Microsoft admits it still lags behind in cybersecurity, but says it is working to improve
Microsoft has had a tough year when it comes to cybersecurity. The tech giant has been hit with a number of security incidents involving its products in recent months.
First, Russian state-sponsored hackers were able to steal U.S. government emails by compromising Microsoft corporate email accounts. A 2023 attack by a Chinese state-sponsored group compromised Microsoft Exchange Online mailboxes, including those of Commerce Secretary Gina Raimondo, U.S. Ambassador to the People’s Republic of China R. Nicholas Burns, and Congressman Don Bacon.
After claiming at the time that safety would be its top priority, the company has now published a progress report on the Secure Future Initiative (SFI), a program launched in November 2023 to improve Microsoft’s cybersecurity.
Securing the future by learning the lessons of the past
Microsoft’s SFI update provides an overview of the progress being made to “prioritize safety above all else,” including governance updates, new training programs, employee security assessments and how Redmond is addressing its core pillars of cybersecurity.
Microsoft has improved its governance over the past year by establishing a Cybersecurity Governance Council, made up of Deputy Chief Information Security Officers (CISOs) who regularly review all aspects of cybersecurity, including risk, compliance, and defense.
Executives have also tied their pay to security performance to increase accountability and create an incentive to focus heavily on avoiding mistakes and improving past performance. In addition, the company introduced a Security Skilling Academy to provide employees with new cybersecurity skills and knowledge.
Regarding Microsoft’s six core cybersecurity pillars, the company has taken steps to improve identity and confidentiality protection by enhancing token management and phishing resistance in Microsoft’s access management solution, Microsoft Entra ID. Tenant and production protection has been improved by streamlining app lifecycle management and reducing the attack surface by removing inactive tenants.
Network security has been enhanced by isolating certain virtual networks with backend connectivity to reduce the chance of lateral movement. In addition, governance rules for Azure Storage, SQL, Cosmos DB, and Key Vault have been expanded to help customers protect themselves.
The SFI has also resulted in 85% of Microsoft’s commercial cloud production pipelines using centralized management. The lifetime of personal access tokens has been reduced to seven days, and controls have been introduced into the software development cycle. In addition, the number of elevated roles with access to technical systems has been reduced.
Threat detection and monitoring have been streamlined with the introduction of standardized security audit logs and centralized log management for 99% of network devices.
Finally, Microsoft has committed to improving transparency and reducing the time it takes to mitigate common vulnerabilities and exposures (CVEs) in its cloud infrastructure by updating processes and establishing the Customer Security Management Office to improve communication with customers when a security incident occurs.
“The work we’ve done so far is just the beginning. We know cyberthreats will continue to evolve and we must evolve with them,” said Charlie Bell, Executive Vice President of Microsoft Security.
“By fostering this culture of continuous learning and improvement, we are building a future where security is not just a feature, but a foundation.”