How Microsoft Is Beefing Up Security With 34,000 Engineers
After Review Board Criticism, Microsoft Targets Culture, Governance, Engineering
Microsoft said it has implemented substantial culture, governance and engineering changes in recent months to address the increased complexity of cybersecurity threats.
The security initiative - the largest cybersecurity engineering project in the Seattle-area software and cloud computing giant's history - comes after the federally empaneled Cyber Safety Review Board blamed Microsoft's "corporate culture that deprioritized enterprise security investments" for allowing preventable security breaches. In response, Microsoft has allocated 34,000 engineers to engrain security in the company's operations (see: Report Slams Microsoft for Security Blunders in Chinese Hack).
Microsoft's engineering teams have shifted toward a more security-first mindset in recent months, as weekly engineering updates with CEO Satya Nadella and other top executives ensure transparency and accountability, according to Joy Chik, identity and network access president at Microsoft. She said challenges remain around deprecating legacy insecure settings that would affect customers using legacy infrastructure.
"Satya is very clear: Security is top priority, quality is top priority, and then balance with all the customer product feature needs," Chik told Information Security Media Group. "That clear message on priority is really important."
How Microsoft Plans to Approach Security Differently
Microsoft said it has embraced standardized logging, network isolation and enhanced authentication procedures to protect against cyberattacks. The company has also integrated security into employee performance review and compensation structures - including senior leadership - and introduced a cybersecurity governance council and deputy CISOs aligned with Microsoft's security functions (see: Microsoft Overhauls Security Practices After Major Breaches).
Product-specific deputy CISOs provide security oversight for specific product lines while collaborating with the central CISO function, Chik said. This structure blends in-depth product knowledge with a holistic view of risk across Microsoft's ecosystem and is crucial for both evaluating and prioritizing security efforts as well as ensuring that they are aligned with business needs, according to Chik.
"The collection of the entire console allows that body to have a holistic view of the risk, as well as helping to prioritize what should be the right security posture, and then working with the engineering side hand in hand so that we can collectively use the risk to then prioritize the work," Chik said.
Chik said a cornerstone of Microsoft's security philosophy is the zero trust model, which assumes a breach is inevitable. The company has therefore focused on early detection, rapid response and limiting lateral movement within systems. Microsoft emphasized the importance of ecosystem collaboration, and Chik called for industry players to share threat signals and work together to combat attackers.
"If we use the zero trust principle, then we always assume breach, so that detection and monitoring is equally important," Chik said, "as well as, 'When anything happens, how do we quickly remediate as well as respond?'"
Microsoft's security efforts aim not only to protect its own environment but also to share best practices and tools with customers, according to Chik. She said AI plays a significant role in these efforts, allowing Microsoft to improve threat detection and response times and helping both the company and its customers stay ahead of increasingly sophisticated threats.
"We continually invest in AI with all the threat signals we have," Chik said. "How can we also leverage AI to help us to do threat hunting and help us get more in terms of insights into the threat landscape?"
Microsoft has been a frequent target for threat actors in recent years. Russian hackers compromised its source code repositories and internal systems in a breach first disclosed in January, and a China-based threat actor known as Storm-0558 gained access to Microsoft Outlook systems in July 2023, stealing emails from 25 organizations (see: Microsoft's Latest Hack Sparks Major Security Concerns).
How Microsoft Plans to Enhance Its Security Engineering
From an engineering standpoint, Microsoft has made significant technical improvements around identity protection, tenant isolation, network security and software engineering systems and has scaled security improvements with platform engineering. The firm said it has improved response times to vulnerabilities as well as communication during security incidents, even when no customer action is required.
"We established the Customer Security Management Office to improve public messaging and customer engagement for security incidents," Microsoft said in the progress report. "This new office will work in partnership with teams across the company, ensuring that our public messaging and customer engagement are aligned with our security goals."
Pre-built templates and tools streamline the implementation of security best practices, Microsoft said, simplifying security compliance while also maintaining developer velocity and satisfaction. The company also has automated the use of centrally governed pipeline templates for consistency and efficiency in production builds and cut access to privileged roles to protect engineering systems and supply chain.
"Eighty-five percent of our production build pipelines for the commercial cloud are now using centrally governed pipeline templates, making deployments more consistent, efficient, and trustworthy," Microsoft said in the progress report. "We also implemented proof-of-presence checks for critical chokepoints in our software development code flow."
Efforts to protect identities include hardware security modules and video-based user verification for employees, which Microsoft said is coupled with the elimination of unused apps and inactive tenants to reduce the attack surface. The automated rotation of access token signing keys will help stop attackers from exploiting credential mismanagement and nonstandard protocols to gain access to systems.
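To make the rotation point concrete, here is an added illustration (not Microsoft's code, and not from the progress report) of why automated signing-key rotation bounds the damage from a mismanaged key: a key ring signs with the current key, accepts a short grace window of predecessors, and rejects anything older. HMAC-SHA256 and the class name `SigningKeyRing` are constructed for this example; a production identity provider would use asymmetric keys published through JWKS.

```python
import base64, hashlib, hmac, json, os, time
from collections import OrderedDict

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

class SigningKeyRing:
    """Token-signing keys with automatic rotation (constructed example).
    The current key signs; it plus `keep_previous` predecessors verify, so
    tokens issued just before a rotation stay valid for a bounded grace
    window. Anything older is retired and rejected outright, which caps
    how long a leaked or mismanaged signing key stays usable.
    HMAC-SHA256 stands in for the asymmetric keys a real IdP would use."""

    def __init__(self, rotation_period, keep_previous=1, now=time.time):
        self.rotation_period = rotation_period
        self.keep_previous = keep_previous
        self.now = now                    # injectable clock for tests
        self.keys = OrderedDict()         # kid -> (secret, created_at), oldest first
        self.current_kid = None
        self.rotate()

    def rotate(self):
        kid = os.urandom(4).hex()
        self.keys[kid] = (os.urandom(32), self.now())
        self.current_kid = kid
        while len(self.keys) > self.keep_previous + 1:
            self.keys.popitem(last=False)  # retire the oldest key
        return kid

    def sign(self, claims):
        if self.now() - self.keys[self.current_kid][1] >= self.rotation_period:
            self.rotate()                 # rotation is automatic, not manual
        header = _b64(json.dumps({"alg": "HS256", "kid": self.current_kid}).encode())
        body = _b64(json.dumps(claims).encode())
        mac = hmac.new(self.keys[self.current_kid][0], f"{header}.{body}".encode(), hashlib.sha256)
        return f"{header}.{body}.{_b64(mac.digest())}"

    def verify(self, token):
        """Return the claims, or None if the kid is retired/unknown or the MAC fails."""
        header, body, sig = token.split(".")
        entry = self.keys.get(json.loads(_b64d(header)).get("kid"))
        if entry is None:
            return None                   # retired or never-issued key: reject
        mac = hmac.new(entry[0], f"{header}.{body}".encode(), hashlib.sha256).digest()
        return json.loads(_b64d(body)) if hmac.compare_digest(mac, _b64d(sig)) else None
```

After two rotation periods a token signed with the first key fails verification even though its signature is intact, which is the property that limits an attacker's window with a stolen key.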
"We completed enforcement of the use of phishing-resistant credentials in our production environments and implemented video-based user verification for 95% of Microsoft internal users in our productivity environments to eliminate password sharing during setup/recovery," Microsoft said in the progress report.
Microsoft said it has reduced its attack surface by eliminating 730,000 unused applications and 5.75 million inactive tenants while enforcing strict governance over tenant creation. By ensuring tenant and system isolation, Microsoft said, it is preventing lateral movement in case of breaches and minimizing the potential entry points for attackers.
Threat monitoring and detection have been enhanced by ensuring that 99% of network devices emit standardized security logs, according to Microsoft. The company said it has also implemented service tags and network security perimeters to manage traffic and minimize risks from lateral movement.
"Over 99% of physical assets on the production network are recorded in a central inventory system, which enriches asset inventory with ownership and firmware compliance tracking," Microsoft said in the progress report. "Virtual networks with back-end connectivity are isolated from the Microsoft corporate network and subject to complete security reviews to reduce lateral movement."
Finally, Microsoft said, it has strengthened its transparency and compliance efforts through governance improvements and frequent updates to its senior leadership team and board. New tools and processes, such as retaining security logs for two years and expanding security logs for customers, aid transparency, according to the company.
"We have made Microsoft 365 audit logs available to all customers, eliminating the previous E5 license requirement," Microsoft said in the progress report. "Additionally, we have enabled more M365 audit logs through Microsoft Purview. Furthermore, the default free retention period for M365 audit logs has been extended from 90 days to 180 days."