The Cloud Consultancy Europe Ltd.
+44 (0) 203 637 6667 [email protected]

In response to a spate of embarrassing hacks, Redmond pushes ‘Secure Future Initiative’ promising faster cloud patches, better management of identity signing keys and products with a higher default security bar.

In a move that resembles the famous Trustworthy Computing push of yesteryear, Redmond is responding to a spate of embarrassing hacks with a new ‘Secure Future Initiative’ promising faster cloud patches, better management of identity signing keys and a commitment to ship software with a higher default security bar.

In a note announcing the new SFI approach, Microsoft Security vice president Charlie Bell said the software giant will revamp the age-old Software Development Lifecycle (SDL) to account for the latest trends in cyberattacks.

“The first priority is security by default,” Bell said, echoing the words of Microsoft founder Bill Gates in the seminal 2002 memo that documented the company’s mission to root out security problems that were leading to destructive Windows worm attacks.

Today, Microsoft is reeling from a major hack of its flagship M365 cloud platform, a compromise that led to the theft of U.S. government emails and prompted a U.S. senator to accuse Microsoft of “cybersecurity negligence.”

The M365 hack, caused by an embarrassing mismanagement of signing keys, is being investigated by the Department of Homeland Security’s Cyber Safety Review Board (CSRB).

“We have carefully considered what we see across Microsoft and what we have heard from customers, governments, and partners to identify our greatest opportunities to impact the future of security. We will focus on transforming software development, implementing new identity protections, and driving faster vulnerability response,” Bell said.

More specifically, Microsoft plans to move identity signing keys to an integrated, hardened Azure HSM and confidential computing infrastructure, where the signing keys are encrypted not only at rest and in transit but also while in use during computation.

Source: Security Week. By: Ryan Naraine