Why Apple’s Cloud Privacy and Microsoft’s Security Initiative Matter
Technology

Why Apple’s Cloud Privacy and Microsoft’s Security Initiative Matter

Editorial Staff 461 Views 0 Comments

Join our daily and weekly emails to receive the latest updates on AI and exclusive content. Learn More

As cyber threats become more automated and malicious it is more difficult to protect enterprise data and privacy. Apple and Microsoft’s new security initiatives capitalize on their core cloud security and privacy strengths to close security gaps and reduce risk for every business.

Microsoft’s Secure Future Initiative (SFI) and Apple’s Private Cloud Compute (PCC) represent the latest enterprise-ready approaches to improving cloud security and privacy. The larger the enterprise, the more diverse its cybersecurity and privacy needs, so SFI and PCC are designed to deliver real-time responses at scale.

Microsoft first unveiled the Secure Future Initiative (SFI) in Nov. 2023 to enhance its clients’ enterprise cloud security infrastructure. SFI aims to improve security in Microsoft’s ecosystem step by step. Apple launched its Private Cloud Compute platform (PCC) in June 2024. The company published its Secure future Initiative Progress Report. The PCC, a cloud intelligence platform created for private AI processing, is the PCC. Apple’s device security and privacy architecture, which is the core of PCC, has been extended to cloud AI operations. PCC is designed to protect user data in the cloud. This is done with custom silicon, a hardened OS and privacy-preserving methods that manage data requests without storing data.

Microsoft’s Secure Future Initiative (SFI) is a multi-layered defense for enterprise security

At its foundation, SFI is designed to embed security into every layer of Microsoft products and services as part of its secure-by-design framework and more broadly speaking, a new security philosophy.

Microsoft’s Executive Vice President Takeshi Numoto recently said, “At Microsoft, security is our top priority, and through SFI, we ensure that our products and AI systems are secure, private and safe.” Microsoft reaffirmed its commitment to TrustWorthy AI with an announcement this week emphasizing responsible development and deployment of AI technologies.

Six engineering pillars form the foundation of Microsoft’s Secure Future Initiative (SFI) strategy. These pillars are designed to protect systems, data and identities while anticipating cybersecurity threats all from a common platform.

Three core principles define SFI. SFI includes secure by design and secure by default. Microsoft committed to these in their latest report, saying all product teams will be using these principles and adopting the Microsoft Security Development Lifecycle (SDL) as their development methodology.

Source: Microsoft. Secure Future Initiative Progress Report September 2024.

Microsoft SFI is built on six engineering pillars: Protect identities and secrets

. Securing identities has become a major focus for SFI. This is especially true after the increase in identity-based attacks targeting Active Directory (AD) and looking to control all identities within a company. Microsoft looks to significantly reduce enterprise identity-related attack surfaces by introducing phishing-resistant credentials and video-based identity verification.

Protect tenants and isolate production systems. Microsoft designed SFI in order to improve network security through the isolation of production environments, and by improving compliance tracking. There are also more strict isolation policies for virtual networks and production system to prevent the lateral movement or threats. Microsoft also vows to provide enhanced monitoring to ensure potential threats are identified and acted on quickly.

Protect Networks. SFI’s core is the improved monitoring of virtual network assets by recording them in a central inventory, and ensuring that corporate and production networks are isolated. SFI teams place a high value on micro-segmentation, and minimizing attack surfaces. A core construct of this area of SFI is that it ensures lateral movement within the network is limited and controlled, limiting the blast radius of a potential attack.

  • Protect Engineering Systems. SFI’s architects opted to use the Zero Trust framework in order to protect Microsoft’s Software Development Environments. This approach relies on limiting the lifetime of personal access tokens, and performing stringent checks when developing code. Microsoft’s SFI contends that these measures help prevent unauthorized access and protect critical resources during the software development lifecycle.
  • Monitor and Detect Threats. SFI is built on real-time threat detection. Microsoft’s SFI Framework aims to allow all production systems emit standard security logs to provide timely visibility into network activity. This centralized logging enables faster identification of threats and helps enterprises proactively monitor malicious activities.
  • Accelerate Response and Remediation. SFI also reduces threat identification and action time to address vulnerabilities quickly. Microsoft releases critical vulnerabilities (CVEs), regardless of whether customers take action. This helps the industry adopt mitigation techniques faster. This proactive approach boosts cloud ecosystem security.
  • Apple’s Private Cloud Compute (PCC) has privacy at the coreWhile Microsoft concentrates on closing the gaps it sees across the cloud and entering infrastructure, Apple’s Private Cloud Compute (PCC) capitalizes on the company’s decades of R&D experience in privacy.
  • Apple invested years of research and development in PCC, looking to create a stateless architecture that could ensure the privacy of customers’ data at the silicon level, making it impossible for an insider attack inside the company to breach it.Of the many design goals that define the PCC, one of the most important is scaling Apple’s industry-leading device privacy controls into cloud-based AI services. Apple’s central goal is to set a new standard for secure cloud intelligence.
  • Key features of PCC include the following:Stateless computation and enforceable privacy:

PCC employs a unique stateless architecture that ensures sensitive data is processed only for its intended purpose and never retained after a process is complete. Stateless architecture uses hardware-backed secure cryptographic protocols and enclaves to protect data during processing. PCC’s memory is non-persistent, with all data cryptographically erased upon request completion.

No privileged access:

PCC implemented a zero-trust model that prevents any privileged access that could potentially bypass privacy controls. Apple accomplishes this through a combination hardware-enforced separation, secure boot processes, and code-signing algorithm. PCC is designed with such stringent privileged access that Apple’s site reliability engineers cannot access user data or bypass security measures.

Verifiable transparency to the log level.

Cryptographically signed transparency logs of all software running on PCC nodes are published to enable third-party audits. Transparency logs can also be used to verify the code is the same as the reviewed software. Custom silicon and hardened OS.

  • The PCC uses custom Apple silicon that has built-in security functions like the Secure Enclave, and a subset of iOS or macOS that is hardened. This ensures that user data is processed in isolated environments with hardware-enforced security boundaries.Oblivious HTTP routing:
  • PCC requests go through an independent Oblivious HTTP relay. This hides the request origin, preventing IP address-person correlation.Apple also designed end-to-end encryption, advanced anonymization techniques to protect data throughout its lifecycle, advanced access controls, and support for multi-factor authentication. PCC has real-time threats detection, and it supports regular penetration testing and security audits. For a thorough analysis of the PCC platform, see VentureBeat’s recent in-depth analysis.
  • Security and privacy comparison: Microsoft SFI vs. Apple PCCIT and security teams are too busy to manage another platform. Microsoft and Apple embed security into their architectures in order to ease this burden. Apple’s Private Cloud Compute, or PCC, offers hardware-level privacy protections that enhance privacy. Both methods simplify critical security measures to keep teams safe without adding work.
  • The following comparison is a short guide to help IT and security teams gain insights into the differences between each platform:Cloud security and threat model
  • Apple PCC: Designed for secure AI cloud processing, it aims to prevent data leakage, insider threats, and targeted attacks, with robust measures to ensure privacy and security in cloud environments, according to Apple’s PCC blog post released earlier this year.

Microsoft SFI:

Focuses on reducing the attack surfaces across all Microsoft tenants and production environments, with a specific aim of preventing lateral movement between environments. SFI is aligned with Zero Trust framework, which assumes that a breach already occurred and requires constant verification of device and user identity regardless of the network location. Zero Trust protects the Microsoft 365 and Azure ecosystems. For more information on the Zero Trust framework see the NIST standard, Special Publication 800-207, which outlines the key principles of Zero Trust Architecture (ZTA).

Cultural Integration

Apple PCC:

Prioritizes privacy through technical design rather than cultural changes. Privacy is embedded in both the hardware (Apple silicon) and software (iOS/macOS), ensuring secure-by-design architecture without needing broad cultural shifts.

Microsoft SFI:

  • Security is embedded into all operations, from corporate governance to employee evaluations. The Microsoft Cybersecurity Governance Council plays a key role in ensuring risk management is consistent across the company.Scope and Focus:
  • Apple PCC: Focuses on AI privacy in cloud, multi-cloud and hybrid cloud environments. It is designed specifically for businesses seeking security and privacy assurances in AI applications, offering high levels of security for AI processing and data storage.

Microsoft SFI:

  • Microsoft’s product and services-wide initiative to engrain security into the DNA of every product and service they offer. Microsoft’s comprehensive security framework, which includes identity management, governance and employee training as well as technical safeguards, is available across the entire Microsoft ecosystem. This includes Azure and Microsoft 365. It aims to secure all layers of its platform and user base.Technical Implementation:
  • Apple PCC: Apple secures its framework with custom server hardware and silicon. Stateless computations reduce risks by storing no data between sessions. Apple’s goal is to make PCC-based AI processing secure. With privacy protections at its core, Apple’s goal is to make PCC-based AI processing secure.

Microsoft SFI:

  • Microsoft’s strategy weaves security into every phase of software development through a Secure Development Lifecycle (SDL), ensuring that security measures are incorporated from the design stage to deployment. CodeQL is an automated tool that scans code for vulnerabilities. Moreover, robust identity protection is guaranteed via MSAL (Microsoft Authentication Library), which oversees secure authentication and token management across various applications and services.Transparency and Governance:
  • Apple PCC: Researchers can audit Apple’s systems and view its AI processing environments in cryptographically signed transparency logs. Accountability allows businesses to evaluate and trust Apple’s AI infrastructure without compromising sensitive data.

Microsoft SFI:

  • Microsoft’s Secure Future Initiative (SFI) seeks to improve security transparency and cybersecurity across its products and services. Microsoft Defender for Cloud and Azure Active Directory Conditional access are advanced security features that use machine learning algorithms in order to detect and respond real-time to threats. Microsoft also launched Cyber Signals, which provides threat intelligence insights, and a Customer Security Management Office to improve communication about security incidents. These initiatives are promising, but Microsoft’s handling of critical system flaws and data breaches shows the ongoing challenges of scaling cybersecurity.Why Microsoft SFI and Apple PCC signal a shift in enterprise security
  • Realizing that IT and security teams are overstretched already, and no one needs another platform to look after, Microsoft and Apple have taken unique approaches to make security and privacy the core of their DNA.For many IT and security leaders, these two platforms are overdue. SFI is an attempt to make security a core part of Microsoft DNA. SFI, as the first generation in a new era of cybersecurity, is comprehensive and sets up the structure for security to become part of Microsoft DNA. Starting with the areas that are the most challenging for IT and security to deal with, SFI takes on the challenges of identity management, governance, and technical safeguards.

Apple’s continual investments in privacy pay dividends in PCC. Stay informed! Subscribe to receive the latest news daily in your email.

  • By signing up, you agree with VentureBeat’s terms of service.
    Thank you for subscribing. Click here to view more VB Newsletters.

Editorial Staff

Founded in 2020, Millenial Lifestyle Magazine is both a print and digital magazine offering our readers the latest news, videos, thought-pieces, etc. on various Millenial Lifestyle topics.

Leave a Reply

Your email address will not be published. Required fields are marked *