Microsoft has shared an update on its Secure Future Initiative (SFI), an ambitious program to enhance cybersecurity measures for Microsoft, its customers, and the broader industry. First launched in November 2023 and substantially expanded in May 2024, the initiative now encompasses six core security pillars designed to address contemporary cyber threats.
In total, Microsoft has allocated the equivalent of 34,000 full-time engineers to SFI, making it one of the largest cybersecurity engineering efforts in history. Microsoft has long recognized its unique responsibility to ensure a secure environment for its users. This commitment is reflected in the company’s directive that every employee must “prioritize security above all else.”
Recent developments include the establishment of the Cybersecurity Governance Council, guided by Chief Information Security Officer (CISO) Igor Tsyganskiy. This council comprises Deputy Chief Information Security Officers (Deputy CISOs) across key functions and engineering divisions, ensuring comprehensive oversight of Microsoft’s cyber risk, defense, and compliance.
To further embed security into its organizational framework, Microsoft has integrated security as a core priority within employee performance reviews. This shift empowers all employees and managers to actively engage in security measures, fostering accountability and recognizing contributions to the SFI.
Additionally, Microsoft launched the Security Skilling Academy, offering personalized, security-focused training for employees worldwide. This initiative equips staff with the necessary tools to prioritize security in their roles, reinforcing the idea that everyone plays a part in safeguarding Microsoft.
To ensure transparency and accountability, the senior leadership team at Microsoft reviews SFI progress every week, providing quarterly updates to the Board of Directors. Notably, security performance is now directly linked to executive compensation.
Pillar Highlights: A Multi-Faceted Approach
The Secure Future Initiative is organized around six pillars: protecting identities and secrets, protecting tenants and isolating production systems, protecting networks, protecting engineering systems, monitoring and detecting threats, and accelerating response and remediation. The progress summarized below follows the pillars in that order.
New updates have been made to Microsoft Entra ID and Microsoft Account (MSA) within both public and U.S. government clouds. These enhancements focus on improving the generation, storage, and automatic rotation of access token signing keys via the Azure Managed Hardware Security Module (HSM) service.
Additionally, more than 73% of tokens issued by Microsoft Entra ID to Microsoft-owned applications are now validated through standard identity SDKs rather than bespoke code, which gives consistent validation behaviour and better telemetry for threat detection and hunting. Phishing-resistant credentials are now mandatory in Microsoft’s production environments, and video-based user verification has been rolled out to 95% of internal users.
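The practical consequence of automatic signing-key rotation is on the relying-party side: any service that validates Entra ID tokens must look the signing key up by the token's `kid`, refresh its cached key set when it sees a key it does not know, and still enforce algorithm, issuer, audience and expiry checks rather than trusting the token header. The following Go program is an added example written for this article, not Microsoft's code or an identity SDK; it generates two local RSA keys to simulate a rotation, and the issuer URL, audience, `kid` values and the `refresh` callback (which in production would fetch the JWKS document from the issuer's OpenID discovery endpoint) are all assumptions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Minimal JWT header and claims used by this example.
type header struct {
	Alg string `json:"alg"`
	Kid string `json:"kid"`
}

type claims struct {
	Iss string `json:"iss"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
	Sub string `json:"sub"`
}

// KeySet stands in for a cached JWKS: public keys indexed by kid, plus a refresh
// callback invoked once when an unknown kid appears (assumed; a real client would
// fetch the issuer's JWKS URL here and rate-limit refreshes to resist flooding).
type KeySet struct {
	keys    map[string]*rsa.PublicKey
	refresh func() map[string]*rsa.PublicKey
}

func enc(v interface{}) string {
	b, _ := json.Marshal(v)
	return base64.RawURLEncoding.EncodeToString(b)
}

// Sign produces an RS256 JWT carrying the given kid. Only the issuer does this.
func Sign(priv *rsa.PrivateKey, kid string, c claims) string {
	input := enc(header{Alg: "RS256", Kid: kid}) + "." + enc(c)
	sum := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, sum[:])
	if err != nil {
		panic(err)
	}
	return input + "." + base64.RawURLEncoding.EncodeToString(sig)
}

// Verify checks a token the way a relying party should: algorithm pinned to an
// allow-list, key chosen by kid (refreshing once on a miss so rotation does not
// cause outages), signature verified, then issuer, audience and expiry checked.
func Verify(tok string, ks *KeySet, wantIss, wantAud string, now time.Time) (*claims, error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hb, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var h header
	if err := json.Unmarshal(hb, &h); err != nil {
		return nil, err
	}
	if h.Alg != "RS256" { // never let the token pick the algorithm ("none", HS256 confusion)
		return nil, fmt.Errorf("unsupported alg %q", h.Alg)
	}
	pub, ok := ks.keys[h.Kid]
	if !ok && ks.refresh != nil {
		ks.keys = ks.refresh() // rotation: pick up the newly published key once
		pub, ok = ks.keys[h.Kid]
	}
	if !ok {
		return nil, fmt.Errorf("unknown kid %q", h.Kid)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	sum := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, sum[:], sig); err != nil {
		return nil, errors.New("bad signature")
	}
	cb, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c claims
	if err := json.Unmarshal(cb, &c); err != nil {
		return nil, err
	}
	if c.Iss != wantIss {
		return nil, fmt.Errorf("issuer %q not trusted", c.Iss)
	}
	if c.Aud != wantAud {
		return nil, fmt.Errorf("audience %q mismatch", c.Aud)
	}
	if now.Unix() >= c.Exp {
		return nil, errors.New("token expired")
	}
	return &c, nil
}

// Demo runs a rotation scenario with locally generated keys (constructed data, not
// Microsoft's keys or endpoints) and reports which checks behaved as intended.
func Demo() (oldOK, rotatedOK, retiredRejected, algNoneRejected bool) {
	k1, _ := rsa.GenerateKey(rand.Reader, 2048)
	k2, _ := rsa.GenerateKey(rand.Reader, 2048)
	iss, aud := "https://login.example.test/tenant-id/v2.0", "api://example-app" // assumed values
	now := time.Now()
	c := claims{Iss: iss, Aud: aud, Exp: now.Add(time.Hour).Unix(), Sub: "user-1"}
	ks := &KeySet{ // cache knows only kid-1; refresh returns the post-rotation set
		keys:    map[string]*rsa.PublicKey{"kid-1": &k1.PublicKey},
		refresh: func() map[string]*rsa.PublicKey { return map[string]*rsa.PublicKey{"kid-2": &k2.PublicKey} },
	}
	_, err1 := Verify(Sign(k1, "kid-1", c), ks, iss, aud, now)
	_, err2 := Verify(Sign(k2, "kid-2", c), ks, iss, aud, now) // unknown kid triggers refresh
	_, err3 := Verify(Sign(k1, "kid-1", c), ks, iss, aud, now) // kid-1 no longer published
	_, err4 := Verify("eyJhbGciOiJub25lIn0.e30.", ks, iss, aud, now) // {"alg":"none"} header
	return err1 == nil, err2 == nil, err3 != nil, err4 != nil
}

func main() {
	a, b, c, d := Demo()
	fmt.Println("old key:", a, "rotated key:", b, "retired key rejected:", c, "alg none rejected:", d)
}
```

The point of the third call is the one teams most often miss: once the issuer stops publishing a key, tokens signed with it must fail, so the refreshed set replaces the cache rather than being merged into it.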
Microsoft has streamlined its app lifecycle management, successfully removing 730,000 unused applications and 5.75 million inactive tenants. This proactive approach significantly reduces potential attack surfaces. Alongside this, new systems for managing testing and experimentation environments have been established, complemented by the deployment of over 15,000 production-ready locked-down devices.
Over 99% of physical assets in the production network are now cataloged in a centralized inventory system, enhancing asset ownership and firmware compliance tracking. Virtual networks with backend connectivity are rigorously isolated from the corporate network, effectively minimizing lateral movement risks. Microsoft has also rolled out new platform capabilities to assist customers in securing their deployments.
To increase consistency and reliability, 85% of production pipelines for the commercial cloud now utilize centrally governed templates. Additional security measures include a reduction in the lifespan of Personal Access Tokens, the disabling of Secure Shell (SSH) access for internal engineering repositories, and the implementation of proof of presence checks at critical points in the software development process.
Microsoft has made significant progress in enforcing standard libraries for security audit logs across all production infrastructure. This ensures that relevant telemetry is emitted and retained for a minimum of two years. Additionally, centralized security log collection has been established for over 99% of network devices, greatly enhancing threat monitoring capabilities.
To improve response times for critical cloud vulnerabilities, Microsoft has implemented enhanced processes that decrease the Time to Mitigate. The company has begun publishing critical cloud vulnerabilities as Common Vulnerabilities and Exposures (CVEs), fostering greater transparency in its cybersecurity efforts. Moreover, the establishment of the Customer Security Management Office (CSMO) aims to enhance public communication and customer engagement during security incidents.
Conclusion
Microsoft’s approach to cybersecurity emphasizes consistent progress over the pursuit of perfection. The resources mobilized for the SFI reflect a dedicated effort to continually enhance protective measures, eliminate outdated assets, and identify areas requiring closer monitoring.
Microsoft is committed to adapting its strategies and practices. Earlier in 2024, the company reaffirmed its dedication to cybersecurity by becoming a major supporter of the United States Cybersecurity and Infrastructure Security Agency’s (CISA) Secure by Design pledge.
This initiative aims to embed security into every facet of product development. Furthermore, Microsoft is actively integrating recommendations from the Cyber Safety Review Board (CSRB) to upgrade its cybersecurity framework.