Microsoft launches new initiative to augment security
Nearly 22 years after Bill Gates announced a concerted Microsoft-wide push to deliver Trustworthy Computing, the company is launching the Secure Future Initiative to boost the overall security of Microsoft’s products and of its customers and users.
A new Microsoft initiative focused on security
“In recent months, we’ve concluded within Microsoft that the increasing speed, scale, and sophistication of cyberattacks call for a new response,” says Brad Smith, Vice Chair and President of Microsoft.
Ransomware attempts are up by 200% since September 2022, he noted. Nation-state actors have become more prolific and more brazen in their cyber operations, and the best-resourced attackers are innovating at great speed.
Hence: the Secure Future Initiative.
As part of it, Microsoft is extending AI capabilities to help customers extract threat intelligence from their own data and respond to and limit the extent of cyber intrusions at machine speed, and to offer AI technologies with adequate safety and security safeguards.
The company will also change how it engineers software:
“We’re going to apply the concept of continuous integration and continuous delivery (CI/CD) to continuously integrate protections against emerging patterns as we code, test, deploy, and operate,” Charlie Bell, Executive Vice President of Microsoft Security, and engineering colleagues Scott Guthrie and Rajesh Jha outlined in an email sent to Microsoft employees.
“We will accelerate and automate threat modeling, deploy CodeQL for code analysis to 100 percent of commercial products, and continue to expand Microsoft’s use of memory safe languages (such as C#, Python, Java, and Rust), building security in at the language level and eliminating whole classes of traditional software vulnerability.”
Microsoft plans to:
- Automatically implement Azure tenant baseline controls by default across its internal tenants, and auto-remediate settings in deployment
- Use standard identity libraries with advanced identity defenses across Microsoft apps and make those libraries available to non-Microsoft application developers
- Move identity signing keys (both consumer and enterprise) to a hardened Azure HSM and confidential computing infrastructure, where they will be encrypted at all times (even during use) and will be automatically and regularly rotated
- Reduce by 50 percent the time it takes the company to mitigate cloud vulnerabilities
“Finally, we believe that stronger AI defenses and engineering advances need to be combined with a third critical component – the stronger application of international norms in cyberspace,” Smith added.
“We will commit Microsoft’s teams around the world to help advocate for and support these efforts.”