Microsoft Announces Cybersecurity Overhaul Following Critical Government Report

In response to a scathing US government report criticizing Microsoft’s weak cybersecurity practices and corporate culture, security chief Charlie Bell is pledging significant reforms and a strategic shift to prioritize security above all other product features.

“This is job number one for us,” Bell said in his first public comments since the Cyber Safety Review Board (CSRB) highlighted “a cascade of avoidable Microsoft errors” leading to a major APT attack. “We must and will do more. We are making security our top priority at Microsoft, above all else — over all other features,” Bell declared, announcing plans to add Deputy CISOs to each product team and link senior leaders’ paychecks to progress on security goals.

Engineering teams across Microsoft Azure, Windows, Microsoft 365, and Security have initiated “engineering waves” to prioritize security enhancements within the expanded Secure Future Initiative (SFI). This initiative promises faster cloud patches, improved identity signing key management, and products with a higher default security bar.

Bell, who took over security at Microsoft in 2021 after leading security at AWS, stated that Microsoft will adopt recommendations from the CSRB report and add technical controls to reduce unauthorized access and secure its corporate infrastructure. This includes implementing state-of-the-art standards for identity and secrets management, hardware-protected key rotations, and phishing-resistant multi-factor authentication for all user accounts.

Additionally, Microsoft commits to enhancing network and tenant environment protection, eliminating entity lateral movement pivots, and ensuring secure device access to Microsoft tenants. The new strategy also focuses on bolstering protection for Microsoft’s production networks and systems through improved isolation, monitoring, inventory, and operations.

Furthermore, Microsoft plans to maintain an inventory of software assets used in its products and services, securing access to source code and engineering systems infrastructure through Zero Trust and least-privilege access policies.
