After multiple outages and breaches, Microsoft links executive compensation to security

A PC with Windows 11.

It’s been a bad few years for Microsoft’s security and privacy efforts. Incorrectly configured endpoints, fraudulent security certificates, and weak passwords have all caused or risked exposure of sensitive data, and Microsoft has been criticized by security researchers, US legislators, and regulatory authorities for how it responded to and disclosed these threats.

The most high-profile of these breaches involved a China-based hacking group called Storm-0558, which breached Microsoft’s Azure service in mid-2023 and collected data for over a month before being discovered and evicted. After months of uncertainty, Microsoft announced that Storm-0558 had gained access to an engineer’s account through a series of security flaws, which allowed the group to collect data from 25 of Microsoft’s Azure customers, including US federal agencies.

In January, Microsoft announced that another breach had occurred, this time by the Russian state-sponsored hacker group Midnight Blizzard. The group managed to “compromise a legacy, non-production test tenant account” to gain access to Microsoft’s systems “for up to two months.”

All of this culminated in a report (PDF) from the US Cyber Safety Review Board, which castigated Microsoft for its “inadequate” security culture, its “inaccurate public statements,” and its response to “preventable” security breaches.

To try to change things, Microsoft announced what it called the “Secure Future Initiative” (SFI) in November 2023. As part of this initiative, Microsoft today announced a number of plans and changes to its security practices, including some changes that have already been made.

“We are making security our top priority at Microsoft, above all else – above all other features,” wrote Microsoft Security Executive Vice President Charlie Bell. “We are expanding the scope of SFI to incorporate the CSRB’s recent recommendations and our insights from Midnight Blizzard to ensure our cybersecurity approach remains robust and adaptable to the evolving threat landscape.”

As part of these changes, Microsoft will also base its senior leadership team’s compensation in part on whether the company “achieves our security plans and milestones,” although Bell did not specify how much executive compensation would be contingent on achieving those security goals.

Microsoft’s post describes three security principles (“Secure by Design,” “Secure by Default,” and “Secure Operations”) and six “security pillars” that are intended to address various vulnerabilities in Microsoft’s systems and development practices. Among other things, the company plans to secure 100 percent of all user accounts with “securely managed, phishing-resistant multifactor authentication,” enforce least-privilege access for all applications and user accounts, improve network monitoring and isolation, and retain all system security logs for at least two years. Microsoft also plans to assign new deputy chief information security officers to various development teams to track their progress and report to the leadership team and board.

As for specific fixes that Microsoft has already implemented, Bell writes that Microsoft is “implementing automatic enforcement of multifactor authentication by default across more than 1 million Microsoft Entra ID tenants within Microsoft,” has eliminated 730,000 old and/or insecure apps “to date across production and corporate tenants,” has expanded its security logging, and has adopted the Common Weakness Enumeration (CWE) standard for its security disclosures.

In addition to Bell’s public security pledge, The Verge has obtained and published an internal memo from Microsoft CEO Satya Nadella that reinforces the company’s publicly stated commitment to security. Nadella also says that improving security should take priority over adding new features, which may affect the constant stream of tweaks and changes that Microsoft releases for Windows 11 and other software.

“The Department of Homeland Security’s Cyber Safety Review Board (CSRB)’s recent findings on the summer 2023 Storm-0558 cyberattack underscore the severity of the threats facing our company and our customers and our responsibility to defend against increasingly sophisticated threat actors,” writes Nadella. “If you are faced with the trade-off between security and another priority, your answer is clear: Make it safe. In some cases, this means we need to prioritize security over other things, such as releasing new features or providing ongoing support for legacy systems.”
