![Microsoft committed to making its work secure by design, secure by default, and secure in operations [File]](https://th-i.thgim.com/public/incoming/xpj2ze/article68138291.ece/alternates/LANDSCAPE_1200/2024-05-02T045409Z_2099609357_RC23B6ACT3AD_RTRMADP_3_MICROSOFT-MALAYSIA.JPG "Microsoft committed to making its work secure by design, secure by default, and secure in operations [File]")
Microsoft is telling its employees that security is “job number one” and will become the company’s “top priority,” with the direction coming after a Cyber Safety Review Board report strongly criticised Microsoft’s security operations over the Storm-0558 cloud breach.
In a blog post authored by Charlie Bell, Executive Vice President at Microsoft Security, the company acknowledged threats from the Storm-0558 cyberattack last year and the Midnight Blizzard attack it later reported in January, though it avoided directly mentioning what the board called its “failures.”
Microsoft committed to making its work secure by design, secure by default, and secure in operations when moving forward, and said its principles aligned with the federal board’s own security recommendations.
“If you’re faced with the tradeoff between security and another priority, your answer is clear: Do security. In some cases, this will mean prioritizing security above other things we do, such as releasing new features or providing ongoing support for legacy systems,” said Microsoft chief Satya Nadella in a memo to employees, reported The Verge outlet.
(For top technology news of the day, subscribe to our tech newsletter Today’s Cache)
In the official blog post shared on its website, Microsoft said it would take steps to protect identities and secrets, protect tenants and isolate production systems, protect networks and engineering systems, monitor and detect threats, and accelerate response and remediation.
Microsoft also said it had so far removed 7,30,000 apps across production and corporate tenants that were out-of-lifecycle or not meeting current SFI standards.
The Cyber Safety Review Board report looked into the Storm-0558 hacking group associated with the Chinese regime, and the way it accessed the official email accounts of senior U.S. government officials.
“The Board finds that this intrusion was preventable and should never have occurred. The Board also concludes that Microsoft’s security culture was inadequate and requires an overhaul, particularly in light of the company’s centrality in the technology ecosystem and the level of trust customers place in the company to protect their data and operations,” said the CSRB report in March.
It added that Microsoft teams should deprioritise feature developments for cloud and product suites until “substantial security improvements” had been made, coming as a blow to the reputation of the tech giant known for its legacy systems as well as its recent advancements in generative AI.
