In a strategic move to enhance security measures, Microsoft has successfully removed over 730,000 redundant applications and deactivated 5.75 million inactive tenants within its cloud infrastructure as part of the expansive Secure Future Initiative (SFI). This initiative was launched following two significant breaches into Microsoft’s network in the past year.
Furthermore, Microsoft has rolled out 15,000 secure devices for software development teams in the last three months and implemented video-based identity verification for 95% of its production staff. Updates to the Entra ID and Microsoft Account processes have also been put in place to enhance the generation, storage, and rotation of access token signing keys for both public and government clouds.
Secure Future Initiative
These changes are part of a larger Microsoft initiative to reduce vulnerabilities, strengthen cloud identity and authentication mechanisms, and improve threat detection and response capabilities. According to Charlie Bell, executive vice president of Microsoft Security, the SFI has involved the equivalent of 34,000 full-time engineers, making it the most extensive cybersecurity engineering effort in history.
The SFI was launched in November 2023, following security breaches by China’s Storm-0558 and Russia’s Midnight Blizzard, which compromised Microsoft’s infrastructure and email accounts of several government agencies and senior officials.
The US Department of Homeland Security’s Cyber Safety Review Board conducted an analysis of the Storm-0558 incident, attributing the breach to multiple security failures at Microsoft. Recommendations were made to enhance cloud security, particularly in the areas of identity and authentication.
Microsoft’s focus areas for improvement under SFI include identity and secrets management, cloud tenant and production system security, engineering system protections, network security, threat detection, and incident response protocols.
Sweeping Security Changes at Microsoft
Microsoft’s ongoing efforts include enhancing the protection of critical signing keys, reducing the attack surface by eliminating unused apps and inactive tenants, and improving network visibility and security measures.
To safeguard engineering systems, Microsoft has implemented centralized pipeline templates for production builds, enforced shorter lifespans for access tokens, and enhanced access controls. Mandatory checks have been introduced at critical points in the software development process.
Exec-Level Accountability
Microsoft’s commitment to security is evident in organizational changes that hold executives accountable for security goals. These changes include linking senior leadership compensation to security objectives, strengthening collaboration between threat intelligence and the CISO’s office, and fostering closer collaboration between engineering and security teams.