Microsoft must stop selling security as a premium offering

In a perfect world, Microsoft would take security seriously again. It would be transparent about breaches. Its execs would stop gloating about increasing security service revenue at a time when Microsoft can’t secure its own employees, let alone customers, against incidents that are happening with increasing frequency. And Microsoft would include must-have security capabilities as part of existing subscriptions instead of selling them as add-ons.

Selling security as a premium offering helped Microsoft build security into a self-proclaimed $20 billion USD per year business (as of January 2023). Making Microsoft 365 E5 a prerequisite to obtain core security tools is one part of Microsoft’s security growth strategy. Another is to make certain security tools available only as add-ons on top of its Microsoft 365 E5 subscription.

“Customers need the tools to keep their organizations secure without having to pay more and more every year for Microsoft’s latest top-shelf security services — which keep moving to higher and higher shelves,” according to Directions on Microsoft analyst Wes Miller.

The easiest but priciest option: Go all Microsoft 365 E5

Until Microsoft concedes, if it ever does, and makes more core security components part of the base Microsoft 365 subscriptions, what should customers do?

Some organizations are choosing to license all of their knowledge workers with Microsoft 365 E5, which costs $57 USD per user per month, because E5 includes all the capabilities of E3 and adds most (but not all) of Microsoft’s top-shelf security and compliance service. There is risk in only partially licensing an organization for E5, since security and compliance tools are typically enabled across the entire Microsoft 365 tenancy and rarely perform license enforcement at a per-user level.

Other customers try to get around going all E5 by cobbling together a bunch of a la carte security and compliance pieces and adding them to less expensive Microsoft 365 E3 or Office 365 E3 subscriptions.

This approach may have made financial sense for some orgs but doesn’t add up now. For several years, Microsoft offered two add-ons, Microsoft 365 E5 Security and Microsoft 365 E5 Compliance ($12 USD each), as a way for organizations to bring E3 users into license compliance without paying the full price of E5. But due to price increases implemented in 2022 for almost all Office 365 and Microsoft 365 suites, it is now more expensive to license users for the security and compliance capabilities via the two legacy add-ons instead of just licensing Microsoft 365 E5, which has not changed price in some time.

Microsoft takes a baby step

It’s not completely out of the question that Microsoft could make core security features part of more of its subscriptions. It did make a couple of concessions on that front after a couple of much-publicized attacks last year.

OAuth, a protocol for authorizing applications, was a key component used by Midnight Blizzard to attack Microsoft in 2023. While OAuth-based applications have become more common and are now increasingly being exploited to breach organizations, Microsoft has offered limited tools to help with oversight, and has been requiring Microsoft 365 E5 to use any of them.

After the Storm-0558 email hack which hit Microsoft and some of its key government customers last year, Microsoft’s faced complaints about some of its security-upselling practices. Logging information that would have allowed detection of the incident was only available to those Microsoft 365 customers who purchased the premium E5 plan. Those running E3 were unable to see the required logging information.

Microsoft officials pledged to make logging more broadly available, and in Oct., 2023, increased audit logging for Purview Audit (Standard) to 180 days from the original 90 days. For customers generally licensed with Microsoft 365 E3 (or less), this means that once logs are optimally configured, customers have 180 days to analyze the logged events for malicious actors before those events are lost entirely. But if customers want a longer period of logging, they still need to add Purview Audit (Premium) for one year of retention, and the 10-year Audit Log Retention add-on for up to 10 years of retention.

Will Microsoft bend further and make security core to more of its cloud subscriptions to help lessen the impact of attacks, not to mention bad publicity? We’ll be watching….

>>> Read full article>>>
Copyright for syndicated content belongs to the linked Source : Hacker News – https://www.directionsonmicrosoft.com/members/blog/2024-04-23/microsoft-must-stop-selling-security-premium-offering

Exit mobile version