Microsoft has announced its new Secure Future Initiative (SFI) in response to growing threats to its Azure cloud infrastructure. Microsoft’s Vice Chair and President Brad Smith announced that Microsoft is prioritizing Azure security in three areas: “1. transforming software development, 2. implementing new identity protections, and 3. driving faster vulnerability response.”
Securing Software, Azure, and Faster Vulnerability Response
First, the initiative calls for Microsoft to adopt a new software development lifecycle (SDL) approach, to deliver “software that is secure by design, by default, in deployment, and in operation.” Dubbed “dynamic software development lifecycle”, or dSDL, it will employ continuous integration and continuous delivery (CI/CD) principles for “continuous security.”
Second, Microsoft is embracing more “secure-by-default” approaches to its Azure infrastructure to ensure permissions, applications, and services are more restricted by default versus open and publicly accessible. New Azure tenant baseline controls will be deployed by default across all of its internal tenants automatically.
Third, Microsoft is committing to reducing the time it takes to mitigate cloud vulnerabilities by 50 percent. Tenable CEO Amit Yoran infamously wrote a fiery post on LinkedIn in August accusing Microsoft of negligence for taking more than 90 days to remediate Azure flaws exploited by Chinese hackers. If Microsoft can reduce the time to remediation in half, this would be a large step forward in addressing potential exploitable targets.
Azure encryption key infrastructure will also be hardened according to the statement.
Secure Future Initiative: A Necessary, but Long Overdue Response
The announcement comes as Microsoft is acknowledging it must do better as a solutions provider where Microsoft Windows, 365 (formerly Office), and Azure are ubiquitous across the enterprise and government agencies.
Therefore, any improvement in securing the underlying infrastructure, or default security controls for cloud identity, access, and permissions can have a massive positive impact.
Microsoft found itself under intense pressure and criticism after the SolarWinds cyberattack three years ago. More recently, a vulnerability in Microsoft Outlook Web Access (OWA) in Exchange Online allowed Chinese hackers to access the email accounts of government agencies and other organizations. Senator Wyden (D-OR) had even called on Microsoft to be held accountable for the flaw.
Microsoft investigations determined that Storm-0558 gained access to customer email accounts using Outlook Web Access in Exchange Online (OWA) and Outlook.com by forging authentication tokens to access user email.
As artificial intelligence and automation are increasingly leveraged, it will be critically important that cloud infrastructures and solutions leveraged by enterprises are hardened.
Cyberattacks are increasing in scale and sophistication each year. Anticipating tomorrow’s threats and attack surfaces requires a fundamentally different approach to security. Doing “business as usual” for security won’t cut it anymore as ransomware continues to disrupt and even bankrupt businesses. Weak software supply chains can affect national security when a government heavily relies upon a vendor’s solution.
This is a positive step forward for Microsoft and the overall cybersecurity posture of enterprises globally. Critical infrastructure, military, hospitals, and Wall Street all use Microsoft solutions, and none can afford to be an easily exploitable target.
