During its Ignite conference on Tuesday, Microsoft shared a progress update on its Secure Future Initiative (SFI), introduced a year ago, which included significant measures such as enforcing multi-factor authentication (MFA) by default for new tenants, isolating close to 100,000 work devices under conditional access policies, and blocking GitHub secrets from exposure.

The progress report, structured around the six engineering pillars Microsoft customarily uses to measure SFI progress, presents a more promising outlook than the previous update in September, which centered on credential rotation, JIT/JEA access controls, and threat monitoring.

“In May 2024, Microsoft CEO Satya Nadella made security the company’s top priority,” Microsoft said in the report. “Since that time, we have dedicated the equivalent of 34,000 engineers to advance the objectives laid out in SFI, making it the largest cybersecurity engineering project in history.”

Microsoft also highlighted efforts to embed security into its culture, completing several learning and governance initiatives, including mandatory workforce security training through the Microsoft Security Academy, and committing to the CISA “secure by design” pledge.

Microsoft commits to protecting identities, secrets, and systems

Microsoft emphasized its commitment to security by integrating a series of “secure by design” frameworks into its processes. The company outlined four key SFI engineering pillars supporting this effort: protecting identities and secrets, isolating production systems to safeguard tenants, protecting networks, and securing engineering systems.

To this end, the cloud provider, whose identity portfolio includes Azure AD, Entra, Defender, and Authenticator, has enforced MFA by default for all new tenants. Additionally, it is enforcing phishing-resistant MFA across its productivity environments.

“To help secure customers, multifactor authentication (MFA) is now on by default for new tenants and will be enforced for the Microsoft Azure Portal, Microsoft Entra admin center, Intune admin center, and Microsoft 365 admin center,” Microsoft said in the report.

Azure Managed Identity for service-to-service (S2S) has also been implemented on a large scale for Entra ID apps and Azure resources, to help protect secrets such as passwords, storage access keys, and storage SAS tokens from leaks, Microsoft added.

To mitigate device-based compromises, Microsoft reported having deployed 98,000 production-ready, locked-down devices (operating only secure, limited functionality), in addition to moving 28,000 “high-risk users” to a customized and locked-down Virtual Desktop Infrastructure (VDI) solution.

“To help secure customers, we have introduced a Microsoft Entra Conditional Access template, currently in public preview, which requires device compliance,” Microsoft said.

Within the “protect engineering systems” pillar, which covers practices for reducing the risk of secrets and credentials landing in Microsoft code, the company has deployed GitHub Advanced Security to block new secrets from being exposed at push time in GitHub and Azure DevOps Git repositories.

To further tackle secret leaks, Microsoft is working “to remove secrets from code and other unsecured storage and transmission methods and has implemented standards of strong authentication protocols that do not rely on weak mechanisms such as plaintext credentials and that actively detect, block, and remove exposed secrets and credentials.”
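The push-time blocking described in the two paragraphs above works by scanning the lines a push would add and refusing the push when a credential shape is recognised. The following is an added illustration of that mechanism, not GitHub Advanced Security push protection or any Microsoft code: it scans the added lines of a unified diff for a handful of credential formats and reports what a pre-push hook would reject. The pattern set and names (`SECRET_PATTERNS`, `scan_diff`, `should_block`) are assumptions made for this example, the sample diff is constructed, and the key and token values in it are obviously fake.

```python
"""Illustrative pre-push secret check (added example, not GitHub's or Microsoft's code).

Scans the *added* lines of a unified diff for a few well-known credential
shapes and returns findings a pre-push hook would use to refuse the push.
The pattern set is an illustrative assumption, not an exhaustive scanner.
"""
import re
from dataclasses import dataclass

# Pattern names and regexes are assumptions chosen for this example.
SECRET_PATTERNS = {
    # GitHub classic personal access token: "ghp_" followed by 36 alphanumerics
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    # Azure Storage account key inside a connection string: 88-char base64 ending "=="
    "azure_storage_key": re.compile(r"AccountKey=[A-Za-z0-9+/]{86}=="),
    # Azure Storage SAS token: query string carrying sv=<date> ... sig=<signature>
    "azure_sas_token": re.compile(r"[?&]sv=\d{4}-\d{2}-\d{2}&.*\bsig=[A-Za-z0-9%+/=]{20,}"),
    # Literal password assigned in source
    "plaintext_password": re.compile(r"(?i)\bpassword\s*[=:]\s*['\"][^'\"]{8,}['\"]"),
}


@dataclass(frozen=True)
class Finding:
    file: str
    line_no: int  # line number in the new version of the file
    kind: str


def scan_diff(diff: str) -> list[Finding]:
    """Return a Finding for every added line that matches a secret pattern."""
    findings: list[Finding] = []
    current_file = None
    new_line_no = 0
    for raw in diff.splitlines():
        if raw.startswith("+++ "):
            # "+++ b/path" names the new version of the file
            current_file = raw[4:].removeprefix("b/")
        elif raw.startswith("@@"):
            # hunk header "@@ -old,len +new,len @@": reset the new-file counter
            m = re.match(r"@@ -\d+(?:,\d+)? \+(\d+)", raw)
            new_line_no = int(m.group(1)) if m else 0
        elif raw.startswith("+"):
            text = raw[1:]
            for kind, pattern in SECRET_PATTERNS.items():
                if pattern.search(text):
                    findings.append(Finding(current_file or "<unknown>", new_line_no, kind))
            new_line_no += 1
        elif not raw.startswith("-"):
            new_line_no += 1  # context lines exist in the new file too; removed lines do not
    return findings


def should_block(diff: str) -> bool:
    """A pre-push hook refuses the push when any finding is present."""
    return bool(scan_diff(diff))


# Constructed sample diff with obviously fake credential values.
FAKE_KEY = "A" * 86 + "=="
FAKE_PAT = "ghp_" + "x" * 36
SAMPLE_DIFF = (
    "diff --git a/config/settings.py b/config/settings.py\n"
    "--- a/config/settings.py\n"
    "+++ b/config/settings.py\n"
    "@@ -1,3 +1,5 @@\n"
    " import os\n"
    "-STORAGE = os.environ[\"STORAGE_CONN\"]\n"
    f"+STORAGE = \"DefaultEndpointsProtocol=https;AccountName=demo;AccountKey={FAKE_KEY};EndpointSuffix=core.windows.net\"\n"
    f"+GITHUB_TOKEN = \"{FAKE_PAT}\"\n"
    " TIMEOUT = 30\n"
    "+LOG_LEVEL = \"INFO\"\n"
)

if __name__ == "__main__":
    for f in scan_diff(SAMPLE_DIFF):
        print(f"{f.file}:{f.line_no}: {f.kind}")
    print("push blocked" if should_block(SAMPLE_DIFF) else "push allowed")
```

On the sample diff the scanner flags the storage key on line 2 and the token on line 3 of the new file and reports the push as blocked; the hard-coded storage connection string replaces an environment lookup, which is exactly the regression the report's "remove secrets from code" goal targets. A local hook like this complements rather than replaces server-side push protection, which runs on the receiving repository and cannot be skipped by a developer who never installed the hook.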

Under network protection, it is making Azure Virtual Network Encryption generally available in all regions and Domain Name System Security Extensions (DNSSEC) support available in public preview.

Additionally, to foster “isolation and segmentation” of management as well as services, over 99.3% of physical assets have been inventoried and have had mandatory access control lists (ACLs) applied to isolate their management, Microsoft revealed.

Intensified focus on threat management

Microsoft attributed a handful of other upgrades to the remaining SFI pillars: monitor and detect threats, and accelerate response and remediation.

To facilitate improved system monitoring for threat detection, Microsoft said it has expanded cloud logging capabilities which include detailed logs of more than 30 types of data and standard log retention for 180 days. These capabilities are available to Microsoft 365 customers by default at no additional cost, Microsoft added.

Additionally, the company reported establishing central management and a two-year retention period for identity infrastructure security audit logs.

Under threat management initiatives, the company said it mitigated 90% of high-severity cloud vulnerabilities within its “reduced time to mitigate” window. It also reported publishing close to 800 Common Vulnerabilities and Exposures (CVEs) as part of a transparent communication effort.

“Microsoft is continuing to make progress on our targets for SFI,” said Vasu Jakkal, CVP Security, Microsoft. “(In this report), we highlight the investments we are making across the company to identify, prioritize, and address cybersecurity risk across the company.”

Source: https://www.csoonline.com/article/3608642/from-mfa-mandates-to-locked-down-devices-microsoft-posts-a-year-of-sfi-milestones-at-ignite.html