As mentioned in the last blog, this is a major release for us, and it marks Microsoft Secure Score’s transition from simply being a gamified list of security recommendations to one that we think is on its way to becoming the go-to posture management app for security administrators. There’s lots of work left to do to achieve that aspiration, but we feel we’re well on our way.
With this release, we focused on the following areas:
Improving the assessment and scoring models
Adding planning, workflow and posture monitoring improvements
Adding metrics and trend reports to drive meaningful planning and status discussions with leadership
Our previous blog provides all of the details on these investments, and our brand new Mechanics video helps bring them to life, so today’s blog is going to focus on some key changes and feedback that came out of the public preview program.
During the public preview we’ve seen strong usage growth, and there has been no shortage of feedback along the way. Much of it helped us further refine the user experience, and your suggestions filled the long-term roadmap with a lot of great ideas. With that said, there are two areas of change that we think are important to mention as everyone transitions to the new release.
Improvement Action Changes
The area that we received the most feedback on was Improvement Actions. As a product team and a community, we’ve had to work together to learn what constitutes an Improvement Action worth adding to the product, and to be honest, we (Microsoft) didn’t get it perfect in our previous releases. Here are some new principles you helped us define that will help ensure that only the right types of Improvement Action make it into the system:
Status of Improvement Actions must be measurable through automation
Improvement Actions, when implemented, must render a measurable level of risk reduction
Without these principles, Microsoft Secure Score only provides a directional view of your posture status rather than the precise measurement we had in mind.
The new principles correct this problem, but there is a trade-off that had to be made which will impact a subset of the existing Improvement Actions. The trade-off is that Improvement Actions that violate these rules must now be removed from the product, at least temporarily. Two classes of Improvement Actions are impacted by these new principles:
Not Scored Improvement Actions were those that lacked automation to determine control status. Improvement Actions of this type have been removed until automation can be added, at which point they can return to the product.
Review Improvement Actions were recommendations that suggest a security administrator review a report or something similar and then take the appropriate actions. Unfortunately, these actions couldn't be monitored or measured. Like Not Scored Improvement Actions, these will be removed until automation can be added.
In addition to these changes, customers have informed us that some Improvement Actions were yielding inaccurate numbers in certain scenarios. To address this problem, the engineering team expanded their testing coverage, and a number of multi-factor authentication and other Improvement Actions have been fixed in response.
A complete list of the Improvement Actions that have been temporarily removed because of accuracy issues can be found at the following pages: Previous Version and Public Preview.
Security-related scores in other Microsoft 365 and Azure Security products
Another point of recurring feedback is related to security scores showing up in various user experiences across Microsoft 365 and Azure. The thrust of the questions tends to be about whether they are aligned, are different, etc. Here is how to think about it.
The vision for Microsoft Secure Score is that it will be the centralized user experience for all security-related points and Improvement Actions across Microsoft 365 and Azure workloads. Individual products can include a secure score experience scoped to their workload; however, they must align to the Microsoft Secure Score design patterns and branding. They must also forward their score and Improvement Action data to Microsoft Secure Score so that it can provide the end-to-end superset view of an organization’s security posture.
At the moment, the Azure workloads are yet to start sending their data; however, as you’ll notice in the new Microsoft Secure Score experience, everything is plumbed in for the day when that data starts to flow into the system. We are still in the process of determining a date for this and will keep you posted when it becomes clearer.
As mentioned a moment ago, we have defined a common set of design patterns and branding for all products to align on; however, the transition to this new state across all of Microsoft 365 and Azure is a work in progress. For this reason, you may see secure score experiences like the following which are not yet aligned. The changes for this particular example are straightforward, and you can anticipate Identity Secure Score will soon be rebranded to Microsoft Secure Score for Identity. At this time the score will be changed from the # Points Achieved to the % Complete model that Microsoft Secure Score has just transitioned to.
That covers it for today. Thanks for your interest in Microsoft Secure Score, and we hope you enjoy the new release. Please log on and take a look, and if you have any questions or feedback, feel free to leave them in the comments section below.