Microsoft has had a challenging year in cybersecurity, given the nature of the breaches it has suffered. The tech giant has been grappling with significant security breaches involving some of its most essential and widely used products.
Now, the company has admitted to failing in its cybersecurity efforts, as evidenced by several high-profile incidents. Among these breaches, Russian state-sponsored hackers managed to steal sensitive US government emails by compromising Microsoft’s corporate email accounts.
In another alarming event, a Chinese state-sponsored group breached Microsoft Exchange Online mailboxes, including those belonging to key figures such as Commerce Secretary Gina Raimondo, US Ambassador to China R. Nicholas Burns, and Congressman Don Bacon.
In response to these security lapses, Microsoft has declared that security is now its top priority. To back up this claim, the company has released an update on its Secure Future Initiative (SFI), a program launched in November 2023 to enhance Microsoft’s cybersecurity defenses significantly.
The SFI progress report outlines Microsoft’s steps to “prioritize security above all else.” These include substantial updates to governance, new programs for upskilling employees, and rigorous security reviews. The company is focusing on addressing its core pillars of cybersecurity, reflecting a commitment to fundamental changes in its approach to protecting user data and systems.
Over the past year, Microsoft has bolstered its governance framework by establishing a Cybersecurity Governance Council. This council, composed of Deputy Chief Information Security Officers (CISOs), regularly reviews all cybersecurity matters, including risk management, compliance, and defense strategies.
Microsoft has also tied executive compensation to security performance to ensure accountability, creating a strong incentive for leaders to focus on preventing errors and improving security outcomes. Additionally, the company has introduced a Security Skilling Academy designed to equip employees with the latest cybersecurity skills and knowledge.
Regarding specific cybersecurity measures, Microsoft has concentrated on six key pillars. These include enhancing identity and secret protection by improving token management and phishing resistance within its access management solution, Microsoft Entra ID. The company has also streamlined app lifecycle management and reduced the attack surface by removing inactive tenants, thereby improving tenant and production protection.
Network security has been strengthened by isolating specific virtual networks with backend connectivity, reducing the potential for lateral movement by attackers.
Furthermore, Microsoft has implemented stricter admin rules for Azure Storage, SQL, Cosmos DB, and Key Vault to assist customers in securing their data. The Secure Future Initiative has also seen 85% of Microsoft’s production build pipelines for commercial cloud services come under centralized governance.
Personal Access Tokens have been limited to seven days, and the software development cycle has been enhanced with additional security checks. Elevated roles with access to engineering systems have been reduced, further safeguarding critical infrastructure.
Microsoft has introduced standardized security audit logs and centralized log management to improve threat detection and monitoring, now covering 99 percent of network devices. The company has also committed to enhancing transparency and reducing the time needed to address common vulnerabilities and exposures (CVEs) across its cloud infrastructure. This includes updating processes and establishing the Customer Security Management Office to better communicate with customers during security incidents.
Despite these efforts, Microsoft acknowledges that the work remains to be completed. Charlie Bell, Executive Vice President of Microsoft Security, emphasized that cyber threats continually evolve, and Microsoft must evolve in tandem. The company is fostering a culture of continuous learning and improvement, aiming to make security a feature and the foundation of its operations going forward.