Microsoft made security its No. 1 priority for every employee earlier this year, following years of security issues and a scathing report from the US Cyber Safety Review Board. Nearly six months after Microsoft CEO Satya Nadella told the entire company that security should be prioritized above all else, the software giant is providing a report on its progress.

Microsoft first kicked off its Secure Future Initiative (SFI) in November 2023, just months before the US Cyber Safety Review Board concluded that “Microsoft’s security culture was inadequate and requires an overhaul.” That blistering review really kicked Microsoft into gear, and the company is revealing today that it now has the equivalent of 34,000 full-time engineers working toward its SFI, making it the biggest cybersecurity engineering effort ever inside of Microsoft.

Every Microsoft employee is now being judged on their security work, after the company tied its security efforts to employee performance reviews last month. In recent months, Microsoft has also completed a series of improvements to its security processes as a result of the SFI.

Microsoft has updated its Entra ID and Microsoft Account (MSA) systems to generate, store, and automatically rotate access token signing keys using an Azure-managed hardware security module. 5.75 million inactive tenants have also been eliminated to reduce attack surfaces. Microsoft also now uses a new system for testing that has secure defaults, to prevent legacy systems from causing security headaches in the future.

Microsoft is now tracking over 99 percent of its physical network in a central inventory system that helps with firmware compliance and logging. Microsoft has improved its audit logs to retain logs for a minimum of two years, too. Engineering teams inside Microsoft have now had personal access tokens cut down to just seven days, SSH access disabled for all internal engineering repos, and the number of groups with access to key engineering systems has been reduced.

Microsoft has been criticized for the amount of time it takes to respond to security issues in the past, and the company is now publishing CVEs “even if no customer action is required, to improve transparency.”

Transforming Microsoft’s engineering processes and security culture is no easy task, especially when the company has 100,000 engineers, designers, and project managers working on more than 500,000 work items every day and 5 million builds each month. Microsoft is implementing new standards by using a “Start Right, Stay Right, and Get Right” approach. “Start Right” ensures projects adhere to security standards using templates, policies, and self-service tools. “Stay Right” then makes sure there’s monitoring on projects and relevant policy enforcement. The final part is “Get Right,” which is designed for Microsoft to monitor its state of compliance.

The software giant has also created a new Cybersecurity Governance Council and appointed 13 deputy CISOs, four of whom are new Microsoft hires:

The other nine deputy CISOs are a variety of veteran Microsoft executives that have decades of experience at the company, including technical fellow Mark Russinovich, who has been named deputy CISO for Azure alongside his current Azure CTO role. Microsoft’s senior leadership team is now reviewing SFI progress weekly and providing updates to Microsoft’s board of directors quarterly on the progress.

Finally, Microsoft launched a security skilling academy in July, which includes training for all employees to reinforce “the importance of security in daily operations.” This ongoing training, performance reviews, and the oversight of Microsoft’s senior leadership team certainly put pressure on employees to focus more on security than ever before, but Microsoft is still on a long path to winning back trust and putting the headlines about its security record in the rearview mirror.

“Our commitment to transparency and industry collaboration remains unwavering,” says Charlie Bell, head of Microsoft security. “By fostering this culture of continuous learning and improvement, we are building a future where security is not just a feature, but a foundation.”

Original author: Tom Warren