After Major Cloud Hacks, Microsoft Unveils ‘Secure Future Initiative’

In response to a spate of embarrassing hacks, Redmond pushes ‘Secure Future Initiative’ promising faster cloud patches, better management of identity signing keys and products with a higher default security bar.

It’s deja vu all over again at Microsoft.

In a move that resembles the famous Trustworthy Computing push of yesteryear, Redmond is responding to a spate of embarrassing hacks with a new ‘Secure Future Initiative’ promising faster cloud patches, better management of identity signing keys and a commitment to ship software with a higher default security bar.

In a note announcing the new SFI approach, Microsoft Security vice president Charlie Bell said the software giant will revamp the age-old Software Development Lifecycle (SDL) to account for the latest trends in cyberattacks.

“The first priority is security by default,” Bell said, echoing the words of Microsoft founder Bill Gates in the seminal 2002 memo that documented the company’s mission to root out security problems that were leading to destructive Windows worm attacks.

Today, Microsoft is reeling from a major hack of its flagship M365 cloud platform, a compromise that led to the theft of U.S. government emails and prompted a U.S. senator to accuse Microsoft of “cybersecurity negligence.”

The M365 hack, caused by an embarrassing mismanagement of signing keys, is being investigated by the Department of Homeland Security’s Cyber Safety Review Board (CSRB).

“We have carefully considered what we see across Microsoft and what we have heard from customers, governments, and partners to identify our greatest opportunities to impact the future of security. We will focus on transforming software development, implementing new identity protections, and driving faster vulnerability response,” Bell said.

More specifically, Microsoft plans to move identity signing keys to an integrated, hardened Azure HSM and confidential computing infrastructure where the signing keys are encrypted not only at rest and in transit but also during computational processes.

“Key rotation will also be automated allowing high-frequency key replacement with no potential for human access, whatsoever,” Bell announced, a clear reference to how a crash dump error was exploited by a Chinese espionage group to steal emails from approximately 25 organizations.

Bell, who took control of security at Microsoft in 2021 after a stint running security at AWS, said the company will use AI to help automate threat modeling and adopt memory-safe languages like Rust to build security at the language level and eliminate entire classes of traditional software vulnerabilities.

In a nod to the dangers of default cloud deployments that expose data to remote hackers, Bell said the SFI will automatically implement Azure tenant baseline controls (99 controls across nine security domains) by default across Microsoft's internal tenants.

He said the move will reduce engineering time spent on configuration management and ensure adherence and auto-remediation of settings in deployment. “Our goal is to move to 100 percent auto-remediation without impacting service availability,” Bell said.

The Microsoft Security vice president also promised to cut the time it takes to mitigate cloud vulnerabilities by 50 percent and “take a more public stance against third-party researchers being put under non-disclosure agreements by technology providers.” 

“Without full transparency on vulnerabilities, the security community cannot learn collectively—defending at scale requires a growth mindset. Microsoft is committed to transparency and will encourage every major cloud provider to adopt the same approach,” Bell declared.

Microsoft has itself faced intense criticism for its own approach to third-party vulnerability research of its cloud products and continues to struggle with faulty and incomplete patches and a surge in Windows zero-day attacks.

The company recently announced plans to expand logging defaults for lower-tier M365 customers and increase the duration of retention for threat-hunting data. 

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
