Microsoft has mobilized a volunteer program within its security ranks as part of its largest security transformation to date, ensuring that security is built in and that employees at all levels are empowered to defend against cyber threats. We dig into the company's Secure Future Initiative, its new security standards, and the executive team that will drive this change.
Redefining Security Culture
Security is a foundation, not just a feature
A damning report from the US Cyber Safety Review Board prompted the organization to re-prioritize security, making sure that everyone in every role knows that maintaining a secure digital environment is part of doing their job.
Fast forward to November 2023, when the Secure Future Initiative (SFI) launched, and things began to change. The largest cybersecurity engineering effort in Microsoft's history, the program has mobilized the equivalent of 34,000 full-time engineers.
Security-focused performance reviews and ongoing training for all employees reinforce the fact that security is now everyone's job. That culture matters most when it comes to fostering resilience and moving from reactive security models to proactive ones across Microsoft's wide range of products and services.
Simplification of Security Workflow
Along the way, Microsoft has also worked to harden its processes and infrastructure. For a start, the company has updated its Entra ID and Microsoft Account (MSA) systems so that access token-signing keys are protected by Azure-managed hardware security modules. Microsoft has also removed 5.75 million inactive tenants, which shrinks its potential attack surface.
The software giant is also introducing a new testing system that enforces secure defaults, so that new systems do not become legacy security nightmares down the line. This preventive approach ensures that new development is built with security in mind right from the start.
As an additional safety measure, Microsoft has centralized firmware compliance monitoring and logging across more than 99% of its physical network. The company has also increased its audit log retention to 2 years, providing a richer record of its security actions.
Better access controls are another main theme. These measures include reducing the lifespan of personal access tokens used by engineering teams to 7 days, temporarily turning off SSH-based access to all internal engineering repositories, and restricting the number of people with access to highly sensitive systems. These moves reduce the risk of unauthorized access and of potential data theft.
Conclusion
The security transformation that Microsoft has embarked on borders on the herculean, but it is also a crucial effort if Microsoft is to win back the trust of both its customers and the tech community at large. By placing security first, empowering its workforce, and implementing strong processes and controls, Microsoft is setting a bar that the industry should look to meet. This holistic approach will strengthen the company's own security posture and will also serve as a template for other organizations that need to shore up their defenses against new forms of cybercrime.