
Microsoft cleans up its cloud systems

Company removes hundreds of thousands of unused apps and millions of inactive tenants



Microsoft is cleaning up its cloud environment to shrink its attack surface and reduce the risk of leaks, vulnerabilities, exploits, and attacks. This is not a moment too soon, as the company has been badly caught out by attackers several times recently. Under the banner of the Secure Future Initiative, 730,000 unused apps and 5.75 million inactive tenants have now been removed from its cloud systems.

The company has also deployed 15,000 locked-down devices for its production teams and instituted video-based identity verification for nearly all staff (95 percent). In addition, Microsoft has hardened Entra ID (its identity management service, formerly Azure Active Directory) and the processes behind Microsoft Account that authenticate users, says Charlie Bell, executive vice president of security at the company, in an update on the progress of the Secure Future Initiative (SFI).

Other measures Microsoft has taken include putting all test and experimentation tenants under a lifecycle management system with secure default settings and expiry dates, so that forgotten environments are shut down rather than left exposed. Meanwhile, the Azure Managed Hardware Security Module (HSM) now generates the signing keys for access tokens automatically and rotates them regularly, so that a key never leaves the HSM and a stolen or leaked key has a limited lifetime.

Logging improved

Microsoft now also requires standard security audit logging libraries across its production infrastructure. This ensures that relevant telemetry is kept for at least two years. Also, almost all of the company’s network devices now ship security logs to a central collection and storage system, which is meant to simplify threat detection.

The SFI has six pillars: protecting identities and secrets, isolating production systems, improving network security, protecting development environments, threat detection, and improving incident response (plus faster remediation if things do go wrong). Attacks by Russian and Chinese state-backed hackers on Microsoft environments last year prompted these improvements.


Last November, the Russian state-backed group Midnight Blizzard managed to access the mail accounts of key individuals within Microsoft. Earlier that year, the Chinese hacker group Storm-0558 got into Microsoft systems as well. By obtaining an important Microsoft signing key, the attackers could read the mailboxes of U.S. and European decision-makers for up to six weeks. Among those affected in the U.S. were Commerce Secretary Gina Raimondo and R. Nicholas Burns, the U.S. Ambassador to China.

‘Cascade of errors’

The cause in the latter case was a stolen Microsoft Account (MSA) consumer signing key combined with a token validation flaw in GetAccessTokenForResourceAPI: the API accepted tokens signed with that consumer key as valid for enterprise Azure Active Directory applications (now Entra ID), so the attackers could forge tokens for any tenant. The mailboxes were reached through Outlook Web Access (OWA) and Outlook.com. According to the U.S. Cyber Safety Review Board (CSRB), this downright embarrassing hack involved a ‘cascade of errors’ on Microsoft’s part.
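The two technical points above, key rotation from the HSM and the token validation mistake behind Storm-0558, can be shown together in a small token verifier. The following is an added illustration, not Microsoft’s code and not a description of its real token format: it uses HMAC secrets in place of the RSA keys a production identity provider publishes, and the issuer names, key IDs, audiences and secrets are all constructed for the example. The vulnerable `verify_naive` looks a key ID up across every key ring, so a token signed with the consumer key is accepted for an enterprise audience; `verify_strict` only consults the key ring bound to the audience it is validating for and also checks the `iss` claim. `rotate_key` shows why regular rotation limits the damage from a stolen key: once the old key ID is retired, tokens signed with it stop validating.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed toy key rings (one per issuer). Real identity providers use
# asymmetric keys published via JWKS; HMAC keeps this example self-contained.
KEY_RINGS = {
    "consumer": {"msa-2023-04": b"consumer-secret-1"},
    "enterprise": {"aad-2023-05": b"enterprise-secret-1"},
}
# Which issuer is allowed to sign tokens for which audience (assumed mapping).
AUDIENCE_ISSUER = {"outlook.com": "consumer", "exchange-online-tenant": "enterprise"}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(rings, issuer, kid, claims):
    """Build a compact header.payload.signature token signed with rings[issuer][kid]."""
    secret = rings[issuer][kid]
    header = _b64(json.dumps({"alg": "HS256", "kid": kid}).encode())
    payload = _b64(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"


def _split(token):
    header, payload, sig = token.split(".")
    signed = f"{header}.{payload}".encode()
    return json.loads(_unb64(header)), json.loads(_unb64(payload)), _unb64(sig), signed


def _sig_ok(secret, signed, sig):
    return hmac.compare_digest(hmac.new(secret, signed, hashlib.sha256).digest(), sig)


def verify_naive(rings, token, expected_aud, now=None):
    """Vulnerable pattern: the kid is resolved across every key ring, so a key that
    belongs to one issuer is trusted for another issuer's audiences."""
    now = time.time() if now is None else now
    header, claims, sig, signed = _split(token)
    for ring in rings.values():
        secret = ring.get(header["kid"])
        if secret is not None and _sig_ok(secret, signed, sig):
            return claims.get("aud") == expected_aud and claims.get("exp", 0) > now
    return False


def verify_strict(rings, token, expected_aud, now=None):
    """Hardened: only the key ring of the issuer bound to this audience is consulted,
    and the token's own iss claim must agree with that issuer."""
    now = time.time() if now is None else now
    header, claims, sig, signed = _split(token)
    issuer = AUDIENCE_ISSUER.get(expected_aud)
    secret = rings.get(issuer, {}).get(header["kid"])
    if secret is None or not _sig_ok(secret, signed, sig):
        return False
    return (claims.get("iss") == issuer
            and claims.get("aud") == expected_aud
            and claims.get("exp", 0) > now)


def rotate_key(rings, issuer, new_kid, new_secret, retire_kid):
    """Publish a fresh key and retire the old one so tokens it signed stop validating."""
    rings[issuer][new_kid] = new_secret
    rings[issuer].pop(retire_kid, None)


def demo():
    rings = {issuer: dict(ring) for issuer, ring in KEY_RINGS.items()}  # private copy
    now = time.time()
    aud = "exchange-online-tenant"
    # Attacker holds the consumer key and forges an enterprise-audience token
    # with a lying iss claim, the Storm-0558 pattern.
    forged = mint_token(rings, "consumer", "msa-2023-04",
                        {"iss": "enterprise", "aud": aud, "sub": "victim", "exp": now + 3600})
    legit = mint_token(rings, "enterprise", "aad-2023-05",
                       {"iss": "enterprise", "aud": aud, "sub": "user", "exp": now + 3600})
    results = {
        "naive_accepts_forged": verify_naive(rings, forged, aud, now),
        "strict_rejects_forged": not verify_strict(rings, forged, aud, now),
        "strict_accepts_legit": verify_strict(rings, legit, aud, now),
    }
    rotate_key(rings, "enterprise", "aad-2023-06", b"enterprise-secret-2", "aad-2023-05")
    results["old_key_rejected_after_rotation"] = not verify_strict(rings, legit, aud, now)
    return results


if __name__ == "__main__":
    for check, passed in demo().items():
        print(f"{check}: {'ok' if passed else 'FAIL'}")
```

The fix is not cryptographic: the forged token has a perfectly valid signature. What `verify_strict` adds is binding the key to the issuer and the issuer to the audience, which is the check the CSRB found missing, and rotation ensures that even a correctly bound key is only useful to a thief until the next rotation.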

The company allegedly had an ‘inadequate security culture,’ ignored best practices, and mostly prioritized performance and uptime over security. The company also did not correct key errors in published blogs or did so very late. For example, only at the urging of the CSRB did Microsoft correct descriptions of important details about the attack.
