Microsoft initiative in response to CSRB

Microsoft has outlined initiatives designed to enhance the company’s cybersecurity posture.

Microsoft's initiative responds to a CSRB assessment that was prompted by a high-profile breach in which China-linked hackers compromised Microsoft’s Exchange Online email service. The CSRB found the company had a “corporate culture that deprioritized enterprise security” and was “at odds with the company’s centrality in the technology ecosystem.”

The CSRB recommended that Microsoft develop a plan to improve its breach prevention procedures and make the plan publicly available. The initiative the company detailed today addresses that recommendation.

Microsoft employees have been informed about the initiative and the priority it gives to security through an internal memo from the company's CEO.

The initiative revolves around three “security principles” and six “prioritized security pillars.”

The three security principles outline the effort’s high-level framework. The first principle states that “security comes first when designing any product or service.” The other two specify that Microsoft’s cybersecurity measures will be enabled by default, won’t require extra effort to use, and will be continuously improved over time.

The cybersecurity plan’s six prioritized security pillars, in turn, outline a more detailed set of steps Microsoft will take to reduce the risk of breaches.

The first pillar covers secrets, a term that includes files such as encryption keys, as well as the data and systems Microsoft leverages to manage users’ access to applications. The second pillar in the set outlines a series of steps Microsoft will take to prevent hackers from accessing its products’ source code.

The plan’s next two pillars cover the security of the company’s networks, production environments and customers’ deployments of its products. Microsoft’s efforts in this area will place a particular emphasis on isolating different systems from one another to ensure hackers can’t spread malware between them.

The final two pillars of the plan focus on streamlining the way the company detects and responds to cybersecurity risks. As part of the push, Microsoft will retain security logs from its systems for at least two years to support breach investigations. In conjunction, the company plans to increase the speed at which it mitigates vulnerabilities discovered by employees and third-party researchers.
