Microsoft touts expansion of Secure Future Initiative
At RSA Conference 2024, Microsoft vice president Vasu Jakkal discussed some of the criticisms leveled against the company and how the Secure Future Initiative will address them.
SAN FRANCISCO -- After a series of troubling incidents and mounting criticisms, Microsoft this week affirmed its commitment to improving cybersecurity following the recent expansion of the company's Secure Future Initiative.
The Secure Future Initiative (SFI), which Microsoft announced last November, is a broad corporate strategy to address issues with software development and vulnerability mitigation. In January, however, Microsoft disclosed a data breach it suffered at the hands of a Russian state-affiliated threat actor tracked as Midnight Blizzard.
The adversary used a password spray attack to compromise a legacy nonproduction test tenant account and accessed several Microsoft corporate email accounts, including those belonging to senior leadership. Moreover, Microsoft revealed that the initial test tenant account did not have multifactor authentication enabled.
Another challenge came in the form of a Cyber Safety Review Board (CSRB) report released last week. The report details the results of an investigation regarding a breach of Microsoft and customers -- including U.S. government agencies -- disclosed in July 2023, involving Chinese state-sponsored actor Storm-0558. The CSRB report slammed Microsoft over the breach, saying it was caused by a cascade of errors on the tech giant's part and that its security culture was "inadequate and requires an overhaul."
The expansion to the Secure Future Initiative appears to be a response to these criticisms and others leveled against the company in recent years.
The expansion was announced via a blog post Friday by Microsoft Security executive vice president Charlie Bell, in which he made one point clear: Improving cybersecurity is "job No. 1 for us." In fact, Bell said, executive compensation for Microsoft's leadership team will be tied to the company's progress in achieving the SFI goals.
"Microsoft plays a central role in the world's digital ecosystem, and this comes with a critical responsibility to earn and maintain trust. We must and will do more," he wrote. "We are making security our top priority at Microsoft, above all else -- over all other features. We're expanding the scope of SFI, and integrating the recent recommendations from the CSRB as well as our learnings from Midnight Blizzard to ensure that our cybersecurity approach remains robust and adaptive to the evolving threat landscape."
The new-and-improved SFI includes three key principles: secure by design, secure by default and secure operations. For secure by design, Bell wrote that security will be prioritized first and foremost when designing any product or service. For secure by default, Bell said security protections "are enabled and enforced by default, require no extra effort, and are not optional." And secure operations refers to the constant improvement of security controls and monitoring to "meet current and future threats."
Alongside the principles are six pillars of security to be prioritized: protecting identity and secrets; protecting tenants and isolating production systems; protecting networks; protecting engineering systems; monitoring and detecting threats; and accelerating response and remediation.
The last pillar is notable because it includes commitments to reduce mitigation times for high-severity cloud security vulnerabilities, accelerate response, increase transparency of cloud vulnerabilities and improve transparency by prioritizing "the accuracy, effectiveness, transparency, and velocity of public messaging and customer engagement." These commitments address some of the most prominent criticisms against Microsoft in recent years, especially those stemming from the Storm-0558 breach and the CSRB report.
On the whole, Bell said, these goals represent Microsoft's learnings from the Midnight Blizzard breach as well as all recommendations from the CSRB report.
"Ultimately, Microsoft runs on trust and this trust must be earned and maintained," Bell wrote. "As a global provider of software, infrastructure, and cloud services, we feel a deep responsibility to do our part to keep the world safe and secure. Our promise is to continually improve and adapt to the evolving needs of cybersecurity. This is job number one for us."
Security 'has to be first'
On Tuesday at RSA Conference 2024, Vasu Jakkal, Microsoft corporate vice president of security, compliance, identity, management and privacy, spoke with TechTarget Editorial about the expansion of SFI and Microsoft's renewed security commitments.
Jakkal said the Storm-0558 attack served as a wake-up call for Microsoft and its role in the security community.
"If you look at the threat landscape that we've been seeing, it continues to escalate. And we always talked about advanced persistent threats, but they're getting a lot more persistent," she said. "Last June and July, we faced Storm-0558, a Chinese nation-state actor. And it was a sobering reminder of the responsibility we carry toward security.
"We announced the Secure Future Initiative last November, focusing on secure by default and design," Jakkal continued. "Since then, Midnight Blizzard happened in January. And as you know, we've been going through that investigation, which involves Russian state-sponsored actors. It just reminded us again of our responsibility. And then there were the Cyber Safety Review Board recommendations. In this new age of AI, based on what we're seeing, based on what we are going through as Microsoft, we have to do more on security."
In addition to existing security challenges, Jakkal emphasized that "security has to be first" in the age of AI.
"The AI evolution is going so fast, and the pace of innovation is accelerated," she said. "I think it just reminded us that without security, you cannot have AI transformation. That's why Satya [Nadella, Microsoft CEO] said [in a recent memo to employees] security must be above all else and above any other feature."
Jakkal addressed criticisms against Microsoft stemming from a Jan. 25 blog post about the Midnight Blizzard breach in which the company seemingly used the post to upsell its identity security tools and products. SentinelOne chief trust officer Alex Stamos condemned Microsoft's behavior in a LinkedIn blog post at the time. Stamos continued his criticism of Microsoft this week during an RSA Conference session on global threats.
Jakkal said Microsoft will be more mindful with how it presents its communications, given points raised in Stamos' blog post, but she added that the intent of the blog post was to offer a solution to customers, as "we're not as familiar with our peers' technologies as we are with ours.
"When we write about security and when we find new techniques, or we find new indicators of compromise, we also like to give a solution that comes with it," she said. "And we like to tell you about how we found it and how we are protecting our customers. Obviously, we protect our customers through our products. That's why, when we mention our products, it's not more marketing. It's just telling our customers, 'Here's how we found it and we use tools like this, but you're welcome to use any other tools.' But we'll be more mindful for certain."
Regarding the role of transparency in Microsoft's security initiatives, Jakkal said her company plans to both provide more information and do so more frequently.
"We want to share more. That's why we made those very concrete commitments, and we're going to share our roadmap publicly every quarter," she said. "We have always held transparency core to our values and research; every time we conducted an investigation, we released that information. And when customers are impacted or we saw something in their digital estate, what we've realized is that all customers want to know about it -- not just the impacted ones. We're changing the way we communicate as well, being more transparent and more frequent about what we're saying. We want to be a role model for the industry, as well."
Alexander Culafi is a senior information security news writer and podcast host for TechTarget Editorial.