Microsoft Launches Secure Future Initiative
Written by Kay Ewbank
Thursday, 16 November 2023
Microsoft has launched the Secure Future Initiative, a focus on improving security that includes software development, new identity protections, and faster responses to vulnerabilities.
The announcement was made earlier this month by Microsoft’s Vice Chair and President Brad Smith, who said the engineering advances anticipate future cyberthreats, such as increasing digital attacks on identity systems, and also address how Microsoft plans to build secure foundations necessary for the AI era and beyond.
The first thrust of the initiative, according to Smith, will be a transformation in the way Microsoft develops software with automation and AI with the aim of delivering software that is secure by design, by default, in deployment, and in operation.
This will build on Microsoft's Security Development Lifecycle (SDL) to add in continuous integration and continuous delivery (CI/CD). Smith said this will become "dynamic SDL" (dSDL). In practical terms, threat modeling will be automated and accelerated, and CodeQL will be used for code analysis of all Microsoft's commercial products. CodeQL is an analysis engine that can automate security checks, and model security vulnerabilities, bugs, and other errors as queries that can be executed against databases extracted from code.
Microsoft also plans to expand its use of memory safe languages such as C#, Python, Java, and Rust, and to "eliminate whole classes of traditional software vulnerability".
Microsoft also says it will ensure that security controls embedded in its products, such as multifactor authentication, will scale, and that Azure tenant baseline controls (99 controls across nine security domains) will be implemented by default across Microsoft's internal tenants automatically.
The second thrust of the initiative concerns identity management, with plans to extend existing identity features to provide "a unified and consistent way of managing and verifying the identities and access rights of our users, devices, and services, across all our products and platforms". The aim is to make it harder for identity-focused espionage and criminal operators to impersonate users.
The use of standard identity libraries (such as Microsoft Authentication Library) will be enforced across all of Microsoft, implementing identity defenses like token binding, continuous access evaluation, advanced application attack detections, and additional identity logging support. Those capabilities are also being made freely available to non-Microsoft application developers through the same libraries.
Identity signing keys will be moved to an integrated, hardened Azure HSM and confidential computing infrastructure, in which signing keys are not only encrypted at rest and in transit, but also during computational processes. Key rotation will also be automated.
The third element of the initiative is in vulnerability response and security updates for Microsoft's cloud platforms. The aim is to cut the time it takes to mitigate cloud vulnerabilities by 50 percent, using automation and AI-driven tools and processes.
"As we enter the age of AI, it has never been more important for us to innovate, not only with respect to today's cyberthreats but also in anticipation of those to come."
Last Updated (Thursday, 16 November 2023)