Microsoft has had a tricky year when it comes to cybersecurity, with the tech giant experiencing a slew of security incidents related to its products in recent months.
Firstly, Russian state-sponsored hackers were able to steal US government emails by compromising Microsoft corporate email accounts. An attack in 2023 by a Chinese state-sponsored group saw Microsoft Exchange Online mailboxes breached, including those belonging to Commerce Secretary Gina Raimondo, US Ambassador to the PRC R. Nicholas Burns, and Congressman Don Bacon.
Having then claimed security would be its number one priority, the company has now released a progress update on the Secure Future Initiative (SFI) – a program launched in November 2023 to advance Microsoft’s cybersecurity protection.
Safeguarding the future through the lessons of the past
Microsoft’s SFI update provides an overview on the progress being made to “prioritize security above all else” including updates to governance, new upskilling programs, employee security reviews, and how Redmond is addressing its core pillars of cybersecurity.
In the last year, Microsoft has enhanced its governance by creating a Cybersecurity Governance Council made up of Deputy Chief Information Security Officers (CISOs) that regularly review all things cybersecurity, including risk, compliance and defense.
Executives have also had their pay tied to security performance to enhance accountability and instill incentive to focus heavily on avoiding errors and improving on past performance. Moreover, the company introduced a Security Skilling Academy to provide employees with new cybersecurity skills and knowledge.
As for Microsoft’s six key cybersecurity pillars, the company has taken steps to improve identity and secret protection by boosting token management and phishing resistance in Microsoft’s access management solution, Microsoft Entra ID. Tenant and production protection has been enhanced through the streamlining of app lifecycle management, and the reduction of the attack surface through the removal of inactive tenants.
Network protection has been improved by isolating certain virtual networks with backend connectivity to reduce the potential for lateral movement, and Admin Rules for Azure Storage, SQL, Cosmos DB, and Key Vault have been increased to help customers secure themselves.
The SLI has also resulted in 85% of Microsoft’s production build pipelines for commercial cloud using centralized governance, Personal Access Tokens have been reduced to a seven day lifespan, and checks have been introduced into the software development cycle alongside reducing the number of elevated roles that can access engineering systems.
Threat detection and monitoring has been streamlined through the introduction of standardized security audit logs and centralized log management covering 99% of network devices.
Finally, Microsoft has committed to improving transparency and reducing their time to mitigate common vulnerabilities and exposures (CVEs) across its cloud infrastructure by updating processes, as well as establishing the Customer Security Management Office to improve customer communication when a security incident occurs.
“The work we’ve done so far is only the beginning. We know that cyberthreats will continue to evolve, and we must evolve with them,” noted Charlie Bell, Executive Vice President of Microsoft Security.
“By fostering this culture of continuous learning and improvement, we are building a future where security is not just a feature, but a foundation.”