News

Microsoft Calls Security Pivot 'Largest Cybersecurity Engineering Project in History'

• By Gladys Rama
• 09/26/2024

Microsoft is taking pains to sharpen its internal security posture, enlisting "the equivalent of 34,000 full-time engineers" for the effort.

That's the message from a sprawling paper the company released this week detailing the progress of its Secure Future Initiative (SFI), which it launched last fall. At that time, Microsoft positioned the SFI as a comprehensive framework of security standards and best practices for its software engineers.

The SFI came under the spotlight earlier this year after a federal review of a 2023 Outlook e-mail hack found Microsoft partly to blame. That hack, attributed to Chinese hacker group Storm-0558, infiltrated the e-mail accounts of over 500 individuals worldwide, including some associated with the U.S. State Department. In its review of the incident, the U.S. government's Cyber Safety Review Board (CSRB) said it "identified a series of Microsoft operational and strategic decisions that collectively point to a corporate culture that deprioritized both enterprise security investments and rigorous risk management."

The report was scathing enough that Microsoft announced a significant expansion of the SFI the following month. Besides incorporating security recommendations from the CSRB's report into the SFI, Microsoft said it would also tie executive salaries to how well the company's various engineering groups meet the security goals prescribed by the SFI.  

This week's SFI progress report details the additional steps Microsoft has taken since that expansion announcement. Due to the scope of its efforts, Microsoft described the SFI as "the largest cybersecurity engineering project in history," impacting the company's more than 100,000 engineers, product managers and designers.

Internal Security Culture
Among the organizational changes that Microsoft has made since May, it now accounts for employees' adherence to SFI security recommendations in their performance reviews. It also launched an employee security training program in July called the Microsoft Security Academy. "By prioritizing security in all operations and offering targeted training, we are fortifying our security posture," the report said.

To ensure full alignment with the SFI, Microsoft has also scheduled weekly SFI progress reviews for its senior leadership team and quarterly reviews for its board. In addition, it has created a new internal group responsible for enforcing security and compliance standards companywide, as well as with developing a security architecture roadmap for its engineers. Reporting to Microsoft CISO Igor Tsyganskiy, this new Cybersecurity Governance Council also oversees a team of "Deputy CISOs," each responsible for enforcing SFI standards within specific Microsoft product categories. Microsoft has assigned a deputy CISO for each of the below areas:

Engineering Security
There are six engineering goals set out by the SFI, as listed in the graphic below:

Microsoft's progress report describes recent milestones for each one. The report summarized these as follows:

1. Protect identities and secrets: We completed updates to Microsoft Entra ID and Microsoft Account (MSA) for our public and United States government clouds to generate, store, and automatically rotate access token signing keys using the Azure Managed Hardware Security Module (HSM) service. We have continued to drive broad adoption of our standard identity SDKs, which provide consistent validation of security tokens. This standardized validation now covers more than 73% of tokens issued by Microsoft Entra ID for Microsoft owned applications. We have extended standardized security token logging in our standard identity SDKs to support threat hunting and detections and enabled those in several critical services ahead of broad adoption. We completed enforcement of the use of phishing-resistant credentials in our production environments and implemented video-based user verification for 95% of Microsoft internal users in our productivity environments to eliminate password sharing during setup and recovery. 
   
   
2. Protect tenants and isolate production systems: We completed a full iteration of app lifecycle management for all of our production and productivity tenants, eliminating 730,000 unused apps. We eliminated 5.75 million inactive tenants, drastically reducing the potential cyberattack surface. We implemented a new system to streamline the creation of testing and experimentation tenants with secure defaults and strict lifetime management enforced. We have deployed more than 15,000 new production-ready locked-down devices in the last three months. 
   
   
3. Protect networks: More than 99% of physical assets on the production network are recorded in a central inventory system, which enriches asset inventory with ownership and firmware compliance tracking. Virtual networks with backend connectivity are isolated from the Microsoft corporate network and subject to complete security reviews to reduce lateral movement. To help customers secure their own deployments, we have expanded platform capabilities such as Admin Rules to ease the network isolation of Platform as a Service (PaaS) resources such as Azure Storage, SQL, Cosmos DB, and Key Vault.
   
   
4. Protect engineering systems: 85% of our production build pipelines for the commercial cloud are now using centrally governed pipeline templates, making deployments more consistent, efficient, and trustworthy. We have slimmed down the lifespan of Personal Access Tokens to seven days, disabled Secure Shell (SSH) protocol access for all Microsoft internal engineering repos, and significantly reduced the number for elevated roles with access to engineering systems. We also implemented proof of presence checks for critical chokepoints in our software development code flow.
   
   
5. Monitor and detect threats: We have made significant progress enforcing that all Microsoft production infrastructure and services adopt standard libraries for security audit logs, to ensure relevant telemetry is emitted, and retain logs for a minimum of two years. For instance, we have established central management and a two-year retention period for identity infrastructure security audit logs, encompassing all security audit events throughout the lifecycle of current signing keys. Similarly, more than 99% of network devices are now enabled with centralized security log collection and retention.
   
   
6. Accelerate response and remediation: We updated processes across Microsoft to improve Time to Mitigate for critical cloud vulnerabilities. We began publishing critical cloud vulnerabilities as common vulnerability and exposures (CVEs), even if no customer action is required, to improve transparency. We established the Customer Security Management Office (CSMO) to improve public messaging and customer engagement for security incidents.   
   

The SFI is a living document, emphasized Microsoft security executive vice president Charlie Bell in a blog post announcing the progress report.  

"We know that cyberthreats will continue to evolve, and we must evolve with them," he wrote. "By fostering this culture of continuous learning and improvement, we are building a future where security is not just a feature, but a foundation."

The full Microsoft SFI September Progress Report can be downloaded here.