Security above all else
"Microsoft runs on trust and trust must be earned and maintained. Our pledge to our customers and our community is to prioritize your cyber safety above all else." Charlie Bell, EVP Security, Microsoft
Microsoft Secure Future Initiative
We’re continuously applying what we’ve learned from security incidents to improve our methods and practices. Three principles anchor our approach to the Secure Future Initiative (SFI).
Secure by design
Security comes first when designing any product or service.
Secure by default
Security protections are enabled and enforced by default, require no extra effort, and aren’t optional.
Secure operations
Security controls and monitoring will be continuously improved to meet current and future threats.
SFI pillars
We’re expanding the scope of the SFI to help our customers and community amidst the fast-changing threat landscape.
-
Protect identities and secrets
Reduce the risk of unauthorized access by implementing and enforcing best-in-class standards across all identity and secrets infrastructure, and user and application authentication and authorization.
Increased protection for sign-in credentials
Intruders don’t break in, they sign in. See how we're ensuring that our keys remain out of reach.
Back to tabsAutomatic multifactor authentication
Find out how Microsoft led the way in consumer identity by providing multifactor authentication enabled by default along with risk-based challenges.
-
Protect tenants and isolate production systems
Protect all Microsoft tenants and production environments using consistent, best-in-class security practices and strict isolation to minimize breadth of impact.
Meeting industry standards for cloud security
Read about the standardized security baselines for Azure products that meet Center for Internet Security (CIS) and National Institute for Standards in Technology (NIST) standards.
Back to tabsA more secure cloud by default
We enabled security defaults for 20 million customers on free tenants—94% of customers keep these protective measures in place.
-
Protect networks
Protect Microsoft production networks and implement network isolation of Microsoft and customer resources.
Back to tabsSegmentation and role-based access
Learn how to build a unified segmentation strategy using perimeters and isolation boundaries in workloads.
-
Protect engineering systems
Protect software assets and continuously improve code security through governance of the software supply chain and engineering systems infrastructure.
Lessons from our transition to Zero Trust
Secure access to source code and engineering systems infrastructure through Zero Trust and least-privileged access policies.
Back to tabsBuild and maintain inventory for all software assets
Build and maintain the inventory for all software assets used to deploy and operate production environments.
-
Monitor and detect threats
Comprehensive coverage and automatic detection of threats to Microsoft production infrastructure and services.
Read about our red, blue, and green teams
See how MORSE members effectively address security threats, repair broken code, and identify potential attack paths before a breach can happen.
Back to tabsSee how security researchers help Microsoft
Find out how researchers who discover a vulnerability in a Microsoft product, service, or device can receive a Bug Bounty award from Microsoft.
-
Accelerate response and remediation
Prevent exploitation of vulnerabilities discovered by external and internal entities through comprehensive and timely remediation.
Read real-time incident updates
We practice coordinated vulnerability disclosure with the research community—with no nondisclosure agreement required. Read real-time updates on known vulnerabilities.
Meet our digital defense team
Read the latest cybersecurity and threat intelligence trends and get reports with insights and recommendations.
Back to tabsGet the 2023 Microsoft Digital Defense Report
See our latest findings on the threat landscape evolution and opportunities for Microsoft and our customers to secure a resilient online ecosystem.
Foundations of SFI
Successful business operations or change management is predicated on people, process, and technology working in harmony. These are the foundations of SFI.
Continuous security improvement
The SFI empowers all of Microsoft to implement the needed changes to deliver security first. Our company culture is based on a growth mindset that fosters an ethos of continuous improvement.
Paved paths and standards
Paved paths are best practices from our learned experiences, drawing upon lessons such as how to optimize productivity of our software development and operations, how to achieve compliance, and how to eliminate entire categories of vulnerabilities and mitigate related risks.
Security-first culture
Culture can only be reinforced through our daily behaviors. The engineering executive vice presidents are also holding broadscale, weekly and monthly operational meetings that include all levels of management and senior individual contributors. Through this process of bottom-to-top, end-to-end problem solving, security thinking is ingrained in our daily behaviors.
Security governance
Microsoft is implementing a new security governance framework, spearheaded by the Chief Information Security Officer (CISO). This framework introduces a partnership between engineering teams and newly formed Deputy CISOs, collectively responsible for overseeing the SFI, managing risks, and reporting progress directly to Microsoft’s Senior Leadership Team. Progress will be reviewed weekly with this executive forum and quarterly with our Board of Directors.
Get SFI updates
Our progress so far
Learn about the tangible steps we’re taking to implement the SFI and accelerate our progress.
See how we’re using AI
Discover the ways we’re transforming software development with automation and AI.
Learn about the evolving threat landscape
SFI brings every part of Microsoft together to advance cybersecurity protection in this deep-dive.
See where the SFI started
Revisit our initial announcement about the SFI in this memo from Charlie Bell.
Security by design for government
Learn how government operations are using state-of-the-art, built-in security features from Microsoft.
Help secure your software supply chain
Learn about the Software Bill of Materials and its role in helping secure the software supply chain.
Get best practices from the Microsoft AI Red Team
Hunt for AI system failures, define a multilayered security approach, and create a plan to evolve your security posture.
The Azure security improvement cycle
See how Azure takes a defense in depth approach to vulnerabilities, layering protections throughout all phases of design, development, and deployment.
Cloud security benchmarks
Learn how the Microsoft cloud security benchmark helps you succeed in your cloud security journey.
Follow Microsoft