Updated: April 8, 2024 (November 2, 2023)
It's high time for another sweeping Microsoft security initiative. Or is it?

It’s been a while since Microsoft announced a company-wide security initiative. Remember Security Development Lifecycle back in 2004, post-Blaster? Or Trustworthy Computing in 2002?
Microsoft’s newest imperative, unveiled both internally and publicly on November 2, is called the Secure Future Initiative (SFI). It’s focused on revamping how Microsoft designs, builds, tests, and maintains its services and software.
It’s probably no coincidence Microsoft is unveiling SFI after widespread outcry — and calls for government regulation — following the Storm-0558 China hack. Via that breach, bad actors infiltrated a number of business and government Outlook email accounts, all stemming from access to a Microsoft Account consumer key.
Storm-0558 is hardly the only big cybersecurity incident that’s hit Microsoft and its customers in recent months. Phishing, ransomware, malware as a service and other security issues are cropping up non-stop. And as more companies bring generative AI technology in-house, even more sophisticated security problems will, no doubt, be added to the mix. At the same time, big tech companies increasingly are finding themselves on the “failure to inform” end of a sharp legal stick, giving Microsoft even more incentive to be proactive in cleaning up its security act.
Unsurprisingly, AI plays heavily into Microsoft’s proposed security solution (as it does with every Microsoft announcement these days). Microsoft is working on an AI assistant tool called Security Copilot that is meant to help IT pros more quickly and easily see what’s happening from a security standpoint in their organizations. Microsoft recently broadened its private, paid testing program for Security Copilot ahead of its expected 2024 general availability.
As part of the SFI initiative announced today, Microsoft said it will improve its own software development and vulnerability remediation activities. Specifically, Microsoft execs said they will:
- Cut the time it takes to mitigate cloud vulnerabilities by 50 percent to dramatically speed up its vulnerability response and resulting security updates. As part of this, execs said Microsoft will “encourage more transparent reporting in a more consistent manner” across the tech sector, presumably by modelling full transparency and timely reporting of its own security incidents.
- Move to a new, fully automated consumer and enterprise key-management system that builds on Azure Hardened Security Module (HSM) and confidential computing infrastructure where the keys are not just encrypted at rest and in transit, but also during computational processes.
- Expand automated threat modeling against its code to try to head off and defeat future attacks. As part of this, the company is expanding its use of memory-safe languages like C#, Python, Java, and Rust to eliminate classes of traditional software vulnerabilities.
- Embed more security defaults into products, such as mandatory multi-factor authentication (MFA) and other on-by-default security settings over the next year and beyond.
“The Trustworthy Computing push happened because (Microsoft founder Bill) Gates recognized that security problems were slowing PC sales, which hurt Microsoft sales. It could be that it is seeing similar limiting effects in the cloud business, with customers so under siege that they can’t adopt new technologies,” said Directions on Microsoft analyst Rob Helm.
“And in that business, Microsoft can’t ignore the problems that a customer is having with security, because Microsoft is effectively a big part of the customer’s IT department,” Helm added.
Whatever happened to Trustworthy Computing?
Speaking of Trustworthy Computing, Microsoft’s last major cross-divisional security initiative, Directions on Microsoft analyst Michael Cherry wondered whatever became of it.
“The question that should be asked of Microsoft is, ‘if you were doing Trustworthy Computing correctly, and this assumes you are still doing it, then what about your secure by design, secure by deployment, and secure by default isn’t working?’” Cherry said. After all, with cloud-based services, Microsoft has responsibility for aspects of all three Trustworthy Computing pillars.
“If Microsoft was doing Trustworthy Computing — and there is no good reason that it would have ever stopped doing it — then one would think they should be on top of and adapting to new threats and threat actors. Is the reality that Microsoft, as an organization, doesn’t have the discipline to really address security and identity because of the race to get products to market and meet the continual fast pace of updates required to drive the Microsoft ‘As-a-Service’ subscription engine? If so, that means product teams have all abandoned secure by design, secure by deployment, and secure by default.”
“Maybe instead of a new initiative, Microsoft should just quietly get back to first principles of Trustworthy Computing and wait until it has the fundamentals down pat before adding AI,” Cherry said.