Archive for the ‘Compliance’ Category

How to improve risk management using Zero Trust architecture

“Compliance is all about risk management and lessening risk, and the same is true of Zero Trust.”

Abbas Kudrati

What’s risk management and why is it important?

Risk management, the process of developing a strategy for addressing risk throughout its lifecycle, normally involves four phases: risk identification, assessment, response, and monitoring and reporting.

Phases of risk management listed as identification, assessment, response, and monitoring and reporting.

Risk management plays a critical role in helping organizations enhance their security posture. Insider incidents, for example, are not only costly to organizations but also time-consuming to contain. Given limited resources, we have seen many organizations prioritize investment in the security controls that address their most critical risks. This maximizes the return on investment (ROI) in protecting the organization’s assets and sustaining its business operations. Risk management is an ongoing activity. Are the long-established risk management programs in enterprises staying on top of the evolving digital and threat landscapes?

With trends like digital transformation, cloud migration, and hybrid work, traditional trust boundaries are getting blurred. Perimeter-driven defense is no longer adequate to protect against the rising number of attack vectors. More attention has been drawn to the Zero Trust security model, which assumes attackers are already in the enterprise environment and encourages organizations to always verify explicitly and enforce least-privilege access.

Why risk management is important: an insider incident costs an average of USD11.45 million and takes an average of 77 days to resolve.

How can Zero Trust architecture help with risk management?

Microsoft offers the following Zero Trust architecture as a reference for customers defending their digital estates.

Zero Trust architecture design.

Let’s look at how Zero Trust architecture can help an organization manage its enterprise risk management practice effectively throughout the four phases:

1. Identification: More thorough asset discovery and risk identification with the six pillars

In the initial step of risk management, organizations need to categorize their systems and the information they process, store, and transmit based on impact analysis. With that prioritization in hand, threats and vulnerabilities to those assets are then identified. The Zero Trust architecture emphasizes full coverage of organization assets across the entire digital estate, with six pillars specified as identity, endpoint, network, data, application, and infrastructure. Following the reference architecture allows organizations to obtain a holistic view of their IT landscapes and the associated risks.

Some questions for organizations to consider during the asset discovery and risk identification phase:

  • What types of structured and unstructured data do you create, process, and store? Are all data classified, labeled, and encrypted?
  • What applications do you access? Are they in the cloud or on-premises?
  • What types of infrastructure do you manage—in the cloud or on-premises?
  • Who has access to your resources, including network, data, applications, and infrastructure? Are they internal or external stakeholders, human or non-human actors? How are the authentication and authorization of the identities enforced?
  • From which endpoints is access to your resources allowed? Are they owned by the company or by individuals? How is device management performed and compliance reviewed?
  • What are the normal and abnormal paths of an identity accessing your resources of any kind?

2. Assessment: Continuous risk assessment as input to access control evaluation and enforcement

Typically, a risk assessment on an information asset is performed periodically or upon major changes. It allows organizations to determine the potential risks and evaluate whether the existing processes and controls are sufficient to lower those risks to an acceptable level. In the more dynamic digital world, where attacks happen at cloud speed, Zero Trust architecture recommends continuous risk assessment: each request shall be intercepted and verified explicitly by analyzing signals on user, location, device compliance, data sensitivity, and application type. In addition, rich intelligence and analytics can be leveraged to detect and respond to anomalies in real time, enabling effective risk management at the request level.

In addition, the security controls included in the Zero Trust architecture enable defense in depth, which shall be taken into consideration during regular risk assessment at the system or organizational level. With identity being the new first line of defense, strong multifactor authentication helps to determine whether the actor is who it claims to be, reducing the likelihood of unauthorized access. Device compliance checks then help to reduce the likelihood of actors using compromised or outdated endpoints to access organization resources. In case of a breach, network micro-segmentation based on the least-privilege access principle will minimize the lateral movement of malicious actors, narrowing the attack surface and containing the damage. Encryption of data in transit and at rest renders data unreadable and unusable without the decryption keys, further lessening the impact of data breaches.

3. Response: Real-time responsive measures to mitigate risks throughout the request life cycle

Zero Trust architecture can also be aligned with the four general categories of risk response strategies: tolerate, operate, monitor, and improve. By design, it is recommended that telemetry, state information, and risk assessments from threat protection all feed into the Zero Trust policy engine to enable immediate, automatic response to threats. Upon collection and evaluation of all risk signals from the various sources, Zero Trust policies shall be enforced in real time to allow, deny, restrict, or further authenticate access requests. Such an approach offers great responsiveness to risks detected in real time throughout a request lifecycle, allowing organizations to address risks in a timely manner.
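The request-level evaluation described in the assessment and response phases above, as an added illustration that is not Microsoft's code or any product's policy engine: a small policy evaluator takes the signals the post lists (user risk, location, device compliance, data sensitivity, application type) and returns one of the four outcomes, allow, deny, restrict, or further authenticate; it also logs each decision so the aggregated view used in the monitoring phase can be produced. All signal names, sensitivity tiers, and thresholds are constructed assumptions for the example.

```python
"""Toy Zero Trust policy engine (added example, not Microsoft's code).

Each access request is verified explicitly from its signals, and the first
matching rule decides the outcome. Rules are ordered from most to least
restrictive so that a later permissive rule can never mask a denial.
"""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    RESTRICT = "restrict"                 # e.g. browser-only session, no download
    STEP_UP = "further-authenticate"      # require MFA, then re-evaluate


# Constructed sensitivity tiers, least to most sensitive.
SENSITIVITY = {"public": 0, "general": 1, "confidential": 2, "highly_confidential": 3}


@dataclass
class AccessRequest:
    user: str
    mfa_completed: bool        # strong authentication already done for this session
    user_risk: float           # 0.0 .. 1.0, assumed to come from identity threat protection
    known_location: bool       # request comes from a trusted network or usual geography
    device_compliant: bool     # endpoint passed the device compliance check
    data_sensitivity: str      # key of SENSITIVITY
    app_type: str              # "managed" or "unmanaged" (constructed labels)


@dataclass
class PolicyDecision:
    decision: Decision
    reason: str


def evaluate(req: AccessRequest, deny_risk: float = 0.7, elevated_risk: float = 0.3) -> PolicyDecision:
    """Return the policy outcome for one request. Thresholds are constructed."""
    tier = SENSITIVITY[req.data_sensitivity]
    sensitive = tier >= SENSITIVITY["confidential"]

    # 1. A high-risk identity is denied regardless of the other signals.
    if req.user_risk >= deny_risk:
        return PolicyDecision(Decision.DENY, "user risk at or above deny threshold")

    # 2. A non-compliant device never reaches confidential or higher data.
    if not req.device_compliant and sensitive:
        return PolicyDecision(Decision.DENY, "non-compliant device requesting sensitive data")

    # 3. Sensitive data under elevated risk or from an unfamiliar location, or any
    #    highly confidential data, requires strong authentication before anything else.
    needs_mfa = tier == SENSITIVITY["highly_confidential"] or (
        sensitive and (req.user_risk >= elevated_risk or not req.known_location)
    )
    if needs_mfa and not req.mfa_completed:
        return PolicyDecision(Decision.STEP_UP, "strong authentication required for this request")

    # 4. Residual risk (unmanaged app, non-compliant device on low tiers, or sensitive
    #    data from an unfamiliar location even after MFA) gets a restricted session.
    if req.app_type == "unmanaged" or not req.device_compliant or (sensitive and not req.known_location):
        return PolicyDecision(Decision.RESTRICT, "residual risk: restricted session")

    # 5. Every signal verified explicitly: allow.
    return PolicyDecision(Decision.ALLOW, "all signals verified")


def evaluate_and_log(req: AccessRequest, log: list) -> PolicyDecision:
    """Evaluate a request and record the outcome for monitoring and reporting."""
    result = evaluate(req)
    log.append({
        "user": req.user,
        "sensitivity": req.data_sensitivity,
        "decision": result.decision.value,
        "reason": result.reason,
    })
    return result


def summarize(log: list) -> dict:
    """Aggregate logged decisions into counts per outcome (the reporting view)."""
    counts = {d.value: 0 for d in Decision}
    for entry in log:
        counts[entry["decision"]] += 1
    return counts


if __name__ == "__main__":
    # Constructed sample requests covering each outcome.
    samples = [
        AccessRequest("alice", False, 0.05, True, True, "general", "managed"),
        AccessRequest("bob", True, 0.85, True, True, "public", "managed"),
        AccessRequest("carol", True, 0.10, True, False, "highly_confidential", "managed"),
        AccessRequest("dave", False, 0.10, False, True, "confidential", "managed"),
        AccessRequest("dave", True, 0.10, False, True, "confidential", "managed"),
        AccessRequest("erin", False, 0.05, True, True, "public", "unmanaged"),
    ]
    decisions = []
    for sample in samples:
        outcome = evaluate_and_log(sample, decisions)
        print(f"{sample.user:6} {sample.data_sensitivity:20} -> {outcome.decision.value}: {outcome.reason}")
    print(summarize(decisions))
```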

4. Monitoring and reporting: Visibility at all levels empowering risk monitoring and reporting

Risk monitoring and reporting are also critical components to ensure risk governance and assurance. It is common for organizations to keep risk monitoring and reporting at the system level. With Zero Trust architecture, organizations would benefit from the flexibility of gaining visibility at all levels into risks. At the granular level, risks of a single-user identity or sign-in will be evaluated, logged, and reported. With IT and security tools integrated, other potential breach indicators like a high volume of data access and transfer and malware detection can be associated, allowing the first line of the risk management team to obtain all necessary details for investigation. The rich threat and vulnerability data can be further processed to offer an aggregated view of an organization’s risk posture, making the risk reporting to senior management and auditors more accurate and hassle-free. With the insights generated from risk monitoring and reporting, risk management strategy and policy can be continuously reviewed and improved to stay relevant and effective.

Learn more

Learn more about the Microsoft Zero Trust framework.

Organizations may leverage the free Microsoft Zero Trust Maturity Assessment Quiz to understand their current state of Zero Trust maturity and our recommendations on the next steps. More details of how Microsoft can empower organizations in their Zero Trust journeys can be found in the Zero Trust Essentials eBook.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post How to improve risk management using Zero Trust architecture appeared first on Microsoft Security Blog.

So you want to be a CISO: What you should know about data protection

Data is the lifeblood of any organization. Whether you’re a Chief Information Security Officer (CISO) or aspiring to become one, protecting sensitive business data will be your main priority. But the job isn’t getting any easier. In 2021, the number of data breaches climbed 68 percent to 1,862, costing an average of USD4.24 million each.1 The damage from a breach touches everyone, causing diminished brand equity and consumer trust, decreased shareholder confidence, failed audits, and increased scrutiny from regulatory agencies.

It’s easy to become so preoccupied with protecting against the next ransomware attack that you overlook risks within your own organization. Insider leaks of sensitive data, intellectual property (IP) theft, fraud, regulatory violations—any of these can crash a company (and your career) as quickly as a headline-grabbing breach. Given the breadth of today’s digital estate—on-premises, in the cloud, and at the edge—Microsoft Purview provides the inside-out, integrated approach that an effective CISO needs to reduce the risk of internal and external data breaches before they occur. Here are some things to consider, both when prioritizing for yourself and talking to your board of directors.

Mind your own house—insider threats

As the “Great Resignation” or “Great Reshuffle” rolls on, organizations worldwide are dealing with large numbers of people heading for the exits—and climbing aboard. Results from Microsoft’s most recent Work Trend Index indicate that 43 percent of employees are likely to consider changing jobs in the year ahead. This massive shift in employment status has been accompanied by the “Great Exfiltration.” Many of those transitioning employees will, intentionally or not, be leaving with sensitive data stored on personal devices or accessed through a third-party cloud. During 2021, 15 percent of workers uploaded more corporate data to personal cloud apps as compared to 2020. What’s more alarming, 2021 also saw 8 percent of exiting employees upload more than 100 times their usual data volume.2

As a CISO, you’re responsible for data spread across multiple platforms, devices, and workloads. You’ll need to consider how that technology interacts with your organization’s business processes. That includes having policies in place to prevent data exfiltration, especially if you work in a regulated industry such as finance or healthcare. It starts with asking: Who can access the data? Where should the data reside (or not reside)? How can the data be used? How do we prevent oversharing? A modern data loss prevention (DLP) solution, cloud-native and comprehensive, enables you to centrally manage all your DLP policies across cloud services, devices, and on-premises file shares. Even better, this type of unified DLP solution requires no additional infrastructure or agents, helping to keep costs down.

Even in a time of great change, today’s workplace requires that people remain free to create, manage, and share data across platforms and services. However, the organizations they work for are often constrained by limited resources and strict privacy standards when seeking to mitigate user risks. For that reason, you’ll need tools that can analyze insider threats and provide integrated detection and investigation capabilities. The best solution for insider threats will be:

  • Transparent—balancing user privacy with organizational risk by using privacy-by-design architecture.
  • Configurable—enabling policies based on your industry, geographical location, and business groups.
  • Integrated—maintaining a workflow that’s integrated across all your data, wherever it resides.
  • Actionable—providing insights to enable reviewer notifications, data investigations, and user investigations.

Protecting against insider threats should include templates and policy conditions that define which triggering events and risk indicators require examination. For that reason, your insider-risk solution should be able to look at potential risk patterns across the organization, as well as investigate risky activity with end-to-end workflows. Furthermore, a solution that helps detect code of conduct violations (harassing or threatening language, adult content, and sharing sensitive information) can be a reliable indicator for possible insider threats. Machine learning will help provide greater context around certain words or key phrases, so investigators can speed up remediation.

Automate and integrate your data strategy

Because many organizations resist going all-in on one vendor, most CISOs have to deal with data spread across a patchwork of on-premises and cloud storage. Though clunky, legacy data silos are a fact of life. If large volumes of “dark data” aren’t correctly classified as sensitive, it becomes difficult to protect personally identifiable information (PII) or sensitive corporate IP and to implement data loss prevention policies. A thrifty CISO needs to simplify wherever possible, using a comprehensive solution to help protect the entire digital estate. A good data management solution should provide both the flexibility for users to manually classify their documents and the ability for system administrators to apply auto-labeling and machine learning-trainable classifiers.

  • Data discovery: It’s not unheard of to discover that an employee unknowingly stored a customer’s Social Security Number (SSN) on an unprotected site or a third-party cloud. That’s why you’ll want a data management solution that automatically identifies sensitive data such as PII using built-in sensitive information types and regulatory policy templates, such as those for the General Data Protection Regulation (GDPR) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA). And since sensitive data can land anywhere, the right solution needs to use automation to cast a wide net across on-premises, multicloud, operational, and software as a service (SaaS) data.
  • Data classification: Look for unified built-in labeling that’s already integrated with broadly used applications and services, allowing users to further customize sensitivity levels for their specific needs. The right solution should also allow automatic labeling and policy enforcement across an organization for faster classification and data loss prevention deployment at enterprise scale. In addition, look for unified data management solutions that identify and classify sensitive data found on-premises, multicloud, and SaaS to create a holistic map of your entire data estate.
  • Data governance: You want your organization’s data to be discoverable, trusted, and stored in a location where it can be readily protected. Storing data longer than necessary increases your risk of exposure in a breach. On the other hand, deleting data too quickly can put your organization at risk of regulatory violations. Data retention, records management, and machine learning capabilities solve this problem by classifying data and automatically applying lifecycle policies, helping you manage risk and liability by keeping only the data you need and deleting what you don’t.

Make data protection a team effort

A primary responsibility for any CISO is to protect the organization’s IP, such as software source code, patented designs, creative works—pretty much anything that gives the business a competitive edge. But with the growth of big data and changing regulatory standards, CISOs are also expected to protect user data, such as PII, personal health information (PHI), and payment card industry (PCI) data. Privacy laws are also increasing restrictions on the use, retention, and location of user data, both internally and with third-party vendors.

In addition, hybrid and multicloud services create new challenges by distributing data’s geographic origins, storage locations, and user access points. Today’s CISO needs to work with colleagues in data protection, privacy, IT, HR, legal, and compliance, meaning you may be sharing duties with a Chief Data Officer (CDO), Chief Risk Officer (CRO), Chief Compliance Officer (CCO), and Chief Information Officer (CIO). That’s a lot of acronyms at one table. So, rather than duplicate efforts or compete for territory, an effective CISO should adopt a unified solution for data protection that helps eliminate potential redundancies and keeps the entire security team working off the same script.

Bonus tip—simplify

We all know the days of firewalls and perimeter-based security aren’t coming back. Enabling an effective Zero Trust approach requires the ability to protect data across a multicloud, multiplatform environment. Microsoft’s decision to unify data protection, governance, and compliance capabilities as Microsoft Purview—bringing together the former Microsoft Azure Purview and Microsoft 365 Compliance portfolio under one brand—reflects our belief that organizations need a simpler approach to data protection.

If you’re already a Microsoft 365 E5 or Microsoft 365 E5 Compliance customer, head over to the revamped Microsoft Purview compliance portal to check out some of these changes. If you’re an existing Azure Purview customer, visit the new Microsoft Purview governance portal. To learn more and get started, visit the Microsoft Purview website or start a free trial today.



1 Cost of a Data Breach Report 2021, Ponemon Institute, IBM. 2021.

2 With the ‘Great Resignation’ comes the ‘Great Exfiltration’, Kevin Townsend. January 11, 2022.

The post So you want to be a CISO: What you should know about data protection appeared first on Microsoft Security Blog.

The future of compliance and data governance is here: Introducing Microsoft Purview

April 19, 2022

The worldwide shift to a hybrid workplace has pushed us all to embrace ubiquitous connectivity. Those new connections have helped us become more collaborative; routinely editing and sharing documents in real-time from wherever we happen to be working. Instant messaging went from being a tool of convenience to a cornerstone of communication. People in business, operations, and technical roles became adept at stitching together disparate solutions to meet changing needs.

But constant connectivity brings evolving, inherent risks. Over the past two years, organizations have seen a massive increase in their digital footprint, leading to data fragmentation and growth across a multitude of applications, devices, and locations. The Great Reshuffle left blind spots within ever-enlarging data estates.1 Dark data, which organizations pay to store but which goes underutilized in decision making, is now growing at a rate of 62 percent per year.2 Even the virtual office has created risk, with new collaboration mediums opening doors to harassment, sensitive data leaks, and other workplace policy infractions. It’s a big digital world for any organization to try to manage.

The lines between risk roles are blurring

Just as today’s big-data, multiplatform, hyper-connected workplace brings new vulnerabilities, the responsibility for protecting it is also in flux. For example, an organization with a Chief Data Officer (CDO), Chief Risk Officer (CRO)/Chief Compliance Officer (CCO), Chief Information Security Officer (CISO), and Chief Information Officer (CIO) has to choose whether they will duplicate, compete, or collaborate. Conditions that are driving the need for integrated risk management include:

  • The pandemic: Ongoing decentralized work has reinforced the need for strategic, operational, and business continuity management. All of this requires cross-functional data sharing and coordination.
  • Nation-state attacks: The increasing sophistication and frequency of nation-state attacks is driving collaboration between compliance, data, and security functions.
  • Remote work: Virtual communication spaces require coordination between compliance, IT, and HR.
  • Evolving regulations: New requirements, like those from the Office of Foreign Assets Control (OFAC), the Department of Justice (DOJ), and the European Union Whistleblower Directive, require collaboration among all risk-management leaders.
  • Data sharing: Requirements for continuous access to operational data across functions (read the DOJ’s requirements for compliance programs).
  • Growing CDO responsibilities: The CDO’s role may go beyond data management and protection to include business intelligence, AI, and machine learning. Because this role can overlap with a Chief Analytics Officer (CAO) and CISO, a unified solution for risk management is vital to eliminating redundancies.
  • Governance and compliance: Overlap between information governance, records management, and data collection is driving the need for a comprehensive solution for managing data risk.

“In a tracking survey of over 500 US decision-makers, nearly all (95 percent) are concerned about challenges they face regarding data protection in 2021.”3

The market has responded with dozens of products that force security, data governance, compliance, and legal teams to stitch together a patchwork of solutions. This approach not only strains resources, but it’s also ineffective. Security outcomes are worse—audits are failed and brand reputations are damaged.

“A survey of US decision-makers showed that to meet their compliance and data-protection needs, almost 80 percent had purchased multiple products, and a majority had purchased three or more.”4

Introducing Microsoft Purview 

To meet the challenges of today’s decentralized, data-rich workplace, we’re introducing Microsoft Purview—a comprehensive set of solutions that help you govern, protect, and manage your entire data estate. This new brand family combines the capabilities of the former Azure Purview and the Microsoft 365 Compliance portfolio that customers already rely on, providing unified data governance and risk management for your organization.

The new Microsoft Purview:

  • Helps you gain visibility into assets across your entire data estate.
  • Enables easy access to all your data, security, and risk solutions. 
  • Helps safeguard and manage sensitive data across clouds, apps, and endpoints.
  • Manages end-to-end data risks and regulatory compliance.
  • Empowers your organization to govern, protect, and manage data in new, comprehensive ways. 

Microsoft Purview brings together data governance from Microsoft Data and AI, along with compliance and risk management from Microsoft Security. Microsoft Purview is also complemented by identity and access management, threat protection, cloud security, endpoint management, and privacy management capabilities—creating a truly comprehensive approach to security.

Microsoft Purview at a glance

Chart of new product names within the Microsoft Purview portfolio: Microsoft Purview Audit (Premium), Microsoft Purview Communication Compliance, Microsoft Purview Compliance Manager, and more.

Securing multicloud and multiplatform environments

Because organizations now operate across multiple clouds and on-premises platforms, we’ve expanded Microsoft Purview’s capabilities to include data protection for macOS users, as well as offering new data classifiers, protection for mobile devices, and data lifecycle management.

  • To extend Microsoft Purview’s capabilities for macOS users, we’re excited to announce the general availability (GA) of Microsoft Purview Data Loss Prevention (DLP) for macOS endpoints. Now organizations can extend their endpoint DLP insights and controls to devices running macOS (Catalina or higher). In addition, the preview of restricted app groups for Windows endpoints allows organizations to scope different access restrictions to sensitive files between a set of sanctioned or unsanctioned applications. Learn about Microsoft Purview DLP for macOS endpoints.
  • Before sensitive data can be safely shared, it first needs to be identified. To that end, we’re extending our sensitive information type catalog with more than 50 new classifiers. The new classifiers are available for DLP, Information Protection (auto-labeling), Data Lifecycle Management, Insider Risk Management, Records Management, eDiscovery, and Microsoft Priva. Explore the new data classifiers in Microsoft Purview.
  • With remote users now regularly accessing files from multiple locations, devices, and apps, organizations shouldn’t have to compromise on security for productivity. To help address this, the preview of co-authoring of encrypted documents for mobile devices (iOS and Android) enables multiple users to work simultaneously on Microsoft 365 apps and documents with autosave, allowing for enhanced real-time collaboration and productivity. Learn about co-authoring of encrypted documents.
  • Within any document file’s lifecycle, organizations need to be able to configure retention and deletion settings. To help simplify that process, we’re announcing the preview of multi-stage retention in Microsoft Purview Data Lifecycle Management (formerly Microsoft Information Governance), which automatically applies a new label when an item reaches the end of its retention period. Learn more about multi-stage retention from Microsoft Purview Data Lifecycle Management.

Protecting your business and employees in a hybrid work environment

Employees don’t gather around the water cooler anymore. They’re communicating across digital channels and personal and corporate devices. Microsoft Purview helps protect your organization’s data with Insider Risk Management, eDiscovery, Communication Compliance, and more.

  • Many organizations have had to adapt to a changing workforce during the Great Reshuffle. Recent enhancements to the detection and investigation capabilities of Microsoft Purview Insider Risk Management help provide security teams with additional context and actionable insights to keep data secure, including expanded coverage with Microsoft Defender for Cloud Apps. Learn about Microsoft Purview Insider Risk Management.
  • Sensitive data isn’t confined to business transactions. According to the 2022 Work Trend Index annual report from Microsoft, employees are communicating over a greater variety of digital channels. With so much internal chatter, robust data and document discovery are essential for organizations responding to both internal investigations and external inquiries. To help meet that need, we’re excited to announce additional capabilities for Microsoft Purview eDiscovery (Premium), which improve the identification of relevant data in Microsoft Teams and help manage legal holds with new reporting functionality. Learn about Microsoft Purview eDiscovery.
  • To help organizations maintain a positive work culture and a strong commitment to user privacy, Microsoft Purview Communication Compliance helps detect code of conduct violations (including harassing or threatening language, adult content, and sharing sensitive information). We’re excited to announce new features, including expanded optical character recognition, machine learning model highlighting, reduced detection-to-investigation time, and step-by-step onboarding guidance. Protect your employees and business with Microsoft Purview Communication Compliance.
  • To help organizations save time and manual efforts, we’re excited to announce the general availability of continuous compliance assessments in Microsoft Purview Compliance Manager. This feature allows customers to understand and act on over 150 recommendations across our suite of solutions—increasing customers’ ability to measure and manage their data handling from a single location. Learn more about continuous assessments in Microsoft Purview Compliance Manager.

Enhancing data governance across compliance and privacy imperatives

Microsoft Priva complements Microsoft Purview’s data governance and compliance portfolio. Acting as a separately available privacy management solution that proactively identifies and helps protect against privacy risks, Priva provides visibility into organizations’ privacy postures. This includes associated privacy risks arising from personal data transfers, overexposure, and hoarding. Priva’s policy-driven templates also help customers adhere to common privacy regulations and requirements.

At the same time, Priva provides the flexibility to customize policies for user groups, data locations, conditions, and notifications. As the foundation of enterprise privacy management, Priva automatically recommends risk-remediation actions and subject rights requests at scale—offering built-in review and redact capabilities and integration with business processes and APIs.

We protect data to protect people

Regulations regarding data governance don’t exist in a vacuum. Their purpose is to help create a more ethical digital world. A strong solution is built around strong principles. It’s designed to protect customers’ data, keep employees’ workplaces safe, and protect the business. At Microsoft, we don’t do these things just because they’re required; we do them because they’re right.

There’s no going back to the days of perimeter-based security. Enabling an effective Zero Trust approach requires the ability to govern, protect, and understand data coming from an ever-widening array of endpoints. Similarly, the number of tools we use for work will also grow, and with it the challenge of protecting data and managing risk across a multicloud and multiplatform environment.

The unification of Microsoft’s data governance and compliance capabilities to Microsoft Purview reflects our belief that the world needs a simpler and more unified approach to data. We want to help you get the most out of your data while simultaneously managing risk and compliance. If you’re already a Microsoft 365 E5 or Microsoft 365 E5 Compliance customer, head over to the revamped Microsoft Purview compliance portal to check out some of these changes. If you’re an existing Azure Purview customer, visit the new Microsoft Purview governance portal. To learn more and get started, visit the Microsoft Purview website or start a free trial today.

Join other cybersecurity professionals at the Microsoft Security Summit digital event on May 12, 2022. Hear exciting product announcements and discover solutions you can use to lay the foundation for a safer and more innovative future. Register now.



1 How Microsoft can help reduce insider risk during the Great Reshuffle, Alym Rayani, Microsoft Security. February 28, 2022.

2 Shed light on your dark data before GDPR comes into force, CIO. April 2018.

3 September 2021 survey of 512 US compliance decision-makers commissioned by Microsoft from Vital Findings.

4 February 2022 survey of 200 US compliance decision-makers (n=100 with 599-999 employees, n=100 with 1000+ employees) commissioned by Microsoft with MDC Research.

The post The future of compliance and data governance is here: Introducing Microsoft Purview appeared first on Microsoft Security Blog.

3 strategies to launch an effective data governance plan

March 31, 2022

Aware of the potential risks of sensitive data if not managed properly, you’ve undertaken a data discovery process to learn where it’s all stored. You’ve classified this sensitive data—confidential information like credit card numbers and home addresses collected from customers, prospects, partners, and employees—as either non-business, public, general, confidential, or highly confidential. You’ve assessed the risks to better protect it from exposure and the risk of theft or loss. Your next step is to govern your data. But what does that mean and how do you launch a data governance plan?

Data governance is the process of managing data as a strategic asset. This means setting controls around data, its content, structure, use, and quality. Microsoft considers data governance to be the foundational pillar of an enterprise data strategy. All the preceding steps—data discovery, data classification, and data protection—are necessary to build your plan. When done right, data governance makes it easier for companies to ascertain their data is consistent, trustworthy, and properly used.

Without governance, data drifts into being inconsistent, untrustworthy, or used for purposes nobody approved. To avoid that, ensure that you govern your data properly. Let’s explore three steps to take when building a data governance plan.

1. Set lifecycle controls on sensitive data

Numerous laws and regulations dictate how long you must retain data and in what circumstances you should delete data. Many privacy laws require that you keep personally identifiable information (PII), such as names, identification numbers, home addresses, and IP addresses, only for as long as it has met its original purpose.1

Under GDPR Article 5(1)(c), the data minimization principle requires entities to process only “adequate, relevant and limited” personal data that is “necessary.”2 GDPR also encourages you to pseudonymize and encrypt this personal information.

Your organization’s data governance plan should take these data retention requirements into account. Tracking which file is subject to a retention or deletion regulatory requirement manually would be extremely challenging if not impossible. A better approach is to implement ongoing controls to auto-expire personal data or set up automated reminders to review data periodically to assess whether it’s still in use or active. Another option is to have approvals in place before deleting documents to ensure you’re deleting verified personal data and not inadvertently hurting the business by deleting the wrong content.
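The retention logic described above, as an added example that is not part of the original post and does not model any Microsoft product. The classification labels are the ones the post lists; the retention periods, the review cadence, the approval flag and the sample inventory are assumptions chosen for illustration, and real values must come from legal counsel and your Data Governance Officer.

```python
"""Retention evaluation for classified records (added example; assumptions throughout)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class RetentionRule:
    keep_after_purpose_days: int  # how long data may linger once its purpose is fulfilled
    review_every_days: int        # review cadence while the original purpose is still active
    needs_approval: bool          # deletion of verified personal data needs a human sign-off


# Assumed rules, keyed by the classification labels used in the post.
RULES: Dict[str, RetentionRule] = {
    "highly_confidential": RetentionRule(30, 90, True),
    "confidential": RetentionRule(90, 180, True),
    "general": RetentionRule(365, 365, False),
}


@dataclass
class Record:
    record_id: str
    classification: str
    contains_pii: bool
    purpose_fulfilled: Optional[date]  # None while the data still serves its original purpose
    last_reviewed: date
    deletion_approved: bool = False


def evaluate(record: Record, today: date) -> str:
    """Return the lifecycle action for one record: retain, review, awaiting_approval or delete."""
    rule = RULES.get(record.classification)
    if rule is None or not record.contains_pii:
        return "retain"  # public or non-personal data: no minimization obligation assumed here
    if record.purpose_fulfilled is None:
        # Purpose still active: periodically remind the owner to confirm the data is in use.
        due = record.last_reviewed + timedelta(days=rule.review_every_days)
        return "review" if today >= due else "retain"
    expiry = record.purpose_fulfilled + timedelta(days=rule.keep_after_purpose_days)
    if today < expiry:
        return "retain"
    # Past expiry: delete, but only after approval where the rule demands it, so a
    # mislabelled business record is not destroyed by automation.
    if rule.needs_approval and not record.deletion_approved:
        return "awaiting_approval"
    return "delete"


def plan(records: List[Record], today: date) -> Dict[str, List[str]]:
    """Group record IDs by the action due today; this is what retention automation consumes."""
    out: Dict[str, List[str]] = {"retain": [], "review": [], "awaiting_approval": [], "delete": []}
    for r in records:
        out[evaluate(r, today)].append(r.record_id)
    return out


AS_OF = date(2022, 3, 31)  # evaluation date used by the demo below

# Constructed sample inventory (not real data).
SAMPLE = [
    Record("lead-001", "general", True, date(2021, 1, 1), date(2021, 1, 1)),
    Record("cust-002", "confidential", True, date(2022, 1, 15), date(2022, 1, 15)),
    Record("hr-003", "highly_confidential", True, date(2022, 2, 1), date(2022, 2, 1)),
    Record("hr-004", "highly_confidential", True, date(2022, 2, 1), date(2022, 2, 1), deletion_approved=True),
    Record("lead-005", "general", True, None, date(2021, 1, 1)),
    Record("web-006", "public", False, None, date(2022, 3, 1)),
]

if __name__ == "__main__":
    for action, ids in plan(SAMPLE, AS_OF).items():
        print(f"{action:18} {ids}")
```

The split between `awaiting_approval` and `delete` is the point: automation finds the expired records, but a human confirms that a highly confidential record really is personal data whose purpose has lapsed before anything is destroyed.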

2. Operationalize data governance

After setting lifecycle controls to manage your company’s sensitive data, it’s time to define strategy and figure out how to operationalize the management of your data governance program. Data governance isn’t a set-it-and-forget-it situation. You’ll need ongoing processes to protect and govern sensitive data.

A company’s approach to data retention and deletion will vary with the laws of the countries it operates in and with its own corporate policies. You need to define how often you review, delete, and archive sensitive data. Your company’s Data Governance Officer or legal department can offer guidance on what’s required.

Automating these ongoing operations can ease the burden of management. One opportunity for automation is auto-labeling documents at the appropriate confidentiality level. If data is not labeled as sensitive, you will be unable to locate, identify, or successfully govern it.

3. Manage role-based access

A major tenet of Zero Trust, a security model that assumes breach and verifies each request, is to allow people to access only the resources they need to complete their work. Role-based access control helps you protect resources by managing who has access, what they can do with that access, and which resources they can reach.

Develop a detailed lifecycle for access that covers employees, guests, and vendors. Don’t delegate permission setting to an onboarding manager as they may over-permission or under-permission the role. Another risk with handling identity governance only at onboarding is that this doesn’t address changes in access necessary as employees change roles or leave the company.

Instead, leaders of every part of the organization should determine in advance what access each position needs to do their jobs—no more, no less. Then, your IT and security partner can create role-based access controls for each of these positions. Finally, the compliance team owns the monitoring and reporting to ensure these controls are implemented and followed.

When deciding what data people need to access, consider both what they’ll need to do with the data and what level of access they need to do their jobs. For example, a salesperson will need full access to the customer database, but may need only read access to the sales forecast, and may not need any access to the accounts payable app. It’s about ensuring that people have the right access to the right information at the right time.

Other questions to ask when building your plan include:

  • How do you revoke access when someone no longer needs it due to a role change, offboarding, or another reason?
  • Have you set up recurring and exception-based monitoring and reporting to check what people are doing with the access they have? 
  • Could implementing a permissions management solution help reduce costs and workload to IT while increasing user productivity?
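The access lifecycle described in this section, as an added example that is not part of the original post and does not model any Microsoft product. The role names, resources and permissions are assumptions based on the salesperson illustration above; the point is the joiner, mover and leaver handling, the replace-not-add rule on role change, and time-boxed guest access.

```python
"""Role-based access with a joiner/mover/leaver lifecycle (added example; assumptions throughout)."""
from dataclasses import dataclass
from datetime import date
from enum import Flag, auto
from typing import Dict, List, Optional


class Access(Flag):
    NONE = 0
    READ = auto()
    WRITE = auto()
    FULL = READ | WRITE


# Each role lists only the resources its job needs: no more, no less. Assumed roles.
ROLE_PERMISSIONS: Dict[str, Dict[str, Access]] = {
    "sales_rep": {"customer_db": Access.FULL, "sales_forecast": Access.READ},
    "finance_analyst": {"accounts_payable": Access.FULL, "sales_forecast": Access.READ},
    "external_auditor": {"sales_forecast": Access.READ},  # guest/vendor role: always time-boxed
}


@dataclass
class Assignment:
    role: str
    expires: Optional[date]  # None for employees; required for guests and vendors


class AccessLifecycle:
    """Onboarding, role change and offboarding on top of the role table."""

    def __init__(self) -> None:
        self._assignments: Dict[str, Assignment] = {}

    def onboard(self, user: str, role: str, expires: Optional[date] = None) -> None:
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}; define it before assigning it")
        if role == "external_auditor" and expires is None:
            raise ValueError("guest and vendor access must carry an expiry date")
        self._assignments[user] = Assignment(role, expires)

    def change_role(self, user: str, new_role: str, expires: Optional[date] = None) -> None:
        """A mover gets the new role's access and loses the old role's access.
        Adding instead of replacing is how privilege accumulates over a career."""
        self.onboard(user, new_role, expires)

    def offboard(self, user: str) -> None:
        """A leaver loses everything in one step, not resource by resource."""
        self._assignments.pop(user, None)

    def can(self, user: str, resource: str, needed: Access, today: date) -> bool:
        a = self._assignments.get(user)
        if a is None:
            return False
        if a.expires is not None and today > a.expires:
            return False  # lapsed guest access is denied without anyone remembering to revoke it
        granted = ROLE_PERMISSIONS[a.role].get(resource, Access.NONE)
        return needed in granted

    def standing_access_report(self, today: date) -> List[str]:
        """Lines for the compliance team's recurring review of who holds what."""
        lines = []
        for user, a in sorted(self._assignments.items()):
            state = "EXPIRED" if a.expires is not None and today > a.expires else "active"
            for resource, acc in ROLE_PERMISSIONS[a.role].items():
                lines.append(f"{user}\t{a.role}\t{resource}\t{acc.name}\t{state}")
        return lines


TODAY = date(2022, 3, 31)   # dates used by the demo
NEXT_DAY = date(2022, 4, 1)

if __name__ == "__main__":
    lc = AccessLifecycle()
    lc.onboard("alice", "sales_rep")
    lc.onboard("vendor-bob", "external_auditor", expires=TODAY)
    print(lc.can("alice", "customer_db", Access.WRITE, TODAY))      # True
    print(lc.can("alice", "accounts_payable", Access.READ, TODAY))  # False
    lc.change_role("alice", "finance_analyst")
    print(lc.can("alice", "customer_db", Access.READ, TODAY))       # False: old access gone
    print("\n".join(lc.standing_access_report(NEXT_DAY)))           # vendor-bob shows EXPIRED
```

The report is the artifact auditors ask for: it answers "who has access to what, and is any of it stale" from the same table that enforces the access, so the two cannot drift apart.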

Organizations need to be able to prove to auditors and regulators that privacy policies are being followed and enforced within the company. Restricting access to data and systems based on the roles of individual users, with records of who holds what, can assist with that.

Secure sensitive data with data governance

Data governance ensures that your data is discoverable, accurate, and trusted. Protect your sensitive data by launching a data governance plan that involves setting lifecycle controls of sensitive data, operationalizing data governance, and managing role-based access. As a follow-up to careful data discovery, data classification, and data protection, data governance can help you protect your sensitive data through its entire lifecycle according to industry regulations, which in turn will help you protect your employees, customers, prospects, and partners.


To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.


1GDPR personal data – what information does this cover?, GDPR.

2GDPR Article 5(1)(c), EUR-Lex. 2016.

The post 3 strategies to launch an effective data governance plan appeared first on Microsoft Security Blog.

Microsoft shares 4 challenges of protecting sensitive data and how to overcome them

March 1st, 2022 No comments

Breaches of sensitive data are extremely costly for organizations when you tally data loss, stock price impact, and mandated fines from violations of General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), or other regulations. They also can diminish the trust of those who become the victims of identity theft, credit card fraud, or other malicious activities as a result of those breaches. In 2021, the number of data breaches climbed 68 percent to 1,862 (the highest in 17 years) with an average cost of USD4.24 million each.1 About 45 million people were impacted by healthcare data breaches alone—triple the number impacted just three years earlier.2

Sensitive data is confidential information collected by organizations from customers, prospects, partners, and employees. Common types of sensitive data include credit card numbers, personally identifiable information (PII) like a home address and date of birth, Social Security Numbers (SSNs), corporate intellectual property (IP) like product schematics, protected health information (PHI), and medical record information that could be used to identify an individual.

Every level of an organization—from IT operations and red and blue teams to the board of directors—could be affected by a data breach. How do organizations identify sensitive data at scale and prevent accidental exposure of that data? Let’s look at four of the biggest challenges of sensitive data and strategies for protecting it.

1. Discovering where sensitive data lives

The data discovery process can surprise organizations—sometimes in unpleasant ways. Sensitive data can live in unexpected places within your organization. For instance, an employee may have stored a customer’s SSN in an unprotected Microsoft 365 site or third-party cloud without your knowledge. Of an estimated 294 million people hacked in 2021, about 164 million were at risk because of data exposure events—when sensitive data is left vulnerable online.3   

The only way to ensure that your sensitive data is stored properly is with a thorough data discovery process. Scans for data will pick up those surprise storage locations. However, it’s close to impossible to handle manually.

2. Classifying data to learn what’s most important

That leads right into data classification. Once the data is located, you must assign a value to it as a starting point for governance. The data classification process involves determining data’s sensitivity and business impact so you can knowledgeably assess the risks. This will make it easier to manage sensitive data in ways to protect it from theft or loss.

Microsoft uses the following classifications:

  • Non-business: Data from your personal life that doesn’t belong to Microsoft.
  • Public: Business data freely available and approved for public consumption.
  • General: Business data not meant for a public audience.
  • Confidential: Business data that can cause harm to Microsoft if overshared.
  • Highly confidential: Business data that would cause extensive harm to Microsoft if overshared.

Identifying data at scale is a major challenge, as is enforcing a process so employees manually mark documents as sensitive. Leveraging security products that enable auto-labeling of sensitive data across an enterprise is one method, among several that help overcome these data challenges.

3. Protecting important data

After classifying data as confidential or highly confidential, you must protect it against exposure to nefarious actors. Ultimately, the responsibility of preventing accidental data exposure falls on the Chief Information Security Officer (CISO) and Chief Data Officer. They are accountable for protecting information and sharing data via processes and workflows that enable protection, while also not hindering workplace productivity.

Data leakage protection is a fast-emerging need in the industry. The Allianz Risk Barometer is an annual report that identifies the top risks for companies over the next 12 months. For the 2022 report, Allianz gathered insights from 2,650 risk management experts from 89 countries and territories. Cyber incidents topped the barometer for only the second time in the survey’s history. At 44 percent, cyber incidents ranked higher than business interruptions at 42 percent, natural catastrophes at 25 percent, and pandemic outbreaks at 22 percent.4

4. Governing data to reduce unnecessary data risks

Data governance ensures that your data is discoverable, accurate, trusted, and can be protected. Successfully managing the lifecycle of data requires that you keep data for the right amount of time. You don’t want to store data longer than necessary because that increases the amount of data that could be exposed in a breach. And you don’t want to delete data too quickly and put your organization at risk of regulatory violations. Sometimes, organizations collect personal data to provide better services or other business value. For instance, you may collect personal data from customers who want to learn more about your services. To abide by the data minimization principle, once the data is no longer serving its purpose, it must be deleted.

How to approach sensitive data

The fallout from not addressing these challenges can be serious. Organizations can face big financial or legal consequences from violating laws or requirements. A couple of well-known brands, for instance, were fined hundreds of millions of euros in 2021. One of these fines was related to violating the GDPR’s personal data processing requirements. Another was because of insufficient detail to consumers in a privacy policy about data processing practices. The data protection authorities have issued a total of $1.25 billion in fines over breaches of the GDPR since January 28, 2021.5

Considering the potentially costly consequences, how do you protect sensitive data? As mentioned earlier, data discovery requires locating all the places where your sensitive data is stored. This is much easier with support for sensitive data types that can identify data using built-in or custom regular expressions or functions. Since sensitive data is everywhere, we recommend looking for a multicloud, multi-platform solution that enables you to leverage automation.

For data classification, we advise enforcing a plan through technology rather than relying on users. After all, people are busy, can overlook things, or make errors. Also, organizations can have thousands of sensitive documents, making manual identification and classification of data untenable because the process would be too slow and inaccurate. Look for data classification technology solutions that allow auto-labeling, auto-classification, and enforcement of classification across an organization. Trainable classifiers identify sensitive data using data examples.
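The discovery and auto-classification steps described in this post (sensitive information types built from regular expressions, then a label assigned without relying on users) as an added example. It is not the original post's code and not a Microsoft product API: the patterns, the mapping of findings onto the post's classification levels, and the sample document store are assumptions chosen for illustration. It goes one step beyond the text by validating candidate card numbers with the Luhn check, which is what keeps order numbers and phone numbers from being labeled as card data.

```python
"""Sensitive-data discovery and auto-labeling over a document store (added example)."""
import re
from typing import Dict, List, Tuple

# US SSN: excludes area 000/666/9xx, group 00 and serial 0000, all of which are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate payment card numbers: 13 to 16 digits, optional spaces or dashes between digits.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")


def luhn_valid(digits: str) -> bool:
    """Luhn check: rejects most strings that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four characters so the findings log is not a second copy of the secret."""
    return "*" * (len(value) - 4) + value[-4:]


def scan(text: str) -> Dict[str, List[str]]:
    """Return masked findings grouped by information type; empty types are dropped."""
    findings: Dict[str, List[str]] = {"ssn": [], "card": [], "email": []}
    for m in SSN_RE.finditer(text):
        findings["ssn"].append(mask(m.group()))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            findings["card"].append(mask(digits))
    for m in EMAIL_RE.finditer(text):
        findings["email"].append(mask(m.group()))
    return {k: v for k, v in findings.items() if v}


def label_for(findings: Dict[str, List[str]]) -> str:
    """Assumed mapping onto the post's classification levels."""
    if findings.get("ssn") or findings.get("card"):
        return "Highly confidential"
    if findings.get("email"):
        return "Confidential"
    return "General"


def auto_label(store: Dict[str, str]) -> Dict[str, Tuple[str, Dict[str, List[str]]]]:
    """Scan every document and keep the label plus masked evidence for the audit trail."""
    result = {}
    for path, text in store.items():
        findings = scan(text)
        result[path] = (label_for(findings), findings)
    return result


# Constructed document store standing in for a site crawl (not real data).
DOCS = {
    "sites/sales/notes.txt": "Call back Jane at jane@example.com about the renewal.",
    "sites/hr/onboarding.txt": "New hire SSN 123-45-6789 received via mail.",
    "sites/finance/expenses.txt": "Corporate card 4111 1111 1111 1111 used for travel.",
    "sites/ops/orders.txt": "Order 1234 5678 1234 5678 shipped; ref 000-12-3456.",
    "sites/public/press.txt": "The company announces quarterly results.",
}

if __name__ == "__main__":
    for path, (label, evidence) in auto_label(DOCS).items():
        print(f"{label:20} {path}  {evidence}")
```

Two practitioner details matter here. Evidence is stored masked, because a discovery report listing every SSN it found is itself a highly confidential document. And the orders file stays General even though it contains a 16-digit number and something shaped like an SSN: the Luhn check and the never-issued-range exclusions do the work that a naive regex cannot.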

Some solution providers divorce productivity and compliance and try to merely bolt-on data protection. Instead, we recommend an approach that integrates data protection into your existing processes to protect sensitive data. When considering plan protections, ask: Who can access the data? Where should the data live and where shouldn’t it live? How can the data be used?

Microsoft solutions offer an audit mode in which policy matches are logged and monitored without being blocked, and blocking policies can be configured to let users override them, so protection does not get in the way of the business. Also weigh standing access (identity governance) against protecting the files themselves. Data leakage protection tools can protect sensitive documents wherever they travel, which matters because laws and regulations hold companies accountable.

Explore data protection strategies

Security breaches are very costly. Data discovery, data classification, and data protection strategies can help you find and better protect your company’s sensitive data. Learn more about how to protect sensitive data.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.


1Cost of a Data Breach Report 2021, Ponemon Institute, IBM. 2021.

2Cyberattacks Against Health Plans, Business Associates Increase, Jill McKeon, HealthITSecurity xtelligent Healthcare Media. January 31, 2022.

3Despite Decades of Hacking Attacks, Companies Leave Vast Amounts of Sensitive Data Unprotected, Cezary Podkul, ProPublica. January 25, 2022.

4Allianz Risk Barometer 2022: Cyber perils outrank Covid-19 and broken supply chains as top global business risk, Allianz Risk Barometer. January 18, 2022.

5Fines for breaches of EU privacy law spike sevenfold to $1.2 billion, as Big Tech bears the brunt, Ryan Browne, CNBC. January 17, 2022.

The post Microsoft shares 4 challenges of protecting sensitive data and how to overcome them appeared first on Microsoft Security Blog.

How Microsoft can help reduce insider risk during the Great Reshuffle

February 28th, 2022 No comments

These are exciting and demanding days for organizations adapting to hybrid work realities, including a wider distributed workforce and more rapid change in employee roles. Organizations are becoming more agile as they refocus on employee onboarding and empowerment, opportunities with third-party partners, and cloud transformation. These dramatic shifts drive business resilience and upside in a world still coping with pandemic disruptions.

These workplace shifts test and break an organization’s compliance postures as executive, IT, and risk professionals take stock of resulting gaps and blind spots. Research from Carnegie Mellon University’s CyLab, with support from Microsoft, found that a majority of surveyed organizations had experienced over five malicious insider threat incidents in the last year (69 percent of respondents), and over 10 inadvertent or data misuse incidents (58 percent of respondents).1

Underscoring the stakes of the moment is the business sector’s high-profile challenge: the Great Reshuffle of employee roles and talent. Microsoft’s 2021 Work Trend Index found that 41 percent of the global workforce was considering leaving their employer due to burnout and a lack of workplace flexibility.2 The cyber risk ramifications of reshuffles like this are clear when you consider the data exposure that can occur with a mix of departing employees and new staff unfamiliar with the organization’s security and compliance policies.

The best course of action for navigating the changing data landscape isn’t overly restricting employee access or aggressively punishing small errors. Organizations need a solution that lends employees the access they need while providing IT teams tools to quickly identify risky insider activity. This balance of trust is critical when implementing an insider risk program and can create a culture of empathy that empowers employees to work safely and independently.

We’re excited to announce a few new features that can help organizations better manage their insider risks, while also facilitating a corporate culture of safety and respect.

Improving insider risk management visibility, context, and integrations

Identifying and managing security and data risks inside your organization can be challenging. Insider risk management in Microsoft 365 helps minimize internal risks by empowering security teams to detect and act on malicious and inadvertent activities in your organization. Where traditional tools and strategies may focus on preventing sensitive data from leaving your organization, insider risk management leverages machine learning to correlate signals around risky user behavior and identify which activities may result in data theft or data leakage. These insights help security teams to identify potential concerns and can help accelerate time to action.

Communication compliance in Microsoft 365 helps organizations foster safe and compliant corporate communication channels. In the world of hybrid work, organizations seek out communication and collaboration tools to empower employees to do their best work. At the same time, they need to manage risk in communications to protect company assets, fulfill regulatory compliance obligations, and detect code of conduct violations, like harassing or threatening language, sharing of adult content, and inappropriate sharing of sensitive information. We are honored that Gartner® has listed Microsoft as a Leader in its 2022 Magic Quadrant™ for Enterprise Information Archiving, a market “designed for archiving data sources to a centralized platform to satisfy information governance requirements.”3

Built with privacy by design, the solutions ensure that user names are pseudonymized by default, role-based access controls are built-in, and investigators must be explicitly added by an administrator.

Today, Microsoft is excited to announce new functionalities in insider risk management and communication compliance for Microsoft 365:

  • Enhancements to sequence detections.
  • Enhancements and additions to insider risk investigation capabilities.
  • Enhanced cumulative exfiltration anomaly detection capabilities.
  • Enhanced audit trail of investigator and analyst activity.
  • New classifier to detect customer complaints made about your organization’s products or services in communication compliance.

Microsoft 365 E3 customers are welcome to sign up for an Insider Risk Management Trial or the Microsoft E5 Compliance Trial through the Microsoft compliance center.

Enhancements to sequence detections

To help security and risk management teams accelerate time to action when it comes to insider risk management, it’s important to provide a rich context of risky user activity that goes beyond a transactional view.

In 2021, we introduced sequence detection to help analysts and investigators identify a series of connected activities and get a better understanding of intent. Today, we’re excited to announce enhancements to our sequence detections, including the ability to identify changes in document sensitivities, such as a document label being downgraded from Confidential to Public in an effort to evade detections. Insider risk management can also detect sequences that start on an endpoint device, providing greater visibility into risky activity that begins on a workstation. We’ve also included additional exfiltration signals to broaden the coverage of sequences, including visibility for when a user uploads data to a cloud as a potential exfiltration step.

Enhancement and additions to insider risk investigation capabilities

With insider risk management, your security, data protection, or investigative teams have new tools and capabilities to better understand and investigate the risky activities happening in your environment.

This update includes an improved user experience for drilling down into sequences within the activity explorer. With these latest updates, security teams can get better insights into user activity types, including the ability to filter by activity category in the user activity view.

The improved alert triage experience in insider risk management includes a new summary user alert history timeline to provide better context, as well as an enhanced alert overview page.

New summary alert timeline in Insider Risk provides context on risky user activity.

Furthermore, insider risk management administrators can now set up email notifications for high severity alerts or for policy health recommendations.

Enhanced cumulative exfiltration anomaly detection capabilities

With cumulative exfiltration anomaly detection (CEAD) in insider risk management, organizations can leverage machine learning models to detect when a user’s exfiltration activities exceed the organizational averages. This can help to detect exfiltration activities that security teams might traditionally miss through data loss prevention (DLP) or structured policies alone. Learn more about CEAD.

Enhanced alert review experience, including the new visual for cumulative exfiltration anomaly detection.

With these latest updates, there are new visuals to represent potentially risky activity, making it easier for investigative or analyst teams to review and triage user activity against the organizational normal. CEAD will also prioritize cumulative exfiltration of sensitive documents based on prioritized SharePoint sites and built-in sensitive information types, as well as Microsoft Information Protection (MIP) label prioritization.  
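Both detections described in this post, sequence detection (a label downgrade followed by an exfiltration step on the same document) and cumulative exfiltration anomaly detection (a user's summed exfiltration compared with the organizational norm), as one added example over a constructed audit log. This is not Microsoft's implementation and not the product's schema: the event fields, the 24-hour window, the baseline figures and the z-score threshold are assumptions chosen for illustration, and a real CEAD model is learned rather than a fixed list of numbers.

```python
"""Insider-risk detections over an audit log (added example; assumptions throughout)."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

LABEL_RANK = {"Public": 0, "General": 1, "Confidential": 2, "Highly confidential": 3}
EXFIL_ACTIONS = {"upload_cloud", "copy_usb", "email_external"}


def ev(ts, user, action, item, **extra):
    """Build one audit event from the assumed schema; timestamps are ISO 8601 strings."""
    return {"ts": datetime.fromisoformat(ts), "user": user, "action": action, "item": item, **extra}


# Constructed sample log (not real telemetry).
EVENTS = [
    ev("2022-03-01T09:00:00", "alice", "label_change", "roadmap.docx", frm="Confidential", to="Public"),
    ev("2022-03-01T09:07:00", "alice", "upload_cloud", "roadmap.docx", bytes=1_800_000),
    ev("2022-03-01T10:30:00", "alice", "copy_usb", "q1-forecast.xlsx", bytes=400_000),
    ev("2022-03-01T11:00:00", "bob", "label_change", "notes.docx", frm="General", to="Confidential"),
    ev("2022-03-01T11:02:00", "bob", "upload_cloud", "notes.docx", bytes=150_000),
    ev("2022-02-25T08:00:00", "carol", "label_change", "contract.pdf", frm="Highly confidential", to="General"),
    ev("2022-03-01T08:00:00", "carol", "email_external", "contract.pdf", bytes=90_000),
    ev("2022-03-01T12:00:00", "dave", "download", "handbook.pdf", bytes=5_000_000),
]


def detect_downgrade_then_exfil(events, window=timedelta(hours=24)):
    """Sequence detection: a label downgrade followed, within `window`, by an
    exfiltration action on the same item by the same user. Bob's relabel is an
    upgrade and Carol's exfiltration is days later, so neither fires."""
    pending, alerts = [], []
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["action"] == "label_change" and LABEL_RANK[e["to"]] < LABEL_RANK[e["frm"]]:
            pending.append(e)
        elif e["action"] in EXFIL_ACTIONS:
            for d in pending:
                if d["user"] == e["user"] and d["item"] == e["item"] and e["ts"] - d["ts"] <= window:
                    alerts.append({"user": e["user"], "item": e["item"],
                                   "downgrade": f'{d["frm"]} -> {d["to"]}', "exfil": e["action"]})
    return alerts


# Constructed organizational baseline: per-user daily exfiltrated bytes seen during a
# prior quiet period. An assumption standing in for a learned model.
ORG_BASELINE_BYTES = [20_000, 45_000, 60_000, 80_000, 100_000, 120_000, 150_000, 90_000, 70_000, 30_000]


def cumulative_exfil_anomalies(events, baseline=ORG_BASELINE_BYTES, z_threshold=3.0):
    """Cumulative exfiltration anomaly detection: sum each user's exfiltrated bytes
    across every channel and flag users whose total sits more than `z_threshold`
    standard deviations above the organizational baseline. Each of Alice's transfers
    may pass a per-file DLP limit; the sum is what gives her away."""
    totals = defaultdict(int)
    for e in events:
        if e["action"] in EXFIL_ACTIONS:
            totals[e["user"]] += e.get("bytes", 0)
    mu, sigma = mean(baseline), pstdev(baseline)
    flagged = []
    for user, total in totals.items():
        if sigma:
            z = (total - mu) / sigma
        else:
            z = float("inf") if total > mu else 0.0
        if z >= z_threshold:
            flagged.append({"user": user, "bytes": total, "z": round(z, 1)})
    return sorted(flagged, key=lambda r: -r["z"])


if __name__ == "__main__":
    for a in detect_downgrade_then_exfil(EVENTS):
        print("SEQUENCE ", a)
    for a in cumulative_exfil_anomalies(EVENTS):
        print("CUMULATIVE", a)
```

The two detections are complementary: the sequence rule is precise but only fires on a specific pattern, while the cumulative score catches volume spread across channels with no single suspicious step. Running both over the same event stream, and prioritizing by the sensitivity of the items involved, is how an analyst gets the context the post describes.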

Enhanced audit trail of investigator and analyst activity

When security or investigative teams are looking into organizational activity, it is crucial that investigations align with regulatory requirements and your organization’s compliance and security policies. It is also key to ensuring objectivity on the part of the investigators and analysts who are reviewing user activities.

Microsoft is announcing new audit events for insider risk management, including audit events of activities within the content explorer, activity explorer, and user timeline. These additional audit log events mean that anyone reviewing audit logs will have a better understanding of what investigators or analysts did within the insider risk management interface.

New customer complaints model in communication compliance

In highly regulated industries, such as financial services, pharmaceuticals, and food, organizations are mandated by law to track and address customer complaints made on their products or services. We are excited to announce the preview of a new customer complaint classifier that detects possible complaints filed by customers and surfaces matches for customer complaint management.

This new feature can help organizations meet regulations that mandate detection and triage of complaints, such as Consumer Financial Protection Bureau and Food and Drug Administration requirements. Additionally, this feature can help organizations gain insight into how to improve their products and services.

View of customer complaints classifier during policy configuration.

Microsoft partners with other security leaders to address insider risk

In addition to our work in growing the capabilities of our insider risk management and communication compliance solutions, Microsoft is focused on reducing insider risks through partnerships and knowledge sharing. Microsoft is a Founding Research Sponsor of MITRE Engenuity’s Center for Threat-Informed Defense (Center), which launched a knowledge base to identify insider threats. See the Center’s release announcement for details.

This latest resource from the Center is designed to help insider threat programs and security operation centers (SOCs) “detect, mitigate, and emulate insider actions on IT systems” and to stop those behaviors deemed risky or damaging. These resources include a Knowledge Base of Tactics, Techniques, and Procedures (TTPs) and the Design Principles and Methodology report.

As a Founding Research Sponsor, Microsoft researchers and security practitioners collaborated with other security industry partners to share TTPs and insights for what we are seeing in the insider risk space. “Microsoft’s work with the Center team and other security leaders confirms that insider risks pose a huge threat and that detection requires context beyond standard TTPs. Through this program, Microsoft’s Digital Security and Resilience and engineering teams partnered with and learned from others, and we are excited to see the collaboration in this space grow,” shared Rob McCann, Principal Data Scientist in Microsoft’s Security Research division. “This initial Knowledge Base sets the stage for industry-wide expansion and increased awareness of insider risk across the security community, and helps lay a foundation for further development and understanding of the insider risk landscape. This is an exciting step forward, and we’re grateful to have been a part of it.”

The insights and learnings from Microsoft’s participation in the Center have reaffirmed the priorities that have shaped Microsoft’s investments, both internally and in solutions available to our customers, including insider risk management.

Building an effective insider risk program

Over the past 18 months, we have seen high-profile insider risk incidents across a number of industries, ranging from data theft to corporate code of conduct violations. Recent high-profile examples have ranged from the theft of confidential documents related to COVID-19 vaccines in the pharmaceutical industry to workplace harassment.

PwC and Microsoft advocate for an enterprise-wide approach to insider risk by leveraging key stakeholders to identify potential insider risks and tailor technical controls to address them. See how your organization can benefit from this approach by downloading the PwC and Microsoft whitepaper Building an effective insider risk management program.

Get started

These new features in insider risk management and communication compliance for Microsoft 365 have already rolled out or will start rolling out to customer tenants in the coming weeks. These solutions are also generally available across government clouds, supported in Government Community Cloud (GCC), GCC-High, and US Department of Defense (DoD) tenants.

We are happy to share that there is now an easier way for you to try Microsoft compliance solutions directly in the Microsoft 365 compliance center. By enabling the trial in the compliance center, you can quickly start using all capabilities of Microsoft Compliance, including insider risk management, communication compliance, records management, Advanced Audit, Advanced eDiscovery, MIP, DLP, and Compliance Manager.

If you are a current Microsoft 365 E3 user and interested in experiencing insider risk management, check out the Insider Risk Management Trial or the Microsoft E5 Compliance Trial to see how insider risk solutions and analytics can give you actionable insights.

Learn more about how to get started and configure policies in your tenant in the supporting documentation for insider risk management and communication compliance. Keep a lookout for updates to the documentation with information on the new features over the coming weeks.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.


1Insider Risk Management Program Building: Summary of Insights from Practitioners, CyLab, Carnegie Mellon University. May 2021.

2The Great Reshuffle and how Microsoft Viva is helping reimagine the employee experience, Seth Patton, Microsoft 365. September 28, 2021.

3Gartner, Magic Quadrant for Enterprise Information Archiving, Michael Hoeck, Jeff Vogel, Chandra Mukhyala, Gartner. January 24, 2022.

Gartner and Magic Quadrant are registered trademarks of Gartner, Inc. and/or its affiliates in the U.S. and internationally and are used herein with permission. All rights reserved.

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

The post How Microsoft can help reduce insider risk during the Great Reshuffle appeared first on Microsoft Security Blog.

Gartner® names Microsoft a Leader in the 2022 Magic Quadrant™ for Enterprise Information Archiving

January 28th, 2022 No comments

With data doubling every two years, it is more critical than ever to have simple and integrated tools to understand and manage risks to an organization. As more people work remotely, users collaborate and store data in different locations. These secular trends offer new possibilities in how work gets done—but also expose an organization to new and expanded risks: increased exposure to data breaches, costs associated with finding relevant data quickly, and meeting compliance requirements. These trends and challenges emphasize the need for a comprehensive enterprise information archiving (EIA) solution that can balance risk and productivity across multiple clouds and systems.

The Microsoft Compliance suite offers an integrated set of solutions to address the information risk and archiving challenges our customers face. We introduced multiple innovations over the past few years:

  • Seamless risk management. Risk management is no longer a siloed activity. An EIA solution needs to work seamlessly with security, compliance, and productivity solutions. Our Microsoft 365 Advanced eDiscovery solution, for example, can automatically collect linked content with the original message in Microsoft Teams, Yammer, and Outlook.
  • Leveraging machine learning to manage data at scale. With the large volume of data created every day, it is impossible to manually manage an organization’s content. It is easiest to manage data at scale with machine learning integrated throughout business processes, rather than as a separate add-on. For example, our trainable classifiers categorize content for retention, deletion, and protection policies.
  • New data types and multi-cloud compliance. The rise of text messages, asynchronous communication, and other communication modes creates a variety of formats in which risk and compliance must be managed. This year Microsoft introduced more than 65 new connectors built by Microsoft and partners. Customers can leverage their investments in Microsoft 365 Compliance to manage imported data alongside their Microsoft 365 data.

We are honored that Gartner has listed Microsoft as a Leader in its 2022 Magic Quadrant™ for Enterprise Information Archiving in recognition of our ability to execute and completeness of vision. This is the fourth consecutive year that Gartner recognized Microsoft as a Leader in this critical space. Additionally, Microsoft placed highest in the ‘ability to execute.’ Read the full report.

Gartner 2022 Magic Quadrant for EIA chart depicting Microsoft under the Leaders category in the top right-hand corner.

According to Gartner, “Leaders have the highest combined measures of ability to execute and completeness of vision. They may have the most comprehensive and scalable products. They have a proven track record of financial performance and an established market presence. In terms of vision, they are perceived to be thought leaders, with well-articulated plans for ease of use, product breadth, and how to address scalability. For vendors to have long-term success, they must plan to address the expanded market requirements for EIA, including support for multiple content types; support for the cloud; solid, relevant e-discovery functionality; and a seamless user experience.”

To us, this recognition would not be possible without the close partnership with our customers that provides critical insights for our solutions. We look forward to continuing this partnership and product innovation.

Learn more

We invite you to read the full Gartner® 2022 Magic Quadrant™ for Enterprise Information Archiving report.

For more details about our enterprise information archiving solution, please visit our website or view our Microsoft 365 for business subscription.

Microsoft continues to be a Leader in four additional Gartner Magic Quadrant reports in the broader security space:

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.


Gartner does not endorse any vendor, product, or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

GARTNER and Magic Quadrant are registered trademarks and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and are used herein with permission. All rights reserved.

Gartner, Magic Quadrant for Enterprise Information Archiving, by Michael Hoeck, Jeff Vogel, Chandra Mukhyala. 24 January 2022.

The post Gartner® names Microsoft a Leader in the 2022 Magic Quadrant™ for Enterprise Information Archiving appeared first on Microsoft Security Blog.


Privacy compliance for smart meter infrastructure with Microsoft Information Protection and Azure Purview

June 2nd, 2021

Smart meters and smart grid infrastructure have been deployed in many of the world’s electric distribution grids. They promise energy conservation, better grid management for utilities, electricity theft reduction, and a host of value-added services for consumers. To deliver on this promise, they need to collect granular electric usage data and make this available to the stakeholders who need it. This has created consumer privacy concerns which are being addressed with security and governance programs, like Microsoft Information Protection and Azure Purview, and with regulation by the government. The ability to protect and govern smart meter data is critical to addressing consumer privacy. It’s also critical to making the data available to realize the return on investment in terms of environment, safety, savings, and enhanced services to consumers.

Smart grid data contains private information

Smart meter data is personally identifiable information (PII). Information potentially available through the smart grid includes:

NISTIR 7628, Guidelines for Smart Grid Cybersecurity volume 2, Table 5-1. Information Potentially Available Through the Smart Grid.

Figure 1: Information potentially available through the smart grid. [1]

This gives rise to a range of privacy concerns: exposure of personal data for embarrassment or extortion; determination of behavior patterns for unwanted marketing, by criminals casing a premises or seeking to exploit children; and inappropriate uses by government.

Depending on the granularity and character of data collected, smart meter data can be disaggregated to reveal private information:

NISTIR 7628, Guidelines for Smart Grid Cybersecurity volume 2, Figure 5-2. Using Hidden Markov Models to Produce an Appliance Disaggregation.

Figure 2: Using hidden Markov models to produce an appliance disaggregation. [2]

Electric meter data was generally not a focus of privacy concern prior to smart meters. With smart meters, the data can be near real-time, with a frequency and granularity not previously available. The potential value of smart meter data for demand management programs, time-of-use pricing, outage management, grid optimization, energy theft reduction, unlocking the value of smart cities, and other uses increases along with the frequency and granularity of the data.

Utilities and other stakeholders need to do a privacy impact assessment (PIA) for the use of this data. Part of this process is to set out the controls that will be used to govern the data.

Many of the same regulations and standards that cover PII in general apply to smart meter information. These include General Data Protection Regulation (GDPR), California Consumer Privacy Act, Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), Brazil’s General Data Protection Act (LGPD), and many other established and emerging privacy regimes. A geographic summary of privacy regulations is provided by the global law firm DLA Piper.

Where is PII from smart meters located?

Smart meter data resides in the meters themselves and in the backhaul infrastructure, potentially passing through range extenders and connected grid routers on its way to the head end. From there it is made available, as permitted, to utility departments and other organizations in databases and data reservoirs where value is derived from it.

Conceptual Reference Diagram for Smart Grid Information Networks. Ref NIST Special Publication 1108R2, Figure 3-2.

Figure 3: Conceptual reference diagram for smart grid information networks. [3]

With the range of stakeholders that need access to the data, there will be a variety of technologies and architectures that must be governed. Broadly, there will be PII in structured resources like SQL or SAP S/4HANA databases, in unstructured ones like desktop application files and email, and in data repositories like Azure Blob, Data Lake Storage, or Amazon S3.

The data should be governed during its full lifecycle from collection through to secure auditable disposal—both inside the utility’s environment and outside as third parties access the data for permitted uses.

Protecting and governing PII from smart meters

The Microsoft Information Protection and Governance framework protects and governs Microsoft 365 data, including desktop applications, email, and on-premises repositories, and, with Microsoft Cloud App Security, data in both Microsoft and third-party clouds and on Windows 10 endpoints like laptops.

Most impactful for smart meter data, we now have Azure Purview (now in preview) for structured and unstructured data outside of Microsoft 365, such as in databases, data lakes, SAP, and a range of other environments where smart meter data is stored and used to extract value.

Microsoft Information Protection and Governance framework.

Figure 4: Microsoft Information Protection and Governance.

To properly protect and govern PII in smart grid data, we need to identify and inventory this data across our cloud and on-premises environment. We need to protect this data with durable security policies that stay with the data throughout its lifecycle. We need to implement Data Loss Prevention (DLP) to keep the information from traveling to places it should not go and we need to dispose of data when it’s no longer needed for business purposes. The deletion should be permanent and auditable.

Microsoft Information Protection, as part of Microsoft 365, provides the tools to know your data, protect your data, and prevent data loss. It gives users a native experience in their documents and emails, with automation that recognizes PII and either recommends that the user apply a sensitivity label (with the option to override the suggestion with auditable justification) or enforces the application of the label.

Microsoft Information Protection provides real time assistance to users with a native experience while they work. Users receive suggestions and can automatically label data or override the suggestion with auditable justification if configured by the administrator.

Figure 5: Microsoft Information Protection provides real-time assistance to users with a native experience while they work.

The sensitivity label can enforce encryption, scoping the document to be consumed only by the intended organization, teams, or individuals. It can enforce watermarking, disable cut and paste, and a range of other security policies for the life of the document, even when it leaves the sender’s environment.

PII such as credit card numbers can be recognized by out-of-box sensitive information types, which can then be tuned to reduce false positives. Custom sensitive information types can be defined by keywords, keyword dictionaries, or regular expressions, which are particularly useful for recognizing utility account numbers or smart meter numbers. Machine learning can also be applied: trainable classifiers reason over a sample of relevant documents and then recognize documents that resemble them.

Sensitive data can be identified, inventoried, and protected as it is created, in the cloud with Microsoft Cloud App Security (MCAS) or with on-premises resources using the Azure Information Protection (AIP) scanner.

These sensitivity labels and sensitive information types can trigger DLP policies across email, desktop applications, SharePoint sites, OneDrive, Windows 10 devices, Teams, and third-party clouds. The policies are managed with a unified experience across Office 365, cloud, on-premises, and endpoint locations.
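As an added example (not part of the original post, and not Microsoft's own classifier code), the following Python sketch shows the detection logic a custom sensitive information type of the kind described above would apply to smart meter numbers, and how a DLP rule can act on the result: a primary regular-expression pattern, a checksum to reduce false positives, and supporting keywords within a proximity window together determine a confidence level. The ten-digit Luhn-checked meter serial format, the keyword list, the 300-character window, and the policy thresholds are all assumptions constructed for the illustration.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed formats for illustration only (not any real utility's scheme):
# a smart meter serial is ten digits whose last digit is a Luhn check digit.
# The regex is the primary element; nearby keywords are supporting evidence.
METER_RE = re.compile(r"(?<!\d)\d{10}(?!\d)")
KEYWORD_RE = re.compile(
    r"\b(smart\s+meter|meter\s+(?:number|no\.?|serial|id)|meter)\b", re.IGNORECASE
)
PROXIMITY = 300  # characters either side of the primary match (assumed window)

HIGH, MEDIUM = 85, 65  # confidence levels, in the style of sensitive info types


@dataclass
class Match:
    value: str
    start: int
    end: int
    confidence: int
    evidence: list = field(default_factory=list)


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_meter_numbers(text: str, proximity: int = PROXIMITY) -> list[Match]:
    """Classify candidate meter serials: regex hit + checksum + keyword proximity.

    A candidate that fails the checksum is dropped as a false positive; one that
    passes gets HIGH confidence if a keyword sits within the window, else MEDIUM.
    """
    matches: list[Match] = []
    keywords = list(KEYWORD_RE.finditer(text))
    for m in METER_RE.finditer(text):
        value = m.group(0)
        if not luhn_valid(value):
            continue
        lo, hi = m.start() - proximity, m.end() + proximity
        evidence = sorted(
            {k.group(0).lower() for k in keywords if k.start() >= lo and k.end() <= hi}
        )
        confidence = HIGH if evidence else MEDIUM
        matches.append(Match(value, m.start(), m.end(), confidence, evidence))
    return matches


def dlp_action(matches: list[Match], high_count: int = 1, medium_count: int = 10) -> str:
    """Map classifier output to a DLP outcome: block on any high-confidence
    match, notify once medium-confidence matches accumulate, otherwise allow.
    The thresholds are illustrative policy settings, not product defaults."""
    high = sum(1 for m in matches if m.confidence >= HIGH)
    medium = sum(1 for m in matches if m.confidence >= MEDIUM)
    if high >= high_count:
        return "block"
    if medium >= medium_count:
        return "notify"
    return "allow"


# Constructed sample document: one serial next to a keyword, one far from any
# keyword, and one that fails the checksum (a plausible-looking invoice number).
FILLER = "General tariff information follows. " * 12  # pushes text past the window
SAMPLE = (
    "Dear customer, the smart meter 1234567897 at your premises was read on 3 May.\n"
    + FILLER
    + "\nReference 5000123454 is on file. Invoice total 1234567890 is due."
)

if __name__ == "__main__":
    found = find_meter_numbers(SAMPLE)
    for f in found:
        print(f"{f.value} at {f.start}: confidence {f.confidence}, evidence {f.evidence}")
    print("policy outcome:", dlp_action(found))
```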

Data loss prevention policies can be triggered by sensitivity labels or sensitive information types. These policies can be administered for email, SharePoint, OneDrive, Teams, endpoints, on premises repositories and third party clouds from a single admin interface.

Figure 6: Selections of locations to apply policy.

Files and emails can be tagged with retention labels as well as sensitivity labels. Like sensitivity labels in Microsoft Information Protection, they can be applied manually or automatically, based on out-of-box or custom sensitive information types or on machine learning with trainable classifiers.

Retention labels can enforce auditable retention, deletion and disposition review of documents and emails in the Microsoft 365 tenant.

Figure 7: Records management.


This can facilitate compliance not only with privacy regulations but also with regulations that require retention for discovery purposes, such as utility commission or Freedom of Information (FOI) requests.

Visualization and reporting for sensitive data, including smart meter PII as well as the retention labels and policies applied, are available from the compliance portal so that sensitive data can be inventoried, managed, and reported on.

Azure Purview

Azure Purview is a unified data governance service that helps you manage and govern your on-premises, multi-cloud, and software as a service (SaaS) data. We’ll focus on PII data discovery in this post.

Azure Purview Data Map captures metadata across a wide range of data sources and file types with automated data discovery and sensitive data classification. Azure Purview extends our information protection and governance capabilities beyond Microsoft 365.

Among the broad list of data sources, you’ll be able to scan SQL databases, Azure Blob Storage, Azure Data Lake Storage, Azure Cosmos DB, AWS S3 buckets, Oracle databases, SAP ECC, and SAP S/4HANA.


Figure 8: Metadata map.

The data in these sources can be classified and labeled by out-of-box and custom sensitive information types, including those defined for smart grid PII.


Figure 9: Microsoft Azure Purview classification rules.

The sensitive information types and sensitivity labels are made available to Azure Purview from the Microsoft 365 Compliance Center, the same place the Microsoft Information Protection rules are managed, creating a unified experience for the administrators.


Figure 10: How to edit label sensitivity.

Custom classifications and rules to identify custom sensitive data types or keywords can be created in the Azure Purview solution.

Azure Purview provides reporting that shows where sensitive data such as PII is located across an organization’s data estate. Sensitivity labels with security policy can be applied to this data. The repositories where sensitive data is located can have additional security added or the data can be removed from locations where it does not belong.


Figure 11: Azure Purview showing locations where sensitive data exists.

Azure Purview can validate that the Data Privacy Impact Assessment (DPIA) and controls undertaken by an organization around sensitive smart grid data are being enforced. This reporting can provide evidence to a regulator that the organization’s commitments to security and privacy, which enabled the use of customers’ private data, have been upheld.

Azure Purview does not move or store customer data outside of the geographic region in which it is deployed, so data residency requirements can be met.

In addition to helping protect sensitive data, Microsoft also offers agentless security monitoring for industrial control system (ICS) and operational technology (OT) networks to rapidly detect and respond to anomalous or unauthorized activities in control networks. Azure Defender for IoT integrates with existing security operations center (SOC) tools (like Azure Sentinel, Splunk, IBM QRadar, and ServiceNow), is broadly deployed in production across power distribution and generation sites worldwide, and is available for both on-premises and cloud-connected environments.

Microsoft 365 Information Protection and Governance and Azure Purview together provide tools to protect and govern smart meter data and other sensitive data for utilities. The more effectively we can implement protection and governance of this data, the more we can make use of it and derive value for the ratepayers who have invested in the smart grid.

Learn more

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.


[1] NISTIR 7628, Guidelines for Smart Grid Cybersecurity, volume 2, Table 5-1.

[2] NISTIR 7628, Guidelines for Smart Grid Cybersecurity, volume 2.

[3] NIST Special Publication 1108R2.

The post Privacy compliance for smart meter infrastructure with Microsoft Information Protection and Azure Purview appeared first on Microsoft Security.

How a positive hybrid work culture can help you to mitigate insider risk

May 17th, 2021

As Vasu Jakkal recently shared, we are operating in the most sophisticated threat landscape ever seen, and coupled with the next great disruption—hybrid work—security is more challenging than ever. Protecting against external threats is only one part of the challenge, though. You also must protect from the inside out—another facet of “assume breach” in your Zero Trust approach. Insider risks can be malicious or inadvertent, but all impact your most important asset: your data.

As our recent Work Trend Index showed, people are collaborating, chatting, emailing, and sharing in new ways and in greater volume than ever before. Between February 2020 and February 2021, the time spent in Microsoft Teams meetings more than doubled (2.5 times) globally, the average Teams user is sending 45 percent more chats per week, the number of emails delivered to commercial and education customers is up by 40.6 billion, and we’ve seen a 66 percent increase in the number of people working on documents.

That same report also found that people are burned out. One in five global survey respondents say their employer doesn’t care about their work-life balance, with 54 percent feeling overworked and 39 percent feeling exhausted. And there are trillions of productivity signals from Microsoft 365 quantifying the precise digital exhaustion workers are feeling.

Not only does this create challenges for productivity and engagement, but it also creates risk for the organization. A recent study out of CyLab, Carnegie Mellon University’s Security and Privacy Institute—conducted with support from Microsoft—found that of the organizations that participated in the research study, 69 percent had more than 5 malicious, high-concern insider incidents in 2020, 44 percent had more than 10 incidents, and 11 percent had more than 100 incidents, such as financial fraud, sabotage, data theft, or workplace violence. The report also drew a direct correlation between the stressors impacting employees and an increase in insider risk incidents. A positive corporate culture, in which employees are engaged, rewarded, and supported, can decrease both malicious and inadvertent insider risks, such as data loss, data theft, insider trading, and others.

“A well-balanced insider risk program can become known as an advocate for employee wellbeing and a means for a more productive, engaged, connected, and committed workforce.”—Carnegie Mellon University

What can you do to mitigate risk in your organization?

  1. Listen to and empower your people: As the Work Trend Index research shows, the pandemic has taken its toll on the workforce in ways never before imagined. Stressful events can lead to individuals feeling overwhelmed or burned out, which may lead to an increase in risk for the organization. To reduce this risk and support the wellbeing of your people, it’s important that you create channels and mechanisms to listen to their concerns, giving you an opportunity to get feedback and helping them prioritize. Most importantly, ensure your people know they are valued by the organization and that they play a critical role in keeping you and your critical data safe and secure.
  2. Embrace collaboration: Insider risk management programs often focus exclusively on implementing tools and technology without incorporating the necessary organizational, risk management, and cultural considerations. Technology plays an important role, but it is just one component of an effective program. Addressing insider risk effectively requires a collaborative approach across business leaders, HR, legal, and security. It also requires education and engagement with all people in the organization.
  3. Take a holistic approach: Identifying insider risks can be complex, and it often feels like trying to find a needle in a haystack. In working with customers, we’ve found that taking a holistic, purpose-built approach that can pull signals together into a cohesive view across your organization gives you a better understanding of the relevant trends in your organization and better risk reduction. In fact, we took this approach ourselves to ensure that it’s easy to get started, yet configurable to meet your wide variety of needs. In addition to the rich set of capabilities we announced at Ignite, we recently added new capabilities, including the user activity report and activity explorer, to our insider risk management solution to expand the analytics and reporting to ensure you have the broadest view of insider risks in your organization.

As you embrace this new hybrid work world, mitigating insider risk is more critical than ever. We’re here to help as you continue this journey.

Learn more

You can learn about insider risk management and stay up to date by following our insider risk blog. You can also listen to our podcast Uncovering Hidden Risks.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post How a positive hybrid work culture can help you to mitigate insider risk appeared first on Microsoft Security.


Meet critical infrastructure security compliance requirements with Microsoft 365

April 27th, 2021

Critical infrastructure operators face a hostile cyber threat environment and a complex compliance landscape. Every operator of an industrial control system also operates an IT network to service its productivity needs. A supervisory control and data acquisition (SCADA) system operator of a power grid or chemical plant needs email, databases, and business applications to support it, much like any enterprise.

IT environments, with their large attack surface, can be the entryway to attack critical infrastructure even where those IT systems are not critical infrastructure themselves. Security and compliance failures may include life safety, environmental, or national security consequences—a different risk management challenge from other enterprise IT systems.

Ransomware, thought of more as an IT problem than an industrial control system (ICS) one, has been used to attack critical infrastructure operators Norsk Hydro, the Brazilian utilities Eletrobras and Copel, and Reading Municipal Light Department and Lansing Board of Water and Light, among other US utilities. Dragos and IBM X-Force identified 194 ransomware attacks against industrial entities between 2018 and 2020, including ICS-specific strains like EKANS.

The range of threats to our increasingly converged IT and ICS environments highlights the need for a combined approach to IT and ICS security.

Azure Defender for IoT is the cornerstone of security for on-premises, cloud, and hybrid ICS. Alongside the anti-malware features of Microsoft 365, the integration of Advanced Threat Protection (ATP) and Microsoft Compliance Manager, which manages, visualizes, and reports on standards-based compliance, are also foundational.

Complex compliance landscape

As the cyber threat landscape to ICS has grown more hostile and publicized, the compliance responsibilities of critical infrastructure operators have increased as well. In the US and Canada, Bulk Electric System (BES) participants need to comply with the North American Electric Reliability Corporation Critical Infrastructure Protection Standards (NERC CIP), use NIST 800-53 as the basis for their organizational security policies, and benchmark against the National Institute of Standards and Technology (NIST) Cybersecurity Framework. They may also be architecting their ICS to IEC 62443/ISA 99. Many forward-looking utilities are increasing their use of the cloud through infrastructure as a service (IaaS), platform as a service (PaaS), and software as a service (SaaS) like Microsoft 365 with Zero Trust architecture.

While NERC CIP standards were written around on-premises systems, NERC has become more open to Registered Entities’ use of the cloud for Bulk Electric System Cyber System Information (BCSI). This includes NERC’s Order on Virtualization and Cloud Computing Services and their Technical Rationale for Reliability Standard CIP-011-3, where they discuss risk assessment of a cloud services provider. This risk assessment will include the ongoing standards-based assessment of the cloud service provider.

Comprehensive and efficient compliance

As an organization moves workloads to the cloud, it moves responsibility for a portion of the security controls to the cloud service provider.

The shared responsibility model for cloud security. As the cloud service provider takes responsibility for controls, the cloud customer can use its resources to focus on the controls for which it remains responsible.

The organization can thus focus its resources on the remaining security controls and on vetting how the cloud service provider manages the security controls for which it is responsible.

With Office 365, customers dramatically reduce the number of NIST 800-53 controls they are responsible for, compared with an on-premises deployment.

When customers use Office 365, Microsoft helps them manage 79 percent of the 1,021 NIST 800-53 controls, so customers need only focus on implementing and maintaining the remaining 21 percent of the controls. By using the shared responsibility model, these customer resources are made available to further secure their systems. Customers that are using on-premises infrastructure to provide those functions need to implement and maintain all 1,021 controls.

Tools for comprehensive and efficient compliance

Microsoft Compliance Manager is a feature in Microsoft 365 compliance center. It uses signals from the customer’s Microsoft 365 tenant, Microsoft’s compliance program, and workflows completed by the customer to manage and report compliance against regulatory and industry-standard templates. These templates include NERC CIP, NIST Cybersecurity Framework (CSF), NIST 800-53, and the US Protecting and Securing Chemical Facilities from Terrorist Attacks Act (H.R. 4007), as well as more than 330 standards-based assessments globally. You can also create custom templates based on other standards or mapped to your own policies and control set.

With each Compliance Manager assessment template, you get simplified guidance on “what to do” to meet the regulatory requirements. In this regard, you get to understand what controls are Microsoft’s responsibility as your cloud service provider and what controls are your responsibility. Furthermore, for each of the controls that are your responsibility, we break down actions that you need to take to meet these control requirements. These actions can be procedural, documentation, or technical.

For technical actions, you get step-by-step guidance on how to use Microsoft security, compliance, identity, or management solutions to implement and test technical actions. With this detailed information, you can efficiently implement, test, and demonstrate your compliance against regulations as per your industry and region. This information also helps you to draw maximum benefits from your Microsoft 365 security and compliance solutions. Once you create assessments within Compliance Manager, we make it very easy for you to understand what solutions you can use to implement and test technical actions on Compliance Manager.

The Microsoft 365 Compliance Manager Solutions page, showing how the various solutions contribute to Compliance Score and compliance posture.

You can use the custom assessment feature to “extend” Compliance Manager assessment templates to track compliance against any non-Microsoft 365 assets as well. With this functionality, Compliance Manager helps you to track and manage compliance across all your assets.

There are different template sets available for the different license levels.

Microsoft updates the assessment templates when the standards change, relieving the customer of this responsibility. The changes are called out to the customer and the option to update the assessment is provided.

Compliance Manager tracks, reports, and provides visualizations for:

  • Microsoft-managed controls: controls for Microsoft cloud services that Microsoft is responsible for implementing.
  • Your controls: these are controls implemented and managed by your organization, sometimes referred to as “customer-managed controls.”
  • Shared controls: these are controls that both your organization and Microsoft share responsibility for implementing.

The assessments are provided with visualizations that allow the user to drill down into the individual control status and view evidence. High-impact improvement actions are suggested.

Microsoft 365 Compliance Manager NIST Cybersecurity Framework assessment dashboard.

Microsoft 365 Compliance Manager NIST Cybersecurity Framework controls view with benchmark visualization.

Compliance Manager covers both the Microsoft and customer-managed controls as part of the shared cloud security and compliance responsibility model. Automated workflows and evidence repositories are provided for customer-managed and shared controls.

Microsoft 365 customer control workflow. Assign a control to a team member to provide input and upload evidence on a schedule to support customer's compliance program.

You can assign a stakeholder, who then receives on a schedule an automated message with instructions and an upload link, reminding them of the compliance activity required, to report status, and to upload evidence. This provides an efficient and defensible system for responding to auditors and benchmarking compliance programs.

Many of the controls that enable compliance for critical infrastructure operators are common across the standards, so implementing a control once enables compliance across multiple standards.

Mapping controls across standards, for example:

NIST CSF Category: Access Control (PR.AC): Access to assets and associated facilities is limited to authorized users, processes, or devices, and to authorized activities and transactions.
NIST CSF Subcategory: PR.AC-1: Identities and credentials are managed for authorized devices and users.
NIST 800-53 Rev. 4 Control: AC-2, IA Family
ISO 27001 Control: ISO/IEC 27001:2013 A.9.2.1, A.9.2.2, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3
NERC CIP Control: CIP-004-6 – Access Management Program, parts 4 and 5

This crosswalk across standards is part of the Compliance Manager and populated automatically across a customer’s assessments.

Microsoft 365 Compliance Manager, control mapped across multiple standards. New standards-based assessments in Compliance Manager are automatically populated with controls that have already been implemented.

The level of effort to benchmark and report compliance with a new standards regime is dramatically reduced.

IT and ICS convergence is a continuing trend for critical infrastructure operators. Attack methodologies, surfaces, and threat actors are crossing over to put our most critical resources at risk. Compliance regimes must be efficiently met in an auditable way to protect the availability of our systems. Microsoft provides the range of tools described above to help you manage across the IT and ICS environments.

Learn more

Learn more about Microsoft Compliance Manager and how it helps simplify compliance and reduce risk.

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Meet critical infrastructure security compliance requirements with Microsoft 365 appeared first on Microsoft Security.

Securing and governing data in a new hybrid work reality

March 2nd, 2021

The past year has led to an evolution in not only how we think about work, but more importantly, where work gets done. Arguably, gone are the days that your organization’s data is limited to the protected confines of your corporate network as your people continue to work remotely, return in some capacity to the office, or even adopt some hybrid of the two. With your people working across networks, devices, clouds, and apps, how do you ensure your data remains not only secure but compliant?

A culture of security starts by securing data where people get work done. We have been investing in innovation to make this easier, and I’m sharing with you some additional capabilities that enable you to extend data protection and governance across apps, clouds, endpoints, and on-premises file repositories that keep your people collaborative and productive while ensuring your most valuable asset—your data—remains secure and compliant wherever it lives.

Co-authoring of Microsoft Information Protection-protected documents now available in preview

With the shift to remote work, people are creating, storing, and sharing data in new ways. Collaboration and productivity are critical to getting work done, but you still need to ensure that the data remains safe wherever it is. Data classification in Microsoft Information Protection protects your business-critical data so your people can collaborate securely without having to sacrifice productivity.

Today we are announcing the ability for multiple users to simultaneously edit a Microsoft Office document that has been encrypted using Microsoft Information Protection, now in preview. In the past, you had to choose between encrypting sensitive content and collaborating on it. If you encrypted the content, only one person could edit at a time. Everyone else would be locked out, and AutoSave would be disabled to preserve the encryption. With this new unique capability, multiple people can now be co-authors on a Word, Excel, or PowerPoint document simultaneously, frictionlessly, with auto-save, while maintaining the sensitivity labeling and document protections.

Learn more on Tech Community and Microsoft docs.

Microsoft 365 data loss prevention now available in preview for Chrome and on-premises

Enabling a comprehensive and flexible approach to data loss prevention solutions is one of the most important ways to protect your data. We have been investing heavily in this area, and our unified Data Loss Prevention (DLP) solution—a key part of Microsoft Information Protection—understands and classifies your data, keeps it protected, and prevents data loss across Microsoft 365 Apps (including Word, PowerPoint, Excel, and Outlook), services (including Microsoft Teams, SharePoint, and Exchange), third-party software as a service (SaaS) applications, and more—on-premises or in the cloud. Microsoft’s unified data loss prevention approach provides simplicity, enabling you to set a DLP policy once and have it enforced across services, endpoints, and first- and third-party apps.

A few months ago, we announced Endpoint DLP, which provides built-in data loss prevention into Windows 10 and Microsoft Edge. Today we’re announcing that we are extending Microsoft’s unified DLP capabilities natively to Chrome browsers and on-premises file shares and SharePoint Server.

You can learn more about this preview on Tech Community.

Microsoft Azure Purview provides new multi-cloud support

In December 2020, we announced Azure Purview, a unified data governance service that facilitates the mapping and control of organizational data no matter where it resides. Azure Purview is integrated with Microsoft Information Protection, which means you can apply the same sensitivity labels defined in Microsoft 365 Compliance Center to your data in Azure.

Today we’re sharing that we are extending Azure Purview’s ability to automatically scan and classify data to other platforms, such as AWS Simple Storage Service (S3), SAP ECC, SAP S4/HANA, and Oracle Database. Available now in preview, you can automatically scan and classify data residing within various on-premises data stores using the Azure Purview Data Map.

We are also expanding the insight available within Azure Purview. Available now in preview, Azure Purview can now scan Azure Synapse Analytics workspaces, which enables you to discover and govern data across your serverless and dedicated SQL pools. This expands on Azure Purview’s existing tools enabling customers to scan data across various sources via out-of-the-box connectors in the Data Map.

You can learn more in the Azure Purview blog.

Microsoft 365 Insider Risk Management Analytics available in preview

Another important component of securing your data as people work in new and different ways is effectively managing insider risk. Balancing the ability to quickly identify and manage insider risks while maintaining a dynamic culture of trust and collaboration is a priority for security leaders.

With privacy built-in, pseudonymization on by default, and strong role-based access controls, Insider Risk Management in Microsoft 365 is used by businesses worldwide to quickly get started using machine learning to identify insider risks and take action with integrated collaboration workflows.

Today we’re announcing Microsoft 365 Insider Risk Management Analytics, which can identify potential insider risk activity within an organization and help inform policy configurations. With one click, customers can have the system run a daily scan of their tenant audit logs, including historical activity, and leverage Microsoft 365’s Insider Risk Management Machine Learning engine to identify potential risky activity with privacy built-in by design. Insider Risk Management Analytics will start rolling out to tenants in public preview in mid-March 2021.

For more information, check out the Tech Community blog.

Continued investments to help you address compliance and risk

We’ve been hard at work across our entire portfolio to ensure you have the capabilities you need to protect and govern your data while addressing regulatory compliance and eDiscovery. Here are a few more announcements we’re making today:

  • Additional assessment templates and enhanced capabilities in Compliance Manager to increase regulation visibility, further enrich the user experience, and save you valuable time.
  • Further guidance to get started with Advanced Audit to support your forensic investigations when you suspect a data breach.

In addition, our partner ecosystem plays a critical role in helping you to address your compliance and risk management needs. I’m announcing today that we are expanding the Microsoft Intelligent Security Association (MISA) to include risk management and compliance partners to enable greater scale and customization.

We will continue to innovate and work closely alongside you, our partners, and the industry to improve compliance and security for everyone. We’re on this journey together.



What we like about Microsoft Defender for Endpoint

February 22nd, 2021

This blog post is part of the Microsoft Intelligent Security Association guest blog series. Learn more about MISA.

It’s no secret that the security industry generally likes Microsoft Defender for Endpoint. After a few months of using and integrating it with our platform here at Expel, we feel the same.

On Expel’s EXE Blog, we regularly share our thought process on how we think about security operations at scale at Expel and the decision support (or additional context) we provide our analysts through automation.

In short, Defender for Endpoint makes it easy for us to achieve our standard of investigative quality and response time, but it doesn’t require a heavy lift from our analysts. And that’s good news both for our customers and for us.

So, what is Microsoft Defender for Endpoint?

Defender for Endpoint is an enterprise endpoint security product that supports Mac, Linux, and Windows operating systems, along with Android and iOS. There are lots of cool things that Defender for Endpoint does at an administrative level (such as attack surface reduction and configurable remediation). However, from our vantage point, we know it best for its detection and response capabilities.

Defender for Endpoint is unique because not only does it combine an Endpoint Detection and Response (EDR) and AV detection engine into the same product, but for Windows 10 hosts, this functionality is built into the operating system, removing the need to install an endpoint agent.

With an appropriate Microsoft license, Defender for Endpoint and Windows 10 provide out-of-the-box protection without the need to mass-deploy software or provision sensors across your fleet.

How EDR tools help us as an XDR vendor

When we integrate with an EDR product like Defender for Endpoint in support of our customers, our goal is to predict the investigative questions that an analyst will ask and then automate the action of getting the necessary data from that tool.

This frees up our analysts to make the decision—versus making them spend time extracting the right data.

We think Defender for Endpoint provides the right toolset that helps us reach that goal—and removes some burden from our analysts—thanks to its APIs.

Thanks to Defender for Endpoint’s robust APIs, we augmented its capability to provide upfront decision support to our analysts. As a result, we’re able to arm them with the answers to the basic investigative questions we ask ourselves with every alert.

To find these answers, there are a few specific capabilities of Defender for Endpoint we use that allow us to pull this information into each alert:

  • Advanced hunting database.
  • Prevalence information.
  • Detailed process logging.
  • AV actions.

This way, our analysts don’t need to worry about fiddling with the tool but instead focus on analyzing the rich data it provides.

Check out a real-life example of how Expel analysts use Defender for Endpoint to triage an alert on behalf of a customer.

Defender for Endpoint helps reduce our alert-to-fix time

The decision support—or additional context about an alert—that Defender for Endpoint enables us to generate is powerful because it allows us to become specialists at analysis rather than specialists of a specific technology.

Defender for Endpoint provides a platform that allows our analysts to quickly and accurately answer important questions during an investigation.

Most importantly, though, having these capabilities emulated in the API allowed us to build on top of the Defender for Endpoint platform to be more efficient in providing high-quality detection and response.

And that’s a win-win for both Expel and our customers.

Learn more

To learn more about Expel, visit our listing on the Azure Marketplace.

To learn more about the Microsoft Intelligent Security Association (MISA), visit our website, where you can learn about the MISA program, product integrations and find MISA members. Visit the video playlist to learn about the strength of member integrations with Microsoft products.


Recent enhancements for Microsoft Power Platform governance

February 1st, 2021

An emerging trend in digital transformation efforts has been the rise of low-code development platforms. Of course, these low-code platforms must be grounded in best-of-breed governance capabilities, which include security and compliance features. Without strong governance, the full benefits of low-code development cannot be realized. It’s only natural that any low-code platform chosen by an organization must have strong security and compliance capabilities. Microsoft has developed the Power Platform, which includes Power Apps, Power Automate, Power Virtual Agents, and Power BI, to serve our customers’ needs for a robust low-code development platform that includes app development, automation, chatbots, and rich, detailed data analysis and visualization. We previously reported on the fundamental security and compliance capabilities offered with Microsoft Flow, which was renamed Power Automate. In this blog, we’re going to discuss the integrated security and compliance capabilities across the Power Platform and provide an update on the new capabilities we’ve launched.

Foundations of governance

As the number of developers grows, governance becomes a key criterion to ensure digital transformation. As such, IT must create stronger guardrails to ensure the growing numbers of developers and the assets they create all remain compliant and secure. The Power Platform’s governance approach is multi-step with a focus on security, monitoring, administrative management, and application lifecycle management (figure 1). Check out our detailed governance and administration capabilities. The Power Platform also offers a Center of Excellence Starter Kit which organizations can use to evolve and educate employees on governance best practices. The Power Platform comes equipped with features that help reduce the complexity of governing your environment and empowers admins to unlock the greatest benefits from their Power Platform services. We’re reporting some of our newest capabilities to protect your organization’s data with tenant restrictions and blocking email exfiltration. We’re also announcing new analytics reports available for the robotic process automation (RPA) capability recently launched with Power Automate.


Figure 1: The Power Platform multi-step governance strategy.

Cross-tenant inbound and outbound restrictions using Azure Active Directory

The Power Platform offers access to over 400 connectors to today’s most popular enterprise applications. Connectors are proxies or wrappers around an API that allow the underlying service to ‘talk’ to Power Automate, Power Apps, and Azure Logic Apps. Controlling access to these connectors and to the data residing in the applications is a crucial aspect of a proactive governance and security approach. To this end, we have recently enhanced the cross-tenant inbound and outbound restrictions for Power Platform connectors. The Power Platform leverages Azure Active Directory (Azure AD) for controlling user authentication and access to data for important connectors such as Microsoft first-party services. While tenant restrictions can be created in Azure AD at the tenant level, enabling organizations to control access to software as a service (SaaS) cloud applications and services based on the Azure AD tenant used for single sign-on, they cannot target specific Microsoft services such as Power Platform exclusively. Organizations can opt to isolate the tenant for Azure AD-based connectors exclusively for Power Platform, using Power Platform’s tenant isolation capability. Power Platform tenant isolation works for connectors using Azure AD-based authentication such as Office 365 Outlook or SharePoint. Power Platform’s tenant isolation can be one-way or two-way depending on the specific use case. Tenant admins can also choose to allow one or more specific tenants in the inbound or outbound direction for connection establishment while disallowing all other tenants. Learn more about tenant restrictions and tenant isolation. For now, this capability is available through support and will soon be available for admin self-service using the Power Platform admin center.

In addition to leveraging Power Platform tenant isolation’s ability to prevent data exfiltration and infiltration for Azure AD-based connectors, admins can safeguard against connectors using external identity providers such as Microsoft account, Google, and much more—creating a data loss prevention policy that classifies the connector under the Blocked group.

Email exfiltration controls

Digital transformation has opened a variety of new communications channels. However, email remains the foundational method of digital communication, and Microsoft Outlook continues as one of the dominant email services for enterprises. Preventing the exfiltration of sensitive data via email is crucial to maintaining enterprise data security. To this end, we have added the ability for Power Platform admins to prevent emails sent through Power Platform from being distributed to external domains. This is done by setting Exchange mail rules based on specific SMTP headers that are inserted into emails sent through Power Automate and Power Apps using the Microsoft 365 Exchange and Outlook connector. The SMTP headers can be used to create appropriate exfiltration (unauthorized transfer of data from one device to another) rules in Microsoft Exchange for outbound emails. For more details on the headers auto-inserted by the Microsoft 365 Outlook connector, see SMTP headers. With the new controls, admins can easily block the exfiltration of forwarded emails and exempt specific flows (automated workflows created with Power Automate) or apps from exfiltration blocking. To block the exfiltration of forwarded emails, admins can set up Exchange mail flow rules to monitor or block emails sent by Power Automate and/or Power Apps using the Microsoft 365 Outlook connector. Figure 2 is an example SMTP header for an email sent using Power Automate, with the reserved word ‘Power Automate’ in the application header type.


Figure 2: Power Platform SMTP email header with reserved word ‘Power Automate.’

The SMTP header also includes an operation ID that indicates the type of email, which in figure 2 is a forwarded email. Exchange admins can use these headers to set up exfiltration blocking rules in the Exchange admin center. As you can see in figure 2, the SMTP header also includes a workflow identifier in the new ‘User-Agent’ header, which is equal to the app or flow ID. Where the business scenario requires it, admins can exempt some flows (or apps) from exfiltration blocking by matching on that workflow ID in the User-Agent header. Learn more about how Power Platform helps admins prevent email exfiltration with these sophisticated new controls.
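The mail flow rule logic described above, emulated in Python as an added example (not Microsoft's or Exchange's code) so the block/exempt decision can be checked against sample headers offline. The header names x-ms-mail-application and x-ms-mail-operation-type are taken from the Outlook connector documentation rather than from this post, and the sample messages, domains and flow ID are constructed.

```python
"""Emulate an Exchange mail flow rule that blocks forwarded e-mail sent through
Power Automate / Power Apps to external recipients, with per-flow exemptions."""
import re
from email import message_from_string
from email.utils import getaddresses
from typing import Dict, Iterable, List, Optional, Set

ORG_DOMAINS = {"contoso.example"}                 # constructed: the tenant's own domains
RESERVED_WORDS = ("Power Automate", "Power Apps")  # reserved words in the application header
WORKFLOW_ID_RE = re.compile(r"workflow\s+([0-9a-f-]{36})", re.IGNORECASE)

# Constructed sample: a message forwarded by a cloud flow to an outside partner.
# Header names follow the Outlook connector docs (assumption); values are made up.
FORWARDED_EXTERNAL = """\
From: alice@contoso.example
To: partner@fabrikam.example
Subject: FW: Q1 numbers
x-ms-mail-application: Microsoft Power Automate
x-ms-mail-operation-type: Forward
User-Agent: azure-logic-apps/1.0 (workflow 2f0c9b8e-1111-4d4e-9a9a-000000000001; version 1) microsoft-flow/1.0

(forwarded body)
"""

# Constructed sample: an ordinary user-sent forward with no connector headers.
ORDINARY_MAIL = """\
From: alice@contoso.example
To: partner@fabrikam.example
Subject: FW: lunch

(body)
"""


def workflow_id(msg) -> Optional[str]:
    """The flow/app ID the connector places in User-Agent (the post's 'workflow identifier')."""
    m = WORKFLOW_ID_RE.search(msg.get("User-Agent", ""))
    return m.group(1).lower() if m else None


def external_recipients(msg, org_domains: Set[str]) -> List[str]:
    """Recipients whose domain is not one of the tenant's own domains."""
    addrs = [addr for _, addr in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    return [a for a in addrs if a.rsplit("@", 1)[-1].lower() not in org_domains]


def evaluate(raw: str, exempt_ids: Iterable[str] = (),
             org_domains: Set[str] = ORG_DOMAINS) -> Dict[str, object]:
    """Return the rule's decision for one raw message: block or allow, with the reason."""
    msg = message_from_string(raw)
    app = msg.get("x-ms-mail-application", "")
    if not any(word in app for word in RESERVED_WORDS):
        return {"action": "allow", "reason": "not sent through a Power Platform connector"}
    wid = workflow_id(msg)
    if wid and wid in {i.lower() for i in exempt_ids}:
        return {"action": "allow", "reason": f"flow {wid} exempted by admin"}
    op = msg.get("x-ms-mail-operation-type", "").strip().lower()
    ext = external_recipients(msg, org_domains)
    if op == "forward" and ext:
        return {"action": "block", "reason": f"forwarded via {app.strip()} to external recipients",
                "workflow": wid, "external_recipients": ext}
    return {"action": "allow", "reason": "Power Platform mail, but not an external forward"}


if __name__ == "__main__":
    print(evaluate(FORWARDED_EXTERNAL))
    print(evaluate(FORWARDED_EXTERNAL, exempt_ids=["2f0c9b8e-1111-4d4e-9a9a-000000000001"]))
    print(evaluate(ORDINARY_MAIL))
```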

Powerful analytics for monitoring robotic process automation processes

One of the most exciting new capabilities offered with the Power Platform is Desktop Flows (previously known as UI flows), which provide robotic process automation (RPA) available through Power Automate. Along with this powerful new feature, we have launched new analytics dashboards to ensure admins have full visibility with new RPA processes. Admins can view the overall status of automation that runs in the organization and monitor the analytics for automation that’s built with RPA automation from the Power Platform admin center. These analytics reports are accessible to users granted environment admin privilege. Admins can access the Power Platform admin center by clicking the Admin Center from the Power Automate portal settings menu. From the admin center, admins can access either Cloud flows (non-RPA automation) or Desktop flows. The Desktop flows page offers three types of reports:

  • Runs: Gives you an overview of daily, weekly, and monthly desktop flow run statistics.
  • Usage: Usage of the different RPA processes.
  • Created: Analytics for recently created RPA processes.

Figure 3 shows an example of the new Runs report available in the admin center for Desktop flows. You can get more details on these powerful new analytics capabilities from our Microsoft docs page and our announcement blog. Check them both out.


Figure 3: New analytics ‘Run’ report for Desktop flows in Power Platform admin center.

Join our community and get started today

Join the growing Power Platform community so you can get the latest updates, join discussions, and get ideas on how the Power Platform can help your organization. You can also learn how the products work from these learning modules available at Microsoft Learn. Be sure to check out some of our great assets which will get you more knowledgeable about the powerful tools available to ensure your organization benefits from low-code development with the Power Platform while adhering to some of the industry’s best compliance and security standards.


Simplify compliance and manage risk with Microsoft Compliance Manager

January 14th, 2021

The cost of non-compliance is more than twice that of compliance costs. Non-compliance with the ever-increasing and changing regulatory requirements can have a significant impact on your organization’s brand, reputation, and revenue. According to a study by the Ponemon Institute and Globalscape, being compliant will cost you less compared to business disruptions, loss of revenue, and hefty fines.

Data explosion and regulatory environment

As organizations go through digital transformation, they are generating and consuming much more data than in the past to help them gain an edge over their competitors. This data is necessary to continue to stay relevant by empowering employees, engaging customers, and optimizing operations. Managing this data and the variety of devices on which it is created can be complicated, especially when it comes to ensuring compliance.

Not only is the amount of data IT must manage exploding, regulations on how that data can and should be handled are also increasing. Collecting customer and citizen data is often an integral part of how public and private sector organizations function. While there has been progress over the last few years, the challenge of maintaining and protecting personal data continues. Regulations are creating a need for the responsible usage of personal data, and the stakes are high. Not complying with regulations can result in significant fines and reduced credibility with regulators, customers, and citizens.

Manage compliance challenges

According to a recent report about the cost of compliance, there were more than 215 regulation updates a day from over 1,000 regulatory bodies all over the world, a slight decrease from the previous year. For example, enforcement of the California Consumer Privacy Act (CCPA), Brazil’s Lei Geral de Proteção de Dados (LGPD), and Thailand’s Personal Data Protection Act (PDPA) began in 2020.

Organizations face all kinds of risks, including financial, legal, people, IT, and cybersecurity risks. Below are some of the challenges we are seeing due to the dynamic nature of the compliance landscape.

  • Keeping up with constantly changing regulations is a struggle. With all the regulatory and standards bodies creating new or revising existing requirements and guidelines, keeping up to date is time and resource-intensive.
  • Point-in-time assessments create a digital blind spot. Many organizations rely on point-in-time assessments, like annual audits. Unfortunately, they can go out of date quickly and expose the organization to potential risks until the next assessment is done. Organizations are looking for ways to improve integration and create near real-time assessments to control risks caused by digital assets.
  • Inefficient collaboration and siloed knowledge lead to duplication of effort. Organizations are often challenged due to siloed knowledge concerning IT risk management. IT and security admins know the technology solutions but find regulations difficult to understand. Contrast that with compliance, privacy, and legal teams who tend to be familiar with the regulations but are not experts in the technology available to help them comply. In addition, many organizations start their compliance journey using general-purpose tools like Microsoft Excel and try to track compliance manually, but quickly outgrow this approach because of the complexities of managing compliance activities.
  • Complexity across IT environments hinders adoption. Understanding how to integrate the many solutions available and configure each one to minimize compliance risks can be difficult. This is especially true in organizations with solutions sourced from multiple vendors that often have overlapping functionality. Decision-makers want simple step-by-step guidance on how to make the tools work for the industry standards and regulations they are subject to.

Simplify compliance with Microsoft Compliance Manager

Microsoft Compliance Manager is the end-to-end compliance management solution included in the Microsoft 365 compliance center. It empowers organizations to simplify compliance, reduce risk, and meet global, industry, and regional compliance regulations and standards. Compliance Manager translates complicated regulations, standards, company policies, and other desired control frameworks into simple language, maps regulatory controls and recommended improvement actions, and provides step-by-step guidance on how to implement those actions to meet regulatory requirements. Compliance Manager helps customers prioritize work by associating a score with each action, which accrues to an overall compliance score. Compliance Manager provides the following benefits:

  • Pre-built assessments for common industry and regional standards and regulations, and custom assessments to meet your unique compliance needs. Assessments are available depending on your licensing agreement.
  • Workflow functionality to help you efficiently complete risk assessments.
  • Detailed guidance on actions you can take to improve your level of compliance with the standards and regulations most relevant for your organization.
  • Risk-based compliance score to help you understand your compliance posture by measuring your progress completing improvement actions.

Shared responsibility

Organizations running their workloads only on-premises are 100 percent responsible for implementing the controls necessary to comply with standards and regulations. With cloud-based services, such as Microsoft 365, that responsibility becomes shared between your organization and the cloud provider, although the organization remains ultimately responsible for the security and compliance of its data.

Microsoft manages controls relating to physical infrastructure, security, and networking with a software as a service (SaaS) offering like Microsoft 365. Organizations no longer need to spend resources building datacenters or setting up network controls. With this model, organizations manage the risk for data classification and accountability. And risk management is shared in certain areas like identity and access management. The chart below is an example of how responsibility is shared between the cloud customer and cloud provider with various on-premises and online services models.


Figure 1: Shared responsibility model

Apply a shared responsibility model

Because responsibility is shared, transitioning your IT infrastructure from on-premises to a cloud-based service like Microsoft 365 significantly reduces your burden of complying with regulations. Take the United States National Institute of Standards and Technology’s NIST 800-53 regulation as an example. It is one of the largest and most stringent security and data protection control frameworks used by the United States government and large organizations. If your organization were adhering to this standard and using Microsoft 365, Microsoft would be responsible for managing more than 75 percent of the 500 plus controls. You would only need to focus on implementing and maintaining the controls not managed by Microsoft. Contrast that situation with one where your organization was running 100 percent on-premises. In that case, your organization would need to implement and maintain all the NIST 800-53 controls on your own. The time and cost savings managing your IT portfolio under the shared responsibility model can be substantial.


Figure 2: NIST examples of shared responsibilities

Assess your compliance with a compliance score

Compliance Manager helps you prioritize which actions to focus on to improve your overall compliance posture by calculating your compliance score. The extent to which an improvement action impacts your compliance score depends on the relative risk it represents. Points are awarded according to the action’s risk level, which is determined by a combination of the following action characteristics:

  • Mandatory or discretionary.
  • Preventative, detective, or corrective.

Your compliance score measures your progress towards completing recommended actions that help reduce risks around data protection and regulatory standards. Your initial score is based on the Data Protection Baseline, which includes controls common to many industry regulations and standards. While the Data Protection Baseline is a good starting point for assessing your compliance posture, a compliance score becomes more valuable once you add assessments relevant to the specific requirements of your organization. You can also use filters to view the portion of your compliance score based on criteria that includes one or more solutions, assessments, and regulations. More on that later.

The image below is an example of the Overall compliance score section of the Compliance Manager dashboard. Notice that even though the number under Your points achieved is zero, the Compliance Score is 75 percent. This demonstrates the value of the shared responsibility model. Since Microsoft has already implemented all the actions it is responsible for, a substantial portion of what is recommended to achieve compliance is already complete even though you have yet to take any action.
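The scoring described here, together with the control crosswalk shown earlier (one implemented action counts toward every standard it maps to), sketched in Python as an added example that is not Compliance Manager's own code. The point weights are an assumption, since the post names the two characteristics but no values; the action inventory and the non-PR.AC-1 control IDs are constructed for illustration.

```python
"""Risk-weighted compliance score over improvement actions that each satisfy
controls in several standards, with the provider/customer split of the post."""
from dataclasses import dataclass, replace
from typing import Dict, Iterable, Optional, Tuple

# Point weights per action characteristic. ASSUMPTION: the post names the
# characteristics (mandatory/discretionary, preventative/detective/corrective)
# but states no values, so these weights are illustrative only.
WEIGHTS = {
    ("mandatory", "preventative"): 27,
    ("discretionary", "preventative"): 9,
    ("mandatory", "detective"): 3,
    ("mandatory", "corrective"): 3,
    ("discretionary", "detective"): 1,
    ("discretionary", "corrective"): 1,
}


@dataclass(frozen=True)
class Action:
    name: str
    enforcement: str                        # "mandatory" | "discretionary"
    kind: str                               # "preventative" | "detective" | "corrective"
    owner: str                              # "microsoft" (provider side) | "customer"
    controls: Tuple[Tuple[str, str], ...]   # (standard, control id) pairs this action satisfies
    implemented: bool = False

    def points(self) -> int:
        return WEIGHTS[(self.enforcement, self.kind)]

    def covers(self, standard: Optional[str]) -> bool:
        return standard is None or any(std == standard for std, _ in self.controls)


# Constructed inventory. The MFA row reuses the PR.AC-1 crosswalk IDs quoted in the
# post (AC-2, A.9.4.2, CIP-004-6); the other control IDs are illustrative.
NIST, ISO, CIP = "NIST SP 800-53", "ISO/IEC 27001", "NERC CIP"
ACTIONS = (
    Action("Datacenter physical access", "mandatory", "preventative", "microsoft",
           ((NIST, "PE-3"), (ISO, "A.11.1.2"), (CIP, "CIP-006-6")), implemented=True),
    Action("Encrypt customer data at rest", "mandatory", "preventative", "microsoft",
           ((NIST, "SC-28"), (ISO, "A.10.1.1")), implemented=True),
    Action("Network boundary protection", "mandatory", "preventative", "microsoft",
           ((NIST, "SC-7"), (CIP, "CIP-005-5")), implemented=True),
    Action("Require MFA for privileged accounts", "mandatory", "preventative", "customer",
           ((NIST, "AC-2"), (ISO, "A.9.4.2"), (CIP, "CIP-004-6"))),
    Action("Review audit logs weekly", "discretionary", "detective", "customer",
           ((NIST, "AU-6"), (ISO, "A.12.4.1"))),
    Action("Maintain an incident response plan", "mandatory", "corrective", "customer",
           ((NIST, "IR-8"), (ISO, "A.16.1.1"), (CIP, "CIP-008-5"))),
    Action("Classify sensitive data", "discretionary", "preventative", "customer",
           ((ISO, "A.8.2.1"),)),
)


def compliance_score(actions: Iterable[Action], assessment: Optional[str] = None) -> Dict[str, int]:
    """Score as on the dashboard: provider-managed points count from day one, so the
    score is well above zero while 'your points achieved' is still 0. Pass a standard
    name to get the filtered view the post mentions."""
    relevant = [a for a in actions if a.covers(assessment)]
    max_points = sum(a.points() for a in relevant)
    microsoft = sum(a.points() for a in relevant if a.implemented and a.owner == "microsoft")
    yours = sum(a.points() for a in relevant if a.implemented and a.owner == "customer")
    pct = round(100 * (microsoft + yours) / max_points) if max_points else 0
    return {"max_points": max_points, "microsoft_points": microsoft,
            "your_points": yours, "score_pct": pct}


def implement(actions: Iterable[Action], name: str) -> Tuple[Action, ...]:
    """Mark one action done; it then counts toward every standard it is mapped to."""
    return tuple(replace(a, implemented=True) if a.name == name else a for a in actions)


def covered_controls(actions: Iterable[Action], standard: str) -> Dict[str, bool]:
    """Per-control view for one standard: which control IDs are satisfied so far."""
    return {cid: a.implemented for a in actions for std, cid in a.controls if std == standard}


if __name__ == "__main__":
    print("initial:", compliance_score(ACTIONS))
    after = implement(ACTIONS, "Require MFA for privileged accounts")
    for std in (None, NIST, ISO, CIP):
        print(std or "overall", compliance_score(after, std))
    print(covered_controls(after, CIP))
```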


Figure 3: Compliance Score from Microsoft Compliance Manager

For more information on Microsoft Compliance Manager, please visit the Microsoft Compliance Manager documentation.


Privacy breaches: Using Microsoft 365 Advanced Audit and Advanced eDiscovery to minimize impact

January 6th, 2021

GDPR, HIPAA, GLBA, all 50 U.S. States, and many countries have privacy breach reporting requirements. If an organization experiences a breach of customer or employee personal information, it must report it within the required time frame. The size and scope of this reporting effort can be massive. Using Microsoft 365 Advanced Audit and Advanced eDiscovery to better understand the scope of the breach can minimize the burden on customers as well as the financial and reputational cost to the organization.

A changing privacy landscape

In 2005, ChoicePoint, a Georgia-based financial data aggregator, had a data breach affecting 145,000 of its customers. There were multiple security lapses and resulting penalties, but initially only ChoicePoint’s California-based customers were required to be notified because, at the time, California, with California Senate Bill 1386, was the only state that had a mandatory privacy breach notification law.

Since that time, all 50 U.S. States have put in place mandatory privacy breach notification laws. Countries in the Americas, the Middle East, Europe, and Asia have adopted privacy standards including mandatory breach notification. Broader regulations that address this issue include California Consumer Privacy Act, China’s Personal Information Security Specification, Brazil’s Lei Geral de Proteção de Dados Pessoais (LGPD), and the European General Data Protection Regulation (GDPR). Given how often these laws are added or updated, it’s challenging for any organization to keep up. As one solution, Microsoft 365 Compliance Manager provides a set of continually updated assessments (174 and growing) to assist our customers with these standards.

A board-level business risk

The reputational and financial risk to a company from a privacy breach can be massive. For example, under California Civil Code 1798.80, which deals with the breach of personal health information, there is a penalty of up to $25,000 per patient record breached. For many standards, there are not only regulatory penalties imposed, but also the right of private action by those whose records have been breached (that is, those who have had their records breached can sue for damages, creating financial liability for a company beyond the regulatory penalties).

There are timeframes under which notification must be made. The California Code requires notification to the regulator within 15 days after unauthorized disclosure is detected. Article 33 of GDPR requires notification to the regulator within 72 hours after the organization becomes aware of the breach.

According to a list compiled by the Infosec Institute, the average cost of a data breach in 2019 was $3.9 million but can range as high as $2 billion in cases like the Equifax breach of 2017.

The reputational damage associated with a breach of customer, employee, or other stakeholders’ personal or business information can substantially reduce a company’s value.

The scope of notification (if any is needed at all) and remediation depends on understanding the scope of the breach in a timely fashion. In the absence of reliable information, companies need to make worst-case assumptions that may result in larger notifications, higher costs, and unnecessary hardship for customers and other stakeholders.

Preparation for breach

As security and compliance professionals, our priority is to avoid breaches with a defense-in-depth strategy that includes a Zero Trust architecture.

Microsoft has comprehensive security solutions for Microsoft 365, as well as compliance and risk management solutions that enable our compliance pillar framework:

But we also must prepare for breaches even as we defend against them. Part of that preparation is putting our organization in a position to scope a breach and limit its impact. This means ensuring we have the data governance and signal in place before the breach happens. Security professionals know that they have to deploy solutions like Data Loss Prevention, firewalls, and encryption to defend against attacks, but they may not focus as much on having the right audit data available and retained, and visualizations and playbooks in place beforehand to scope a future breach.

Use Microsoft 365 Advanced Audit and Advanced eDiscovery to investigate compromised accounts

The Microsoft 365 Advanced Audit solution makes a range of data available that is focused on what will be useful to respond to crucial events and forensic investigations. It retains this data for one year (rather than the standard 90-day retention), with an option to extend the retention to ten years. This keeps the audit logs available to long-running investigations and to respond to regulatory and legal obligations.

These crucial events can help you investigate possible breaches and determine the scope of compromise. Advanced Audit provides the following crucial events:

There are built-in default alert policies that use the Advanced Audit data to provide situational awareness either through Microsoft 365’s own security and compliance portal, through Microsoft’s Azure Sentinel cloud-native SIEM, or through a customer’s third-party SIEM. A customer can create customized alerts to use the audit data as well.

Let’s look at how a customer might use Advanced Audit to investigate a compromised account and scope the extent of a data breach:

In an account takeover, an attacker uses a compromised user account to gain access and operate as that user. The attacker may or may not have intended to access the user’s email. If they intended to access the user’s email, they may or may not have had the chance to do so. This is especially true if the defense in depth and situational awareness discussed above are in place: the attack may have been detected, the password changed, the account locked, and so on.

If the user’s email has confidential information of customers or other stakeholders, we need to know if this email was accessed. We need to separate legitimate access by the mailbox owner during the account takeover from access by the attacker.

With Advanced Audit, we have this ability. Without it, a customer will have to assume all information in the user’s mailbox is now in the hands of the attacker and proceed with reporting and remediation on this basis.

The MailItemsAccessed audit data item will indicate if a mailbox item has been accessed by a mail protocol. It covers mail accessed by both sync and bind. In the case of sync access, the mail was accessed by a desktop version of the Outlook client for Windows or Mac. In bind access, the InternetMessageId of the individual message will be recorded in the audit record.

We have the ability to forensically analyze mail access via a desktop client or via Outlook Web Access.

We also need to differentiate between the mailbox owner’s legitimate access to a mail item during the attack time period and access by the attacker. We can do this by examining the audit records to see the context of the access, including the session ID and IP address used for access. We match these with other audit records and known good access by the user.
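As an added example (not Microsoft's code), the following Python walks a constructed export of MailItemsAccessed records for one mailbox, builds a known-good baseline of source addresses from the owner's pre-incident activity, and then separates in-window sessions attributable to the owner from unattributed ones, listing the InternetMessageIds bound and the folders synced by the latter. It also flags records whose IsThrottled property is true, since Exchange stops recording individual accesses once a mailbox exceeds the daily MailItemsAccessed limit; the field names are assumptions modelled on the Management Activity API schema and must be checked against your own export.

```python
"""Scope mailbox access during an account takeover from MailItemsAccessed
audit records. Added example, not Microsoft's code; the record layout is an
assumption modelled on the Management Activity API schema (CreationTime,
ClientIPAddress, SessionId, OperationProperties carrying MailAccessType and
IsThrottled, Folders[].FolderItems[].InternetMessageId)."""
import json

# Constructed sample export: one owner record before the suspected compromise
# (the baseline) and several records inside the compromise window.
SAMPLE_EXPORT = json.dumps([
    {"Operation": "MailItemsAccessed", "CreationTime": "2021-01-04T08:02:11",
     "UserId": "alice@contoso.example", "ClientIPAddress": "203.0.113.10",
     "SessionId": "sess-owner-a", "ClientInfoString": "Client=MSExchangeRPC",
     "OperationProperties": [{"Name": "MailAccessType", "Value": "Sync"},
                             {"Name": "IsThrottled", "Value": "False"}],
     "Folders": [{"Path": "\\Inbox"}]},
    {"Operation": "FileAccessed", "CreationTime": "2021-01-05T09:00:00",
     "UserId": "alice@contoso.example", "ClientIP": "203.0.113.10"},
    {"Operation": "MailItemsAccessed", "CreationTime": "2021-01-05T09:14:30",
     "UserId": "alice@contoso.example", "ClientIPAddress": "203.0.113.10",
     "SessionId": "sess-owner-b", "ClientInfoString": "Client=OWA",
     "OperationProperties": [{"Name": "MailAccessType", "Value": "Bind"},
                             {"Name": "IsThrottled", "Value": "False"}],
     "Folders": [{"Path": "\\Inbox", "FolderItems": [
         {"InternetMessageId": "<msg-001@contoso.example>"}]}]},
    {"Operation": "MailItemsAccessed", "CreationTime": "2021-01-05T11:41:05",
     "UserId": "alice@contoso.example", "ClientIPAddress": "198.51.100.7",
     "SessionId": "sess-unknown-1", "ClientInfoString": "Client=OWA",
     "OperationProperties": [{"Name": "MailAccessType", "Value": "Bind"},
                             {"Name": "IsThrottled", "Value": "False"}],
     "Folders": [{"Path": "\\Inbox", "FolderItems": [
         {"InternetMessageId": "<msg-002@contoso.example>"},
         {"InternetMessageId": "<msg-003@contoso.example>"}]}]},
    {"Operation": "MailItemsAccessed", "CreationTime": "2021-01-05T11:45:52",
     "UserId": "alice@contoso.example", "ClientIPAddress": "198.51.100.7",
     "SessionId": "sess-unknown-1", "ClientInfoString": "Client=MSExchangeRPC",
     "OperationProperties": [{"Name": "MailAccessType", "Value": "Sync"},
                             {"Name": "IsThrottled", "Value": "False"}],
     "Folders": [{"Path": "\\Inbox"}, {"Path": "\\Sent Items"}]},
    {"Operation": "MailItemsAccessed", "CreationTime": "2021-01-05T12:03:17",
     "UserId": "alice@contoso.example", "ClientIPAddress": "198.51.100.7",
     "SessionId": "sess-unknown-2", "ClientInfoString": "Client=OWA",
     "OperationProperties": [{"Name": "MailAccessType", "Value": "Bind"},
                             {"Name": "IsThrottled", "Value": "True"}],
     "Folders": [{"Path": "\\Inbox", "FolderItems": [
         {"InternetMessageId": "<msg-004@contoso.example>"}]}]},
])


def _prop(record, name):
    """Return one Name/Value entry from OperationProperties, or None."""
    for entry in record.get("OperationProperties", []):
        if entry.get("Name") == name:
            return entry.get("Value")
    return None


def load_records(export_text):
    """Parse an exported audit log and keep only MailItemsAccessed records."""
    return [r for r in json.loads(export_text)
            if r.get("Operation") == "MailItemsAccessed"]


def known_good_ips(records, window_start):
    """Baseline: source addresses the owner used before the compromise
    window (ISO-8601 timestamps compare correctly as strings)."""
    return {r["ClientIPAddress"] for r in records
            if r["CreationTime"] < window_start}


def scope_mail_access(records, window_start):
    """Attribute in-window access to the owner or to sessions needing review.

    A session is attributed to the owner when its source IP appears in the
    pre-incident baseline; everything else is unattributed and should be
    corroborated against sign-in records. Bind records name each
    InternetMessageId; Sync records name only folders, so every item in a
    synced folder has to be treated as exposed.
    """
    baseline = known_good_ips(records, window_start)
    result = {"attributed_messages": set(), "messages_to_review": set(),
              "folders_synced": set(), "unattributed_sessions": {},
              "throttled_sessions": set()}
    for r in records:
        if r["CreationTime"] < window_start:
            continue
        session, ip = r["SessionId"], r["ClientIPAddress"]
        trusted = ip in baseline
        if not trusted:
            result["unattributed_sessions"][session] = ip
        # IsThrottled=True means Exchange stopped recording further accesses
        # that day, so the message list is a floor, not the full scope.
        if _prop(r, "IsThrottled") == "True":
            result["throttled_sessions"].add(session)
        for folder in r.get("Folders", []):
            if _prop(r, "MailAccessType") == "Sync":
                if not trusted:
                    result["folders_synced"].add(folder["Path"])
                continue
            ids = {i["InternetMessageId"] for i in folder.get("FolderItems", [])}
            result["attributed_messages" if trusted else "messages_to_review"] |= ids
    for key in ("attributed_messages", "messages_to_review",
                "folders_synced", "throttled_sessions"):
        result[key] = sorted(result[key])  # stable output for a report
    return result


if __name__ == "__main__":
    scope = scope_mail_access(load_records(SAMPLE_EXPORT), "2021-01-05T00:00:00")
    print(json.dumps(scope, indent=2))
```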

Advanced Audit retains other events like Teams Joins, File Accessed, Messages Sent, Search Queries, and many others that can support a breach analysis.

When we’ve properly scoped the data that the attacker has had access to, we want to deep dive and inspect the content.

With Advanced eDiscovery we can collect all emails, documents, Microsoft Teams, and Yammer interactions of the account that was taken over. We can search for confidential information and metadata to identify the material in question:

There is metadata for each item which, for emails, includes InternetMessageID as well as many other items such as from, to, and when it was sent, and any Microsoft Information Protection sensitivity label.

Advanced Audit and Advanced eDiscovery are an important part of an effective security risk and compliance strategy. These Microsoft 365 native tools allow our customers to understand the true scope of a breach. They have the potential to substantially reduce or eliminate the reporting requirements stemming from a compromised account. Advanced Audit can reduce the financial and reputational damage to a company, its customers, employees, partners, and other stakeholders.



This document is provided “as-is.” Information and views expressed in this document, including URL and other Internet Web site references, may change without notice. You bear the risk of using it. This document is not intended to communicate legal advice or a legal or regulatory compliance opinion. Each customer’s situation is unique, and legal and regulatory compliance should be assessed in consultation with their legal counsel.


Extend data loss prevention to your devices with Microsoft Endpoint Data Loss Prevention, now generally available

November 10th, 2020

Video: Endpoint Data Loss Prevention (DLP) | What it is and how to set it up in Microsoft 365.

Managing and protecting data is critical to any organization. Data is growing exponentially, and remote work is making it even harder to manage risks around data. In fact, a recent Microsoft survey of security and compliance decision-makers found that data leaks are the top concern in remote and hybrid work scenarios.

To help our customers to address this challenge, today we are excited to announce the general availability of Microsoft Endpoint Data Loss Prevention (DLP).

A unified approach to data loss prevention

At Microsoft, we have long invested in developing information protection solutions for our customers. Microsoft Information Protection (MIP) is a built-in, intelligent, unified, and extensible solution that understands and classifies your data, keeps it protected, and prevents data loss across Microsoft 365 Apps (including Word, PowerPoint, Excel, and Outlook), services (including Microsoft Teams, SharePoint, and Exchange), third-party SaaS applications, and more—on premises or in the cloud. This unified data loss prevention approach provides simplicity, enabling you to set a DLP policy once and have it enforced across services, devices, and first- and third-party apps.

Endpoint DLP builds on the labeling and classification in Microsoft Information Protection and extends the existing DLP capabilities in Microsoft 365, helping you to meet compliance requirements and protect sensitive information on endpoints. It’s built into Windows 10, the Microsoft 365 Apps, and Microsoft Edge—without the need to deploy additional software on the device, which eliminates friction and makes it far easier to have visibility into your data. For users, it ensures security, without compromising productivity. Endpoint DLP provides policy tips to help educate users when they are about to violate a policy. It’s also integrated with Microsoft Defender for Endpoint (formerly known as Microsoft Defender Advanced Threat Protection), which can help you prioritize incident response based on additional factors.

New capabilities based on public preview feedback

With the general availability today, we’re happy to share that we’ve added additional capabilities as a part of the public preview program based on valuable feedback from our customers.

Last month, we also announced the addition of integration of unified data loss prevention with Microsoft Cloud App Security (MCAS) in public preview, allowing you to extend data protection to non-Microsoft cloud apps. For example, say a user is trying to share a document in a third-party app on his or her mobile device. Because Microsoft Cloud App Security helps protect cloud apps, the same DLP policy will be triggered, both the end-user and the admin will receive a notification, and in this case, the link will be automatically disabled.

In addition, we heard feedback from some of you that you’d like to be able to leverage your existing security investments. Endpoint DLP integrates with Microsoft Defender for Endpoint, but it is also compatible with most anti-virus software, which enables you to have a choice and extend the investments you’ve already made.

Today’s general availability announcement is only the beginning. We are also excited to announce some new capabilities going into preview today:

  • Sensitivity labels are now included as a condition for Microsoft Data Loss Prevention (DLP) policies. This lets you define new enforcement actions and locations within Endpoint DLP that take into account the sensitivity context of information to better meet protection requirements.


Figure 1: Using sensitivity labeling as a condition of a policy in Endpoint DLP.

  • A new dashboard within Microsoft 365 compliance center helps you to manage DLP alerts. Alerts provide details about DLP events—including the sensitive information types detected in the content, confidence score rating, and event count—to help DLP reviewers quickly identify high-risk events so they can more effectively triage and remediate events.


Figure 2: Data loss prevention event alerts show in the new dashboard in Microsoft 365 compliance center.

  • New conditions and exceptions announced in public preview enhance the already existing predicate capabilities in DLP. Mail flow predicates provide a high degree of flexibility to configure the applicable ‘include’ and ‘exclude’ conditions in DLP policies to ensure that specific policies are applied to emails that only match the defined conditions.


Figure 3: New conditions and exceptions you can extend to your DLP policies to email messages.

You can learn a lot more about these new public preview capabilities in the TechCommunity blog.

Protecting your data

We continue to invest in providing you with the tools and visibility you need to help to protect your most precious asset – your data.

Endpoint DLP general availability will start rolling out to customers’ tenants in Microsoft 365 E5/A5, Microsoft 365 E5/A5 Compliance, and Microsoft 365 E5/A5 Information Protection and Governance starting today. Learn more about Endpoint DLP by reading the TechCommunity blog and visiting our documentation. You can sign up for a trial of Microsoft 365 E5 or navigate to the Microsoft 365 compliance center to get started today.



Unilever CISO on balancing business risks with cybersecurity

October 29th, 2020

Imagine showing up to work every day knowing that your job requires protecting 160,000 employees creating more than 450 products around the world—tea, ice cream, personal care, laundry and dish soaps—across a customer base of more than two and a half billion people every day. Unilever Chief Information Security Officer (CISO) Bobby Ford embraces the challenge, summing up his proactive approach this way: “I believe the responsibility of our group—the cybersecurity risk management group—is to enable the business to take risks.”

In this episode of “The Shiproom” I talk with Bobby about striking that balance between risk versus business needs, along with some of his strategies for protecting Unilever’s global workforce. We also discuss the ongoing challenges of communication and collaboration between the business and security sides of an organization. “I’m not the captain of the ‘no’ police,” Bobby explains. “Recognizing that the organization has to take risks—that’s what it means to be in business.”

On managing those risks, Bobby provides a useful metaphor: “For me, a mature cybersecurity strategy happens at the intersection of business intelligence and threat intelligence.” We discuss what constitutes threat intelligence, and why it’s important to maintain an ongoing conversation between business and security—so that decisions aren’t made in a vacuum.

Bobby also addresses the importance of diversity in the workplace, including “diversity of thought” and why a diverse workforce makes for better security. “The simplest answer is that the adversary is diverse. It’s hard to combat and defend against a diverse opponent when you lack diversity [on your team].”

We also discuss British food, arm wrestling, the Queen, shampoo, quesadillas, wombats, and more. Check out the whole discussion on:

What’s next

In an upcoming Shiproom episode, I’ll talk with Kurt John, CISO at Siemens USA. Kurt is listed in Security Magazine’s top 10 most influential cybersecurity leaders, and he’s a board member of the Virginia Innovation Partnership Authority tasked with enhancing Virginia’s tech-based economy. Kurt also serves on a special cybersecurity committee organized by the Under-Secretary-General of the United Nations. Don’t miss it.



Enable secure remote work, address regulations and uncover new risks with Microsoft Compliance

September 22nd, 2020

As we talk with a broad range of customers in the current environment, we hear some consistent challenges businesses are facing. With so many remote workers, people are creating, sharing, and storing data in new ways, which fosters productivity, but can also introduce new risks. A recent Microsoft poll of Chief Information Security Officers (CISOs) revealed that providing secure remote access to resources, apps, and data is their top concern.

To help companies better protect their data, mitigate risk, and address compliance regulations, especially in this time of flexible work, we are announcing several new capabilities across Microsoft Compliance, including:

  • General availability of Microsoft Compliance Manager to address industry regulations and custom requirements.
  • New connectors and APIs to help you to extend Microsoft compliance capabilities to third-party apps.
  • Ability to protect native and third-party cloud apps through unified data loss prevention (DLP), now extended to Microsoft Cloud App Security (MCAS) in public preview.
  • Expanded security and compliance capabilities built directly into Microsoft Teams.

Read on to learn more about these and additional features beginning to roll out today in Microsoft 365 Compliance. You can also check out what Jeff Teper, Corporate Vice President for Microsoft 365, has to say about Microsoft Compliance.

Addressing the complexity of data regulations with Microsoft Compliance Manager

In addition to the talent shortage and complexity of compliance management, customers also face the need to comply with an increased volume and frequency of regulations, with hundreds of updates a day globally to thousands of industry and regional regulations. Additionally, the complexity of regulations makes it challenging for organizations to know specific actions to take and their impact.

Compliance Manager offers a vast library of assessments for expanded regulatory coverage, built-in automation to detect tenant settings, and step-by-step guidance to help you manage risk. Compliance Manager translates complex regulatory requirements to specific technical controls, and through compliance score, provides a quantifiable measure of risk assessment. Generally available today, Compliance Manager brings together the existing Compliance Manager and Compliance Score solutions in the Microsoft 365 compliance center.

Now, with more than 150 out-of-the-box and scalable assessments in Compliance Manager, you can address industry- and region-specific requirements, while also meeting multiple requirements through a single action.

The flexibility of custom assessments also allows you to extend compliance and risk management beyond Microsoft 365 to meet your specific business needs. For example, if you are currently tracking compliance of your SAP data in an Excel file, you can bring that into Compliance Manager.

You can learn more about Compliance Manager on Tech Community. Check out Frost Bank’s experience with Compliance Manager on the Microsoft Customer site.

Extending compliance capabilities to manage data risk beyond Microsoft 365

To provide greater visibility into your data, wherever it lives, we are making new connectors available that can pull data from other apps into Microsoft Compliance (including Microsoft Information Protection, Insider Risk Management, Communication Compliance, and eDiscovery) to help you to reason over, protect, and govern that data. These new connectors – available in partnership with Globanet and Telemessage – include SMS/text connectors for various telecom operators (e.g., AT&T, Verizon, T-Mobile, etc.), WhatsApp, Zoom, and Slack.

A key ask from our partners and customers is the ability to access Microsoft Compliance solutions and integrate them with existing applications and services that are part of broader compliance, security, and operations (SecOps) ecosystems, including Symantec, McAfee, and Relativity.

To help, we are announcing new APIs, which are part of the broader Microsoft Graph ecosystem:

  • Teams Data Loss Prevention (DLP) API: Allows third-party products to integrate and enable data loss prevention capabilities for Microsoft Teams.
  • eDiscovery API: Allows the automation of Advanced eDiscovery processes, including case creation and the entire legal hold notification workflow to communicate with custodians involved in a case.
  • Teams Export API: Allows the export of Teams messages (1:1 and group chat) along with attachments (file links and stickers), emojis, GIFs, and user @Mentions. This API supports polling daily Teams messages and allows archiving of deleted messages for up to 30 days.


Figure 1: Extending compliance beyond Microsoft 365 — We have partnered with Globanet and Telemessage to deliver ready-to-use connectors. All Microsoft and third-party built connectors are now available in a single catalog.

You can learn more in the Tech Community blog.

Extending unified data loss prevention to Microsoft Cloud App Security (MCAS)

Having the right data protection and governance approach is critical to not only addressing regulatory compliance but also to mitigating risks around data leakage.

Microsoft Information Protection helps you to identify your data and ensure you have the right data classification in place to properly protect and govern that data, which enables you to apply data loss prevention (DLP) to enforce policies against that data. In July, we announced the public preview of Microsoft Endpoint Data Loss Prevention (DLP), which builds on the labeling and classification in Microsoft Information Protection. Endpoint DLP extends the existing DLP capabilities in Microsoft 365, helping you to meet compliance requirements and protect sensitive information on devices by restricting what data apps can access. Endpoint DLP is also natively integrated with the new Microsoft Edge browser, providing additional policy options to restrict the flow of data when accessing web sites.

Today we announce the extension of Microsoft data loss prevention solutions to Microsoft Cloud App Security. This new capability, now in public preview, extends the integration for DLP policy-based content inspection across connected applications such as Dropbox, Box, Google Drive, Webex, OneDrive, SharePoint, and others. This extension of Microsoft data loss prevention solutions to MCAS helps users remain continuously compliant when using popular native and third-party cloud apps and helps to ensure sensitive content is not accidentally or inappropriately shared. MCAS uses the same policy framework and the more than 150 sensitive information types that are common across all Microsoft data loss prevention solutions, to provide a familiar, consistent, and seamless experience.

You can learn more about our unified approach to data loss prevention on Tech Community.

Additional security and compliance features, including Advanced eDiscovery, being added to Microsoft Teams

As Microsoft Teams usage has grown with the shift to remote work, organizations are looking for seamless integration in order to keep their data and employees secure and compliant.

With the volume of business conversations happening now in Microsoft Teams, we are also adding additional security and compliance features, including:

  • Advanced eDiscovery now supports live documents and links shared in Microsoft Teams. Advanced eDiscovery automatically collects documents from a storage location, such as SharePoint or OneDrive, to pull the content into an eDiscovery case. The attachments are collected, reviewed, and exported along with the Teams conversations so customers don’t need to manually find and collect the documents one by one.
  • Auto-apply retention policies for Microsoft Teams meeting recordings allow you to retain and delete recordings with in-place governance, which means the retention policies apply wherever the recordings are saved without the need to export elsewhere. When the rollout for this begins in October, we will provide guidance on how you can leverage Keyword Query Language to create retention policies for Teams meeting recordings.
  • We now include Teams-specific actions in Compliance Manager, which provide guidance around improvement and implementation of actions you can take to help to align with protection regulations and standards.
  • We are also announcing Customer Key support for Teams. Microsoft helps keep Teams data safe by encrypting it while at rest in Microsoft datacenters. Now we are extending this capability to enable customers to add a layer of encryption using their own keys for Teams, similar to Exchange Online, SharePoint Online, and OneDrive.
  • Insider Risk Management now offers native integration with Microsoft Teams to securely coordinate, collaborate, and communicate on a case with relevant stakeholders in the organization. When an Insider Risk Management case is created, a private Microsoft Teams team will also be created and bound to the case for its duration. This Microsoft Teams team will, by default, include insider risk management analysts and investigators, and additional contributors such as HR and Legal can be added as appropriate. With Teams integration, stakeholders can:
    • Use channel conversations to coordinate and track review/response activities.
    • Share, store, and review relevant files and associated evidence.

Additional new capabilities coming to Microsoft Compliance

While I’ve discussed some of the biggest areas of investment for us in Microsoft Compliance, there are many additional new capabilities we’re excited to bring to you today:

  • Microsoft Information Protection now includes more than 150 sensitive data types, improvements to Exact Data Match, the general availability of automatic labeling in Office apps, and more.
  • Microsoft Information Governance and Records Management include new in-place retention and deletion policies for Yammer messages (rolling out now in public preview), as well as integration with the new SharePoint Syntex.
  • Insider Risk Management now integrates with Power Automate, provides a richer investigation experience, and includes expanded signal visibility to badging systems for building security.
  • Communication Compliance now provides enhanced visibility across a variety of communication channels and integration with Power Automate.
  • Advanced eDiscovery now has improved workflows, support for linked content in emails or chat messages, and enhanced collection experience.
  • Advanced Audit now includes two new audit events to help with forensic investigations and the ability to add 10-year audit log retention.

Remote and hybrid work scenarios have demonstrated that there has never been a more important time to invest in security and compliance. Get started today with Microsoft 365. To learn more about Microsoft Compliance and gain more technical training, visit the Virtual Hub today.



What’s new in Microsoft 365 Compliance and Risk Management

June 11th, 2020

The world has dramatically changed over the past three months. As Satya shared in our recent quarterly earnings, we have seen two years’ worth of digital transformation in two months. With that significant amount of rapid change, it’s more important than ever to make sure your business-critical data is kept private and secure while ensuring you remain compliant with privacy laws and regulations.

As the world continues to adjust, many of the customers I’ve been talking with lately have started to focus on cost optimization—how to do more with what they already have or even consolidate the number of systems they have to maintain.

Within Microsoft 365 Compliance, we have been working alongside many of you to help you through the crisis, as well as continue to evaluate the implications of tech decisions on security, privacy, and compliance. With that in mind, here’s a summary of some of the investments we’ve made in the last two months in Microsoft 365 Compliance to help you to get the most out of Microsoft 365 and take a more integrated approach to secure, protect, and manage your data, while mitigating risk.

Data protection

With Microsoft Information Protection (MIP), we are building a unified set of capabilities for classification, labeling, and protection not only in Office apps, but also in other popular productivity services where information resides (e.g., OneDrive, SharePoint, and Exchange). For example, to help you to have a more holistic understanding of the sensitive data in your digital estate, we recently announced the general availability of the data classification capabilities in the Microsoft 365 compliance center. These capabilities enable you to discover, classify, review, and monitor your data and establish appropriate policies to better protect and govern critical data (e.g., by applying sensitivity and retention labels or data loss prevention policies).

Another core component of Microsoft Information Protection is the ability to apply sensitivity labels. You can apply a sensitivity label to important documents or emails and associate it with protection policies and actions like encryption and visual marking. You can also be assured that the protection will persist with the document throughout its lifecycle. You can also apply sensitivity labels to a Microsoft Teams site, SharePoint site, or Microsoft 365 group and help to ensure appropriate device and privacy settings.

Because labeling only protects the data that is actually labeled, you need a method that scales to the volume of data you hold rather than relying on users alone. To help you achieve that scale, we are announcing general availability for automatic classification with sensitivity labels for documents stored on OneDrive and SharePoint, and for emails in transit in Exchange.

Users can also manually classify emails and documents by applying these labels based on their assessment of the content and their interpretation of the organizational guidelines. In fact, we recently announced the general availability of sensitivity labels with protection for Office files in SharePoint and OneDrive. Now your users can apply sensitivity labels, with protection policies, not just in Office apps on Windows, Mac, iOS, and Android but also in Office on the web. For files labeled and protected with encryption and stored in SharePoint and OneDrive, your users can search for content within these documents, coauthor using Office web apps, and be assured that the protection will persist even after the document is downloaded.

We have also worked with other productivity tools like Microsoft Power BI to make it easy to apply a sensitivity label to Power BI artifacts, including dashboards, datasets, dataflows, and reports created from one or multiple data sources. This helps to ensure the persistent protection of the data, even when it is exported to a file format such as Excel, because the exported file inherits the sensitivity label and its associated protection settings. Now generally available, when you connect to a Power BI dataset from Excel, that dataset's sensitivity label is inherited and applied to the Excel file along with its associated outcomes, such as headers, footers, and encryption. Rolling out soon is persistence of the label and protection when you embed a Power BI report in Microsoft Teams or maintain a live connection between an Excel file and a labeled Power BI dataset.

Data governance

The increased volume of information and multiple collaboration tools can create complexity for managing business records with serious cost and risk implications. As organizations across a variety of industries face ever-increasing regulations, many companies move data to different systems of record to manage them and comply with regulations. However, moving content to a different system, instead of managing it in place, can increase the risk of missing records or not declaring them properly.


Compliance and security in Microsoft Teams

With the move to remote work, many companies are operating solely in platforms like Microsoft Teams to stay connected, productive, and collaborative and keep their businesses moving forward. However, the move to remote work only amplifies the need for security, privacy, and compliance. We built Teams with that in mind. Data in Teams is encrypted at rest and in transit, and Teams uses the Secure Real-time Transport Protocol (SRTP) for video, audio, and desktop sharing.

Last month, we shared that there are also several tools that help you remain in control and protect sensitive documents and data in Microsoft 365. For example, you can restrict Teams experiences for guests and people outside of your organization. You can also govern the apps to which each user has access. Setting up DLP policies in Teams can protect your data and take specific actions when sensitive information is shared.
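The two controls described above for scaling labeling (auto-classification in OneDrive, SharePoint, and Exchange) and for protecting Teams (a DLP policy that acts when sensitive information is shared) are both configured from Security & Compliance PowerShell. The script below is an added example written for this page; it is not code from the original post or from Microsoft. It assumes the ExchangeOnlineManagement module is installed, that the account has the Compliance Administrator role, that a published sensitivity label named "Confidential" already exists, and that the policy and rule names are placeholders you would replace. Both policies are created in simulation (test) mode first so that matches can be reviewed before anything is enforced; the built-in "Credit Card Number" sensitive information type is used only as a sample condition.

```powershell
# Added example (not from the original post): auto-labeling policy plus a
# Teams-scoped DLP policy via Security & Compliance PowerShell.
# Assumptions: ExchangeOnlineManagement module installed; a published label
# named "Confidential" exists; policy/rule names below are placeholders.

Import-Module ExchangeOnlineManagement
Connect-IPPSSession   # interactive sign-in to the Security & Compliance endpoint

# Built-in sensitive information type used as the sample condition.
# minCount = 1 means a single match is enough to trigger the rule.
$creditCard = @{ Name = "Credit Card Number"; minCount = "1" }

# --- 1. Auto-labeling at scale: OneDrive, SharePoint, and Exchange in transit ---
# TestWithoutNotifications = simulation only; nothing is labeled yet.
New-AutoSensitivityLabelPolicy -Name "Auto-Confidential-PCI" `
    -ApplySensitivityLabel "Confidential" `
    -SharePointLocation All -OneDriveLocation All -ExchangeLocation All `
    -Mode TestWithoutNotifications `
    -Comment "Auto-apply Confidential where payment card numbers are found"

New-AutoSensitivityLabelRule -Name "Auto-Confidential-PCI-Rule" `
    -Policy "Auto-Confidential-PCI" `
    -Workload SharePoint,OneDriveForBusiness,Exchange `
    -ContentContainsSensitiveInformation $creditCard

# --- 2. DLP for Teams chat and channel messages ---
# TestWithNotifications shows policy tips to users but does not block yet.
New-DlpCompliancePolicy -Name "Teams-Block-CardNumbers" `
    -TeamsLocation All `
    -Mode TestWithNotifications `
    -Comment "Block card numbers shared with people outside the organization in Teams"

New-DlpComplianceRule -Name "Teams-Block-CardNumbers-Rule" `
    -Policy "Teams-Block-CardNumbers" `
    -ContentContainsSensitiveInformation $creditCard `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner `
    -NotifyPolicyTipCustomText "This message contains a payment card number and was blocked."

# --- 3. Verify the objects exist and are still in test mode ---
Get-AutoSensitivityLabelPolicy -Identity "Auto-Confidential-PCI" |
    Format-List Name, Mode, SharePointLocation, OneDriveLocation, ExchangeLocation
Get-DlpCompliancePolicy -Identity "Teams-Block-CardNumbers" |
    Format-List Name, Mode, TeamsLocation

# After reviewing simulation results in the compliance center, enforce:
# Set-AutoSensitivityLabelPolicy -Identity "Auto-Confidential-PCI" -Mode Enable
# Set-DlpCompliancePolicy       -Identity "Teams-Block-CardNumbers" -Mode Enable
```

Two practitioner caveats: auto-labeling policies only apply labels to items that are not already labeled, so they do not downgrade an existing classification, and scoping the Teams rule with `-AccessScope NotInOrganization` limits blocking to content shared with guests or external participants, which keeps the rule from interrupting purely internal conversations. Confirm cmdlet parameters against the current module documentation before running in a production tenant, since parameter names have changed between module releases.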

There’s so much more. Read the Microsoft 365 blog for details.

Managing insider risk and maintaining your culture

We also know that stressful events increase the likelihood of insider risks, such as data leaks, IP theft, or harassment. Insider Risk Management looks at activity from across Microsoft 365, including Teams, to identify potentially suspicious activity early.

Communication Compliance, part of the new Insider Risk Management solution set in Microsoft 365, uses machine learning to quickly identify and act on code-of-conduct policy violations in company communication channels, including Teams. Communication Compliance reasons over language used in Teams, and now also Yammer, that may indicate threats of harm to oneself or others. Detecting this type of language in a timely manner not only minimizes the impact of internal risk but can also help to support employee mental health in uncertain times like these.

Commitment to continued investment

This new remote work world makes data protection, governance, and security arguably more important than ever. We continue to innovate across Microsoft 365 Compliance to ensure you have the tools you need to help keep your data safe while addressing compliance and proper risk management.

The post What’s new in Microsoft 365 Compliance and Risk Management appeared first on Microsoft Security.


NERC CIP Compliance in Azure vs. Azure Government cloud

April 20th, 2020

As discussed in my last blog post on North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) Compliance in Azure, U.S. and Canadian utilities are now free to benefit from cloud computing in Azure for many NERC CIP workloads. Machine learning, multiple data replicas across fault domains, active failover, quick deployment, and pay-for-use pricing are now available for these NERC CIP workloads.

Good candidates include a range of predictive maintenance, asset management, planning, modelling and historian systems as well as evidence collection systems for NERC CIP compliance itself.

It is often asked whether a utility must use Azure Government Cloud (“Azure Gov”) rather than Azure public cloud (“Azure”) to host its NERC CIP compliant workloads. The short answer is that both are options. There are several factors that bear on the choice.

U.S. utilities can use Azure and Azure Gov for NERC CIP workloads. Canadian utilities can use Azure.

There are some important differences that should be understood when choosing an Azure cloud for deployment.

Azure and Azure Gov are separate clouds, physically isolated from each other. They both offer U.S. regions. All data replication for both can be kept within the U.S.

Azure also offers two Canadian regions, one in Ontario and one in Quebec, with data stored exclusively in Canada.

Azure Gov is only available to verified U.S. federal, state, and local government entities, some partners and contractors. It has four regions: Virginia, Iowa, Arizona and Texas. Azure Gov is available to U.S.-based NERC Registered Entities.

We are working toward feature parity between Azure and Azure Gov. A comparison is provided here.

The security controls are the same for Azure and Azure Gov clouds. All U.S. Azure regions are now approved for FedRAMP High impact level.

Azure Gov provides additional assurances regarding U.S. government-specific background screening requirements. One of these is verification that Azure Gov operations personnel with potential access to Customer Data are U.S. persons. Azure Gov can also support customers subject to certain export controls laws and regulations. While not a NERC CIP requirement, this can impact U.S. utility customers.


Under NERC CIP-004, utilities are required to conduct background checks.

Microsoft U.S. Employee Background Screening

Microsoft’s background checks for both Azure and Azure Gov exceed the requirements of CIP-004.

NERC is not prescriptive on the background check that a utility must conduct as part of its compliance policies.

A utility may have a U.S. citizenship requirement as part of its CIP-004 compliance policy which covers both its own staff and the operators of its cloud infrastructure. Thus, if a utility needs U.S. citizens operating its Microsoft cloud in order to meet its own CIP-004 compliance standards, it can use Azure Gov for this purpose.

A utility may have nuclear assets that subject it to U.S. Department of Energy export control requirements (DOE 10 CFR Part 810) on Unclassified Controlled Nuclear Information. This rule covers more than the export of nuclear technology outside the United States; it also covers the transmission of protected information or technology to foreign persons inside the U.S. (e.g., employees of the utility and employees of the utility’s cloud provider).

Since access to protected information could be necessary to resolve a support request, this should be considered if the customer has DOE export control obligations. Though the NERC assets themselves may be non-nuclear, the utility’s policy set may extend to its entire fleet and workforce regardless of generation technology. Azure Gov, whose operations personnel with potential access to Customer Data are verified U.S. persons (as noted above), would facilitate this requirement.

Azure makes the operational advantages, increased security and cost savings of the cloud available for many NERC CIP workloads. Microsoft provides Azure and Azure Gov clouds for our customers’ specific needs. Microsoft continues its work with regulators to make our cloud available for more workloads, including those requiring compliance with NERC CIP standards. The utility (Registered Entity) is ultimately responsible for NERC CIP compliance, and Microsoft continues to work with customers and partners to simplify the efforts to prepare for audits.

Thanks to Larry Cochrane and Stevan Vidich for their leadership on Microsoft’s NERC CIP compliance viewpoint and architecture. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity. To learn more about our Security solutions visit our website.


(c) 2020 Microsoft Corporation. All rights reserved. This document is provided “as-is.” Information and views expressed in this document, including URL and other Internet Web site references, may change without notice. You bear the risk of using it. This document is not intended to communicate legal advice or a legal or regulatory compliance opinion. Each customer’s situation is unique, and legal and regulatory compliance should be assessed in consultation with their legal counsel.

The post NERC CIP Compliance in Azure vs. Azure Government cloud appeared first on Microsoft Security.