Microsoft does damage control with its new initiative


What can we do as the threat grows, and where do we need to take it? How Microsoft is going to improve security settings in cloud environments

“The threat is growing,” he tells WIRED. “It’s a huge drag on the world. What can we do when you look at all of this? Most of the ability to defend is held by Microsoft. It caused us to step back.”

Microsoft is launching a major security effort known as the Secure Future Initiative. This new approach is intended to change the way Microsoft builds and operates its software and services. It's the biggest change to security efforts inside Microsoft since the company announced its Security Development Lifecycle (SDL) in 2004, after Windows XP fell victim to a huge Blaster worm attack that knocked PCs offline in 2003. The push occurred two years after co-founder Bill Gates called for a trustworthy computing initiative.

Microsoft plans to use automation and artificial intelligence during the software development process to improve the security of its cloud services, cut the time it takes to fix cloud vulnerabilities, and make better security settings available out of the box.

“We plan to cut the time it takes to mitigate cloud vulnerabilities by 50 percent,” says Bell in his memo. He says the company's investment and learnings in automation, orchestration, and intelligence-driven tools and processes put it in a position to achieve this. If Microsoft can cut the industry window for security fixes to only 45 days, then that is a good start to the new initiative.

Bell says they are moving identity platforms to confidential computing infrastructure that they helped pioneer. “In this architecture, data governing identities is encrypted not only at rest and transit but during computational processes as well. This means that even if an attacker gets through our layered defenses in the course of targeting encryption keys, the key data is designed to be inaccessible within automated systems that do not require human touch.”

Microsoft is trying to improve security defaults. “Over the next year we will enable customers with more secure default settings for Multi-Factor Authentication (MFA) out-of-the-box,” says Smith. “This will expand our current default policies to a wider band of customer services, with a focus on where customers need this protection the most.”

In September, a research firm disclosed that Microsoft's artificial intelligence researchers accidentally exposed 38 terabytes of data by using an Azure feature called SAS tokens. “Account SAS tokens are extremely hard to manage and revoke,” said Wiz researchers at the time. Microsoft does not specifically mention SAS in its new security initiative, but it could be that the company is looking at it.

Smith says cloud services should be recognized as critical infrastructure with protection against attack under international law, and calls for greater accountability for nation-states involved in subverting cloud security. Smith says that state governments should commit publicly that they won't plant software vulnerabilities in the networks of critical infrastructure providers. “They should also commit that they will not permit any persons within their territory or jurisdiction to engage in cybercriminal operations that target critical infrastructure.”