Microsoft CEO Satya Nadella announced the launch of a new security strategy for the entire Microsoft portfolio on Nov. 17.

Except Nadella didn’t call it a strategy — he called it a "posture."

In practical terms we'll assume there isn't much difference between the two. Nadella said that security will no longer be an afterthought in product design, but rather a core consideration.

Same As It Ever Was?

Security is top of mind for Microsoft as it develops business around cloud products like Azure and Office 365.

But does this announcement herald a new era for Microsoft’s approach to security? According to Garrett A. Bekker III, senior analyst for Information Security with 451 Research, the objectives may be different, but the way Microsoft is going about it is not.

“It reminds me a little bit of 10 or 15 years ago when security was becoming a really big industry. At the time the number one thing that attackers, or viruses and worms were targeting was Microsoft products — either Outlook or Windows OS,” Bekker said.

“So they came out with a thing called the Trustworthy Computing Initiative. Bill Gates sent out this email warning people about fixing the vulnerabilities in their products and they also introduced security patches on a regular basis that became known as Patch Tuesday.

“The email called upon employees across the company to fundamentally rethink their approach to product development and strive to deliver products that are ‘as available, reliable and secure as standard services such as electricity, water services and telephony.’”

The Trustworthy Computing Initiative didn't end with employees and Microsoft developers building new security products. Microsoft also went on a buying spree, acquiring a number of security vendors that it considered important.

With the appetite for these acquisitions sated, Microsoft turned its attention elsewhere, happy that it had added enough security to protect itself and its customers.

Buying Cloud Security

That is until the rise of cloud computing.

In the last two months alone, Microsoft has bought two Israeli security companies, bringing its total number of Israeli security acquisitions to three in the last 12 months.

Its most recent security acquisition is Secure Islands, for a price tag of roughly $77.5 million according to ZDNet.

Microsoft is expected to integrate Secure Islands’ data protection solution into its Azure Rights Management Services to offer clients mobile, cloud and on-premises data protection.

In September Microsoft bought Adallom, whose products are used for monitoring cloud-based services like Dropbox, Google Apps or Amazon Web Services.

And on Nov. 13, 2014, Microsoft acquired Aorato, an enterprise security startup founded in 2011, for a rumored $200 million. Aorato’s software protects systems from targeted attacks.

“My view is that Microsoft is starting to get serious about security, similar to the way they were trying to do to protect Windows and Outlook in the early 2000s. Nadella made it very clear, and he said as much in his opening remarks [last week] that as people are moving to the cloud, Microsoft is making big bets on it,” Bekker said.

“If you look at all those acquisitions in even the past two months, and the announcement about the new security group, a lot of it is about easing customer concerns about moving their resources to the cloud.”

Two Approaches to Cloud Security

There's a lot riding on this. Last week, when Microsoft announced the release of its new super API Office Graph, it made public some of the figures for Office 365. According to Microsoft, it has:

  • 8 million consumer and 60 million commercial Office 365 subscribers
  • 500 million people managing documents and photos in OneDrive
  • Over 200 million Office mobile downloads

Think of the potential damage a major security breach could do to Microsoft in terms of existing or potential customers abandoning the platform.

One result of the cloud economy is the substantial third-party ecosystem that has grown up around Microsoft and other cloud products. And investors are taking notice, funding a number of companies whose focus is to provide security to the Microsoft ecosystem.

“When you look at cloud security, you are looking at two approaches. You are seeing a huge ecosystem of third party start-ups that you can use to secure your products whether you are using Azure, Office 365, or — outside of Microsoft — Salesforce or Dropbox,” Bekker said.

“The other approach is for vendors to provide their own security. You have companies like Dropbox making security acquisitions, you also have Salesforce that has its own product, as does IBM, while Box is putting a lot of investment into security, too.”

Even if businesses are providing their own security, when Microsoft speaks, other vendors pay attention.

Box CEO Aaron Levie, for example, emailed the following reaction to Microsoft’s new security strategy.

"We're incredibly excited about Microsoft's bold new philosophy around security. It aligns extremely well with what we're doing at Box, where we embed security and control into every feature and product that we build. There's an enormous opportunity for Box and Microsoft to work together and help regulated industries, like government, reap the benefits of working in the cloud for the first time."

We've Only Just Begun

Bekker pointed out that this play is far from over. He said he wouldn’t be surprised to see Microsoft make further security acquisitions, perhaps for encryption.

It is also worth noting that when Microsoft bought these companies, it acquired a large, skilled workforce that specializes in security, so new home-grown products are also a possibility in coming months.

The next security addition from Microsoft is already in the works. On December 1, Customer Lockbox will give users full control over access to their data in Office 365, and Equivio Analytics for e-discovery will bring machine learning and text analytics to e-discovery.