Archive

Archive for the ‘Data Privacy’ Category

Simplify compliance and manage risk with Microsoft Compliance Manager

January 14th, 2021 No comments

The cost of non-compliance is more than twice that of compliance costs. Non-compliance with the ever-increasing and changing regulatory requirements can have a significant impact on your organization’s brand, reputation, and revenue. According to a study by the Ponemon Institute and Globalscape, being compliant will cost you less compared to business disruptions, loss of revenue, and hefty fines.

Data explosion and regulatory environment

As organizations go through digital transformation, they are generating and consuming much more data than in the past to help them gain an edge over their competitors. This data is necessary to continue to stay relevant by empowering employees, engaging customers, and optimizing operations. Managing this data and the variety of devices on which it is created can be complicated, especially when it comes to ensuring compliance.

Not only is the amount of data IT must manage exploding, regulations on how that data can and should be handled are also increasing. Collecting customer and citizen data is often an integral part of how public and private sector organizations function. While there has been progress over the last few years, the challenge of maintaining and protecting personal data continues. Regulations are creating a need for the responsible usage of personal data, and the stakes are high. Not complying with regulations can result in significant fines and reduced credibility with regulators, customers, and citizens.

Manage compliance challenges

According to a recent report about the cost of compliance, there were more than 215 regulation updates a day from over 1,000 regulatory bodies all over the world, a slight decrease from the previous year. For example, enforcement of the California Consumer Privacy Act (CCPA), Brazil’s Lei Geral de Proteção de Dados (LGPD), and Thailand’s Personal Data Protection Act (PDPA) began in 2020.

Organizations face all kinds of risks, including financial, legal, people, IT, and cybersecurity risks. Below are some of the challenges we are seeing due to the dynamic nature of the compliance landscape.

  • Keeping up with constantly changing regulations is a struggle. With all the regulatory and standards bodies creating new or revising existing requirements and guidelines, keeping up to date is time and resource-intensive.
  • Point-in-time assessments create a digital blind spot. Many organizations rely on point-in-time assessments, like annual audits. Unfortunately, they can go out of date quickly and expose the organization to potential risks until the next assessment is done. Organizations are looking for ways to improve integration and create near real-time assessments to control risks caused by digital assets.
  • Inefficient collaboration and siloed knowledge lead to duplication of effort. Organizations are often challenged due to siloed knowledge concerning IT risk management. IT and security admins know the technology solutions but find regulations difficult to understand. Contrast that with compliance, privacy, and legal teams who tend to be familiar with the regulations but are not experts in the technology available to help them comply. In addition, many organizations start their compliance journey using general-purpose tools like Microsoft Excel and try to track compliance manually, but quickly outgrow this approach because of the complexities of managing compliance activities.
  • Complexity across IT environments hinders adoption. Understanding how to integrate the many solutions available and configure each one to minimize compliance risks can be difficult. This is especially true in organizations with solutions sourced from multiple vendors that often have overlapping functionality. Decision-makers want simple step-by-step guidance on how to make the tools work for the industry standards and regulations they are subject to.

Simplify compliance with Microsoft Compliance Manager

Microsoft Compliance Manager is the end-to-end compliance management solution included in the Microsoft 365 compliance center. It empowers organizations to simplify compliance, reduce risk, and meet global, industry, and regional compliance regulations and standards. Compliance Manager translates complicated regulations, standards, company policies, and other desired control frameworks into simple language, maps regulatory controls and recommended improvement actions, and provides step-by-step guidance on how to implement those actions to meet regulatory requirements. Compliance Manager helps customers prioritize work by associating a score with each action, which accrues to an overall compliance score. Compliance Manager provides the following benefits:

  • Pre-built assessments for common industry and regional standards and regulations, and custom assessments to meet your unique compliance needs. Assessments are available depending on your licensing agreement.
  • Workflow functionality to help you efficiently complete risk assessments.
  • Detailed guidance on actions you can take to improve your level of compliance with the standards and regulations most relevant for your organization.
  • Risk-based compliance score to help you understand your compliance posture by measuring your progress completing improvement actions.

Shared responsibility

For organizations running their workloads only on-premises, they are 100 percent responsible for implementing the controls necessary to comply with standards and regulations. With cloud-based services, such as Microsoft 365, that responsibility becomes shared between your organization and the cloud provider, although is ultimately responsible for the security and compliance of their data.

Microsoft manages controls relating to physical infrastructure, security, and networking with a software as a service (SaaS) offering like Microsoft 365. Organizations no longer need to spend resources building datacenters or setting up network controls. With this model, organizations manage the risk for data classification and accountability. And risk management is shared in certain areas like identity and access management. The chart below is an example of how responsibility is shared between the cloud customer and cloud provider with various on-premises and online services models.

shows the Shared responsibility model

Figure 1: Shared responsibility model

Apply a shared responsibility model

Because responsibility is shared, transitioning your IT infrastructure from on-premises to a cloud-based service like Microsoft 365 significantly reduces your burden of complying with regulations. Take the United States National Institute of Standards and Technology’s NIST 800-53 regulation as an example. It is one of the largest and most stringent security and data protection control frameworks used by the United States government and large organizations. If your organization were adhering to this standard and using Microsoft 365, Microsoft would be responsible for managing more than 75 percent of the 500 plus controls. You would only need to focus on implementing and maintaining the controls not managed by Microsoft. Contrast that situation with one where your organization was running 100 percent on-premises. In that case, your organization would need to implement and maintain all the NIST 800-53 controls on your own. The time and cost savings managing your IT portfolio under the shared responsibility model can be substantial.

shows the NIST examples of shared responsibilities

Figure 2: NIST examples of shared responsibilities

Assess your compliance with a compliance score

Compliance Manager helps you prioritize which actions to focus on to improve your overall compliance posture by calculating your compliance score. The extent to which an improvement action impacts your compliance score depends on the relative risk it represents. Points are awarded based on whether the action risk level has been identified as a combination of the following action characteristics:

  • Mandatory or discretionary.
  • Preventative, detective, or corrective.

Your compliance score measures your progress towards completing recommended actions that help reduce risks around data protection and regulatory standards. Your initial score is based on the Data Protection Baseline, which includes controls common to many industry regulations and standards. While the Data Protection Baseline is a good starting point for assessing your compliance posture, a compliance score becomes more valuable once you add assessments relevant to the specific requirements of your organization. You can also use filters to view the portion of your compliance score based on criteria that includes one or more solutions, assessments, and regulations. More on that later.

The image below is an example of the Overall compliance score section of the Compliance Manager dashboard. Notice that even though the number under Your points achieved is zero, the Compliance Score is 75 percent. This demonstrates the value of the shared responsibility model. Since Microsoft has already implemented all the actions it is responsible for, a substantial portion of what is recommended to achieve compliance is already complete even though you have yet to take any action.

Shows the Compliance Score from Microsoft Compliance Manager

Figure 3: Compliance Score from Microsoft Compliance Manager

For more information on Microsoft Compliance Manager, please visit the Microsoft Compliance Manager documentation. To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Simplify compliance and manage risk with Microsoft Compliance Manager appeared first on Microsoft Security.

A breakthrough year for passwordless technology

December 17th, 2020 No comments

As 2020 draws to a close, most of us are looking forward to putting this year in the rearview mirror. Since we depend even more on getting online for everything in our lives, we’re more than ready to be done with passwords. Passwords are a hassle to use, and they present security risks for users and organizations of all sizes, with an average of one in every 250 corporate accounts compromised each month. According to the Gartner Group, 20 to 50 percent of all help desk calls are for password resets. The World Economic Forum (WEF) estimates that cybercrime costs the global economy $2.9 million every minute, with roughly 80 percent of those attacks directed at passwords.

In November 2019 at Microsoft Ignite, we shared that more than 100 million people were already using Microsoft’s passwordless sign-in each month. In May of 2020, just in time for World Password Day, that number had already grown to more than 150 million people, and the use of biometrics to access work accounts is now almost double what it was then. We’ve drawn strength from our customers’ determination this year and are set to make passwordless access a reality for all our customers in 2021.

2020: A banner year for passwordless technology

Infograph describing the passwordless technology achievements in 2020

February: We announced a preview of Azure Active Directory support for FIDO2 security keys in hybrid environments. The Fast Identity Online (FIDO) Alliance is a “cross-industry consortia providing standards, certifications, and market adoption programs to replace passwords with simpler, stronger authentication.” Following the latest FIDO spec, FIDO2, we enabled users with security keys to access their Hybrid Azure Active Directory (Azure AD) Windows 10 devices with seamless sign-in, providing secure access to on-premises and cloud resources using a strong hardware-backed public and private-key credential. This expansion of Microsoft’s passwordless capabilities followed 2019’s preview of FIDO2 support for Azure Active Directory joined devices and browser sign-ins.

June: I gave a keynote speech at Identiverse Virtual 2020 where I got to talk about how Microsoft’s FIDO2 implementation highlights the importance of industry standards in implementing Zero Trust security and is crucial to enabling secure ongoing remote work across industries. Nitika Gupta, Principal Program Manager of Identity Security in our team, showed how Zero Trust is more important than ever for securing data and resources and provided actionable steps that organizations can take to start their Zero Trust journey.

September: At Microsoft Ignite, the company revealed the new passwordless wizard available through the Microsoft 365 Admin Center. Delivering a streamlined user sign-in experience in Windows 10, Windows Hello for Business replaces passwords by combining strong MFA for an enrolled device with a PIN or user biometric (fingerprint or facial recognition). This approach gives you, our customers, the ability to deliver great user experiences for your employees, customers, and partners without compromising your security posture.

November: Authenticate 2020, “the first conference dedicated to who, what, why and how of user authentication,” featured my boss, Joy Chik, CVP of Identity at Microsoft, as the keynote speaker. Joy talked about how FIDO2 is a critical part of Microsoft’s passwordless vision, and the importance of the whole industry working toward great user experiences, interoperability, and having apps everywhere support passwordless authentication. November also saw Microsoft once again recognized by Gartner as a “Leader” in identity and access management (IAM).

MISA members lead the way

The Microsoft Intelligent Security Association (MISA) is an ecosystem of security partners who have integrated their solutions with Microsoft to better defend against increasingly sophisticated cyber threats. Four MISA members—YubiKey, HID Global, Trustkey, and AuthenTrend—stood out this year for their efforts in driving passwordless technology adoption across industries.

Yubico created the passwordless YubiKey hardware to help businesses achieve the highest level of security at scale.

“We’re providing users with a convenient, simple, authentication solution for Azure Active Directory.”—Derek Hanson, VP of Solutions Architecture and Alliances, Yubico

HID Global engineered the HID Crescendo family of FIDO-enabled smart cards and USB keys to streamline access for IT and physical workspaces—enabling passwordless authentication anywhere.

“Organizations can now secure access to laptops and cloud apps with the same credentials employees use to open the door to their office.”—Julian Lovelock, VP of Global Business Segment Identity and Access Management Solutions, HID

TrustKey provides FIDO2 hardware and software solutions for enterprises who want to deploy passwordless authentication with Azure Active Directory because: “Users often find innovative ways to circumvent difficult policies,” comments Andrew Jun, VP of Product Development at TrustKey, “which inadvertently creates security holes.”

AuthenTrend applied fingerprint-authentication technology to the FIDO2 security key and aspires to replace all passwords with biometrics to help people take back ownership of their credentials.

Next steps for passwordless in 2021

Our team has been working hard this year to join these partners in making passwords a thing of the past. Along with new UX and APIs for managing FIDO2 security keys enabling customers to develop custom solutions and tools, we plan to release a converged registration portal in 2021, where all users can seamlessly manage passwordless credentials via the My Apps portal.

We’re excited about the metrics we tracked in 2020, which show a growing acceptance of passwordless among organizations and users:

  • Passwordless usage in Azure Active Directory is up by more than 50 percent for Windows Hello for Business, passwordless phone sign-in with Microsoft Authenticator, and FIDO2 security keys.
  • More than 150 million total passwordless users across Azure Active Directory and Microsoft consumer accounts.
  • The number of consumers using Windows Hello to sign in to Windows 10 devices instead of a password grew to 84.7 percent from 69.4 percent in 2019.

We’re all hoping the coming year will bring a return to normal and that passwordless access will at least make our online lives a little easier.

Learn more about Microsoft’s passwordless story. To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post A breakthrough year for passwordless technology appeared first on Microsoft Security.

Becoming resilient by understanding cybersecurity risks: Part 1

October 13th, 2020 No comments

All risks have to be viewed through the lens of the business or organization. While information on cybersecurity risks is plentiful, you can’t prioritize or manage any risk until the impact (and likelihood) to your organization is understood and quantified.

This rule of thumb on who should be accountable for risk helps illustrate this relationship:

The person who owns (and accepts) the risk is the one who will stand in front of the news cameras and explain to the world why the worst case scenario happened.

This is the first in a series of blogs exploring how to manage challenges associated with keeping an organization resilient against cyberattacks and data breaches. This series will examine both the business and security perspectives and then look at the powerful trends shaping the future.

This blog series is unabashedly trying to help you build a stronger bridge between cybersecurity and your organizational leadership.

A visualization of how to manage organizational risk through leadership

Organizations face two major trends driving both opportunity and risk:

  • Digital disruption: We are living through the fourth industrial revolution, characterized by the fusion of the physical, biological, and digital worlds. This is having a profound impact on all of us as much as the use of steam and electricity changed the lives of farmers and factory owners during early industrialization.
    Tech-disruptors like Netflix and Uber are obvious examples of using the digital revolution to disrupt existing industries, which spurred many industries to adopt digital innovation strategies of their own to stay relevant. Most organizations are rethinking their products, customer engagement, and business processes to stay current with a changing market.
  • Cybersecurity: Organizations face a constant threat to revenue and reputation from organized crime, rogue nations, and freelance attackers who all have their eyes on your organization’s technology and data, which is being compounded by an evolving set of insider risks.

Organizations that understand and manage risk without constraining their digital transformation will gain a competitive edge over their industry peers.

Cybersecurity is both old and new

As your organization pulls cybersecurity into your existing risk framework and portfolio, it is critical to keep in mind that:

  • Cybersecurity is still relatively new: Unlike responding to natural disasters or economic downturns with decades of historical data and analysis, cybersecurity is an emerging and rapidly evolving discipline. Our understanding of the risks and how to manage them must evolve with every innovation in technology and every shift in attacker techniques.
  • Cybersecurity is about human conflict: While managing cyber threats may be relatively new, human conflict has been around as long as there have been humans. Much can be learned by adapting existing knowledge on war, crime, economics, psychology, and sociology. Cybersecurity is also tied to the global economic, social, and political environments and can’t be separated from those.
  • Cybersecurity evolves fast (and has no boundaries): Once a technology infrastructure is in place, there are few limits on the velocity of scaling an idea or software into a global presence (whether helpful or malicious), mirroring the history of rail and road infrastructures. While infrastructure enables commerce and productivity, it also enables criminal or malicious elements to leverage the same scale and speed in their actions. These bad actors don’t face the many constraints of legitimate useage, including regulations, legality, or morality in the pursuit of their illicit goals. These low barriers to entry on the internet help to increase the volume, speed, and sophistication of cyberattack techniques soon after they are conceived and proven. This puts us in the position of continuously playing catch up to their latest ideas.
  • Cybersecurity requires asset maintenance: The most important and overlooked aspect of cybersecurity is the need to invest in ‘hygiene’ tasks to ensure consistent application of critically important practices.
    One aspect that surprises many people is that software ‘ages’ differently than other assets and equipment, silently accumulating security issues with time. Like a brittle metal, these silent issues suddenly become massive failures when attackers find them. This makes it critical for proactive business leadership to proactively support ongoing technology maintenance (despite no previous visible signs of failure).

Stay pragmatic

In an interconnected world, a certain amount of playing catch-up is inevitable, but we should minimize the impact and probabilities of business impact events with a proactive stance.

Organizations should build and adapt their risk and resilience strategy, including:

  1. Keeping threats in perspective: Ensuring stakeholders are thinking holistically in the context of business priorities, realistic threat scenarios, and reasonable evaluation of potential impact.
  2. Building trust and relationships: We’ve learned that the most important cybersecurity approach for organizations is to think and act symbiotically—working in unison with a shared vision and goal.
    Like any other critical resource, trust and relationships can be strained in a crisis. It’s critical to invest in building strong and collaborative relationships between security and business stakeholders who have to make difficult decisions in a complex environment with incomplete information that is continuously changing.
  3. Modernizing security to protect business operations wherever they are: This approach is often referred to as Zero Trust and helps security enable the business, particularly digital transformation initiatives (including remote work during COVID-19) versus the traditional role as an inflexible quality function.

One organization, one vision

As organizations become digital, they effectively become technology companies and inherit both the natural advantages (customer engagement, rapid scale) and difficulties (maintenance and patching, cyberattack). We must accept this and learn to manage this risk as a team, sharing the challenges and adapting to the continuous evolution.

In the coming blogs, we will explore these topics from the perspective of business leaders and from cybersecurity leaders, sharing lessons learned on framing, prioritizing, and managing risk to stay resilient against cyberattacks.

To learn more about Microsoft Security solutions visit our website.  Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Becoming resilient by understanding cybersecurity risks: Part 1 appeared first on Microsoft Security.

Microsoft announces cloud innovation to simplify security, compliance, and identity

September 22nd, 2020 No comments

2020 will be remembered as a year of historic transformation. The pandemic has changed the way businesses operate and people work. One thing that has not changed is our basic human nature and the need to feel safe. Being safe and feeling safe is what allows us to do more, create more, and have trust in the technology that connects us all.

It’s no wonder, then, that cyber-security is so important right now. Digital security is about people—it’s about empowering defenders to defend and protect employees, data, work, and personal safety. It’s about making people and organizations resilient in an environment of unexpected change, like widespread remote work. Nearly overnight, organizations worldwide have had to enable remote workforces, support rapidly evolving business requirements, and steer to the next normal without knowing what that normal would be.

All of this takes place against a backdrop of advanced threats and adversaries. For example, Microsoft threat intelligence teams recently exposed cyberattacks targeting people and organizations involved in the upcoming U.S. presidential election including unsuccessful attacks on people associated with both presidential campaigns from a variety of foreign activity groups known to Microsoft as Strontium, Zirconium, and Phosphorus.

For those responsible for securing their organization’s digital infrastructure, this has all come on top of what they were already navigating—levels of complexity that often translate into barriers for companies, their people, and the customers they serve. That’s why we’re so passionate about reimagining security, identity, and compliance. We hold a differentiated view among our peers that security should not only encompass all critical aspects of security—including cybersecurity, identity, and compliance – but that these components should be tightly integrated, and built right into the products and platforms that businesses are already using, so that managing safe access, securing data, meeting regulatory requirements and protecting against threats is seamless.

Countless innovative companies like ASOS, CenturyLink, Erie Insurance, Frost Bank, Rabobank, Unilever, Rockefeller Capital Management, Uniper, Komatsu, and The Little Potato Company; and public sector organizations including the US Department of Defense, New Jersey Administrative Office of the Courts, Ashford & St. Peter’s Hospitals (NHS), St. Luke’s, and Durham University are tapping into the Microsoft cloud to help secure their futures. Today we’re delivering a new set of security, compliance, and identity innovations to help all customers simplify and modernize their environments by embracing the reality that the past seven months have likely reshaped the next 10 years of security and digital transformation.

Modern security with a new Microsoft Defender

Poor security posture is often rooted in complexity. Security teams have historically struggled to keep up with threats and signals across a patchwork of poorly integrated solutions that fail to cover the breadth of workloads, clouds, and devices that businesses run on. Fortunately, the cloud has given rise to a new generation of modern security tools that simplify the defender experience by combining signals and automating responses to catch threats that would otherwise go unchecked. The most important emerging tools are Extended Detection and Response (XDR) and cloud-native Security Information & Event Management (SIEM). Most vendors only offer one or the other.

Microsoft offers a unique approach that empowers security professionals with both cloud-native SIEM and XDR tools from a single vendor. This brings a new level of integration that gives defenders the best of both worlds—an end to end visibility across all of their resources and intelligent alerts built with a deep understanding of individual resources, enhanced with human and machine intelligence.

Today we are making the following announcements to simplify the defender experience with modern and integrated capabilities:

  • We are unifying all of our XDR capabilities together and rebranding them as Microsoft Defender, inclusive of Microsoft 365 Defender and Azure Defender.
  • Microsoft Defender offers the broadest resource coverage of any XDR in the industry, spanning identities, endpoints, cloud apps, email and docs, infrastructure, and cloud platforms.
  • Microsoft Defender uses powerful workflows and AI to correlate alerts across attack vectors, provide an end-to-end view of the attack, and automatically heal affected assets.

In addition to bringing our XDR together under Microsoft Defender, we are also announcing new Defender capabilities:

  • Microsoft Defender for Endpoint is now available for all major platforms, with the general availability of protection for Android devices and a preview for iOS.
An image of Microsoft Defender for Endpoint on an Android device.
Microsoft Defender for Endpoint on an Android device
  • Azure Defender has a new unified dashboard experience within Azure Security Center that gives you visibility into your alerts and which resources are currently monitored.
  • Azure Defender has new protections for SQL on-premises, Azure Kubernetes, Azure Key Vault, and IoT.
  • Azure Defender for IoT now protects industrial IoT, Operational Technology (OT), and building management systems (BMS) with the integration of CyberX’s agentless capabilities for securing unmanaged devices acquired in June.

Our cross-domain detection and response capabilities from Microsoft Defender are deeply integrated with our cloud-native SIEM, Azure Sentinel, reducing complexity and increasing visibility so that defenders see what matters when it matters.  In Azure Sentinel we are announcing:

  • Improvements to threat intelligence management and new integrations with threat intelligence partners, including the ability to search, add, and track threat indicators, perform TI look-ups, and enrichments as well as creating watchlists for hunting threats—so you can catch more threats, faster.
  • User and entity behavior analytics that help SecOps detect unknown threats and anomalous behavior of compromised users and insider threats. New insights are unlocked with user and entity behavior profiles that leverage machine learning and Microsoft’s security research.
  • To help Microsoft 365 E5 customers modernize faster, we are offering promotional pricing that will save the typical 3,500 seat deployment $1,500 per month—for a limited time, beginning in November 2020.

ASOS, a leading online fashion retailer, is using Azure Sentinel to detect attacks even while their security team is working remotely during the pandemic.

A headshot of tuart Gregg, Cyber Security Operations Lead, ASOS.
Stuart Gregg, Cyber Security Operations Lead, ASOS

“With everything running through Azure Sentinel, we’ve reduced the time spent on case management and resolution of alerts by approximately 50 percent.” said Stuart Gregg, Cyber Security Operations Lead, ASOS. 

In addition to the XDR and SIEM news, we are enhancing security posture management in Azure Security Center with support for multi-cloud.  Now you can see all your Azure, AWS, and GCP security posture in a unified experience within Azure Security Center. Learn more about today’s Azure security announcements here.

Compliance, simplified

Our compliance cloud solutions help customers more easily navigate today’s biggest risks, from managing data or finding insider threats to dealing with legal issues or even addressing standards and regulations. We’ve listened to customers and invested heavily in a set of solutions to help them modernize and keep pace with the evolving and complex compliance and risk management challenges they face.

  • One of our key investment areas is the set of Data Loss Prevention products in Microsoft 365. We recently announced the public preview of Microsoft Endpoint Data Loss Prevention (DLP), which means customers can now identify and protect data on devices. Today, we are announcing the public preview of integration between Microsoft Cloud App Security and Microsoft Information Protection, which extends Microsoft’s data loss prevention (DLP) policy enforcement framework to third-party cloud apps—such as Dropbox, Box, Google Drive, Webex, and more—for a consistent and seamless compliance experience
  • Customers struggle to keep up with the constantly changing regulations around data protection. To help ease this challenge, we are excited to announce the general availability of Compliance Manager to help businesses simplify compliance and reduce risk by translating complex regulatory requirements to specific controls and through compliance score, get a quantifiable measure of compliance.
A headshot of Edward Contreras, CISO, EVP, Frost Bank.
Edward Contreras, CISO, EVP, Frost Bank

Customers like Frost Bank have found that tracking their compliance score makes compliance easier.

“Compliance is a really interesting field. Typically, you have somebody with a legal background, a risk background, or a security background, but very little technical background. And so trying to translate a regulation so that it fits within a technical environment is very difficult. With Compliance Manager, it actually allowed a lot of the tech talk to be translated for the side, the business side, but it also allowed a lot of the business side to be translated to the tech side. For us, it made the conversation very simple and it made the process almost seamless,” said Edward Contreras, CISO, EVP, Frost Bank.

The power of modern cloud-based identity protection

Nothing has done more to simplify the security challenges of remote work during the pandemic than modern identity solutions and Zero Trust architectures. A July 2020 Microsoft poll found that 94 percent of business leaders have already embarked on a Zero Trust journey. Identity is central to simplifying security today and shaping the next generation of the modern security infrastructure.

Microsoft is pushing the frontier of identity through the introduction of a decentralized model built on open standards to help balance the power between individuals and organizations in ways that enhance digital trust while protecting the privacy and reducing the risk of losing personal data.

  • Today we are announcing a decentralized identity pilot together with the MilGears educational program of the US Department of Defense and Trident at AIU, which helps military veterans and service members enroll in higher education and jumpstart their civilian career.

This technology will significantly reduce the time and effort it takes for veterans to verify their service records and transcripts with universities and employers. It will also help veterans maintain control of their information.

In a pilot of decentralized identity, Trident University can quickly and easily verify transcripts presented by MilGears participants.
In a pilot of decentralized identity, Trident at AIU can quickly and easily verify transcripts presented by MilGears participants.

The simplest way to manage identities and embark on a Zero Trust journey today is with Azure Active Directory (AD)—Microsoft’s cloud identity service, trusted by over 200 thousand organizations. They choose Azure AD for industry-leading security and seamless user experience.

Doug Howell, Director of IT, The Little Potato Company
Doug Howell, Director of IT, The Little Potato Company

No company or industry is immune to attack and everyone deserves modern protection. The Little Potato Company is a family-owned business with 400 employees headquartered in Alberta, Canada that uses Conditional Access as a critical component in its Zero Trust security strategy. The Little Potato Company recently saw the value of Zero Trust security firsthand when a user’s credentials were compromised and used to attempt to access corporate data. Luckily, the company had deployed Azure AD and Conditional Access, which quickly identified and blocked the login attempts from multiple locations and an unfamiliar operating system.

What you can do today

Security is a journey, and we believe in progress over perfection. The key is that every step you take in the process makes your organization safer and simpler. In fact, it makes all of us safer as we work together to stop malicious activity from causing harm and to protect data and privacy in a modern, connected world.

Here are four things you can do today to make your organization safer and more resilient:

  1. Use multi-factor authentication. Move toward passwordless.
  2. Have a plan for keeping software up to date and patch, patch, patch!
  3. Get a handle on all devices connecting to your network, from phones and laptops to edge devices, and how you’re detecting potential threats to all of them.
  4. Use benchmarks and insights like Microsoft Secure Score and Compliance Manager to understand your posture and track your progress.

2020 is marking a moment in time that none of us could have imagined; a moment that has amplified the need for a resilient response to unexpected change, and a moment in which digital safety is paramount to productivity and the peace of mind we all need to be at our best.​ We’re inspired by the way customers are using technology to turn obstacles into innovation, to turn ideas into solutions, and to embrace today’s challenges as an opportunity to build a better, safer world for all.​ That’s why we at Microsoft are reimagining security, identity, and compliance—to empower all people and organizations to thrive.

To learn more about Microsoft Security solutions visit our website.  Bookmark the Microsoft Security blog to keep up with our expert coverage on security matters. Follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Microsoft announces cloud innovation to simplify security, compliance, and identity appeared first on Microsoft Security.

Preventing data loss and mitigating risk in today’s remote work environment

July 21st, 2020 No comments

The shift to remote work over the past few months has increased the need for organizations to re-evaluate their security and risk management practices. With employees accessing corporate data at times on home computers or sharing and collaborating in new ways, organizations could be at greater risk for data leak or other risks.

To help companies with the visibility they need and better protect their data, we are announcing several new capabilities across Microsoft 365 and Azure, including:

  • New Microsoft Endpoint Data Loss Prevention solution in public preview.
  • New features in public preview for Insider Risk Management and Communication Compliance in Microsoft 365.
  • New third-party data connectors in Microsoft Azure Sentinel.
  • New Double Key Encryption for Microsoft 365 in public preview.

Read on to get more information about all these new security and compliance features rolling out starting today.

Announcing Microsoft Endpoint Data Loss Prevention (DLP)

Having the right data protection and governance approach is critical to not only addressing regulatory compliance and privacy, but also to mitigating data leak and risk. Microsoft Information Protection helps you to identify your data and ensure you have the right data classification in place to properly protect and govern that data, which enables you to apply data loss prevention (DLP) to enforce policies against that data. Data Loss Prevention solutions help prevent data leaks and provide context-based policy enforcement for data at rest, in use, and in motion on-premises and in the cloud. Microsoft 365 already includes built-in data loss prevention capabilities in Microsoft Teams, SharePoint, Exchange, and OneDrive, as well as for third-party cloud apps with Microsoft Cloud App Security.

Today we are excited to announce that we are now extending data loss prevention to the endpoint with the public preview of the new Microsoft Endpoint Data Loss Prevention (DLP). Endpoint DLP builds on the labeling and classification in Microsoft Information Protection and extends the existing DLP capabilities in Microsoft 365, helping you to meet compliance requirements and protect sensitive information on endpoints.

Built into Windows 10, Microsoft Edge, and the Office apps, Endpoint DLP provides data-centric protection for sensitive information without the need for an additional agent, enabling you to prevent risky or inappropriate sharing, transfer, or use of sensitive data in accordance with your organization’s policies. For example, organizations can now prevent copying sensitive content to USB drives or print sensitive documents.  The sensitive content labeling integration ensures consistency across all data types and reduces false positive and false negatives within DLP. Microsoft Edge works with Endpoint DLP to extend visibility and control into third-party cloud apps and services. Also, because Endpoint DLP builds on the existing DLP capabilities in Microsoft 365, you immediately get insights when sensitive data is accessed and shared directly from the Activity Explorer in the Microsoft 365 compliance center.

An image showing how you can manage your data loss prevention policies across Microsoft 365 from one location – the Microsoft 365 compliance center.

Figure 1: You can manage your data loss prevention policies across Microsoft 365 from one location – the Microsoft 365 compliance center.

The Microsoft 365 Compliance Center also now provides a single, integrated console to manage DLP policies across Microsoft 365, including endpoints.  The public preview of Endpoint DLP will begin rolling out today. For more information, check out the Tech Community blog.

New features to help you to address insider risk and code of conduct violations

Remote work, while keeping employees healthy during this time, also increases the distractions end users face, such as shared home workspaces and remote learning for children. According to the SEI CERT institute, user distractions are the cause for many accidental and non-malicious insider risks. The current environment has also significantly increased stressors such as potential job loss or safety concerns, creating the potential for increased inadvertent or malicious leaks.

Today we are pleased to announce the public preview of several new features that further enhance the rich set of detection and remediation capabilities available in Insider Risk Management and Communication Compliance in Microsoft 365.

Insider Risk Management

While having broad visibility into signals from end-user activities, actions, or communications are important, when it comes to effectively identifying the risks, the quality of signals also matters. In this release, we are significantly expanding the quality of signals that Insider Risk Management reasons over to intelligently flag potentially risky behavior. New categories include expanded Windows 10 signals (e.g., files copied to a USB or transferred to a network share), integration with Microsoft Defender ATP for endpoint security signals, more native signals from across Microsoft 365 (including Microsoft Teams, SharePoint, and Exchange), and enhancements to our native HR connector.

We are also introducing new security policy violation and data leak policy templates to help you to get started quickly and identify an even broader variety of risks.

Finally, we are also increasing integration to help you to take more action on the risks you identify. For example, integration with ServiceNow’s solution provides the ability for Insider Risk Management case managers to directly create ServiceNow tickets for incident managers. In addition, we are also onboarding Insider Risk Management alerts to the Office 365 Activity Management API, which contains information such as alert severity and status (active, investigating, resolved, dismissed). These alerts can then be consumed by security incident event management (SIEM) systems like Azure Sentinel to take further actions such as disabling user access or linking back to Insider Risk Management for further investigation.

For more information on these new features, check out the Tech Community blog.

Communication Compliance

As we embraced the shift to remote work, the volume of communications sent over collaboration platforms has reached an all-time high. Diversity, equity, and inclusion are now center stage. These new scenarios not only heighten a company’s risk exposure from insiders, but also highlight the need to support employees in these challenging times.

Communication Compliance in Microsoft 365 helps organizations to intelligently detect regulatory compliance and code of conduct violations within an organization’s communications, such as workplace threats and harassment, and take quick remediation efforts on policy violations.

Starting to roll out today, Communication Compliance will introduce enhanced insights to make the review process simpler and less time consuming, through intelligent pattern detection to prioritize alerts of repeat offenders, through a global feedback loop to improve our detection algorithms, and through rich reporting capabilities. New features also include additional third-party connectors to extend the capabilities to sources like Bloomberg Message data, ICE Chat data, and more. Additionally, the solution will see improved remediation actions through Microsoft Teams integration, such as the ability to remove messages from the Teams channel.

You can find more information about these new features in the Tech Community blog.

New partner connectors in Microsoft Azure Sentinel

Microsoft Azure Sentinel is a powerful Security Incident and Event Management (SIEM) solution that can help you collect security data across your entire hybrid organization from devices, users, apps, servers, and any cloud. Using these data sources you can build a more complete picture of the threats that your organization faces, conduct deep threat hunts across your environment, and use the power of automation and orchestration in the cloud to help free up your security analysts to focus on their highest-value tasks.

Today we are announcing several new third-party connectors across Azure Sentinel to simplify getting security insights across many leading solutions and partners, including networks, firewalls, endpoint protection, and vulnerability management.

These connectors, which offer sample queries and dashboards, will help collect security data easily and provide security insights immediately.

An image of new partner connectors provide greater visibility into external threats.

Figure 2: New partner connectors provide greater visibility into external threats.

Some of the new partner connectors include Symantec, Qualys, and Perimeter 81. You can see the full list of new connectors and learn more in our Tech Community blog.

Introducing Double Key Encryption for Microsoft 365

In today’s environment, the success of any organization is contingent upon its ability to drive productivity through information sharing while maintaining data privacy and regulatory compliance. Regulations, particularly in the financial services sector, often contain specialized requirements for certain data, which specifies that an organization must control their encryption key.  Typically, a very small percentage of a customer’s data falls into this category, but it is important for our customers to care for that specific data correctly.

To address that regulatory and unique need for some organizations, today we are pleased to announce the public preview of Double Key Encryption for Microsoft 365, which allows you to protect your most confidential data while maintaining full control of your encryption key. Double Key Encryption for Microsoft 365 uses two keys to protect your data, with one key in your control and the second in Microsoft’s control. To view the data, one must have access to both keys. Since Microsoft can access only one key, your data and key are unavailable to Microsoft, helping to ensure the privacy and security of your data.

With Double Key Encryption for Microsoft 365, you not only hold your own key, but this capability also helps you to address many regulatory compliance requirements, easily deploy the reference implementation, and enjoy a consistent labeling experience across your data estate. For more information, check out the Tech Community blog.

Get started today

Endpoint Data Loss Prevention, Insider Risk Management, Communication Compliance, and Double Key Encryption are rolling out in public preview starting today and are a part of Microsoft 365 E5. If you don’t have Microsoft 365 E5, you can get started with a trial today.

In addition, to learn more about the rest of the Microsoft 365 product updates being announced today, check out the Microsoft 365 blog from Jared Spataro.

You can also learn more about how you can modernize your SIEM with Azure Sentinel. 

To learn more about Microsoft Security solutions visit our website.  Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Preventing data loss and mitigating risk in today’s remote work environment appeared first on Microsoft Security.

Protecting your remote workforce from application-based attacks like consent phishing

July 8th, 2020 No comments

The global pandemic has dramatically shifted how people work. As a result, organizations around the world have scaled up cloud services to support collaboration and productivity from home. We’re also seeing more apps leverage Microsoft’s identity platform to ensure seamless access and integrated security as cloud app usage explodes, particularly in collaboration apps such as Zoom, Webex Teams, Box and Microsoft Teams. With increased cloud app usage and the shift to working from home, security and how employees access company resources are even more top of mind for companies.

While application use has accelerated and enabled employees to be productive remotely, attackers are looking at leveraging application-based attacks to gain unwarranted access to valuable data in cloud services. While you may be familiar with attacks focused on users, such as email phishing or credential compromise, application-based attacks, such as consent phishing, is another threat vector you must be aware of.  Today we wanted to share one of the ways application-based attacks can target the valuable data your organization cares about, and what you can do today to stay safe.

Consent phishing: An application-based threat to keep an eye on

Today developers are building apps by integrating user and organizational data from cloud platforms to enhance and personalize their experiences. These cloud platforms are rich in data but in turn have attracted malicious actors seeking to gain unwarranted access to this data. One such attack is consent phishing, where attackers trick users into granting a malicious app access to sensitive data or other resources. Instead of trying to steal the user’s password, an attacker is seeking permission for an attacker-controlled app to access valuable data.

While each attack tends to vary, the core steps usually look something like this:

  1. An attacker registers an app with an OAuth 2.0 provider, such as Azure Active Directory.
  2. The app is configured in a way that makes it seem trustworthy, like using the name of a popular product used in the same ecosystem.
  3. The attacker gets a link in front of users, which may be done through conventional email-based phishing, by compromising a non-malicious website, or other techniques.
  4. The user clicks the link and is shown an authentic consent prompt asking them to grant the malicious app permissions to data.
  5. If a user clicks accept, they will grant the app permissions to access sensitive data.
  6. The app gets an authorization code which it redeems for an access token, and potentially a refresh token.
  7. The access token is used to make API calls on behalf of the user.

If the user accepts, the attacker can gain access to their mail, forwarding rules, files, contacts, notes, profile and other sensitive data and resources.

An image of a Consent screen from a sample malicious app named “Risky App."

Consent screen from a sample malicious app named “Risky App”

How to protect your organization

At Microsoft, our integrated security solutions from identity and access management, device management, threat protection and cloud security enable us to evaluate and monitor trillions of signals to help identify malicious apps. From our signals, we’ve been able to identify and take measures to remediate malicious apps by disabling them and preventing users from accessing them. In some instances, we’ve also taken legal action to further protect our customers.

We’re also continuing to invest in ways to ensure our application ecosystem is secure by enabling customers to set policies on the types of apps users can consent to as well as highlighting apps that come from trusted publishers. While attackers will always persist, there are steps you can take to further protect your organization. Some best practices to follow include:

  • Educate your organization on consent phishing tactics:
    • Check for poor spelling and grammar. If an email message or the application’s consent screen has spelling and grammatical errors, it’s likely to be a suspicious application.
    • Keep a watchful eye on app names and domain URLs. Attackers like to spoof app names that make it appear to come from legitimate applications or companies but drive you to consent to a malicious app. Make sure you recognize the app name and domain URL before consenting to an application.
  • Promote and allow access to apps you trust:
    • Promote the use of applications that have been publisher verified. Publisher verification helps admins and end-users understand the authenticity of application developers. Over 660 applications by 390 publishers have been verified thus far.
    • Configure application consent policies by allowing users to only consent to specific applications you trust, such as application developed by your organization or from verified publishers.
  • Educate your organization on how our permissions and consent framework works:

The increased use of cloud applications has demonstrated the need to improve application security. At Microsoft, we’re committed to building capabilities that proactively protect you from malicious apps while giving you the tools to set policies that balance security and productivity. For additional best practices and safeguards review the Detect and Remediate Illicit Consent Grants in Office 365 and Five steps to securing your identity infrastructure.

Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Protecting your remote workforce from application-based attacks like consent phishing appeared first on Microsoft Security.

Best security, compliance, and privacy practices for the rapid deployment of publicly facing Microsoft Power Apps intake forms

June 29th, 2020 No comments

With the dawn of the COVID-19 pandemic, state and federal agencies around the globe were looking at ways to modernize data intake for social services recipients. The government of a country of about 40 million citizens reached out to Microsoft and asked us to assist in this endeavor. Going paperless eliminates waiting in line at an agency office, and lowers the chance of COVID-19 transmission. The ability to make requests or apply for federal or local assistance online makes the process safer and more efficient, as once data is collected citizens should start receiving funds more accurately and quickly.

Security is a major concern of not only major governments but of other entities using Microsoft Power App intake forms. Organizations and agencies needed to be certain that Microsoft Power App intake forms could not be used to collect data from large, sensitive databases containing personal information like names, addresses, Social Security or national security identification numbers, telephone numbers, or bank account information for direct deposit. If internet-facing forms collect personal information, and are not securely implemented, bad actors can use those forms to cleverly gain access to millions—if not billions—of personal records.

We authored this white paper specifically for those agencies and organizations who are transforming data intake to partially or 100-percent paperless. Microsoft wants to ensure that customers are implementing our technologies with the most secure approach possible, and adhering to compliance with all data privacy laws. Microsoft is also making recommendations in the white paper regarding the best way to implement the NIST Cybersecurity Framework in order to identify, protect, detect, respond, and recover from cybersecurity attacks.

For more information on Microsoft Security Solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Best security, compliance, and privacy practices for the rapid deployment of publicly facing Microsoft Power Apps intake forms appeared first on Microsoft Security.

CISO Stressbusters: Post #2: 4 tips for getting the first 6 months right as a new CISO

June 23rd, 2020 No comments

In your first six months in a new Chief Information Security Officer (CISO) role, you will often be tasked with building a security program. For some of us this is the most exciting part of the job, but it can also be stressful. You’re probably working under a deadline. Plus, it can be difficult to affect change while you’re learning the corporate culture.

In my role as CISO at Mainstay Technologies, I run a team that is responsible for security for each of our clients. I’ve learned a lot about what it takes to create a security program that’s sustainable in different organization types, sizes and industries. In this post, the second in the CISO Stressbusters series, I’ve distilled my learnings into four tips that you can apply to your own organization.

1. What makes your organization tick?

An effective security program requires participation from people across the organization. If you understand what drives decision-making and behavior, it will help you develop a scalable and sustainable plan that will be implemented and accepted into your culture. Talk with and interview team members at all levels of the organization and across departments to understand the shared values that drive the company. Identify how the organization collaborates, how decisions are made, and what your company’s risk tolerance is.

2. Do you know where all your data is? Are you sure?

Before you can implement a new program, you need to understand your current state and the gap that exists between where you are today and standards that must be met. You may need to lower real-world risk, satisfy compliance demands, or likely, both.

Start by identifying data privacy laws that you must comply with (i.e., California Privacy Protect Act or Massachusetts 201 CMR 17) and compliance frameworks that you may be contractually obligated to adhere to (i.e., DFARS NIST 800-171 or CMMC) or select a standard you will align yourself to (i.e., the NIST Cybersecurity Framework). The data that you are trying to protect must be at the core of a discovery effort. Are you protecting classified information, controlled unclassified information, patient health information, personally identifiable information, etc.? Classify it, then identify how it flows and where it lives. Then build defensive layers to protect it.

A risk assessment should be completed that includes your compliance gap analysis as well as a detailed analysis of internal and external threats and vulnerabilities (technical and organizational). This will also help to generate your risk profile: Risk equals probability multiplied by impact.

It’s also helpful to gather tangible evidence when conducting your assessment. Vulnerability, account control, and role-based access reports should all be standard. During your interviews you may hear about very organized data flows. Run a data discovery scan to see what type of data is actually being stored in which locations. Do you know how well trained your staff is? Think about integrating a red team exercise or include physical security tests. Or consider starting with something basic like phishing tests.

When Mainstay engages with a new client, we interview stakeholders to understand how they manage and protect data, and then we verify. When the assessment is complete, we move into mitigation and remediation strategies. This includes developing plans to close technical, administrative, and physical gaps. If you don’t have written information security policies and a system security plan, this should be evident in your assessment and will be part of your remediation strategy. If you don’t know who is in your building or connected to your network, physical controls, and network access controls should be implemented. We often find that data controls aren’t nearly as strong as people think, so when it comes to assessment the best approach is trust but verify.

Microsoft Defender Advanced Threat Protection (ATP) is a great technical example of software that can help you identify and manage threats and vulnerabilities in your environment.

3. Mind the gap

A thorough risk assessment gives you the data you need to start building your information security program. From there, highlight your gaps and build a remediation roadmap with milestones.  Your security posture should increase each step of the way. Work towards a continuous monitoring strategy. Define where you would like your security program to be in six months vs. two years, align with your stakeholders, and build momentum. Prioritize quick wins that you can close out now to help reduce risk immediately.

4. Map everything to the “Why”

Upfront legwork to understand the corporate culture will pay off when it’s time to establish new security policies and training. You will need to embed operational change throughout the organization. To do so requires company buy-in and participation.

Educate executives and business leaders on risk management. Show them how the changes you are recommending will improve ROI. Develop a cross-discipline governance team that reports on cybersecurity risk management at the leadership level. Conduct regular training and check ins to make sure processes are being followed. By distributing the responsibility, you will alleviate the pressure on you and your team, and it will help you build a security culture. A win-win!

Looking ahead

The job of a CISO is stressful. Don’t do it alone. Ally with people in your organization who share your values and can help you achieve your goals. Connect with CISOs from other companies who can commiserate and share advice. And stay tuned for the next CISO Stressbuster post for more advice from other CISOs and security professionals in the trenches.

Did you find these insights helpful? What would you tell your fellow CISOs about overcoming obstacles? What works for you? Please reach out to Diana Kelley on LinkedIn if you’re interested in being interviewed for one of our upcoming posts on CISO insights and stressbusters.

Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post CISO Stressbusters: Post #2: 4 tips for getting the first 6 months right as a new CISO appeared first on Microsoft Security.

Data governance matters now more than ever

April 30th, 2020 No comments

Knowing, protecting, and governing your organizational data is critical to adhere to regulations and meet security and privacy needs. Arguably, that’s never been truer than it is today as we face these unprecedented health and economic circumstances. To help organizations to navigate privacy during this challenging time, Microsoft Chief Privacy Officer Julie Brill shared seven privacy principles to consider as we all collectively move forward in addressing the pandemic.

Organizations are also evaluating security and data governance more than ever before as they try to maintain business continuity amid the crisis. According to a new Harvard Business Review (HBR) research report released today commissioned by Microsoft, 61 percent of organizations struggle to effectively develop strong data security, privacy, and risk capabilities. Together with HBR, we surveyed close to 500 global business leaders across industries, including financial services, tech, healthcare, and manufacturing. The study found that 77 percent of organizations say an effective security, risk, and compliance strategy is essential for business success. However, 82 percent say that securing and governing data is becoming more difficult because of new risks and data management complexities brought on by digital transformation.

In a world in which remote work is the new normal, securing, and governing your company’s most critical data becomes more important than ever before. The increased volume of information and multiple collaboration systems create complexity for managing business records with serious cost and risk implications. As organizations across a variety of industries face ever-increasing regulations, many companies move data to different systems of record to manage them and comply with regulations. However, moving content to a different system, instead of managing it in place, can increase the risk of missing records or not declaring them properly. 

General availability of Microsoft 365 Records Management

Today, we are excited to announce the general availability of Microsoft 365 Records Management to provide you with significantly greater depth in protecting and governing critical data. With Records Management, you can:

  • Classify, retain, review, dispose, and manage content without compromising productivity or data security.
  • Leverage machine learning capabilities to identify and classify regulatory, legal, and business critical records at scale.
  • Help demonstrate compliance with regulations through defensible audit trails and proof of destruction.

You can now access Records Management in the compliance center in Microsoft 365.

Data governance matters now more than ever

Striking the right balance between data governance and productivity: Records Management is built into the Microsoft 365 productivity stack and existing customer workflows, easing the friction that often occurs between enforcing governance controls and user productivity. For example, say your team is working on a contract. Thanks to built-in retention policies embedded in the tools people use every day, they can continue to be productive while collaborating on a contract that has been declared a record—such as sharing, coauthoring, and accessing the record through mobile devices. We have also integrated our disposition process natively into the tools you use every day, including SharePoint and Outlook. Records versioning also makes collaboration on record-declared documents better, so you can track when edits are made to the contract. It allows users to unlock a document with a record label to make edits to it with all records safely retained and audit trails maintained. With Records Management, you can balance rigorous enforcement of data controls with allowing your organization to be fully productive.

Building trust, transparency, and defensibility: Building trust and providing transparency is crucial to managing records. In addition to continuing to audit all events surrounding a record in our audit log, we’re excited to announce the ability to obtain proof of disposal and see all items automatically disposed as part of a record label. Proof of disposal helps provide you with the defensibility you need, particularly to meet legal and regulatory requirements. Learn more in this Microsoft docs page.

Leveraging machine learning for scale: Records Management leverages our broader investments in machine learning across information protection and governance, such as trainable classifiers. With trainable classifiers, you can train the classification engine to recognize data that is unique to your organization. Once you define a record or retention label, you can apply the label to all content that matches a trainable classifier that was previously defined. So, for example, any document that appears to be a contract or have contract-related content will be marked accordingly and automatically classified as a record. For more information on creating trainable classifiers, please see this documentation. Apart from using trainable classifiers, you can also choose to auto-apply retention labels either by matching keywords on the content, its metadata, sensitive information it contains, or as the default for a particular location or folder. These different auto classification methods provide the flexibility you need to manage the constantly increasing volume of data.

Please visit this portal to learn more about Records Management.

Importance of information protection and governance

There’s never been a more important time to ensure your data, especially your most critical data, is protected and governed efficiently and effectively. Records Management is generally available worldwide today, and you can learn even more in our post on Tech Community. Eligible Microsoft 365 E5 customers can start using Records Management in the Compliance Center or learn how to try or buy a Microsoft 365 subscription.

Lastly, as you navigate this challenging time, we have additional resources to help. For more information about securing your organization in this time of crisis, you can visit our Remote Work site. We’re here to help in any way we can.

The post Data governance matters now more than ever appeared first on Microsoft Security.

Managing risk in today’s IoT landscape: not a one-and-done

April 28th, 2020 No comments

image for Halina's Blog Post_updated-BANNER

The reality of securing IoT over time

It’s difficult to imagine any aspect of everyday life that isn’t affected by the influence of connectivity. The number of businesses that are using IoT is growing at a fast pace. By 2021, approximately 94 percent of businesses will be using IoT. Connectivity empowers organizations to unlock the full potential of the Internet of Things (IoT)—but it also introduces new cybersecurity attack vectors that they didn’t need to think about before. The reality is, connectivity comes at a cost: attackers with a wide range of motivations and skills are on the hunt, eager to exploit vulnerabilities or weak links in IoT. What does it take to manage those risks?

The cybersecurity threat landscape is ever evolving so a solution’s protection must also evolve regularly in order to remain effective. Securing a device is neither a one-time action nor is it a problem that is solely technical in nature. Implementing robust security measures upfront is not enough—risks need to be mitigated not just once, but constantly and throughout the full lifespan of a device. Facing this threat landscape ultimately means acknowledging that organizations will have to confront the consequences of attacks and newfound vulnerabilities. The question is, how to manage those risks beyond the technical measures that are in place?

A holistic approach to minimizing risk

Securing IoT devices against cyberattacks requires a holistic approach that complements up-front technical measures with ongoing practices that allow organizations to evaluate risks and establish a set of actions and policies that minimize threats over time. Cybersecurity is a multi-dimensional issue that requires the provider of an IoT solution to take several variables into account—it is not just the technology, but also the people who create and manage a product and the processes and practices they put in place, that will determine how resilient it is.

With Azure Sphere, we provide our customers with a robust defense that utilizes the evidence and learnings documented in the Seven Properties of Highly Secured Devices. One of the properties, renewable security, ensures that a device can update to a more secure state even after it has been compromised. As the threat landscape evolves, renewable security also enables us to counter new attack vectors through updates. This is essential, but not sufficient on its own. Our technology investments are enhanced through similar investments in security assurance and risk management that permeate all levels of an organization. The following sections highlight three key elements of our holistic approach to IoT security: continuous evaluation of our security promise, leveraging the power of the security community, and combining cyber and organizational resilience. 

Continuous evaluation of our security promise

All cyberattacks fall somewhere on a spectrum of complexity. On one side of the spectrum are simple and opportunistic attacks. Examples are off-the-shelf malware or attempts to steal data such as credentials. These attacks are usually performed by attackers with limited resources. On the opposite side of the spectrum are threat actors that use highly sophisticated methods to target specific parts of the system. Attackers within this category usually have many resources and can pursue an attack over a longer period of time. Given the multitude of threats across this spectrum, it is important to keep in mind that they all have one thing in common: an attacker faces relatively low risk with potentially very large rewards.

Taking this into account, we believe that in order to protect our customers we need to practice being our own worst enemy. This means our goal is to discover any vulnerabilities before the bad guys do. One proven approach is to test our solution from the same perspective as an attacker. So-called “red teams” are designed to emulate the attacks of adversaries, whereas “purple teams” perform both attacking and defending to harden a product from within.

Our approach to red team exercises is to try to mimic the threat landscape that devices are actually facing. We do this multiple times a year and across the full Azure Sphere stack. This means that our customers benefit from the rigorous security testing of our platform and are able to focus on the security of their own applications. We work with the world’s most renowned security service providers to test our product with a real-world attacker mentality for an extended period of time and from multiple perspectives. In addition, we leverage the full power of Microsoft internal security expertise to conduct regular internal red and purple team exercises. The practice of constantly evaluating our defense and emulating the ever-evolving threat landscape is an important part of our security hygiene—allowing us to find vulnerabilities, update all devices, and mitigate incidents before they even happen.

Leveraging the power of the security community

Another approach to finding vulnerabilities before attackers do is to engage with the cybersecurity community through bounty programs. We encourage security researchers with an interest in Azure Sphere to search for any vulnerabilities and we reward them for it. While our approach to red team exercises ensures regular testing of how we secure Azure Sphere, we also believe in the advantages of the continual and diverse assessment by anyone who is interested, at any point in time.

Security researchers play a significant role in securing our billions of customers across Microsoft, and we encourage the responsible reporting of vulnerabilities based on our Coordinated Vulnerability Disclosure (CVD). We invite researchers from across the world to look for and report any vulnerability through our Microsoft Azure Bounty Program. Depending on the quality of submissions and the level of severity, we award successful reports with up to $40,000 USD. We believe that researchers should be rewarded competitively when they improve the security of our platform, and we maintain these important relationships for the benefit of our customers.

From a risk management perspective, both red and purple team exercises and bug bounties are helpful tools to minimize the risk of attacks. But what happens when an IoT solution provider is confronted with a newly discovered security vulnerability? Not every organization has a cybersecurity incident response plan in place, and 77 percent of businesses do not have a consistently deployed plan. Finding vulnerabilities is important, but it is equally important to prepare employees and equip the organization with processes and practices that allow for a quick and efficient resolution as soon as a vulnerability is found.

Combining cyber and organizational resilience

Securing IoT is not just about preventing attackers from getting in; it’s also about how to respond when they do. Once the technical barrier has been passed, it is the resilience of the organization that the device has to fall back on. Therefore, it is essential to have a plan in place that allows your team to quickly respond and restore security. There are countless possible considerations and moving parts that must all fit together seamlessly as part of a successful cybersecurity incident response. Every organization is different and there is no one-size-fits-all, but a good place to start is with industry best practices such as the National Institute of Standards and Technology (NIST) Computer Security Incident Handling Guide. Azure Sphere’s standard operating procedures are aligned with those guidelines, in addition to leveraging Microsoft battle-tested corporate infrastructure.

Microsoft Security Response Center (MSRC) has been at the front line of security response for more than twenty years. Over time we have learned what it means to successfully protect our customers from harm from vulnerabilities in our products, and we are able to rapidly drive back attacks against our cloud infrastructure. Security researchers and customers are provided with an easy way to report any vulnerabilities and MSRC best-in-class security experts are monitoring communications 24/7 to make sure we can fix an issue as soon as possible.

Your people are a critical asset—when they’re educated on how to respond when an incident occurs, their actions can make all the difference. In addition to MSRC capabilities that are available at any time, we require everyone involved in security incident response to undergo regular and extensive training. Trust is easy to build when things are going right. What really matters in the long term is how we build trust when things go wrong. Our security response practices have been defined with that in mind.

Our commitment to managing the risks you are facing

The world will be more connected than it has ever been, and we believe this requires a strong, holistic, and ongoing focus on cybersecurity. Defending against today’s and tomorrow’s IoT threat landscape is not a static game. It requires continual assessment of our promise to secure your IoT solutions, innovation that improves our defense over time, and working with you and the security community. As the threat landscape evolves, so will we. Azure Sphere’s mission is to empower every organization on the planet to connect and create secured and trustworthy IoT devices. When you choose Azure Sphere, you can rely on our team and Microsoft to manage your risk so that you can focus on the true business value of your IoT solutions and products.

If you are interested in learning more about how Azure Sphere can help you securely unlock your next IoT innovation:

The post Managing risk in today’s IoT landscape: not a one-and-done appeared first on Microsoft Security.

Protecting your organization against password spray attacks

April 23rd, 2020 No comments

When hackers plan an attack, they often engage in a numbers game. They can invest significant time pursing a single, high-value target—someone in the C-suite for example and do “spear phishing.” Or if they just need low-level access to gain a foothold in an organization or do reconnaissance, they target a huge volume of people and spend less time on each one which is called “password spray.” Last December Seema Kathuria and I described an example of the first approach in Spear phishing campaigns—they’re sharper than you think! Today, I want to talk about a high-volume tactic: password spray.

In a password spray attack, adversaries “spray” passwords at a large volume of usernames. When I talk to security professionals in the field, I often compare password spray to a brute force attack. Brute force is targeted. The hacker goes after specific users and cycles through as many passwords as possible using either a full dictionary or one that’s edited to common passwords. An even more targeted password guessing attack is when the hacker selects a person and conducts research to see if they can guess the user’s password—discovering family names through social media posts, for example. And then trying those variants against an account to gain access. Password spray is the opposite. Adversaries acquire a list of accounts and attempt to sign into all of them using a small subset of the most popular, or most likely, passwords. Until they get a hit. This blog describes the steps adversaries use to conduct these attacks and how you can reduce the risk to your organization.

Three steps to a successful password spray attack

Step 1: Acquire a list of usernames

It starts with a list of accounts. This is easier than it sounds. Most organizations have a formal convention for emails, such as firstname.lastname@company.com. This allows adversaries to construct usernames from a list of employees. If the bad actor has already compromised an account, they may try to enumerate usernames against the domain controller. Or, they find or buy usernames online. Data can be compiled from past security breaches, online profiles, etc. The adversary might even get some verified profiles for free!

Step 2: Spray passwords

Finding a list of common passwords is even easier. A Bing search reveals that publications list the most common passwords each year. 123456, password, and qwerty are typically near the top. Wikipedia lists the top 10,000 passwords. There are regional differences that may be harder to discovery, but many people use a favorite sports teams, their state, or company as a password. For example, Seahawks is a popular password choice in the Seattle area. Once hackers do their research, they carefully select a password and try it against the entire list of accounts as shown in Figure 1. If the attack is not successful, they wait 30 minutes to avoid triggering a timeout, and then try the next password.

Protecting your organization against password spray attacks

Figure 1:  Password spray using one password across multiple accounts.

Step 3: Gain access

Eventually one of the passwords works against one of the accounts. And that’s what makes password spray a popular tactic—attackers only need one successful password + username combination. Once they have it, they can access whatever the user has access to, such as cloud resources on OneDrive. Or use the exploited account to do internal reconnaissance on the target network and get deeper into the systems via elevation of privilege.

Even if the vast majority of your employees don’t use popular passwords, there is a risk that hackers will find the ones that do. The trick is to reduce the number of guessable passwords used at your organization.

Configure Azure Active Directory (Azure AD) Password Protection

Azure AD Password Protection allows you to eliminate easily guessed passwords and customize lockout settings for your environment. This capability includes a globally banned password list that Microsoft maintains and updates. You can also block a custom list of passwords that are relevant to your region or company. Once enabled, users won’t be able to choose a password on either of these lists, making it significantly less likely that an adversary can guess a user’s password. You can also use this feature to define how many sign-in attempts will trigger a lockout and how long the lockout will last.

Simulate attacks with Office 365 Advanced Threat Protection (Office 365 ATP)

Attack Simulator in Office 365 ATP lets you run realistic, but simulated phishing and password attack campaigns in your organization. Pick a password and then run the campaign against as many users as you want. The results will let you know how many people are using that password. Use the data to train users and build your custom list of banned passwords.

Begin your passwordless journey

The best way to reduce your risk of password spray is to eliminate passwords entirely. Solutions like Windows Hello or FIDO2 security keys let users sign in using biometrics and/or a physical key or device. Get started by enabling Multi-Factor Authentication (MFA) across all your accounts. MFA requires that users sign in with at least two authentication factors: something they know (like a password or PIN), something they are (such as biometrics), and/or something they have (such as a trusted device).

Learn more

We make progress in cybersecurity by increasing how much it costs the adversary to conduct the attack. If we make guessing passwords too hard, hackers will reduce their reliance on password spray.

Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity. For more information about our security solutions visit our website. Or reach out to me on LinkedIn or Twitter.

The post Protecting your organization against password spray attacks appeared first on Microsoft Security.

Defending the power grid against supply chain attacks: Part 3 – Risk management strategies for the utilities industry

April 22nd, 2020 No comments

Over the last fifteen years, attacks against critical infrastructure (figure1) have steadily increased in both volume and sophistication. Because of the strategic importance of this industry to national security and economic stability, these organizations are targeted by sophisticated, patient, and well-funded adversaries.  Adversaries often target the utility supply chain to insert malware into devices destined for the power grid. As modern infrastructure becomes more reliant on connected devices, the power industry must continue to come together to improve security at every step of the process.

Aerial view of port and freeways leading to downtown Singapore.

Figure 1: Increased attacks on critical infrastructure

This is the third and final post in the “Defending the power grid against supply chain attacks” series. In the first blog I described the nature of the risk. Last month I outlined how utility suppliers can better secure the devices they manufacture. Today’s advice is directed at the utilities. There are actions you can take as individual companies and as an industry to reduce risk.

Implement operational technology security best practices

According to Verizon’s 2019 Data Breach Investigations Report, 80 percent of hacking-related breaches are the result of weak or compromised passwords. If you haven’t implemented multi-factor authentication (MFA) for all your user accounts, make it a priority. MFA can significantly reduce the likelihood that a user with a stolen password can access your company assets. I also recommend you take these additional steps to protect administrator accounts:

  • Separate administrative accounts from the accounts that IT professionals use to conduct routine business. While administrators are answering emails or conducting other productivity tasks, they may be targeted by a phishing campaign. You don’t want them signed into a privileged account when this happens.
  • Apply just-in-time privileges to your administrator accounts. Just-in-time privileges require that administrators only sign into a privileged account when they need to perform a specific administrative task. These sign-ins go through an approval process and have a time limit. This will reduce the possibility that someone is unnecessarily signed into an administrative account.

 

Image 2

Figure 2: A “blue” path depicts how a standard user account is used for non-privileged access to resources like email and web browsing and day-to-day work. A “red” path shows how privileged access occurs on a hardened device to reduce the risk of phishing and other web and email attacks. 

  • You also don’t want the occasional security mistake like clicking on a link when administrators are tired or distracted to compromise the workstation that has direct access to these critical systems.  Set up privileged access workstations for administrative work. A privileged access workstation provides a dedicated operating system with the strongest security controls for sensitive tasks. This protects these activities and accounts from the internet. To encourage administrators to follow security practices, make sure they have easy access to a standard workstation for other more routine tasks.

The following security best practices will also reduce your risk:

  • Whitelist approved applications. Define the list of software applications and executables that are approved to be on your networks. Block everything else. Your organization should especially target systems that are internet facing as well as Human-Machine Interface (HMI) systems that play the critical role of managing generation, transmission, or distribution of electricity
  • Regularly patch software and operating systems. Implement a monthly practice to apply security patches to software on all your systems. This includes applications and Operating Systems on servers, desktop computers, mobile devices, network devices (routers, switches, firewalls, etc.), as well as Internet of Thing (IoT) and Industrial Internet of Thing (IIoT) devices. Attackers frequently target known security vulnerabilities.
  • Protect legacy systems. Segment legacy systems that can no longer be patched by using firewalls to filter out unnecessary traffic. Limit access to only those who need it by using Just In Time and Just Enough Access principles and requiring MFA. Once you set up these subnets, firewalls, and firewall rules to protect the isolated systems, you must continually audit and test these controls for inadvertent changes, and validate with penetration testing and red teaming to identify rogue bridging endpoint and design/implementation weaknesses.
  • Segment your networks. If you are attacked, it’s important to limit the damage. By segmenting your network, you make it harder for an attacker to compromise more than one critical site. Maintain your corporate network on its own network with limited to no connection to critical sites like generation and transmission networks. Run each generating site on its own network with no connection to other generating sites. This will ensure that should a generating site become compromised, attackers can’t easily traverse to other sites and have a greater impact.
  • Turn off all unnecessary services. Confirm that none of your software has automatically enabled a service you don’t need. You may also discover that there are services running that you no longer use. If the business doesn’t need a service, turn it off.
  • Deploy threat protection solutions. Services like Microsoft Threat Protection help you automatically detect, respond to, and correlate incidents across domains.
  • Implement an incident response plan: When an attack happens, you need to respond quickly to reduce the damage and get your organization back up and running. Refer to Microsoft’s Incident Response Reference Guide for more details.

Speak with one voice

Power grids are interconnected systems of generating plants, wires, transformers, and substations. Regional electrical companies work together to efficiently balance the supply and demand for electricity across the nation. These same organizations have also come together to protect the grid from attack. As an industry, working through organizations like the Edison Electric Institute (EEI), utilities can define security standards and hold manufacturers accountable to those requirements.

It may also be useful to work with The Federal Energy Regulatory Committee (FERC), The North American Electric Reliability Corporation (NERC), or The United States Nuclear Regulatory Commission (U.S. NRC) to better regulate the security requirements of products manufactured for the electrical grid.

Apply extra scrutiny to IoT devices

As you purchase and deploy IoT devices, prioritize security. Be careful about purchasing products from countries that are motivated to infiltrate critical infrastructure. Conduct penetration tests against all new IoT and IIoT devices before you connect them to the network. When you place sensors on the grid, you’ll need to protect them from both cyberattacks and physical attacks. Make them hard to reach and tamper-proof.

Collaborate on solutions

Reducing the risk of a destabilizing power grid attack will require everyone in the utility industry to play a role. By working with manufacturers, trade organizations, and governments, electricity organizations can lead the effort to improve security across the industry. For utilities in the United States, several public-private programs are in place to enhance the utility industry capabilities to defend its infrastructure and respond to threats:

Read Part 1 in the series: “Defending the power grid against cyberattacks

Read “Defending the power grid against supply chain attacks: Part 2 – Securing hardware and software

Read how Microsoft Threat Protection can help you better secure your endpoints.

Learn how MSRC developed an incident response plan

Bookmark the Security blog to keep up with our expert coverage on security matters. For more information about our security solutions visit our website. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Defending the power grid against supply chain attacks: Part 3 – Risk management strategies for the utilities industry appeared first on Microsoft Security.

NERC CIP Compliance in Azure vs. Azure Government cloud

April 20th, 2020 No comments

As discussed in my last blog post on North American Electric Reliability Corporation—Critical Infrastructure Protection (NERC CIP) Compliance in Azure, U.S. and Canadian utilities are now free to benefit from cloud computing in Azure for many NERC CIP workloads. Machine learning, multiple data replicas across fault domains, active failover, quick deployment and pay for use benefits are now available for these NERC CIP workloads.

Good candidates include a range of predictive maintenance, asset management, planning, modelling and historian systems as well as evidence collection systems for NERC CIP compliance itself.

It’s often asked whether a utility must use Azure Government Cloud (“Azure Gov”) as opposed to Azure public cloud (“Azure”) to host their NERC CIP compliant workloads. The short answer is that both are an option.  There are several factors that bear on the choice.

U.S. utilities can use Azure and Azure Gov for NERC CIP workloads. Canadian utilities can use Azure.

There are some important differences that should be understood when choosing an Azure cloud for deployment.

Azure and Azure Gov are separate clouds, physically isolated from each other. They both offer U.S. regions. All data replication for both can be kept within the U.S.

Azure also offers two Canadian regions, one in Ontario and one in Quebec, with data stored exclusively in Canada.

Azure Gov is only available to verified U.S. federal, state, and local government entities, some partners and contractors. It has four regions: Virginia, Iowa, Arizona and Texas. Azure Gov is available to U.S.-based NERC Registered Entities.

We are working toward feature parity between Azure and Azure Gov. A comparison is provided here.

The security controls are the same for Azure and Azure Gov clouds. All U.S. Azure regions are now approved for FedRAMP High impact level.

Azure Gov provides additional assurances regarding U.S. government-specific background screening requirements. One of these is verification that Azure Gov operations personnel with potential access to Customer Data are U.S. persons. Azure Gov can also support customers subject to certain export controls laws and regulations. While not a NERC CIP requirement, this can impact U.S. utility customers.

Azure Table 1

Under NERC CIP-004, utilities are required to conduct background checks.

Microsoft U.S. Employee Background Screening

Microsoft US Employee Background Screening

Microsoft’s background checks for both Azure and Azure Gov exceed the requirements of CIP 004.

NERC is not prescriptive on the background check that a utility must conduct as part of its compliance policies.

A utility may have a U.S. citizenship requirement as part of its CIP-004 compliance policy which covers both its own staff and the operators of its cloud infrastructure. Thus, if a utility needs U.S. citizens operating its Microsoft cloud in order to meet its own CIP-004 compliance standards, it can use Azure Gov for this purpose.

A utility may have nuclear assets that subject it to U.S. Department of Energy export control requirements (DOE 10 CFR Part 810) on Unclassified Controlled Nuclear Information. This rule covers more than the export of nuclear technology outside the United States, it also covers the transmission of protected information or technology to foreign persons inside the U.S. (e.g., employees of the utility and employees of the utility’s cloud provider).

Since access to protected information could be necessary to facilitate a support request, this should be considered if the customer has DOE export control obligations. Though the NERC assets themselves may be non-nuclear, the utility’s policy set may extend to its entire fleet and workforce regardless of generation technology. Azure Gov, which requires that all its operators be U.S. citizens, would facilitate this requirement.

Azure makes the operational advantages, increased security and cost savings of the cloud available for many NERC CIP workloads. Microsoft provides Azure and Azure Gov clouds for our customers’ specific needs.  Microsoft continues its work with regulators to make our cloud available for more workloads, including those requiring compliance with NERC CIP standards. The utility (Registered Entity) is ultimately responsible for NERC CIP compliance and Microsoft continues to work with customers and partners to simplify the efforts to prepare for audits.

Thanks to Larry Cochrane and Stevan Vidich for their leadership on Microsoft’s NERC CIP compliance viewpoint and architecture. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity. To learn more about our Security solutions visit our website.

 

(c) 2020 Microsoft Corporation. All rights reserved. This document is provided “as-is.” Information and views expressed in this document, including URL and other Internet Web site references, may change without notice. You bear the risk of using it. This document is not intended to communicate legal advice or a legal or regulatory compliance opinion. Each customer’s situation is unique, and legal and regulatory compliance should be assessed in consultation with their legal counsel.

The post NERC CIP Compliance in Azure vs. Azure Government cloud appeared first on Microsoft Security.

New privacy assessments now included in Microsoft Compliance Score

January 27th, 2020 No comments

Keeping up with rapidly changing regulatory requirements has become one of the biggest challenge’s organizations face today. Just as companies finished preparing for the General Data Protection Regulation (GDPR), California’s privacy regulation—California Consumer Privacy Act (CCPA)—went into effect on January 1, 2020. And in August 2020, Brazil’s own GDPR-like regulation, Lei Geral de Proteção de Dados (LGPD), will start to be enforced.

To help you take a proactive role in getting ahead of privacy compliance, we’re announcing new privacy-focused assessments available in the public preview of Microsoft Compliance Score. These new assessments help you assess your compliance posture and provide guidance to implement more effective controls for CCPA, LGPD, ISO/IEC 27701:2019, and SOC 1 Type 2 and SOC 2 Type 2.

To learn more, read Microsoft Compliance Score helps address the ever-changing data privacy landscape.

The post New privacy assessments now included in Microsoft Compliance Score appeared first on Microsoft Security.

Categories: Compliance, Data Privacy Tags:

Microsoft partners with DigiCert to begin deprecating Symantec TLS certificates

Starting in September 2018, Microsoft began deprecating the SSL/TLS capability of Symantec root certificates due to compliance issues. Google, Mozilla, and Apple have also announced deprecation plans related to Symantec SSL/TLS certificates. Symantec cryptographic certificates are used in critical environments across multiple industries. In 2017, DigiCert acquired Symantecs web security business that included their certificate authority business.

Since the compliance issues were identified, Microsoft has been engaged with Symantec and DigiCert to uphold industry-wide compliance expectations and maintain customer trust. DigiCert created the deprecation schedule below in partnership with Microsoft to maintain trust in the industry while minimizing impact to our mutual customers.

During certificate renewal, customers must now replace their current certificate with one signed by a non-Symantec root. Based on the schedule below, Microsoft Edge and Internet Explorer running on Windows 10/Windows Server 2016 will no longer trust certificates signed by the associated root certificate if issued after the TLS NotBefore Date. Any certificates issued prior to this date will continue to be trusted until the certificates natural expiration. Internet Explorer running on legacy Windows versions will not be impacted.

Customers with questions about their certificates or this deprecation schedule are encouraged to contact DigiCert by visiting SSL Certificate Support.

Name Thumbprint Planned TLS NotBefore Date
Symantec Class 3 Public Primary Certification Authority-G6 26A16C235A2472229B23628025BC8097C88524A1 9/30/2018
thawte Primary Root CA-G2 AADBBC22238FC401A127BB38DDF41DDB089EF012 9/30/2018
GeoTrust Universal CA E621F3354379059A4B68309D8A2F74221587EC79 9/30/2018
Symantec Class 3 Public Primary Certification Authority-G4 58D52DB93301A4FD291A8C9645A08FEE7F529282 1/31/2019
VeriSign Class 3 Public Primary Certification Authority-G4 22D5D8DF8F0231D18DF79DB7CF8A2D64C93F6C3A 1/31/2019
GeoTrust Primary Certification Authority-G2 8D1784D537F3037DEC70FE578B519A99E610D7B0 4/30/2019
VeriSign Universal Root Certification Authority 3679CA35668772304D30A5FB873B0FA77BB70D54 4/30/2019
thawte Primary Root CA-G3 F18B538D1BE903B6A6F056435B171589CAF36BF2 4/30/2019
GeoTrust Primary Certification Authority-G3 039EEDB80BE7A03C6953893B20D2D9323A4C2AFD 4/30/2019
GeoTrust 323C118E1BF7B8B65254E2E2100DD6029037F096 4/30/2019
thawte 91C6D6EE3E8AC86384E548C299295C756C817B81 4/30/2019
VeriSign 4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 4/30/2019
GeoTrust Global CA DE28F4A4FFE5B92FA3C503D1A349A7F9962A8212 4/30/2019
VeriSign 132D0D45534B6997CDB2D5C339E25576609B5CC6 4/30/2019

 

The post Microsoft partners with DigiCert to begin deprecating Symantec TLS certificates appeared first on Microsoft Secure.

Categories: Data Privacy Tags:

Use Windows Information Protection (WIP) to help make accidental data leakage a thing of the past

Have you always wished you could have mobile application management (MAM) on Windows?

Now you can!

Windows Information Protection (WIP) is an out-of-the box data leakage prevention feature for Windows 10 that can automatically apply protection for work files and data to prevent accidental data leakage. With 600 million active Windows 10 devices, corporate customers continuing to deploy in earnest throughout 2018, and support for WIP built right into Office 365 ProPlus, its benefits are within easy reach.

Sixty to eighty percent of data leakage is accidental (see ICO data for 2016 and 2017). WIP is a key feature that offers much needed data protection for files at rest on the Windows platform, for any organization with sensitive data, big or small. In todays security ecosystem, companies are spending $93B on security features (enough to host seven Olympic Games!). Yet companies still saw a 29 percent increase in data leakage worldwide between 2016 and 2017. WIP comes as a timely solution.

With Windows 10, Microsoft is providing a fundamental solution to this growing problem. Recognizing that the risk of leak comes from both fully managed devices and personal devices accessing work resources, we designed WIP to be deployed on PC and mobile devices running Windows 10. WIP is designed for organizations of all shapes and sizes, as a scalable solution that works to prevent accidental data leakage for end users.

WIP protects users and organizations from accidental leaks via copy-and-paste, drag-and-drop, removable storage (e.g., USB thumb drives), and unauthorized applications (e.g., non-work cloud storage providers). Windows shell integration appears in clear but unobtrusive ways. Elements like File Ownership are displayed and selectable in Explorer and File Save As dialog. Helpful briefcase icons mark resources when you are in a work context in places like window title bars, and Microsoft Edges navigation bar. Unauthorized applications are blocked from single sign-in with work credentials. WIP also includes the ability to perform selective wipe of business information, while leaving personal data behind.

WIP has three simple policy enforcement modes. It lets you choose how and whether the user experience in the clipboard, save dialog, and similar data-sharing cases have options (overrides) to move work content to non-work context. You can decide to Hide Overrides, Allow Overrides for your users, or even deploy in Silent mode just for auditing. Silent mode does not restrict unmanaged apps from opening work data the way Hide Overrides and Allow Overrides do, so you can get away with configuring less, yet still benefiting from the BYOD selective wipe capability for your work data, such as data downloaded from OneDrive for Business and Outlook email. This means when you or your user decides to unenroll their work account from their personal device, that work data stops being accessible.

WIP policy can be deployed in a few clicks in Microsoft Intune for MAM-only (without enrollment) targeting, MDM (with enrollment), or both. Being able to apply MAM-only policy will help you finally enable BYOD in regions and situations where fully managing the personal device is unacceptable. For companies that are not yet fully in the cloud, WIP policy can also be set on domain-joined computers using System Center Configuration Manager. Then, when youre ready for co-management, you can move the WIP policy management authority to Microsoft Intune.

Your corporate files can also be automatically encrypted with a local key when downloaded to WIP-managed devices. You can do this by configuring your corporate network boundary. Using network isolation policies, you can identify your LAN and corporate cloud resources, which Edge and other applications will use to recognize work sites and encrypt the data that comes from there. This works even better when combined with Conditional Access controls on Exchange Online and SharePoint Online to ensure that only managed devices can reach that data.

Additionally, WIP Learning lets you see the applications you didnt know are used with work data. It reports any app not in your policy that tries to access a work resource. You can see this data in Microsoft Intune or your Windows Analytics portal, if you have Azure Log Analytics (formerly Microsoft Operations Management Suite or OMS). WIP Learning allows you to tune your app policy to add legitimate work apps and even detect apps that should not be trying to access work data. Combined with Silent mode, you can deploy and see the immediate benefit of selective wipe control and auditing, while tuning your app list for different deployment groups in preparation for enabling boundary enforcement.

WIP provides a robust and automatic solution for protecting work data coming to the Windows device, but it also pairs well with Azure Information Protection (AIP). AIP adds the ability to control and help secure email, documents, and sensitive data that are shared, even outside your company and in the Azure cloud. WIP, combined with AIP, provides application-level access control capabilities while preventing unauthorized applications from accessing business information at rest and in flight. At the same time, WIPs simple business vs personal information classification system ensures simplicity and ease of use.

USB flash drives arent the only way data can leave a device. With the app restrictions on accessing work data, you can use WIP to guide users to use Outlook with their corporate email account to send work attachments, and SharePoint or OneDrive for Business to collaborate on work documents. This lets you enhance your overall data protection with Office DLP outbound rules, send email notifications, policy tips, and Office 365 Information Protection for GDPR.

WIP originally shipped in the Windows 10 Anniversary Update (version 1607) and since then, working across Microsoft and with industry, we have made a number of improvements, including:

  1. Support for Office 365 ProPlus, Microsoft Teams, and numerous inbox apps
  2. Simplified management Intune quick setup, WIP Learning for Apps and Network Boundary policy
  3. Manageable as MAM-only (i.e. without full device enrollment)
  4. Improved Recovery (e.g. data access resumes via re-enrollment or re-adding your work account)
  5. AIP integration to enable roaming data on removable storage (e.g. USB thumb drives)
  6. Support from 3rd party apps such as from Citrix (ShareFile), DropBox (desktop sync client), Foxit (Reader, PhantomPDF), and WinZip (WinZip 21, WinZip 22)

With all these features available, WIP is easier than ever to deploy and maintain. Enable this fast, robust, user-friendly security solution to help ensure a more effortlessly secure user experience for your organization.

More information on Windows Information Protection (WIP) found in the following resources:

Building a world without passwords

Nobody likes passwords. They are inconvenient, insecure, and expensive. In fact, we dislike them so much that weve been busy at work trying to create a world without them a world without passwords.

In this blog, we will provide a brief insight into how we at Microsoft have been thinking about solving this problem along with details on solutions that you can try out today.

Password-less

When we think about creating a world without passwords, we want to deliver on two key promises:

  1. User promise: End-users should never have to deal with passwords in their day-to-day lives.
  2. Security promise: User credentials cannot be cracked, breached, or phished.

Passwords have been a big part of our digital lives, and to fully get rid of them, not only do we need to address all that is bad with them, we also need to acknowledge all that is good: they are familiar, portable, and easy to provision.

 

Figure 1. Passwords – Pros vs cons

At its core, our fundamental philosophy is simple: devalue the password, and replace it with something that eradicates its use for the end user and drains its value for an attacker.

Passwords have been a big part of our digital lives. To fully get rid of them, not only do we need to address all that is bad with them, we also need to acknowledge all that is good; they are familiar, portable, and can be used almost everywhere.

So how are we going about it? Well, we break this up into discrete buckets:

Figure 2: Password-less strategy

  1. Develop password-replacement offerings, i.e., replace passwords with a new set of alternatives that address the shortcomings of passwords while embracing their positive attributes.
  2. Reduce user visible password-surface area, i.e., upgrade all experiences related to the entire life-cycle of a users identity (including provisioning of an account, setting up a brand-new device, using the account/device to access apps and websites, recovery, etc.) and ensure these work with password-replacements (#1).
  3. Simulate a password-less world, i.e., enable end users and IT admins to simulate and transition into a password-less world with confidence.
  4. Eliminate passwords from the identity directory, i.e., the final frontier delete passwords from the identity directory.

For more details, watch Microsofts Guide for going password-less.

Heres a quick overview of some of the solutions that you can try out today and how they map to the strategy above.

Password-replacement offerings

Windows Hello

Heres a video that provides a quick overview of Windows Hello, how it is more secure than passwords, and some of newest enhancements.

Windows Hello is being used by over 47 million users worldwide. More than 5,000 businesses have deployed Windows Hello for Business, with adoption on over one million commercial devices.

For more details, refer to www.aka.ms/whfb

Windows Hello is an excellent replacement for passwords on personal PCs. That said, we acknowledge that there are many scenarios that involve shared PCs used by transient users and that provisioning Windows Hello is not ideal. To that end, we have been working hard on lighting up a series of portable credentials that are more suitable for such shared PC scenarios.

Microsoft Authenticator app

The Microsoft Authenticator app enables users to authenticate to their Microsoft account using their mobile phone. It is built on similar secure technology that Windows Hello uses, and packages it into an simple app on your mobile device.

Heres a video that provides a quick overview of Microsoft Authenticator App.

To download the app and learn more, please go to Microsoft Authenticator

Windows Hello and our mobile Authenticator app are both great alternatives to passwords. To create a world without password, we need an interoperable solution that works across all industry platforms and browsers.

Windows Hello and FIDO2 security keys

Microsoft has been aligned with the Fast Identity Online (FIDO) working group from the start. The alliance represents 250 organizations from various industries on a joint mission to replace passwords with an easy-to-use strong credential. With the recent ratification of FIDO2 security keys by the FIDO working group, were updating Windows Hello to enable secure authentication for many new scenarios.

For more details, please check out our latest blog, Windows Hello and FIDO2 Security Keys enable secure and easy authentication for shared devices.

Whats new in the Windows 10 April 2018 Update?

Among many new and exciting features in the Windows 10 April 2018 Update, we set out with the goal to deliver an end-to-end product experience that’s password-less ready. With Windows 10 in S mode, we are enabling our cloud users (Managed Service Account or Azure Active Directory) to be able to go through the entire life-cycle of using their Windows 10 PC with S mode enabled without ever having to enter their passwords. Thats right. Heres how you can try it out.

Windows 10 in S mode Password-less!

  1. Set up your Authenticator App

    1. Install the Microsoft Authenticator app on your mobile device.
    2. Set it up with your Managed Service Account (MSA) and/or Azure Active Directory (Azure AD) account

Note: Upgrade your default way of authenticating from using password to the Microsoft Authenticator app by clicking the Use the Microsoft Authenticator app instead on the login page.

Figure 3: Select Microsoft Authenticator as default sign-in option

  1. Set up your Windows 10 PC with S mode enabled

    1. Install the Windows 10 April 2018 Update with S mode enabled
    2. Proceed through OOBE and set up your account
    3. Use the Microsoft Authenticator app to sign-in to your account. No passwords required!

Note: If you are prompted for a password on this screen, click the Use the Microsoft Authenticator app instead link.

Figure 4: Windows 10 S OOBE with Microsoft Authenticator app

  1. Set up Windows Hello

Figure 5: Windows Hello provisioning

  1. Thats it! Your Windows10 PC is password-less! Just use your device like you normally do.

    1. Access/SSO to your apps and websites will continue to work. No passwords required!

Figure 6: Access apps and websites seamlessly

    1. You will notice that youll be required to use Windows Hello (PIN, Face, Fingerprint) for sign-in/unlocking your PC. No passwords!

Figure 7: No passwords under Sign in options for Windows

    1. The password credential provider will no longer enumerate for Windows scenarios.

In summary, you will be able to set up a brand-new device, provision Windows Hello, log in, lock/unlock, use your favorite apps and websites without ever having to enter a password!

Security Keys for Windows Hello (Private preview for Azure AD-joined shared PCs)

FIDO2 Security keys allow you to carry your credential with you and safely authenticate to an Azure AD-joined Windows 10 shared PC thats part of your organization. A user can walk up to any device belonging to the organization and authenticate in a secure way no need to enter a username and password or set-up Windows Hello beforehand.

See how it works in this video:

The Windows Hello FIDO2 Security Key feature is now in limited preview. Please let us know if you would like to be added to the waitlist.

While we still have a way to go before we can claim victory, with the incredible lineup of products and features in our portfolio along with those in the works, we are confident that we will get there soon. Please send us your comments, questions, and feedback at pwdless@microsoft.com.

 

Karanbir Singh
Principal Program Manager, Enterprise & Security

SSN for authentication is all wrong

October 23rd, 2017 No comments

Unless you were stranded on a deserted island or participating in a zen digital fast chances are youve heard plenty about the massive Equifax breach and the head-rolling fallout. In the flurry of headlines and advice about credit freezes an important part of the conversation was lost: if we didnt misuse our social security numbers, losing them wouldnt be a big deal. Let me explain: most people, and that mainly includes some pretty high-up identity experts that Ive met in my travels, dont understand the difference between identification and verification. In the real world, conflating those two points doesnt often have dire consequences. In the digital world, its a huge mistake that can lead to severe impacts.

Isnt it all just authentication you may ask? Well, yes, identification and verification are both parts of the authentication whole, but failure to understand the differences is where the mess comes in. However, one reason its so hard for many of us to separate identification and verification is that historically we havent had to. Think back to how humans authenticated to each other before the ability to travel long distances came into the picture. Our circle of acquaintances was pretty small and we knew each other by sight and sound. Just by looking at your neighbor, Bob, you could authenticate him. If you met a stranger, chances are someone else in the village knew the stranger and could vouch for her.

The ability to travel long distances changed the equation a bit. We developed documents that provided verification during the initiation phase, for example when you have to bring a birth certificate to the DMV to get your initial drivers license. And ongoing identification like a unique ID and a photo. These documents served as a single identification and verification mechanism. And that was great! Worked fine for years, until the digital age.

The digital age changed the model because rather than one person holding a single license with their photo on it, we had billions of people trying to authenticate to billions of systems with simple credentials like user name and password. And no friendly local villager to vouch for us.

Who are you? Prove it!

This is where the difference between the two really starts to matter. Identification answers the question: Who are you? Your name is an identifier. It could also be an alias, such as your unique employee ID number.

Do you want your name to be private? Imagine meeting another parent at your kids soccer game and refusing to tell them your name for security reasons. How about: Oh your new puppy is so adorable, whats her name? And you respond, If I told you, Id have to kill you. Or you try to find an address in a town with no street signs because the town is super security conscious. Ridiculous, right? Identifiers are public specifically so we can share them to help identify things.

We also want consistency in our identifiers. Imagine if that town had street signs, but changed the names of the streets every 24 hours for security reasons. And uniqueness, if every street had the same name, youd still have a heck of a time finding the right address wouldnt you?

Now that were clear on what the identifier is, we can enumerate a few aspects that make up a really good one:

  • Public
  • Unchanging
  • Unique

In a town or public road, we have a level of trust that the street sign is correct because the local authorities have governance over road signs. Back in our village, we trust Bob is Bob because we can verify him ourselves. But in the digital world, things get pretty tricky how do you verify someone or something youve never met before? Ask them to- Prove It!

We use these two aspects of authentication almost daily when we log into systems with a user ID (identification) and password (verification). How we verify in the real world can be public, unchanging, and unique because its very hard to forge a whole person. Or to switch all the street signs in a town. But verification online is trickier. We need to be able toprovide verification of who we are to a number of entities, many of whom arent great at protecting data. And if the same verification is re-used across entities, and one loses it, attackers could gain access to every site where it was used. This is why experts strongly recommend using unique passwords for every website/app. This goes for those challenge questions too. Which can lead to some fun calls with customer service, Oh, the town where I was born? Its: xja*21njaJK)`jjAQ^. At this point in time our fathers middle name, first pets name, town where we were born, school we went to and address history should be assumed public, using them as secrets for verification doesnt make sense anymore.

If one site loses your digital verification info, no worries. You only used it for that site and can create new info for the next one. What if you couldnt change your password ever? It was permanent and also got lost during the Yahoo! breach? And it was the one you use at your bank, and for your college and car loans, and your health insurance? How would you feel?

So, with that in mind, youd probably agree that the best digital verifiers are:

  • Private
  • Easily changed
  • Unique

Your turn

OK, now that you know the difference between identification and verification and the challenges of verification in a digital world, what do you think – Is your SSN a better identifier or verifier?

Categories: cybersecurity, Data Privacy, Tips & Talk Tags:

Securing the new BYOD frontline: Mobile apps and data

With personal smartphones, tablets, and laptops becoming ubiquitous in the workplace, bring your own device (BYOD) strategies and security measures have evolved. The frontlines have shifted from the devices themselves to the apps and data residing on—or accessed through—them.

Mobile devices and cloud-based apps have undeniably transformed the way businesses operate. But they also introduce new security and compliance risks that must be understood and mitigated. When personal and corporate apps are intermingled on the same device, how can organizations remain compliant and protected while giving employees the best productivity experience? And when corporate information is dispersed among disparate, often unmanaged locations, how can organizations make sure sensitive data is always secured?

Traditional perimeter solutions have proved to be inadequate in keeping up with the stream of new apps available to users. And newer point solutions either require multiple vendors or are just too complex and time-consuming for IT teams to implement. Companies need a comprehensive, integrated method for protecting information—regardless of where it is stored, how it is accessed, or with whom it is shared.

Microsoft’s end-to-end information protection solutions can help reconcile the disparity between user productivity and enterprise compliance and protection. Our identity and access management solutions integrate with existing infrastructure systems to protect access to applications and resources across corporate data centers and in the cloud.

The following Microsoft solutions and technologies provide access control on several levels, offering ample coverage that can be up and running with the simple click of a button:

Identity and access management

Simplify user access with identity-based single sign-on (SSO). Azure Active Directory Premium (Azure AD) syncs with existing on-premises directories to simplify access to any application—even those in the cloud—with a secured, unified identity. No more juggling multiple combinations of user names and passwords. Users sign in only once using an authenticated corporate ID, then receive a token enabling access to resources as long as the token is valid. Azure AD comes pre-integrated with thousands of popular SaaS apps and works seamlessly with iOS, Android, Windows, and PC devices to deliver multi-platform access. Not only does unified identity with SSO simplify user access, it can also reduce the overhead costs associated with operating and maintaining multiple user accounts

Secure and compliant mobile devices

Microsoft Intune manages and protects devices, corporate apps, and data on almost any personal or corporate-owned device. Through Intune mobile device management (MDM) capabilities, IT teams can create and define compliance policies to meet specific business requirements, deploy policies to users or devices, and monitor device and/or user compliance from a single administration console. Intune compliance policies deliver complete visibility into users’ device health, and enable IT to block or restrict access if the device becomes non-compliant. IT administrators also have the option to install device settings that perform remote actions, such as passcode reset, device lock, data encryption, or full wipe of a lost, stolen, or non-compliant device.

Conditional access

Microsoft Intune can also help reinforce access protection by verifying the health of users and devices prior to granting privileges with conditional access policies. Intune policies evaluate user and device health by assessing factors like IP range, the user’s group enrollment, and if the device is managed by Intune and compliant with policies set by administrators. During the policy verification process, Intune blocks the user’s access until the device is encrypted, a passcode is set, and the device is no longer jailbroken or rooted. Intune integrates with cloud services like Office 365 and Exchange to confirm device health and grant access based on health results.

Multi-factor authentication

Multi-factor authentication is a feature built into Azure Active Directory that provides an additional layer of authentication to help make sure only the right people have the right access to corporate applications. It prevents unauthorized access to on-premises and cloud apps with additional authentication required, and offers flexible enforcement based on user, device, or app to reduce compliance risks.

To learn more about BYOD security, download the free eBook, Protect Your Data: 7 Ways to Improve Your Security Posture

 

Microsoft achieves globally recognized ISO/IEC 27018 privacy standard

February 16th, 2015 No comments

Today Microsoft announced its continued commitment to further protect customers’ privacy by obtaining the globally recognized ISO/IEC 27018 privacy standard for Microsoft Azure, Office 365, and Dynamics CRM Online. This achievement is designed to help assure customers of all sizes, that their most sensitive personal data will receive the strong privacy protections detailed in this standard.

We know that our customers rely on us as their cloud service provider, to continually enhance security, ensure data privacy and manage compliance expectations. There are a lot of certifications to pursue; you can be confident we’ll cut through the clutter and focus on what’s important. Microsoft’s achievement of the ISO 27018 standard will ensure additional practices are put in place to help protect your data. For more details on this important milestone, please read Brad Smith’s blog.