Microsoft Secure Future Initiative
We’re continuously applying what we’ve learned from security incidents to improve our methods and practices. Three principles anchor our approach to the Secure Future Initiative (SFI).
Secure by design
Security comes first when designing any product or service.
Secure by default
Security protections are enabled and enforced by default, require no extra effort, and aren’t optional.
Secure operations
Security controls and monitoring will be continuously improved to meet current and future threats.
SFI pillars
We’re expanding the scope of the SFI to help our customers and community amidst the fast-changing threat landscape.
Protect identities and secrets
Reduce the risk of unauthorized access by implementing and enforcing best-in-class standards across all identity and secrets infrastructure, and user and application authentication and authorization.
Increased protection for sign-in credentials
Intruders don’t break in, they sign in. See how we're ensuring that our keys remain out of reach.
Automatic multifactor authentication
Find out how Microsoft led the way in consumer identity by providing multifactor authentication enabled by default along with risk-based challenges.
Protect tenants and isolate production systems
Protect all Microsoft tenants and production environments using consistent, best-in-class security practices and strict isolation to minimize breadth of impact.
Meeting industry standards for cloud security
Read about the standardized security baselines for Azure products that meet Center for Internet Security (CIS) and National Institute of Standards and Technology (NIST) standards.
A more secure cloud by default
We enabled security defaults for 20 million customers on free tenants—94% of customers keep these protective measures in place.
Protect networks
Protect Microsoft production networks and implement network isolation of Microsoft and customer resources.
Segmentation and role-based access
Learn how to build a unified segmentation strategy using perimeters and isolation boundaries in workloads.
Protect engineering systems
Protect software assets and continuously improve code security through governance of the software supply chain and engineering systems infrastructure.
Lessons from our transition to Zero Trust
Secure access to source code and engineering systems infrastructure through Zero Trust and least-privileged access policies.
Build and maintain inventory for all software assets
Build and maintain the inventory for all software assets used to deploy and operate production environments.
Monitor and detect threats
Comprehensive coverage and automatic detection of threats to Microsoft production infrastructure and services.
Read about our red, blue, and green teams
See how MORSE members effectively address security threats, repair broken code, and identify potential attack paths before a breach can happen.
See how security researchers help Microsoft
Find out how researchers who discover a vulnerability in a Microsoft product, service, or device can receive a Bug Bounty award from Microsoft.
Accelerate response and remediation
Prevent exploitation of vulnerabilities discovered by external and internal entities through comprehensive and timely remediation.
Read real-time incident updates
We practice coordinated vulnerability disclosure with the research community—with no nondisclosure agreement required. Read real-time updates on known vulnerabilities.
Meet our digital defense team
Read the latest cybersecurity and threat intelligence trends and get reports with insights and recommendations.
Get the 2023 Microsoft Digital Defense Report
See our latest findings on the threat landscape evolution and opportunities for Microsoft and our customers to secure a resilient online ecosystem.
Foundations of SFI
Successful business operations or change management is predicated on people, process, and technology working in harmony. These are the foundations of SFI.
Continuous security improvement
The SFI empowers all of Microsoft to implement the needed changes to deliver security first. Our company culture is based on a growth mindset that fosters an ethos of continuous improvement.
Paved paths and standards
Paved paths are best practices from our learned experiences, drawing upon lessons such as how to optimize productivity of our software development and operations, how to achieve compliance, and how to eliminate entire categories of vulnerabilities and mitigate related risks.
Security-first culture
Culture can only be reinforced through our daily behaviors. The engineering executive vice presidents are also holding broadscale, weekly and monthly operational meetings that include all levels of management and senior individual contributors. Through this process of bottom-to-top, end-to-end problem solving, security thinking is ingrained in our daily behaviors.
Security governance
Microsoft is implementing a new security governance framework, spearheaded by the Chief Information Security Officer (CISO). This framework introduces a partnership between engineering teams and newly formed Deputy CISOs, collectively responsible for overseeing the SFI, managing risks, and reporting progress directly to Microsoft’s Senior Leadership Team. Progress will be reviewed weekly with this executive forum and quarterly with our Board of Directors.
Get SFI updates
Our progress so far
Learn about the tangible steps we’re taking to implement the SFI and accelerate our progress.
See how we’re using AI
Discover the ways we’re transforming software development with automation and AI.
Learn about the evolving threat landscape
SFI brings every part of Microsoft together to advance cybersecurity protection in this deep-dive.
See where the SFI started
Revisit our initial announcement about the SFI in this memo from Charlie Bell.