Microsoft makes security a new priority by tying it to leadership pay

Gamingdeputy News on May 3: After years of security issues and increasing criticism, Microsoft has made security the top priority for every employee.

The U.S. Cybersecurity Review Board recently issued a scathing report concluding that “Microsoft's security culture is inadequate and needs an overhaul.” In response, Microsoft has outlined a set of security principles and goals and tied them to the compensation package for its senior leadership team.


Last November, Microsoft announced the Secure Future Initiative (SFI) in response to growing pressure on the company. “We make security a top priority at Microsoft, above all other capabilities,” Charlie Bell, executive vice president of security at Microsoft, explained in a blog post today. “We will instill accountability by determining a portion of the company's senior leadership team's compensation based on progress toward achieving safety initiatives and milestones.”

Microsoft now has three security principles that form an important part of these goals: secure by design, secure by default, and secure operations. These principles aim to prioritize security during the design phase of products and services, place greater emphasis on protections enabled by default, and improve control and monitoring of current and future threats.

Gamingdeputy noticed from the announcement that Microsoft also proposed six commitments:

  • Protect identities and secrets. Microsoft has committed to implementing “best-in-class standards” across its identity and confidentiality infrastructure so that 100% of user accounts are protected by multi-factor authentication and 100% of applications are protected by managed credentials such as certificates.

  • Protect tenants and isolate production systems. Microsoft is taking steps to ensure that only healthy, managed and secure devices can access the company's services, while applying a least-privilege access model (the lowest level of access or permissions needed) to 100% of applications.

  • Protect the network. Microsoft is committed to ensuring 100% security of production networks and systems connected to the network by applying isolation and micro-segmentation to all production environments to help build additional defenses against attackers.

  • Protect engineering systems. Microsoft says 100% of access to its source code will be governed by a zero-trust and least-privilege access policy. Any source code deployed to production will also be protected by security best practices, and test environments will have standardized security and infrastructure isolation.

  • Monitor and detect threats. Microsoft promises to retain all security logs for two years and provide customers with six months of “appropriate logs.” It will also automatically detect and “rapidly” respond to suspicious access or configuration changes in 100% of Microsoft's production infrastructure and services.

  • Speed up response and remediation. The goal is to prevent unpatched vulnerabilities from being exploited through more “just in time fixes.” Microsoft has pledged to reduce the time it takes to remediate “high-severity” cloud security vulnerabilities and increase transparency about these issues by adopting the Common Weakness Enumeration (CWE) and Common Platform Enumeration (CPE) industry standards.

In addition, Microsoft's engineering leaders now hold weekly and monthly operational meetings that include various managers and senior personnel, with the goal of improving Microsoft's security thinking across the company. Microsoft has also added Deputy Chief Information Security Officer (CISO) positions and has its threat intelligence team reporting directly to the CISO.
