Keeping Privacy and Encryption Safe with the Microsoft Secure Future Initiative: A Review of Microsoft’s First Open Data Platforms and Cloud Security Initiative

The platforms that protect encryption keys are being reviewed by Microsoft. Chinese hackers breached US government emails after stealing signing keys that allowed them to break into dozens of email inboxes earlier this year.

Microsoft is now announcing a huge cybersecurity effort, dubbed the Secure Future Initiative (SFI). Microsoft wants to change the way it operates its software and services. It’s the biggest change to security efforts within Microsoft since the introduction of the Security Development Lifecycle after a huge worm attack knocked PCs offline in 2003 That push came just two years after co-founder Bill Gates had called on a trustworthy computing initiative in an internal memo.

Microsoft now plans to use automation and AI during software development to improve the security of its cloud services, cut the time it takes to fix cloud vulnerabilities, enable better security settings out of the box, and harden its infrastructure to protect against encryption keys falling into the wrong hands.

Bell said that they plan to reduce the time it takes to mitigate vulnerable clouds by 50 percent. “We are in a position to achieve this because of our investment and learnings in automation, orchestration, and intelligence-driven tools and processes.” Microsoft can shorten the industry window for security fixes from ninety days to 45 days, which is a great start to their new security initiative.

“To stay ahead of bad actors, we are moving identity platforms to confidential computing infrastructure that we helped pioneer,” says Bell. “In this architecture, data governing identities is encrypted not only at rest and transit but during computational processes as well. This means that the key data is impossible to access within automated systems, even if an attacker manages to get through the layers of defense.

Microsoft is focused on improving the security default. Smith says that customers will be able to change their default settings out-of-the-box over the next year. “This will expand our current default policies to a wider band of customer services, with a focus on where customers need this protection the most.”

In September, cybersecurity research firm Wiz disclosed that 38TB of data had accidentally been exposed by Microsoft AI researchers thanks to an Azure feature called SAS tokens. According to researchers at the time, it’s very difficult to manage and withdraw Account SAS token. Microsoft doesn’t specifically mention SAS tokens in its new security initiative, but hopefully it’s something the company is looking at, too.

Smith calls on states to “recognize cloud services as critical infrastructure, with protection against attack under international law” and for greater accountability for nation-states involved in undermining cloud security. “All states should commit publicly that they will not plant software vulnerabilities in the networks of critical infrastructure providers such as energy, water, food, medical care, or other providers,” says Smith. They must commit to not permitting any persons within their territory or jurisdiction to engage in cybercriminal operations that target critical infrastructure.