Microsoft SFI update: Five of 28 security objectives nearly complete
Some of the achievements this latest progress report notes include:
- Microsoft has filled the Deputy CISO for Business Applications post (which includes Windows, Microsoft 365 and Office);
- all 14 Deputy CISOs have completed a comprehensive risk inventory of their platform and function, aligning risks to current threat intelligence and product domains;
- recently, the company launched a Secure by Design UX Toolkit for Microsoft developers, to improve user experience (UX) and security integration in all products. There’s also a customer-facing version. The toolkit has been deployed to 22,000 employees, embedding security best practices in product development and ensuring product interfaces are designed to be intuitive, non-intrusive, and help protect customer data;
- Azure launched a fraud prevention feature that requires multi-factor authentication (MFA) for logging into the Azure Portal, to prevent abuse by unauthorized parties. This adds to the October 2024 implementation of mandatory multifactor authentication for the Microsoft Azure portal, Microsoft Entra admin center, and Microsoft Intune admin center;
- MFA enforcement for all Microsoft 365 admin center users is being rolled out. Additionally, there’s a new AI administrator role for efficient administration of Microsoft 365 Copilot and enterprise AI services without the extensive permissions required for the global admin role;
- 90% of identity tokens from Microsoft Entra ID for Microsoft apps are validated using one standard identity SDK, which provides a consistent and hardened implementation, improving security;
- phishing-resistant MFA now protects 100% of Microsoft production system accounts and 82% of employee productivity accounts. Additionally, more than 19 million resources in Microsoft Azure now adhere to Microsoft’s safe secrets standard;
- on March 26, Microsoft launched a new sign-in experience for more than 1 billion users. By the end of this month, most Microsoft account users will see updated sign-in and sign-up user experience flows for web and mobile apps. This new user experience is optimized for a passwordless and passkey-first experience. Microsoft is also updating the account sign-in logic to make passkey the default sign-in choice whenever possible;
- more than 97% of Microsoft’s production infrastructure assets have been inventoried and are being tracked. In addition, 99% of network devices and more than 95% of nodes/machines have central security log collection with a two-year retention policy enforced.
The Microsoft Secure Future Initiative (SFI) is, the company said, a multiyear effort to “revolutionize the way we design, build, test, and operate our products and services, to achieve the highest security standards.” Some objectives will take several years to complete. Others, like work on post-quantum cryptography and the orderly sunsetting of cryptographic techniques as they age, will take much longer.
The company calls SFI “the largest cybersecurity engineering project in history.” Goals are aligned with the security principles of Secure by Design, Secure by Default, and Secure Operations.