Microsoft’s Secure Future Initiative (SFI) appears to be in rude health, and is making steady progress towards addressing some of the core issues that led to the software giant being hauled over the coals by American politicians, according to a progress report.
Microsoft launched the SFI in November 2023, after becoming embroiled in a series of high-profile security incidents targeting its technology – including the ProxyLogon and ProxyShell Microsoft Exchange Server vulnerabilities that were capitalised on by ransomware gangs, and intrusions by Chinese threat actor Storm-0558 that targeted government customers by forging access tokens.
In the wake of Storm-0558’s attacks, Redmond was accused of outright negligence by Washington DC, and after additional incidents, including a January 2024 attack in which SolarWinds Sunburst attackers Cozy Bear infiltrated its systems, a damning report by the US Cyber Safety Review Board (CSRB) prompted further enhancements to the programme.
In the report summary, Microsoft security executive vice-president Charlie Bell reaffirmed Microsoft’s commitment to security, saying that consistent progress was far more important than perfection, which was reflected in the scale of the resources Microsoft has mobilised in service of the SFI – which is by some margin one of the largest cyber projects in history, with the equivalent of 34,000 full-time engineers working on it.
“The collective work we are doing to continually increase protection, eliminate legacy or noncompliant assets and identify remaining systems for monitoring conclusively measures our success,” he said.
“As we look ahead, we remain committed to ongoing improvement,” said Bell. “SFI will continue to evolve, adapting to new threats and refining our security practices. Our commitment to transparency and industry collaboration remains unwavering.
“The work we’ve done so far is only the beginning,” he said. “We know that cyber threats will continue to evolve, and we must evolve with them. By fostering this culture of continuous learning and improvement, we are building a future where security is not just a feature, but a foundation.”
Six pillars
At the core of the Microsoft SFI lie six key pillars, laid out thus:
- The protection of identities and secrets using best-in-class, quantum-ready standards;
- The protection and isolation of all Microsoft tenants and production systems;
- The protection of Microsoft production networks, and the isolation of Microsoft and customer resources;
- The protection of engineering systems, encompassing software assets, code security and governance of the software supply chain;
- The monitoring and detection of threats, providing comprehensive coverage and automatic detection of threats to Microsoft production infrastructure;
- The acceleration of response and remediation to vulnerabilities, reducing time to mitigate for high-severity bugs and improving public messaging and transparency.
On the first of these, Bell highlighted updates to Microsoft Entra ID and Microsoft Account for public and government clouds to generate, store and rotate access token signing keys, and growing adoption of standard identity software development kits for consistent token validation, which now covers over 73% of tokens issued by Entra ID across Microsoft apps.
On the second, Microsoft has completed a full iteration of application lifecycle management across its production and productivity tenant estate, and has eliminated 730,000 pieces of software to date that nobody was using anymore. Almost six million inactive tenants have also been quietly put down, further reducing the attack surface. Meanwhile, a new system to streamline the setup of testing and experimentation tenants, with secure defaults and strict lifetime management controls, has now been implemented.
On the third, over 99% of physical assets on Microsoft’s production network are now recorded in a central inventory, and virtual networks that need backend connectivity have been isolated from the Microsoft corporate network and are now being subjected to complete security reviews to help eliminate lateral movement, should anybody be lurking there who shouldn’t be. For customers, Microsoft has also expanded platform capabilities, such as Admin Rules, to make it easier to isolate platform-as-a-service resources.
Turning to the fourth pillar, over 85% of production build pipelines for Microsoft’s commercial cloud are now using centrally governed pipeline templates, which should make deployment easier and, crucially, more trustworthy.
Meanwhile, the lifetime of Personal Access Tokens has been cut to a week, and SSH access for all Microsoft internal engineering repos has been disabled, while the number of elevated roles with access to engineering systems has been much reduced. Microsoft also implemented proof-of-presence checking at various important junctures in its development flows.
On the fifth pillar, monitoring and detecting threats, Microsoft said it had made “significant” progress on enforcing standard libraries for security audit logs across its production infrastructure and services to emit relevant telemetry, while the retention period for these logs is now two years at a minimum. It said over 99% of all network devices were now enabled with centralised log collection and retention.
Finally, on response and remediation, Microsoft reported that it has now updated processes to improve time to mitigate for critical cloud vulns, and has also started publishing critical cloud vulns as CVEs even if customers don’t actually need to do anything. It also set up a Customer Security Management Office in the service of public messaging and engagement.
Security culture
But Microsoft doesn’t plan to stop there, and today it also made public a series of initiatives designed to improve how its own people behave securely, and react appropriately to incidents.
Among these are the launch of a Cybersecurity Governance Council and the appointment of deputy chief information security officers (CISOs) for key cyber functions and engineering divisions, led by CISO Igor Tsyganskiy, which will take responsibility for Microsoft’s overall risk, defence and compliance posture.
It also revealed that, going forward, every employee across the entire organisation will commit to and be held accountable for meeting core cyber requirements in their performance reviews, and it is helping them along the way with the creation of an internal security skills academy programme.
Meanwhile, the senior leadership team has now been tasked with reviewing SFI progress weekly and providing boardroom updates every three months, with their security performance now linked directly to their pay packets.