Microsoft has recently been criticized for its approach to monetizing security services, despite the company’s struggle with vulnerabilities and data breaches. The company has been accused of prioritizing revenue over user security by charging additional fees for essential security features. A recent report from Directions on Microsoft has put the company’s security prices under a spotlight.
The Cost of Security
Enterprises are expressing frustration over being required to purchase must-have security add-ons on top of their existing subscriptions. Accessing core security tools necessitates a Microsoft 365 E5 subscription or an enhancement of an E3 subscription with compliance add-ons. To obtain a comprehensive security and compliance toolkit, some opt for the Microsoft 365 E5 subscription, priced at $57 USD per user per month. This package not only encompasses all features of the E3 level but also adds most of Microsoft’s advanced security services.
However, this approach can be prohibitively expensive, especially for larger organizations. As an alternative, companies have tried to combine various a la carte security and compliance options with the more affordable Microsoft 365 E3 or Office 365 E3 plans. This strategy has become less viable due to price increases across nearly all Office 365 and Microsoft 365 suites in 2022, making the E5 subscription the more cost-effective route despite its high cost.
Microsoft’s Incremental Adjustments and Ongoing Challenges
Following significant cyber incidents and the resulting public scrutiny, Microsoft has made minor concessions regarding its security offerings. Notably, after the Midnight Blizzard attack in 2023, which exploited OAuth protocols, and the Storm-0558 email hack affecting Microsoft and several of its key government clients, the company faced criticism for its up-selling of security features. In response, Microsoft pledged to make logging information more accessible, extending the audit logging for Purview Audit (Standard) to 180 days from the previous 90 days in October 2023. This adjustment gives customers with Microsoft 365 E3 subscriptions or lower a longer period in which to analyze logs for security threats. However, for a longer retention period, organizations are still required to purchase additional premium services.
Customers Call for Change
Industry analysts and customers alike are advocating for a more inclusive approach to security within Microsoft’s subscription models. Wes Miller, an analyst at Directions on Microsoft, emphasizes the need for organizations to secure their operations without facing escalating costs for top-tier security services, which are increasingly being placed out of reach. There is a growing consensus that Microsoft should integrate more of its security products into standard subscriptions, though this move could potentially impact the company’s security-related revenue and attract scrutiny from anti-trust regulators.
The question remains whether Microsoft will further integrate core security features into its broader cloud subscription models to mitigate the impact of cyberattacks and improve public perception. Last week, AJ Grotto, a former senior White House cyber policy director, voiced his concerns, suggesting that Microsoft’s dominance in the sector poses a national security risk. Grotto’s comments to The Register come in the wake of several high-profile security breaches, including incidents involving SolarWinds and unauthorized access by foreign entities to US government emails through Microsoft’s platforms.
For example, during the SolarWinds attack, Microsoft lacked essential logging features by default. This made it difficult for the government to identify vulnerabilities in its systems. Even though Microsoft makes a lot from security services (around $20 billion last year), it resisted making changes without pressure. Grotto argues this shows Microsoft’s dominance over the federal government and its willingness to prioritize profits.
Last Updated on November 7, 2024 8:50 pm CET