Amazon CISO CJ Moses has publicly shamed Microsoft security, halting his employer’s deployment of Microsoft 365 for a full year as the vendor tries to fix a long list of security problems that Amazon identified.

Industry security executives were of two minds about the move. Some applauded Amazon, saying that the online retail giant, with $575 billion in annual revenue and almost 1.6 million employees, is one of the few companies with enough clout to pressure Microsoft into making major cybersecurity changes.

But others were more cynical, saying that the move is less an altruistic effort to improve cybersecurity for all enterprises and more a thinly disguised sales pitch for Amazon Web Services. The move simultaneously says that AWS cares a lot about security while pointing out that one of its top rivals doesn’t.

The public campaign began when Moses talked about the deployment halt with a reporter for Bloomberg, who wrote about it. “After conducting its own analysis of the software, Amazon asked for changes to guard against unauthorized access and create a more detailed accounting of user activity in the apps, some of which Microsoft also markets as Office 365,” the story quoted Moses saying. (Amazon confirmed the accuracy of Moses’ quotes to CSOonline.)

“We deep-dived into O365 and all of the controls around it and we held, just as we would any of our service teams within Amazon, we held them to the same bar,” Moses was quoted as saying.

Moses has already worked closely with at least one senior security executive at Microsoft: Charlie Bell, now EVP for security, compliance, identity and management. Before that, Bell spent more than 23 years at Amazon, rising to be an SVP with AWS. Moses said that at one point he reported to Bell at Amazon.
The Bloomberg story continued: “Amazon’s requests included modifying tools to verify that users accessing the apps are properly authorized and, once in, that their actions are tracked in a manner that Amazon’s automated systems can monitor for changes that might indicate a security risk, Moses said. Microsoft’s bundle, cobbled together from what had been separate products, includes different protocols for authenticating and tracking users, some of which didn’t meet Amazon’s standards. ‘We wanted to make sure that everything was logged, and that we had access to that logging in near-real time. That was part of the hangup.’”

Microsoft declined CSOonline’s request for comment on Amazon’s close scrutiny of its software. Others were more forthcoming, though.
A clever move
Adam Ennamli, the chief risk and security officer at the General Bank of Canada, called the Amazon gambit “a very clever move. They have poked a hole in everything Microsoft and that is what Amazon wanted to do.”

Amazon is “showing to the world that they put security first and in doing so, they are showing that AWS is superior,” he said. Amazon’s comments “incorporate everything they are demanding from a supplier and then they are indirectly pointing out [that cloud users] get mediocre security from Microsoft.”

“The delay in Amazon’s rollout of Microsoft 365 says a lot about the state of enterprise tech today,” Ennamli said. “Here’s a tech giant, one that literally helps other companies move to the cloud, hitting the pause button on its own cloud transition over security concerns.”

Other cybersecurity officials focused more on this as further evidence that Microsoft may pay aggressive lip service to embracing cybersecurity while its actions don’t support it.

Richard Blech, CEO of ZSOC Corp., said, “Amazon’s decision to delay its deployment of Microsoft 365 following a Russia-linked cyberattack reveals a systemic issue that should send shockwaves across the cybersecurity community: the failure of even the most established vendors to prioritize foundational security in an era of unprecedented threat sophistication.”
Inadequate logging
“This is no longer just a matter of oversight. It’s a glaring dereliction of responsibility by Microsoft, given the stakes and the lessons the industry should have internalized by now,” Blech said. “The heart of the issue lies in Microsoft’s inadequate logging and telemetry capabilities, which Amazon cited as insufficient for its security needs. This shortfall is not just a technical gap, it’s a fundamental breach of trust.”

Another cybersecurity vendor CEO is Matthew Webster, who runs Cyvergence. Webster applauded Amazon, saying that “Amazon’s efforts not only protect their own interests but also help strengthen the ecosystem for countless other companies.”

“Companies routinely conduct due diligence to protect modern infrastructure, but this case stands out because it involves two industry behemoths closely scrutinizing security. What sets Amazon apart is that their influence ensures systemic changes across Microsoft, benefiting the broader ecosystem rather than just one organization,” Webster said. “In contrast, smaller companies often request changes as part of legal contracts, but these are typically one-offs, especially in non-cloud environments. I’ve seen such approaches lead to inefficiencies and risks. When a company as large as Amazon makes a request, particularly in the cloud, it’s handled with rigor, minimizing potential issues.”

Roger Grimes, a defense evangelist at KnowBe4, echoed what others said in pointing out that Amazon is one of a handful of companies that Microsoft has to take seriously.

“It must be nice to have the buying power to tell Microsoft to fix these things or we won’t buy and to have Microsoft listen,” Grimes said. “I don’t know all of what they are asking Microsoft to fix, but it’s probably the right asks and will benefit the world.”
First seen on csoonline.com
Jump to article: www.csoonline.com/article/3625205/amazon-refuses-microsoft-365-deployment-because-of-lax-cybersecurity.html