Archive for the ‘Information/data protection’ Category

Work remotely, stay secure—guidance for CISOs

March 12th, 2020

With many employees suddenly working from home, there are things an organization and employees can do to help remain productive without increasing cybersecurity risk.

While employees in this new remote work situation will be thinking about how to stay in touch with colleagues and coworkers using chat applications, shared documents, and replacing planned meetings with conference calls, they may not be thinking about cyberattacks. CISOs and admins need to look urgently at new scenarios and new threat vectors as their organizations become distributed overnight, with less time to make detailed plans or run pilots.

Based on our experiences working with customers who have had to pivot to new working environments quickly, I want to share some of those best practices that help ensure the best protection.

What to do in the short—and longer—term

Enabling official chat tools helps employees know where to congregate for work. If you’re taking advantage of the six months of free premium Microsoft Teams or the removed limits on how many users can join a team or schedule video calls using the “freemium” version, follow these steps for supporting remote work with Teams. The Open for Business Hub lists tools from various vendors that are free to small businesses during the outbreak. Whichever software you pick, provision it to users with Azure Active Directory (Azure AD) and set up single-sign-on, and you won’t have to worry about download links getting emailed around, which could lead to users falling for phishing emails.

You can secure access to cloud applications with Azure AD Conditional Access, protecting those sign-ins with security defaults. Remember to look at any policies you have set already, to make sure they don’t block access for users working from home. For secure collaboration with partners and suppliers, look at Azure AD B2B.

Azure AD Application Proxy publishes on-premises apps for remote availability, and if you use a managed gateway, today we support several partner solutions with secure hybrid access for Azure AD.

While many employees have work laptops they use at home, it’s likely organizations will see an increase in the use of personal devices accessing company data. Using Azure AD Conditional Access and Microsoft Intune app protection policies together helps manage and secure corporate data in approved apps on these personal devices, so employees can remain productive.

Intune automatically discovers new devices as users connect with them, prompting them to register the device and sign in with their company credentials. You could manage more device options, like turning on BitLocker or enforcing password length, without interfering with users’ personal data, like family photos; but be sensitive about these changes and make sure there’s a real risk you’re addressing rather than setting policies just because they’re available.

Read more in Tech Community on ways Azure AD can enable remote work.

You’ve heard me say it time and again when it comes to multi-factor authentication (MFA): 100 percent of your employees, 100 percent of the time. The single best thing you can do to improve security for employees working from home is to turn on MFA. If you don’t already have processes in place, treat this as an emergency pilot and make sure you have support folks ready to help employees who get stuck. As you probably can’t distribute hardware security devices, use Windows Hello biometrics and smartphone authentication apps like Microsoft Authenticator.

Longer term, I recommend security admins consider a program to find and label the most critical data, like Azure Information Protection, so you can track and audit usage when employees work from home. We must not assume that all networks are secure, or that all employees are in fact working from home when working remotely.

Track your Microsoft Secure Score to see how remote working affects your compliance and risk surface. Use Microsoft Defender Advanced Threat Protection (ATP) to look for attackers masquerading as employees working from home, but be aware that access policies looking for changes in user routines may flag legitimate logons from home and coffee shops.

How to help employees

As more organizations adapt to remote work options, supporting employees will require more than just providing tools and enforcing policies. It will be a combination of tools, transparency, and timeliness.

Remote workers have access to data, information, and your network. This increases the temptation for bad actors. Warn your employees to expect more phishing attempts, including targeted spear phishing aimed at high profile credentials. Now is a good time to be diligent, so watch out for urgent requests that break company policy, use emotive language and have details that are slightly wrong—and provide guidance on where to report those suspicious messages.

Establishing a clear communications policy helps employees recognize official messages. For example, video is harder to spoof than email: an official channel like Microsoft Stream could reduce the chance of phishing while making people feel connected. Streaming videos they can view at a convenient time will also help employees juggling personal responsibilities, like school closures or travel schedule changes.

Transparency is key. Some of our most successful customers are also some of our most transparent ones. Employee trust is built on transparency. Providing clear and basic information, including how to protect their devices, will help you and employees stay ahead of threats.

For example, help employees understand why downloading and using consumer or free VPNs is a bad idea. These connections can extract sensitive information from your network without employees realizing. Instead, offer guidance on how to leverage your VPN and how it’s routed through a secure VPN connection.

Employees need a basic understanding of conditional access policies and what their devices need to connect to the corporate network, like up-to-date anti-malware protection. This way employees understand if their access is blocked and how to get the support they need.

Working from home doesn’t mean being isolated. Reassure employees they can be social, stay in touch with colleagues, and still help keep the business secure. Read more about staying productive while working remotely on the Microsoft 365 blog.

The post Work remotely, stay secure—guidance for CISOs appeared first on Microsoft Security.

Data privacy is about more than compliance—it’s about being a good world citizen

January 28th, 2020

Happy Data Privacy Day! Begun in 2007 in the European Union (E.U.) and adopted by the U.S. in 2008, Data Privacy Day is an international effort to encourage better protection of data and respect for privacy. It’s a timely topic given the recent enactment of the California Consumer Privacy Act (CCPA). Citizens and governments have grown concerned about the amount of information that organizations collect, what they are doing with the data, and ever-increasing security breaches. And frankly, they’re right. It’s time to improve how organizations manage data and protect privacy.

Let’s look at some concrete steps you can take to begin that process in your organization. But first, a little context.

The data privacy landscape

Since Data Privacy Day commenced in 2007, the amount of data we collect has increased exponentially. In fact we generate “2.5 quintillion bytes of data per day!” Unfortunately, we’ve also seen a comparable increase in security incidents. There were 5,183 breaches reported in the first nine months of 2019, exposing a total of 7.9 billion records. According to the RiskBased Data Breach QuickView Report 2019 Q3, “Compared to the 2018 Q3 report, the total number of breaches was up 33.3 percent and the total number of records exposed more than doubled, up 112 percent.”

In response to these numbers, governments across the globe have passed or are debating privacy regulations. A few of the key milestones:

  • Between 1998 and 2000, the E.U. and the U.S. negotiated Safe Harbor, a set of privacy principles that governed how to protect data that is transferred across the Atlantic.
  • In 2015, the European Court of Justice overturned Safe Harbor.
  • In 2016, Privacy Shield replaced Safe Harbor and was approved by the courts.
  • In 2018, the General Data Protection Regulation (GDPR) took effect in the E.U.
  • On January 1, 2020, CCPA took effect for businesses that operate in California.

Last year, GDPR levied 27 fines for a total of € 428,545,407 (over $472 million USD). California will also levy fines for violations of CCPA. Compliance is clearly important if your business resides in a region or employs persons in regions protected by privacy regulation. But protecting privacy is also the right thing to do. Companies who stand on the side of protecting the consumer’s data can differentiate themselves and earn customer loyalty.

Don’t build a data privacy program, build a data privacy culture

Before you get started, recognize that improving how your organization manages personal data means building a culture that respects privacy. Break down siloes and engage people across the company. Legal, Marketing, SecOps, IT, Senior Managers, Human Resources, and others all play a part in protecting data.

Embrace the concept that privacy is a fundamental human right—Privacy is recognized as a human right in the U.N. Declaration of Human Rights and the International Covenant on Civil and Political Rights, among other treaties. It’s also built into the constitutions and governing documents of many countries. As you prepare your organization to comply with new privacy regulations, let this truth guide your program.

Understand the data you collect, where it is stored, how it is used, and how it is protected—This is vital if you’re affected by CCPA or GDPR, which require that you disclose to users what data you are collecting and how you are using it. You’re also required to provide data or remove it upon customer request. And I’m not just talking about the data that customers submit through a form. If you’re using a tool to track and collect online user behavior, that also counts.

This process may uncover unused data. If so, revise your data collection policies to improve the quality of your data.

Determine which regulations apply to your business—Companies within the E.U. that do business with customers within the E.U., or employ E.U. citizens, are subject to GDPR. CCPA applies to companies that do business within California and meet one of the following requirements:

  • A gross annual revenue of more than $25 million.
  • Derive more than 50 percent of their annual income from the sale of California consumer personal information or
  • Buy, sell, or share the personal information of more than 50,000 California consumers annually.

Beyond California and the E.U., India is debating a privacy law, and Brazil’s regulations, Lei Geral de Proteção de Dados (LGPD), will go into effect in August 2020. There are also several privacy laws in Asia that may be relevant.

Hire, train, and connect people across your organization—To comply with privacy regulations, you’ll need processes and people in place to address these two requirements:

  1. Californians and E.U. citizens are guaranteed the right to know what personal information is being collected about them; to know whether their personal information is sold or disclosed and to whom; and to access their personal information.
  2. Organizations will be held accountable to respond to consumers’ personal information access requests within a finite timeframe, for both regulations.

The GDPR requires that all companies hire a Data Protection Officer to ensure compliance with the law. But to create an organization that respects privacy, go beyond compliance. New projects and initiatives should be designed with privacy in mind from the ground up. Marketing will need to include privacy in campaigns, SecOps and IT will need to ensure proper security is in place to protect data that is collected. Build a cross-discipline team with privacy responsibilities, and institute regular training, so that your employees understand how important it is.

Be transparent about your data collection policies—Data regulations require that you make clear your data collection policies and provide users a way to opt out (CCPA) or opt in (GDPR). Your privacy page should let users know why the data collection benefits them, how you will use their data, and to whom you sell it. If they sell personal information, California businesses will need to include a “Do not sell my personal information” call to action on the homepage.

A transparent privacy policy creates an opportunity for you to build trust with your customers. Prove that you support privacy as a human right and communicate your objectives in a clear and understandable way. Done well, this approach can differentiate you from your competitors.

Extend security risk management practices to your supply chain—Both the CCPA and the GDPR require that organizations put practices in place to protect customer data from malicious actors. You also must report breaches in a timely manner. If you’re found in noncompliance, large fees can be levied.

As you implement tools and processes to protect your data, recognize that your supply chain also poses a risk. Hackers attack software updates, software frameworks, libraries, and firmware as a means of infiltrating otherwise vigilant organizations. As you strengthen your security posture to better protect customer data, be sure to understand your entire hardware and software supply chain. Refer to the National Institute of Standards and Technology for best practices. Microsoft guidelines for reducing your risk from open source may also be helpful.

Microsoft can help

Microsoft offers several tools and services to help you comply with regional and country level data privacy regulations, including CCPA and GDPR. Bookmark the Security blog and the Compliance and security series to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity and connect with me on LinkedIn.

The post Data privacy is about more than compliance—it’s about being a good world citizen appeared first on Microsoft Security.

How to balance compliance and security with limited resources

November 5th, 2019

Today, many organizations still struggle to adhere to General Data Protection Regulation (GDPR) mandates even though this landmark regulation took effect nearly two years ago. A key learning for some: being compliant does not always mean you are secure. Shifting privacy regulations, combined with limited resources like budgets and talent shortages, add to today’s business complexities. I hear this concern time and again as I travel around the world meeting with our customers to share how Microsoft can empower organizations successfully through these challenges.

Most recently, I sat down with Emma Smith, Global Security Director at Vodafone Group to talk about their own best practices when navigating the regulatory environment. Vodafone Group is a global company with mobile operations in 24 countries and partnerships that extend to 42 more. The company also operates fixed broadband operations in 19 markets, with about 700 million customers. This global reach means they must protect a significant amount of data while adhering to multiple requirements.

Emma and her team have put a lot of time and effort into the strategies and tactics that keep Vodafone and its customers compliant no matter where they are in the world. They’ve learned a lot in this process, and she shared these learnings with me as we discussed the need for organizations to be both secure and compliant, in order to best serve our customers and maintain their trust. You can watch our conversation and hear more in our CISO Spotlight episode.

Cybersecurity enables privacy compliance

As you work to balance compliance with security, keep in mind that, as Emma said, “There is no privacy without security.” If you have separate teams for privacy and security, it’s important that they’re strategically aligned. People only use technology and services they trust, which is why privacy and security go hand in hand.

Vodafone did a security and privacy assessment across all their big data stores to understand where the high-risk data lives and how to protect it. They were then able to implement the same controls for privacy and security. It’s also important to recognize that you will never be immune from an attack, but you can reduce the damage.

Emma offered three recommendations for balancing security with privacy compliance:

  • Develop a risk framework so you can prioritize your efforts.
  • Communicate regularly with the board and executive team to align on risk appetite.
  • Establish the right security capabilities internally and/or through a mix of partners and third parties.

I couldn’t agree more, as these are also important building blocks for any organization as they work to become operationally resilient.

I also asked Emma for her top five steps for becoming compliant with privacy regulations:

  • Comply with international standards first, then address local rules.
  • Develop a clear, board-approved strategy.
  • Measure progress against your strategy.
  • Develop a prioritized program of work with clear outcomes.
  • Stay abreast of new technologies and new threats.

The simplest way to manage your risk is to minimize the amount of data that you store. Privacy assessments will help you know where the data is and how to protect it. Regional and local laws can provide tools to guide your standards. Protecting online privacy and personal data is a big responsibility, but with a risk management approach, you can go beyond the “letter of the law” to better safeguard data and support online privacy as a human right.

Learn more

Watch my conversation with Emma about balancing security with privacy compliance. To learn more about compliance and GDPR, read Microsoft Cloud safeguards individual privacy.

Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

CISO Spotlight Series

Address cybersecurity challenges head-on with 10-minute video episodes that discuss cybersecurity problems and solutions from AI to Zero Trust.

The post How to balance compliance and security with limited resources appeared first on Microsoft Security.

Microsoft announces new innovations in security, compliance, and identity at Ignite

November 4th, 2019

Today, at the Microsoft Ignite Conference, we’re announcing new innovations designed to help customers across their security, compliance, and identity needs. With so much going on at Ignite this week, I want to highlight the top 10 announcements:

  1. Azure Sentinel—We’re introducing new connectors in Azure Sentinel to help security analysts collect data from a variety of sources, including Zscaler, Barracuda, and Citrix. In addition, we’re releasing new hunting queries and machine learning-based detections to assist analysts in prioritizing the most important events.
  2. Insider Risk Management in Microsoft 365—We’re announcing a new insider risk management solution in Microsoft 365 to help identify and remediate threats stemming from within an organization. Now in private preview, this new solution leverages the Microsoft Graph along with third-party signals, like HR systems, to identify hidden patterns that traditional methods would likely miss.
  3. Microsoft Authenticator—We’re making Microsoft Authenticator available to customers as part of the Azure Active Directory (Azure AD) free plan. Deploying Multi-Factor Authentication (MFA) reduces the risk of phishing and other identity-based attacks by 99.9 percent.
  4. New value in Azure AD—Previewing at the end of November, Azure AD Connect cloud provisioning is a new lightweight agent to move identities from disconnected Active Directory (AD) forests to the cloud. Additionally, we’re announcing secure hybrid access partnerships with F5 Networks, Zscaler, Citrix, and Akamai to simplify access to legacy-auth based applications. Lastly, we’re introducing a re-imagined MyApps portal to help make apps more discoverable for end-users.
  5. Microsoft Defender Advanced Threat Protection (ATP)—We’re extending our endpoint detection and response capability in Microsoft Defender ATP to include MacOS, now in preview. We’re also planning to add support for Linux servers.
  6. Azure Security Center—We’re announcing new capabilities to find misconfigurations and threats for containers and SQL in IaaS while providing rich vulnerability assessment for virtual machines. Azure Security Center also provides integration with security alerts from partners and quick fixes for fast remediation.
  7. Microsoft information protection and governance—The compliance center in Microsoft 365 now provides the ability to view data classifications categorized by sensitive information types or associated with industry regulations. Machine learning also allows you to use your existing data to train classifiers that are unique to your organization, such as customer records, HR data, and contracts.
  8. Microsoft Compliance Score—Now in public preview, Microsoft Compliance Score helps simplify regulatory complexity and reduce risk. It maps your Microsoft 365 configuration settings to common regulations and standards, providing continuous monitoring and recommended actions to improve your compliance posture. We’re also introducing a new assessment for the California Consumer Privacy Act (CCPA).
  9. Application Guard for Office—Now available in preview, Application Guard for Office provides hardware-level and container-based protection against potentially malicious Word, Excel, and PowerPoint files. It utilizes Microsoft Defender ATP to establish whether a document is either malicious or trusted.
  10. Azure Firewall Manager—Now in public preview, customers can manage multiple firewall instances from a single pane of glass with Azure Firewall Manager. We’re also creating support for new firewall deployment topologies.

It’s a big week of announcements! More information will follow this blog in the next few days, and we’ll update this post with new content as the week progresses.

Microsoft Ignite

Join us online November 4–8, 2019 to livestream keynotes, watch selected sessions on-demand, and more.

You can see all of our Microsoft Ignite sessions (live streaming or on-demand) and connect with experts on the Microsoft Tech Community.

The post Microsoft announces new innovations in security, compliance, and identity at Ignite appeared first on Microsoft Security.

IoT security will set innovation free: Azure Sphere general availability scheduled for February 2020

October 28th, 2019

Today, at the IoT Solutions World Congress, we announced that Azure Sphere will be generally available in February of 2020. General availability will mark our readiness to fulfill our security promise at scale, and to put the power of Microsoft’s expertise to work for our customers every day—by delivering over a decade of ongoing security improvements and OS updates directly to each device.

Since we first introduced Azure Sphere in 2018, the IoT landscape has quickly expanded. Today, there are more connected things than people in the world: 14.2 billion in 2019, according to Gartner, and this number is expected to hit 20 billion by 2020. Although this number appears large, we expect IoT adoption to accelerate to provide connectivity to hundreds of billions of devices. This massive growth will only increase the stakes for devices that are not secured.

Recent research by Bain & Co. lists security as the leading barrier to IoT adoption. In fact, enterprise customers would buy at least 70 percent more IoT devices if a product addresses their concerns about cybersecurity. According to Bain & Co., enterprise executives, with an innate understanding of the risk that connectivity opens their brands and customers to, are willing to pay a 22 percent premium for secured devices.

Azure Sphere’s mission is to empower every organization on the planet to connect and create secured and trustworthy IoT devices. We believe that for innovation to deliver durable value, it must be built on a foundation of security. Our customers need and expect reliable, consistent security that will set innovation free. To deliver on this, we’ve made several strategic investments and partnerships that make it possible to meet our customers wherever they are on their IoT journey.

Delivering silicon choice to enable heterogeneity at the edge

By partnering with silicon leaders, we can combine our expertise in security with their unique capabilities to best serve a diverse set of customer needs.

MediaTek’s MT3620, the first Azure Sphere certified chip produced, is designed to meet the needs of the more traditional MCU space, including Wi-Fi-enabled scenarios. Today, our customers across industries are adopting the MT3620 to design and produce everything from consumer appliances to retail and manufacturing equipment—these chips are also being used to power a series of guardian modules to securely connect and protect mission-critical equipment.

In June, we announced our collaboration with NXP to deliver a new Azure Sphere certified chip. This new chip will be an extension of their popular i.MX 8 high-performance applications processor series and be optimized for performance and power. This will bring greater compute capabilities to our line-up to support advanced workloads, including artificial intelligence (AI), graphics, and richer UI experiences.

Earlier this month, we announced our collaboration with Qualcomm to deliver the first cellular-enabled Azure Sphere chip. With ultra-low-power capabilities this new chip will light up a broad new set of scenarios and give our customers the freedom to securely connect anytime, anywhere.

Streamlining prototyping and production with a diverse hardware ecosystem

Manufacturers are looking for ways to reduce cost, complexity, and time to market when designing new devices and equipment. Azure Sphere development kits from our partners at Seeed Studios and Avnet are designed to streamline the prototyping and planning when building Azure Sphere devices. When you’re ready to shift gears into production mode, there are a variety of modules by partners including AI-Link, USI, and Avnet to help you reduce costs and accelerate production so you can get to market faster.

Adding secured connectivity to existing mission-critical equipment

Many enterprises are looking to unlock new value from existing equipment through connectivity. Guardian modules are designed to help our customers quickly bring their existing investments online without taking on risk and jeopardizing mission-critical equipment. Guardian modules plug into existing physical interfaces on equipment, can be easily deployed with common technical skillsets, and require no device redesign. The deployment is fast, does not require equipment to be replaced before its end of life, and quickly pays for itself. The first guardian modules are available today from Avnet and AI-Link, with more expected soon.

Empowering developers with the right tools

Developers need tools that are as modern as the experiences they aspire to deliver. In September of 2018, we released our SDK preview for Visual Studio. Since then, we’ve continued to iterate rapidly, making it quicker and simpler to develop, deploy, and debug Azure Sphere apps. We also built out a set of samples and solutions on GitHub, providing easy building blocks for developers to get started. And, as we shared recently, we’ll soon have an SDK for Linux and support for Visual Studio Code. By empowering their developers, we help manufacturers bring innovation to market faster.

Creating a secure environment for running an RTOS or bare-metal code

As manufacturers transform MCU-powered devices by adding connectivity, they want to leverage existing code running on an RTOS or bare-metal. Earlier this year, we provided a secured environment for this code by enabling the M4 core processors embedded in the MediaTek MT3620 chip. Code running on these real-time cores is programmed and debugged using Visual Studio. Using these tools, such code can easily be enhanced to send and receive data via the protection of a partner app running on the Azure Sphere OS, and it can be updated seamlessly in the field to add features or to address issues. Now, manufacturers can confidently secure and service their connected devices, while leveraging existing code for real-time processing operations.

Delivering customer success

Deep partnerships with early customers have helped us understand how IoT can be implemented to propel business, and the critical role security plays in protecting their bottom line, brand, and end users. Today, we’re working with hundreds of customers who are planning Azure Sphere deployments. Here are a few highlights from across retail, healthcare, and energy:

  • Starbucks—In-store equipment is the backbone of not just commerce, but their entire customer experience. To reduce disruptions and maintain a quality experience, Starbucks is partnering with Microsoft to deploy Azure Sphere across its existing mission-critical equipment in stores globally using guardian modules.
  • Gojo—Gojo Industries, the inventor of PURELL Hand Sanitizer, has been driving innovation to improve hygiene compliance in health organizations. Deploying motion detectors and connected PURELL dispensers in healthcare facilities made it possible to quantify hand cleaning behavior and, in turn, to implement better practices. Now, PURELL SMARTLINK Technology is undergoing an upgrade with Azure Sphere to deploy secure and connected dispensers in hospitals.
  • Leoni—Leoni develops cable systems that are central components within critical application fields that manage energy and data for the automotive sector and other industries. To make cable systems safer, more reliable, and smarter, Leoni uses Azure Sphere with integrated sensors to actively monitor cable conditions, creating intelligent and connected cable systems.

Looking forward

We want to empower every organization on the planet to connect and create secure and trustworthy IoT devices. While Azure Sphere leverages deep and extensive Microsoft heritage that spans hardware, software, cloud, and security, IoT is our opportunity to prove we can deliver in a new space. Our work, our collaborations, and our partnerships are evidence of the commitment we’ve made to our customers—to give them the tools and confidence to transform the world with new experiences. As we close in on the milestone achievement of Azure Sphere general availability, we are already focused on how to give our customers greater opportunities to securely shape the future.

The post IoT security will set innovation free: Azure Sphere general availability scheduled for February 2020 appeared first on Microsoft Security.