Source: Microsoft
Microsoft has rolled out substantial security updates following a cyberattack last year that targeted government emails. In July 2023, a Chinese hacking group known as Storm-0558 exploited a weakness in Microsoft’s cloud email service, giving them access to thousands of U.S. government employees' accounts. The breach exposed critical gaps in the company's security infrastructure, pushing the $3 trillion tech giant to act swiftly.
In response, Charlie Bell, Microsoft’s executive vice president of security, outlined these new security improvements in a public blog post, emphasizing that the company's efforts are focused on preventing similar breaches in the future.
Key Security Enhancements
One of the most significant updates is the automatic generation, storage, and rotation of token signing keys for U.S. government and public sector cloud accounts. These keys are now stored in a customer’s 'hardware secure module,' ensuring a higher level of protection. This new system is designed to make unauthorized access to sensitive accounts nearly impossible.
Additionally, Microsoft has shortened the lifespan of access tokens for internal employees to just seven days. Even if a hacker were to obtain an access token, it would expire within a week, limiting the potential damage. By enforcing this strict token expiration policy, Microsoft reduces the window of opportunity for malicious actors to exploit stolen credentials.
Another important change includes the removal of around 730,000 unused apps from user accounts and the deactivation of 5.75 million inactive users. Hacking groups often target inactive accounts or unused applications as entry points into secure systems. By removing these, Microsoft reduces the risk of unwanted access to its cloud services.
Ongoing Commitment to Security
Microsoft has made it clear that these actions are part of an ongoing effort to enhance security. As Bell noted, the company views continuous improvement as the key to maintaining security, rather than striving for a one-time fix. He emphasized that consistent progress and diligent monitoring are crucial to the company's success in securing its systems.
In a further commitment to security, Microsoft has tied the security performance of the company directly to senior leadership’s compensation and employees’ performance reviews. This move aims to ensure that security remains a top priority across all levels of the company.
Furthermore, the introduction of a new Security Skilling Academy will focus on training Microsoft employees to better handle emerging threats, strengthening the company’s defenses from within.
CEO Satya Nadella also reaffirmed the company's dedication to security in a post on X (formerly Twitter), stating that safeguarding user data and systems remains Microsoft’s "top priority."
With these measures, Microsoft is taking proactive steps to secure its cloud services and prevent future breaches, showing a clear commitment to continuous security improvements.