In November 2023, Microsoft launched its Secure Future Initiative (SFI), a comprehensive effort to strengthen cybersecurity protections for the company, its customers, and the broader industry. In May 2024, we expanded SFI’s scope to six critical security pillars, incorporating best practices and lessons learned from our own experience. To deliver on it, we have committed the equivalent of 34,000 full-time engineers to SFI, making it the largest cybersecurity engineering effort in history. As part of our ongoing commitment to transparency, we are pleased to share key developments and achievements from our inaugural SFI Progress Report.
Security comes first in everything we do.
At Microsoft, we recognize our unique responsibility to help secure a safer future for our customers and the community. Every individual at Microsoft plays a role in that collective success. By adopting a security-first mindset, we have reached significant milestones in raising the company’s security standards, including the following:
- To strengthen governance, we established security-focused committees spanning key security functions and every engineering discipline, ensuring effective oversight and decision-making. Led by CISO Igor Tsyganskiy, the Deputy CISOs jointly head the Cybersecurity Governance Council, which oversees the company’s overall cybersecurity posture, risk mitigation, and regulatory compliance.
- Security is now a core priority for all Microsoft employees and is factored into performance reviews. This lets every employee and manager prioritize security concerns and take ownership of their responsibilities, while also providing a way to formally recognize individual contributions to the Secure Future Initiative and strengthen morale.
- We introduced a tailored learning platform, the Academy, which offers bespoke, security-focused training to every employee worldwide. The Academy puts security at the center of each employee’s daily work, regardless of function, empowering them to own their part in keeping Microsoft secure and drawing a direct line between individual responsibilities and organizational success.
- To ensure accountability and transparency at every level, Microsoft’s senior leadership team reviews SFI progress every week and updates the company’s Board of Directors every quarter, keeping communication and alignment with overall strategic objectives continuous.
Security pillar highlights: A comprehensive approach to safeguarding digital assets
Across our six core pillars, we have made significant advances in each critical area of cybersecurity focus, demonstrating the depth and breadth of our comprehensive strategy. Recent progress includes the following:
- To protect identities and secrets, we updated Microsoft Entra ID and Microsoft Account (MSA) in our public and US government clouds so that access token signing keys are generated, stored, and automatically rotated using the Azure Managed Hardware Security Module (HSM) service. We drove broad adoption of our standard identity software development kits (SDKs), which provide consistent validation of security tokens; this standardized validation now covers more than 73% of the tokens issued by Microsoft Entra ID for Microsoft-owned applications. We added standardized security token logging to our widely used identity SDKs to support advanced risk detection and mitigation, and have already deployed it across multiple critical applications ahead of broader adoption. We completed the rollout of phishing-resistant credentials and now enforce their use across our production environments. Additionally, through video-based user verification, we reached a 95% adoption rate among internal Microsoft users in our productivity environments, eliminating password sharing during setup and recovery.
- To protect tenants and isolate production systems, we completed a full application lifecycle management process for all production and productivity tenants, removing 730,000 unused applications. We removed approximately 5.75 million inactive accounts from our tenants, significantly reducing the attack surface and the risk of compromise. We introduced a new system for creating test and experimentation environments with secure default settings and strict lifetime management controls. In the past quarter, we deployed more than 15,000 new, fully secured, locked-down production devices.
- More than 99% of physical assets on the production network are recorded in a central inventory system, improving asset visibility through ownership tracking and firmware compliance monitoring. Virtual networks with backend connectivity are isolated from the Microsoft corporate network and subject to rigorous security reviews to limit lateral movement. To help customers secure and manage their own deployments, we expanded the platform’s capabilities with Admin Guidelines that simplify isolating Platform as a Service (PaaS) resources such as Azure Storage, SQL, Cosmos DB, and Key Vault.
- Around 85% of our production builds in the commercial cloud use centrally governed, standardized pipeline templates, leading to more consistent, efficient, and trustworthy deployments. To tighten engineering-system security, we reduced the lifetime of Personal Access Tokens to seven days, disabled Secure Shell (SSH) access to all Microsoft internal engineering repositories, and substantially reduced the number of elevated roles that grant access to engineering systems. We also introduced proof-of-presence checks at critical chokepoints in our software development process.
- We made significant progress in requiring all Microsoft production infrastructure and services to adopt standard libraries for security audit logs, ensuring the relevant telemetry is emitted and that logs are retained for at least two years. Central management now governs identity infrastructure security audit logs, requiring a two-year retention period that covers all security audit events across the lifecycle of currently active signing keys. More than 99% of network devices now have centralized security log collection and retention enabled.
- To accelerate the remediation of critical cloud vulnerabilities, we standardized and streamlined processes across Microsoft to reduce Time to Mitigate. For greater transparency, we publicly disclose critical cloud vulnerabilities as Common Vulnerabilities and Exposures (CVEs), including cases where no customer action is required. To strengthen customer trust, we created the Customer Security Management Office (CSMO), which focuses on public messaging and customer engagement so that security incidents are addressed and mitigated promptly.
Reaffirming our security commitment
Consistent progress on security matters more than perfection, and that is reflected in the breadth of resources we have marshaled to meet our SFI goals. By consolidating our efforts to continually improve security protections, eliminate legacy or non-compliant assets, and strengthen the processes for tracking progress, we are measuring the effectiveness of our collective work. Looking ahead, our commitment to continuous improvement is unwavering: as SFI progresses, it will evolve to counter emerging cyber threats and further strengthen our security posture. We also remain committed to transparency and to collaborative partnerships. In early 2024, Microsoft reaffirmed its commitment to cybersecurity by joining the US Cybersecurity and Infrastructure Security Agency’s (CISA) initiative, pledging to integrate security across all aspects of our offerings. We also incorporate recommendations from the Cyber Safety Review Board to strengthen our cybersecurity posture against emerging threats.
The progress we have made so far is only the beginning. As cyberattacks continue to adapt and grow, we must remain proactive to stay ahead of these threats. By nurturing a culture of continuous learning and improvement, we are building a future in which security is both a hallmark and a foundation of everything we do.
SFI Progress Report
What key takeaways emerged from the inaugural SFI Progress Report’s milestones and achievements?
Learn more
To learn more about Microsoft Security solutions and stay informed on the latest cybersecurity developments, visit our website dedicated to Microsoft Security. Follow us on LinkedIn and X for the latest news and updates on cybersecurity.