Microsoft appoints new deputy Chief Information Security Officers and eliminates inactive accounts as part of a comprehensive internal security revamp.
In a bid to bolster its cybersecurity practices, Microsoft has announced the establishment of a Cybersecurity Governance Council as part of a broader strategic effort to strengthen security controls across its platforms and services. This move comes in response to a series of high-profile cyber attacks, including the 2023 hack on Microsoft that resulted in the theft of 60,000 emails from the U.S. State Department and the breach of U.S. Commerce Secretary Gina Raimondo's account.
The Cyber Safety Review Board (CSRB) report deemed the 2023 hack entirely preventable, criticizing an internal culture at Microsoft that prioritized speed-to-market over security. In response, Microsoft has announced plans to restructure many of its internal governance practices and make the changes recommended by the CSRB report, including partially tying compensation to security.
The Cybersecurity Governance Council is expected to serve as a high-level body that oversees and integrates security policies, threat intelligence, compliance, and policy enforcement. The council will take ownership over ongoing compliance, implementing regulatory requirements, and identifying the architecture required to reach its security goals.
Microsoft has also made significant strides in reducing its attack surface. The company has eliminated 5.75 million inactive tenants and 730,000 unused apps as part of its app lifecycle management for production and productivity tenants. Additionally, Microsoft is now using a centrally governed pipeline template to run about 85% of its production build pipelines for commercial cloud.
In terms of personnel, Microsoft has named 13 deputy CISOs, each responsible for a specific product segment within the company, including Azure, Microsoft 365, AI, and gaming. In July the company also launched the Security Skilling Academy, which offers curated security training to all company employees.
Microsoft's focus with the Secure Future Initiative is on secure by design, secure by default, and secure by operations as the company works to establish a corporate commitment to a culture of security. The company is also updating processes to improve time-to-mitigate across critical cloud vulnerabilities, including publishing them as CVEs in order to boost transparency.
Updates have been made to Microsoft Entra ID and Microsoft Account for the public and U.S. government clouds to generate, store, and automatically rotate access token signing keys. These measures are designed to enhance security and protect against password-spray attacks, such as the separate attack disclosed in January that was carried out by the state-linked group Midnight Blizzard.
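The article does not describe how Entra ID's key management works internally, so the following is an added illustration, not Microsoft's code, of the control it names: a signing-key ring that generates a fresh random key on each rotation, stamps every token with the key id (`kid`) that signed it, keeps a retired key verifiable only for a grace window so in-flight tokens do not break at the moment of rotation, and fails closed for unknown, retired, tampered, or expired tokens. It uses HMAC-SHA256 over a JWT-like layout and an injectable clock (the `now` parameter, the `SigningKeyRing` class, and the fixed timestamp in the demo are all constructed for this example).

```python
import base64
import hashlib
import hmac
import json
import os
import time


def _b64e(raw: bytes) -> str:
    """base64url without padding, as used in JWT-style tokens."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class SigningKeyRing:
    """Issues and verifies HMAC-signed tokens under an automatically rotated key.

    The active key signs new tokens. When it is retired by rotate(), it keeps
    verifying already-issued tokens for `grace_seconds`, then is dropped, so any
    token still carrying that kid is rejected rather than accepted indefinitely.
    (Hypothetical helper class written for this example.)
    """

    def __init__(self, grace_seconds: int, now=time.time):
        self.grace = grace_seconds
        self.now = now                  # injectable clock so runs are reproducible
        self.keys = {}                  # kid -> [secret, retired_at or None]
        self.active_kid = None
        self.rotate()

    def rotate(self) -> str:
        """Generate a fresh 256-bit key and mark the previous active key retired."""
        if self.active_kid is not None:
            self.keys[self.active_kid][1] = self.now()
        kid = "kid-" + os.urandom(4).hex()
        self.keys[kid] = [os.urandom(32), None]
        self.active_kid = kid
        self._prune()
        return kid

    def _prune(self) -> None:
        # Forget retired keys whose grace window has fully elapsed.
        cutoff = self.now() - self.grace
        self.keys = {k: v for k, v in self.keys.items() if v[1] is None or v[1] > cutoff}

    @staticmethod
    def _sign(secret: bytes, signing_input: str) -> str:
        return _b64e(hmac.new(secret, signing_input.encode(), hashlib.sha256).digest())

    def issue(self, claims: dict, ttl_seconds: int) -> str:
        header = {"alg": "HS256", "kid": self.active_kid}
        payload = dict(claims, exp=int(self.now()) + ttl_seconds)
        signing_input = _b64e(json.dumps(header).encode()) + "." + _b64e(json.dumps(payload).encode())
        return signing_input + "." + self._sign(self.keys[self.active_kid][0], signing_input)

    def verify(self, token: str):
        """Return the claims if the token is authentic and unexpired, otherwise None."""
        try:
            h, p, s = token.split(".")
            header = json.loads(_b64d(h))
        except ValueError:              # malformed structure, base64, or JSON
            return None
        if header.get("alg") != "HS256":
            return None
        entry = self.keys.get(header.get("kid"))
        if entry is None:               # unknown or already-pruned key: fail closed
            return None
        secret, retired_at = entry
        if retired_at is not None and self.now() > retired_at + self.grace:
            return None                 # retired key past its grace window
        if not hmac.compare_digest(self._sign(secret, h + "." + p), s):
            return None                 # signature mismatch (tampering or wrong key)
        payload = json.loads(_b64d(p))
        if payload.get("exp", 0) <= self.now():
            return None                 # expired
        return payload


if __name__ == "__main__":
    clock = [1_700_000_000.0]           # constructed fixed clock for a reproducible run
    ring = SigningKeyRing(grace_seconds=300, now=lambda: clock[0])
    token = ring.issue({"sub": "svc-mailer"}, ttl_seconds=3600)
    print("fresh token:", ring.verify(token))
    ring.rotate()
    print("after rotation, inside grace window:", ring.verify(token))
    clock[0] += 301
    print("after grace window elapsed:", ring.verify(token))
```

The design point is the grace window: rotating without one either invalidates every outstanding token at once or tempts operators to keep old keys around forever, which is exactly the exposure automatic rotation is meant to remove. A production service would distribute the public side of asymmetric keys via a published key set keyed by `kid` instead of a shared HMAC secret, but the lookup-by-kid, reject-unknown-kid, and time-boxed-retirement logic is the same.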
Tom Gann, chief public policy officer at Trellix, has praised Microsoft's Secure Future Initiative, stating that it is a necessary initiative for a company responsible for the majority of the IT industry's zero days. The progress report released by Microsoft shows how the company has revamped its security practices and raised accountability since launching the Secure Future Initiative in November.
Microsoft's senior leadership team is reviewing progress made under the Secure Future Initiative on a weekly basis, underscoring the company's commitment to continuous improvement in cybersecurity practices. Through the Cybersecurity Governance Council and related initiatives, Microsoft aims to set rigorous cybersecurity standards and drive widespread adoption of best practices, both within the company and across its customer ecosystem.
- The Cybersecurity Governance Council, established by Microsoft, will oversee and integrate security policies, threat intelligence, compliance, and policy enforcement, taking ownership over ongoing compliance and identifying the architecture needed to reach its security goals.
- Microsoft has announced plans to restructure its internal governance practices, including partially tying compensation to security, in response to the criticism, following the 2023 hack, of an internal culture that prioritized speed-to-market over security.
- Microsoft has appointed 13 deputy CISOs, each responsible for specific product segments within the company, as part of its ongoing commitment to a culture of security and its security personnel efforts, such as the Security Skilling Academy.
- In its data and cloud platforms, Microsoft has made significant strides in reducing its attack surface, eliminating inactive tenants and unused apps, and updating processes for improved time-to-mitigate across critical cloud vulnerabilities.