The power of cloud computing keeps us connected to our data, our devices and each other like never before
so it's more important than ever to keep it secure, private and safe from current and future threats
that's why hundreds of microsoft engineers, scientists and researchers are working to protect you by...
securing
the cloud
Inside the high-tech, high-stakes race to keep the cloud safe, secure and empowering for all.

Introduction

A New Era

In Cloud Computing

At any point in time on any day of the week, Microsoft’s cloud computing operations are under attack: The company detects a whopping 1.5 million attempts a day to compromise its systems.

Microsoft isn’t just fending off those attacks. It’s also learning from them.

All those foiled attacks, along with data about the hundreds of billions of emails and other pieces of information that flow to and from Microsoft’s cloud computing data centers, are constantly being fed into the company’s intelligent security graph.

It’s a massive web of data that can be used to connect the dots between an email phishing scam out of Nigeria and a denial-of-service attack out of Eastern Europe, thwarting one attack for one customer and applying that knowledge to every customer using products including the company’s Azure computing platform, Windows 10 operating system or Office 365 productivity service.

Those security threats have heightened substantially in recent years, as criminals have built lucrative businesses from stealing data and nation-states have come to see cybercrime as an opportunity to gain information, influence and advantage over their rivals. That’s led to potentially catastrophic attacks such as the WannaCrypt ransomware campaign that’s made recent headlines. This evolving threat landscape has begun to change the way customers view the cloud.

“It was only a few years ago when most of my customer conversations started with, ‘I can’t go to the cloud because of security. It’s not possible,’” said Julia White, Microsoft’s corporate vice president for Azure and security. “And now I have people, more often than not, saying, ‘I need to go to the cloud because of security.’”

It’s not hyperbole to say that cloud computing is completely changing our society. It’s upending major industries such as the retail sector, enabling the type of mathematical computation that is fueling an artificial intelligence revolution and even having a profound impact on how we communicate with friends, family and colleagues.

That’s because the cloud has given people the ability to take advantage of massive computing resources, far larger and more efficient than what is available within a company data center, and the ability to access those resources via any individual computer, cellphone or other gadget.

In the process, cloud computing itself has become a formidable business. The analyst firm Gartner projects that the public cloud services market will grow to nearly $385 billion in 2020.

Microsoft expects its commercial cloud business alone to see an annualized revenue run rate of $20 billion in its 2018 fiscal year.

As more people have started to trust their data, business and personal information to the data centers that power the cloud, it’s ushered in a new era of cybersecurity.

On the one hand, individuals and companies have had to give up a measure of physical control that comes from knowing all their emails and family photos are on the hard drive of their home computer in the living room, and all their sales or payroll data are stored on servers physically located within company offices.

But on the other hand, security experts say, the cloud has allowed companies like Microsoft to create much more sophisticated tools to guard against increasingly cunning attackers. That means instead of having to manage security completely on their own, companies also can rely on cloud service providers like Microsoft who have only one job — to keep your data secure.

A Digital Geneva Convention

Why we need a global commitment to keep the cloud safe from cyber attacks perpetrated by nation states.

“One of the fundamental things people should realize about cloud service providers is that security and compliance is really core,” said Doug Cahill, a senior cybersecurity analyst with the consulting firm Enterprise Strategy Group, Inc. “It isn’t an option for their business. It is their business.”

Locks and clouds are shown in a 3D graphic illustration

Security from the ground up

The cloud has some built-in advantages. Unlike the internet in general, it was built from the ground up with modern security and privacy in mind. It’s also a controlled ecosystem protected by people who spend all day thinking about data security and privacy.

Cahill said that, traditionally, internet and computer security safeguards have been bolted onto a tool rather than built into it. With cloud infrastructure, security considerations are part of the development process.

“The cloud is an opportunity to do security better,” he said.

And with tools like the intelligent security graph, the cloud benefits from a sort of group immunity: Any time Microsoft detects a security threat to Azure, Office 365 or another service running on that cloud platform, every other service on that platform gets the benefit of that knowledge.

White thinks of it like this: Before cloud computing, everyone had their own little island of information about attempted attacks on their individual companies. Now, Microsoft has the benefit of being able to gather and analyze billions of pieces of information a day to look for attempted attacks, and apply that information for the benefit of all its customers.

“The interesting thing about security is, unlike other technologies, it’s a cat-and-mouse game. There’s bad guys and then there’s good guys, and we kind of chase and catch and chase and catch,” White said. “And ultimately, the thing that puts you ahead of that chase is insights and intelligence.”

By the Numbers

The Microsoft Cloud

Every second, Microsoft adds hundreds of gigabytes’ worth of telemetry to the Intelligent Security Graph.

Intelligent Security Graph illustration

Microsoft scans 400 billion emails for malware and phishing scams each month through Office 365 and Outlook.

Email security illustration

Microsoft invests about $1 billion in cloud security each year.

Cloud security illustration

Cross-company approach

But security experts say it takes more than one line of defense to keep data safe. To secure its cloud, Microsoft takes a comprehensive approach that stretches across the entire company, providing security for both consumers and businesses.

The company’s product teams offer a wide variety of tools to monitor and respond to security threats, as well as specialized services to help companies keep their data safe. Microsoft’s more than 3,500 security engineers are also constantly fine-tuning those approaches they learn from each cyberattack, including the recent WannaCrypt ransomware campaign.

Its public policy and legal arm also has developed a set of policy considerations and recommendations for secure, trusted and accessible cloud computing that build off its years-long commitment to trustworthy computing.

More recently, it has called for a Digital Geneva Convention to establish standards for international conduct and worked on ways to protect people’s privacy to meet government regulations.

In the days following the WannaCrypt attack, Microsoft redoubled its efforts to establish a Digital Geneva Convention and get governments to not just stockpile vulnerabilities, but consider when a vulnerability should be reported to a vendor. The WannaCrypt attack stemmed from exploits that had been stolen from the U.S. National Security Agency, and although Microsoft had released a patch to protect against the attack, many organizations were not yet protected.

“We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits,” Brad Smith, Microsoft’s president, wrote in a company blog post outlining the steps the company took after the WannaCrypt attack.

In addition to addressing and responding to customers’ current threats, Microsoft also has research labs throughout the world that are working on a number of breakthrough technologies to improve cybersecurity and address threats that could arise in years to come.

These efforts are closely coordinated. Take a look at a recent research paper on cloud security and you’ll find the author list includes both researchers and a top Azure executive. Talk to one of the company’s sales directors and you’ll find he’s been spending as much time with the research teams as the product groups, trying to figure out thorny challenges for customers such as how organizations can share customer data without compromising privacy. Read about Microsoft’s public policy approach and you’ll find policy recommendations that address everything from regulatory mandates to customer privacy expectations.

“What makes us unique is that these disciplines inform one another,” said Scott Charney, who serves as corporate vice president for trustworthy computing. “Ultimately, you want public policies that truly improve security and are technically achievable at an engineering level.”

Microsoft executives know this isn’t a battle anyone can win alone, and that’s why they rely on, and have helped build, a broad community of partners, including government policymakers.

“There are a lot of pieces that need to come together for us to be successful in cybersecurity,” Smith said. “It requires strong action by technology companies. It requires strong affirmative action by customers and it also requires strong affirmative action by governments.”

That’s a symbiotic relationship that helps everyone, said Jeannette Wing, who is currently the corporate vice president in charge of Microsoft’s basic research labs and recently accepted a new role as head of Columbia University’s Data Science Institute, starting in July 2017. Sometimes, she noted, security and privacy technology is being developed faster than public policy can be formulated, and sometimes the public policy drives technology companies to come up with creative solutions in order to be successful.

“There’s no silver bullet,” Wing said. “We need everything in our arsenal.”

In both security and privacy, Microsoft also has the luxury of thinking beyond responding to the short-term threats, and looking ahead to how the cloud can remain secure a decade or more in the future. That’s due in part to its worldwide network of research labs, which employs some of the world’s leading cryptographic and security researchers, Wing said.

“Microsoft Research has the unique responsibility to the company for thinking long term and anticipating problems the company will have – but they don’t even know they are going to have,” she said.

PART II

Team Effort

Cyber Heroes and Villains

Bharat Shah is the kind of guy who is so immersed in the nitty-gritty aspects of cloud security that he can effortlessly spin through a litany of acronyms, statistics and industry jargon with as much ease as most of us order a sandwich.

But Shah, Microsoft’s corporate vice president of security for the company’s Azure platform, knows that for most of Microsoft’s customers, none of those acronyms and statistics matter. What they care about is whether their data is going to be safe.

That’s why, to explain why he believes Microsoft’s systems of protection and detection are superior, he goes back to a time before the internet. He compares cybersecurity to the way in which U.S. states trying to catch bank robbers got a lot better at doing so once they all started sharing records of bank robberies with each other. Once one state knew to be on the lookout for that bank robber, all the other states did, too.

In the internet age, the same principle applies: If one customer is hit with an attempted attack, all the other customers are protected against that attack as well. That pooling of data is called the “cloud effect.”

“If we detect a set of attacks on one tenant, or a handful of tenants, we can synthesize that and start using the things that we learn from that to protect all the other tenants out there,” Shah said. “That’s the cloud effect. We learn. We react. We turn something on, and we protect everybody else.”

For example, Mark Russinovich, the chief technology officer for Microsoft Azure, points to a time when one customer was hit by a particularly malicious email phishing attack – and everyone else on the network got the benefit of Microsoft’s work to mitigate and prevent that scam.

“Customers didn't have to do anything to get that added level of protection,” Russinovich said.

Intelligent security graph

Microsoft tracks attempted attacks on its cloud – along with hundreds of billions of other pieces of data – in a huge system it calls the Microsoft Intelligent Security Graph.

It then uses a branch of artificial intelligence called machine learning to analyze all those billions of pieces of data to improve its security defenses and hone its responses. A machine learning system is especially useful for this purpose because it can continually learn to spot new signs of attack as data pours in, refining and improving its algorithms with every new bit of information.

Machine learning is proving especially revolutionary in fighting what Shah calls “FPFN battles.” That stands for “false positive false negatives,” and it’s a huge problem in the security industry.

Anyone who’s ever had a pet activate a security alarm knows what the false positive problem looks like: If your alarm is regularly going off in the middle of the night because the cat runs through the motion detector, chances are you’ll either turn off the alarm or pay it no mind when a real burglar tries to get in the house.

The Art of Encryption

How Microsoft stays a step ahead of cyber criminals through advances in encryption that keep your data safe.

In cybersecurity, false positives are one of the biggest drains on the system, wasting time and distracting security experts as they search for the proverbial needle in the haystack.

“If you get 1,000 alerts, and 999 are false positives but one of them is a real breach, it's the job of the humans to go figure out which one's real. And that takes time and it takes judgment,” Russinovich said. “A lot of times, when you're that overwhelmed, you're not looking closely at each one and can miss that one, that breach.”

With the machine learning system, some of that initial vetting is done automatically, freeing up security experts to focus on the ones they know are a true threat.

False negatives are an even trickier nemesis: That’s when something gets through and no one suspected it. Shah said machine learning augments security experts’ work by rooting out the even more sophisticated anomalies that could cause those false negatives to get through.

A cloud shape sits on a concrete floor in a photo illustration

Identity-driven security and more

Even as both attackers and defenders get more sophisticated, Shah said the most common form of attack is still a relatively old-fashioned one: Figuring out, or getting people to give up, their passwords.

“The simplest attack is that people’s credentials are stolen through a variety of means, and then they masquerade around as you or me,” Shah said.

That raises a complex question: Beyond passwords, how does the system know if you really are you? To prevent these kinds of attacks, Microsoft uses machine learning and other analytics to spot abnormalities in people’s behavior, such as logging in from a different location or doing unusual things once in the system.

The company also has worked to make more user-friendly systems to protect against that kind of attack, creating tools such as multi-factor authentication that aren’t cumbersome to use. That includes tools like Windows Hello, which uses fingerprint or facial recognition instead of a traditional password.

And it’s fine-tuned how people access and use data, adding options such as the ability to only grant access to certain data for a short period of time or requirements that multiple people sign off on highly critical actions.

These identity-driven security offerings are just a few of the tools Microsoft uses to keep its clients’ data safe and private. It’s also constantly taking other steps, such as beefing up email protections, to guard against employees inadvertently clicking on dangerous links that land in their inboxes.

Shah said those tools, along with other advantages such as the cloud effect, are strong enough for nearly every customer – and, in many cases, better than the safeguards companies had before moving to the cloud.

"Cryptography is a very strong tool that can be used around the world equally well. Mathematics doesn’t care what country you’re from.”

Cahill, the security analyst, said that’s because many companies struggle to keep up with the time consuming day-to-day of keeping up with the latest security safeguards: things like regularly checking for vulnerabilities, patching security bugs or making sure that only the right people have access to secure information.

“These are all things that cloud service providers do as just normal operating procedure,” he said.

But sometimes, Shah and others hear from a customer who is worried about more complex threats or whose data is especially sensitive. That’s where Microsoft can point to cutting-edge offerings such as Shielded VMs, a Windows Server 2016 offering that can keep data safe from rare types of attacks, such as a rogue employee or administrator. Another option, Always Encrypted for SQL Server, provides additional protections for very sensitive data, such as Social Security numbers or credit card information.

Always Encrypted is one of several examples of technology being used by customers today that originated within a Microsoft research lab.

The interaction between research and product groups forms a symbiotic relationship that both the researchers and the engineers say serves them well. The cryptographers and computer scientists who are working on new security technologies can get a gut check from the engineers about whether their ideas would ever work in the real world, and the engineers can go to the researchers for everything from broad-based technology frameworks to one-off solutions.

Control in the cloud

One of those researchers is Manuel Costa. He’s a principal researcher in Microsoft’s Cambridge, U.K., research lab, and these days he spends most of his time thinking of the most cutting-edge ways to make the cloud more secure.

But Costa isn’t interested in a solution that would only work in the narrow confines of a research lab. He wants to build something that will work in the real world and, more importantly, work for actual customers who care as much as he does about privacy and security.

For him, that comes down to control.

“We want our customers to have control,” Costa said. “They should be able to make an informed decision on what to share and what to keep private. And our job, on the technology side and the research side, is to make sure that we have very, very strong techniques to honor what our customers expect from us on that front.”

Portrait photo of Manuel Costa, a principal researcher in Microsoft’s Cambridge, U.K. research lab

Manuel Costa

Researcher in Microsoft’s Cambridge, U.K. lab

Costa is one of the key people working on a research project that proposes using hardware in cloud computing data centers to create a physical protection around very sensitive data. Once the data is inside the hardware, the research project allows the sensitive information to stay encrypted – or protected in such a way that only people with permission to access it can see it – even when it’s being used for computation.

Sriram Rajamani, the head of Microsoft’s Bangalore, India, research lab and another key collaborator on this project, said cloud providers have gotten very good at keeping data encrypted while it’s at rest, or simply being stored. That means that even if a bad actor gets hold of the physical disk containing all your personal banking information, they can’t read it.

Cloud providers also are quite good at keeping data encrypted in transit, making it hard for anyone to intercept that banking data while it’s being sent from the server to your computer.

But until now, the challenge has been how to keep data encrypted while it’s being used to make calculations. With this new system, companies that analyze financial trading data or scrutinize medical records for markers of disease could do that work in the cloud with the confidence that only the person who owns the data holds the keys to unlocking it. That means no one else – not even the people who work in the data center – would be able to access it or provide anyone with access to it.

“That’s an important technological capability because it gives us the ability to tell our customers that we can store your data and you can operate on it, but we don’t have access to it,” Rajamani said. “If somebody hacks into our data center, they still don’t have access to it. And you don’t have to trust us or our employees in order to ensure confidentiality for your data.”

"I think it’s really important that we pay close attention to protecting the systems that underpin our society."

That may not seem like a big deal to most of us, but cloud security experts say it’s the type of advance that will make it easier for even the most personal data, such as our medical records, to be both stored and analyzed using the cloud.

“We’re taking the first steps on something that I think will transform the whole industry going forward,” said Russinovich, the Azure executive, who was so intrigued by the project that he joined the research effort.

It’s a research project for now; Costa, Rajamani and others are working on ways to make it more efficient for real-world use.

Recently, they began looking at how they could minimize the amount of code that needs the highest level of security, and therefore must be stored in the secure hardware. That would vastly decrease the surface space that needs to be protected from any type of attack and make the system much more efficient.

From worms to cloud-based security

Costa’s fascination with security began in the early days of the internet, when he read one of the first research papers about internet worms, a type of attack in which malicious code replicates and automatically spreads from machine to machine.

First, he wanted to understand everything about worms. Then, he wanted to do everything he could to protect computers against them.

Portrait photo of Sriram Rajamani, head of Microsoft’s Bangalore, India research lab

Sriram Rajamani

Head of Microsoft’s Bangalore, India research lab

“I started to think that we were using more and more computers, and we would need to have much, much stronger security to prevent these types of attacks,” he said.

Flash forward a couple decades. The technology may have changed – and, as Costa suspected, grown much more prevalent — but his primary goal has not.

“I think it’s really, really important that we pay close attention to protecting the systems that underpin our society,” he said.

Costa believes the hardware-based project is one solution for keeping data safe, but he says one of the allures of research – especially in this field – is that there needs to be multiple approaches, and there is always room for improvement.

“Security is this vast, complex problem,” Costa said. “We want to have many barriers, many types of protection.”

Policy, privacy and regulation

To understand Microsoft’s broad-based approach to cloud security, it helps to go back in time about 15 years, to the period in the internet’s history when those worms first caught Costa’s attention. The same type of security threats also were captivating the attention of many people at Microsoft, including co-founder Bill Gates.

In a bid to keep its flagship Windows operating system from being overrun by security threats, Gates launched the company’s Trustworthy Computing Initiative with a bang: He told thousands of developers to stop working on products and instead focus solely on making Microsoft products more secure. The effort took about 60 days and cost the company more than $100 million.

"What we need now is a Digital Geneva Convention."

From that point on, Microsoft made security an integral part of the development process of every product it makes and service it offers, and it committed to working with the entire industry to share security findings.

Scott Charney, who serves as corporate vice president for trustworthy computing and oversees programs meant to ensure security remains a core priority, said that approach has carried through with products like Azure. With systems like the intelligent security graph, it’s also adapted to a world in which products get updated continuously, instead of shipped out in physical boxes three or four times a decade.

Portrait photo of Scott Charney, corporate vice president for trustworthy computing at Microsoft

Scott Charney

Corporate vice president for security policy

Now, the company is taking that one step further by building security tooling right into its development environment, Visual Studio. That allows the company to more naturally check for security flaws before code goes out the door.

“It just puts security in the normal workflow,” Charney said. “It's not about responding to attacks anymore. It's just part of building your stuff.”

Nevertheless, Charney acknowledges that it can be nerve-wracking for customers to switch to the cloud.

“Customers want to get to the cloud because they see the potential, the productivity, the cost savings,” he said. “But the cloud is this black box. If I go to the cloud, how do I know what the heck is happening?”

Microsoft’s response: Be transparent and give customers control over their data. Charney said that means doing things like promising to notify a client if there is an attempted attack and giving the customer the option of approving certain tasks or requests for information.

It also means providing clients with the ability to manage their encryption keys and control access to their data. In the end, Charney said, customers want more control and Microsoft’s job is to figure out how to give them that control while keeping their data safe.

A Digital Geneva Convention


When you talk with Microsoft President Brad Smith about cybersecurity, one thing he’ll note is that cybercrime is just that – a crime. That means that any company working on these issues must work closely with government officials, since they are the ones who ultimately have the power to put on the real or virtual handcuffs.

But, Smith notes, cybercrime is also different from most other forms of crime.

For one thing, the cloud computing data centers that have become the criminal playing field are mostly owned by the private sector and operating in multiple countries throughout the world.

For another, some of the bad actors are nation-states themselves, and in some cases those nation states are committing crimes against private citizens or infrastructure.

“Cybercrime and security threats started with people that took it almost as a hobby or sporting event,” Smith said. “It unfortunately has rapidly evolved to a crime pursued for financial gain – an organized criminal enterprise activity. And now, it’s entered a third domain, which is nation state attacks.”

Earlier this year, in a keynote speech at the RSA security conference, Smith called on governments to work with technology companies by pledging not to engage in attacks on the private sector or stockpile vulnerabilities against them. In addition, he asked governments not to target civilian infrastructure.

Smith compares this call for new rules to arms control limitations, and he said it’s much like the 1949 Geneva Convention, in which governments came together to protect civilians in times of war. This new effort would include a tech accord among members of the industry, in which they would agree to a shared set of principles and values.

“What we need now is a Digital Geneva Convention,” he said.

Microsoft already works closely with law enforcement on other cybercrime issues. For example, in May, the Federal Trade Commission announced that it had collaborated with Microsoft’s Digital Crimes Unit to track down scammers who pose as technical support representatives in order to get people’s personal information.

Microsoft’s approach to cloud security and privacy also is increasingly informed by the evolving regulatory guidelines around personal data, such as the European Union’s General Data Protection Regulation. These regulatory guidelines are a key consideration for many customers who want the benefits of the cloud but need to make sure they follow the often dizzying array of rules for protecting personal data and privacy.

The strategist and the professor

Portrait photo of Brant Zweifel, an industry strategist in Microsoft’s public sector division

Brant Zwiefel

Industry strategist in Microsoft’s public sector division

It was a regulatory challenge that got Brant Zwiefel thinking about privacy and security in the cloud.

The year was 2014, and California was in the midst of an extreme drought. Frank Loge, a professor of civil and environmental engineering at the University of California at Davis, had an idea he thought might help.

Loge, who also is the director of the university’s Center for Water Energy Efficiency, wanted to analyze tens of millions of customer records from water municipalities throughout the state, to figure out which tactics were effective in getting people to use less water.

“We said, ‘Let’s become the repository for all the water data in the state of California, and let’s share that data,’” Loge said recently during a visit to Microsoft’s Redmond, Washington, campus.

The response was not exactly heartening.

“People said, ‘This is impossible. It can’t be done,’” Loge recalled.

Luckily for Loge, he happened onto a group of people for whom the words “it can’t be done” seemed more like a challenge than an obstacle.

One of them was Zwiefel. He’s an industry strategist in Microsoft’s public sector division, and Loge’s story struck a nerve with him.

Not long before, Zwiefel had been attending his daughter’s softball game talking to a mom who volunteers for their county’s social services agency. She was experiencing a similar problem: Kids were falling through the cracks because social services, school systems and police departments had no way of sharing data. That meant that a kid who was having trouble in school, and whose parents might be having trouble with the law, weren’t necessarily getting the help they needed from social services.

“They were never talking to each other until something really bad happened, and then they would go and look and find out that there were indicators all over the place and they should have intervened earlier,” Zwiefel said. “So, you know, that’s what really drove me to say, ‘OK, we have a data sharing problem.’”

The problem is relatively new because the possibility of a solution is so new. A decade ago, no one could have expected that we’d have the computing power, algorithms and cloud-based data storage capabilities needed to share data and run the kind of analysis needed to spot such trends.

That’s changed dramatically in the last few years, and it’s opened up tantalizing possibilities for people in the public sector and beyond. For example, a hospital doing research could now conceivably analyze data from numerous other hospitals, hastening research into ways to better treat a certain type of cancer.

It would be complex, time-consuming and expensive for these organizations to create a system on their own that meets all their regulatory, logistical and privacy requirements to share personal data like police records or water bills. But at Microsoft, Zwiefel figured he might be able to find the expertise needed to build what came to be called trusted data collaboratives.

At the same time, some senior members of Microsoft’s cloud and research divisions had been looking for a similar solution for people who wanted to share data but didn’t entirely trust each other. They began a collaboration that includes people from Microsoft’s legal, research, engineering, sales and services teams.

Like Zwiefel and Loge, they were undeterred by people who said it wouldn’t be possible, and many put in their own time to visit Loge and work on the project.

This spring, Zwiefel said the group hopes to pilot with Loge the data vault containing water and energy data, and a set of research trusted data collaboratives. But already, Loge said, the work they have done together while building the system has allowed him to analyze data and better understand how the state can make significant water and energy savings.

It’s also had ancillary benefits, such as exposing areas in which municipalities can offer more fair and equitable pricing.

Zwiefel and the team hope the project will have two core benefits: It will help solve some of the tough societal problems that drew them to the project in the first place, and it will give customers an innovative solution to what may have seemed like an impossible task.

Ramarathnam Venkatesan, or Venkie, a principal researcher in cryptography and security who became one of the project’s core contributors, said such a project wouldn’t have been successful without such a broad group of people contributing to it.

“You need research people. You need product people to work on it. You need public policy people to work with you, and above all you need the sales department to work with you because they know where the problem is,” Venkatesan said.

Part III

The Future

It looks cloudy, and that's a good thing

Venkatesan and Zwiefel aren’t the only ones at Microsoft looking at ways that companies and organizations can share data securely and confidentially in the cloud. Costa’s team also is exploring how the hardware-based encryption solution his team is working on could be used for that purpose, and a mathematician named Kristin Lauter is looking at a cryptographic way to solve that problem.

Lauter, a principal researcher and head of Microsoft’s cryptography research group, said Microsoft is pursuing the problem from multiple angles because security is never a one-size-fits-all proposition. A financial services company that wants to run investment analytics, a cancer researcher who wants to compare hundreds of health care records and an individual who wants to secure her genomic record – these people are all likely to want different security methods.

Microsoft researchers also are working on all sorts of other cloud security tools aimed at meeting future security and privacy needs. Some researchers are creating ways to provide security for emerging technologies, such as artificial intelligence and quantum computing. Others are looking at ways to provide better safeguards to customers who interact with cloud-based systems, by providing big improvements to the security tools many people are already using for communication and transactions.

A combination lock floats against a high-tech background in a 3D graphic illustration

Still others are looking at ways to add extra security protections to existing tools.

For example, a research project Srinath Setty and Ph.D. student Sebastian Angel are working on aims to provide a system for encrypting the metadata that shows who a person traded texts or other communication with. Although the status quo is that the messages themselves are encrypted, the record that the conversation existed is not.

“That’s actually very sensitive information,” Setty said.

Setty and other researchers also are working on various projects that aim to add more security and confidentiality properties to a promising system for sharing data, called blockchain, that was originally developed for transactions using the alternative currency Bitcoin.

The cryptographer

Kristin Lauter is a mathematician, and she started her career doing the kind of research that is generally called pure mathematics. That changed when she got the opportunity to help build into the Windows operating system a type of security safeguard called elliptic curve cryptography.

Portrait photo of Kirsten Lauter, principal researcher and head of Microsoft’s cryptography research group

Kristin Lauter

Head of Microsoft’s cryptography research group

She was hooked. From then on, Lauter said, she began to focus her research on cryptography that solves real-world privacy and security challenges.

She likes the idea of doing research that could eventually have an impact on customers, and she also enjoys a good challenge.

“When we can talk directly to a customer and they tell us what problem they’re trying to solve or what scenarios they need to enable, that just gives us a whole new target to shoot at – this whole new source of problems to address, which is really interesting,” Lauter said.

Lately, Lauter has been focused on long-term solutions for protecting genomic data in the cloud using a method called homomorphic encryption. It’s a software-based solution that allows people to compute on and analyze data without decrypting it. Lauter argues that this is especially important for genomic data because it is perhaps the most personal data we have.

“I think part of the reason I’m so inspired by this particular research direction is that I really see the connection to societal good and the importance of privacy,” she said.

Lauter and her colleagues have created homomorphic encryption tools that work in a research lab, and now she’s working on ways to make the research project practical enough for everyday use in a cloud computing data center.

The team also is working on how to apply the security measures they’ve created with homomorphic encryption to add extra protection to other areas of cutting-edge research.

For example, she’s working with artificial intelligence researchers to create tools that would allow people to do machine learning on data that is protected by homomorphic encryption. That would add an unprecedented layer of privacy and security to AI research.

She’s also exploring how to create tools that use the same underlying cryptography that is used in homomorphic encryption to protect data once a quantum computer is developed. Many experts believe that quantum computers would be powerful enough to solve the hard math problems that are used in traditional cryptography today. Lauter said this new method, called lattice-based cryptography, could provide the type of encryption even a quantum computer can’t break.

Lauter said one key advantage to the type of cryptography work she does is that it can be used anywhere in the world, including by people who want to share data across global borders.

“Cryptography is a very strong tool that can be used around the world equally well,” Lauter said. “Mathematics doesn’t care what country you’re from.”

"We’re taking the first steps on something that I think will transform the whole industry going forward."

Climbing a security mountain: Project Everest

While security experts like Lauter are thinking about how to protect data that’s in the cloud, Cédric Fournet is thinking about how to keep data safe while it’s traveling to and from the data center that houses the cloud-based systems.

The long-term objective of the effort, called Project Everest, is simple.

“The overall goal is to provide secure connections between clients and servers, no questions asked,” said Fournet, a principal researcher in Microsoft’s Cambridge, U.K., research lab. “By default, you don’t even have to think about it. Your communications are private and authenticated.”

Getting there is a bit tougher. Here’s why: The tools that cryptographers have created to protect your data when you access your bank records or buy a baby gift online are based on abstract mathematical properties that are designed to be very hard to unscramble.

But once those abstract algorithms are implemented in software, they are exposed to the bugs and imperfections of their code, and of other code that has been written to be used with the algorithms. That’s where bad actors look for openings that can allow them to attack.

Photo portrait of Cedric Fournet, a Microsoft researcher who leads the company’s Constructive Security team

Cedric Fournet

Researcher in Microsoft’s Cambridge, U.K. lab

Security experts work very hard to prevent those attacks, both by actively looking for vulnerabilities and by responding to threats. It’s a particularly tough challenge because you don’t know what you’re looking for exactly – security is something you don’t notice until you or someone else breaks it, and then you have to go back and figure out how the breakage occurred.

With Project Everest, Fournet and his team hope to create a system in which they can mathematically prove that there are no vulnerabilities that could hamper the two most common forms of internet security protocols, HTTPS and TLS. The team is using a mix of automation and manual proofs to verify every single line of code in those protocols.

The goal is to give people using the protocols in the real world the same guarantees cryptographers can give you when they create the algorithms in the lab setting. The ultimate goal is to create this verified, secure system that works easily and efficiently, making it practical for real-world adoption.

It’s an ambitious effort, but Fournet and his team believe they have a few advantages. For one, he’s very familiar with the TLS protocols because he’s been deeply involved in efforts to make the most recent iteration of them more robust. And for another, he has the advantage of being able to check in with systems and products groups at Microsoft who would have the job of using these systems in the real world.

“Without being able to work with practitioners who actually deploy protocols or maintain those protocols, we would be missing a big part of the context,” he said.

The long game

Cloud security is a long game. To do it right, you need to constantly be investing in both the safeguards people need now and the protection they’ll need a year or even a decade from now.

That means anticipating both what new technology or capability customers will want to use in the cloud, as well as what new exploits criminals will come up with to try to gain unwanted access to their data.

But you could also call it a never-ending game because it’s not a fight that anyone – the lawyers, the engineers, the researchers and the security gurus – ever expects to end.

For every bad guy the good guys catch, there’s another one waiting in the wings. What’s more, they’re using the same technological advantages the security experts are using.

“Bad actors, and especially cyber criminals, also see the benefits of the cloud,” said Cahill, the security analyst.

Costa, the security researcher, was talking one day about how those who work in the security field are rarely satisfied that anything is truly secure. That’s why, for example, companies like Microsoft are constantly trying to attack themselves, looking for any nook or cranny a bad guy might not have found yet.

That may seem like a frustrating endeavor to some, but Costa said that to those who work in security, it’s actually the reason to go to work every day.

“I think we can always improve. That's what motivates us,” he said. “Everything can always be improved.”