Microsoft acknowledges cybersecurity shortcomings, pledges to make changes
Microsoft has publicly acknowledged its shortcomings in the field of cybersecurity, and announced it will make necessary changes to rectify them. The tech giant's admission comes after a series of significant security breaches, involving some of its most crucial and widely used products. In one high-profile incident, Russian state-sponsored hackers were able to access sensitive US government emails by compromising Microsoft's corporate email accounts.
Microsoft's Secure Future initiative: A response to security lapses
In another breach, a Chinese state-sponsored group infiltrated Microsoft Exchange Online mailboxes. These included those of high-profile individuals such as US Commerce Secretary Gina Raimondo, US Ambassador to China R. Nicholas Burns, as well as Congressman Don Bacon. In response to these security lapses, Microsoft has announced that security is now its top priority, and provided an update on its Secure Future Initiative (SFI).
SFI progress report outlines new security measures
The SFI progress report details the steps Microsoft is taking to "prioritize security above all else." These include significant updates to governance, new programs for upskilling employees, and stringent security reviews. The company is focusing on its core pillars of cybersecurity, suggesting a commitment to fundamental changes in its approach to protecting user data and systems.
Executive pay tied to security performance
Over the last year, Microsoft has strengthened its governance framework by forming a Cybersecurity Governance Council. This council, composed of Deputy Chief Information Security Officers (CISOs), regularly reviews all cybersecurity matters. To ensure accountability, Microsoft has linked executive compensation to security performance, offering a strong incentive for leaders to focus on preventing errors and improving security outcomes.
Security skilling academy for employee training
In addition to governance changes, Microsoft has launched a Security Skilling Academy. This initiative is designed to equip workers with the latest cybersecurity skills and knowledge. The academy was launched in July and includes training for all employees, stressing the importance of security in daily operations.
Company enhances identity and secret protection
Microsoft has focused on six key pillars of cybersecurity. These include improving identity and secret protection by strengthening token management and phishing resistance within its access management solution, Microsoft Entra ID. The company has also streamlined app lifecycle management and reduced its attack surface by removing inactive tenants, thereby improving tenant and production protection.
Microsoft strengthens network security, implements stricter admin rules
Network security has been bolstered by isolating some virtual networks with backend connectivity, reducing the possibility of lateral movement by attackers. Microsoft has also implemented stricter admin rules for Azure Storage, SQL, Cosmos DB, and Key Vault to help customers secure their data. Under the Secure Future Initiative, 85% of Microsoft's production build pipelines for commercial cloud services have also come under centralized governance.
Enhanced threat detection and monitoring
To strengthen threat detection and monitoring, Microsoft has introduced standardized security audit logs and centralized log management, which now cover 99% of its network devices. The company has also committed to improving transparency and reducing the time required to address common vulnerabilities and exposures (CVEs) across its cloud infrastructure. This includes updating processes and setting up a Customer Security Management Office to communicate better with customers during security incidents.