Microsoft has reorganized its internal priorities, and its managers have decided that security has to become the number one concern for all of its employees. The company made this decision after suffering several attacks and after external criticism multiplied.
From now on the company is going to take protection much more seriously, and it has begun to prepare a list of security principles and objectives to be met. Additionally, these goals and principles will be tied to the salary and compensation packages of Microsoft’s senior management team.
Charlie Bell, Vice President of Security at Microsoft, has offered details in a post about everything the company is going to do in terms of cybersecurity, stating that Microsoft is going to “make security the top priority at Microsoft, above everything else and above all other functions”.
To start, as we have mentioned, the company is going to “introduce accountability by basing part of senior management team compensation on progress in meeting security plans and objectives”. In addition, it has adopted three security principles as part of these objectives: security by design, security by default and secure operations.
With these principles, Microsoft aims to put security at the forefront during the design phases of its products and services, and to place more emphasis on protections that are activated by default. The company also wants to improve its controls and its monitoring of threats, both present and future.
Microsoft’s security pillars from now on
Apart from these three principles, the company has broader objectives that are supported by what it has called “six priority pillars of security”, that is, the six areas in which it needs to improve. They are the following:
1 – Improve identities and secrets. To this end, the company promises to implement the best possible standards in the infrastructure it dedicates to protecting identities and secrets, with the aim that all of its users’ accounts are protected through multi-factor authentication. It also wants all applications to be protected through credential management, as is already the case with certificates.
2 – Access protection and isolation of production systems. Microsoft will ensure that only clean, managed and secure devices gain access to the company’s services. There will also be a least-privilege access model, with minimum access levels and permissions, for all applications.
3 – Network protection. The company promises to secure all of its networks and the production systems connected to them. To do this, it will apply microsegmentation and isolation principles to all production environments, creating additional layers of defense against attackers.
4 – Protection of engineering systems. Microsoft notes that it will always secure access to its source code through Zero Trust and least-privilege access policies. Any source code deployed to production environments will also be protected by security best practices. Test environments will likewise have standardized security, as well as infrastructure isolation.
5 – Threat monitoring and detection. The company promises to keep all security logs for two years, and to make six months of the logs it considers appropriate available to customers. It will also detect and respond automatically and quickly to suspicious access or configuration changes across all of the company’s production services and infrastructure.
6 – Accelerate response and remediation. In this area, the company’s goal is to prevent unpatched vulnerabilities from being exploited. Microsoft is committed to reducing the time it takes to fix extremely serious cloud security vulnerabilities. It will also increase transparency around these vulnerabilities, for which it will adopt the industry standards Common Weakness Enumeration (CWE) and Common Platform Enumeration (CPE).
Those in Redmond are already coordinating their engineering teams to implement these measures in different waves across the company. The Azure Cloud, Windows, Microsoft 365 and Security teams are involved in this process, and according to Bell, additional product teams will join it each week. Aside from this, the company is working on improving its security culture, after its Cybersecurity Review Board rated it inadequate.
Microsoft is also adding Chief Information Security Officers (CISOs) to all product teams, and the Threat Intelligence team will report directly to the CISO. In this way, each engineering team will have a dedicated security lead.
With all these measures, those at Redmond hope not only to improve internally in terms of security, but also to avoid being affected by attacks like those that have impacted the company in recent months and that could lower confidence in Microsoft.