Cybersecurity is likely one of the prime dangers going through companies. Organizations are struggling to navigate the ever-evolving cyberthreat panorama during which 600 million id assaults are carried out every day.1 The median time for a cyberattacker to entry non-public knowledge from phishing is 1 hour and 12 minutes, and nation-state cyberattacks are on the rise.2 Organizations additionally face unprecedented complexity, making safety jobs more durable—57% of organizations are utilizing greater than 40 safety instruments, which requires vital resourcing and energy to combine workflows and knowledge.3 These challenges are magnified by the worldwide safety expertise scarcity organizations are going through and there are greater than 4 million safety jobs unfilled worldwide, rising insider dangers, and the quickly evolving regulatory panorama at present.4 These cybersecurity challenges can’t solely improve vital enterprise disruptions, they will additionally create devastating financial damages—the price of cybercrime is predicted to develop at 15% 12 months over 12 months, reaching $15.6 trillion by 2029.5
In November 2023, to handle the evolution of the digital and regulatory panorama, and the unprecedented adjustments within the cyberthreat panorama, we introduced the Microsoft Safe Future Initiative. The Safe Future Initiative (SFI) is a multiyear effort to revolutionize the way in which we design, construct, take a look at, and function our services, to realize the very best safety requirements. SFI is our dedication to enhance Microsoft’s safety posture, thereby enhancing the safety posture of all our clients, and to work with governments and trade to enhance the safety posture of all the ecosystem.
Final 12 months, the Cybersecurity and Infrastructure Safety Company (CISA), by means of its “Safe by Design” pledge, known as on the expertise trade to prioritize safety at each stage of product improvement and deployment. This strategy of embedding cybersecurity in digital supply from the outset can also be mirrored in the UK’s Authorities’s Cyber Safety Technique in addition to within the Australian Cyber Safety Centre (ACSC)’s “Important Eight” mitigation methods to guard in opposition to cyberthreats. All through this weblog submit, the time period “Safe by Design” encompasses each “safe by design” and “safe by default.”
Microsoft dedicated to work in the direction of key objectives throughout a spectrum of Safe by Design rules advocated by quite a few authorities businesses world wide. These objectives goal to reinforce safety outcomes for purchasers by embedding strong cybersecurity practices all through the product lifecycle. We proceed to take our learnings, feed them again into our safety requirements, and operationalize these learnings as paved paths that may allow safe design and operations at scale. Our SFI updates present examples of Microsoft’s progress in implementing safe by design, safe by default, and safe in operations rules, and supply finest practices primarily based on Microsoft’s personal expertise, demonstrating our dedication to enhancing safety for purchasers.
Hold studying to be taught in regards to the initiatives Microsoft has undertaken over the previous 18 months to help safe by design goals as a part of our SFI initiative. It’s organized round our SFI rules to offer our clients and companions with an understanding of the strong safety measures we’re implementing to safeguard their digital environments.
Enhancing safety with multifactor authentication and default password administration
Phishing-resistant multifactor authentication gives essentially the most strong protection in opposition to password-based cyberattacks, together with credential stuffing and password theft. This contains selling multifactor authentication amongst clients, implementing it as a default requirement for entry, and collaborating in efforts to determine long-term requirements in authentication.
In October 2024, Microsoft carried out necessary multifactor authentication for the Microsoft Azure portal, Microsoft Entra admin middle, and Microsoft Intune admin middle. Since then, Microsoft has labored with our clients to cut back extensions and quickly advance multifactor authentication adoption. A key achievement is our progress in eliminating passwords throughout merchandise. Microsoft has launched enhancements to streamline authentication and enhance sign-in experiences, emphasizing usability and safety. Customers can now take away passwords from their accounts and use passkeys as an alternative, addressing vulnerabilities and stopping unauthorized entry.
On March 26, 2025, Microsoft launched a brand new sign-in expertise for greater than 1 billion customers. By the tip of April 2025, most Microsoft account customers will see up to date sign-in and sign-up consumer expertise flows for net and cell apps. This new consumer expertise is optimized for a passwordless and passkey-first expertise. Microsoft can also be updating the account sign-in logic to make passkey the default sign-in selection at any time when potential.
Further examples of Microsoft enhancing authentication and the way clients can be taught from Microsoft’s strategy and options embody:
Microsoft suggestions for organizations to get began deploying phishing-resistant passwordless authentication utilizing Microsoft Entra ID.
Safety defaults make it simpler to assist shield in opposition to identity-related cyberattacks like password spray, replay, and phishing widespread in at present’s environments. Study extra about preconfigured safety settings out there in Microsoft Entra ID.
Microsoft’s Conditional Entry makes use of identity-driven indicators as a part of entry management selections.
To assist forestall phishing, Microsoft added extra hardening to Home windows Good day, which is the multifactor authentication resolution built-in to Home windows. Home windows Good day has additionally been prolonged to help passkeys, that are an trade normal, and which we proceed to evolve. With Good day and passkeys, on Home windows, it means a lot of the net could be protected with multifactor authentication, and other people not want to decide on between a easy sign-in and a protected sign-in.
Find out how Microsoft is advancing decentralized id requirements and verifiable credentials.
Following GitHub’s April 2024 replace on a 12 months of progress in pushing multifactor authentication adoption, additional cohorts requiring multifactor authentication enablement have been rolled out previously 12 months. This effort continues to drive multifactor authentication utilization with virtually 50% of contributing GitHub customers having multifactor authentication enabled. Of these, greater than 38% of customers have two or extra strategies of two-factor authentication enabled and greater than 3.6 million customers have a passkey enabled on their account. Moreover, GitHub has pushed for finest practices in multifactor authentication strategies, and in November 2024 shipped enhancements to the administration of multifactor authentication settings for organizations and enterprises that enable the restriction of insecure strategies of multifactor authentication resembling textual content messaging.
Lowering complete courses of vulnerabilities
Most exploited vulnerabilities at present stem from sorts that may usually be mitigated on a big scale, resembling SQL injection, cross-site scripting, and reminiscence security language vulnerabilities. Governments goal to cut back these by encouraging corporations to undertake practices like eliminating authorization validation logic errors, enabling using memory-safe languages, creating safe firmware architectures, and implementing safe administrative protections. The purpose is to attenuate exploitation dangers by addressing systemic vulnerabilities at their root.
Our introduction of necessary use of the Microsoft Authentication Library (MSAL) throughout all Microsoft purposes helps be sure that superior id defenses, resembling token binding, steady entry analysis, and superior software assault detections, are constantly carried out. This standardizes safe authentication processes, making it considerably more durable for attackers to take advantage of identity-related vulnerabilities. MSAL allows builders to amass safety tokens from the Microsoft id platform to authenticate customers and entry secured net APIs.
Microsoft can also be dedicated to adopting memory-safe languages, resembling Rust, for growing new merchandise and transitioning current ones. This strategy addresses widespread vulnerabilities associated to reminiscence security. Microsoft is investing closely into protected language to reinforce the security of our code, and we’re making use of this new strategy to our safety platform and different key areas like Microsoft Floor and Pluton safety firmware.
In Home windows 11, we’ve utilized a safe by design technique from the very first line of code. We have now established a {Hardware} Safety Baseline, which helps to make sure each Home windows 11 PC has constant {hardware} safety forming a safe basis. Home windows 11 has safe by default settings and stronger controls for what apps and drivers are allowed to run. That is necessary as unverified apps and drivers result in malware and script assaults. And most malware and ransomware apps are unsigned, which suggests they are often authored and distributed with out being provably protected. For shoppers and smaller organizations, Good App Management is a brand new characteristic that makes use of cloud AI to allow thousands and thousands of identified protected apps to run, no matter the place you bought them. For bigger organizations, IT admins can layer on App Management for Enterprise insurance policies and deploy them utilizing Intune.
With Home windows powering enterprise vital options throughout all kinds of shoppers, we’re dedicated to serving to be sure that Home windows stays essentially the most safe and dependable platform. At Microsoft Ignite in 2024, we introduced the Home windows Resilience Initiative targeted on enhancing the safety and resilience of the Home windows working system. This includes implementing superior safety features, enhancing menace detection and response capabilities, and to assist be sure that Home windows can face up to and get well from cyberattacks. As a part of the Home windows Resilience Initiative, we’re working to guard in opposition to widespread cyberattacks along with strengthening id safety talked about above.
As a part of this we’re addressing the long-standing problem of overprivileged customers and purposes, which create vital threat. But many individuals don’t need to quit admin management of their PC. To assist strike the steadiness of admin privileges and safety we’re introducing Administrator safety (at present in Home windows Insiders). Admin safety provides you the safety of normal consumer permissions by default, and when wanted you possibly can securely authorize a just-in-time system change utilizing Home windows Good day. As soon as the method has accomplished, the non permanent admin token is destroyed. This implies admin privileges don’t persist. Admin safety will likely be disruptive to cyberattackers, as they not have elevated privileges by default, which is able to assist organizations guarantee they continue to be answerable for Home windows.
We’re additionally collaborating with endpoint safety companions to undertake protected deployment practices. This implies all safety product updates will likely be gradual, minimizing deployment dangers and monitoring to assist guarantee any detrimental affect is stored to a minimal. Moreover, we’re growing new Home windows capabilities that enable safety product builders to construct their merchandise outdoors of kernel mode, decreasing the affect to Home windows within the occasion of a safety product crash.
One other key improvement is our safe by design consumer expertise (UX) toolkit. Human error causes nearly all of safety breaches. The UX toolkit helps construct safer software program and enhance consumer safety experiences. This toolkit represents a brand new mind-set—the place design and safety aren’t siloed however are working collectively from the very starting. Adopted internally and shared externally, the toolkit helps different software program organizations in enhancing their safety practices.
Different actions Microsoft has labored on to eradicate courses of vulnerabilities embody:
Continued help to allow builders to make use of the reminiscence protected language Rust on Home windows.
Taking steps to mitigate Home windows NT LAN (NTLM) Relay Assaults by default in opposition to Trade Service, Energetic Listing Certificates Providers and Light-weight Listing Entry Protocol (LDAP).
Zero Belief Area Identify System (DNS) preview expanded to incorporate Home windows 11 enterprise clients. This characteristic helps lock down gadgets to solely access-approved community locations.
Floor embedded firmware merchandise use of a widespread firmware structure.
Launch of the Home windows 365 Hyperlink, which is the primary Cloud PC machine for Home windows 365. Home windows 365 Hyperlink eliminates native knowledge and apps and has no native admin customers and gives staff a approach to extra securely stream their Home windows 365 Cloud PC.
GitHub launched CodeQL help for GitHub Actions workflow information. This new static evaluation functionality identifies widespread steady integration and steady supply (CI/CD) flaws each in current code bases and earlier than they’re launched to assist eradicate this class of vulnerabilities. Utilizing this new characteristic, the GitHub Safety Lab was capable of assist safe greater than 75 GitHub Actions workflows in open supply tasks, disclosing greater than 90 totally different vulnerabilities.
Boosting patch software charges
Well timed and efficient patch administration is important for cybersecurity, as that is how we are able to cut back the window of alternative for malicious actors to take advantage of software program flaws.
Microsoft has made measurable will increase within the set up of safety patches, which we achieved by enabling computerized set up of software program patches when potential and enabling this performance by default, in addition to by providing widespread help for these patches.
Microsoft continues to roll out main safety updates on the second Tuesday of every month, often known as Patch Tuesday. This common schedule ensures that every one programs obtain well timed updates to handle vital vulnerabilities, thereby decreasing the chance of exploitation by cyberattackers.
Constructing on this basis, Microsoft has made vital strides in enhancing the replace course of with Home windows 11. By decreasing the variety of required system restarts from 12 to 4 per 12 months by means of using Hotpatch updates, we’ve additional streamlined operations and inspired organizations to stay compliant with patching necessities.
Different examples of our efforts in to spice up patch and safety replace charges embody:
Home windows Hotpatch: Introduced at Microsoft Ignite 2024, this gives a 60% discount in time to undertake safety updates, assisted by making use of updates seamlessly with out system restarts.
Microsoft has emphasised the significance of clearly speaking the anticipated lifespan of merchandise on the time of sale and investing in provisioning capabilities to ease buyer transitions to supported variations when merchandise attain the tip of their lifecycle. This technique ensures that clients are well-informed and may easily adapt to new applied sciences.
Adopting a Vulnerability Disclosure Coverage (VDP) and Frequent Vulnerabilities and Exposures (CVE)
Coordinated vulnerability disclosure, a apply Microsoft adopted greater than a decade in the past, advantages each safety researchers and software program producers by enabling collaboration to reinforce product safety. A VDP that authorizes public testing of merchandise, commits to refraining from authorized motion in opposition to those that comply with the VDP in good religion, gives a transparent channel for reporting vulnerabilities, and permits public disclosure of vulnerabilities based on coordinated vulnerability disclosure finest practices and worldwide requirements makes an actual distinction for cybersecurity. Moreover, producers can show transparency by together with correct Frequent Weak point Enumeration (CWE) and Frequent Platform Enumeration (CPE) fields in each CVE file for the producer’s merchandise.
Our adoption of the CWE and CPE requirements in each CVE file for its merchandise is a crucial achievement. This transparency facilitates correct and detailed details about vulnerabilities, facilitating well timed and efficient remediation. By issuing CVEs promptly for all vital or high-impact vulnerabilities, Microsoft demonstrates its dedication to sustaining a safe setting and defending its clients from potential cyberthreats.
One other notable spotlight is the publication of a machine-readable CSAF information, which give a transparent channel for reporting vulnerabilities and authorizes public testing of Microsoft merchandise. This fosters collaboration between safety researchers and software program producers, enabling the identification and mitigation of vulnerabilities in a coordinated method.
Different actions Microsoft has labored on to undertake VDP and CVE embody:
Empowering clients to detect and doc intrusions
Organizations ought to do extra to detect cybersecurity incidents and perceive their affect. To make sure they will do this, producers ought to present artifacts and evidence-gathering instruments, like audit logs.
An instance of Microsoft’s dedication on this space is our implementation of sturdy sensors and logs, enhancing detection of cyberthreats. This initiative gives clients with actionable insights into potential intrusions, enabling swift responses and threat mitigation.
Different actions Microsoft has labored on to empower clients to detect and doc inclusions embody:
Microsoft Purview has expanded its audit logging and retention intervals, amongst different safety enhancements, to extend safety visibility and incident response capabilities for cloud-based companies.
Microsoft Safety Copilot affords prebuilt promptbooks to automate security-related duties, resembling incident investigations, consumer evaluation, and menace intelligence assessments, enhancing effectivity and accuracy in cybersecurity operations.
Microsoft has supplied detailed steering on implementing the United States Division of Protection (DoD) Zero Belief Technique, with actions categorized into goal and superior phases to realize full Zero Belief adoption by 2032.
Microsoft’s Expanded Cloud Logs Implementation Playbook gives detailed steering on operationalizing new logging capabilities in Microsoft Purview Audit (Customary).
Microsoft has revealed a whitepaper on classes discovered from pink teaming greater than 100 generative AI merchandise at Microsoft. The whitepaper highlights the significance of understanding AI programs, breaking them with out computing gradients, and the need of human involvement in AI pink teaming, amongst different subjects.
GitHub shipped enhanced capabilities to the GitHub audit log to offer clients with elevated visibility of API occasions and options to allow enterprise administration, automation, and integration.
To be taught extra about Microsoft Safety options, go to our web site. Bookmark the Safety weblog to maintain up with our professional protection on safety issues. Additionally, comply with us on LinkedIn (Microsoft Safety) and X (@MSFTSecurity) for the newest information and updates on cybersecurity.
1Microsoft Digital Protection Report 2024.
2Microsoft Digital Protection Report 2022.
3IDC North America Instruments and Distributors Consolidation Survey, 2023.
42024 ISC2 Cybersecurity Workforce Research.
I love how you write—it’s like having a conversation with a good friend. Can’t wait to read more!This post pulled me in from the very first sentence. You have such a unique voice!Seriously, every time I think I’ll just skim through, I end up reading every word. Keep it up!Your posts always leave me thinking… and wanting more. This one was no exception!Such a smooth and engaging read—your writing flows effortlessly. Big fan here!Every time I read your work, I feel like I’m right there with you. Beautifully written!You have a real talent for storytelling. I couldn’t stop reading once I started.The way you express your thoughts is so natural and compelling. I’ll definitely be back for more!Wow—your writing is so vivid and alive. It’s hard not to get hooked!You really know how to connect with your readers. Your words resonate long after I finish reading.