Connect with us

Hi, what are you looking for?


Cloud Security

After Major Cloud Hacks, Microsoft Unveils ‘Secure Future Initiative’

In response to a spate of embarrassing hacks, Redmond pushes ‘Secure Future Initiative’ promising faster cloud patches, better management of identity signing keys and products with a higher default security bar.

NET vulnerability CVE-2023-38180 exploited

It’s deja vu all over again at Microsoft.

In a move that resembles the famous Trustworthy Computing push of yesteryear, Redmond is responding to a spate of embarrassing hacks with a new ‘Secure Future Initiative’ promising faster cloud patches, better management of identity signing keys and a commitment to ship software with a higher default security bar.

In a note announcing the new SFI approach, Microsoft Security vice president Charlie Bell said the software giant will revamp the age-old Software Development Lifecycle (SDL) to account for the latest trends in cyberattacks.

“The first priority is security by default,” Bell said, echoing the words of Microsoft founder Bill Gates in the seminal 2002 memo that documented the company’s mission to root out security problems that were leading to destructive Windows worm attacks.

Today, Microsoft is reeling from a major hack of its flagship M365 cloud platform, a compromise that led to the theft of U.S. government emails and prompted a U.S. senator to accuse Microsoft of “cybersecurity negligence.”

The M365 hack, caused by an embarrassing mismanagement of signing keys, is being investigated by the Department of Homeland Security’s Cyber Safety Review Board (CSRB).

“We have carefully considered what we see across Microsoft and what we have heard from customers, governments, and partners to identify our greatest opportunities to impact the future of security. We will focus on transforming software development,  implementing new identity protections, and driving faster vulnerability response,” Bell said.

More specifically, Microsoft plans to move identity signing keys to an integrated, hardened Azure HSM and confidential computing infrastructure where the signing keys are not only encrypted at rest and in transit, but also during computational processes as well. 

Advertisement. Scroll to continue reading.

“Key rotation will also be automated allowing high-frequency key replacement with no potential for human access, whatsoever,” Bell announced, a clear reference to how a crash dump error was exploited by a Chinese espionage group to steal emails from approximately 25 organizations.

Bell, who took control of security at Microsoft in 2021 after a stint running security at AWS, said the company will use AI to help automate threat modeling and adopt memory safe languages like Rust to build security at the language level and eliminate entire classes of traditional software vulnerabilities.

In a nod to the dangers of default cloud deployments that expose data to remote hackers, Bell said the SFI will move to implement Azure tenant baseline controls (99 controls across nine security domains) by default across our internal tenants automatically. 

He said the move will reduce engineering time spent on configuration management and ensure adherence and auto-remediation of settings in deployment. “Our goal is to move to 100 percent auto-remediation without impacting service availability,” Bell said.

The Microsoft Security vice president also promised to cut the time it takes to mitigate cloud vulnerabilities by 50 percent and “take a more public stance against third-party researchers being put under non-disclosure agreements by technology providers.” 

“Without full transparency on vulnerabilities, the security community cannot learn collectively—defending at scale requires a growth mindset. Microsoft is committed to transparency and will encourage every major cloud provider to adopt the same approach,” Bell declared.

Microsoft has itself faced intense criticism for its own approach to third-party vulnerability research of its cloud products and continues to struggle with faulty and incomplete patches and a surge in Windows zero-day attacks.

The company recently announced plans to expand logging defaults for lower-tier M365 customers and increase the duration of retention for threat-hunting data. 

Related: Crash Dump Error: How Chinese Hackers Exploited Microsoft’s Mistakes

Related: The Chaos (and Cost) of the Lapsus$ Hacking Carnage

Related: US Senator Accuses Microsoft of ‘Cybersecurity Negligence’

Related: Microsoft Cloud Hack Exposed More Than Emails

Related: Chinese APT Use Stolen Microsoft Key to Hack Gov Emails

Related: Microsoft Bows to Pressure to Free Up Cloud Security Logs

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

CISO Conversations

SecurityWeek talks to Billy Spears, CISO at Teradata (a multi-cloud analytics provider), and Lea Kissner, CISO at cloud security firm Lacework.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.