Microsoft’s newest innovation is … Viva. “Live to Work, Work to Live”. But, boy, those pesky cybersecurity issues keep intruding, don’t they?


The Microsoft Mantra: “We discover new things to sell to distract people from some of our more interesting issues. Like all those security challenges we constantly face”.

 

BY:

Antonio Greco
Cyber/Data Science Analyst 

PROJECT COUNSEL MEDIA

29 September 2022 (Siena, Italy) – I read about a weird Microsoft innovation. No, no, no – it’s not about cybersecurity. Perish the thought. No, it’s not about getting a printer to work in Windows 11. No, it’s not about the bloat in Microsoft Edge. And – at least not yet – it’s not about the wild and extremely wonderful world of Microsoft Teams.

The title of the article in Computerworld is “Microsoft Viva Enhancements Address Employee Disconnect in Hybrid Work Environments”. After explaining why humans invented an office or factory to which employees went to complete tasks, the author tries to illustrate why the work from home approach is not a productivity home run. Employees like to get paid and fiddle around. Work is often hard. I did spot one Italian government employee sitting in a one room office here in Siena doing absolutely nothing. I checked on the fellow three times over three days of our video shoot. Nothing. No visitors. No phone buzzing. Not even a computer in sight. Now that’s a reliable worker … doing nothing with style. Ah, the Italians.

But I digress. Let’s get to the Microsoft inventions, shall we?

The product/service is Microsoft Viva and it has the usual Redmond touch. There is Viva Pulse and there is Viva Amplify. What’s up? According to the write up:


“Viva Pulse is designed to enable managers and team leaders to seek regular and confidential feedback on their team’s experience, using smart templates and research-backed questions to help managers pinpoint what’s working well, where to focus, and what actions could be undertaken to address team needs”.

And next up:


“Viva Amplify is meant to improve communication between leaders and employees. The app centralizes communications campaigns, offers writing guidance to improve message resonance, enables publishing across multiple channels and distribution groups in Microsoft 365, and provides metrics for improvement”.

Other extensions may be Viva Answers, Viva Leadership Corner, Viva Engage, and my personal favorite “People” in Viva.

These products include Microsoft smart software which will perform such managerial magic as answer employee questions. Also the systems will put “collective knowledge to work for all employees.” Yep. “All”. I love categorical affirmatives, don’t you? So universal. There will even be a “Leadership Corner” where employees “can interact directly with leadership, share ideas and perspectives, participate in organization initiatives, and more.”

Okay, I can’t summarize any more. I’m getting sick.

How did this all come together? My take is that Microsoft got a group of 20 somethings together (possibly in a coffee shop) and asked them to conjure up a way for employees working on a project in their jammies to communicate. The result is Viva, and it will be pitched by certified partners to big customers as a productivity enhancement tool. If I were trying to sell this to a government agency, I would say, “This is an umbrella under which Teams can operate. Synergy. Shazam! Oh, the first year is free … when you renew your existing Microsoft licenses”.

The concerns are obvious:

– As many cybersecurity experts have already opined, the Viva construct will expand the attack surface for bad actors.

– The numerous moving parts will not move in the way users expect. Typical Microsoft.

– Managers will find that learning the constantly updating Viva components is time consuming, and they will go back to managing the old way – phone calls and walking around.

Great innovation? Hardly. To Microsoft, however, this is the equivalent of discovering a new thing to sell and distract people from some of Microsoft’s more interesting issues. Like its never-ending security issues.

As we have chronicled over many, many, (many) years, every year seems to be a security annus horribilis for Microsoft, with numerous, continuing vulnerabilities impacting its leading services, including Active Directory, Exchange, and Azure. Microsoft is no stranger to being targeted by cyber attackers seeking to exploit known and zero-day vulnerabilities, but the rate and scale of the Microsoft incidents put the tech giant on a continuing back foot. A few months ago the eDiscovery community found out how bad when cyber attackers accessed a document review (defined here for our non-eDiscovery readers) via Microsoft Exchange. And those issues continued last week: hackers took over Microsoft Exchange Servers using rogue OAuth apps. [sigh]

 

As we have also chronicled, Microsoft has made many catastrophic architectural decisions. The design of Active Directory, Office macros, PowerShell, and other tools has enabled successive generations of threat actors to compromise entire environments undetected. This is one of the primary reasons why ransomware attacks spread from single machines to entire organizations unchecked. Now, many of these mistakes are being repeated in the cloud. We only need to look at the horribly insecure default configuration of Office 365 for evidence of that.

Yes, yes, yes. I know. Corporate politics are complex. When your mission is to “empower every organization on the planet to achieve more”, sometimes shipping a risky productivity feature (like adding JavaScript to Excel) will ride roughshod over Microsoft’s army of well-intentioned security professionals. If the company was moving slower to ship more secure code, discontinuing old features (like Apple), or trying to get its massive customer base to a great security baseline faster (like Google), it could do amazing things for the security community. But it’s not.

So rather than investing millions into preventing vulnerabilities and exploitable configurations, Microsoft is instead profiting from their existence. So, with one hand, the company ships vulnerabilities and hosts malware, and with the other, it charges to “protect” users from those same vulnerabilities and threats. Add in the world’s most extensive incident response practice, and Microsoft is the arsonist, the fire department, and the building inspector all rolled into one. Pretty good business model, yes?

The good news? Many organizations “get it” and are now looking beyond Microsoft to protect users and environments. As we learned this year at the International Cybersecurity Forum, most security leaders now are reluctant to put all their eggs in a Microsoft basket.

But just one note: I think it is pretty fair to say IT professionals should both expect and demand that all their vendors, even the big ones, mitigate more security risk than they create 😉

 

 
