Cybersecurity

Identity vulnerabilities a concern at Microsoft, outside researcher claims

Microsoft is “playing so many different roles in security that things get really complex and challenging,” expert tells IT Brew.
article cover

Jean-Luc Ichard/Getty Images

· 3 min read

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

Size matters, at least when it comes to cybersecurity.

That’s according to Ryan Kalember, chief strategy officer at cybersecurity firm Proofpoint, who told IT Brew he worries that tech giant Microsoft’s vulnerabilities and sprawling product offerings could combine to expose severe flaws in the company.

“The rest of us kind of throw up our hands and say, ‘Okay, if Microsoft can’t do this, who can?’” Kalember said.

Make it show. Kalember feels that Microsoft is “playing so many different roles in security that things get really complex and challenging” quickly. The company manages identity on a number of internal platforms, opening the door to potential threats. Microsoft declined to provide comment for this story, referring us instead to a blog post about security.

Threats such as the one Kalember mentioned are also found in the software supply chain, Blackberry VP of Product Security Christine Gadsby told IT Brew at the RSA Conference in early May. Gadsby described the problem as one of “saturation,” where people downloading the same app will be exposed to the same vulnerability, which in effect expands the threat surface.

“There’s a lot of us tinfoil hatters in the software side that do believe that that’s really where the next kind of big vulnerability exploit will be—[there’ll be] somebody that figures out how to get saturation [on] something that we all use,” Gadsby said.

Putting Microsoft’s size into historical perspective is important to understand the complexities at play in terms of how the company handles security, Kalember said. Its longevity makes crossover from older devices possible, which is something other companies can’t offer. There are downsides, though.

“You can’t buy that from Google. You can’t buy that from Amazon. You can’t buy that from Apple. You can’t buy that from anybody, frankly—you can kind of piece it together,” Kalember said. “But the same reason that all of that stuff works together is the same reason it’s all exploitable together.”

So much larger than life. That’s not to say Google is immune to problems of scale. At the RSA Conference, Google VP Engineering of Cloud Security Brian Roddy told IT Brew that the company tries to stay abreast of those challenges by implementing identity protection and “a suite of controls so you have the belt-and-suspenders-style model of being able to protect yourself in order to make sure that there is the appropriate isolation and segmentation of environment.”

Such protections are all well and good, but ultimately, Kalember said, the issue is the “haphazardly” thrown together identity policies that Microsoft has, which allows for systems infiltration.

“It’ll turn into much, much bigger problems because it’s basically one way in the door and then lots and lots and lots of places to go once you’re in. Even if you’re not on the network.”

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.