The Register: So how’s Microsoft’s Secure Future Initiative going?

Source URL: https://www.theregister.com/2024/09/23/microsoft_secure_future_initiative/
Source: The Register
Title: So how’s Microsoft’s Secure Future Initiative going?

Feedly Summary: 34,000 engineers pledged to the cause, but no word on exec pay
Microsoft took a victory lap today, touting the 34,000 full-time engineers it has dedicated to its Secure Future Initiative (SFI) since it launched almost a year ago and making public its first progress report on efforts to improve security in its products and services.…

AI Summary and Description: Yes

**Summary:** Microsoft has made significant strides in its Secure Future Initiative (SFI) amidst previous security criticisms. With a dedicated team of 34,000 engineers, the initiative aims to strengthen security across its products and services, focusing on identity protection, tenant isolation, network security, and threat monitoring. This reflects a commitment to prioritizing security in their corporate culture and practices.

**Detailed Description:**
Microsoft’s Secure Future Initiative (SFI) is a comprehensive security strategy launched in November 2023 in response to various high-profile security breaches, including compromises by state-sponsored actors. The initiative underscores Microsoft’s commitment to security by assigning accountability within its leadership and integrating security into performance metrics for employees.

Key aspects of SFI:

– **Commitment to Security:**
  – **34,000 engineers** dedicated to improving security.
  – Cybersecurity performance integrated into executive compensation.
  – Security included as a “core priority” in employee evaluations.

– **Learning and Development:**
  – Launch of the **Microsoft Security Academy** to provide tailored training for employees globally.

– **Engineering Pillars:** Microsoft has established six main pillars to measure progress:
  – **Protect Identities and Secrets:**
    – Azure Managed Hardware Security Module (HSM) adopted for token key management, with stronger credential validation.
    – Video-based user verification adopted for 95% of internal users.
  – **Protect Tenants and Isolate Production Systems:**
    – 730,000 unused applications and 5.75 million inactive tenants decommissioned.
    – Over 15,000 secured devices deployed within a three-month period.
  – **Protect Networks:**
    – Over 99% of physical assets recorded in a centralized inventory system.
    – Virtual networks isolated from corporate systems.
  – **Protect Engineering Systems:**
    – 85% of production build pipelines using centrally governed pipeline templates.
  – **Monitor and Detect Threats:**
    – Centralized logging for security audits, with a two-year log retention period.
  – **Accelerate Response and Remediation:**
    – Improved mitigation processes for critical vulnerabilities.
    – A **Customer Security Management Office (CSMO)** established to engage customers during incidents.

– **Governance Structure:**
  – A **Cybersecurity Governance Council** of 13 deputy Chief Information Security Officers (CISOs) formed to oversee SFI implementation.
  – Quarterly progress updates to the board of directors.

Despite these initiatives, questions remain about the transparency and accountability of executive performance evaluations and their consequences. The report emphasizes that while words and plans are commendable, actual security will be tested against real-world threats, particularly from advanced adversaries like Russia and China.

This initiative is particularly relevant for security, compliance, and infrastructure professionals as it outlines an organizational approach to enhancing cyber resilience through governance, responsibility assignment, and continuous improvement in security practices.