Amazon has delayed the internal rollout of Microsoft 365 by a year. The company is concerned about the security of the e-mail and productivity software.
This reports news agency Bloomberg. The tech giants struck a deal last year to offer Amazon employees Microsoft 365. Amazon has long used versions of Office installed on its own servers.
But Amazon paused the rollout after Microsoft discovered that a Russia-linked hacker group had gained access to some of its employees’ e-mail accounts. After its own analysis of the software, Amazon asked for changes to prevent unauthorized access. And to create more detailed records of user activity in the apps.
Striking collaboration
It’s an unusual confluence of events: a huge commercial deal between two rivals in cloud computing in the Seattle area, a state-sponsored hack, and a technical collaboration that could improve the security of the world’s most widely used office productivity software.
“We deep-dived into O365 and all of the controls around it and we held – just as we would any of our service teams within Amazon – we held them to the same bar,” said CJ Moses, Amazon’s chief information security officer. Moses’ team handed Microsoft’s security chief Charlie Bell – a former Amazon engineer – a list of requested improvements, and engineers from both companies have been working for months on these modifications.
“We believe we’re in a good place to start redeployment next year,” he said. Moses said that last week in an interview at Amazon Web Services’ re:Invent conference. Microsoft declined to comment.
Hefty deal for Microsoft
According to a report by Business Insider last year, Amazon pledged $1 billion over five years to purchase Microsoft 365 software. Its approximately 1.5 million employees are expected to use it. The deal made Amazon one of the largest buyers of Microsoft’s main cloud productivity package.
Last fall, a hacker group attacked some of Microsoft’s business systems. The group goes by the name Midnight Blizzard. Microsoft announced in January that the group had eventually gained access to a “small number” of employee e-mail accounts. Among them were senior executives and cybersecurity and legal employees. It was one of a series of security incidents that led CEO Satya Nadella to declare security Microsoft’s top priority.
Early this year, Moses advised Amazon’s security chief Steve Schmidt and CEO Andy Jassy to suspend the rollout. This so that Microsoft could assess the damage. And Amazon could investigate further. “At that time still, Microsoft wasn’t able to tell us if they had gotten the [hackers] out of their environment,” Moses said.
Authentication protocols
Amazon’s requests included modifications to tools to verify that users accessing the apps were properly authorized. And that their actions, once inside, are tracked in a way that Amazon’s automated systems can monitor for potential security risks, Moses said.
Microsoft’s package was composed of previously separate products. It included several protocols for authenticating and tracking users. Some of the protocols did not meet Amazon’s standards. “We wanted to make sure that everything was logged, and that we had access to that logging in near-real time,” Moses said. “That was part of the hangup.”
Bell, who supervised Moses at AWS before he left for Microsoft in 2021, indicated that Microsoft would also make the improvements available to other customers, Moses said. He praised the efforts of his former boss. “They’ve done yeoman’s work,” Moses said. “We’ve given them some pretty steep tasks.”
Tip: Microsoft bundles Microsoft Defender with Microsoft 365