Last November, we launched the Secure Future Initiative (SFI) to prepare for the increasing scale and high stakes of cyberattacks. SFI brings together every part of Microsoft to advance cybersecurity protection across our company and products.
Since then, the threat landscape has continued to rapidly evolve, and we have learned a lot. The recent findings by the Department of Homeland Security’s Cyber Safety Review Board (CSRB) regarding the Storm-0558 cyberattack from last July, and the Midnight Blizzard attack we reported in January, underscore the severity of the threats facing our company and our customers.
Microsoft plays a central role in the world’s digital ecosystem, and this comes with a critical responsibility to earn and maintain trust. We must and will do more.
We are making security our top priority at Microsoft, above all else—over all other features. We’re expanding the scope of SFI, integrating the recent recommendations from the CSRB as well as our learnings from Midnight Blizzard to ensure that our cybersecurity approach remains robust and adaptive to the evolving threat landscape.
We will mobilize the expanded SFI pillars and goals across Microsoft, and this will be a dimension in our hiring decisions. In addition, we will instill accountability by basing part of the compensation of the company’s Senior Leadership Team on our progress in meeting our security plans and milestones.
Below are details to demonstrate the seriousness of our work and commitment.
We have evolved our security approach, and going forward our work will be guided by the following three security principles:
We are further expanding our goals and actions aligned to six prioritized security pillars and providing visibility into the details of our execution:
Reduce the risk of unauthorized access by implementing and enforcing best-in-class standards across all identity and secrets infrastructure, and user and application authentication and authorization. As part of this, we are taking the following actions:
Protect all Microsoft tenants and production environments using consistent, best-in-class security practices and strict isolation to minimize breadth of impact. As part of this, we are taking the following actions:
Protect Microsoft production networks and implement network isolation of Microsoft and customer resources. As part of this, we are taking the following actions:
Protect software assets and continuously improve code security through governance of the software supply chain and engineering systems infrastructure. As part of this, we are taking the following actions:
Provide comprehensive coverage and automatic detection of threats to Microsoft production infrastructure and services. As part of this, we are taking the following actions:
Prevent exploitation of vulnerabilities discovered by external and internal entities, through comprehensive and timely remediation. As part of this, we are taking the following actions:
These goals directly align to our learnings from the Midnight Blizzard incident as well as all four CSRB recommendations to Microsoft and all 12 recommendations to cloud service providers (CSPs), across the areas of security culture, cybersecurity best practices, audit logging norms, digital identity standards and guidance, and transparency.
We are delivering on these goals through a new level of coordination with a new operating model that aligns leaders and teams to the six SFI pillars, in order to drive security holistically and break down traditional silos. The pillar leaders are working across engineering Executive Vice Presidents (EVPs) to drive integrated, cross-company engineering execution, doing this work in waves. These engineering waves involve teams across Microsoft Azure, Windows, Microsoft 365, and Security, with additional product teams integrating into the process weekly.
While there is much more to do, we’ve made progress in executing against SFI priorities. For example, we’ve implemented automatic enforcement of multifactor authentication by default across more than one million Microsoft Entra ID tenants within Microsoft, including tenants for development, testing, demos, and production. We have eliminated or reduced application targets by removing 730,000 apps to date across production and corporate tenants that were out-of-lifecycle or not meeting current SFI standards. We have expanded our logging to give customers deeper visibility. And we recently announced a significant shift in our response process: we are now publishing root cause data for Microsoft CVEs using the CWE™ industry standard.
Paved paths are best practices from our learned experiences, drawing upon lessons such as how to optimize productivity of our software development and operations, how to achieve compliance (such as Software Bill of Materials, Sarbanes-Oxley Act, General Data Protection Regulation, and others), and how to eliminate entire categories of vulnerabilities and mitigate related risks. A paved path becomes a standard when adoption significantly improves the developer or operations experience or security, quality, or compliance.
With SFI, we are explicitly defining standards for each of the six security pillars, and adherence to these standards will be measured as objectives and key results (OKRs).
The Secure Future Initiative empowers all of Microsoft to implement the needed changes to deliver security first. Our company culture is based on a growth mindset that fosters an ethos of continuous improvement. We continually seek feedback and new perspectives to tune our approach and progress. We will take our learnings from security incidents, feed them back into our security standards, and operationalize these learnings as paved paths that can enable secure design and operations at scale.
We are also taking major steps to elevate security governance, including several organizational changes and additional oversight, controls, and reporting.
Microsoft is implementing a new security governance framework spearheaded by the Chief Information Security Officer (CISO). This framework introduces a partnership between engineering teams and newly formed Deputy CISOs, collectively responsible for overseeing SFI, managing risks, and reporting progress directly to the Senior Leadership Team. Progress will be reviewed weekly with this executive forum and quarterly with our Board of Directors.
Finally, given the importance of threat intelligence, we are bringing the full breadth of nation-state actor and threat hunting capabilities into the CISO organization.
Culture can only be reinforced through our daily behaviors. Security is a team sport and is best realized when organizational boundaries are overcome. The engineering EVPs, in close coordination with SFI pillar leaders, are holding broadscale weekly and monthly operational meetings that include all levels of management and senior individual contributors. These meetings work on detailed execution and continuous improvement of security in context with what we collectively deliver to customers. Through this process of bottom-to-top and end-to-end problem solving, security thinking is ingrained in our daily behaviors.
Ultimately, Microsoft runs on trust and this trust must be earned and maintained. As a global provider of software, infrastructure, and cloud services, we feel a deep responsibility to do our part to keep the world safe and secure. Our promise is to continually improve and adapt to the evolving needs of cybersecurity. This is job number one for us.