In response to the growing set of revelations about the NSA’s surveillance methods and alleged compromise of some large technology vendors’ services, Microsoft is taking a number of steps to try and reassure customers about the integrity of the company’s offerings and to greatly expand the use of encryption across its services.
Microsoft said that in the next few months it will be improving and expanding its use of encryption, specifically in its cloud services such as Azure, Outlook.com and Office 365. The company recently announced that it would be improving the encryption services on Office 365, but this new initiative goes well beyond that effort. Microsoft will be implementing Perfect Forward Secrecy on its cloud service and also will be moving to 2048-bit keys. This applies to data in transit between customers and Microsoft’s servers, but it also will be applied to information moving among the company’s data centers.
Microsoft said that these new security measures will be in place by the end of 2014, and some of them are in effect right now. The company also will be encrypting customer data at rest in its data centers.
“Although this is a significant engineering effort given the large number of services we offer and the hundreds of millions of customers we serve, we’re committed to moving quickly. In fact, many of our services already benefit from strong encryption in all or part of the lifecycle. For example, Office 365 and Outlook.com customer content is already encrypted when traveling between customers and Microsoft, and most Office 365 workloads as well as Windows Azure storage are now encrypted in transit between our data centers. In other areas we’re accelerating plans to provide encryption,” Brad Smith, general counsel and executive vice president for legal and corporate affairs at Microsoft said.
Microsoft officials, like their counterparts at Google, Yahoo, Apple and other tech giants, have spent much of the last six months dealing with a number of allegations in media reports of the Edward Snowden NSA leaks. The most damaging reports have alleged that these companies have provided direct access to their servers for the NSA, something all of them have denied. Recent revelations have shown that the agency is actually tapping into undersea fiber cables that move generally unencrypted data between data centers around the world. This revelation has angered engineers at Google and led the company to accelerate some of its existing plans to encrypt those data links.
While Microsoft’s moves to encrypt more customer data will provide better protection for customers, there is more that the company could be doing to give basic security to its millions of users, said Chris Soghoian, principal technologist at the American Civil Liberties Union. Soghoian has been urging Microsoft and other companies to turn on SSL by default on their Web properties for years and said that there a number of outstanding issues Microsoft needs to resolve to make these moves more significant.
“Bing still doesn’t offer SSL as an option. So will they finally change that? One of the things they said in this announcement is that they’ll be using best-in-class encryption, but that means more than just an algorithm. It means things like HSTS [HTTP Strict Transport Security] and certificate pinning,” he said. “Is Microsoft going to use certificate pinning in Internet Explorer?”
Certificate pinning allows browsers to define which certificate is associated with a specific Web property, as a defense against man-in-the-middle attacks that employ spoofed certificates. HSTS is a header that tells users’ clients that a given Web server only wants to accept secure connections.
In addition to the encryption changes, Microsoft also said it will be reinforcing the legal authorities that it uses to protect customer data that the company stores. The company notifies corporate and government customers when it receives a request for a customer’s data, and Smith said Microsoft will continue to do this in the future.
“Except in the most limited circumstances, we believe that government agencies can go directly to business customers or government customers for information or data about one of their employees – just as they did before these customers moved to the cloud – without undermining their investigation or national security. And when those limited circumstances arise, courts should have the opportunity to review the question and issue a decision,” Smith said.
But, Soghoian questioned why these same protections aren’t being extended to individual consumers whose data the government may seek.
“What about their regular customers? Forcing a gag order forces the government to go before a judge on something that they wouldn’t have to otherwise,” he said. “It’s really helpful to force the issue before an independent third party.”
Smith said Microsoft also plans to open so-called transparency centers in several locations around the world to enable government customers to inspect Microsoft’s source code for backdoors. The company has been allowing limited access to its source code for several years now, but will be expanding that in the near future.
“We’re therefore taking additional steps to increase transparency by building on our long-standing program that provides government customers with an appropriate ability to review our source code, reassure themselves of its integrity, and confirm there are no back doors. We will open a network of transparency centers that will provide these customers with even greater ability to assure themselves of the integrity of Microsoft’s products,” Smith said.