Microsoft will try to stem criticism over its products’ vulnerability to cyberattacks by offering all of its customers more information about the activity happening on their cloud platforms, following months of consultations with the U.S. government and years of criticism about its practice of charging extra for data that is vital to stopping some hacks.
Beginning in September, Microsoft will make “detailed logs of email access and more than 30 other types of log data” available for free in its basic cloud subscription tier, Vasu Jakkal, the company’s corporate vice president for security, compliance, identity, and management, wrote in a blog post on Wednesday. The company is also increasing the default retention period for log data from 90 days to 180 days.
These logging features were previously only available to premium subscribers, which made it harder for non-premium users to detect hackers accessing their systems. Microsoft’s policy of charging extra for this basic information contradicted advice from the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), which published guidance in April urging tech companies to offer log data and other critical features for free and by default.
Microsoft’s decision is likely to further increase pressure on other tech giants that continue charging extra for basic log data, including Amazon and Google.
Microsoft’s log-pricing policy was thrust into the spotlight last week after suspected Chinese hackers exploited a flaw in Microsoft’s system to breach the email accounts of roughly two dozen of its customers, including three government agencies. The intrusion was stealthy enough to be invisible to any customer not paying for Microsoft’s premium log data. Fortunately, the State Department was paying for that data, spotted the attack and alerted Microsoft, which fixed the problem and kicked out the hackers.
While Microsoft didn’t mention this latest Chinese attack, the company on Wednesday said its announcement was the product of its “close partnership” with CISA. The agency had spent the past several months working with Microsoft to identify the log data that should be offered for free, Eric Goldstein, CISA’s executive assistant director for cybersecurity, said in a blog post.
CISA Director Jen Easterly said her agency will “continue to work with all technology manufacturers, including Microsoft, to identify ways to further enhance visibility into their products for all customers.”
