Towards an Intelligent Security Strategy for the Future: A Microsoft Drive to Enable a Secure Future for Customers and Globally Distributed Computing
“Satya Nadella, Rajesh Jha, Scott Guthrie, and I have put significant thought into how we should respond to the increasingly more sophisticated threats,” explains Charlie Bell, head of Microsoft security, in an internal memo distributed today. “To this end, we have committed to three specific engineering advances we are taking on our journey of continually improving the built-in security of our products and platforms. We call these advances the Secure Future Initiative. Security for customers is improved by them in the near term and against threats that will increase in the future.”
This AI push for security won’t be limited to software development at Microsoft, either. “As a company, we are committed to building an AI-based cyber shield that will protect customers and countries around the world,” explains Brad Smith, Microsoft vice chair and president, in a blog post today. “AI is a game changer. While threat actors seek to hide their threats like a needle in a vast haystack of data, AI increasingly makes it possible to find the right needle even in a sea of needles. With the global network of data centers, we will be able to use artificial intelligence to detect threats as fast as the internet itself.”
In the near future, Microsoft will use automation and artificial intelligence to improve the security of its cloud services, cut the time it takes to fix cloud vulnerabilities, and fortify its infrastructure to protect against encryption keys falling into the wrong hands.
Bell states in his memo that they plan to reduce the time it takes to mitigate cloud vulnerabilities by 50 percent. “We’re in a great position to achieve this because of our investment and learnings.” Ninety days is the typical industry window for security fixes, so if Microsoft can reliably cut that to 45 days, then that’s a great start to this new security initiative.
“To stay ahead of bad actors, we are moving identity platforms to confidential computing infrastructure that we helped pioneer,” says Bell. Data governing identities is locked up at rest and in transit as well as during computation. The key data is designed to be unreadable, so it can’t be accessed from within the automated systems that operate without humans.
Microsoft wants to improve security defaults. Smith says they will enable more secure default settings over the next year. “This will expand our current default policies to a wider band of customer services, with a focus on where customers need this protection the most.”
In September, cybersecurity research firm Wiz disclosed that 38TB of data had accidentally been exposed by Microsoft AI researchers thanks to an Azure feature called SAS tokens. According to the researchers at the time, account SAS tokens were very difficult to manage. Hopefully, Microsoft is looking at SAS tokens as well, since its security initiative doesn’t mention them.
Smith calls on states to “recognize cloud services as critical infrastructure, with protection against attack under international law” and for greater accountability for nation-states involved in undermining cloud security. Smith recommends that all states commit to not planting software vulnerabilities in critical infrastructure providers such as energy, water, food, medical care or other providers. They should also commit not to permit anyone within their territory or jurisdiction to engage in cyber criminal operations that target critical infrastructure.