Collectively, these recommendations offer a roadmap for, if not averting similar cloud disasters in the future, then at least positioning CSPs and their customers to deal with these kinds of incidents in a better posture. Although each recommendation is heavily substantive and valuable, experts raise some of the more significant recommendations that CSPs should consider in the wake of the investigation.

Security industry response largely positive

Industry reaction to the report indicates that the CSRB is headed in the right direction, even if the report’s recommendations will take time to digest. “It’s a lot to consume,” James Campbell, CEO and Co-Founder of Cado Security, tells CSO. From Campbell’s perspective, one prominent takeaway “is gaining as much visibility as you can” when it comes to cloud environments.

A Microsoft spokesperson tells CSO the company is still reviewing the final report’s recommendations but says, “We appreciate the work of the CSRB to investigate the impact of well-resourced nation-state threat actors who operate continuously and without meaningful deterrence.”

“We thought the report was great,” Phil Venables, Google vice president and CISO of Google Cloud, tells CSO. “We welcomed the report. I think the CSRB did a good job on this.” Venables thinks that most of the report’s broader recommendations stem from Microsoft’s failures, which “were things that most of the other cloud providers already had controls to mitigate.”

“When you look at the broader recommendations, especially some of the more detailed recommendations, even though the report directs them at the entire industry, they’re clearly giving the remarks in other parts of the report directed at Microsoft,” Venable says.

The report does praise Google, AWS, and Oracle for adopting “a security architecture best suited to [their] technological infrastructure and customer use cases,” in contrast to Microsoft’s “corporate culture that deprioritized both enterprise security investments and rigorous risk management.”