the top security brains and engineers on the planet that come together and look across not just Azure but all of our products. This gives us a vantage point and a brain trust that, along with the $1 billion of investment, can help us to be the first responders. We take that very seriously and it's a big investment area for the company," Grady concluded.
Last May, Microsoft announced it would bring two Microsoft Azure hyperscale data centres to SA, one to be located in Cape Town and one in Johannesburg, with a launch date set for some time in 2018.
Share