Amazon Paused Rollout of Microsoft Office for a Year After Hacks

Share

Amazon.com Inc. has delayed the deployment of Microsoft Corp.’s cloud-based Office suite for a year as the two companies work to resolve Amazon concerns about the security of the bundle of email and productivity software. The tech giants signed a deal last year to provide Amazon employees with Microsoft 365, the cloud-based package that includes Word, Outlook, Windows and other software. Amazon has long used versions of Office installed on its own servers.

But Amazon paused the rollout after Microsoft discovered a Russia-linked hacker group had gained access to some of its employees’ email accounts. After conducting its own analysis of the software, Amazon asked for changes to guard against unauthorised access and create a more detailed accounting of user activity in the apps, some of which Microsoft also markets as Office 365.

It’s an unusual confluence of events: a massive commercial deal between two Seattle-area cloud-computing rivals, a state-sponsored hack, and an engineering collaboration that could improve the security of the world’s most widely used office productivity software.

“We deep-dived into O365 and all of the controls around it and we held – just as we would any of our service teams within Amazon – we held them to the same bar,” said CJ Moses, Amazon’s chief information security officer. Moses’s team gave Microsoft security chief Charlie Bell – a former Amazon engineering executive – a list of requested enhancements, and engineers from both companies have spent months working on those changes.

“We believe we’re in a good place to start redeployment next year,” Moses said in an interview last week at Amazon Web Services’ re:Invent conference. Microsoft declined to comment.

Amazon committed $1 billion (roughly Rs. 84,821 crore) over five years to buy Microsoft’s 365 software for its roughly 1.5 million employees, Business Insider reported last year. The deal made Amazon, the second largest private employer in the US behind Walmart Inc., one of the biggest buyers of Microsoft’s flagship cloud productivity suite.

Then last fall, a hacking group called Midnight Blizzard attacked some of Microsoft’s corporate systems. The company disclosed in January that the group ultimately gained access to a “small number” of employee email accounts, including senior leaders and cybersecurity and legal workers. It was one among a series of lapses that spurred Chief Executive officer Satya Nadella to declare security Microsoft’s top priority.

Moses early this year recommended to Amazon security chief Steve Schmidt and CEO Andy Jassy that the company suspend the rollout, to give time for Microsoft to assess the damage and for Amazon to conduct further investigation.

“At that time still, Microsoft wasn’t able to tell us if they had gotten the [hackers] out of their environment,” Moses said.

Amazon’s requests included modifying tools to verify that users accessing the apps are properly authorized and, once in, that their actions are tracked in a manner that Amazon’s automated systems can monitor for changes that might indicate a security risk, Moses said. Microsoft’s bundle, cobbled together from what had been separate products, includes different protocols for authenticating and tracking users, some of which didn’t meet Amazon’s standards.

“We wanted to make sure that everything was logged, and that we had access to that logging in near-real time,” Moses said. “That was part of the hangup.”

Bell, who supervised Moses at AWS before leaving for Microsoft in 2021, indicated that Microsoft would make the enhancements available to other customers, Moses said. He praised his former boss’s efforts.

“They’ve done yeoman’s work,” Moses said. “We’ve given them some pretty steep tasks.”

© 2024 Bloomberg LP

(This story has not been edited by NDTV staff and is auto-generated from a syndicated feed.)