Disclaimer: Opinions expressed are solely my own and do not express the views or opinions of my employer or any other entities with which I am affiliated.

As I’ve attended events recently, people in my network regularly bring up Microsoft’s security business and debate how it poses an existential threat to current security companies. The topic has gained more traction as cybersecurity budgets either stay the same or shrink. Microsoft plays well into this trend by providing a suite/platform of products, resulting in vendor consolidation and lower operational costs. Another benefit is that not only is Microsoft a trusted name but also having more offerings in their platform allows security teams to work on security problems rather than wasting their time evaluating and possibly switching vendors.
However, in this post, I argue that although Microsoft might gain market share, it’ll struggle to compete against next-gen security companies, such as CrowdStrike and Palo Alto Networks. In other words, Microsoft will primarily take market share from legacy vendors rather than the likes of CrowdStrike and Palo Alto Networks.
What is Microsoft?
Microsoft doesn’t require any sort of introduction. It’s a huge software conglomerate that provides many types of software and services, such as cloud services (Azure), professional social networking (LinkedIn), and SaaS (Office 365). What’s important here is that it has a substantial cloud business, but in my mind, it’s primarily seen as an IT company rather than a modern software company with the strange anomaly of GitHub, which was acquired in 2018 for 7.5B in stock (a value that has only increased since the acquisition).
Microsoft as an IT company
Microsoft was and still is primarily known for its productivity software, namely the Office suite. Similarly, the Windows operating system can be considered a piece of productivity software as it provides an interface to do work on your computer without having to create your own scripts and command line tools. As a result, Microsoft has always been perceived as a productivity software company. Companies buy Microsoft to increase the productivity of their workers. For example, their word processing and spreadsheet solutions are commonplace.
Given the rise of the cloud, Microsoft was able to convert many of its customers to the cloud by first offering Office 365 as a SaaS solution, and then came its cloud offering, Azure. However, having some experience with Azure, I believe it’s not meant for the new generation of applications and developers. It’s meant for former on-prem customers who are migrating voluntarily (or involuntarily) to the cloud. They tend to have IT teams that manage the infrastructure but now are required to manage the cloud. Microsoft is trying to make this transition as smooth as possible. It’s trying to make it easy for IT teams to do basic DevOps in the cloud.
Specifically, it doesn’t cater to the new DevOps and agile mindset that many modern software companies have adopted. Compared to AWS and even GCP, the tooling and interfaces aren’t as mature from a DevOps perspective. One representative example is the access permission models in Azure. They feel overly complicated, but in reality, they map to the Active Directory permissions model, which IT teams are familiar with.
Overall, it seems that the types of organizations that use Azure are the ones where infrastructure was an IT function and will continue to be one after the cloud migration.
What does this mean for their security offering?
First, let’s take a look at Microsoft’s security offerings. On their website, they have 6 product families:
Defender - this seems to be both their endpoint and cloud security product
Entra - their identity product
Intune - their endpoint management product
Priva - their privacy product
Purview - their data security product
Sentinel - their SIEM product
What’s missing here but is briefly mentioned in their cloud solutions is GitHub Advanced Security, which is an application security product. In fact, there’s little mention of developer security at all.
It’s clear from the list and from their website that the focus is on IT security products. More importantly, there’s not a strong emphasis on the cloud. In the solutions, there are mentions of cloud security. They are trying to use similar messaging to CrowdStrike and Palo Alto Networks on both EDR/XDR and cloud security.
However, it’s confusing. Specifically, the Defender product seems to compete against both cloud security and endpoint security products. It’s mentioned in the cloud security solutions and as part of EDR/XDR. It seems that they view an endpoint as both a cloud instance and a physical device, such as a laptop. How does Intune fit into this? However, modern security companies consider them separate because they are likely owned by different teams. That is, IT typically owns devices, and DevOps/infrastructure engineering owns cloud instances. Having one product with two stakeholders solving seemingly two separate problems seems problematic.
Yet, this is a perfect example of Microsoft’s target market. They are creating solutions for IT teams that work on security. There’s also a heavy focus in the product families on security operations that IT has historically owned. There’s no obvious mention of a developer security solution.
What else does this mean? Although they provide a comprehensive platform, it’s confusing for companies that have more modern development teams and their corresponding threat vectors. It’s admirable though because Microsoft is listening to its customers, namely the Azure customer base who want these solutions. It makes it easier for customers to add these solutions to their existing cloud offerings. These products are more mature than what AWS and GCP offer in their cloud products. These are likely the same buyers who are looking at more legacy security solutions, such as Cisco, Barracuda, Fortinet, and Symantec.
Unfortunately, I believe that this market is shrinking or at best stagnant. Modern development teams tend to be multi-cloud or at the very least use either AWS or GCP. They tend to have fleets that include Apple devices. The Microsoft branding also doesn’t help its case here as customers might wonder if it will work well with other platforms. I’m sure it can, but it’s well-integrated into Azure and Office 365. At the very least, it seems like Microsoft is focused on those in its ecosystem, so it doesn’t feel competitive to CrowdStrike or Palo Alto Networks, which are tailored to a more “modern” customer who wants a platform-agnostic solution.
Their security growth seems to be tied to their self-created market, i.e. the Azure market, rather than the broader security market. That’s why I believe Microsoft will struggle in the broader security market (and probably why they aren’t trying to compete in that market yet). Another affirming example is that, despite having a large market share in the code repository market with GitHub, the GitHub security offering struggles against modern application security products, such as Snyk.
Microsoft can continue to operate and grow in this niche, but as Azure’s presence grows, more cloud security companies will invest more resources in this market. As a result, it will likely create pressure on Microsoft’s existing offerings as companies will look for more mature and “neutral” security products. Now it’s up to Microsoft on whether it wants to mature its security business or take an approach like AWS and GCP and have its security offerings be just a “starter package.”
Takeaway
I thought about naming this post “How Microsoft Security fails,” but in my opinion, it hasn’t succeeded yet (as a security business). It can get away with IT-focused security products and have somewhat confusing products and solutions, e.g. Defender and Intune, because it defines its own rules in its own ecosystem, Azure. They have made it easy to include security for those who use Azure and honestly, who might be struggling to manage security with the cloud and modern development teams.
Unfortunately, Microsoft with their current solution and product offering won’t be competitive in the broader security market. I’m not sure they want to be, but if they do, they have to make some changes, which is a topic for another blog post. They have found a nice niche and are likely taking market share away from legacy security vendors. The larger security companies don’t have to worry any time soon. The real question is whether Microsoft wants to invest more in its security business.