Microsoft calls Security Pivot ‘the largest cybersecurity engineering project in history’
Microsoft has taken pains to strengthen its internal security posture and is mobilizing “the equivalent of 34,000 full-time engineers” to the effort.
That’s the message from a voluminous document the company released this week detailing progress on its Secure Future Initiative (SFI), which it launched last fall. At the time, Microsoft positioned SFI as a comprehensive framework of security standards and best practices for software engineers.
SFI gained attention earlier this year after a federal investigation into the 2023 Outlook email hack found Microsoft partially responsible. The hack, attributed to the China-based threat actor Storm-0558, compromised the email accounts of more than 500 individuals around the world, including U.S. State Department officials. In its investigation of the incident, the U.S. government’s Cyber Safety Review Board (CSRB) pointed to “a series of Microsoft operational and strategic decisions.”
The report was scathing enough that Microsoft announced a major expansion of SFI the following month. In addition to incorporating security recommendations from the CSRB report into the SFI, Microsoft said it will also link executive pay to how well the company’s various engineering groups meet security objectives set forth by the SFI.
This week’s SFI Progress Report details additional steps Microsoft has taken since announcing the expansion. Microsoft has described SFI as the “largest cybersecurity engineering project in history” due to the scope of its efforts, impacting more than 100,000 engineers, product managers, and designers at the company.
Internal security culture
Among the organizational changes Microsoft has made since May, compliance with SFI security recommendations is now considered in employee performance reviews. In July, Microsoft also launched a security training program for employees called the Microsoft Security Academy. “We strengthen our security posture by prioritizing security in all our operations and providing targeted training,” the report said.
To ensure full alignment with SFI, Microsoft also holds weekly SFI progress reviews for the senior leadership team and quarterly reviews for the board of directors. Additionally, Microsoft created a new internal group responsible for strengthening security and compliance standards across the company and for developing a security architecture roadmap for engineers. Reporting to Microsoft CISO Igor Tsyganskiy, this new Cybersecurity Governance Council also oversees a team of “Deputy CISOs” who are responsible for enforcing SFI standards within specific Microsoft product areas. Microsoft assigns a Deputy CISO to each of the areas shown below:
(Source: Microsoft)
Engineering security
There are six engineering goals set by SFI, as shown in the diagram below.
(Source: Microsoft)
Microsoft’s progress report describes recent milestones under each of the six pillars. The report summarized them as follows:
Protect identities and secrets: Microsoft Entra ID and Microsoft Account (MSA) for the public and U.S. government clouds now generate, store, and automatically rotate access token signing keys using the Azure Managed Hardware Security Module (HSM) service. We continue to drive widespread adoption of standard identity SDKs that provide consistent validation of security tokens. This standardized validation now covers over 73% of tokens issued by Microsoft Entra ID for Microsoft-owned applications. We extended the standardized security token logging in the standard identity SDK to support threat hunting and detection, and enabled it for several critical services ahead of widespread deployment. We have completed enforcing the use of phishing-resistant credentials in production environments, implemented video-based user verification for 95% of Microsoft internal users in productivity environments during setup and recovery, and eliminated password sharing.

Protect tenants and isolate production systems: We completed a full iteration of app lifecycle management across all production and productivity tenants, eliminating 730,000 unused apps. We eliminated 5.75 million inactive tenants, significantly reducing the potential attack surface. We implemented a new system to streamline the creation of test and experimental tenants by applying secure defaults and strict lifetime controls. In the past three months, we have deployed over 15,000 new production-ready locked-down devices.

Protect networks: More than 99% of physical assets on our production network are recorded in a central inventory system, and we have enriched the asset inventory with ownership and firmware compliance tracking. Virtual networks with back-end connectivity are isolated from the Microsoft corporate network and are subject to a full security review to reduce lateral movement. To help customers secure their own deployments, we have expanded platform capabilities such as Admin Rules, which facilitate network isolation of Platform as a Service (PaaS) resources such as Azure Storage, SQL, Cosmos DB, and Key Vault.

Protect engineering systems: 85% of production build pipelines for the commercial cloud now use centrally managed pipeline templates, making deployments more consistent, efficient, and reliable. We have reduced the validity period of Personal Access Tokens to seven days, disabled Secure Shell (SSH) access to all Microsoft internal engineering repositories, and significantly reduced the number of elevated roles that can access engineering systems. We also implemented proof-of-presence checks for critical chokepoints in the software development code flow.

Monitor and detect threats: We made significant progress in ensuring that all Microsoft production infrastructure and services adopt a standard library of security audit logs, that the relevant telemetry is emitted, and that logs are retained for a minimum of two years. For example, we established centralized security audit log management and a two-year retention period for our identity infrastructure, covering all security audit events across the lifecycle of current signing keys. Similarly, over 99% of network devices now have centralized security log collection and retention enabled.

Accelerate response and remediation: We have updated processes across Microsoft to reduce time to mitigation for critical cloud vulnerabilities. To improve transparency, we have begun publishing critical cloud vulnerabilities as Common Vulnerabilities and Exposures (CVE) entries, even when no customer action is required. We established a Customer Security Management Office (CSMO) to improve public messaging and customer engagement on security incidents.
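The first pillar above talks about consistent token validation and standardized token logging without saying what such a validator checks. The following is an added example written for this page, not Microsoft’s Standard ID SDK or any code from the report. It validates a JWT in a fixed order (parse, pin the algorithm, bind the key ID to the expected issuer’s own key set, verify the signature, only then trust the claims and check issuer, audience and time), and records every outcome in an audit list that stands in for a SIEM pipeline. It uses HMAC-SHA256 so it runs on the standard library alone; real issuers use asymmetric keys, but the checks are the same. The issuer URLs, key IDs, secrets and audience are constructed for the example.

```python
"""Added example: strict, issuer-scoped JWT validation with audit logging.

Constructed for illustration; not Microsoft's Standard ID SDK. HS256 stands in
for the asymmetric algorithms a production token service would use.
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed per-issuer key sets. Each issuer (think: one cloud or one account
# system) trusts only its own signing keys. A key that exists for a different
# issuer must not validate tokens for this one, even if the kid is known.
KEYS_BY_ISSUER = {
    "https://issuer-a.example/": {"a-key-1": b"issuer-a-secret-1"},
    "https://issuer-b.example/": {"b-key-1": b"issuer-b-secret-1"},
}
ALLOWED_ALG = "HS256"        # the verifier, never the token, picks the algorithm
CLOCK_SKEW_SECONDS = 60
AUDIT_LOG = []               # in a real system this is emitted to the SIEM


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(issuer, kid, key, audience, lifetime, now=None):
    """Constructed token issuer used only to build inputs for the demo."""
    now = int(time.time()) if now is None else now
    header = {"alg": ALLOWED_ALG, "typ": "JWT", "kid": kid}
    payload = {"iss": issuer, "aud": audience, "sub": "user-1",
               "iat": now, "nbf": now, "exp": now + lifetime}
    signing_input = (_b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url_encode(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate_token(token, expected_issuer, expected_audience, now=None):
    """Return (ok, reason, claims). Every outcome, good or bad, is audit-logged."""
    now = int(time.time()) if now is None else now

    def finish(ok, reason, claims=None, kid=None):
        AUDIT_LOG.append({"ts": now, "event": "token_validation", "ok": ok,
                          "reason": reason, "issuer": expected_issuer, "kid": kid})
        return ok, reason, claims

    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        signature = _b64url_decode(s_b64)
    except (ValueError, json.JSONDecodeError):
        return finish(False, "malformed")
    kid = header.get("kid")
    if header.get("alg") != ALLOWED_ALG:
        return finish(False, "alg_not_allowed", kid=kid)
    # Look the kid up only in the expected issuer's key set; a kid from another
    # issuer's set is treated exactly like an unknown kid.
    key = KEYS_BY_ISSUER.get(expected_issuer, {}).get(kid)
    if key is None:
        return finish(False, "kid_not_trusted_for_issuer", kid=kid)
    expected_sig = hmac.new(key, (h_b64 + "." + p_b64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected_sig):
        return finish(False, "bad_signature", kid=kid)
    claims = json.loads(_b64url_decode(p_b64))      # trusted only after the signature check
    if claims.get("iss") != expected_issuer:
        return finish(False, "issuer_mismatch", kid=kid)
    aud = claims.get("aud")
    if expected_audience not in (aud if isinstance(aud, list) else [aud]):
        return finish(False, "audience_mismatch", kid=kid)
    if claims.get("exp") is None or now > claims["exp"] + CLOCK_SKEW_SECONDS:
        return finish(False, "expired", kid=kid)
    if claims.get("nbf") is not None and now + CLOCK_SKEW_SECONDS < claims["nbf"]:
        return finish(False, "not_yet_valid", kid=kid)
    return finish(True, "ok", claims, kid=kid)


def demo():
    """Run the validator over constructed tokens; returns the reason per case."""
    now = 1_700_000_000
    iss_a, aud = "https://issuer-a.example/", "api://svc"
    good = mint_token(iss_a, "a-key-1", b"issuer-a-secret-1", aud, 3600, now)
    # Claims issuer A but is signed with issuer B's (otherwise valid) key.
    cross = mint_token(iss_a, "b-key-1", b"issuer-b-secret-1", aud, 3600, now)
    stale = mint_token(iss_a, "a-key-1", b"issuer-a-secret-1", aud, 3600, now - 7200)
    wrong_aud = mint_token(iss_a, "a-key-1", b"issuer-a-secret-1", "api://other", 3600, now)
    return {
        "good": validate_token(good, iss_a, aud, now)[1],
        "cross_issuer_key": validate_token(cross, iss_a, aud, now)[1],
        "expired": validate_token(stale, iss_a, aud, now)[1],
        "wrong_audience": validate_token(wrong_aud, iss_a, aud, now)[1],
    }


if __name__ == "__main__":
    for case, reason in demo().items():
        print(f"{case}: {reason}")
```

The design point is the lookup order: the key set is selected by the issuer the relying party expects, not by anything the token says, so a signing key that is perfectly valid in another environment cannot vouch for a token here. The audit entries carry the reason and kid for every rejection as well as every success, which is the kind of standardized token logging a threat hunter can pivot on.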
In a blog post announcing the progress report, Charlie Bell, Executive Vice President of Microsoft Security, emphasized that SFI is an ongoing effort that will keep evolving.
“We know that cyber threats continue to evolve, and we must evolve with them,” he wrote. “By fostering a culture of continuous learning and improvement, we are building a future where security is a foundation, not just a feature.”
The full Microsoft SFI September Progress Report can be downloaded here.