In November 2023, we introduced the Secure Future Initiative (SFI) to advance the cybersecurity protections of Microsoft, our customers, and the industry. In May 2024, we expanded the initiative to focus on six key security pillars, incorporating industry feedback and our own insights. Since the initiative’s inception, we’ve dedicated the equivalent of 34,000 full-time engineers to the Secure Future Initiative—making it the largest cybersecurity engineering effort in history. Now, we’re sharing key updates and milestones from the first Secure Future Initiative Progress Report.
Focus on security above all else
At Microsoft, we recognize our unique responsibility to protect the future of our customers and our community. As a result, everyone at Microsoft plays a pivotal role in “Putting Security First.” We’ve made significant progress in strengthening our security-first culture. Some key updates include:
To improve governance, we announced the creation of a new Cybersecurity Governance Council and the appointment of VPs of Information Security (CISOs) for key security functions and all engineering divisions. Led by our Chief Information Security Officer Igor Tsyganskiy, VPs of Information Security form the Cybersecurity Governance Council and are responsible for the company’s overall cyber risk, defense, and compliance.
Security is now a core priority for all employees at Microsoft and will be included in their performance reviews. This will empower every employee and manager to commit to prioritizing and taking responsibility for security, and gives us a way to recognize employee contributions to SFI and celebrate impact.
We launched the Security Skills Academy, a personalized learning experience with specific security training for all employees worldwide. The academy ensures that, regardless of role, employees are equipped to prioritize security in their daily work and identify the direct role they play in securing Microsoft.
To ensure accountability and transparency at the highest levels, Microsoft’s senior leadership team reviews SFI progress weekly and updates are provided to the Microsoft Board of Directors quarterly. Additionally, Microsoft's senior leadership team now has security performance directly tied to compensation.
Highlights: A Comprehensive Approach to Cybersecurity
We’ve also made progress across our six core pillars, each of which represents a critical area of focus for cybersecurity. These pillars guide our ongoing work to advance security across Microsoft and help us meet the evolving demands of the security landscape. Here are the latest updates across these areas:
Protecting identities and secrets: We completed updates to Microsoft Entra ID and Microsoft Account (MSA) for our public and U.S. government clouds to automatically generate, store, and rotate access token signing keys using the Azure Managed Hardware Security Module (HSM) service. We continued to drive broad adoption of our standard identity SDKs, which provide consistent verification of security tokens. This unified verification now covers more than 73% of tokens issued by Microsoft Entra ID for Microsoft-owned applications. We expanded unified security token enrollment in our standard identity SDKs to support threat hunting, detection, and enablement in many critical services ahead of broad adoption. We completed enforcement of phishing-resistant credentials in our production environments and implemented video-based user verification for 95% of internal Microsoft users in our production environments to eliminate password sharing during setup and recovery.
Tenant protection and production system isolation: We completed a full application lifecycle management iteration for all of our production and productivity tenants, eliminating 730,000 unused applications. We eliminated 5.75 million inactive tenants, significantly reducing the potential cyberattack surface. We implemented a new system to simplify the creation of test and experiment tenants while enforcing secure defaults and strict lifetime management. We deployed over 15,000 new production-ready locked-down devices in the past three months.
Network protection: Over 99% of physical assets on the production network are registered in a central inventory system, enriching asset inventory with ownership tracking and firmware compliance. Backhaul virtual networks are isolated from the Microsoft corporate network and undergo full security audits to limit lateral movement. To help customers secure their deployments, we expanded platform capabilities such as admin rules to facilitate network isolation for Platform as a Service (PaaS) resources such as Azure Storage, SQL, Cosmos DB, and Key Vault.
Protecting engineering systems: 85% of our production pipelines for commercial cloud now use centrally governed pipeline templates, making deployments more consistent, efficient, and trustworthy. We’ve reduced the lifetime of personal access tokens to seven days, disabled Secure Shell (SSH) access for all internal Microsoft engineering repositories, and significantly reduced the number of elevated roles that can access engineering systems. We’ve also implemented proof-of-presence checks for critical choke points in our software development code flow.
Monitoring and detecting threats: We’ve made significant progress in enforcing that all Microsoft production infrastructure and services adopt standard libraries for security audit logs, ensuring that relevant telemetry is emitted and that logs are retained for a minimum of two years. For example, we’ve implemented centralized management and a two-year retention period for identity infrastructure security audit logs, which include all security audit events throughout the lifecycle of existing signing keys. Similarly, more than 99% of network devices are now enabled to centrally collect and retain security logs.
Accelerate response and remediation: We’ve updated processes across Microsoft to improve mitigation time for critical vulnerabilities in the cloud. We’ve begun publishing critical vulnerabilities in the cloud as Common Vulnerabilities and Exposures (CVEs), even if no customer action is required, to improve transparency. We’ve created a Customer Security Management Office (CSMO) to improve public messaging and customer engagement around security incidents.
Emphasizing our security commitment
In security, continuous improvement is more important than “perfection,” and this is reflected in the amount of resources we have mobilized to achieve our SFI goals. The collective work we do to continually increase protection, eliminate outdated or non-compliant assets, and identify remaining systems for monitoring is a definitive measure of our success. As we look to the future, we remain committed to continuous improvement. SFI will continue to evolve, adapt to new cyber threats, and refine our security practices. Our commitment to transparency and collaboration with the industry remains steadfast. Earlier in 2024, Microsoft became a major supporter of the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) Secure by Design pledge, reinforcing our dedication to embedding security in every aspect of our products and services. Additionally, we continue to incorporate recommendations from the Cyber Safety Review Board (CSRB) to strengthen our approach to cybersecurity and build resilience.
The work we’ve done so far is just the beginning. We know that cyber threats will continue to evolve, and we must evolve with them. By fostering a culture of continuous learning and improvement, we’re building a future where security is not just a feature, it’s the foundation.