Last November, we launched the Secure Future Initiative (SFI) to prepare for the increasing scale and high stakes of cyberattacks. SFI brings together every part of Microsoft to advance cybersecurity protection across our company and products.
Since then, the threat landscape has continued to rapidly evolve, and we have learned a lot. The recent findings by the Department of Homeland Security’s Cyber Safety Review Board (CSRB) regarding the Storm-0558 cyberattack from last July, and the Midnight Blizzard attack we reported in January, underscore the severity of the threats facing our company and our customers.
Microsoft plays a central role in the world’s digital ecosystem, and this comes with a critical responsibility to earn and maintain trust. We must and will do more.
We are making security our top priority at Microsoft, above all else—over all other features. We’re expanding the scope of SFI, integrating the recent recommendations from the CSRB as well as our learnings from Midnight Blizzard to ensure that our cybersecurity approach remains robust and adaptive to the evolving threat landscape.
We will mobilize the expanded SFI pillars and goals across Microsoft and this will be a dimension in our hiring decisions. In addition, we will instill accountability by basing part of the compensation of the company’s Senior Leadership Team on our progress in meeting our security plans and milestones.
Below are details to demonstrate the seriousness of our work and commitment.
Expansion of SFI approach and scope
We have evolved our security approach, and going forward our work will be guided by the following three security principles:
- Secure by design: Security comes first when designing any product or service.
- Secure by default: Security protections are enabled and enforced by default, require no extra effort, and are not optional.
- Secure operations: Security controls and monitoring will continuously be improved to meet current and future threats.
We are further expanding our goals and actions aligned to six prioritized security pillars and providing visibility into the details of our execution:
1. Protect identities and secrets
Reduce the risk of unauthorized access by implementing and enforcing best-in-class standards across all identity and secrets infrastructure, and user and application authentication and authorization. As part of this, we are taking the following actions:
- Protect identity infrastructure signing and platform keys through rapid, automatic rotation and hardware-backed storage and protection (for example, hardware security modules (HSMs) and confidential compute).
- Strengthen identity standards and drive their adoption through use of standard SDKs across 100% of applications.
- Ensure 100% of user accounts are protected with securely managed, phishing-resistant multifactor authentication.
- Ensure 100% of applications are protected with system-managed credentials (for example, Managed Identity and Managed Certificates).
- Ensure 100% of identity tokens are protected with stateful and durable validation.
- Adopt more fine-grained partitioning of identity signing keys and platform keys.
- Ensure identity and public key infrastructure (PKI) systems are ready for a post-quantum cryptography world.
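Three of the items above (fine-grained key partitioning, automatic key rotation, and stateful token validation) describe checks a token validator has to perform at every request. The following is an added example, not code from Microsoft or from this post: a toy issuer and validator in which each signing key is bound to one partition, a rotated key is refused once its grace period ends, and a revoked token ID is refused even though its signature still verifies. HMAC-SHA256 from the standard library stands in for the asymmetric, HSM-backed keys the post refers to, and the partition names, claim values and store classes are illustrative.

```python
"""Toy issuer/validator demonstrating key partitioning, key rotation and
stateful (revocation-aware) token validation.  Added example; names,
partitions and the HMAC stand-in for HSM-backed signing are all assumptions."""
import base64
import hashlib
import hmac
import json
import secrets


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class KeyStore:
    """kid -> {secret, partition, retired_at}.  A real deployment keeps the
    secret inside an HSM; here it is plain bytes so the example runs offline."""

    def __init__(self):
        self.keys = {}

    def add(self, partition: str) -> str:
        kid = f"{partition}-{secrets.token_hex(4)}"
        self.keys[kid] = {"secret": secrets.token_bytes(32),
                          "partition": partition, "retired_at": None}
        return kid

    def rotate(self, old_kid: str, now: int, grace: int = 300) -> str:
        """Mint a replacement in the same partition; the old key stays valid
        only until now + grace so in-flight tokens can drain."""
        self.keys[old_kid]["retired_at"] = now + grace
        return self.add(self.keys[old_kid]["partition"])


class RevocationStore:
    """Stateful validation: the set of revoked token IDs (jti).  In-memory
    here; a durable deployment persists it so revocations survive restarts."""

    def __init__(self):
        self.revoked = set()

    def revoke(self, jti: str) -> None:
        self.revoked.add(jti)

    def is_revoked(self, jti) -> bool:
        return jti in self.revoked


def issue(ks: KeyStore, kid: str, claims: dict) -> str:
    header = _b64(json.dumps({"alg": "HS256", "kid": kid}, separators=(",", ":")).encode())
    payload = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(ks.keys[kid]["secret"], f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"


def validate(token: str, ks: KeyStore, rs: RevocationStore,
             expected_partition: str, expected_aud: str, now: int):
    """Return (True, claims) or (False, reason).  Every check fails closed."""
    try:
        h, p, s = token.split(".")
        header, claims = json.loads(_unb64(h)), json.loads(_unb64(p))
    except (ValueError, json.JSONDecodeError):
        return False, "malformed"
    key = ks.keys.get(header.get("kid"))
    if key is None:
        return False, "unknown kid"
    if key["partition"] != expected_partition:          # partitioning
        return False, "key from wrong partition"
    if key["retired_at"] is not None and now >= key["retired_at"]:  # rotation
        return False, "key retired"
    expected = hmac.new(key["secret"], f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(s)):
        return False, "bad signature"
    if claims.get("aud") != expected_aud:
        return False, "wrong audience"
    if now >= claims.get("exp", 0):
        return False, "expired"
    if rs.is_revoked(claims.get("jti")):                 # stateful check
        return False, "revoked"
    return True, claims


def demo() -> dict:
    """Constructed scenario: one corporate and one customer partition key."""
    now = 1_700_000_000
    ks, rs = KeyStore(), RevocationStore()
    k_corp, k_cust = ks.add("corporate"), ks.add("customer")
    claims = {"sub": "alice", "aud": "mail-api", "exp": now + 3600, "jti": "t1"}
    tok = issue(ks, k_corp, claims)
    out = {"valid": validate(tok, ks, rs, "corporate", "mail-api", now)[0]}
    # A valid signature from the other partition's key is still refused.
    out["cross_partition"] = validate(issue(ks, k_cust, claims), ks, rs,
                                      "corporate", "mail-api", now)[1]
    rs.revoke("t1")
    out["revoked"] = validate(tok, ks, rs, "corporate", "mail-api", now)[1]
    new_kid = ks.rotate(k_corp, now)
    claims2 = dict(claims, jti="t2")
    out["old_key_after_grace"] = validate(issue(ks, k_corp, claims2), ks, rs,
                                          "corporate", "mail-api", now + 301)[1]
    out["new_key"] = validate(issue(ks, new_kid, claims2), ks, rs,
                              "corporate", "mail-api", now + 301)[0]
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The order of the checks matters: key lookup, partition and retirement are decided before the signature is computed, so a stolen key from the wrong partition or a retired key never gets to the point where a correct signature could be trusted, and the revocation lookup runs last because it is the only check that needs shared state.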
2. Protect tenants and isolate production systems
Protect all Microsoft tenants and production environments using consistent, best-in-class security practices and strict isolation to minimize breadth of impact. As part of this, we are taking the following actions:
- Maintain the security posture and commercial relationships of tenants by removing all unused, aged, or legacy systems.
- Protect 100% of Microsoft, acquired, and employee-created tenants, commerce accounts, and tenant resources to the security best practice baselines.
- Manage 100% of Microsoft Entra ID applications to a high, consistent security bar.
- Eliminate 100% of identity lateral movement pivots between tenants, environments, and clouds.
- Enforce continuous least-privilege access for 100% of applications and users.
- Ensure only secure, managed, healthy devices will be granted access to Microsoft tenants.
3. Protect networks
Protect Microsoft production networks and implement network isolation of Microsoft and customer resources. As part of this, we are taking the following actions:
- Secure 100% of Microsoft production networks and systems connected to the networks by improving isolation, monitoring, inventory, and secure operations.
- Apply network isolation and microsegmentation to 100% of the Microsoft production environments, creating additional layers of defense against attackers.
- Enable customers to easily secure their networks and network isolate resources in the cloud.
4. Protect engineering systems
Protect software assets and continuously improve code security through governance of the software supply chain and engineering systems infrastructure. As part of this, we are taking the following actions:
- Build and maintain inventory for 100% of the software assets used to deploy and operate Microsoft products and services.
- 100% of access to source code and engineering systems infrastructure is secured through Zero Trust and least-privilege access policies.
- 100% of source code that deploys to Microsoft production environments is protected through security best practices.
- Secure development, build, test, and release environments with 100% standardized, governed pipelines and infrastructure isolation.
- Secure the software supply chain to protect Microsoft production environments.
5. Monitor and detect threats
Provide comprehensive coverage and automatic detection of threats to Microsoft production infrastructure and services. As part of this, we are taking the following actions:
- Maintain a current inventory across 100% of Microsoft production infrastructure and services.
- Retain 100% of security logs for at least two years and make six months of appropriate logs available to customers.
- 100% of security logs are accessible from a central data lake to enable efficient and effective security investigation and threat hunting.
- Automatically detect and respond rapidly to anomalous access, behaviors, and configurations across 100% of Microsoft production infrastructure and services.
6. Accelerate response and remediation
Prevent exploitation of vulnerabilities discovered by external and internal entities, through comprehensive and timely remediation. As part of this, we are taking the following actions:
- Reduce the Time to Mitigate for high-severity cloud security vulnerabilities with accelerated response.
- Increase transparency of mitigated cloud vulnerabilities through the adoption and release of the Common Weakness Enumeration™ (CWE™) and Common Platform Enumeration™ (CPE™) industry standards for released high-severity Common Vulnerabilities and Exposures (CVEs) affecting the cloud.
- Improve the accuracy, effectiveness, transparency, and velocity of public messaging and customer engagement.
These goals directly align to our learnings from the Midnight Blizzard incident as well as all four CSRB recommendations to Microsoft and all 12 recommendations to cloud service providers (CSPs), across the areas of security culture, cybersecurity best practices, audit logging norms, digital identity standards and guidance, and transparency.
We are delivering on these goals through a new level of coordination with a new operating model that aligns leaders and teams to the six SFI pillars, in order to drive security holistically and break down traditional silos. The pillar leaders are working across engineering Executive Vice Presidents (EVPs) to drive integrated, cross-company engineering execution, doing this work in waves. These engineering waves involve teams across Microsoft Azure, Windows, Microsoft 365, and Security, with additional product teams integrating into the process weekly.
While there is much more to do, we’ve made progress in executing against SFI priorities. For example, we’ve implemented automatic enforcement of multifactor authentication by default across more than one million Microsoft Entra ID tenants within Microsoft, including tenants for development, testing, demos, and production. We have eliminated or reduced application targets by removing 730,000 apps to date across production and corporate tenants that were out-of-lifecycle or not meeting current SFI standards. We have expanded our logging to give customers deeper visibility. And we recently announced a significant shift on our response process: We are now publishing root cause data for Microsoft CVEs using the CWE™ industry standard.
Adhering to standards with paved-path systems
Paved paths are best practices distilled from our own experience, drawing on lessons such as how to optimize the productivity of software development and operations, how to achieve compliance (for example, Software Bill of Materials, the Sarbanes-Oxley Act, the General Data Protection Regulation, and others), and how to eliminate entire categories of vulnerabilities and mitigate related risks. A paved path becomes a standard when its adoption significantly improves the developer or operations experience, or security, quality, or compliance.
With SFI, we are explicitly defining standards for each of the six security pillars, and adherence to these standards will be measured as objectives and key results (OKRs).
Driving continuous improvement
The Secure Future Initiative empowers all of Microsoft to implement the needed changes to deliver security first. Our company culture is based on a growth mindset that fosters an ethos of continuous improvement. We continually seek feedback and new perspectives to tune our approach and progress. We will take our learnings from security incidents, feed them back into our security standards, and operationalize these learnings as paved paths that can enable secure design and operations at scale.
Instituting new governance
We are also taking major steps to elevate security governance, including several organizational changes and additional oversight, controls, and reporting.
Microsoft is implementing a new security governance framework spearheaded by the Chief Information Security Officer (CISO). This framework introduces a partnership between engineering teams and newly formed Deputy CISOs, collectively responsible for overseeing SFI, managing risks, and reporting progress directly to the Senior Leadership Team. Progress will be reviewed weekly with this executive forum and quarterly with our Board of Directors.
Finally, given the importance of threat intelligence, we are bringing the full breadth of nation-state actor and threat hunting capabilities into the CISO organization.
Instilling a security-first culture
Culture can only be reinforced through our daily behaviors. Security is a team sport and is best realized when organizational boundaries are overcome. The engineering EVPs, in close coordination with SFI pillar leaders, are holding broadscale weekly and monthly operational meetings that include all levels of management and senior individual contributors. These meetings work on detailed execution and continuous improvement of security in context with what we collectively deliver to customers. Through this process of bottom-to-top and end-to-end problem solving, security thinking is ingrained in our daily behaviors.
Ultimately, Microsoft runs on trust and this trust must be earned and maintained. As a global provider of software, infrastructure, and cloud services, we feel a deep responsibility to do our part to keep the world safe and secure. Our promise is to continually improve and adapt to the evolving needs of cybersecurity. This is job number one for us.