Microsoft has shared progress on its security updates after Chinese hackers used vulnerability gaps to hack government emails last year.
The three trillion dollar company has introduced significant improvements to ensure its identity verification tool is more secure. This comes after a Chinese hacking group known as Storm-0558 used an overlooked vulnerability in Microsoft’s cloud email service to access the accounts of thousands of government workers in the United States in July 2023.
Now, Microsoft’s executive vice president of security Charlie Bell has outlined the new security measures in a public blog post, intending to prevent any other groups from doing the same again.
The company’s CEO Satya Nadella took to X to emphasize that security is Microsoft’s “top priority”.
Security is our top priority, and we’re sharing our progress as we advance cybersecurity protection for Microsoft, our customers, and the industry. https://t.co/y0ImtHx5Y7
— Satya Nadella (@satyanadella) September 23, 2024
What security updates has Microsoft made?
The new improvements include automatically generating, storing, and rotating token signing keys for US government and public sector cloud accounts, with those keys now stored in a customer’s ‘hardware secure module.’ This should make it almost impossible for other accounts to access them.
What’s more, Microsoft has also limited the access tokens of internal employees to seven days, meaning that even if a bad actor managed to get their virtual hands on them, they wouldn’t help in gaining unlawful access to those accounts. Last but not least, the company has removed an estimated 730,000 unused apps from user accounts, while also removing 5.75 million inactive users. Hacking groups have been known to use inactive accounts or apps to break through companies’ security.
Microsoft maintains these are not one-and-done measures but rather one part of ongoing security improvements the company is working on.
“In security, consistent progress is more important than ‘perfection’ and this is reflected in the scale of resources mobilized to achieve our SFI objectives,” wrote Bell. “The collective work we are doing to continually increase protection, eliminate legacy or non-compliant assets, and identify remaining systems for monitoring conclusively measures our success. As we look ahead, we remain committed to ongoing improvement.”
Putting action behind the words, the company has also linked security performance to senior leadership’s compensation and all employees’ performance reviews. A newly launched Security Skilling Academy aims to improve the security-focused internal training for all Microsoft employees.
Featured image: Unsplash
The post Microsoft releases major security improvements in wake of Chinese email hacking scandal appeared first on ReadWrite.
