Microsoft has had a rough year in terms of cybersecurity, with the tech giant experiencing a number of security incidents involving its products in recent months.
First, Russian state-sponsored hackers managed to steal U.S. government emails by compromising Microsoft corporate email accounts. In a 2023 attack by a Chinese state-sponsored group, Microsoft Exchange Online mailboxes were breached, including those of Secretary of Commerce Gina Raimondo, U.S. Ambassador to the People’s Republic of China R. Nicholas Burns, and Congressman Don Bacon.
After stating that security would be its number one priority, the company has now released an update on the progress of the Secure Future Initiative (SFI), a program launched in November 2023 to advance Microsoft's cybersecurity protection.
Safeguarding the future through lessons from the past
Microsoft’s SFI update provides an overview of the progress being made to “prioritize security above all else,” including governance updates, new training programs, employee security reviews, and how Redmond is addressing its core cybersecurity pillars.
Last year, Microsoft enhanced its governance by creating a Cybersecurity Governance Council composed of deputy chief information security officers (CISOs) who regularly review all aspects of cybersecurity, including risk, compliance and defense.
Executives have also tied their pay to security performance to improve accountability and create incentives for them to focus on avoiding mistakes and improving past performance. Additionally, the company introduced a Security Training Academy to provide employees with new cybersecurity skills and knowledge.
Across Microsoft’s six key cybersecurity pillars, the company has taken steps to improve identity and secrets protection by boosting token management and phishing resistance in Microsoft’s access management solution, Microsoft Entra ID. Tenant and production protection has been improved by simplifying application lifecycle management and reducing the attack surface by eliminating inactive tenants.
Network protection has been improved by isolating certain virtual networks with back-end connectivity to reduce the potential for lateral movement, and management rules for Azure Storage, SQL, Cosmos DB, and Key Vault have been increased to help customers protect themselves.
SFI has also resulted in 85% of Microsoft’s production build processes for the commercial cloud using centralized governance, personal access tokens being reduced to a seven-day lifespan, and controls being introduced into the software development cycle, along with a reduction in the number of elevated roles that can access engineering systems.
Threat detection and monitoring has been simplified by the introduction of standardized security audit logs and centralized log management covering 99% of network devices.
Finally, Microsoft has committed to improving transparency and reducing the time to mitigate common vulnerabilities and exposures (CVEs) across its cloud infrastructure by updating processes as well as establishing the Customer Security Management Office to improve communication with customers when a security incident occurs.
“The work we’ve done so far is just the beginning. We know cyberthreats will continue to evolve, and we must evolve with them,” said Charlie Bell, executive vice president of security at Microsoft.
“By fostering this culture of continuous learning and improvement, we are building a future where security is not just a feature, but a foundation.”