Our security teams around the world focus on identifying and mitigating security issues as soon as possible while minimizing customer disruption.
One of the challenges of a traditional security update is ensuring customers apply the protections promptly. We recently discussed the work that goes into these updates in The Anatomy of a Security update. Cloud services offer advantages in comparison. When we address a vulnerability in the cloud, it is fixed for every user at once and usually requires no action from our customers. This blog focuses on how we identify, mitigate, document, and communicate updates that address security vulnerabilities affecting our cloud services.
Identifying cloud vulnerabilities
Our approach to finding and mitigating security risks in the cloud has two key aspects: internal focus and external collaboration.
Internal focus. More than 8,500 global Microsoft security experts work around the clock to monitor, harden, patch, and protect Azure and our entire cloud platform. Microsoft is not immune to attempts by threat actors and in recent years cyberattacks have become more sophisticated and extensive. To respond to this threat, Microsoft’s Cyber Defense Operations Center (CDOC) brings together security experts from across the company to collaborate in real-time, detecting and mitigating issues before they impact our customers. Our red and blue teams continually test Microsoft’s defenses, look for weaknesses, and provide insights and product improvements. When we detect impact to our customers, we notify them as soon as possible to help them secure their environment.
External collaboration. One of our greatest strengths is our partnership with a diverse group of independent researchers and security industry partners from around the world. The Microsoft Bug Bounty Program issues awards to incentivize researchers to find and confidentially report high-impact security vulnerabilities to continuously harden our security and improve customer experience. In the past year, Microsoft has awarded more than $13 million to the security community to support their work.
We also encourage researchers to be transparent with the information they discover once the issue has been fully addressed and customers are protected. We do this so that all researchers can use the techniques they identify as a baseline to further detect vulnerabilities and help ensure our systems are more secure. This approach also shows the strength of our security partnerships: identifying issues before customers are impacted and sharing the journey so the security community can learn and get better together.
Mitigating vulnerabilities
In the cloud, we work in real-time. Our cloud services are continually updated to harden against attacks and these mitigations don’t follow the Update Tuesday cycle. Sometimes these are minor changes, while others address whole classes of potential issues—fixing an underlying issue that may impact a range of potential scenarios.
In the cloud, as soon as an update is ready and tested, it is released into our service. Typically, there is no customer action needed.
Security incident response
Following the discovery of a security vulnerability, our response includes several stages:
- Detection: Issues are reported by internal security experts or by external partners, and our 24/7 security teams will respond accordingly and begin an assessment.
- Mitigation: Once an issue is assessed, our teams work around the clock to identify and test mitigations. This includes variant analysis and looking at root cause for opportunities to eliminate whole classes of issues rather than single vulnerabilities where possible. We also thoroughly test fixes to ensure compatibility and data integrity.
- Deploy: Once mitigation is ready and tested, we deploy in real-time to our cloud services. This is not tied to an Update Tuesday timeframe—these updates happen regularly as needed.
After an issue has been addressed, our teams conduct a post-incident review to identify issues and improve our processes. We welcome feedback from customers and partners and review this information in our post-incident reviews so that we can continually do better.
Our approach to Common Vulnerabilities and Exposures (CVE)
The CVE program is guided by a set of rules that can and do change along with significant changes in the cybersecurity landscape. In 2019 the rules were changed to accommodate cloud-based vulnerabilities.Specifically, Rule 7.4.4 was added to state that CVE assignment to a cloud vulnerability was allowed if “the vulnerability requires customer or peer action to resolve.” Since this rule change went into effect, Microsoft has assigned CVEs to cloud-based vulnerabilities when there is a specific message that we want to send about necessary action to take, either by our customers to protect themselves or by the industry to protect the ecosystem.
When Microsoft issues a CVE, there is almost always action required to be taken by the customer. In instances where customer action is required, Microsoft understands each customer has their own process and timeframe for applying updates. However, we recommend applying all updates as soon as possible.
Targeted communications to customers
For a security or privacy incident, Microsoft provides customers with the necessary information through established communication channels and targeted to the right people whenever possible.Notifications are targeted to the specific resource that is affected, providing information to customers around any needed actions or awareness around an incident.Our main principles around customer notifications are:
- Customer trust: We do this by being thorough with targeted notifications, customer obsession, and constantly improving the experience.
- Transparency: Inform potentially affected customers with the precise steps to take. To protect the security and privacy of our customers and platform, notifications are as targeted as possible.
- Safeguard sensitive information and privacy: To ensure sensitive details regarding security or privacy incidents are not broadly communicated, information dissemination is controlled to ensure customers have time to take action before the vulnerability is more broadly known.
The cloud advantage
The combination of knowing that security teams work around the clock to identify issues, deploying updates in real-time, and remaining on alert to detect new threats are just a few of the benefits of our cloud services for our customers.
We also encourage our customers to follow the best practices to best secure their environments: Microsoft Security Best Practices.
Aanchal Gupta
Corporate Vice President | Microsoft Security Response Center