In November 2023, we introduced the Secure Future Initiative (SFI) to advance cybersecurity protection for Microsoft, our customers, and the industry. By May 2024, we expanded the initiative to focus on six key security pillars, incorporating industry feedback and our own insights. Since the initiative began, we’ve dedicated the equivalent of 34,000 full-time engineers to SFI — making it the largest cybersecurity engineering effort in history. Today, we’re sharing key updates and milestones from the first SFI Progress Report.
A FOCUS ON SECURITY ABOVE ALL ELSE
At Microsoft, we recognize our unique responsibility in safeguarding the future for our customers and community. Every individual at Microsoft plays a pivotal role in prioritizing security above all else. We’ve made significant progress in fostering a security-first culture. To improve governance, we announced the creation of a new Cybersecurity Governance Council and the appointment of deputy chief information security officers (CISOs) for key security functions and all engineering divisions. Led by our CISO Igor Tsyganskiy, the deputy CISOs form the Cybersecurity Governance Council and are responsible for the company’s overall cyber risk, defense, and compliance.
Security is now a core priority for all employees at Microsoft and will be included in their performance reviews. This empowers every employee and manager to commit to — and be accountable for — prioritizing security. We also launched the Security Skilling Academy, a personalized learning experience of security-specific, curated trainings for all employees worldwide. The academy ensures that no matter the role, employees are equipped to prioritize security in their daily work and identify the direct part they have in securing Microsoft. To ensure accountability and transparency at the highest levels, Microsoft’s senior leadership team reviews SFI progress weekly and updates are provided to Microsoft’s board of directors quarterly. Additionally, Microsoft’s senior leadership team now has security performance directly linked to compensation.
A COMPREHENSIVE APPROACH TO CYBERSECURITY
We’ve also made progress across our six key pillars, each representing a critical area of cybersecurity focus. These pillars guide our ongoing work to raise the bar for security across Microsoft and help us meet the evolving demands of the security landscape.
In protecting identities and secrets, we completed updates to Microsoft Entra ID and Microsoft Account for our public and US government clouds to generate, store, and automatically rotate access token signing keys using the Azure Managed Hardware Security Module service. We have continued to drive broad adoption of our standard identity software development kits (SDKs), which provide consistent validation of security tokens. This standardized validation now covers more than 73% of tokens issued by Microsoft Entra ID for Microsoft-owned applications. We have extended standardized security token logging in our standard identity SDKs to support threat hunting and detections and enabled those in several critical services ahead of broad adoption. We completed enforcement of the use of phishing-resistant credentials in our production environments and implemented video-based user verification for 95% of Microsoft internal users in our productivity environments to eliminate password sharing during setup/recovery.
In protecting tenants and isolating production systems, we completed a full iteration of app lifecycle management for all our production and productivity tenants, eliminating 730,000 unused apps. We eliminated 5.75 million inactive tenants, drastically reducing the potential attack surface. We implemented a new system to streamline the creation of testing and experimentation tenants with secure defaults and strict lifetime management enforced. We have deployed over 15,000 new production-ready locked-down devices in the last three months.
In protecting networks, over 99% of physical assets on the production network are recorded in a central inventory system, which enriches asset inventory with ownership and firmware compliance tracking. Virtual networks with backend connectivity are isolated from the Microsoft corporate network and subject to complete security reviews to reduce lateral movement. To help customers secure their own deployments, we have expanded platform capabilities such as Admin Rules to ease the network isolation of platform as a service (PaaS) resources such as Storage, SQL, Cosmos DB, and Key Vault.
In protecting engineering systems, 85% of our production build pipelines for the commercial cloud are now using centrally governed pipeline templates, making deployments more consistent, efficient, and trustworthy. We have shortened the lifespan of Personal Access Tokens to seven days, disabled Secure Shell access for all Microsoft internal engineering repos, and significantly reduced the number of elevated roles with access to engineering systems. We also implemented proof of presence checks for critical chokepoints in our software development code flow.
In monitoring and detecting threats, we have made significant progress enforcing that all Microsoft production infrastructure and services adopt standard libraries for security audit logs, to ensure relevant telemetry is emitted, and retain logs for a minimum of two years. For instance, we have established central management and a two-year retention period for identity infrastructure security audit logs, encompassing all security audit events throughout the lifecycle of current signing keys. Similarly, over 99% of network devices are now enabled with centralized security log collection and retention.
In accelerating response and remediation, we updated processes across Microsoft to improve Time to Mitigate for critical cloud vulnerabilities. We began publishing critical cloud vulnerabilities as Common Vulnerabilities and Exposures (CVEs), even if no customer action is required, to improve transparency. We established the Customer Security Management Office to improve public messaging and customer engagement for security incidents.
THE PHILIPPINES AND MICROSOFT’S SFI
The Philippines, with its rapidly growing digital economy, has seen a significant rise in cybersecurity threats. As businesses and consumers increasingly rely on digital platforms, the need for robust cybersecurity measures has never been more critical. The Philippine government has been proactive in addressing these challenges, with initiatives such as the National Cybersecurity Plan 2022, which aims to protect the country’s critical information infrastructure, government networks, and individuals from cyber threats.
Microsoft’s SFI aligns well with these local efforts, providing advanced security solutions that can help Filipino businesses and government agencies safeguard their digital assets. The Security Skilling Academy, for instance, can play a crucial role in upskilling the local workforce, ensuring that employees are well-equipped to handle cybersecurity challenges. Additionally, the focus on protecting identities and secrets is particularly relevant in the Philippines, where digital financial services are rapidly expanding.
REAFFIRMING OUR SECURITY COMMITMENT
At Microsoft, we prioritize consistent progress in security over perfection. This is evident in the extensive resources dedicated to our Secure Future Initiative, which ensures product security from inception through deployment and ongoing use.
SFI is built on three core principles: Secure by Design, Secure by Default, and Secure Operations. Secure by Design emphasizes that security is prioritized from the very beginning of the design process for any product or service. Secure by Default ensures that security protections are enabled and enforced by default, requiring no extra effort from users and making them non-optional. Lastly, Secure Operations focuses on the continuous improvement of security controls and monitoring to address current and future threats. These principles guide our product teams, who adopt the Microsoft Security Development Lifecycle to reduce vulnerabilities and enhance security.
Our efforts focus on increasing protection, eliminating noncompliant assets, and improving monitoring. We are committed to continuous improvement, transparency, and industry collaboration. This year, we supported the US Cybersecurity and Infrastructure Security Agency’s Secure by Design pledge and integrated recommendations from the Cyber Safety Review Board.
The work we’ve done so far is only the beginning. We know that cyberthreats will continue to evolve, and we must evolve with them. By fostering this culture of continuous learning and improvement, we are building a future where security is not just a feature, but a foundation.
Peter Maquera is the chief executive officer of Microsoft Philippines.