Microsoft announced new security upgrades late last week to better protect its customers against cyber threats, including improved security protections for identity signing keys.
The company’s announcement comes after the recent Chinese-based hack of Commerce and State Department officials’ emails was found to be linked to a Microsoft engineer’s compromised corporate account.
The hackers leveraged a stolen Microsoft signing key to authenticate customers, allowing the hackers to masquerade as Federal users of Microsoft’s email services and access officials’ inboxes.
In a Nov. 2 blog post, Microsoft said it’s planning to prevent similar breaches by migrating to a new and fully automated consumer and enterprise key management system with “an architecture designed to ensure that keys remain inaccessible even when underlying processes may be compromised.”
Additionally, the company said it plans to move signing keys into “hardware security modules” (HSMs), which store and protect the keys in hardware.
“To stay ahead of bad actors, we are moving identity signing keys to an integrated, hardened Azure HSM and confidential computing infrastructure,” Microsoft executives Charlie Bell, Scott Guthrie, and Rajesh Jha explained in an internal email to employees.
“In this architecture, signing keys are not only encrypted at rest and in transit, but also during computational processes as well,” they wrote. “Key rotation will also be automated allowing high-frequency key replacement with no potential for human access, whatsoever.”
Microsoft is calling its new security push the Secure Future Initiative, which aims to bring together every part of the company to bolster cybersecurity protection.
