Saturday 19 October 2019

Microsoft wants more Azure 'hacks' to boost security

Microsoft offers bug bounty payments. Photo: Bloomberg

Dina Bass

Microsoft has what may sound like a counter-intuitive request: Please try to hack into Azure more often. The company isn't encouraging malicious attacks but it does want security researchers to spend more time poking holes in its flagship cloud service so the company can learn about flaws and fix them.

Many so-called White Hat hackers do this for the company's older products like Windows, Office and browsers, but there aren't enough working on Azure, said Kymberlee Price, who oversees community programmes in Microsoft's Security Response Centre.


The firm's planning several steps to change that, including explicitly stating it won't take legal action against researchers and creating a game-like reward system that gives successful bug-finders perks and bragging rights. Microsoft currently offers bug bounty payments for Azure, but "it's just not getting as much activity as I would like to see," Price added.

It's an issue Microsoft needs to worry about as it bets big on cloud services for revenue growth. The shift to cloud computing is changing cybersecurity, providing new opportunities and new challenges. One of the biggest risks is that Microsoft now runs services for customers in its cloud, which means the software giant is on the hook to protect them.

Microsoft is planning to release what's called a Safe Harbour statement giving researchers legal clearance to report a vulnerability. "We've always done that but we've never formally articulated it," Price said. It's important to publish a formal policy as researchers work more on cloud systems where they may worry they'll accidentally knock a service offline or access customer data and get in trouble, she said.

