Microsoft has announced its Secure Future Initiative, the company’s latest effort to address serious security issues.
Microsoft’s security reputation has taken a beating in recent years, with a hack that compromised US government email accounts being the straw that broke the camel’s back. To make matters worse, Amit Yoran, CEO of security firm Tenable, blasted the company’s Azure security as “grossly irresponsible.”
It appears Microsoft is finally working to address both the problem — and its reputation — with a new initiative, revealed in an internal memo from company President Brad Smith:
Satya Nadella, Microsoft Chief Executive Officer; Rajesh Jha, Microsoft Executive Vice President, Experiences and Devices; Scott Guthrie, Microsoft Executive Vice President, Cloud and AI; and I have put significant thought into how we should anticipate and adapt to the increasingly more sophisticated cyberthreats. We have carefully considered what we see across Microsoft and what we have heard from customers, governments, and partners to identify our greatest opportunities to impact the future of security. As a result, we have committed to three specific areas of engineering advancement we will add to our journey of continually improving the built-in security of our products and platforms. We will focus on 1. transforming software development, 2. implementing new identity protections, and 3. driving faster vulnerability response.
Smith goes on to outline the company’s plan, which will rely heavily on artificial intelligence and automation to improve the software development process, as well as increase the use of memory-safe languages:
This means we’re going to apply the concept of continuous integration and continuous delivery (CI/CD) to continuously integrate protections against emerging patterns as we code, test, deploy, and operate. Think of it as continuous integration and continuous security.
We will accelerate and automate threat modeling, deploy CodeQL for code analysis to 100 percent of commercial products, and continue to expand Microsoft’s use of memory safe languages (such as C#, Python, Java, and Rust), building security in at the language level and eliminating whole classes of traditional software vulnerability.
Smith also says the company will enable more secure defaults:
We all realize no enterprise has the luxury of jettisoning legacy infrastructure. At the same time, the security controls we embed in our products, such as multifactor authentication, must scale where our customers need them most to provide protection. We will implement our Azure tenant baseline controls (99 controls across nine security domains) by default across our internal tenants automatically. This will reduce engineering time spent on configuration management, ensure the highest security bar, and provide an adaptive model where we add capability based on new operational learning and emerging adversary threats. In addition to these defaults, we will ensure adherence and auto-remediation of settings in deployment. Our goal is to move to 100 percent auto-remediation without impacting service availability.
Microsoft will also continue to improve identity management in an effort to combat identity-focused espionage:
We will enforce the use of standard identity libraries (such as Microsoft Authentication Library) across all of Microsoft, which implement advanced identity defenses like token binding, continuous access evaluation, advanced application attack detections, and additional identity logging support. Because these capabilities are critical for all applications our customers use, we are also making these advanced capabilities freely available to non-Microsoft application developers through these same libraries.
To stay ahead of bad actors, we are moving identity signing keys to an integrated, hardened Azure HSM and confidential computing infrastructure. In this architecture, signing keys are not only encrypted at rest and in transit, but also during computational processes. Key rotation will also be automated, allowing high-frequency key replacement with no potential for human access, whatsoever.
Finally, Smith says Microsoft will rely on AI to improve vulnerability response time:
Lastly, we are continuing to push the envelope in vulnerability response and security updates for our cloud platforms. As a result of these efforts, we plan to cut the time it takes to mitigate cloud vulnerabilities by 50 percent. We are in a position to achieve this because of our long investment and learnings in automation, monitoring, safe deployment, and AI-driven tools and processes. We will also take a more public stance against third-party researchers being put under non-disclosure agreements by technology providers. Without full transparency on vulnerabilities, the security community cannot learn collectively—defending at scale requires a growth mindset. Microsoft is committed to transparency and will encourage every major cloud provider to adopt the same approach.
It remains to be seen if Microsoft can deliver on its promise, but it’s a promising sign that the company’s executives see the need to do something different.