HxGN Radio Podcast

Security at Hyper-Scale

Traditional security tools will not help you identify and remediate emerging cyber threats. A cloud-first security strategy lets you gain greater visibility into and control over your hybrid estate, simplify your environment, and better manage cybersecurity risks. Join Microsoft in this HxGN TV episode as it discusses its cloud security strategy and roadmap for the future.

BK: Welcome to HxGN Radio. My name is Brian. With me today is Mark McIntyre from Microsoft to discuss security at hyperscale. Thanks for joining us, Mark.

MM: Thanks for the opportunity. I appreciate it.

BK: All right. So, what does it take to protect your data, your systems, and your applications? Who sees your data and owns it? These days, we constantly hear of data breaches and cyber attacks on government agencies and critical infrastructure. So today, we’re going to be discussing this hot topic. I’d like to know a little bit of a holistic view of what cybersecurity from Microsoft is, from your perspective.

MM: Sure. Well, we’ve been investing heavily in security for over 15 years, really. But it wasn’t till probably just the last four or five years that we decided we’d take a much more proactive, aggressive approach to it, in terms of getting our message out there. The truth is we’ve been investing about a billion dollars a year in cyber security for the last several years. The point for us is that we want to make sure that, as companies, partners make larger business decisions and know where you want your business to go, in terms of digital transformation and how you’re going to work in the future. Security should be part of that conversation. Security should not be a bolt-on afterthought.

BK: Agreed. It’s definitely a problem right now, so it’s good to be working on that and being proactive about it.

MM: Yep.

BK: So, what are you doing right now in this space?

MM: Well, security for us is a multifaceted investment approach. We still believe, as a software company at heart, that security begins with code, and with applications that are written as secure as they possibly can be. So, we continue to this day to use the security development lifecycle as the real lifeblood of our engineering efforts.

We also invest heavily in identity. Identity, I think, is the critical control play now. We’ve also been investing heavily the last several years in data. We’ve been taking Microsoft’s massive global security data set and doing all we can with it at scale, using machine learning, AI, tools like that. We’ve also been opening more and more of that data, so we can work with partners, CERT agencies, responders, and actual customers.

BK: Obviously a lot of agencies and governments are now turning to the cloud, for example. What’s Microsoft doing to protect the data on that?

MM: Oh, we do a lot of things. There is an inside joke in the company that I hope comes off OK, where customers ask, “Microsoft, what keeps you awake at night?” Some of our security experts are known to point back to the customer and say, “You.” Because when you come into the cloud, our cloud, we inherit your risks. You’re a threat actor. You know, because it’s all in how you tell that joke.

We’re investing heavily from the ground up in terms of how we build data centers. That’s one reason why I wanted to come to this conference. How we operate and maintain data centers; how we handle encryption; how we work with standards bodies; how we work with governments and regulators. There’s really no one magic bullet here in terms of how we can help organisations move to the cloud and be more secure. We have to do a lot of things at once. A lot of overlapping investments.

BK: How does Microsoft deal with data sovereignty? Obviously this is important to governments.

MM: Sure. Microsoft announced probably well over a year before GDPR took effect, I think it was May 18th or May 25th, we announced that we will be GDPR compliant as a company. We met that goal. We were very serious about that. We certainly take a strong look at our compliance posture, making sure that we are working within boundaries of national regulations or industry-specific requirements like Sarbanes-Oxley, HIPAA, PCI standards, and standards bodies like those.

We’re also working very closely with law enforcement agencies to go after cyber criminals, like botnet herders for example. We partner very closely with organisations like Interpol and Europol, and with industry partners in many cases, to go after organisations that harm our users.

We make available our technologies and data centers. Essentially, as you go from infrastructure to service, and platform as a service, and software as a service, we can take on more and more of that security work for you, along with our partner ecosystem. A big focus of our work right now is encouraging organisations to move responsibly at the pace that responds to their security budget and compliance requirements, to help move organisations more and more to the cloud. So, we take on more security work for them.

BK: Say my data is in a certain country with different rules. How do you protect that?

MM: Sure. We have 50 data center regions around the world right now. Each region has at least two data centers in it. We guarantee residency, so that it’s actually written into our SLAs. When you are a company and you create a resource in one of our regions, it will stay in that region. It’s financially backed, and we give you ways to verify that is indeed the case. So obviously if you’re multinational or you’re a corporation operating in different countries, you have the option to create and store data in each country as you see fit.

We also work very hard on offering different levels of encryption. Essentially, different ways to encrypt your data. Data at rest in the data center, data at transit, data as a leasing service, and data in use gives you a lot of flexibility in how you as a user want to create your own keys for encryption. You can find ways to really get the level of assurance that Microsoft might be managing your data for you, but it’s still your data, and you still have absolute control over the data.

BK: Excellent. How does Microsoft protect its own data?

MM: That’s a good question. First of all, I encourage everyone to go to a really interesting part of our website. If you’re not going to believe me, go to our own IT organisation Microsoft IT, and they have a fantastic set of resources called the MS IT Showcase. It’s dozens and dozens of really interesting short digestible case studies on how we have approached change. It shows how we have proactively faced it, and devised policy, employee collaboration, remote worker scenarios, and federated environments.

In other words, we are living this transformation ourselves. We have moved our own company into the public cloud. You could say we are 10 and 0. We have met the future of our company and our ability to protect data in the cloud. We take a lot of the learnings that we’ve had, and we figure we’re a big company operating in 190 countries with a hundred and something thousand employees. Our IP is very precious to us and there’s a lot of lessons there. We figure if there’s a use case applicable to Microsoft about how we protect data and how we grant privileges, it’s probably applicable to a larger ecosystem. A lot of the technologies, policies, and services that we offer come out of our own experience, within our company, to the cloud.

BK: Yeah. It’s great. Do you have a website linked specifically to go?

MM: Type in MS IT Showcase.

BK: MS IT Showcase. All right. Excellent. What are some of the highest risks and threats that you’ve seen?

MM: The nation state attackers. Those tend to be in the news the most. They get the most attention. Movies and books are written about them. They’re out there. They’ll always be out there. But I think the greatest collective threat that we have, for better or worse, is how people use IT, and the dreaded eighth OSI layer: people. People interacting with technology: we all want to work; we all want to collaborate; we all want to use our own devices; we all want to use cloud storage apps; we want to use our phones.

As IT security and data and risk owners, we are charged with having to manage and having to maintain that elusive balance between security and productivity. In our case, we still view challenges against average users as the biggest threat area. Because the reality is, while there are advanced hackers out there, most hackers don’t need to be very good. They can just be persistent. They can go off. They can go on the Internet, and they can reuse older exploits, because they know they’re always going to be able to find a user or company that is not doing some of that important hygiene for security.

Now, if you want some specific examples of really serious threats, and things that keep us awake at night, think about some of the recent ransomware attacks like NotPetya, for example. We have a very troubling trend where the more advanced society of attackers are coming in and implanting malware where different variants pop up according to each user.

Suddenly, exponentially, the defender’s job gets much harder. It’s almost like whack-a-mole. You’re having to play defense. You’re having to be good 100 percent of the time, when the attacker only has to be good one time to get in. So, that’s a very troubling area. It’s out there. But fundamentally, I think our focus is still going to be on protecting identity and people who actually use technology and devices.

BK: Now like you said, it’s more like the whack-a-mole thing. But, I’m assuming, you’re also doing proactive measures to try to get in front of those as much as you can.

MM: We do a lot of that. You know, if you think about the explosion in devices and explosion in data, I know that’s been a big theme here at the conference this week. Fundamentally, how well you understand your own data, in this case security data, will dictate how well you can defend your organisation. Traditional defenses are important, but more and more of tomorrow’s investments are going to be focused around big data sets and things that help you understand unusual behavior, unusual credential behavior, and unusual application usage. In and of themselves, these events or alerts don’t necessarily mean a compromise or attack. But they point to something that should not be happening in your environment. More and more of our investments in the industry are going to be technologies that capitalise on machine learning and AI type offerings to help really parse out massive datasets and find those needles in the haystack and find those outliers. Increasingly, that’s going to be where you’re going to find attacker activity.

BK: Sure. OK. How can a company like Hexagon leverage Microsoft’s offerings to protect our customers, for example?

MM: Well, we think it’s important to adopt more and more of a cloud-first security model. You don’t get there overnight, but you take steps. Definitely, the more Hexagon and your ecosystem can move into infrastructure, platform, or software as a service model, you transfer some of that risk over to cloud providers like Microsoft.

You still ultimately own your risk, but we can handle more and more of that for you. We can do it at a pretty massive scale. So, as you think about transforming environments and as you think about how you’re going to collaborate in these federated environments, if you give us the opportunity to take more of that work for you, you can free up expensive security talent to actually focus on security alerts that matter.

In other words, I mentioned this data explosion. Do you want your scarce security talent managing infrastructure? Do you want them managing the logistics of security? Would you like to free them up and manage the actual events that can hurt you?

BK: That’s a good point. Good point. What’s the future going to look like for data security? It just keeps changing.

MM: I don’t think we’ll stop collaborating. I really hope no one picks up their marbles and goes home.

People are going to want to work on a device that they want to work on. They’re going to want to use new SaaS apps. They are going to want to store data anywhere they possibly can, especially as more younger folks and millennials come into the workforce. College students now, they just expect this experience, and we have to find a way to provide this type of experience for these users.

I think future data security is really going to be focused on creating more and more on software providers. Those providers providing more and more holistic, end-to-end capabilities, to help a user just simply work how they want to work on a device, a phone, or what have you, whether at Starbucks or a kiosk.

At the same time, the security teams are going to need more and more assurance that they can apply a certain protection, a label, a policy on an email or document. Then that protection will follow that document throughout its lifecycle. Protection will not end at the firewall. It will not end with the device. Protection will follow that object. I think that’s the model that we really have to get to. It’s out there. Microsoft certainly does a lot of this work.

Others in the industry do it as well. If we can encourage organisations to think about identity-driven environment, identity-driven security, and get away from some of the old thinking, I think that we can really help maintain that balance.

BK: Good. Well sounds good and things are moving in the right direction and I like the idea like you said of the collaboration and doing what you can. That’s the main thing. Keeping people involved. Excellent. Well Mark, thank you very much for sharing all of this. I appreciate your time today.

MM: My pleasure. Thank you.

BK: Absolutely. All right, for more information and more episodes go to Thanks so much for listening today and have a great rest of your day.