Expanding Microsofts Secure Future Initiative SFI Microsoft Security Blog

pLast November we launched the Secure Future Initiative SFI to prepare for the increasing scale and high stakes of cyberattacks SFI brings together every part of Microsoft to advance cybersecurity protection across our company and productsppSince then the threat landscape has continued to rapidly evolve and we have learned a lot The recent findings by the Department of Homeland Securitys Cyber Safety Review Board CSRB regarding the Storm0558 cyberattack from last July and the Midnight Blizzard attack we reported in January underscore the severity of the threats facing our company and our customersppMicrosoft plays a central role in the worlds digital ecosystem and this comes with a critical responsibility to earn and maintain trust We must and will do moreppWe are making security our top priority at Microsoft above all elseover all other features Were expanding the scope of SFI integrating the recent recommendations from the CSRB as well as our learnings from Midnight Blizzard to ensure that our cybersecurity approach remains robust and adaptive to the evolving threat landscapeppWe will mobilize the expanded SFI pillars and goals across Microsoft and this will be a dimension in our hiring decisions In addition we will instill accountability by basing part of the compensation of the companys Senior Leadership Team on our progress in meeting our security plans and milestonesppBelow are details to demonstrate the seriousness of our work and commitmentppWe have evolved our security approach and going forward our work will be guided by the following three security principlesppWe are further expanding our goals and actions aligned to six prioritized security pillars and providing visibility into the details of our executionppReduce the risk of unauthorized access by implementing and enforcing bestinclass standards across all identity and secrets infrastructure and user and application authentication and authorization As part of this we are taking the following actionsppProtect all Microsoft tenants and production environments using consistent bestinclass security practices and strict isolation to minimize breadth of impact As part of this we are taking the following actionsppProtect Microsoft production networks and implement network isolation of Microsoft and customer resources As part of this we are taking the following actionsppProtect software assets and continuously improve code security through governance of the software supply chain and engineering systems infrastructure As part of this we are taking the following actionsppComprehensive coverage and automatic detection of threats to Microsoft production infrastructure and services As part of this we are taking the following actionsppPrevent exploitation of vulnerabilities discovered by external and internal entities through comprehensive and timely remediation As part of this we are taking the following actionsppThese goals directly align to our learnings from the Midnight Blizzard incident as well as all four CSRB recommendations to Microsoft and all 12 recommendations to cloud service providers CSPs across the areas of security culture cybersecurity best practices auditing logging norms digital identity standards and guidance and transparencyppWe are delivering on these goals through a new level of coordination with a new operating model that aligns leaders and teams to the six SFI pillars in order to drive security holistically and break down traditional silos The pillar leaders are working across engineering Executive Vice Presidents EVPs to drive integrated crosscompany engineering execution doing this work in waves These engineering waves involve teams across Microsoft Azure Windows Microsoft 365 and Security with additional product teams integrating into the process weeklyppWhile there is much more to do weve made progress in executing against SFI priorities For example weve implemented automatic enforcement of multifactor authentication by default across more than one million Microsoft Entra ID tenants within Microsoft including tenants for development testing demos and production We have eliminated or reduced application targets by removing 730000 apps to date across production and corporate tenants that were outoflifecycle or not meeting current SFI standards We have expanded our logging to give customers deeper visibility And we recently announced a significant shift on our response process We are now publishing root cause data for Microsoft CVEs using the CWE industry standardppPaved paths are best practices from our learned experiences drawing upon lessons such as how to optimize productivity of our software development and operations how to achieve compliance such as Software Bill of Materials SarbanesOxley Act General Data Protection Regulation and others and how to eliminate entire categories of vulnerabilities and mitigate related risks A paved path becomes a standard when adoption significantly improves the developer or operations experience or security quality or complianceppWith SFI we are explicitly defining standards for each of the six security pillars and adherence to these standards will be measured as objectives and key results OKRsppThe Secure Future Initiative empowers all of Microsoft to implement the needed changes to deliver security first Our company culture is based on a growth mindset that fosters an ethos of continuous improvement We continually seek feedback and new perspectives to tune our approach and progress We will take our learnings from security incidents feed them back into our security standards and operationalize these learnings as paved paths that can enable secure design and operations at scaleppWe are also taking major steps to elevate security governance including several organizational changes and additional oversight controls and reportingppMicrosoft is implementing a new security governance framework spearheaded by the Chief Information Security Officer CISO This framework introduces a partnership between engineering teams and newly formed Deputy CISOs collectively responsible for overseeing SFI managing risks and reporting progress directly to the Senior Leadership Team Progress will be reviewed weekly with this executive forum and quarterly with our Board of DirectorsppFinally given the importance of threat intelligence we are bringing the full breadth of nationstate actor and threat hunting capabilities into the CISO organizationppCulture can only be reinforced through our daily behaviors Security is a team sport and is best realized when organizational boundaries are overcome The engineering EVPs in close coordination with SFI pillar leaders are holding broadscale weekly and monthly operational meetings that include all levels of management and senior individual contributors These meetings work on detailed execution and continuous improvement of security in context with what we collectively deliver to customers Through this process of bottomtotop and endtoend problem solving security thinking is ingrained in our daily behaviors  ppUltimately Microsoft runs on trust and this trust must be earned and maintained As a global provider of software infrastructure and cloud services we feel a deep responsibility to do our part to keep the world safe and secure Our promise is to continually improve and adapt to the evolving needs of cybersecurity This is job number one for usppMicrosoft is a leader in cybersecurity and we embrace our responsibility to make the world a safer placep