Microsoft's first security report card is in

Welcome to Runtime! Today: Microsoft reports its progress toward once again realigning the company around security, Google upgrades its AI models and bundles Gemini with Workspace, and the latest funding rounds in enterprise tech.

(Was this email forwarded to you? Sign up here to get Runtime each week.)

Getting right

Microsoft has made incredible progress toward Satya Nadella's decade-long project to reinvent one of the oldest companies in tech as one of the leading cloud providers of our time, but a series of cloud security debacles in recent years has threatened to undermine those accomplishments. Earlier this year Nadella made security Microsoft's top priority, and it released new details Monday on its efforts to rebuild its security culture.

In a blog post accompanied by a detailed report, Microsoft's security czar Charlie Bell outlined several concrete steps Microsoft took in recent months to improve its security posture. "Since the [Secure Future Initiative] began, we’ve dedicated the equivalent of 34,000 full-time engineers to SFI—making it the largest cybersecurity engineering effort in history," Bell wrote.

One of the first steps the company took was to rid itself of dead weight that attackers could use to infiltrate its networks.

• It eliminated 73,000 unused apps and closed down 5.75 million "inactive tenants, drastically reducing the potential cyberattack surface," Bell wrote.
• As new cloud applications are built, the company centralized 85% of its production build pipelines with templates that make "deployments more consistent, efficient, and trustworthy," it said.
• Microsoft now retains identity security logs for two years and implemented standard telemetry to ensure those logs are consistent.
• And perhaps most importantly given the incident that triggered the SFI, in which government emails were leaked, Microsoft now automatically rotates signing keys and "implemented video-based user verification for 95% of Microsoft internal users in our productivity environments to eliminate password sharing during setup and recovery."

But engineering fixes, while welcome and arguably overdue, aren't enough to get a company as large as Microsoft pointed in a more secure direction. "We’ve made significant progress in fostering a security-first culture," Bell wrote, outlining how life has changed for Microsoft employees in the wake of its security push.

• The company created a Cybersecurity Governance Council led by Microsoft CISO Igor Tsyganskiy, which consists of deputy CISOs across key areas of the company such as Azure and Microsoft 365.
• That council will be responsible for implementing Microsoft's security commitment across the company, and senior leadership will receive a progress update from Tsyganskiy every week.
• All employees will be evaluated on their commitment to security in their performance reviews, which feels like it could be a little tricky to judge when it comes to non-technical staff.
• But everyone will have to go through the Secure Skilling Academy training program, which "ensures that no matter the role, employees are equipped to prioritize security in their daily work and identify the direct part they have in securing Microsoft," Bell wrote. 

Corporate cybersecurity is somewhat akin to the role a football team's offensive line plays in its success; an absolutely critical function that most people only notice when something goes wrong. Only time will tell whether Microsoft has taken the right steps to secure its infrastructure, especially as customers plow ever-increasing amounts of sensitive data into its infrastructure to train their AI efforts.

• "In security, consistent progress is more important than 'perfection,' and this is reflected in the scale of resources mobilized to achieve our SFI objectives," Bell wrote.
• He's right, but Microsoft really can't afford to see another serious incident happen on his watch.
• Customers — especially its most important customer, the U.S. government — will be watching closely and evaluating their options at a time when it has never been easier to switch cloud providers.

Back-to-school savings

Google rolled out two new versions of its flagship Gemini AI models Tuesday, reducing prices and improving performance as it sought to persuade skeptics that enterprises really are jumping on the AI bandwagon. The multimodal 1.5-series models were first introduced earlier this year at Google Cloud Next, and Google said users of the new versions can expect a 2% to 20% boost in performance depending on the application.

In what might be a more significant development for enterprise customers still evaluating their AI strategy, Google slashed prices for Gemini 1.5 Pro — "our strongest 1.5 series model" — when using prompts smaller than 128,000 tokens. Prices for input and cached tokens fell 64%, while prices for output tokens decreased by 52%, which could make it much easier for companies with limited budgets to get up and running.

Google also plans to add its Gemini assistant directly into its Google Workspace office productivity suite, which will allow Workspace customers to use some of its features, such as searching documents through a chatbot. But if you want to use Gemini directly in a Workspace product such as Google Docs, you'll still need to pay for the add-on, which costs $20 or $30 per user per month depending on the plan.

Enterprise funding

Virtuous raised $100 million in new funding for its CRM platform built around the needs of non-profit organizations.

UJET scored $76 million in Series D funding and promoted Vasili Triant to co-CEO, as it aims to turn the AI contact center startup into a profitable company.

Torq landed $70 million in Series C funding for its automated cybersecurity platform, which can detect and respond to security threats based on preset rules.

Datamaran raised $33 million in Series C funding to add new generative AI features to its compliance software.

Liquid Stack landed $20 million in additional Series B funding, with plans to increase production of its liquid-cooling technology for AI data centers.\

Kestra scored $8 million in seed funding to speed up the process of orchestrating data pipelines.

The Runtime roundup

Salesforce acquired unstructured data-management platform Zoomin for $450 million, as CEO Marc Benioff gets back to his old acquisition-minded ways following the purchase of Own for $1.9 billion earlier this month.

GitHub will allow European customers to store their data on the continent starting later next month, addressing data residency concerns.

Google is looking into using small nuclear reactors for future data centers over 1GW, CEO Sundar Pichai said Monday, days after Microsoft signed a deal to revive the Three Mile Island plant.

Cloudflare played no formal role in the drama over X's availability in Brazil last week, CEO Matthew Prince said Monday, describing X as just another new customer that switched to using its network.

Thanks for reading — see you Thursday!