Microsoft so far has eliminated some 730,000 unused applications and 5.75 million inactive tenants within its cloud environment as part of its sweeping Secure Future Initiative (SFI), designed to shore up security following a couple of major intrusions into its network over the past year.
The company has also deployed 15,000 new, locked-down devices for software production teams over the past three months and implemented video-based identity verification for 95% of its production staff. In addition, Microsoft has updated its Entra ID and Microsoft Account (MSA) processes for generating, storing, and rotating access token signing keys for public and government clouds.
Secure Future Initiative
The changes are part of a broader Microsoft effort to reduce its attack surface, strengthen cloud identity and authentication mechanisms, and boost its ability to detect and respond to threats. “Since the initiative began, we’ve dedicated the equivalent of 34,000 full-time engineers to SFI — making it the largest cybersecurity engineering effort in history,” said Charlie Bell, executive vice president of Microsoft Security, in an update this week.
Microsoft launched SFI in November 2023, a few months after China’s Storm-0558 breached the company’s Exchange Online infrastructure and accessed email accounts across more than two dozen government agencies. Among those affected were senior officials working on US relations with China. In a second incident last year that Microsoft only discovered and reported in January 2024, Russia’s Midnight Blizzard breached the company’s corporate email accounts via a low-tech password spraying attack.
The US Department of Homeland Security’s Cyber Safety Review Board (CSRB) conducted a fact-finding analysis of the Storm-0558 incident and concluded the intrusion stemmed from a “cascade of security failures at Microsoft” at a strategic and cultural level. The board made several recommendations for Microsoft to bolster cloud security, especially around identity and authentication.
Microsoft has identified six areas for improvement with SFI: identity and secrets; security around cloud tenants and production systems; protections for engineering systems; network security; threat detection and monitoring; and incident response and remediation.
Sweeping Security Changes at Microsoft
Bell’s report this week provided an update on the progress the company has been making in each of those areas. The updates to Entra ID and Microsoft Account, for instance, are part of an effort to better protect critical signing keys for remote authentication from misuse. Storm-0558 actors took advantage of a single, errant signing key and a vulnerability in Microsoft’s authentication system to grant themselves the ability to access essentially any Exchange Online account around the world.
Similarly, the elimination of hundreds of thousands of unused apps and millions of inactive tenants is part of an effort to reduce the surface area for potential attacks against cloud tenants and production systems.
On the network security front, Microsoft has implemented mechanisms for improving visibility: The company now maintains a central inventory for more than 99% of physical assets on its production network. “Virtual networks with backend connectivity are isolated from the Microsoft corporate network and subject to complete security reviews to reduce lateral movement,” Microsoft’s Bell wrote.
To protect engineering systems, Microsoft has begun using centrally managed pipeline templates for 85% of its production builds for the commercial cloud, reduced the lifespan of personal access tokens to seven days, and disabled Secure Shell (SSH) access to internal Microsoft engineering repos. Proof-of-presence checks are now mandatory for critical points along Microsoft’s software development process.
Exec-Level Accountability
This is the second update that Microsoft has provided on the progress the company has been making with SFI. A previous one in May focused largely on changes that Microsoft has been making at the organizational level to — among other things — hold executives directly responsible for security.
The changes the company has made at the organizational level include tying compensation for senior leadership to specific security goals and milestones, tying the threat intelligence team more tightly to the enterprise CISO’s office, and requiring engineering and security teams to work together.