Microsoft announces a significant elevation in its security policy following the breach by the Storm-0558 hacker group stealing Azure AD keys in July 2023, and the internal system attacks by the Midnight Blizzard group stealing some company data earlier in 2024.
Microsoft unveils a major security initiative called Secure Future Initiative (SFI) introduced in November 2023, but the company’s management team states that it’s not enough. This announcement marks the expansion of SFI to cover all aspects of the company.
The new Microsoft security policy is grounded on three fundamental principles:
– Secure by design: Prioritize security in the design of any service above all other dimensions.
– Secure by default: Always enable security features by default and prohibit being optional.
– Secure operations: Continuously control and monitor security aspects and improve them consistently.
Regarding the first principle, The Verge reports that an email from Satya Nadella to employees emphasizes choosing security over other matters whenever faced with a decision, like adding features or supporting legacy systems.
Additionally, following the three basic principles, there are six pillars of best practices:
– Protect identities and secrets using various measures like key rotation, hardware security module, MFA.
– Protect tenants and isolate production systems to prevent issues from affecting each other, grant minimal access (least-privilege), and remove unused or obsolete systems.
– Protect networks through isolation and microsegmentation, and constant monitoring.
– Protect engineering systems in the development and engineering process from source code to software deployment.
– Monitor and detect threats within the system, ensuring 100% monitoring and logging for at least two years.
– Accelerate response and remediation by reducing the time to mitigate high-level cloud vulnerabilities, increasing transparency in vulnerability reporting, and following standard CWE/CPE references.
In terms of management, Microsoft also announces the appointment of Deputy Chief Information Security Officers (CISO) in all product teams and ties the high-level executives’ compensation to the progress of security measures’ implementation.
TLDR: Microsoft enhances its security policies following breaches by hacker groups, introducing Secure Future Initiative, and implementing fundamental security principles and best practices across the company structure.
Leave a Comment