
Microsoft reveals progress in Secure Future Initiative


Microsoft has published a new report with extensive details on its largest security transformation effort to date, the Secure Future Initiative (SFI). The initiative follows years of security incidents and a critical report from the US Cyber Safety Review Board that found Microsoft’s security culture inadequate. Nearly six months after Microsoft CEO Satya Nadella announced that security must be prioritized above all else, the company reports significant progress.

The company launched its SFI in November 2023, shortly after the scathing report from the US Cyber Safety Review Board stated that Microsoft’s security culture required a complete overhaul. Today, Microsoft states it now employs the equivalent of 34,000 full-time engineers dedicated to its SFI, making it the most significant cybersecurity engineering effort in the company’s history. Following updates to the company’s performance reviews, every Microsoft employee is now evaluated based on their contribution to security.

These changes have led to several improvements in Microsoft’s security processes, including updates to its Entra ID and Microsoft Account (MSA) systems. These systems now use Azure-managed hardware security modules to generate, store, and automatically rotate access token signing keys, significantly enhancing security. Additionally, Microsoft has eliminated 5.75 million inactive tenants, reducing potential attack surfaces.

A new system to test secure defaults is now in place to mitigate the risks posed by legacy systems. Over 99 percent of Microsoft’s physical network is now tracked in a central inventory system, aiding in firmware compliance and logging. Audit logs are retained for at least two years, further bolstering security measures.

Microsoft engineering teams have seen personal access token durations reduced to just seven days, SSH access disabled for all internal engineering repositories, and a decrease in the number of groups with access to key engineering systems. Previously criticized for slow responses to security issues, Microsoft now proactively publishes CVEs to enhance transparency, even if no customer action is required.
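Two of the measures above, HSM-backed generation and automatic rotation of token signing keys, and a seven-day ceiling on personal access tokens, are easier to reason about with a concrete model. The Python below is an added example written for this page; it is not Microsoft’s code and nothing in the report describes its implementation. It uses an in-memory HMAC key store as a stand-in for keys held in an HSM (the real Entra ID and MSA systems use Azure-managed HSMs and would typically sign with asymmetric keys), rotation that lets a retired key verify only inside a short grace window so tokens issued just before a rotation keep working, and an issuer that refuses any lifetime beyond seven days. The class and function names (SigningKeyStore, issue_token, verify_token), the grace window and the timestamps are all assumptions for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Seven-day ceiling on token lifetime, matching the PAT duration quoted in the article.
MAX_TOKEN_LIFETIME = 7 * 24 * 3600


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class SigningKeyStore:
    """Hypothetical stand-in for an HSM-backed key store (constructed for this example).
    A fresh key is minted on every rotation, only the newest key ever signs, and a
    retired key can verify only until its grace window elapses."""

    def __init__(self, now: int, grace_seconds: int):
        self.grace = grace_seconds
        self.keys = {}         # kid -> secret bytes (in a real HSM the bytes never leave the device)
        self.retired_at = {}   # kid -> time the key stopped signing
        self.current_kid = None
        self.rotate(now)

    def rotate(self, now: int) -> str:
        if self.current_kid is not None:
            self.retired_at[self.current_kid] = now
        kid = secrets.token_hex(4)
        self.keys[kid] = secrets.token_bytes(32)
        self.current_kid = kid
        # Purge keys whose grace window has fully elapsed so they can never verify again.
        for old in [k for k, t in self.retired_at.items() if now - t > self.grace]:
            del self.keys[old]
            del self.retired_at[old]
        return kid

    def verification_key(self, kid: str, now: int):
        """Return the key for `kid` if it is current or still inside its grace window."""
        retired = self.retired_at.get(kid)
        if kid not in self.keys or (retired is not None and now - retired > self.grace):
            return None
        return self.keys[kid]


def issue_token(store: SigningKeyStore, subject: str, now: int, lifetime_seconds: int) -> str:
    """Sign a compact HS256 token with the current key; lifetimes over seven days are refused."""
    if lifetime_seconds > MAX_TOKEN_LIFETIME:
        raise ValueError("requested lifetime exceeds the seven-day ceiling")
    header = {"alg": "HS256", "typ": "JWT", "kid": store.current_kid}
    payload = {"sub": subject, "iat": now, "exp": now + lifetime_seconds}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode()) for part in (header, payload)
    )
    signature = hmac.new(store.keys[store.current_kid], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def verify_token(store: SigningKeyStore, token: str, now: int):
    """Return (payload, "ok") or (None, reason). Checks the kid against the live key set,
    then the signature, then expiry and the lifetime ceiling."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(b64url_decode(h_b64))
        payload = json.loads(b64url_decode(p_b64))
        signature = b64url_decode(s_b64)
    except ValueError:
        return None, "malformed"
    if header.get("alg") != "HS256":
        return None, "unsupported alg"
    kid = header.get("kid")
    if not isinstance(kid, str):
        return None, "unknown or retired kid"
    key = store.verification_key(kid, now)
    if key is None:
        return None, "unknown or retired kid"
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None, "bad signature"
    exp, iat = payload.get("exp"), payload.get("iat", 0)
    if exp is None or now >= exp or exp - iat > MAX_TOKEN_LIFETIME:
        return None, "expired or over-long"
    return payload, "ok"


if __name__ == "__main__":
    t0 = 1_700_000_000                       # constructed timestamp
    store = SigningKeyStore(now=t0, grace_seconds=3600)
    token = issue_token(store, "alice", t0, MAX_TOKEN_LIFETIME)
    print(verify_token(store, token, t0 + 60))
    store.rotate(now=t0 + 100)               # old key keeps verifying for one hour, then is refused
    print(verify_token(store, token, t0 + 100 + 3601))
```

The ordering of checks is deliberate: a token under a retired key is rejected before any signature work, so a leaked or compromised old key stops being useful as soon as its grace window closes, and the lifetime check is applied at verification as well as issuance so a claim set with an inflated `exp` is caught even if the issuer is misconfigured.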

Microsoft’s security culture overhaul

Transforming Microsoft’s engineering processes and security culture is a complex task. The company employs 100,000 engineers, designers, and project managers, handling over 500,000 work items and generating 5 million builds each month. Microsoft has implemented the “Start Right, Stay Right, and Get Right” approach to achieve this transformation.

This strategy ensures that projects adhere to security standards from the start, are monitored continuously, and are regularly audited to maintain compliance. Microsoft has also established a new Cybersecurity Governance Council and appointed 13 deputy Chief Information Security Officers (CISOs), including four new hires. These new deputy CISOs bring a wealth of experience from various industries and roles:

Damon Becknel, Vice President and Deputy CISO for regulated industries, previously served as CISO at ID.me and Horizon Blue Cross Blue Shield.

Geoff Belknap, Corporate Vice President and Deputy CISO for core and mergers/acquisitions, was formerly CISO at LinkedIn and Slack and CSO at Palantir.

Shawn Bowen, Vice President and Deputy CISO for gaming, has a 27-year background in engineering and security, including roles at World Kinect and the US Marine Corps Intelligence.

Timothy Langan, Corporate Vice President and Deputy CISO for government, joined Microsoft after a 26-year tenure at the FBI.

The other nine deputy CISOs are seasoned Microsoft executives, including Technical Fellow Mark Russinovich, who has been named Deputy CISO for Azure alongside his role as Azure CTO. Microsoft’s senior leadership team now reviews SFI progress weekly and provides quarterly updates to the board of directors. Furthermore, Microsoft launched a security skilling academy in July, which offers ongoing training for all employees to emphasize the importance of security in their daily operations.

This comprehensive training, the performance reviews, and the oversight of Microsoft’s senior leadership team underscore the company’s commitment to security. “Our commitment to transparency and industry collaboration remains unwavering,” said Microsoft’s head of security. “By fostering this continuous learning and improvement culture, we are building a future where security is not just a feature but a foundation.”
