A series of high-profile security incidents had already put Microsoft under a spotlight, and its testimony before the House Homeland Security Committee in mid June brought the company still more attention and, in the eyes of many, more scrutiny.
Prompted by the Cyber Safety Review Board's (CSRB) report on the 2023 Microsoft Exchange Online cyber intrusion, Microsoft's President, Brad Smith, appeared before lawmakers to address a myriad of topics, including international cyberwarfare, the digital dynamics of national security, as well as the company's commitment to strengthening cybersecurity protection in the wake of several missteps.
To further complicate things, just a few hours before the hearing, ProPublica released a damning report on a security flaw in Microsoft's Active Directory Federation Services (AD FS) that the company allegedly disregarded despite repeated warnings from an employee over several years. The flaw enabled attackers to forge Security Assertion Markup Language (SAML) tokens, the technique later used in the infamous SolarWinds intrusion of 2020. The whistleblower alleged that, in this instance, Microsoft valued business growth and its reputation over security.
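Why a forged SAML token is so damaging, and the one check that can still expose it, is worth spelling out. The relying party that receives an assertion verifies the identity provider's signature, the audience and the expiry; it has no way to know whether the identity provider actually authenticated anyone. Whoever holds the token-signing key can therefore mint an assertion for any account, and it will pass every check a legitimate one passes. The only trace left is an absence: the identity provider has no record of issuing it. The script below is an added illustration of that principle, not Microsoft's, AD FS's or the article's own code. It simplifies on purpose: HMAC-SHA256 over a JSON dictionary stands in for XML-DSig over a SAML XML assertion, the `https://idp.example` and `https://mail.example` endpoints are hypothetical, and the issuance and acceptance logs are constructed in the script.

```python
"""Forged SAML assertion vs. legitimate one: indistinguishable to the relying
party once the signing key is compromised; detectable only by reconciling
what the service provider accepted against what the identity provider issued.
Added example (not Microsoft's, AD FS's or the article's own code).
Simplifications: HMAC-SHA256 replaces XML-DSig/RSA, a dict replaces the SAML
XML assertion, and both logs are constructed in-process."""
import hashlib
import hmac
import json
import secrets
from datetime import datetime, timedelta, timezone

IDP = "https://idp.example"   # hypothetical identity provider (the AD FS role)
SP = "https://mail.example"   # hypothetical relying party / service provider


def _payload(assertion: dict) -> bytes:
    # Deterministic serialisation, playing the role of XML canonicalisation.
    return json.dumps(assertion, sort_keys=True, separators=(",", ":")).encode()


def sign_assertion(assertion: dict, signing_key: bytes) -> dict:
    """Attach a signature; HMAC-SHA256 here stands in for the IdP's XML signature."""
    sig = hmac.new(signing_key, _payload(assertion), hashlib.sha256).hexdigest()
    return {"assertion": assertion, "sig": sig}


def _new_assertion(subject: str, now: datetime) -> dict:
    return {
        "id": "_" + secrets.token_hex(8),
        "issuer": IDP,
        "subject": subject,
        "audience": SP,
        "not_on_or_after": (now + timedelta(minutes=5)).isoformat(),
    }


def idp_issue(signing_key: bytes, issuance_log: list, subject: str, now: datetime) -> dict:
    """IdP path: the user has authenticated (assumed), so mint AND log an assertion."""
    assertion = _new_assertion(subject, now)
    issuance_log.append(assertion["id"])
    return sign_assertion(assertion, signing_key)


def attacker_forge(stolen_key: bytes, subject: str, now: datetime) -> dict:
    """Whoever holds the signing key can mint an assertion for any subject.
    No authentication happened and nothing reaches the IdP's log."""
    return sign_assertion(_new_assertion(subject, now), stolen_key)


def sp_verify(token: dict, signing_key: bytes, now: datetime) -> bool:
    """Relying party checks: signature, issuer, audience, expiry.
    None of them can tell a forgery from the real thing if the key is compromised."""
    assertion = token["assertion"]
    expected = hmac.new(signing_key, _payload(assertion), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["sig"]):
        return False
    if assertion["issuer"] != IDP or assertion["audience"] != SP:
        return False
    return now < datetime.fromisoformat(assertion["not_on_or_after"])


def assertions_never_issued(sp_accepted_ids, idp_issuance_log) -> list:
    """Detection: assertion IDs the SP honoured but the IdP never recorded issuing."""
    return sorted(set(sp_accepted_ids) - set(idp_issuance_log))


def demo() -> dict:
    """Run one legitimate login, one forgery and one tamper attempt; reconcile logs."""
    now = datetime(2020, 12, 1, tzinfo=timezone.utc)
    signing_key = secrets.token_bytes(32)   # the IdP's token-signing key, stolen below
    idp_log, sp_accepted, results = [], [], {}

    legit = idp_issue(signing_key, idp_log, "alice@example", now)
    forged = attacker_forge(signing_key, "admin@example", now)   # attacker has the key
    for label, token in (("legitimate", legit), ("forged", forged)):
        ok = sp_verify(token, signing_key, now)
        results[label] = ok
        if ok:
            sp_accepted.append(token["assertion"]["id"])

    # Modifying a signed assertion without the key must still fail.
    tampered = {"assertion": dict(legit["assertion"], subject="admin@example"),
                "sig": legit["sig"]}
    results["tampered"] = sp_verify(tampered, signing_key, now)

    # The forged assertion is the only one the IdP has no issuance record for.
    results["unissued"] = assertions_never_issued(sp_accepted, idp_log)
    return results


if __name__ == "__main__":
    print(demo())
```

The design point is the last function: signature verification alone is the wrong place to look for a forged token, because the signature is exactly what the attacker controls. Reconciling relying-party acceptance records against identity-provider issuance records is the control that works regardless of how the key was obtained, which is why it belongs in a data governance and logging programme rather than in the token-validation code path.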
While Smith's testimony accepted Microsoft's responsibility for lapses in its security practices and outlined steps toward improvement, the lack of transparency around a still-growing list of incidents and alleged negligence continues to fuel doubt among experts.
Additionally, one critical topic did not emerge in the testimony.
Unfortunately, data governance is not among the key pillars of Microsoft’s “Secure Future Initiative,” a multi-faceted plan aiming to reinvigorate and bolster the company’s security posture, discussed in detail by Smith during his testimony. While there are a lot of important elements within the initiative’s key pillars – like securing identities and networks – it fails to prioritize the core of Zero Trust security, which is the data itself.
To be clear, Microsoft's ownership of its mistakes and admission of its security shortcomings is commendable. Smith's emphasis on the company's dedication to improvement is a necessary step toward fixing a questionable organizational culture. However, as we navigate an increasingly interconnected digital landscape, it is imperative to recognize that cybersecurity extends beyond perimeter-centric solutions: it includes data governance frameworks that safeguard the integrity and privacy of information.
Data governance encompasses the policies, procedures and controls that dictate how data is collected, stored, accessed and, most importantly, shared. It provides a roadmap for organizations to uphold data integrity, confidentiality and availability, essential not just for thwarting cyber threats but for completing missions and everyday assignments. By implementing robust data governance frameworks, organizations and agencies alike can reduce unauthorized access to and misuse of sensitive information, and collaborate more effectively with partners.
Microsoft's role as a leading federal provider accentuates the importance of integrating stringent data governance practices into broader cybersecurity strategies. It is no secret that data-centric security is on the rise across the federal government. Key stakeholders increasingly recognize that a comprehensive approach that seamlessly integrates data governance principles is essential for safeguarding digital assets. Going a step further, applying granular access control and maintaining governance over sensitive data wherever it travels is critical to unlocking that data's value.
In conclusion, while Microsoft claims to be committed to addressing the security and organizational transparency issues that have plagued the company over the last few years, only time will tell whether it will deliver on that commitment and rebuild trust.
One thing is for sure: Mr. Smith neglected to mention a major component of security that will only continue to rise in prominence. Industry leaders must broaden the conversation to include data governance practices and strategies. Protecting data as it is intentionally shared across digital platforms and ecosystems is critical to mitigating risk and ensuring the integrity and privacy of sensitive information. As we traverse an increasingly labyrinthine cyber landscape, prioritizing and exercising data governance and data-centric security alongside traditional, perimeter-focused technical solutions is paramount to safeguarding our digital future.
Nick Michael is the Communications Manager at Virtru. With 8 years of experience in tech-focused public relations and media content, he has a passion for news analysis and finding the story behind the story.