Microsoft’s New Security Memo
Microsoft is rolling out an array of major changes to its software engineering process aimed at improving the security of its widely used platforms, the company announced Thursday. In a pair of blog posts, top executives from the Redmond, Wash.-based tech giant outlined updates that are meant to enable its software to be secure by default while also improving key areas such as identity security and cloud vulnerability mitigation. The changes are a part of Microsoft’s newly announced Secure Future Initiative, the company said.
While the new initiative also aims to use AI in a bigger way to address evolving cyberthreats, the changes around Microsoft’s software engineering will potentially impact the company’s largest platforms including Azure, Windows and Office 365.
The changes come just a few months after a high-profile Microsoft cloud breach that impacted U.S. government email accounts, and prompted an inquiry into Microsoft’s security practices by U.S. Sen. Ron Wyden. Separately, industry executives including Tenable CEO Amit Yoran have recently accused Microsoft of responding slowly and inadequately to vulnerability disclosures. And federal cybersecurity officials such as CISA Director Jen Easterly have slammed Microsoft’s monthly “Patch Tuesday” software release, which typically reveals scores of vulnerabilities, saying it represents the opposite of a “secure by default” approach to software development.
‘New Standard For Security’
In one of the blog posts announcing the changes Thursday, Microsoft President Brad Smith wrote that its new initiative will “bring together every part of Microsoft to advance cybersecurity protection.” The initiative will set “a new standard for security” at Microsoft through evolving “the way we design, build, test, and operate our technology,” Smith said.
In the second post, Microsoft’s top security executive, Executive Vice President Charlie Bell, wrote that “a more secure future will require new advances in fundamental software engineering.”
Notably, Bell’s blog post references Bill Gates’ famous 2002 memo on “Trustworthy Computing,” in which Gates committed Microsoft to bringing a stronger focus on the security of its products. Bell included one of Gates’ lines from the memo: “If we don’t do this, people simply won’t be willing — or able — to take advantage of all the other great work we do.” For Microsoft, Bell wrote, that notion “still holds true over two decades later.”
What follows are five big Microsoft changes meant to improve its security.
Enabling ‘Secure By Default’ Software Development
Microsoft’s software development lifecycle (SDL) approach, Smith wrote, is now going to evolve into what the company is calling “dynamic SDL.” The new approach — which will be powered in part by increased usage of automation and AI — will “continuously integrate cybersecurity protection against emerging threat patterns as our engineers code, test, deploy, and operate our systems and services,” he wrote.
Bell wrote that AI-powered “dynamic SDL” will enable Microsoft to “deliver software that is secure by design, by default, and in deployment.”
“Our goal is to accelerate the deployment of CodeQL integrated with GitHub Copilot learnings,” Bell wrote, referring to Microsoft-owned GitHub’s generative AI coding assistant tool.
“Principles like the Security Development Lifecycle will continue to guide our software supply chain, while we expand automation and build with memory safe languages,” Bell wrote. “We will also use threat modeling and Code QL as complementary techniques to identify and mitigate security risks and vulnerabilities in our products and services. We will use Code QL to perform static and dynamic code analysis, helping our teams find and fix bugs in our code at AI speed and scale.”
Microsoft does still plan to keep SDL “front and center,” but the company will “continue expanding [its] use of memory safe languages (MSLs) in our products whenever possible, so that we keep building security in at the language level, helping to eliminate classes of traditional software vulnerabilities.”
Expansion Of Default MFA Settings
Another update from Microsoft is that the company plans to “enable customers with more secure default settings for Multi-Factor Authentication (MFA) out-of-the-box.” This expansion — which will take place “over the next year” — will bring Microsoft’s “current default policies to a wider band of customer services,” Smith (pictured) wrote.
In his post, Bell said that Microsoft has concluded that when it comes to MFA, which is considered more secure than typical password-only authentication, the practice “must scale where our customers need them most to provide protection.”
“Over the past year, we have learned a great deal from customers in the process of making MFA on by default for new customers, for example,” he wrote. “To continue the identity example – those learnings and communications with customers helped pave the way for our introduction of wider MFA default policies for wider bands of customer tenants. By focusing on communications as well as engineering – explaining where we were focused on defaults and how customers benefit – we achieved more durable security for our customers.”
Additionally, Bell noted that MFA “is just one area of defaults for us” — adding that “over the next year you will see us accelerate security defaults.”
Faster Cloud Vulnerability Mitigation
As part of the new security initiative announced Thursday, Microsoft will be “pushing the envelope in vulnerability response and security updates for our cloud platforms,” Smith wrote in his blog post. Notably, Microsoft plans to “cut the time it takes to mitigate cloud vulnerabilities by 50 percent,” he wrote.
The company also plans to “take new steps to ensure more transparent reporting by Microsoft and will encourage more transparent reporting in a more consistent manner across the tech sector,” he wrote.
Bell added in his post that “we are in a position to achieve this because of our investment and learnings in automation, orchestration, and intelligence-driven tools and processes.”
Improved Identity Protection
Microsoft executives said in the announcements Thursday that it will “strengthen” the identity protection capabilities in its products, amid the surge in identity-based attacks. Bell described the move as Microsoft adopting a “new identity system.” The new system, he wrote, “will provide a unified and consistent way of managing and verifying the identities and access rights of our users, devices, and services, across all our products and platforms.”
Microsoft also plans to “make these advanced capabilities freely available to non-Microsoft application developers,” Smith wrote in his blog post.
Confidential Computing Migration
As part of boosting its identity security, Microsoft will also move its identity platforms into confidential computing infrastructure. Confidential computing provides hardware-based isolation of data while it’s in use, reducing the risk of compromise due to the decryption of data for usage.
“In this architecture, data governing identities is encrypted not only at rest and transit but during computational processes as well,” Bell wrote in his post. “This means that even if an attacker gets through our layered defenses in the course of targeting encryption keys, the key data is designed to be inaccessible within automated systems that do not require human touch.”