It has been a tough year for Microsoft when it comes to cybersecurity, with the company grappling with a series of significant security breaches involving some of its most important and widely used products.
The company now acknowledges that its cybersecurity efforts have been lacking, as revealed by several high-profile breaches, including one in which Russian government-backed hackers broke into Microsoft corporate email accounts and managed to steal sensitive U.S. government emails.
In another alarming incident, a Chinese government-sponsored group compromised Microsoft Exchange Online mailboxes, including those of prominent figures such as Commerce Secretary Gina Raimondo, U.S. Ambassador to China R. Nicholas Burns, and Congressman Don Bacon.
In the wake of these security flaws, Microsoft has declared that security is its top priority. To back up this claim, the company released an update to its Secure Future Initiative (SFI), a program launched in November 2023 that aims to significantly strengthen Microsoft’s cybersecurity defenses.
The SFI progress report outlines steps Microsoft is taking to “prioritize security above all else,” including major updates to governance, new programs for employee upskilling, and rigorous security reviews. The company is focused on addressing core pillars of cybersecurity, reflecting its commitment to fundamentally change its approach to protecting user data and systems.
Over the past year, Microsoft has strengthened its governance framework by establishing a Cybersecurity Governance Council, comprised of deputy chief information security officers (CISOs), which regularly reviews all cybersecurity issues, including risk management, compliance, and defense strategies.
To drive accountability, Microsoft has tied executive compensation to security performance, creating a strong incentive for leaders to focus on preventing errors and improving security outcomes. Additionally, the company has introduced a Security Skills Academy aimed at equipping employees with the latest cybersecurity skills and knowledge.
In terms of specific cybersecurity measures, Microsoft is focusing on six key pillars. These include better protecting identities and secrets by improving token management and phishing resistance within Microsoft Entra ID, the company's access management solution, and streamlining app lifecycle management by removing inactive tenants, which reduces the attack surface and better protects tenants and production environments.
Isolating specific virtual networks with back-end connections enhances network security and reduces the potential for lateral movement by an attacker.
Additionally, Microsoft has implemented stricter management rules for Azure Storage, SQL, Cosmos DB and Key Vault to help protect customer data, and the Secure Future Initiative has brought 85% of Microsoft’s production build pipeline for commercial cloud services under centralized management.
Personal access tokens are now limited in lifetime to seven days, additional security checks have been put into place to harden software development cycles, and the number of elevated roles with access to engineering systems has been reduced, further protecting critical infrastructure.
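Two of the controls described above, the seven-day cap on personal access token lifetime and the removal of inactive tenants, are the kind of hygiene rule an engineering organization can check continuously rather than once. The following Python script is an added example, not Microsoft's code and not part of the SFI report: it runs both checks over a constructed token and tenant inventory and returns the findings. The seven-day limit comes from the article; the 90-day inactivity threshold, the tenant and token identifiers, and the reference time are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Policy values. The seven-day PAT lifetime is the figure stated in the article;
# the inactivity threshold for tenants is an assumed value chosen for illustration.
MAX_PAT_LIFETIME = timedelta(days=7)
INACTIVE_TENANT_THRESHOLD = timedelta(days=90)


@dataclass(frozen=True)
class PersonalAccessToken:
    token_id: str
    owner: str
    created_at: datetime
    expires_at: datetime


@dataclass(frozen=True)
class Tenant:
    tenant_id: str
    last_sign_in: Optional[datetime]  # None means no sign-in was ever recorded


def pat_violations(tokens: List[PersonalAccessToken], now: datetime,
                   max_lifetime: timedelta = MAX_PAT_LIFETIME) -> List[Tuple[str, str]]:
    """Return (token_id, reason) for every token that breaches the lifetime policy.

    A token violates the policy if its issued lifetime exceeds max_lifetime, or if it
    has already expired but is still present in the inventory (stale credentials that
    were never revoked are a common source of lingering access).
    """
    findings = []
    for t in tokens:
        lifetime = t.expires_at - t.created_at
        if lifetime > max_lifetime:
            findings.append((t.token_id, f"lifetime {lifetime.days}d exceeds {max_lifetime.days}d"))
        elif t.expires_at <= now:
            findings.append((t.token_id, "expired but still present in inventory"))
    return findings


def inactive_tenants(tenants: List[Tenant], now: datetime,
                     threshold: timedelta = INACTIVE_TENANT_THRESHOLD) -> List[str]:
    """Return tenant ids with no sign-in within the threshold (candidates for removal)."""
    return [
        t.tenant_id for t in tenants
        if t.last_sign_in is None or now - t.last_sign_in > threshold
    ]


# Constructed reference time and sample inventory; none of this is real data.
NOW = datetime(2024, 9, 30, tzinfo=timezone.utc)

SAMPLE_TOKENS = [
    PersonalAccessToken("pat-001", "alice", NOW - timedelta(days=2), NOW + timedelta(days=5)),    # 7d: allowed
    PersonalAccessToken("pat-002", "bob",   NOW - timedelta(days=10), NOW + timedelta(days=80)),  # 90d: too long
    PersonalAccessToken("pat-003", "carol", NOW - timedelta(days=9), NOW - timedelta(days=3)),    # 6d, expired
    PersonalAccessToken("pat-004", "dave",  NOW - timedelta(days=1), NOW + timedelta(days=364)),  # 365d: too long
]

SAMPLE_TENANTS = [
    Tenant("tenant-a", NOW - timedelta(days=3)),     # active
    Tenant("tenant-b", NOW - timedelta(days=200)),   # dormant
    Tenant("tenant-c", None),                        # never used
]


def hygiene_report(tokens: List[PersonalAccessToken], tenants: List[Tenant], now: datetime) -> dict:
    """Combine both checks into one report suitable for a scheduled job."""
    return {
        "pat_violations": pat_violations(tokens, now),
        "inactive_tenants": inactive_tenants(tenants, now),
    }


if __name__ == "__main__":
    report = hygiene_report(SAMPLE_TOKENS, SAMPLE_TENANTS, NOW)
    for token_id, reason in report["pat_violations"]:
        print(f"PAT {token_id}: {reason}")
    for tenant_id in report["inactive_tenants"]:
        print(f"tenant {tenant_id}: inactive, candidate for removal")
```

The lifetime check compares issued lifetime rather than remaining time, so a long-lived token is flagged on the day it is minted instead of only once it has aged; expired tokens still in the inventory are reported separately because they indicate a revocation gap rather than a policy gap.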
To improve threat detection and monitoring, Microsoft introduced standardized security audit logs and centralized log management, which now covers 99% of network devices. The company is also working to increase transparency across its cloud infrastructure and reduce the time it takes to address Common Vulnerabilities and Exposures (CVEs). This includes updating processes and establishing a Customer Security Management Office to improve communication with customers during security incidents.
Despite these efforts, Microsoft acknowledges that the work is far from done. Charlie Bell, executive vice president of Microsoft Security, emphasized that cyber threats are constantly evolving, and Microsoft needs to evolve with them. The company aims to foster a culture of continuous learning and improvement, making security a foundation for how it works going forward, not just a feature.