
So how's Microsoft's Secure Future Initiative going?

Microsoft took a victory lap today, touting the 34,000 full-time engineers it says it has dedicated to its Secure Future Initiative (SFI) since the program launched almost a year ago, and publishing its first progress report on efforts to improve security in its products and services.

As Register readers likely remember, SFI was rolled out in November 2023 following widespread criticism of Microsoft's security failings – the most recent (at the time) being Chinese spies compromising tens of thousands of Microsoft-hosted email accounts belonging to government officials.

That was before it came to light that Kremlin spies broke into Microsoft's network and stole source code, having gained a foothold by password-spraying a legacy test-tenant account that didn't have multi-factor authentication (MFA) enabled.

In May, Microsoft doubled down on SFI after the Cyber Safety Review Board report lashed Redmond for a "cascade" of "avoidable errors" that made the Chinese attack possible, and Congress summoned Microsoft president Brad Smith to testify about the blunders.

At the time, CEO Satya Nadella and Microsoft Security EVP Charlie Bell made public pledges to "prioritize security above all else." This included linking cybersecurity performance to senior execs' compensation plans, and including security as a "core priority" in all employees' performance reviews.

In today's report, Microsoft confirmed that both of these things have happened.

Unfortunately, we still don't have any specifics about which execs got raises – or were dinged – for the company's infosec efforts and progress. We're not even sure how this will be measured and then end up in senior leaders' paychecks. The Register asked Microsoft for more details about this part of the plan, but it declined to comment further.

While we don't expect to see employees' reviews posted for all to see, it's also unclear how to build transparency and accountability around this commitment. "Establishing Security as a Core Priority in employee Connects accelerates Microsoft's overall SFI progress by encouraging all employees to keep cybersecurity as a guiding principle and contribute in aligned ways through their own teams," a spokesperson told The Register.

Redmond's report did note that to support this effort, it launched the Microsoft Security Academy in July. This is a "personalized learning experience of security-specific, curated trainings for all worldwide employees," we're told.


The six SFI engineering "pillars," however, are slightly easier to measure. Here's how Redmond says it's doing in those areas:

  1. Protect identities and secrets: Microsoft Entra ID and Microsoft Account (MSA) for public and US government clouds will now generate, store, and automatically rotate access token signing keys using the Azure Managed Hardware Security Module (HSM) service. That is the control that matters most here, since the 2023 Chinese intrusion was pulled off with a stolen MSA signing key, and a key that never leaves an HSM cannot turn up in a crash dump. Plus, Redmond's standard identity SDKs, used to validate security tokens, now cover more than 73 percent of those issued by Microsoft Entra ID for Microsoft-owned applications; the remaining 27 percent are presumably still validated by hand-rolled code, which is exactly where validation bugs tend to live. Additionally, Microsoft production environments now require so-called "phishing resistant" credentials (FIDO2 keys or certificate-based auth rather than passwords and one-time codes), and 95 percent of internal users have been enrolled in video-based user verification in productivity environments to ensure they're not sharing passwords.
  2. Protect tenants and isolate production systems: Microsoft killed off 730,000 unused apps and eliminated 5.75 million inactive tenants. It also claims to have "deployed over 15,000 new production-ready locked-down devices in the last three months." 
  3. Protect networks: Redmond says it has recorded more than 99 percent of physical assets on the production network in a central inventory system, and isolated virtual networks with back-end connectivity from the corporate network.
  4. Protect engineering systems: We're told that 85 percent of Microsoft's production build pipelines for its commercial cloud now use centrally governed pipeline templates.
  5. Monitor and detect threats: "Significant progress" has been made to adopt standard libraries for security audit logs across all production environments. This includes central management, and a two-year log retention period. More than 99 percent of network devices now have centralized security log collection and retention.
  6. Accelerate response and remediation: Microsoft says it updated processes that have improved mitigation time for critical cloud vulnerabilities and set up a Customer Security Management Office (CSMO) for customer engagement during security incidents. Plus, "we began publishing critical cloud vulnerabilities as common vulnerabilities and exposures (CVEs), even if no customer action is required, to improve transparency," Redmond crowed, although we imagine some bug hunters might see room for improvement around CVEs and transparency.
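Rotating signing keys in an HSM only pays off if every relying party resolves the current key dynamically and validates the rest of the token correctly, which is why the 73 percent figure for standard-SDK token validation in pillar 1 belongs next to the key-rotation claim. The following Go program is an added example, not Microsoft's SDK and not code from the page: it stands in for what a standard identity library does on every inbound token, with a JWKS-style key set looked up by kid, the algorithm pinned rather than read from the token, the signature checked before any claim is trusted, and issuer, audience and validity window enforced. The issuer and audience strings, kid names, and the Sign/Validate/KeySet names are all constructed for the demo; the token format itself is plain RFC 7519 JWT with RS256, as Entra ID issues.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// KeySet stands in for the issuer's published JWKS: the currently valid signing keys, by "kid".
// On rotation the issuer publishes a new kid and drops the old one, so a validator that resolves
// kid against a freshly fetched set follows the rotation and stops trusting the retired key.
type KeySet map[string]*rsa.PublicKey

// Claims is the subset of RFC 7519 claims this example checks.
type Claims struct {
	Iss string `json:"iss"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
	Nbf int64  `json:"nbf"`
}

// segment decodes one base64url JWT segment into v.
func segment(s string, v any) error {
	raw, err := base64.RawURLEncoding.DecodeString(s)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// Sign mints an RS256 JWT as an issuer would; it is here only so the demo runs offline.
func Sign(priv *rsa.PrivateKey, kid string, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(c)
	enc := base64.RawURLEncoding
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	h := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	if err != nil {
		return "", err
	}
	return input + "." + enc.EncodeToString(sig), nil
}

// Validate is the work a standard identity SDK does on every inbound token: pin the expected
// algorithm, pick the key by kid from the live key set, verify the signature, and only then
// check issuer, audience and validity window. Any failure is a hard reject.
func Validate(tok string, keys KeySet, wantIss, wantAud string, now time.Time) (*Claims, error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	var hdr struct{ Alg, Kid string }
	if err := segment(parts[0], &hdr); err != nil {
		return nil, err
	}
	if hdr.Alg != "RS256" { // rejects "none" and key-confusion tricks such as HS256 with the public key
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	pub, ok := keys[hdr.Kid]
	if !ok { // a real client refreshes the JWKS once here; if the kid is still unknown, reject
		return nil, fmt.Errorf("unknown kid %q", hdr.Kid)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) != nil {
		return nil, fmt.Errorf("bad signature")
	}
	var c Claims // the payload is only parsed after the signature has been verified
	if err := segment(parts[1], &c); err != nil {
		return nil, err
	}
	if c.Iss != wantIss || c.Aud != wantAud {
		return nil, fmt.Errorf("token not for this API: iss=%q aud=%q", c.Iss, c.Aud)
	}
	if t := now.Unix(); t >= c.Exp || t < c.Nbf {
		return nil, fmt.Errorf("token outside its validity window")
	}
	return &c, nil
}

func main() {
	iss, aud := "https://login.example.test/tenant/v2.0", "api://example-api" // constructed values
	oldKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	newKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	now := time.Now()
	claims := Claims{Iss: iss, Aud: aud, Nbf: now.Unix() - 60, Exp: now.Unix() + 3600}
	keys := KeySet{"kid-new": &newKey.PublicKey} // after rotation only the new kid is published
	fresh, _ := Sign(newKey, "kid-new", claims)
	stale, _ := Sign(oldKey, "kid-old", claims) // minted under the retired key
	_, errFresh := Validate(fresh, keys, iss, aud, now)
	_, errStale := Validate(stale, keys, iss, aud, now)
	fmt.Println("fresh accepted:", errFresh == nil, "| stale rejected:", errStale)
}
```

The design point is the order of operations: algorithm and key are fixed by the validator, the signature is checked against the key the issuer currently publishes, and claims are read only afterwards. Pinning a single downloaded key instead of resolving kid against the live set is what turns an automated HSM rotation into an outage, and skipping the issuer or audience check is how a token minted for one service (or by one cloud's key) gets accepted by another.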

There's also a "Governance" piece under SFI. As part of this, Redmond set up a new Cybersecurity Governance Council and appointed 13 deputy Chief Information Security Officers (deputy CISOs) responsible for spearheading SFI company-wide. They also update the board of directors quarterly about progress toward these goals.

These 13 deputy CISOs are:

Bell today touted Microsoft's commitment to achieving its SFI objectives, and said "the work we've done so far is only the beginning."

"We know that cyberthreats will continue to evolve, and we must evolve with them," he continued. We couldn't agree more. Because words and security initiatives are nice, but the real test will be to see how Microsoft handles the next time that Russia or China or someone else tries to break into customers' email inboxes or Redmond's internal environment.

By nature of its size and scope, Microsoft has a huge target on its back for adversarial nations and financially motivated cybercriminals alike.

If Microsoft can't protect customers from these threats, which, as Bell rightfully notes, are continually evolving, then all of these words are useless. Let's see the actions to back them up. ®

Source: theregister.com
