In November 2023, Microsoft launched the Secure Future Initiative (SFI), a bold step to enhance cybersecurity for Microsoft, its customers, and the wider tech industry. In May 2024, the initiative expanded to focus on six core security pillars, guided by both industry feedback and Microsoft’s own insights. Since its inception, SFI has mobilized the equivalent of 34,000 full-time engineers, marking it as the largest cybersecurity engineering effort in history. Now, Microsoft is sharing key updates and milestones in its first SFI Progress Report.
Cultivating a Security-First Culture
At the core of Microsoft’s efforts is the commitment to fostering a security-first culture. Microsoft has appointed Deputy Chief Information Security Officers (Deputy CISOs) across all key security functions and engineering divisions, forming a Cybersecurity Governance Council. Led by CISO Igor Tsyganskiy, the council is responsible for managing the company’s overall cybersecurity risks, defense, and compliance.
To further this security-driven approach, security performance is now integrated into employee performance reviews. This initiative empowers all employees to contribute actively to Microsoft’s security goals. Additionally, the company has launched the Security Skilling Academy, a specialized training program designed to equip every employee with the necessary skills to prioritize cybersecurity in their daily roles.
Progress Across Six Key Security Pillars
Microsoft’s work is centered on six key pillars that shape its cybersecurity efforts. Recent developments across these pillars include:
- Protecting Identities and Secrets: Microsoft has updated Microsoft Entra ID and Microsoft Account (MSA) for public and U.S. government clouds, enabling secure token management via the Azure Managed Hardware Security Module (HSM). This includes broad adoption of standardized security token validation, now covering 73% of tokens issued for Microsoft-owned applications.
- Tenant and Production System Security: The company has eliminated over 5.75 million inactive tenants, significantly reducing the potential attack surface. Over 15,000 new production-ready, secure devices have been deployed to safeguard systems.
- Network Protection: Microsoft now has over 99% of physical assets on its production network centrally recorded, reducing risks of lateral movement and ensuring secure deployments through Platform as a Service (PaaS) resources like Azure Storage, SQL, and Cosmos DB.
- Engineering Systems Security: Around 85% of production build pipelines are now using centrally governed templates, streamlining operations for secure and trustworthy deployments. Microsoft has also reduced access to engineering systems, including disabling Secure Shell (SSH) protocol access.
- Threat Monitoring and Detection: Microsoft has implemented a two-year minimum retention period for security audit logs across production infrastructure and services, enabling more thorough monitoring and detection of threats.
- Accelerated Response and Remediation: By publishing Critical Cloud Vulnerabilities (CVEs) for transparency, Microsoft is ensuring rapid response and mitigation efforts, supported by the new Customer Security Management Office (CSMO).
Looking Ahead: A Continued Commitment to Security
Microsoft’s progress reflects the massive scale and resources behind SFI, but this is just the beginning. By continuing to evolve and collaborate with the industry, Microsoft reaffirms its commitment to cybersecurity. As a major supporter of the United States Cybersecurity and Infrastructure Security Agency’s (CISA) Secure by Design pledge, Microsoft is embedding security into every facet of its products and services.
The journey of securing the digital future is ongoing, and Microsoft remains committed