Microsoft outage: why enterprises need to prioritise machine identity management

In the wake of Microsoft forgetting to update its Windows Insider subdomain certificate over the weekend, we look at how machine identity management can help enterprises avoid an outage

Over the weekend just gone, Windows Insider business users were greeted with a message stating “Your connection is not private”, which represented an outage caused by Microsoft not updating the certificate for the software testing program, The Register reported.

The certificate was found to have expired on the 9th June, after which browsers such as Chrome, Firefox, and Safari warned against accessing Windows Insider, before the issue was fixed in a matter of hours.

This isn’t the first time the corporation has fallen foul to expired certificates — for example, Microsoft Teams experienced an outage brought by a similar cause in February 2020.

These kinds of incidents exemplify the need for enterprises to have strong machine identity management in place to mitigate risks of an outage, allowing for business continuity.

“[Windows Insider] has a huge global community of millions of members. Although this incident did not lead to a severe a disruption, the site was still unavailable to millions of users for a number of hours which was, at a minimum, inconvenient,” said Pratik Selva, senior engineer at Venafi.

“Microsoft isn’t the only vendor to experience this type of incident. Just recently, Verifone and Spotify also suffered certificate outages that affected millions of users.

“Unless large enterprises with massive digital footprints prioritise machine identity management as a tier one application, we will see more of these kinds of incidents. The problem is that the keys and certificates that serve as machine identities are critical to reliability as well as security, and as companies move to the cloud management of them is more complicated.”

Microsoft is yet to comment on the incident.

Launched for Windows 10 in 2014, Windows Insider is an open software testing program where developers can register for builds of the operating system before general release.

Related:

Putting the trust back in software testing — Christian Brink Frederiksen, co-founder and CEO of Leapwork, discusses how trust can be placed back into software testing in 2022 and beyond.

Identity gets a new look: examining the W3C Verifiable Credentials standard — David Chadwick, product director at Crossword Cybersecurity, discusses what the W3C Verifiable Credentials standard, co-authored by Chadwick, means for identity security.

Avatar photo

Aaron Hurst

Aaron Hurst is Information Age's senior reporter, providing news and features around the hottest trends across the tech industry.