Microsoft overhauls cyber strategy to finally embrace security by default

Microsoft is overhauling its cybersecurity strategy, called the Secure Future Initiative, to incorporate key security features into its core set of technology platforms and cloud services. 

The plan follows a massive government and industry backlash to Microsoft after the state-linked email theft from the U.S. State Department. Microsoft came under fierce criticism from key members of Congress and federal officials who were concerned that the company was forcing federal agencies to rely on software products that lacked the necessary security features to protect against sophisticated attackers. 

The pushback related to the the State Department case was that Microsoft was upcharging customers for additional, important security features. 

Microsoft plans to enable secure default settings out of the box, so customers will not have to engage with multiple configurations to make sure a product is protected against hackers. 

For example, Microsoft will implement Azure baseline controls, which includes 99 controls across nine security domains, by default. 

“What is different now, is there has been a step change in the scale, speed and sophistication of the threat landscape, and we must meet that challenge,” Microsoft told Cybersecurity Dive in a statement. “Microsoft has been anticipating these steps and working toward them thoughtfully, given their scale and complexity.”

The Secure Future Initiative will include three major changes in its security development and response practices, according to a blog post by Charlie Bell, EVP at Microsoft Security: 

  • The company will transform the way it develops software using automation and AI. It will push to develop software that is secure by design and default, both in how the software is deployed and how it operates.
  • The company will evolve its security development lifecycle (SDL) into something it calls dynamic SDL. Microsoft will incorporate continuous integration and continuous delivery (CI/CD) into its product development process so capabilities evolve along with emerging threats. 

  • Microsoft will develop software using memory-safe languages, including C#, Java, Rust and Python. The company will expand the use of threat modeling and deploy CodeQL for code analysis for all of its commercial products. 

The changes span the full technology stack, from identity through cloud. Microsoft will enforce the use of standard identity libraries across all products, and signing keys will move to a hardened Azure hardware security module and confidential computing infrastructure. 

The company said it will reduce the time to mitigate cloud vulnerabilities by 50% and take a more forceful public stance on third-party researchers not being forced to operate under non-disclosure agreements. 

Given the company’s considerable market strength, such a change in development policies may encourage other software and security companies to accelerate their embrace of secure development practices, too, according to analysts. 

“One advantage of being Microsoft: Announcements have an enormous ripple effect based on the sheer number of customers and partners it has,” Jeff Pollard, VP and principal analyst at Forrester, said via email. “That said, there’s a clear marketing element to this considering recent vulnerabilities.”

As part of its security strategy overhaul, Microsoft said it is taking steps to better protect identities across all of its products. This will prevent adversary-in-the-middle attacks, token theft and other malicious hacking methods, the company said.

Microsoft plans to boost its use of AI in threat analysis, research and detection, according to Brad Smith, vice chair and president of the company. 

The company is calling for international reforms, including national commitments against planting vulnerabilities into key critical infrastructure providers, such as energy providers, hospitals, water facilities and food producers.