Amazon has delayed the deployment of Microsoft 365, the cloud-based Office suite, for a year due to security concerns.
Although the two companies signed a deal last year to provide Microsoft 365 to Amazon employees, Amazon has traditionally used locally installed versions of Office software on its servers, according to Bloomberg.
Amazon paused the rollout of Microsoft 365 after a Russia-linked hacker group gained access to some of its employees’ email accounts.
Following this, Amazon requested changes to the software to enhance security, including improved safeguards against unauthorized access and more detailed tracking of user activity.
“We deep-dived into O365 and all of the controls around it and we held – just as we would any of our service teams within Amazon – we held them to the same bar,” said CJ Moses, Amazon’s chief information security officer.
Moses’s team provided Microsoft’s security chief, Charlie Bell, a list of requested enhancements. Bell, a former Amazon engineering executive, has led engineers from both companies in working together for months to implement these changes to improve the security of Microsoft 365.
“We believe we’re in a good place to start redeployment next year,” Moses said in an interview last week at Amazon Web Services’ re:Invent conference.
Amazon committed $1 billion over five years to purchase Microsoft 365 for its 1.5 million employees, making it one of the largest buyers of Microsoft’s cloud productivity suite.
However, last fall, a hacking group called Midnight Blizzard breached some of Microsoft’s corporate systems. In January, Microsoft revealed that the group accessed a “small number” of employee email accounts, including those of senior leaders and key cybersecurity and legal staff.
This breach, along with others, led CEO Satya Nadella to prioritize security at Microsoft.
Earlier this year, Moses recommended to Amazon’s security chief, Steve Schmidt, and CEO Andy Jassy that the company suspend the rollout of Microsoft 365.
“At that time still, Microsoft wasn’t able to tell us if they had gotten the [hackers] out of their environment,” Moses said.
Amazon’s requests included modifications to ensure that tools could verify user authorization and track actions within the apps, allowing Amazon’s automated systems to monitor for security risks. Microsoft 365, which combines previously separate products, used different protocols for authentication and user tracking, some of which did not meet Amazon’s security standards.