Microsoft Corp. executives today outlined a wide range of internal initiatives designed to strengthen the company's cybersecurity posture.
The tech giant launched the initiative following an investigation into its anti-infringement practices by the US Cyber Security Review Board (CSRB). The assessment was prompted by a high-profile breach of Microsoft's Exchange Online email service by China-linked hackers. The CSRB found that the company has a “corporate culture that prioritizes enterprise security” and is “consistent with the company's centrality in the technology ecosystem.”
In its 34-page report, the committee recommended that Microsoft develop a plan to improve its anti-infringement procedures and make that plan public. The cybersecurity improvement efforts the company detailed today address this recommendation. Microsoft says the effort is also based on lessons learned from a recent breach in which Russian hackers compromised some executives' inboxes.
In an internal memo detailing the company's new cybersecurity efforts, CEO Satya Nadella wrote: “In some cases, this means prioritizing security over other duties, such as releasing new features or providing continued support for legacy systems.”
Charlie Bell, Microsoft Executive Vice President of Security, detailed other elements of the plan in a blog post today. He explained that this effort revolves around what he calls three “security principles” and six “priority security pillars.” Going forward, Microsoft executive compensation will be calculated in part based on how well the company achieves its plan goals.
The three security principles outlined by Mr. Bell form the high-level framework for this effort. The first principle is that “security is a top priority when designing products and services,” the executive said in the blog post. The two others specify that Microsoft's cybersecurity measures will be enabled by default, require no special effort to use, and will continually improve over time.
The Cybersecurity Plan's six priority security pillars outline a more detailed set of steps Microsoft takes to reduce the risk of a breach.
Two pillars focus on improving the security of sensitive data assets. The first covers secrets, a term for files such as encryption keys, as well as the data and systems that Microsoft leverages to manage user access to applications. The second pillar of this set outlines a series of steps Microsoft takes to prevent hackers from accessing the source code of its products.
The next two pillars of this plan cover the security of the company's network, production environment, and customer deployment of the product. Microsoft's efforts in this area focus specifically on isolating different systems from each other to prevent hackers from spreading malware between systems.
The final two pillars of the plan focus on streamlining how the company detects and responds to cybersecurity risks. As part of this effort, Microsoft will retain security logs from its systems for at least two years to support breach investigations. Additionally, the company plans to speed up the mitigation of vulnerabilities discovered by employees and third-party researchers.
“The Secure Future Initiative will enable Microsoft as a whole to implement the changes needed to deliver security as a top priority,” Bell elaborated. “We will feed what we learn from security incidents back into our security standards and operationalize these learnings as a paved path to secure designs and operations at scale.”