Microsoft has had a rough few years of cybersecurity incidents. It found itself at the center of the SolarWinds attack nearly three years ago, one of the most sophisticated cybersecurity attacks we’ve ever seen. Then, 30,000 organizations’ email servers were hacked in 2021 thanks to a Microsoft Exchange Server flaw. If that weren’t enough already, Chinese hackers breached US government emails via a Microsoft cloud exploit earlier this year.
Something had to give.
Microsoft is now announcing a huge cybersecurity effort, dubbed the Secure Future Initiative (SFI). This new approach is designed to change the way Microsoft designs, builds, tests, and operates its software and services. It’s the biggest change to security efforts inside Microsoft since the company announced its Security Development Lifecycle (SDL) in 2004 after Windows XP fell victim to a huge Blaster worm attack that knocked PCs offline in 2003. That push came just two years after co-founder Bill Gates had called on a trustworthy computing initiative in an internal memo.
Microsoft now plans to use automation and AI during software development to improve the security of its cloud services, cut the time it takes to fix cloud vulnerabilities, enable better security settings out of the box, and harden its infrastructure to protect against encryption keys falling into the wrong hands.
In an internal memo to Microsoft’s engineering teams today, the company’s leadership has outlined its new cybersecurity approach. It comes just months after Microsoft was accused of “blatantly negligent” cybersecurity practices related to a major breach that targeted its Azure platform. Microsoft has faced mounting criticism of its handling of a variety of cybersecurity issues in recent years.
“Satya Nadella, Rajesh Jha, Scott Guthrie, and I have put significant thought into how we should respond to the increasingly more sophisticated threats,” explains Charlie Bell, head of Microsoft security, in an internal memo distributed today. “To this end, we have committed to three specific engineering advances we are taking on our journey of continually improving the built-in security of our products and platforms. These advances comprise what we’re calling the Secure Future Initiative. Collectively, they improve security for customers both in the near term and against threats we know will increase over the horizon.”
The first big change is how Microsoft develops its software. The company will rely on more automation and AI to catch security risks and vulnerabilities. This includes leveraging CodeQL, GitHub’s code analysis engine, to automate security checks during development. “Our goal is to accelerate the deployment of CodeQL integrated with GitHub Copilot learnings,” says Bell. “We will use CodeQL to perform static and dynamic code analysis, helping our teams find and fix bugs in our code at AI speed and scale.”
This AI push for security won’t be limited to software development at Microsoft, either. “As a company, we are committed to building an AI-based cyber shield that will protect customers and countries around the world,” explains Brad Smith, Microsoft vice chair and president, in a blog post today. “AI is a game changer. While threat actors seek to hide their threats like a needle in a vast haystack of data, AI increasingly makes it possible to find the right needle even in a sea of needles. And coupled with a global network of datacenters, we are determined to use AI to detect threats at a speed that is as fast as the interest itself.”
Part of the criticism leveled at Microsoft in recent months has been focused on the amount of time it takes the company to respond to major security vulnerabilities. Cybersecurity company Tenable originally discovered an Azure flaw in March, but it says it took Microsoft “more than 90 days to implement a partial fix” that only applied to new Azure applications.
“We plan to cut the time it takes to mitigate cloud vulnerabilities by 50 percent,” says Bell in his memo. “We are in a position to achieve this because of our investment and learnings in automation, orchestration, and intelligence-driven tools and processes.” Ninety days is the typical industry window for security fixes, so if Microsoft can reliably cut that to 45 days, then that’s a great start to this new security initiative.
Microsoft is also looking at hardening the platforms that protect its encryption keys. Chinese hackers breached US government emails after stealing signing keys that allowed them to break into dozens of email inboxes earlier this year.
“To stay ahead of bad actors, we are moving identity platforms to confidential computing infrastructure that we helped pioneer,” says Bell. “In this architecture, data governing identities is encrypted not only at rest and transit but during computational processes as well. This means that even if an attacker gets through our layered defenses in the course of targeting encryption keys, the key data is designed to be inaccessible within automated systems that do not require human touch.”
Microsoft is also focusing on improving security defaults. “Over the next year we will enable customers with more secure default settings for Multi-Factor Authentication (MFA) out-of-the-box,” says Smith. “This will expand our current default policies to a wider band of customer services, with a focus on where customers need this protection the most.”
In September, cybersecurity research firm Wiz disclosed that 38TB of data had accidentally been exposed by Microsoft AI researchers thanks to an Azure feature called SAS tokens. “Account SAS tokens are extremely hard to manage and revoke,” said Wiz researchers at the time. Microsoft doesn’t specifically mention SAS tokens in its new security initiative, but hopefully it’s something the company is looking at, too.
While this is Microsoft’s biggest commitment to cybersecurity in more than a decade, I can also sense that the company is increasingly angered by the attacks it has found itself at the center of. “We should all abhor determined nation state efforts that seek to install malware or create or exploit other cybersecurity weaknesses in the networks of critical infrastructure providers,” says Smith in his blog post today. “These bear no connection to the espionage efforts that governments have pursued for centuries and instead appear designed to threaten the lives of innocent civilians in a future crisis or conflict.”
Smith calls on states to “recognize cloud services as critical infrastructure, with protection against attack under international law” and for greater accountability for nation-states involved in undermining cloud security. “All states should commit publicly that they will not plant software vulnerabilities in the networks of critical infrastructure providers such as energy, water, food, medical care, or other providers,” says Smith. “They should also commit that they will not permit any persons within their territory or jurisdiction to engage in cybercriminal operations that target critical infrastructure.”
"*" indicates required fields
Software Asset Management is a business practice that involves managing and optimising the life cycle of software within an organisation.
Software asset management is relevant to many facets of a business - take a look at some of the roles that it can form part of the focus of.
Software vendors come in all shape and sizes - all with their own set of licensing models and rules. We take a look at just a few of them.
As a constantly evolving subject, SAM is not without its challenges. We take a look at some of the most common ones.
Wondering what an investment in SAM could do for your business? Fill out a few details and find out what return you could get!
Answer a few questions about your SAM infrastructure & experience, and we'll put together a personalised recommendation for the future.
A simple health check of what's being used across your Office 365 estate in this FREE, Microsoft backed and easy to setup review.
Just like you would with your vehicle each year, get an annual check up of your software asset management programme.
Overwhelmed by the task of documenting the steps for a successful SAM programme? Get the experts in to help!
Concerned your SAM tools aren't covering your whole estate? Or on the look out for an entirely new tool? Get us in to assist.
Not content with covering all things SAM related, we've teamed up with Capital to provide a comprehensive hardware asset management review.
A simple, one-time reconciliation of the software you have deployed versus the licence entitlement you own.
A regularly scheduled analysis of your organisation's estate, specifically adapted to your needs and budget.
A full appraisal of your Microsoft 365 setup and how best to optimise it through automated recommendations.
An add-on to our SAMplicity One, MOT and Plus offerings, quickly diagnose your ability to migrate your resources to the cloud.
In collaboration with law firm Addleshaw Goddard, ensure the legality of your SAM programme and get assistance with any contract disputes.
Available as standard with SAMplicity Plus, ensure you're compliant if you're unexpectedly audited by a vendor.
We've teamed up with some of the forefront experts in licensing knowledge so you can teach yourself to be an expert too.
Stumped by the continually evolving complexities of SAM? Join us for one of our comprehensive courses, either in-person or online.
It’s chock full of useful advice, exclusive events and interesting articles. Don’t miss out!