

Overview - Protect networks in SFI

The Secure Future Initiative (SFI) is a multiyear, cross-Microsoft initiative to continuously improve the security of the way Microsoft designs, builds, tests, and operates its products and services. SFI is built on:

  • A set of security principles that drive the way in which we innovate on security design, implement those innovations into Microsoft products as secure defaults and standards, and provide internal and external security guidance. Learn more.
  • A set of prioritized security pillars and objectives. Learn more.

This article summarizes the "Protect networks" SFI pillar.

Before you start

Pillar and objectives

The aim of the "Protect networks" pillar is to limit adversary movement and unauthorized access across corporate networks. Networks are segmented and isolated with fine-grained network controls. Every connection is verified, controlled, and continuously monitored.

Microsoft objectives and the Zero Trust/NIST mapping for this pillar are summarized below, one entry per objective.

1. Inventory and security standards

Objective: Secure Microsoft production networks and systems connected to networks with improved network isolation, monitoring, accurate inventory, and secure operations.

Zero Trust:
  • Verify explicitly: Know what devices are present and who/what they connect to.
  • Assume breach: A full inventory supports detection and containment of breaches.

NIST mapping:
  • ID.AM-01 (Physical devices and systems within the organization are inventoried): All network devices are inventoried, tracked, recognized, managed, and governed.
  • ID.AM-03 (Assets are classified—consistent with organizational risk strategy): Networks and infrastructure are inventoried and classified.
  • PR.AA-05 (Access permissions and authorizations are managed, enforced, and periodically verified): SFI applies security standards to network infrastructure.
  • PR.PS-01 (Assets are formally evaluated to ensure they meet security, compliance, and resilience requirements before being approved for use): Network assets are only allowed when they pass baseline security requirements.
  • PR.PS-04 (Assets are evaluated and validated against security requirements before being authorized for use): Network infrastructure must meet SFI security standards before use.

2. Network isolation

Objective: Apply identity-aware network isolation and microsegmentation to Microsoft production environments, creating additional layers of defense against attackers.

Zero Trust:
  • Verify explicitly: Authenticate and authorize network flows before allowing communication.
  • Use least privileged access: Restrict lateral movement and limit network access rights.
  • Assume breach: Assume attackers may already be in the network; isolate segments for containment.

NIST mapping:
  • PR.IR-01 (Processes are established to prepare for incident response and reduce potential impact).
  • PR.PS-01 (Security configuration requirements are established and applied): Network isolation requires enforcing standardized network-security baselines (segmentation rules, ACLs, routing controls, boundary protections).
  • PR.PS-04 (Assets are validated to meet security requirements before being authorized for use): Network segments, gateways, and boundary systems must meet SFI isolation standards (hardening, compliance, segmentation posture) before being allowed to connect to production networks.

3. Secure customer cloud networks

Objective: Accelerate adoption of network security perimeter (NSP) to place resources under modern perimeter enforcement and segmentation, so that network traffic is validated and only allowed where necessary, reducing the risk of lateral movement and unauthorized access.

Zero Trust:
  • Verify explicitly: NSP enforces strong validation of traffic entering protected segments.
  • Use least privileged access: Only necessary traffic is allowed to traverse network boundaries.
  • Assume breach: Perimeter enforcement assumes threat presence and restricts spread.

NIST mapping:
  • PR.IR-01 (Processes are established to prepare for incident response and reduce potential impact): Network hardening and isolation of customer cloud networks reduce blast radius and ensure Microsoft can contain incidents quickly by limiting pivot paths into or across customer environments.
  • PR.PS-01 (Security configuration requirements are established and applied): Customer cloud networks must meet SFI security baselines (segmentation, routing controls, firewall posture, logging, access restrictions) before being connected or allowed to serve production workloads.

Next steps