Cloud Productivity Platform Security: Re-imagining your IT Resilience Strategy for a Post-Pandemic Society

Amid the tumult of 2020, there is a quiet revolution underway that will shape the IT landscape for decades to come. And one company is set to play a truly pivotal role both during the lockdown and the post-pandemic economy.

Every IT and security leader now needs to consider their cyber resilience strategy around this cloud-first company. No, I’m not talking about Zoom.

Despite the video conferencing star’s meteoric growth and publicity, it’s Microsoft, who has carefully positioned itself to dominate the enterprise software long game. Comedian Hasan Minhaj’s “you’re a verb that no-one does,” Twitter barb at Skype certainly raised a chuckle, but in reality, there are now more than 75 million daily active users of Microsoft Teams.

So Microsoft CEO Satya Nadella is set to have the last laugh. In fact, he used their recent virtual developer conference, Build 2020, to share his Microsoft 365 vision of “building the world's productivity cloud as a people-centric, multi-device, multi-sense experience.” The software development community is integral to this strategy and this is an audience that Microsoft under Nadella has won over. The $7.5 billion GitHub acquisition in 2018 and ‘all in on open source’ power play helped cement this fact.

Today, the number of organizations integrating third-party, line-of-business apps with Teams has more than tripled in the past few months. It’s this platform-centric approach Microsoft has built that is going to be hard to beat.

Exchange Online has already become the de facto standard for cloud business email. Its nearest rival, Google’s G Suite has traditionally proven more popular with smaller businesses, as evidenced by Mimecast’s own internal research. However, the pandemic cloud boom is also helping to drive growth in both Google Cloud Platform (GCP) and G Suite. In particular, Google Meet that is now adding about 3 million users daily. How Google’s larger enterprise base grows during this cost-conscious time is certainly one to watch.

The great cloud migration

Globally, the Covid-19 pandemic is causing radical rethinking of the ways organizations operate. How employees collaborate, how supply chains can be made more agile – how customers can be discovered and looked after.

In turn, this is giving today’s cloud’s late majority a shove, reminiscent of the early adopter onramp in the 2008-2009 downturn, as many organizations moved en masse to software-as-a-service vendors seeking more rapid financial op-ex incentives. This is further amplified by the fact that many of the traditionally more popular cloud services are particularly well suited to pandemic business challenges. These include communication and productivity tools, CRM, video conferencing, email and team collaboration.

There are also significant operational challenges for traditional on-premises IT infrastructure that can struggle to scale quickly without significant capital investments. The data explosion of the last decade has created sprawling on-premise archives, often with complex legal retention requirements or business-driven search needs. This is compounded by needing the appropriate skilled manpower to manage it all effectively.

Together, this presents massive opportunities in the Microsoft ecosystem including around the Azure cloud platform and the cloud-based Microsoft 365 productivity offering. Early metrics of this trend are already there. At the end of April, Microsoft reported revenue of $35 billion as its cloud business grows faster than expected. This release included the fact that Office Commercial products and cloud services revenue increased 13%, driven by Microsoft 365 Commercial revenue growth of 25%, despite some currency headwinds.

This great cloud migration is not going away. It has already seen 258+ million business users on Office 365, and I can easily imagine a world of near total deployment – and more worryingly, dependency.

Cloud security risks

Microsoft continues to launch new datacenters around the world, helping to support greater agility and scalability for businesses and governments. But as more organization’s move email and data to Microsoft 365, there’s an increased need to protect against malicious or accidental loss of data.

But what organizations often fail to realize is that this shift comes with significant risk if organizations rely on one vendor’s security and data protection alone. On its own, a single cloud service can represent a greater risk exposure if you flatten all of your protections, services and applications into one dependent system. You’re also outsourcing control of that that risk to Microsoft or Google, trusting them to apply appropriate mitigation.

However, the security efficacy of the cloud email providers has so proved sub-optimal against advanced phishing attacks and even the most basic anti-spam management. For example, Microsoft is routinely rated poorly by independent analyst firms, and Mimecast testing shows that their efficacy is not comparable.

The latest SE Labs Email Security Services Protection report from March 2020 gave both Microsoft 365 and its Advanced Threat Protection service a ‘C’ security rating. Defense-in-depth security best practice prescribes using multiple layers of security and architecturally these also need to be in the cloud to effectively work alongside your Exchange Online tenant.

During the pandemic, threat actors have quickly pivoted their tradecraft using Covid-19 phishing and impersonation lures to help them land hits on vulnerable organizations. Exchange Online is a single big target for attack and we know cybercriminals often test their campaigns against their own tenant environment (i.e. a mirror of your environment), before retargeting against their real victims. We’ve spoken to many organizations around the world who have moved to Microsoft 365 in the current climate and quickly realized they needed to bolster their advanced phishing defenses.

Continuity of productivity

Another question you need to ask is what happens to your important services when cloud productivity services go down or become otherwise unavailable? What happens when you suddenly lose your CRM, email or team collaboration tools? In the business world the impact is usually just commercial in nature, such as lost sales, employee productivity and frustrated customers. 

But downtime for critical national infrastructure organizations or government departments can have a direct impact on the delivery of vital services to the community. Healthcare, child protection, housing and public safety – and a raft of other services that public servants and citizens alike rely on – needs to work all of the time.

When core communications systems go down, it’s also common for employees to create new security and data leak risks with workarounds, usually using their own personal consumer-grade digital services. During the Covid-19 crisis, the UK government has held a daily press conference with important questions from media and members of the public. But a Zoom service outage left journalists unable to ask live questions and instead rely on the business secretary to read them out from an email.

Why is a national government relying on a single service with no appropriate backup in place? As critical sectors increasingly adopt cloud services like Zoom or Microsoft 365, the risk from this single vendor dependency for something as important as communication has to be thought about carefully.

What is your plan for the next time your email or team collaboration tool goes down? How long can you afford to be offline and disconnected?  How do you guarantee the safety and availability of your critical data without an independent copy? How do you ensure the services that rely on email to operate effectively are not impacted?

Risks equations surely need to be redrawn as we reach saturation in global cloud adoption for critical productivity and communication services. This is not just about one organization putting its email and data eggs in one basket, but rather all organizations putting all of their eggs into the same basket as each other. How do we now evaluate the collective risk of having the majority of large organizations and government services being dependent on Microsoft’s cloud services?

The recent rapid rise in cloud subscribers has unsurprisingly not gone without a hitch. A number of Microsoft outages in the last couple of month alone have affected Teams, Forms, and in one instance ‘multiple services’. Meanwhile, Slack and Zoom were hit too of course.

Human error, malicious action and technical failure will continue to happen and affect all services at point or other. It’s only a matter of time before you’re next affected. What matters is if you want or need to take control of your own uptime and build a third-party resilience plan or not.

Resilient mindset

Traditionally disaster recovery plans and systems have been predicated on the belief that IT fails, and you always need a plan B. This requirement is exactly the same in a cloud-first world and every organization needs to consider their individual security, continuity, availability, backup and data assurance risks.

Increased adoption of cloud services will support a drive for greater agility and scalability. Cloud also helps enable AI-powered bots and smart APIs that promise to automate routine tasks and bring productivity efficiencies to internal virtual collaboration.

But putting all your eggs in one basket, leaves you exposed to a broad range of risks that can have a debilitating effect on your operations.

The only way to mitigate these new risks is to adopt a strategy of cyber resilience. Essentially a multi-dimensional risk management approach that brings together threat protection, the right durability and tested recoverability.

Ask yourself these types of questions while evaluating your productivity platform cyber resilience plan:

• Where do you think Microsoft and Google productivity suites will be in 3-5 years’ time?
• What will be the largest risks to your future digitally transformed business?
• How do you expect threat actors to respond to the post-pandemic society?
• Can your organization ‘make do’ with occasional cloud service downtime or do you need your own plan B?
• Which specialist skills should you bring in-house and what should you outsource?
• What’s your backup plan for key remote workers when their ISP goes down?
• What is your backup video conferencing and team collaboration service?
• When was the last time your organization tested its business continuity plan?

This is not an exhaustive list but hopefully gives you a place to begin. Ask yourself, your team and your peers the same type of questions.

There’s rarely been a better time for the boardroom to take a keen interest in the concept of resilience, not just for IT hardware and software services, but a wide-ranging conversation from cash flow, supply chains, IT security, productivity and employee mental health. IT and risk leaders have the opportunity to step up and lead this agenda.

A prepared-for-anything mindset can only help guide us through this global crisis and come out stronger and more prepared than ever before.