December 5, 2023

Microsoft has introduced its Secure Future Initiative, the company's latest effort to address serious security issues.

Microsoft's security reputation has taken a beating in recent years, with a hack that compromised US government email addresses being the straw that broke the camel's back. To make matters worse, Amit Yoran, CEO of security firm Tenable, blasted the company's Azure security as "grossly irresponsible."

It appears Microsoft is finally working to address both the problem and its reputation with its new initiative, which was revealed in an internal company memo from company President Brad Smith:

Satya Nadella, Microsoft Chief Executive Officer; Rajesh Jha, Microsoft Executive Vice President, Experiences and Devices; Scott Guthrie, Microsoft Executive Vice President, Cloud and AI; and I have put significant thought into how we should anticipate and adapt to the increasingly more sophisticated cyberthreats. We have carefully considered what we see across Microsoft and what we have heard from customers, governments, and partners to identify our greatest opportunities to impact the future of security. As a result, we have committed to three specific areas of engineering advancement we will add to our journey of continually improving the built-in security of our products and platforms. We will focus on 1. transforming software development, 2. implementing new identity protections, and 3. driving faster vulnerability response.

Smith goes on to outline the company's plan, which will rely heavily on artificial intelligence and automation to improve the software development process, as well as increase the use of memory safe languages:

This means we are going to use the concept of continuous integration and continuous delivery (CI/CD) to continuously integrate protections against emerging patterns as we code, test, deploy, and operate. Think of it as continuous integration and continuous security.

We will accelerate and automate threat modeling, deploy CodeQL for code analysis to 100% of commercial products, and continue to expand Microsoft's use of memory safe languages (such as C#, Python, Java, and Rust), building security in at the language level and eliminating whole classes of traditional software vulnerability.

Smith also says the company will enable safer defaults:

We all realize no enterprise has the luxury of jettisoning legacy infrastructure. At the same time, the security controls we embed in our products, such as multifactor authentication, must scale where our customers need them most to provide protection. We will implement our Azure tenant baseline controls (99 controls across 9 security domains) by default across our internal tenants automatically. This will reduce engineering time spent on configuration management, ensure the highest security bar, and provide an adaptive model where we add capability based on new operational learning and emerging adversary threats. In addition to these defaults, we will ensure adherence and auto-remediation of settings in deployment. Our goal is to move to 100% auto-remediation without impacting service availability.

Microsoft will work to continue improving identity management in an effort to combat identity-focused espionage:

We will enforce the use of standard identity libraries (such as Microsoft Authentication Library) across all of Microsoft, which implement advanced identity defenses like token binding, continuous access evaluation, advanced application attack detections, and additional identity logging support. Because these capabilities are critical for all applications our customers use, we are also making these advanced capabilities freely available to non-Microsoft application developers through these same libraries.

To stay ahead of bad actors, we are moving identity signing keys to an integrated, hardened Azure HSM and confidential computing infrastructure. In this architecture, signing keys are not only encrypted at rest and in transit, but also during computational processes as well. Key rotation will also be automated, allowing high-frequency key replacement with no potential for human access whatsoever.

Finally, Smith says Microsoft will rely on AI to improve vulnerability response time:

Finally, we are continuing to push the envelope in vulnerability response and security updates for our cloud platforms. As a result of these efforts, we plan to cut the time it takes to mitigate cloud vulnerabilities by 50 percent. We are able to achieve this because of our long investment and learnings in automation, monitoring, safe deployment, and AI-driven tools and processes. We will also take a more public stance against third-party researchers being put under non-disclosure agreements by technology providers. Without full transparency on vulnerabilities, the security community cannot learn together; defending at scale requires a growth mindset. Microsoft is committed to transparency and will encourage every major cloud provider to adopt the same approach.

It remains to be seen if Microsoft can deliver on its promise, but it is a promising sign that the company's executives see the need to do something different.