Microsoft recently suffered a significant breach of its Exchange Online and Azure AD services following the compromise of a signing key, which in turn led to the compromise of several organizations, including government agencies. Microsoft still needs to learn how the key was compromised. However, the intrusion was detected first by the US government, which had access to Microsoft’s advanced logging capabilities. Historically, if an organization wanted access to Microsoft’s cloud service logs or additional security tools, it would have to opt in to premium licenses such as E5.
Many in the security community have taken issue with this model, particularly because the additional security controls needed to protect against potential vulnerabilities in Microsoft’s own products are gated behind premium licensing; some draw the analogy that it is equivalent to a car manufacturer charging extra for seat belts, airbags, and other safety features. My friend and respected security practitioner across the pond, Daniel Card, pointed out how vital access to the tools and services provided by the Microsoft E5 license is to protecting the organizations he works with:
Although it is unfortunate that Microsoft waited so long, and that it took such a catastrophic incident for it to finally take action and provide logging capabilities to its lower licensing tiers, the incident may have made Microsoft realize its potential liabilities under the shared responsibility model, in which both the cloud service provider and the customer play vital roles. Recognizing the importance of this partnership, Microsoft has taken a significant step by extending logging capabilities to non-premium customers, reinforcing the shared responsibility model and enabling enhanced security measures for all users. This decision will level the playing field, granting equal access to invaluable security insights to mitigate today’s threats.
The shared responsibility model is built on the premise that while cloud service providers are responsible for securing the infrastructure, customers must take ownership of their applications, data, and user access. By extending logging capabilities to non-premium customers in September 2023, Microsoft will better equip customers to fulfill their side of that responsibility. This move responds to evolving cloud threats and reflects Microsoft’s commitment to providing its customers with the tools necessary to safeguard their digital assets.
As businesses increasingly rely on cloud services, the responsibility for securing and monitoring data has shifted to a shared model in which both the cloud service provider and the customer play vital roles. Microsoft, one of the leading technology giants, has been collaborating with CISA to identify the critical log data that should be provided to all its cloud customers for free. Historically, advanced logging capabilities were available only to premium customers. However, Microsoft’s decision following this security incident to offer these logging capabilities to non-premium customers has leveled the playing field, granting equal access to invaluable security insights and strengthening the shared responsibility model.
Microsoft’s new free logging capabilities will also help Panther customers, who will no longer need to purchase the higher subscription tiers to onboard these logs into their Panther instances. This change will allow Panther customers to use our integration with Microsoft and easily correlate these logs with other data sources and tools.
Microsoft’s decision in collaboration with CISA to provide logging capabilities to non-premium customers is a significant development that reinforces the shared responsibility model. By democratizing access to advanced logging features, Microsoft empowers organizations of all sizes to take a more proactive and vigilant stance in securing their cloud environments. This move serves as a testament to the power of the infosec community, along with Microsoft’s dedication to promoting collaboration, transparency, and continuous improvement in data security.
As more workloads move to the cloud and threats evolve to target them, initiatives like this are vital in fostering a more resilient and secure online ecosystem and in giving organizations more confidence in the cloud. I hope more cloud providers will follow suit in making logs free and easily accessible.