
Microsoft’s biggest security transformation ever detailed in new report

Microsoft made security its No. 1 priority for every employee earlier this year, following years of security issues and a scathing report from the U.S. Cybersecurity Review Board. Roughly six months after Microsoft CEO Satya Nadella told the entire company that security should be a top priority, the software giant has provided a report on its progress.

Microsoft launched its Secure Future Initiative (SFI) in November 2023, just a few months before the U.S. Cybersecurity Review Board concluded that “Microsoft’s security culture is deficient and in need of an overhaul.” This scathing review spurred Microsoft into action, and the company announced today that it has the equivalent of 34,000 full-time engineers working on its SFI, making it the largest cybersecurity engineering effort within Microsoft.

Every Microsoft employee is now evaluated on their security efforts, after the company tied security efforts to employee performance reviews last month. Microsoft has also completed a number of improvements to its security processes as a result of SFI in recent months.

Microsoft has updated its Entra ID and Microsoft Account (MSA) systems to generate, store, and automatically rotate access token signing keys using the Azure-managed hardware security module. It has also eliminated 5.75 million inactive tenants to reduce attack surfaces. Microsoft is also now using a new test system with secure defaults to prevent legacy systems from causing security issues in the future.

Microsoft now tracks over 99% of its physical network in a centralized inventory system that helps with firmware compliance and logging. Microsoft has also improved audit logs to retain logs for at least two years.

Personal access tokens for engineering teams within Microsoft have now been reduced to just seven days, SSH access has been disabled for all internal engineering repositories, and the number of groups with access to key engineering systems has been reduced.

Microsoft has been criticized in the past for taking too long to respond to security issues, and the company now publishes CVEs “even when no customer action is required to increase transparency.”

Transforming Microsoft’s engineering processes and security culture is no easy task, especially when you consider that the company has 100,000 engineers, designers, and project managers working on more than 500,000 work items every day and 5 million builds every month.

Microsoft is implementing new standards using a “Start Right, Stay Right, and Get It Right” approach. “Start Right” ensures projects comply with security standards using templates, policies, and self-service tools. “Stay Right” then ensures that projects are monitoring and implementing the relevant policy. The final piece is “Get It Right,” designed for Microsoft to monitor compliance status.

The software giant also created a new Cybersecurity Governance Council and appointed 13 deputy CISOs, four of whom are new to Microsoft:

  • Damon Becknel, vice president and deputy CISO, regulated industries: Becknel joined Microsoft in July after serving as CISO at ID.me and Horizon Blue Cross Blue Shield.
  • Geoff Belknap, corporate vice president and deputy CISO, core and mergers and acquisitions: Belknap previously served as CISO at Microsoft-owned LinkedIn, as well as CISO at Slack and CSO at Palantir.
  • Shawn Bowen, vice president and deputy CISO for the gaming industry: Bowen spent 27 years in engineering and security roles, including serving as CISO at World Kinect and U.S. Marine Corps Intelligence.
  • Timothy Langan, corporate vice president and deputy government CISO: Before joining Microsoft in July, Langan spent more than 26 years at the FBI, overseeing cyber, criminal investigations and other operations at the U.S. agency.

The other nine deputy CISOs are a diverse group of senior Microsoft executives with decades of experience at the company, including technical fellow Mark Russinovich, who was appointed deputy CISO for Azure in addition to his current role as Azure CTO. Microsoft’s senior leadership team now reviews SFI progress weekly and provides quarterly updates on progress to the Microsoft board.

Finally, Microsoft launched a security skills academy in July that includes training for all employees to reinforce the “importance of security in daily operations.” This ongoing training, the performance reviews, and oversight from Microsoft’s senior leadership team put more pressure on employees than ever to focus on security, but Microsoft still has a long way to go to restore trust and move past the headlines about its security record.

“Our commitment to transparency and industry collaboration is unwavering,” says Charlie Bell, Microsoft’s head of security. “By fostering a culture of continuous learning and improvement, we are building a future where security is a foundation, not just a feature.”