On May 3, Microsoft presented the main pillars of its major program to improve its cybersecurity practices. This plan, entitled “Secure Future Initiative” (SFI), was launched internally last November. In particular, it planned to automatically block certain abuses, search for sensitive data in network traffic, and apply new requirements when creating corporate accounts.
Security that applies from the design of the product or service
Charlie Bell, executive vice president of Microsoft Security, explains that Microsoft's initiative revolves around three “security principles”and of “six priority security pillars”. According to the first principle, “safety comes first when designing any product to service”. The other two principles specify that these security protections will be “enabled and applied by default”that they are not optional, and that “Security controls and monitoring will be continually improved.”
Advertisement
THE “pillars of security” provide further details. Microsoft first intends to 100% protect identities and “secrets”, i.e. the encryption keys, authentication tokens or identification information managed by the system. The firm calls for identity and public key infrastructure (PKI) systems to be “ready for a post-quantum crypto world”.
It also undertakes to take a series of measures to prevent pirates from accessing the source code of its products, by isolating production systems. A major challenge for Microsoft: in March, the group admitted that Russian hackers from the Nobelium group had stolen “certain source code repositories and internal company systems”.
Accelerate vulnerability remediation measures
Microsoft also takes many measures to protect networks, including creating “additional layers of defense” against hackers, and making it easier for customers to secure their networks and isolate network resources in the cloud.
To better detect future threats, Microsoft plans to maintain an up-to-date inventory of its production infrastructure and services, retain security logs of its systems for at least two years and facilitate access to security investigations. It also wants to propose faster mitigation measures, to counter criticism of its long delays in detecting and correcting cyberattacks in its systems. The Nobelium group's intrusion, initially detected in January, actually began at the end of November.
Advertisement
It remains to be seen whether the Redmond firm will manage to stick to its roadmap. In recent months, Microsoft has increased its efforts and investments in the development of generative AI tools. Solutions that could give hackers a wider scope to carry out cyberattacks and endanger customer data.
“Choose safety,” insists Satya Nadella
The IT giant has decided to move up a gear, particularly following a report from the American government. “Recent findings from the Cyber Safety Review Board (CSRB) (…) highlight the seriousness of the threats our company and our customers face,” explains Charlie Bell in a press release.
The CSRB, a government committee attached to the United States Department of Homeland Security, published its conclusions a month ago on the espionage campaign that targeted Exchange messaging last summer. The email boxes of 22 organizations and 500 individuals around the world, including some senior US government officials, were hacked by the Storm-0558 hacker group, believed to be affiliated with the China. The CSRB had denounced a “corporate culture” inadequate, and added that the pirates' intrusion was “avoidable”.
In a note to employees on Friday, Microsoft CEO Satya Nadella said: “If you are faced with a dilemma between security and another priority, your answer is clear: choose security. In some cases, this means prioritizing security before other things, like releasing new features or providing ongoing support for existing systems.” Satya Nadella specifies that in the future, the remuneration of Microsoft executives will be calculated in part based on the degree of achievement of the objectives of this program.
Selected for you