
After several failures, Microsoft treats security as its top priority

A Review of Microsoft’s Security Principles and Goals for the Next Generation of Product Development and Service Architectures, with an Update after the US Cyber Safety Review Board

Microsoft is making security its number one priority for every employee, following years of security incidents and mounting criticism. After receiving a report from the US Cyber Safety Review Board that found Microsoft's security culture inadequate and in need of an overhaul, the company has put together a set of security principles and goals for its senior leadership team.

Microsoft is also adding deputy chief information security officers (CISOs) to each product team and is moving its threat intelligence team to report directly to the CISO. That should mean there’s a clear responsibility for security in engineering teams.

Microsoft is making progress on some of its goals. Multifactor authentication is enabled by default across more than one million of Microsoft's own tenants, which include development, testing, demo, and production environments. 720,000 apps have been removed because they did not meet current Secure Future Initiative (SFI) standards.

Microsoft is now coordinating its engineering teams to complete this work in waves across the company. “These engineering waves involve teams across Azure Cloud, Windows, Microsoft 365 and Security, with additional product teams integrating into the process weekly,” says Bell.

Every facet of the SFI pillars will be governed by these principles, as we: protect identities and secrets, protect tenants and isolate production systems, protect networks, protect engineering systems, monitor and detect threats, and accelerate response and remediation. We’ve shared specific, company-wide actions each of these pillars will entail, including those recommended in the CSRB’s report, which you can learn about here. Hiring and rewards decisions will be influenced by the implementation of standards, guidelines, and requirements across Microsoft. In addition, we will instill accountability by basing part of the compensation of the senior leadership team on our progress towards meeting our security plans and milestones.

Microsoft now has three security principles that form a big part of these goals: secure by design; secure by default; secure operations. These principles are designed to put security first during the design phases of products and services, place a greater focus on protections that are enabled by default, and improve controls and monitoring for current and future threats.

How Do We Make Sure You’re Secure? Committing the SFI Team to Preserving Cyber Security and Protecting the Internet for the Future

Security is a team sport, and accelerating SFI isn’t just job number one for our security teams — it’s everyone’s top priority and our customers’ greatest need.

If you’re faced with the tradeoff between security and another priority, your answer is clear: Do security. When this is the case, we need to prioritize security above other things such as releasing new features or providing ongoing support for legacy systems. This is key to advancing both our platform quality and capability so that we can protect the digital estates of our customers and build a safer world for all.

The Department of Homeland Security’s Cyber Safety Review Board (CSRB) recently published findings that underscore the seriousness of the threats facing our company and our customers, as well as our responsibility to defend against these sophisticated threat actors.

We’ll commit the entire organization to SFI as we double down on this initiative with an approach grounded in three core principles.