Microsoft’s security sales reached a historical high in 2022, delivering more than $20 billion in annual revenue. This comes amid industry debate about the company’s position as both targeted tech giant and security vendor.
The Redmond, Washington-based company reported during its earnings call this week a 33% increase in revenue for its security business year over year, and a 50% increase from two years ago. The division was outpacing every other major Microsoft product during the current economic downturn.
“We are the only company with integrated, end-to-end tools spanning identity security, compliance, device management, and privacy, informed and trained on over 65 trillion signals each day,” Microsoft CEO Satya Nadella said during the earnings call. “We are taking share across all the major categories we serve.”
The CEO also highlighted that the number of clients with four or more workloads on Microsoft increased more than 40% over the past year, calling out $4.46 billion British sports retailer Fraser’s Group for its decision to consolidate from ten security vendors to just Microsoft.
Focusing on identity specifically, Nadella noted that $2.76 billion digital media player manufacturer Roku, which moved identity and access management to the cloud with Azure Active Directory. Microsoft has taken up almost 25% of the identity and access management market, with Okta placed at a distant second at 9.2% of the market share, according to a July report from IDC.
In addition, Nadella said that the company’s integrated XDR and SIEM capabilities have attracted $11.61 billion Japanese pharmaceutical giant Astellas Pharma, $8.5 billion Spanish transport infrastructure firm Ferrovial and the University of Toronto to Microsoft Sentinel.
Microsoft “paradox?”
As Microsoft reinforces it’s leadership position as a security vendor, debate swirls about whether Microsoft’s own technology is a significant contributor to enterprise risk.
Factoring into that debate are the emergence of security bugs tied to product offerings. According to a CISA exploited vulnerability list, Microsoft has had 169 security bugs reported since the beginning of 2022, accounting for 30% of the total vulnerabilities uncovered over the past year. In 2021, major security agencies, including FBI, NSA, CISA, CIA, highlighted the 15 most common vulnerabilities and exposures(CVEs) exploited by hackers — among those, nine (60%) were due to cybersecurity deficiencies in Microsoft’s system.
More recently, Microsoft confirmed that a misconfigured endpoint resulted in the potential for unauthorized access to certain customer data — an incident that spurred debate in October 2022 between the company and threat intelligence company SOCRadar about the seriousness. In November, Microsoft patched six zero-day vulnerabilities, including a pair of critical bugs that have been exploited by threat actors for months.
A Microsoft spokesperson told SC Media in a statement that “in today’s threat landscape, no company or person is immune to attacks” — a point proven true in the last couple years with countless breaches targeting technology and security companies alike. The sheer volume of instances of Microsoft technology also needs to be considered when evaluating the number of exposures.
But some industry leaders raised concerns over Microsoft’s credibility in operating the security business. Ryan Kalember, executive vice president of cybersecurity strategy at Proofpoint, detailed what he dubbed “the Microsoft paradox” in a December commentary in Fortune, pointing to Microsoft’s financial gains from feature vulnerabilities.
“If [Microsoft] was moving slower to ship more secure code, discontinuing old features (like Apple), or trying to get its massive customer base to a great security baseline faster (like Google), it could do amazing things for the security community. But it’s not,” Kalember wrote. “Rather than investing millions into preventing vulnerabilities and exploitable configurations, Microsoft is instead profiting from their existence. So, with one hand, the company ships vulnerabilities and hosts malware, and with the other, it charges to ‘protect’ users from those vulnerabilities and threats.”
Microsoft threats, Microsoft contributions
It is noteworthy that Proofpoint is one of the major competitors of Microsoft in email security. It was taken private by Thoma Bravo in 2021 “at least partly due to Microsoft entering the market,” said Rik Turner, senior principal analyst at Omdia.
“Proofpoint’s commentary can be misguided as they have an economic incentive to make people doubt Microsoft,” added Malcolm Harkins, chief security and trust officer at Epiphany Systems and former chief security and privacy officer at Intel.
While Harkins did acknowledge that the security industry at large has an economic incentive to see the risk cycle continue as vendors profit from the insecurity of computing, he said it is highly unlikely that Microsoft would risk brand reputation and legal implications to allow vulnerabilities and malware to remain in business applications. Instead, he believes the contrary: that Microsoft will use the lessons learned via the security business to boost the security of its business applications, such as Microsoft Office.
Microsoft did not respond to the critiques directly in comments provided to SC Media, but a spokesperson did reiterate that the 65 trillion daily security signals processed by its cloud productivity and security products, referenced in the earnings call, enabled analysis of more than 2.5 billion endpoint signals daily and blocking of 34.7 billion identity threats and 37 billion email threats in a year.
Also referenced by Microsoft’s spokesperson was the “massive amounts of data and research” contributed to the defender community. “We fundamentally believe that collaboration is critical, and all vendors must work together to make the world a safer place.”
For the industry at large, Turner said Microsoft’s presence in the security market is positive — promoting competition but also throwing more weight behind standards like FIDO Alliance’s passwordless authentication to drive awareness and adoption.
But vendors be mindful, said Turner. “Even if you develop security technology that complements what Microsoft itself offer, it is a bit like sleeping with an elephant, because if Microsoft buys one of your competitors or develops the capability itself, you are squashed out of existence.”