News
Microsoft Outlines New Commitment to Security
- By Chris Paoli
- May 03, 2024
In the wake of criticism for its recent security record, Microsoft is outlining steps it is taking to improve, companywide.
In a blog post released on Friday, Charlie Bell, executive vice president of Microsoft Security, broke down the lessons learned from last year's "Storm-0558" Outlook security incident and how the company will evolve after the Department of Homeland Security's Cyber Safety Review Board (CSRB) found fault with Microsoft's security practices in its review of the Chinese hack.
"We are making security our top priority at Microsoft, above all else -- over all other features," wrote Bell. "We're expanding the scope of SFI [Secure Future Initiative], integrating the recent recommendations from the CSRB as well as our learnings from Midnight Blizzard to ensure that our cybersecurity approach remains robust and adaptive to the evolving threat landscape."
The Secure Future Initiative (SFI) was announced in November and is the company's latest comprehensive security strategy that focuses on security through the development, deployment and maintenance of the company's products and services. It also looks to build a culture within the company that places the responsibility of security on everyone at Microsoft.
In Friday's blog, Bell outlined how the company will be expanding and better defining the three security principles that will power SFI:
- Secure by design: Security comes first when designing any product or service.
- Secure by default: Security protections are enabled and enforced by default, require no extra effort, and are not optional.
- Secure operations: Security controls and monitoring will continuously be improved to meet current and future threats.
He also broke down how these principles map onto six actionable pillars, on which the company says work has already begun.
- Protect Identities and Secrets: Microsoft is prioritizing the security of identity infrastructure and authentication processes, employing rapid key rotation and hardware protection techniques to safeguard platform keys and identity infrastructures against unauthorized access.
- Isolate Production Systems: Efforts to isolate and protect production environments are being intensified, with stringent controls to minimize potential breaches and ensure that all Microsoft environments meet high-security standards.
- Enhance Network Security: Comprehensive measures are being implemented to secure Microsoft's production networks, with a particular focus on isolation and micro-segmentation to shield customer and Microsoft resources.
- Secure Engineering Systems: Governance of software supply chains and engineering infrastructures is being strengthened to protect against vulnerabilities in software assets and operational systems.
- Advanced Threat Detection and Monitoring: Microsoft aims for extensive coverage in detecting threats to its infrastructure, enhancing its ability to rapidly respond to and mitigate potential security incidents.
- Accelerate Response and Remediation: A proactive approach to vulnerability management is being adopted to quickly address security weaknesses and prevent exploitation.
As an example of SFI in practice, Bell pointed to Microsoft recently enabling multifactor authentication by default across Microsoft Entra ID tenants.
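The article does not say how an administrator would confirm that the same default holds in a tenant they manage. The following script is an added example, not code from the article or from Microsoft's blog: it uses the Microsoft Graph PowerShell module (assumed installed, with an account that can read policy) to report whether security defaults are on and, for tenants that use Conditional Access instead, which enabled policies require MFA. Policy and property names are those of the Microsoft Graph SDK; no custom helpers are involved.

```powershell
# Added example (not from the article or Microsoft's blog): check whether an
# Entra ID tenant actually enforces MFA by default.
# Assumes: Microsoft.Graph module installed; signed-in account holds Policy.Read.All.
Connect-MgGraph -Scopes "Policy.Read.All" -NoWelcome

# Security defaults is the tenant-wide switch that requires MFA for all users,
# i.e. the "secure by default" baseline for a tenant with no custom policies.
$defaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
"Security defaults enabled: $($defaults.IsEnabled)"

# Tenants on Conditional Access must turn security defaults off, so also list
# enabled CA policies whose grant control includes the built-in 'mfa' control.
$mfaPolicies = Get-MgIdentityConditionalAccessPolicy |
    Where-Object {
        $_.State -eq 'enabled' -and
        $_.GrantControls.BuiltInControls -contains 'mfa'
    }

if (-not $defaults.IsEnabled -and -not $mfaPolicies) {
    # Neither mechanism is in force: MFA is optional in this tenant.
    Write-Warning "No tenant-wide MFA enforcement: security defaults are off and no enabled Conditional Access policy requires MFA."
} else {
    # Show each MFA policy and whether it scopes to every user, since a policy
    # that only covers a pilot group is not 'by default' for the tenant.
    $mfaPolicies | Select-Object DisplayName, State,
        @{ n = 'IncludesAllUsers'; e = { $_.Conditions.Users.IncludeUsers -contains 'All' } }
}
```

A policy in the report-only state ('enabledForReportingButNotEnforced') is deliberately excluded: it logs what would have happened but grants access regardless, so it does not count as enforcement.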
Bell said that the entire initiative aims at creating a new culture of security at Microsoft, starting from the top down. Microsoft has announced that senior leaders' compensation will be tied directly to SFI: pay will depend on reaching internal milestones and on preventing future security incidents. Further, weekly security meetings between engineering and leadership are meant to instill the notion that security is a "team sport."
"Ultimately, Microsoft runs on trust and this trust must be earned and maintained. As a global provider of software, infrastructure, and cloud services, we feel a deep responsibility to do our part to keep the world safe and secure. Our promise is to continually improve and adapt to the evolving needs of cybersecurity. This is job number one for us."