Microsoft issues first Secure Future Initiative report

More SFI pillars

The second SFI pillar focused on protecting cloud tenants and isolating production systems. "We completed a full iteration of app lifecycle management for all of our production and productivity tenants, eliminating 730,000 unused apps," Bell wrote. "We eliminated 5.75 million inactive tenants, drastically reducing the potential cyberattack surface."

The third pillar addressed network security. The report noted that more than 99% of physical assets on Microsoft's production network have been recorded in a central inventory system, and each asset is monitored for credential, firmware and access control list hygiene.

The report's fourth pillar also addressed supply risks and noted that 85% of Microsoft's production build pipelines for commercial cloud services are now using centrally governed pipeline templates. Microsoft stressed that its engineering systems are a prime target threat actors use to gain access to customer environments. "In recent attacks, we've seen threat actors exploit the software supply-chain through both code exploits and social engineering. We then see them attempt to exfiltrate source code to find secrets and vulnerabilities in source to be used immediately or stored to leverage at a later date," the report said.

The fifth pillar focused on monitoring and detecting threats. To that end, Bell said Microsoft has made "significant progress" toward making sure all Microsoft production assets and services are emitting standardized security logs. "For instance, we have established central management and a two-year retention period for identity infrastructure security audit logs, encompassing all security audit events throughout the lifecycle of current signing keys," he wrote. "Similarly, more than 99% of network devices are now enabled with centralized security log collection and retention."

In the sixth and final pillar, Microsoft outlined efforts to improve vulnerability response and remediation processes, which have been heavily criticized by cybersecurity vendors in recent years. "We began publishing critical cloud vulnerabilities as common vulnerability and exposures (CVEs), even if no customer action is required, to improve transparency," the report said. "We established the Customer Security Management Office (CSMO) to improve public messaging and customer engagement for security incidents."

On Monday, Microsoft also announced that it established a new Cybersecurity Governance Council with appointed deputy CISOs to assume major responsibilities. "As a group, they take responsibility for the company's overall cyber risk, defense, and compliance," Microsoft wrote in the report.

Lessons learned from Storm-0558 attack

Many of the changes outlined in the SFI report appear to be in response to the Storm-0558 attack and the resulting CSRB report, which noted that Microsoft's security culture was "inadequate and requires an overhaul."

Joy Chik, president of identity and network access at Microsoft, told TechTarget Editorial that the company took the CSRB's recommendations seriously and made significant progress in IAM.

"We do not want to have a repeat Storm-0558 attack, but on the other hand, we also recognize the threat landscape and the sophistication will continue to evolve. So we need to continue to use all the AIs and threat signals to continue and improve, and strengthen our protection, but also detection for these attack vectors," she said.

Chik said transitioning the MSA and Entra ID to the same token system enables the company to instantaneously apply security hardening to both the commercial and consumer side. As to why the changes weren't implemented sooner, she said Microsoft prioritized the commercial cloud side of operations, but realized that the same level of security was needed on the consumer side. Chik stressed that the updates to MSA and Entra ID help Microsoft raise the bar for both at the same time.

Chik also outlined how the IAM improvements would help prevent a repeat of the Storm-0558 attack. She said the attack highlighted how having multiple software layers of protection is not enough to prevent nation-state attacks, and that a security posture is better when there's zero human touch. Microsoft continues to focus on a zero-trust access approach to security, she said.

"I think this goes back to the zero-trust principles, the least amount of privilege. Basically, you should only give the amount of access you need with the least amount of privilege and with the least amount of time," Chik said. "Zero trust helps reduce legacy access tokens that are lying around that you don't really need anymore."

A key theme in the SFI progress report was enhancing IAM, particularly for Microsoft's engineering systems. Chik highlighted how the company reduced personal access token life span to seven days and disabled SSH access for all Microsoft internal engineering repositories.

She said the practice of reducing the token life spans was not implemented sooner because it's often difficult to find a balance between security and productivity. "You can always look back and say we could have implemented everything from the beginning," she said. "I think part of it goes back to the SFI, the principle of secure by design, secure by default and secure operations."

Arielle Waldman is a news writer for TechTarget Editorial covering enterprise security.