Microsoft is revising its cybersecurity strategy, called the Secure Future Initiative, to incorporate key security features into its core set of technology platforms and cloud services.
The plan was created after a massive government and industry backlash against Microsoft following the government-linked theft of emails from the US State Department. Microsoft has come under fire from key members of Congress and federal officials, who have worried that the company is forcing federal agencies to rely on software products that lack the necessary security features to protect against sophisticated attackers.
A related criticism in the State Department case was that Microsoft charged customers extra for important security features.
Microsoft plans to enable secure settings by default out of the box, so customers don’t have to deal with multiple configurations to ensure the product is secure from hackers.
For example, Microsoft will implement Azure Core Controls by default, which includes 99 controls across nine security domains.
“What’s different now is that the scale, speed, and sophistication of the threat landscape has changed, and we must rise to the challenge,” Microsoft said in a statement to Cybersecurity Dive. “Microsoft anticipated these moves and worked diligently on them, given their scale and complexity.”
According to a blog post by Charlie Bell, executive vice president of Microsoft Security, the Secure Future Initiative will include three major changes in security design and response methods:
The company will change the way software is developed through automation and AI. This will encourage the development of software that is secure by design and by default, both in how the software is deployed and how it operates.
The company will evolve its Security Development Lifecycle (SDL) into what it calls a dynamic SDL. Microsoft will incorporate continuous integration and continuous delivery (CI/CD) into its product development process so that security capabilities evolve as threats evolve.
Microsoft will develop software using memory-safe languages, including C#, Java, Rust, and Python. The company will expand its use of threat modeling and deploy CodeQL for code analysis for all of its commercial products.
The changes span the entire technology stack, from identity to the cloud. Microsoft will adopt standard identity libraries across all products, and signing keys will move to Azure’s hardened hardware-based security engine and confidential computing infrastructure.
The company said it would cut the time it takes to mitigate cloud vulnerabilities by 50% and take a stronger public stance against requiring third-party researchers to work under non-disclosure agreements.
Given the company’s significant market power, such a change in development policy could prompt other software and security companies to also accelerate the adoption of secure development practices, analysts said.
“One advantage of being Microsoft is that announcements have a huge ripple effect that depends on a huge number of customers and partners,” said Jeff Pollard, vice president and principal analyst at Forrester. “However, there is a clear marketing element to this given the recent vulnerabilities.”
Microsoft’s Secure Future Initiative is a significant step forward in cybersecurity. This initiative highlights the need to adapt to the ever-changing digital landscape and sets new standards for software development and cyber threat management.