Amazon delayed the deployment of Microsoft 365, the widely-used cloud-based productivity suite, following security concerns linked to a high-profile cyberattack, reports Bloomberg
Amazon had signed $1 billion licensing agreement with Microsoft, which is intended to modernize the company’s workplace tools for its global workforce. The decision to halt the rollout highlights the growing complexity of safeguarding cloud-based services in an era of increasingly sophisticated cyber threats.
Cyberattack Sparks Doubts
The suspension is tied to a 2023 cyberattack by a hacking group known as Midnight Blizzard, which has been linked to Russian intelligence. The breach targeted Microsoft’s corporate systems, compromising email accounts belonging to high-level personnel, including cybersecurity and legal teams.
Microsoft disclosed the incident in January 2024, acknowledging that the hackers accessed a “small number” of accounts.
Amazon’s Chief Information Security Officer, CJ Moses, expressed concern over the breach and its implications for deploying Microsoft 365. Moses stated to Bloomberg, “At that time, Microsoft wasn’t able to tell us if they had gotten the [hackers] out of their environment.”
The breach prompted Amazon to reassess the security protocols in Microsoft 365, delaying its adoption until potential vulnerabilities could be addressed.
Amazon’s $1 Billion Deal with Microsoft
Amazon’s decision to transition to Microsoft 365 was announced as part of a $1 billion, five-year agreement signed in late 2023. The contract includes one million licenses for the suite, which integrates popular applications like Word, Excel, and Outlook into a unified cloud-based platform.
This meant was a departure from Amazon’s reliance on its in-house tools, such as AWS WorkDocs and WorkMail, as the company sought to enhance collaboration and productivity across its sprawling workforce.
The rollout was initially planned to begin in November 2023, aligning with the release of Microsoft 365 Copilot, an AI-powered assistant that integrates generative AI capabilities into Office applications. However, security concerns stemming from the Midnight Blizzard attack caused Amazon to suspend the deployment.
Moses noted that Amazon applied the same rigorous standards to Microsoft as it does to its internal service teams. “We held [Microsoft] to the same bar as we would any of our internal service teams,” he said.
Addressing Security Gaps
Amazon identified several areas in need of improvement within Microsoft 365, including enhanced real-time logging and consistent user authentication protocols. The suite, originally developed as standalone applications, lacked uniform security standards, leading to potential gaps in tracking and monitoring user activity.
Moses emphasized the importance of comprehensive activity tracking, stating, “We wanted to make sure that everything was logged, and that we had access to that logging in near-real time.”
Microsoft responded by deploying its engineering teams to address Amazon’s concerns. Charlie Bell, Microsoft’s security chief and a former Amazon executive, played a pivotal role in implementing the requested updates. Moses praised Bell’s leadership, noting, “They’ve done yeoman’s work. We’ve given them some pretty steep tasks.”
Rare Collaboration Between Rivals
The partnership between Amazon and Microsoft represents a unique instance of collaboration between two fierce competitors in the cloud computing sector. Amazon leads the market with AWS, while Microsoft’s Azure platform has been gaining significant ground in recent years. Despite their rivalry, the two companies have occasionally worked together, but also competed fiercly, like in the case of Joint Enterprise Defense Infrastructure (JEDI) program.
The collaboration to enhance Microsoft 365 security demonstrates a shared recognition of the importance of addressing cybersecurity challenges in an interconnected digital ecosystem.
For Microsoft, the deal underscores the appeal of its flagship productivity suite. For Amazon, the move reflects a strategic decision to prioritize operational efficiency and workforce productivity over promoting its proprietary tools.
Broader Implications for Cloud-Based Security
The delay in Amazon’s adoption of Microsoft 365 underscores the growing scrutiny faced by cloud software providers in ensuring robust security. In recent years, high-profile breaches have underscored the vulnerabilities inherent in cloud services, prompting companies to demand higher security standards from their vendors.
Under CEO Satya Nadella, Microsoft has prioritized cybersecurity, investing heavily in strengthening its cloud offerings. The enhancements requested by Amazon could set a precedent for how cloud-based productivity tools are expected to meet enterprise-level security requirements.
Deployment Timeline Remains Unclear
While Amazon and Microsoft have made progress in addressing security concerns, neither company has provided a definitive timeline for resuming the rollout. Engineers from both organizations continue to collaborate on implementing the necessary updates, with Amazon’s eventual adoption of Microsoft 365 contingent on meeting its stringent security benchmarks.
Moses remained optimistic about the collaboration but emphasized the importance of getting it right. “We believe we’re in a good place to start redeployment next year,” he told Bloomberg.