Video: Why Microsoft is investing heavily in cloud security

US technology giant Microsoft invests over $1bn on cyber security research and development every year.

“As more and more people use the cloud, that spending has to go up,” Bharat Shah, Microsoft’s corporate vice president of Security for Azure, told Reuters last year.

The worldwide public cloud services market is projected to grow 21.4 per cent in 2018 to reach $186.4bn, up from $153.5bn in 2017, according to Gartner.

The fastest-growing segment of the market is cloud system infrastructure services (IaaS), which is forecast to grow 35.9 per cent in 2018 to reach $40.8bn.

The report also found that software as a service (SaaS) remains the largest segment of the cloud market, with revenue expected to grow 22.2 per cent to reach $73.6bn in 2018. Gartner expects SaaS to reach 45 per cent of total application software spending by 2021.

With increasing usage of the cloud, security experts say it takes more than one line of defence to keep data safe.

“Our security strategy embraces computing realities, from the cloud to the edge, with intelligent security capabilities that were developed by Microsoft’s unrivaled vantage point on digital security,” said Mohammed Arif, regional director, Modern Workplace and Security at Microsoft Gulf.

Microsoft has invested in numerous applications to improve security on its cloud platforms, and is also focussing heavily on research and development to create new technologies to combat cyber crime and address threats that could arise in the years to come.

Its public policy and legal arm also has developed a set of policy considerations and recommendations for secure, trusted and accessible cloud computing.

“What makes us unique is that these disciplines inform one another,” said Scott Charney, corporate vice president for Trustworthy Computing at Microsoft.

“Ultimately, you want public policies that truly improve security and are technically achievable at an engineering level.”

Microsoft says cyber security “isn’t a battle anyone can win alone” and hence the company has helped build a broad community of partners, including government policymakers.

“There are a lot of pieces that need to come together for us to be successful in cybersecurity,” said Microsoft president Brad Smith.

“It requires strong action by technology companies. It requires strong affirmative action by customers and it also requires strong affirmative action by governments.”

To facilitate that action, Smith has been at the forefront of pushing for a new ‘Digital Geneva Convention’, to establish strict standards for international conduct and create ways to protect people’s privacy while meeting government regulations.

Following the crippling WannaCrypt attack last year, which blocked customers from their data unless they paid a ransom using Bitcoin, Smith wrote a company blog post that technology companies are the “first responders” to such attacks.

The WannaCrypt attack stemmed from exploits that had been stolen from the US National Security Agency, and although Microsoft had released a patch to defend users against the attack, many organisations were not yet protected.

In the days following the attack, Microsoft redoubled its efforts to establish a Digital Geneva Convention and get governments to not just stockpile vulnerabilities, but consider when a vulnerability should be reported to a vendor.

“We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits,” Smith wrote.

In April this year, as a first step, Microsoft, along with 30 global technology firms including Facebook and Trend Micro, signed a “cybersecurity tech accord”.

“The companies will not help governments launch cyber-attacks against innocent citizens and enterprises, and will protect against tampering or exploitation of their products and services through every stage of technology development, design and distribution,” the accord states.

According to Jeannette Wing, corporate vice president at Microsoft’s Basic Research Labs, a symbiotic relationship is needed to fight cyber crime.

Sometimes, security and privacy technology is being developed faster than public policy can be formulated, and sometimes the public policy drives technology companies to come up with creative solutions in order to be successful, she said.

“There’s no silver bullet. We need everything in our arsenal.”

She added: “Microsoft Research has the unique responsibility to the company for thinking long term and anticipating problems the company will have – but they don’t even know they are going to have.”