Swedish Windows Security User Group

Organizations need to protect their sensitive data including intellectual property, trade secrets, customer data, and personally identifiable information from both insiders and external cyber attackers. In fact, 80 percent of organizations experience more than one data breach in their lifetime.¹ With global, industry, and national-level regulations, the need to protect sensitive data and prevent data exfiltration has never been more urgent than it is now.

To help our customers navigate this complex data landscape, we are focused on delivering secure, intelligent, and user-centric solutions that provide visibility, reduce complexity, and mitigate risk. Over the past few years, we significantly increased our investment in building our Microsoft Purview data security capabilities across our information protection, data loss prevention (DLP), and insider risk management solutions, as well as our privacy solution: Microsoft Priva. A few recent capabilities are advanced ready-to-use machine learning-enabled classifiers, Adaptive Protection, a DLP migration assistant tool (on-premises DLP to cloud-native DLP), and right to be forgotten for Microsoft Priva Subject Rights Requests.

I am delighted to announce that Forrester listed Microsoft as a Leader in its  2023 Wave for Data Security Platforms. The Forrester Wave report evaluates the data security platform market and provides a detailed overview of the current offering, strategy, and market presence of these vendors. Microsoft received the highest possible score in the current offering category for data classification, data threat and risk visibility, data masking or redaction, encryption, rights management, privacy use cases, and integrations for Zero Trust criteria; and in the strategy category for the product vision, execution roadmap, and community engagement criteria.  

We believe our investments in advanced classification technology, data threats and risk visibility, rights management, and privacy resulted in this recognition.

The Forrester report also acknowledges: “Microsoft shines with its ecosystem approach—if you go all in,” wrote Heidi Shey, Forrester Principal Analyst, in the report. “Microsoft Purview brings together capabilities to 1. understand and govern data; 2. safeguard data; and 3. improve risk and compliance posture. But Microsoft’s security capabilities go beyond Microsoft Purview. By design, the entire Microsoft ecosystem working together multiplies its value via telemetry from across the environment.” She added, “The power of Microsoft’s telemetry is evident in its capabilities for identifying data threats and risk visibility. These offer strong controls for data masking, encryption, and rights management.”

Our work isn’t stopping there, however. We continue to work closely with our customers to gather feedback to help us build better products. Your input provides critical insights as we strive to create solutions to help you on your data security journey.

Learn more

Read this complimentary copy of The Forrester Wave: Data Security Platforms, Q1 2023 for the analysis behind Microsoft’s position as a Leader.

Read more about Microsoft’s recognition as a leader in cloud security, email security, security analytics, and more:

• Forrester names Microsoft a Leader in 2022 Enterprise Detection and Response Wave report.
• Forrester names Microsoft a Leader in Q4 2022 Security Analytics Platforms Wave report
• Microsoft achieves a Leader placement in Forrester Wave for XDR, Q4 2021.
• Forrester names Microsoft a Leader in The Forrester Wave: Cloud Security Gateways, Q2 2021.
• Forrester names Microsoft a Leader in the 2021 Enterprise Email Security Wave.
• Microsoft is a Leader in the 2021 Forrester Endpoint Security Software as a Service Wave.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and Twitter (@MSFTSecurity) for the latest news and updates on cybersecurity.

---

¹Cost of a Data Breach Report 2022, IBM. 2022.

The Forrester Wave is copyrighted by Forrester Research, Inc. Forrester and Forrester Wave are trademarks of Forrester Research, Inc. The Forrester Wave is a graphical representation of Forrester’s call on a market and is plotted using a detailed spreadsheet with exposed scores, weightings, and comments. Forrester does not endorse any vendor, product, or service depicted in the Forrester Wave. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change.

The post Microsoft recognized as a Leader in The Forrester Wave™: Data Security Platforms, Q1 2023 appeared first on Microsoft Security Blog.

Today, Microsoft announced the successful completion of the Cloud Data Management Capabilities (CDMC) 14 Key Controls and Automations certification, conducted by Accenture and Avanade, accelerating the industry’s move to the cloud. The 14 Key Controls and Automations are a part of the EDM Council’s Cloud Data Management Capabilities framework formulated as a best practice to help all industries accelerate the migration of sensitive and non-sensitive data to the cloud with confidence. This certification demonstrates Microsoft’s commitment to providing comprehensive CDMC cloud data management automations and controls for protecting sensitive data to accelerate trusted cloud adoption.

When we first joined the EDM Council’s CDMC Work Group in May 2020, Microsoft was at the beginning of its journey building out what is now known as Microsoft Purview, our unified data governance and compliance solution. We joined over 300 industry data thought leaders with representation from the world’s largest banks and technology companies to identify a control standard to keep data safe. 

Every organization we have had the opportunity to engage with is looking to accelerate its use of data to drive its business outcomes. Best practices for how to govern data as it moves to and is born in the cloud were a constant area of discussion and need. This is why we were so excited to partner with the EDM Council and thought leaders around the globe to make data governance practice in the cloud simpler and more approachable, allowing everyone to derive more value from data.

“Across every industry, we’ve seen that clients who are capitalizing on data are driving innovation and competitive advantage. Avanade clients are transforming their business through data strategies and capabilities including data fabric, data mesh, and modern analytics and governance at scale. With the CDMC certification of Microsoft’s cloud platform, our clients will be able to leverage industry-leading governance best practices advanced by the EDM Council, and we will expand this to more organizations and achieve stronger business outcomes.”—Simon Thomas, Global Head of Data and AI, Avanade

The 14 Key Controls and Automations

Governance and accountability

1. Data Control Compliance must be monitored for all data assets containing sensitive data through metrics and automated notifications.
2. The Ownership field in a data catalog must be populated for all sensitive data or otherwise reported to a defined workflow.
3. A register of Authoritative Data Sources and Provisioning Points must be populated for all data assets containing sensitive data.
4. The Data Sovereignty and Cross-Border Movement of sensitive data must be recorded, auditable, and controlled according to defined policy.

Cataloging and classification

5. Cataloging must be automated for all data at the point of creation or ingestion, with consistency across all environments.
6. Classification must be automated for all data at the point of creation or ingestion and must always be on.

Accessibility and usage

7. Entitlements and Access for Sensitive Data must default to the creator and owner and access must be tracked for all sensitive data.
8. Data Consumption Purpose must be provided for all Data Sharing Agreements involving sensitive data.

Protection and privacy

9. Appropriate Security Controls must be enabled for sensitive data and evidence must be recorded.
10. Data Privacy Impact Assessments must be automatically triggered for all personal data according to its jurisdiction.

Data lifecycle

11. Data Quality Measurement must be enabled for sensitive data with metrics distributed when available.
12. Data Retention, Archiving, and Purging must be managed according to a defined retention schedule.

Data and technical architecture

13. Data Lineage information must be available for all sensitive data.
14. Cost Metrics directly associated with data use, storage, and movement must be available in the catalog.

In today’s environment, many organizations are looking to set the data foundation in place to quickly adhere to ever-changing regulatory requirements across multi-jurisdictions. They’re also looking for the confidence that data is properly protected no matter where it resides. Without having the foundational layer in place, analytics and AI will not deliver trusted insights. This milestone for the industry allows organizations to balance their offensive and defensive position when it comes to generating value from their data and meeting compliance standards.

“The Cloud Data Management Capabilities framework represents the best practices in data on cloud from a huge number of financial services companies and other leading data practitioners from across other industry groups. It is great to see Microsoft natively certifying their platform against CDMC key controls, automating the most important capabilities in data management, which will help accelerate adoption of cloud services. We are excited by their continuing contributions to extend CDMC into new areas this year.”—Oli Bage, Co-chair of CDMC Work Group and Head of Architecture for Data and Analytics, London Stock Exchange Group

“Microsoft’s certification of the CDMC 14 Automated Key Controls is an impressive accomplishment because it marks the completion of a comprehensive, in-depth confirmation of their cloud leadership. Having its cloud platform independently certified will give Microsoft’s clients even greater confidence in accelerating their own adoption of cloud and hybrid-cloud strategies with the assurance that their data is controlled and protected.”—John Bottega, President, EDM Council

Microsoft’s certification allows client companies across all sectors to implement best practices within their own operational environments and ensure that the 14 Key Controls will protect their sensitive data cross-jurisdiction and speed their own certification against the CDMC Key Controls.

About Avanade

Avanade is the leading provider of innovative digital, cloud and advisory services, industry solutions, and design-led experiences across the Microsoft ecosystem. Every day, their 60,000 professionals in 26 countries make a genuine human impact on clients, employees, and customers.

They have been recognized, together with their parent, Accenture, as Microsoft Global SI Partner of the Year more than any other company. With the most Microsoft certifications (60,000 plus) and 18 (out of 18) Gold-level Microsoft competencies, they are uniquely positioned to help businesses grow and solve their toughest challenges.

They are a people-first company, committed to providing an inclusive workplace where employees feel comfortable being their authentic selves. As a responsible business, they are building a sustainable world and helping young people from underrepresented communities fulfill their potential.

Majority owned by Accenture, Avanade was founded in 2000 by Accenture LLP and Microsoft Corporation. Learn more about Avanade.

About EDM Council

EDM Council is the global association created to elevate the practice of data management and analytics as a business and operational priority. The Council is the leading global advocate for the development and implementation of data standards, best practices, and comprehensive training and certification programs. With over 350 organizations from the Americas, Europe, the Middle East, Africa, and Asia, and over 25,000 data management professionals as members, the EDM Council provides a venue for data professionals to interact, communicate, and collaborate on the challenges and advances in data management and analytics as critical organizational functions. For more, visit the EDM Council.

Learn more

1. Get started accelerating your cloud data program with a CDMC Assessment and learn more about Microsoft Purview, our unified data governance platform.
2. You can also discover best practices for cloud data management from the EDM Council’s CDMC framework, including a free download.
3. For more information, read about how Microsoft’s data transformation journey, best practices, and CDMC partnership Whitepaper on the CDO Seat at the Cloud Table.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and Twitter (@MSFTSecurity) for the latest news and updates on cybersecurity.

The post Microsoft achieves first native Cloud Data Management Capabilities certification appeared first on Microsoft Security Blog.

We’re living in a seismic era for data security. Chief information security officers (CISOs) have to contend with a digital landscape that seems to shift daily as more organizations move to remote and hybrid work, redrawing the boundaries for how data is used and shared. The cloud has enabled continuous collaboration, with employees creating and sharing documents easily through chat and email. This unbounded digital estate has also created new opportunities for data exfiltration, and that possibility has many organizations rethinking their approach to data loss prevention (DLP).

Forward-thinking organizations are seeking to future-proof their DLP strategy with a comprehensive solution that scales across all applications, services, endpoints, and platforms. To help those that may be considering a DLP migration, Microsoft spoke to more than 300 data and compliance professionals to create the white paper “Data Loss Prevention: From on-premises to cloud.” We’ve presented some of the study’s highlights here, including common DLP states in use, challenges in migrating to a new DLP solution, best practices, and the benefits of adopting a cloud-native DLP solution.

“Data is not confined in a certain area. In today’s environment, it’s everywhere: someone else’s phone, tablet, data center, or software as a service application—because of that, you definitely see a lot more breaches happening.”

—Vice President, Information Security Officer, Financial Services

The stages of DLP deployment

We can define DLP as the people, processes, and technology that ensure data is not lost, misused, or accessed by unauthorized users. Our research revealed that 70 percent of companies see their DLP solution as a focal point of their overall data protection strategy. For that reason, a good DLP solution uses a holistic approach to protect the organization’s data assets, aid regulatory compliance, and prevent data leakage by monitoring all endpoints, apps, services, and the cloud—anywhere data is stored or shared. Most respondents said their ideal solution would be cloud-native DLP, which could provide scalability and flexibility, balancing protection and productivity.

An organization’s DLP can exist in five different stages with regard to deployment, starting from 100 percent on-premises (obsolete) and moving to 100 percent cloud-native (ideal). For this study, we focused on the three stages in the middle that involve some level of cloud deployment.

1. On-premises—anchored: In this stage, an organization’s DLP is roughly 40 percent cloud and 60 percent on-premises. These organizations often have concerns about cloud migration, whether because of misconceptions or real difficulties related to migrating a larger amount of on-premises data. They tend to be highly focused on maintaining their current infrastructure and managing device agents through on-premises DLP solutions. This stage is the costliest in terms of staff hours and infrastructure required. Organizations at this stage also report the lowest level of perceived success and confidence in their current DLP program.
2. Hybrid: Looking to push their program forward, these organizations currently have amostly equal split between on-premises and cloud DLP. They see their biggest challenges around custom integrations and tend to evaluate new DLP solutions annually, seeking improvements in scalability, flexibility, and accuracy. They expend a lot of effort stitching together and managing multiple DLP solutions to support their hybrid data environments.
3. Cloud-focused: These organizations are farthest along in their migration plans—60 percent cloud and 40 percent on-premises—and have the highest level of confidence and perceived success in their DLP program. Their goal is to improve visibility into their data, and they tend to evaluate new DLP solutions at a slower rate (every two to three years). They also experience fewer challenges with their current DLP programs and have a clearer understanding of their data. Their main challenge lies in ensuring that employees are following DLP policies for handling sensitive data.

Overall, the study found that organizations in on-premises-anchored states are experiencing the most discomfort. Hybrid organizations report feeling like they’re in a holding pattern, spending time and effort maintaining complex integrations and multiple DLP solutions across data environments. Fifty-nine percent of organizations with a hybrid DLP configuration report a desire to move to a cloud DLP solution.

The goal—cloud-native DLP: Beyond the cloud-focused stage, this is the desired destination. At this point, an organization’s DLP solution is fully cloud-native and the firm can benefit from scalable, holistic data protection across applications, services, endpoints, and platforms—all without hindering productivity or adding staff.

“It doesn’t make sense to maintain two or three different solutions because then you have to keep them updated, you have to make sure that there’s not a whole lot of difference between one, two, and three. So, you want to create the benefits and the economic savings of standardization. That’s why consolidation is critical.”

—Director, Technology Services

Benefits of leveraging a cloud-native DLP solution

In migrating your DLP solution, there are two options: a cloud-based or a cloud-native DLP solution. Both types will require the recreation of legacy policies, so how can you decide which solution better suits your organization?

• Cloud-based: This type of DLP solution integrates with your existing cloud and on-premises environments but isn’t natively built in the cloud environment or productivity suite. Therefore, it relies on installing and updating agents and custom integrations. Many cloud-based DLP solutions start on-premises and evolve into the cloud.
• Cloud-native: These DLP solutions are built in the cloud from the start. Meaning, this type of data protection already exists in a scalable, holistic environment. Cloud-native DLP is built into the cloud environment and productivity suite by the cloud and collaboration tools provider.

Organizations that use a cloud DLP solution were twice as likely to say that cloud-native DLP solutions are easier to scale and provide a better balance of data protection and productivity. A cloud-native solution can also help reduce costs by eliminating the need for agents, infrastructure, or custom integrations while replacing inefficient silos and patchwork solutions that can create vulnerabilities. Organizations may also see improved performance because the data has to make fewer hops, enabling greater productivity.

As a cloud-native DLP solution, Microsoft Purview Data Loss Prevention provides all of the above benefits, with the added power of Adaptive Protection to help apply DLP policies dynamically based on users’ risk levels. By leveraging machine learning in Microsoft Purview Insider Risk Management, Adaptive Protection can understand how users are interacting with data, assign risk levels, and automatically tailor DLP controls. This enables DLP policies to become dynamic, ensuring that the strictest policies—such as blocking data sharing—are applied only to high-risk users. Microsoft Purview Data Loss Prevention does all this automatically wherever data is accessed or shared, so you can protect more data (with less).

Key challenges of migrating to a DLP solution

To better understand the barriers keeping companies from moving to cloud-native DLP, the study looked at the on-premises-anchored respondents, who are nearly twice as likely to cite apprehension about the unknown as a barrier to migration. We found five common themes reported as challenges preventing their DLP cloud migration:

1. Dealing with the unknown: Reasons for being apprehensive about a cloud migration broke down predictably across roles. C-suite executives worried about the cost of a DLP migration, while IT administrators reported feeling uneasy about the perceived time and resources required. IT managers were uncertain about the unknowns of a new DLP solution, which potentially makes them hesitant to promote a cloud-based DLP solution when the one they’ve been using is still working (even if performance is unsatisfactory).
2. Funding the DLP migration: Nearly 60 percent of organizations surveyed reported cost as a top barrier to migration. With organizations in the on-premises–anchored category, the figure rose to 70 percent. It’s appropriate for a business to consider costs first; however, upfront migration costs are often mitigated by reduced infrastructure and maintenance costs down the road. And with fewer IT professionals required to protect data, those resources can be leveraged elsewhere.
3. Complexity of the problem: According to the study, on-premises-anchored organizations experience the highest levels of discomfort around DLP migration, with 73 percent naming it a top concern. Likewise, half of hybrid and cloud-focused companies who’ve gone through some of the migration process also stressed the high impact of data transformation. Nearly 50 percent of all organizations report that the challenge of re-engineering and recreating policies is preventing them from taking the next step.
4. Balancing protection and productivity: Nearly half (48 percent) of on-premises-anchored organizations say DLP gets in the way of productivity, whereas cloud-focused companies show the least concern about productivity impacts. On-premises–anchored organizations are also more likely (58 percent) than hybrid or cloud-focused companies to run their DLP solutions in audit-only mode, due to the perceived impact that blocking mode may have on productivity. However, because of access to more granular controls, cloud-focused organizations have greater control over where data exfiltration is likely to happen—striking the right balance.
5. Education of employees and administrators: On-premises-anchored companies face more challenges in educating employees on optimal data-handling practices, as well as educating administrators on better policy design. Cloud-focused and hybrid groups reported fewer challenges around education, viewing it as an important part of a holistic data-protection strategy. By prioritizing education, organizations can decrease data exfiltration risks and free up administrators to focus on other high-priority issues.

In an encouraging finding, respondents who’ve had experience migrating to a cloud-native solution report that the journey is not as difficult as others might imagine. Cloud-focused organizations were 46 percent less likely to say it’s risky to switch solutions. For the same firms, 60 percent were less likely to worry about losing control of their DLP program after migrating. They’re also 35 percent less likely to view recreating policies from their legacy DLP solutions as a major concern. In other words, migrating your DLP to a cloud-native solution isn’t as scary as it might seem.

Four best practices for migrating your DLP solution to the cloud

Moving to the cloud helps your organization future-proof its DLP solution, protecting your data across endpoints, clouds, and platforms with speed and scalability that on-premises solutions can’t match. By following a few guiding principles, your organization can achieve an effective DLP program that builds confidence and drives success.

1. Use a cloud-native DLP with a holistic approach: A robust DLP strategy emphasizes people, processes, and education in addition to technology. Look for a solution partner that offers integrations with other key elements of a holistic data-protection strategy, like the ability to classify and label data and address insider risks. Prioritize solutions that offer a trial period; this helps alleviate anxiety and convince reluctant stakeholders that a successful migration is within reach.
2. Recognize your apprehension so you can overcome it: Identify organizational challenges, then weigh those against the many benefits of migration, such as scalability and cost savings. Don’t let exaggerated worries hold your organization back from creating the efficient DLP solution it needs to maintain growth and respond to a changing data landscape.
3. Ensure security without compromising productivity: Striking the right balance between data protection and productivity is essential. Getting there requires a solution that allows for granular policy configuration, helping admins fine-tune policies to fit the way your organization accesses, shares, and stores data.
4.  Choose the right solution provider and take advantage of migration tools: A good solution provider understands the challenges of migration and offers tools that automatically convert policies from legacy solutions. This reduces manual work and helps reduce anxiety among stakeholders. A provider that offers documentation and support adds greater value.

For a small number of organizations, industry regulations, compliance, or budget constraints may prevent them from fully migrating to the cloud. However, our study concludes that the cloud-native state provides the ideal DLP approach for a majority of companies, with migration from the other stages as an inevitable progression.

Migrate to a cloud-native DLP solution—Microsoft is here to help

To learn more about migrating your DLP solution, make sure to download the complete study, Data Loss Prevention: From on-premises to cloud, containing 44 pages of valuable insights gathered from more than 300 DLP and compliance professionals. For an in-depth example of DLP migration complete with screenshots, check out this special how-to blog written by my colleague, Shilpa Bothra, Senior Product Marketing Manager for Microsoft Purview Data Loss Prevention: Easily migrate your Symantec DLP policies to Microsoft Purview Data Loss Prevention. And don’t forget to join us for the inaugural Microsoft Secure, March 28, 2023, where you can learn the latest cloud defense insights and be among the first to see the AI-powered future of cybersecurity.

Learn more about Microsoft Purview Data Loss Prevention.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and Twitter (@MSFTSecurity) for the latest news and updates on cybersecurity.

The post Gain flexibility and scale with a cloud-native DLP solution appeared first on Microsoft Security Blog.

This blog post is part of the Microsoft Intelligent Security Association guest blog series. Learn more about MISA. 

Data security and compliance are a top priority for leaders as cyberattacks are on the rise. In fact, attacks have increased by 32 percent in the past year, and 1 in 40 organizations has fallen victim to ransomware.¹ To protect high-value business documents such as partnership agreements, service contracts, and purchase orders, which are typically shared as PDFs, organizations require the best possible security, compliance, and information protection. This will ensure only the most important stakeholders can view, manage, and approve these important documents.

As more workflows become digitized, protecting information is becoming more crucial. To avoid these scenarios, a secure, unified workflow is needed. This allows IT and business leaders to control who can view and access digitized documents and data, ensuring they are stored securely and for the appropriate duration.

Figure 1. The “Select a Microsoft Sensitivity Label” available within the Protect tool in Adobe Acrobat.

Adobe is committed to security

Together with Microsoft, Adobe builds value by earning trust with their customers, who are counting on them to do the right thing when it comes to their data and their business. When Adobe engages with its customers, they have a responsibility to treat their data with care. Customers entrust Adobe with their data, and in exchange, they expect them to be world-class at securing it, governing it, and protecting it. Doing the right thing means taking a proactive approach to data protection—embedding security and compliance from the ground up.

Acrobat helps users enhance the security of confidential documents such as partnership agreements, service contracts, and purchase orders by offering the option to add passwords or utilize certificates. To learn more about the defense-in-depth approach and security procedures implemented by Adobe, read the whitepaper “Adobe Acrobat with Document Cloud Services Security Overview.”²

Together Microsoft and Adobe care about customers’ data security

Adobe and Microsoft, as trusted providers of business solutions used by millions, are joining forces to bring unparalleled modern work experiences to customers globally. Adobe is combining the innovations of Adobe Document Cloud and Microsoft Cloud to make the modern, secure, connected, and hybrid workplace a reality.

Microsoft Purview Information Protection helps organizations discover, identify, classify, and protect sensitive data that is business critical, then manage and protect it across their digital estate. Adobe, together with Microsoft, introduced new functionality at Microsoft Ignite in October 2022 that brings the same classification, labeling, and protection already available to Microsoft Word documents, Excel spreadsheets, and PowerPoint presentations to the PDF file format through Acrobat Desktop.³

Organizations using Microsoft Purview Information Protection can now apply and edit sensitivity labels and policies to PDFs using the latest versions of Acrobat Pro or Standard (version 22.003.20258 or later) without needing a separate plug-in or installation. Acrobat leverages the Microsoft Purview Information Protection SDK to make the user experience intuitive, considering finer details such as label descriptions, embedded content markings, and justification logic. Along with manual labels, Acrobat also supports default labeling, mandatory labeling, and user-defined permissions for customized access.

Figure 2. See the benefit of the integration for a company that shares labeled PDFs with external organizations. This integration reduces time to value and improves productivity.

Consider a company that works with various external clients. If they share a labeled PDF with these external clients, and those clients don’t have the right plug-in installed to open and view the PDF, it may take days before their IT admin responds to their request. This may cause them to try risky alternative approaches to open the PDF. With this integration, as illustrated in Figure 2, the external client that has Microsoft Purview Information Protection for Acrobat enabled by their IT admin will be able to view the document without needing to download a plug-in. Similarly, applying a label previously required an older information protection client and then opening the PDF in an information protection-supported PDF viewer. Now, these actions can be done from within Acrobat Pro or Standard desktop versions directly.

How the Microsoft and Acrobat integration works

For Acrobat Pro or Standard users with a Microsoft 365 E3 or higher subscription, information protection can be accessed within Adobe Acrobat through the Protect tool. A sensitivity label can be applied using the “Select a Microsoft Sensitivity label” option. The sensitivity label dialog box displays a list of labels already configured in the Microsoft Purview Compliance Portal, ensuring consistency across Microsoft 365 apps and Acrobat. Each sensitivity label can include headers, footers, and watermarks to visually indicate the applied label. Check out this video for a demonstration of how to add a label.

An IT administrator can enable this feature for your organization. Consult the Microsoft Purview Information Protection support in Acrobat installation instructions for help. To gain further knowledge on how to secure PDFs and mitigate risk with Microsoft Purview Information Protection, watch this on-demand webinar.

Who benefits from this Microsoft and Adobe Acrobat integration?

The integration of information protection labeling in Adobe Acrobat has proven valuable for customers in regulated industries, such as government, healthcare, and financial services, as well as in departments such as legal, HR, finance, and procurement. This integration provides a heightened level of data security, which is highly valued by chief information security officers.

What is Adobe excited for next?

Protecting customers’ digital assets is Adobe’s top priority, and they believe this integration is a game-changing and essential feature. This journey started in 2018 with Adobe Acrobat and Reader apps supporting consistent viewing of PDFs protected by Microsoft Purview Information Protection. Adobe is now adding the ability to apply and edit Microsoft sensitivity labels to PDFs natively in the Acrobat desktop version, with plans to support information protection use cases for PDFs (viewing, labeling, and persistent protection during export workflows) on mobile and web platforms in the future.

About Adobe

Adobe Document Cloud helps turn manual document processes into efficient digital ones with the world’s leading PDF and e-signature solutions. Learn more about Acrobat support for Microsoft Purview Information Protection.

Learn more

To learn more about the Microsoft Intelligent Security Association (MISA), visit the website where you can learn about the MISA program, product integrations, and find MISA members. Visit the video playlist to learn about the strength of member integrations with Microsoft products.  

Learn more about Microsoft Purview Information Protection.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and Twitter (@MSFTSecurity) for the latest news and updates on cybersecurity.

---

¹Check Point Research: Weekly Cyber Attacks increased by 32% Year-Over-Year; 1 out of 40 organizations impacted by Ransomware, Check Point blog. July 26, 2022.

²Adobe Acrobat with Document Cloud Services Security Overview, Adobe. 2022.

³A simple approach to data protection, Microsoft. October 13, 2022.

The post Get integrated Microsoft Purview Information Protection in Adobe Acrobat—now available appeared first on Microsoft Security Blog.

In my practice as a Microsoft Global Black Belt, I focus on the technical and business enablement aspects of protecting organizations from cyber threats with tools like Microsoft 365 Defender, Microsoft Purview and Microsoft Sentinel. In my role as a board member for another publicly traded company, the conversation is about creating value for our shareholders and managing risks in alignment with our business goals. Compliance is an important risk. Shifting gears and having the right conversations with the right stakeholders is critical to being effective, whatever your role.

When I read the United States Securities and Exchange Commission (SEC) proposed rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies, I saw an opportunity for cybersecurity professionals to add value to their organizations and to further their conversations with the board of directors. The proposed rule is on the Office of Management and Budget’s regulatory calendar for April 2023.¹

The information disclosed by companies under this rule would be submitted in eXtensible Business Reporting Language (XBRL) to be made broadly available to market participants for comparison, filtering, and analysis.² This is important to the board from both a compliance and a shareholder value perspective. It’s an opportunity for a company to differentiate itself from competitors through its cultural and infrastructure investments in IT security.

Proposed SEC rule on cybersecurity risk management, strategy, governance, and incident disclosure

The March 9, 2022, SEC proposed rules³ for publicly traded companies supplement the SEC’s guidance of October 13, 2011,⁴ and February 26, 2018,⁵ regarding disclosure of cybersecurity breaches and incidents. It makes the requirements more comprehensive, including reporting on:

• Cybersecurity incidents and updating incidents previously reported.
• The company’s policies and procedures for detecting and dealing with cybersecurity risks.
• Oversight of cybersecurity governance by the board of directors.
• Management’s role and expertise in cybersecurity risk management, including policies, procedures, and strategy.
• Reporting on the board of director’s cybersecurity expertise.

This would require the board to become more aware of and involved in the company’s cyber risk posture. The chief information security officer (CISO) is best positioned to enable the board in this regard. The SEC guidance encourages the board to seat directors with cybersecurity expertise and perhaps stand up a cybersecurity committee.

Reporting of cybersecurity incidents

Reporting of cyber incidents including breaches is the focus of the existing SEC rules. The proposal expands this to require reporting within four business days of the date that the company determines it to be material. Included in the reporting is when the incident is discovered, if it is ongoing, the scope, if data was stolen or accessed, its effect on operations, and the status of remediation.

The scope of reportable incidents would be expanded to include those smaller incidents, which, in the aggregate, become material.

The term “material” is defined as whether a reasonable shareholder would consider it important, leaving some room for interpretation.

The proposal requires that the company update its reporting on an incident with any material changes in its quarterly or annual report.

This makes it all the more important that companies have tools in place to prevent attacks and minimize time to detection, like Microsoft 365 Defender and Microsoft Sentinel. They need to minimize the impact of a breach.⁶ A data breach may be reportable to regulators and customers or a minor incident dealt with by the security team. The company needs the tools, like Microsoft Purview Premium Audit, to know which.⁷ Without the right tools in place before the incident, a company may have to do more reporting to regulators and the marketplace than is necessary.

Disclosure of cybersecurity risk management, strategy, and governance

Companies would be required to disclose if they have a cybersecurity risk assessment program and to describe it. This includes how the company works with auditors, consultants, and other third parties.   

They would be required to describe how they protect, detect, and minimize the effects of cybersecurity incidents. They would describe their cybersecurity policies and procedures, including business continuity and disaster recovery. They would describe how they select, retain, and use third parties to enable these activities and also how cybersecurity considerations affect the selection of service providers. They would describe how past cybersecurity incidents have influenced these as lessons learned.

How the selection of partners, including cloud service providers, affects the company’s security posture would be communicated to the marketplace. The company needs information to assess this and ensure that the vendor is a good security partner throughout the relationship.

Microsoft provides the service trust portal to give our customers the third-party assessments and evidence they need to make informed decisions and to support them during assessments and audits. We provide information for Microsoft Azure, Microsoft Dynamics 365, and Microsoft 365 customers to help comply with a wide range of global, regional, industry, and government regulations with our Microsoft compliance offerings documentation.⁸ For customers to assess their compliance with more than 350 regulatory standards in Microsoft 365,⁹ we offer Microsoft Purview Compliance Manager.¹⁰ For Azure customers, Microsoft provides the Regulatory compliance dashboard in Microsoft Defender for Cloud, which also provides visibility into the compliance posture of non-Microsoft clouds.¹¹

Companies would be required to describe how cybersecurity incidents have or might in the future affect their operations and financial performance and how these risks are dealt with as part of the company’s business planning.

This aligns with corporate governance scoring that credits companies for the investment, planning, and expertise in IT security.¹² It provides an increased return on a company’s cultural and infrastructure investments in IT security.

Disclosure regarding governance and the board of director’s cybersecurity expertise

Companies would disclose their cybersecurity governance including a description of both how the board and how management provide oversight, assess, and manage cybersecurity risk. They would describe management’s cybersecurity expertise and role in cybersecurity for the company.

Companies would disclose each board member with cybersecurity expertise and describe it under the proposed rule. The proposed rule is not prescriptive as to what constitutes expertise. It provides some examples such as experience in information security, policy, architecture, engineering, incident response, certifications, or degrees.

This may encourage organizations to select directors with these skill sets. It may also encourage a company to stand up a cybersecurity committee within the board.

This will likely mean that the CISO will be enabled to advocate for the needs of the information security program, and communicate the security posture and plans to an informed audience. It may provide opportunities for cybersecurity professionals to serve on boards.

Microsoft can help security teams meet this opportunity

Whatever the final content of the SEC rule, it will be an opportunity for the CISO to increase and highlight the value of the IT security function. It will expand the scope of their communications with the board. It will supplement the business case for investment in IT security. By making information on a company’s cybersecurity posture and governance broadly available, stakeholders can make better-informed decisions about cyber risk. This helps transition IT security from a cost center to a business enabler where it belongs.

Learn more about Microsoft 365 Defender, Microsoft Purview and Microsoft Sentinel.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and Twitter (@MSFTSecurity) for the latest news and updates on cybersecurity.

---

¹Regulatory calendar, Office of Information and Regulatory Affairs. 2023.

²An Introduction to XBRL, XBRL.org.

3Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, SEC. March 9, 2022.

⁴CF Disclosure Guidance: Topic No. 2, SEC. October 13, 2011.

⁵Commission Statement and Guidance on Public Company Cybersecurity Disclosures, SEC. February 26, 2018.

⁶Privacy breaches: Using Microsoft 365 Advanced Audit and Advanced eDiscovery to minimize impact, Steve Vandenberg. January 6, 2021.

⁷Auditing solutions in Microsoft Purview, Microsoft Learn. February 21, 2023.

⁸Microsoft compliance offerings, Microsoft Learn.

⁹Compliance Manager templates list, Microsoft Learn. February 22, 2023.

¹⁰Microsoft Purview Compliance Manager, Microsoft Learn. February 22, 2023.

¹¹Customize the set of standards in your regulatory compliance dashboard, Microsoft Learn. February 8, 2023.

¹²IT security: An opportunity to raise corporate governance scores, Steve Vandenberg. August 8, 2022.

The post SEC cyber risk management rule—a security and compliance opportunity appeared first on Microsoft Security Blog.

What does it mean to be a multicloud organization? As the name implies, the term describes a model of cloud computing where an organization uses multiple clouds—two or more public clouds, private clouds, or a combination of public, private, and edge clouds—to distribute applications and services. Subscribing to multiple cloud vendors can help your business access best-of-breed solutions along with competitive pricing.

The downside? Using multiple cloud platforms can create inconsistent infrastructures that don’t scale across environments. This can lead to teams working in silos—bringing increased complexity, additional costs, network security gaps, and risks to business-critical applications and data. It’s not unheard of for some organizations to own 80 to 100 different security tools stitched across hybrid and multicloud environments, while still wondering: are we secure? In this blog, we’ll help you answer that question by detailing four qualities a multicloud data-protection solution should provide and how Microsoft Purview can help unify security, compliance, and data protection across your enterprise.

Multiple clouds require unified data protection

Enabling multicloud integration and automation at scale is essential for fostering a robust partner ecosystem. Since 89 percent of enterprise customers have moved to a multicloud environment, maintaining security across your expanding data estate is necessary.¹ Patchwork solutions can create vulnerabilities; whereas, a comprehensive solution is able to deliver seamless data protection and data governance across your entire digital estate.

Look for a multicloud security and data-protection solution that:

1. Unifies auto-discovery and protection of sensitive data. Your multicloud data-protection solution should provide comprehensive security and compliance tools that span both first- and third-party apps and services to include Personally Identifiable Information (PII), such as home addresses, date of birth, and Social Security Numbers. Look for features such as built-in sensitivity labeling within applications and services, including popup user notifications that help guide users on security best practices. These features help ensure all sensitive data is correctly classified and labeled so that files can’t be exfiltrated without proper permissions.

   A data-protection solution with rights management and automatic encryption of emails (and attachments), as well as co-authoring of encrypted documents, will help to ensure secure collaboration. Your multicloud security tool should be flexible enough to allow manual labeling of some sensitive files for leadership-only access (like mergers and acquisitions projects), while also enabling admins to automatically label and protect business files stored in Microsoft SharePoint or Microsoft Teams (like Confidential labels for Finance or HR records). This tool should also be able to scan and classify on-premises file shares, as well as cloud applications and services.

2. Protects sensitive files and documents from being exfiltrated to third-party applications and services. More than 40 percent of corporate data is dark.² Meaning, it’s not classified, protected, or governed. This invites risk in the form of sensitive data leakage, which can harm your reputation and, in the case of leaked PII, lead to costly litigation. Your multicloud security solution should be able to classify files and documents, apply sensitivity labels, provide sharing controls and file governance, and use near real-time data loss prevention policies to prevent data leakage across third-party apps.
3. Uses automated data discovery across structured and unstructured data. Every organization needs to be able to securely share data both internally and with partners and customers. That’s why your data protection solution needs to provide data scanning and classification for all types of assets across multicloud and on-premises environments. Metadata and descriptions of data assets should be integrated into a holistic map of your data estate. Atop this map, purpose-built apps can create environments for data discovery, access management, and insights about your data landscape.
4. Applies Zero Trust principles to your entire digital estate. This includes strong multifactor authentication to verify user identities, as well as ensuring all endpoints are in compliance. Your data-protection solution should also ensure that governance and compliance policies are built in, and continuous risk assessment and forensics capabilities are implemented. Other key functions should include classifying, labeling, and encrypting emails and documents, as well as adaptive access to software as a service (SaaS) applications and on-premises applications.

Integrate for comprehensive protection

Overcoming the siloed approach in a multicloud environment can be a challenge. However, the risks are too great to make do with ad-hoc, patchwork security solutions. Beyond PII, also at stake is your business’s intellectual property (IP), financial statements, organizational structures, employee contacts, and other information that could be targeted with ransomware, phishing, and password attacks.

Microsoft Purview’s information protection and governance capabilities help your organization address potential data vulnerabilities across a multicloud environment by integrating information protection and data lifecycle management, along with data loss prevention, insider risk management, and eDiscovery. Microsoft Purview’s data governance portal helps manage your entire data landscape—on-premises, multicloud, and SaaS—allowing you to create a comprehensive, up-to-date map of your data wherever it resides. This unified governance enables data curators and security admins to keep your data secure; all while empowering users to find the trustworthy data they need.

Microsoft Priva adds another layer of protection with privacy risk management, helping to identify data-privacy risks and automate mitigation wherever the data lives. To accommodate individuals making requests to review or manage their personal data about themselves, Microsoft Priva Subject Rights Requests includes the Microsoft Graph subject rights requests API. This powerful API helps your organization do more with less by automating searches across Microsoft Exchange, Microsoft OneDrive, SharePoint, or Teams.

And to protect the business-critical apps you rely on, Microsoft Defender for Cloud Apps helps you classify sensitive information using real-time controls that monitor data accessed across your multicloud environment. As a cloud access security broker (CASB), Defender for Cloud Apps blocks attacks against your apps using automated identity governance, and it integrates seamlessly with Microsoft Entra Permissions Management to root out and remediate permission risks.

Look for a built-in data protection solution

Any data-protection solution needs to address the four areas discussed—unified discovery and protection, protection against data exfiltration, control of unstructured data, and a foundation of Zero Trust—across hybrid and multicloud environments. Both Microsoft 365 and Microsoft Azure are purpose-built with Zero Trust as a core architectural principle. And with comprehensive, integrated solutions for information protection, data governance, risk management, and compliance, Microsoft Purview builds on all four pillars—so you can move forward, fearless.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

---

¹How Many Companies Use Cloud Computing in 2022? All You Need To Know, Jacquelyn Bulao, Tech Jury, November 26, 2022.

²Unlocking the hidden value of dark data, Maria Korolov, CIO. August 11, 2022.

The post 4 things to look for in a multicloud data protection solution appeared first on Microsoft Security Blog.

At Microsoft Security, we understand how challenging it is to protect your most important asset, your data, in today’s threat landscape. You’re faced with evolving challenges—from empowering employees for greater productivity to eliminating gaps in your infrastructure—all while trying to protect your data across a hybrid work environment. And in the current economic climate, getting maximum value from your existing security investments is paramount. That’s why, in the past year, we’ve further enhanced our data protection and data governance products to better fit your needs. The results include two integrated and powerful solutions: Microsoft Purview and Microsoft Priva.

At this year’s Microsoft Ignite event, I co-hosted a special presentation on how your security and compliance teams can better manage risk, govern your data (wherever it resides), and maintain compliance. We also shared new product updates and insights to help your team get the most from your Microsoft security investments, as well as announced an exciting new capability that integrates Microsoft Purview natively within Adobe Acrobat. This type of extensible, multicloud, and multiplatform protection allows you to get more from the tools you already have. In this blog post, we’ll look at some of those scenarios where Microsoft Purview and Priva can help simplify data governance across your enterprise today.

New Adobe and Microsoft Purview integration delivers seamless security

Microsoft Purview’s mission is to help customers protect their entire data estate: that includes non-Microsoft environments as well. At this year’s Ignite presentation, we demonstrated a new capability that integrates Microsoft Purview Information Protection natively within the desktop version of Adobe Acrobat—accessible directly from the Protect tool. That means users now have the ability to apply and edit information-protection labels and policies directly to PDF documents. This integration brings the same classification, labeling, and protection already available in Microsoft Office file formats to PDF.

Over the next few months, we’ll continue to add new features that enhance support for PDFs in Acrobat add-ins, as well as for Acrobat Export PDF and mobile versions.

Streamlining data protection

Data is the lifeblood of your organization. It provides crucial insights that give your business a competitive advantage and empowers your employees to do more. For that reason, it’s critical to protect your data at every stage—from creation to storage—both from external threats and internal risks. That requires creating a layered defense strategy.

The first layer of defense: Discover and understand the sensitive data within your organization. You need to know where your data is, who’s accessing it, how it’s being shared and stored, and where it’s traveling. Considering that data storage is forecast to increase at a compound annual growth rate of 19.2 percent from 2020 to 2025, gaining complete visibility over your data estate is crucial.¹ At this first line of defense, Microsoft Purview Information Protection helps you classify and label your data across your entire data estate, both on-premises and in multicloud environments. By providing a single pane of glass to track and manage your data, Microsoft Purview helps to improve your team’s efficiency while tightening data protection.

Recent updates for Microsoft Purview Information Protection:

• Improvements in built-in features for Office that enhance visibility and encourage user adoption of sensitivity labels (such as the sensitivity label bar in Microsoft Word, Excel, PowerPoint, and Outlook; also, PDFs created in Office now inherit the source file’s sensitivity, encryption, and content marks).
• General availability: Co-authoring on documents protected with Microsoft Purview Information Protection is now generally available for Word, Excel, PowerPoint, and Office Mobile applications on Android and iOS devices.
• Preview: 42 new credentials for sensitive information that enable organizations to detect a wide range of digital authentication types (also known as “secrets”), such as user credentials, default passwords, and API and token access keys for Microsoft Azure, Amazon Web Services (AWS), and Google cloud resources.
• Preview: Server-side auto-labeling support for more than 24 new pre-trained, out-of-the-box classifiers that can be used to quickly discover and auto-classify more than 100 types of sensitive content in categories such as intellectual property (IP) and trade secrets, healthcare, operations, financial information, and HR-related information.

Lowering insider risk

Data breaches arising from insider actions are estimated to cost businesses an average of USD7.5 million annually. For that reason, it’s important to understand all data access and usage patterns within your organization. What does normal activity look like? Which types of activity should be flagged as risky? Understanding internal data usage can help protect against compliance violations and worse, including IP theft, insider trading, confidentiality violations, and other damaging outcomes.

The second layer of defense: Manage data security risks within your organization. Working in tandem with a holistic approach to managing internal risk, Microsoft Purview Insider Risk Management identifies potential risks and enables security teams to quickly take action. By bringing together the right people, processes, training, and tools, organizations that approach insider risk holistically are more likely to emphasize user privacy, foster collaboration, and use positive deterrents such as training and feedback loops as part of their data-protection strategy. The one-click analytics report allows you to generate aggregated, de-identified insights on risky activity over the past 48 hours—before you’ve even set up your first policy. Insights include the percentage of users who have performed exfiltration activities, such as downloading sensitive data, with an additional breakdown by activity type. To learn more about potential risks within your own organization, view the new Microsoft insider risk report.

All names in insider risk alerts are pseudonymized by default. This helps your data security team take a privacy-first approach. By clicking on a specific alert, you’ll be able to see a summary of all of the risk factors. Sequencing allows you to correlate across activities that involve the same files. This correlation can help your security team understand the possible intent behind the activities so you can reduce time to action. For example, you might see that just before a user submitted their resignation, they downloaded and exfiltrated confidential files, then deleted the files from their device to cover their tracks. Understanding this sequence of activities helps your security team decide when and how to take action.

Using sequences as triggers for your policies improves the signal quality of your alerts and focuses policy detection on users who have performed multiple-stage sequences. Priority Content Only Scoring, configurable in the policy wizard, empowers your team to focus policy detection on the most sensitive content. All of these insights help you better understand potential risks, so you can set up policies that meet the unique needs of your organization. With this information, analysts in your organization can take appropriate actions to help make sure users remain in compliance.

Recent updates for Microsoft Purview Insider Risk Management:

• Preview: Enhancements to triage and detection capabilities, including new abilities to customize a security trigger in the “data leaks” policy to surface when a user performs a sequence, to create policies with sequences without any other required underlying policy indicator selections, and fine-tune security policies directly from the alert review experience.
• Preview: Information type and trainable classifier exclusions, which means that actions related to file activities on the endpoint, SharePoint, Microsoft Teams, OneDrive, or Exchange will not generate alerts if the excluded sensitive information type or trainable classifier is matched with the content of the activity performed by the user.
• Preview: Ability to prioritize alerts for potential high-impact users with new risk booster score capabilities. Alerts for users found to have a potentially higher impact will have a higher priority alert in the dashboard, based on the frequency of accessing higher sensitivity content, like sensitive information types, labels, or priority content, compared with others in the organization, and if they are a leader in the organization based on Microsoft Azure Active Directory (Azure AD) configurations.

Protecting against data loss

The third layer of defense: Incorporate an integrated, in-depth approach to prevent data loss or unauthorized use. Among business leaders who responded to a 2021 survey, 62 percent felt that their companies should do more to protect customer data.² Microsoft Purview Data Loss Prevention (DLP) provides a balance between protection and productivity, ensuring the proper access controls are in place and policies are set to prevent actions such as improperly saving, storing, or printing sensitive data.  

Recent updates for Microsoft Purview Data Loss Prevention:

• Preview: Ability to create groups of printers, removable storage, network share path, and sensitive sites, as well as assign different restrictive actions to each group. As an example, you will be able to block the printing of sensitive information on all printer groups and allow printing on your corporate printers.  
• Preview: Ability to configure complex policy rules using “AND/OR/NOT” associations and create nested groups. 
• Preview: Visibility into contextual evidence, including sensitive content, surrounding characters, and other metadata on a DLP policy match on endpoint devices.
• Preview: Improvements in the speed of detecting and classifying sensitive content shared on Teams chat and channel messages to enforce DLP policies. 
• General availability: Ability to detect the presence of password-protected files on endpoint devices and configure specific restrictions for these files. 

These three components—Information Protection, Insider Risk Management, and Data Loss Prevention—form an integrated, holistic data-protection strategy that helps keep your organization’s data safe, wherever it lives.

Automating privacy

As more countries enact modern General Data Protection Regulation (GDPR) type regulations, consumers are demanding better controls over their data. This has spurred more organizations to move from a compliance-driven approach to privacy toward a more human-centric one. Toward that goal, Microsoft Priva currently offers two products to help manage privacy:

Privacy Risk Management helps organizations identify personal data and critical privacy risks and empowers employees to make smart data-handling decisions. With Priva, admins can configure a data minimization policy—automatically triggering an email to the data owner—so the person can review and delete unused files right from their Outlook inbox.

Subject Rights Requests help organizations manage requests at scale and respond with confidence. With the new pre-configured templates, admins can quickly create a data export request for a former employee. Once the data is collected, Priva can automatically detect files containing co-mingled personal data or confidential information; then admins can review and redact the data to avoid leakage. With the latest update, admins can now import files outside of Microsoft 365 to leverage this powerful review experience. Learn more about these new updates in this Priva Tech Community post.

Additional product updates

We’re also adding new features and capabilities within other product areas in our Microsoft Purview portfolio. These new features and enhancements will benefit your organization through granular eDiscovery, comprehensive audit controls, more effective data lifecycle management, and easier compliance.

Enhanced eDiscovery for the cloud

• Helping organizations meet their regulatory obligations for discovery, Microsoft Purview eDiscovery (Premium) now supports the ability to discover the exact version of a needed document, even when originally shared as a cloud attachment. This feature is currently available in preview.
• Drive efficiency across eDiscovery processes with improved usability and workflows. To learn more, read the eDiscovery blog post.

New search experience and security controls for Microsoft Purview Audit

• Improved search experience for Microsoft Purview Audit is now generally available and provides the following key improvements:
  • Search jobs continue to run, even if you close the browser.
  • Completed search jobs are now stored for 30 days, giving organizations the ability to reference and re-use historical audit searches.
  • Export up to half a million records in each search.
  • Each Purview Audit user can perform up to 10 concurrent search jobs at the same time.
• Given the sensitivity of Audit log data, many organizations want to add additional layers of protection to their data. Customer Key, coming soon to preview, allows organizations to use their own data encryption keys, giving them complete control over access to their data. To learn more, read the Advanced Audit blog post.

Microsoft Graph APIs and Power Automate workflows for Data Lifecycle Management

Microsoft Purview Data Lifecycle Management helps organizations manage the lifecycle of data. You can automatically retain, delete, and store data and records in a compliant manner. This solution delivers on our vision to protect and govern data wherever it lives. We have four exciting releases to tell you about:

• Power Automate integration helps you to customize lifecycle management workflows to meet your organization’s unique requirements. Now in preview. To learn more, read the Data Lifecycle Management blog.
• The ability to apply retention labels to files in Microsoft Teams enables users to apply retention and deletion settings where they do their work—in the Files tab of a Teams channel. Now generally available.
• Our new feature to find and retain cloud attachments helps admins undertaking investigations, as well as helping to meet financial services industry regulations. This feature keeps and associates the version of a file shared in a Teams message or email for later retrieval through eDiscovery (Premium). Now in preview.
• Microsoft Graph APIs for Records Management help organizations create new retention labels and manage event-based retention (now in beta). This release is our first round of APIs, with more coming in 2023.

Enhanced compliance and data residency

Microsoft Purview Compliance Manager helps organizations simplify compliance and reduce risk. It translates complex regulatory requirements into specific controls, allowing organizations to constantly assess, monitor, and improve their compliance posture—all while saving time and money. So, what’s new in Compliance Manager?

• New templates: Easily translate more than 350 regulations into tangible actions for your organization to improve its compliance posture.
• Continuous assessments: Last year we announced the ability to eliminate blind spots by adding continuous testing for technical controls. Today, we’re excited to share that we’ve added Microsoft Priva and App Governance as our newest first-party solutions.

More to come

I’d be remiss to not talk to you about some of the exciting capabilities we have coming up. For Microsoft Purview, you will start to see integrations across Microsoft 365 and Microsoft Azure to help increase the visibility of your data and easily automate data classification. For Microsoft Priva, you’ll soon see more multicloud privacy management capabilities that help you automate privacy controls and strengthen your privacy program. To learn more about potential risks within your own organization, read the new Microsoft insider risk report. Also, be sure to read Microsoft Security Corporate Vice President of Compliance, Identity, and Management Vasu Jakkal’s blog with highlights from her keynote address and insights into her vision for the Microsoft Security family of products and beyond.

Learn more

Learn more about Microsoft Purview and Microsoft Priva.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

---

¹Volume of data/information created, captured, copied, and consumed worldwide from 2010 to 2020, with forecasts from 2021 to 2025, Statista. September 8, 2022.

²Data privacy is a growing concern for more consumers, Lance Whitney. August 17, 2021.

The post How Microsoft Purview and Priva help simplify data protection appeared first on Microsoft Security Blog.

At Microsoft Security, we understand how challenging it is to protect your most important asset, your data, in today’s threat landscape. You’re faced with evolving challenges—from empowering employees for greater productivity to eliminating gaps in your infrastructure—all while trying to protect your data across a hybrid work environment. And in the current economic climate, getting maximum value from your existing security investments is paramount. That’s why, in the past year, we’ve further enhanced our data protection and data governance products to better fit your needs. The results include two integrated and powerful solutions: Microsoft Purview and Microsoft Priva.

At this year’s Microsoft Ignite event, I co-hosted a special presentation on how your security and compliance teams can better manage risk, govern your data (wherever it resides), and maintain compliance. We also shared new product updates and insights to help your team get the most from your Microsoft security investments, as well as announced an exciting new capability that integrates Microsoft Purview natively within Adobe Acrobat. This type of extensible, multicloud, and multiplatform protection allows you to get more from the tools you already have. In this blog post, we’ll look at some of those scenarios where Microsoft Purview and Priva can help simplify data governance across your enterprise today.

New Adobe and Microsoft Purview integration delivers seamless security

Microsoft Purview’s mission is to help customers protect their entire data estate: that includes non-Microsoft environments as well. At this year’s Ignite presentation, we demonstrated a new capability that integrates Microsoft Purview Information Protection natively within the desktop version of Adobe Acrobat—accessible directly from the Protect tool. That means users now have the ability to apply and edit information-protection labels and policies directly to PDF documents. This integration brings the same classification, labeling, and protection already available in Microsoft Office file formats to PDF.

Over the next few months, we’ll continue to add new features that enhance support for PDFs in Acrobat add-ins, as well as for Acrobat Export PDF and mobile versions.

Streamlining data protection

Data is the lifeblood of your organization. It provides crucial insights that give your business a competitive advantage and empowers your employees to do more. For that reason, it’s critical to protect your data at every stage—from creation to storage—both from external threats and internal risks. That requires creating a layered defense strategy.

The first layer of defense: Discover and understand the sensitive data within your organization. You need to know where your data is, who’s accessing it, how it’s being shared and stored, and where it’s traveling. Considering that data storage is forecast to increase at a compound annual growth rate of 19.2 percent from 2020 to 2025, gaining complete visibility over your data estate is crucial.¹ At this first line of defense, Microsoft Purview Information Protection helps you classify and label your data across your entire data estate, both on-premises and in multicloud environments. By providing a single pane of glass to track and manage your data, Microsoft Purview helps to improve your team’s efficiency while tightening data protection.

Recent updates for Microsoft Purview Information Protection:

• Improvements in built-in features for Office that enhance visibility and encourage user adoption of sensitivity labels (such as the sensitivity label bar in Microsoft Word, Excel, PowerPoint, and Outlook; also, PDFs created in Office now inherit the source file’s sensitivity, encryption, and content marks).
• General availability: Co-authoring on documents protected with Microsoft Purview Information Protection is now generally available for Word, Excel, PowerPoint, and Office Mobile applications on Android and iOS devices.
• Preview: 42 new credentials for sensitive information that enable organizations to detect a wide range of digital authentication types (also known as “secrets”), such as user credentials, default passwords, and API and token access keys for Microsoft Azure, Amazon Web Services (AWS), and Google cloud resources.
• Preview: Server-side auto-labeling support for more than 24 new pre-trained, out-of-the-box classifiers that can be used to quickly discover and auto-classify more than 100 types of sensitive content in categories such as intellectual property (IP) and trade secrets, healthcare, operations, financial information, and HR-related information.

Lowering insider risk

Data breaches arising from insider actions are estimated to cost businesses an average of USD7.5 million annually. For that reason, it’s important to understand all data access and usage patterns within your organization. What does normal activity look like? Which types of activity should be flagged as risky? Understanding internal data usage can help protect against compliance violations and worse, including IP theft, insider trading, confidentiality violations, and other damaging outcomes.

The second layer of defense: Manage data security risks within your organization. Working in tandem with a holistic approach to managing internal risk, Microsoft Purview Insider Risk Management identifies potential risks and enables security teams to quickly take action. By bringing together the right people, processes, training, and tools, organizations that approach insider risk holistically are more likely to emphasize user privacy, foster collaboration, and use positive deterrents such as training and feedback loops as part of their data-protection strategy. The one-click analytics report allows you to generate aggregated, de-identified insights on risky activity over the past 48 hours—before you’ve even set up your first policy. Insights include the percentage of users who have performed exfiltration activities, such as downloading sensitive data, with an additional breakdown by activity type. To learn more about potential risks within your own organization, view the new Microsoft insider risk report.

All names in insider risk alerts are pseudonymized by default. This helps your data security team take a privacy-first approach. By clicking on a specific alert, you’ll be able to see a summary of all of the risk factors. Sequencing allows you to correlate across activities that involve the same files. This correlation can help your security team understand the possible intent behind the activities so you can reduce time to action. For example, you might see that just before a user submitted their resignation, they downloaded and exfiltrated confidential files, then deleted the files from their device to cover their tracks. Understanding this sequence of activities helps your security team decide when and how to take action.

Using sequences as triggers for your policies improves the signal quality of your alerts and focuses policy detection on users who have performed multiple-stage sequences. Priority Content Only Scoring, configurable in the policy wizard, empowers your team to focus policy detection on the most sensitive content. All of these insights help you better understand potential risks, so you can set up policies that meet the unique needs of your organization. With this information, analysts in your organization can take appropriate actions to help make sure users remain in compliance.

Recent updates for Microsoft Purview Insider Risk Management:

• Preview: Enhancements to triage and detection capabilities, including new abilities to customize a security trigger in the “data leaks” policy to surface when a user performs a sequence, to create policies with sequences without any other required underlying policy indicator selections, and fine-tune security policies directly from the alert review experience.
• Preview: Information type and trainable classifier exclusions, which means that actions related to file activities on the endpoint, SharePoint, Microsoft Teams, OneDrive, or Exchange will not generate alerts if the excluded sensitive information type or trainable classifier is matched with the content of the activity performed by the user.
• Preview: Ability to prioritize alerts for potential high-impact users with new risk booster score capabilities. Alerts for users found to have a potentially higher impact will have a higher priority alert in the dashboard, based on the frequency of accessing higher sensitivity content, like sensitive information types, labels, or priority content, compared with others in the organization, and if they are a leader in the organization based on Microsoft Azure Active Directory (Azure AD) configurations.

Protecting against data loss

The third layer of defense: Incorporate an integrated, in-depth approach to prevent data loss or unauthorized use. Among business leaders who responded to a 2021 survey, 62 percent felt that their companies should do more to protect customer data.² Microsoft Purview Data Loss Prevention (DLP) provides a balance between protection and productivity, ensuring the proper access controls are in place and policies are set to prevent actions such as improperly saving, storing, or printing sensitive data.  

Recent updates for Microsoft Purview Data Loss Prevention:

• Preview: Ability to create groups of printers, removable storage, network share path, and sensitive sites, as well as assign different restrictive actions to each group. As an example, you will be able to block the printing of sensitive information on all printer groups and allow printing on your corporate printers.  
• Preview: Ability to configure complex policy rules using “AND/OR/NOT” associations and create nested groups. 
• Preview: Visibility into contextual evidence, including sensitive content, surrounding characters, and other metadata on a DLP policy match on endpoint devices.
• Preview: Improvements in the speed of detecting and classifying sensitive content shared on Teams chat and channel messages to enforce DLP policies. 
• General availability: Ability to detect the presence of password-protected files on endpoint devices and configure specific restrictions for these files. 

These three components—Information Protection, Insider Risk Management, and Data Loss Prevention—form an integrated, holistic data-protection strategy that helps keep your organization’s data safe, wherever it lives.

Automating privacy

As more countries enact modern General Data Protection Regulation (GDPR) type regulations, consumers are demanding better controls over their data. This has spurred more organizations to move from a compliance-driven approach to privacy toward a more human-centric one. Toward that goal, Microsoft Priva currently offers two products to help manage privacy:

Privacy Risk Management helps organizations identify personal data and critical privacy risks and empowers employees to make smart data-handling decisions. With Priva, admins can configure a data minimization policy—automatically triggering an email to the data owner—so the person can review and delete unused files right from their Outlook inbox.

Subject Rights Requests help organizations manage requests at scale and respond with confidence. With the new pre-configured templates, admins can quickly create a data export request for a former employee. Once the data is collected, Priva can automatically detect files containing co-mingled personal data or confidential information; then admins can review and redact the data to avoid leakage. With the latest update, admins can now import files outside of Microsoft 365 to leverage this powerful review experience. Learn more about these new updates in this Priva Tech Community post.

Additional product updates

We’re also adding new features and capabilities within other product areas in our Microsoft Purview portfolio. These new features and enhancements will benefit your organization through granular eDiscovery, comprehensive audit controls, more effective data lifecycle management, and easier compliance.

Enhanced eDiscovery for the cloud

• Helping organizations meet their regulatory obligations for discovery, Microsoft Purview eDiscovery (Premium) now supports the ability to discover the exact version of a needed document, even when originally shared as a cloud attachment. This feature is currently available in preview.
• Drive efficiency across eDiscovery processes with improved usability and workflows. To learn more, read the eDiscovery blog post.

New search experience and security controls for Microsoft Purview Audit

• Improved search experience for Microsoft Purview Audit is now generally available and provides the following key improvements:
  • Search jobs continue to run, even if you close the browser.
  • Completed search jobs are now stored for 30 days, giving organizations the ability to reference and re-use historical audit searches.
  • Export up to half a million records in each search.
  • Each Purview Audit user can perform up to 10 concurrent search jobs at the same time.
• Given the sensitivity of Audit log data, many organizations want to add additional layers of protection to their data. Customer Key, coming soon to preview, allows organizations to use their own data encryption keys, giving them complete control over access to their data. To learn more, read the Advanced Audit blog post.

Microsoft Graph APIs and Power Automate workflows for Data Lifecycle Management

Microsoft Purview Data Lifecycle Management helps organizations manage the lifecycle of data. You can automatically retain, delete, and store data and records in a compliant manner. This solution delivers on our vision to protect and govern data wherever it lives. We have four exciting releases to tell you about:

• Power Automate integration helps you to customize lifecycle management workflows to meet your organization’s unique requirements. Now in preview. To learn more, read the Data Lifecycle Management blog.
• The ability to apply retention labels to files in Microsoft Teams enables users to apply retention and deletion settings where they do their work—in the Files tab of a Teams channel. Now generally available.
• Our new feature to find and retain cloud attachments helps admins undertaking investigations, as well as helping to meet financial services industry regulations. This feature keeps and associates the version of a file shared in a Teams message or email for later retrieval through eDiscovery (Premium). Now in preview.
• Microsoft Graph APIs for Records Management help organizations create new retention labels and manage event-based retention (now in beta). This release is our first round of APIs, with more coming in 2023.

Enhanced compliance and data residency

Microsoft Purview Compliance Manager helps organizations simplify compliance and reduce risk. It translates complex regulatory requirements into specific controls, allowing organizations to constantly assess, monitor, and improve their compliance posture—all while saving time and money. So, what’s new in Compliance Manager?

• New templates: Easily translate more than 350 regulations into tangible actions for your organization to improve its compliance posture.
• Continuous assessments: Last year we announced the ability to eliminate blind spots by adding continuous testing for technical controls. Today, we’re excited to share that we’ve added Microsoft Priva and App Governance as our newest first-party solutions.

More to come

I’d be remiss to not talk to you about some of the exciting capabilities we have coming up. For Microsoft Purview, you will start to see integrations across Microsoft 365 and Microsoft Azure to help increase the visibility of your data and easily automate data classification. For Microsoft Priva, you’ll soon see more multicloud privacy management capabilities that help you automate privacy controls and strengthen your privacy program. To learn more about potential risks within your own organization, read the new Microsoft insider risk report. Also, be sure to read Microsoft Security Corporate Vice President of Compliance, Identity, and Management Vasu Jakkal’s blog with highlights from her keynote address and insights into her vision for the Microsoft Security family of products and beyond.

Learn more

Learn more about Microsoft Purview and Microsoft Priva.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

---

¹Volume of data/information created, captured, copied, and consumed worldwide from 2010 to 2020, with forecasts from 2021 to 2025, Statista. September 8, 2022.

²Data privacy is a growing concern for more consumers, Lance Whitney. August 17, 2021.

The post How Microsoft Purview and Priva help simplify data protection appeared first on Microsoft Security Blog.

The risk landscape for organizations has changed significantly in the past few years. The amount of data captured, copied, and consumed is expected to grow to more than 180 zettabytes through 2025.¹  Traditional ways of identifying and mitigating risks don’t always work. Historically, organizations have focused on external threats; however, risks from within the organization can be just as prevalent and harmful. These internal risks include unprotected and ungoverned data, accidental or intentional data oversharing, as well as the risks for failing to meet ever-changing regulations. Not to mention, with more than 300 million people working remotely, data is being created, accessed, shared, and stored outside of the traditional borders of business.

Core to a security team’s mission is protecting the company’s assets, especially its data. Strong data protection requires securing the most sensitive or critical data, preventing that data from leaving the organization, and managing potential risks inside and outside of your environment.

And managing internal risks can be challenging because it requires analyzing millions of daily signals to detect potentially risky user actions that may lead to a data security incident. For example, what confidential files are your users sharing or accessing? Are users sharing sensitive files externally? Are they downloading files to unapproved devices or uploading them to unapproved locations? All the while, you must balance security controls and productivity, and ensure user privacy is built into your program.

To be effective in addressing insider risks, it’s critical that organizations start thinking about how and why they should be implementing a holistic data protection strategy across their entire organization that encompasses people, processes, training, and tools. At Microsoft, we transitioned from a fragmented insider risk management approach to one in which we addressed it holistically by taking a more comprehensive approach, getting more buy-in from organizational leadership, and making sure user privacy is built in from the get-go.

Following our own transition, Microsoft wanted to better understand how organizations are approaching insider risk management, specifically how some of these security and compliance teams were thinking about insider risk management holistically. Today we’re publishing our first Microsoft report specifically addressing insider risk, “Building a Holistic Insider Risk Management program.”

This Microsoft-commissioned report lays out several new insights about how organizations go from a fragmented approach to insider risk management to a holistic one, addressing potential risks from multiple lenses as part of a greater data protection strategy, with cross-leadership buy-in. For example, we found that more than 90 percent of holistic organizations believe privacy controls should be used in the early stages of investigations. Holistic organizations also get more buy-in on their risk programs from other departments, like legal, HR, or compliance teams, which is critical to building a culture of security. Furthermore, they put a greater emphasis on training with 92 percent agreeing that “training and education are vital to proactively address and reduce insider risks,” compared with 50 percent of fragmented organizations.

The report also shares best practices for organizations who endeavor to approach insider risk management more holistically and build a program that fosters trust, empowers users, and makes privacy a priority.

You can read the full report here.

Learn more

Learn more about Microsoft Purview.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

---

¹Volume of data/information created, captured, copied, and consumed worldwide from 2010 to 2020, with forecasts from 2021 to 2025, Statista. September 8, 2022.

The post Microsoft publishes new report on holistic insider risk management appeared first on Microsoft Security Blog.

The risk landscape for organizations has changed significantly in the past few years. The amount of data captured, copied, and consumed is expected to grow to more than 180 zettabytes through 2025.¹  Traditional ways of identifying and mitigating risks don’t always work. Historically, organizations have focused on external threats; however, risks from within the organization can be just as prevalent and harmful. These internal risks include unprotected and ungoverned data, accidental or intentional data oversharing, as well as the risks for failing to meet ever-changing regulations. Not to mention, with more than 300 million people working remotely, data is being created, accessed, shared, and stored outside of the traditional borders of business.

Core to a security team’s mission is protecting the company’s assets, especially its data. Strong data protection requires securing the most sensitive or critical data, preventing that data from leaving the organization, and managing potential risks inside and outside of your environment.

And managing internal risks can be challenging because it requires analyzing millions of daily signals to detect potentially risky user actions that may lead to a data security incident. For example, what confidential files are your users sharing or accessing? Are users sharing sensitive files externally? Are they downloading files to unapproved devices or uploading them to unapproved locations? All the while, you must balance security controls and productivity, and ensure user privacy is built into your program.

To be effective in addressing insider risks, it’s critical that organizations start thinking about how and why they should be implementing a holistic data protection strategy across their entire organization that encompasses people, processes, training, and tools. At Microsoft, we transitioned from a fragmented insider risk management approach to one in which we addressed it holistically by taking a more comprehensive approach, getting more buy-in from organizational leadership, and making sure user privacy is built in from the get-go.

Following our own transition, Microsoft wanted to better understand how organizations are approaching insider risk management, specifically how some of these security and compliance teams were thinking about insider risk management holistically. Today we’re publishing our first Microsoft report specifically addressing insider risk, “Building a Holistic Insider Risk Management program.”

This Microsoft-commissioned report lays out several new insights about how organizations go from a fragmented approach to insider risk management to a holistic one, addressing potential risks from multiple lenses as part of a greater data protection strategy, with cross-leadership buy-in. For example, we found that more than 90 percent of holistic organizations believe privacy controls should be used in the early stages of investigations. Holistic organizations also get more buy-in on their risk programs from other departments, like legal, HR, or compliance teams, which is critical to building a culture of security. Furthermore, they put a greater emphasis on training with 92 percent agreeing that “training and education are vital to proactively address and reduce insider risks,” compared with 50 percent of fragmented organizations.

The report also shares best practices for organizations who endeavor to approach insider risk management more holistically and build a program that fosters trust, empowers users, and makes privacy a priority.

You can read the full report here.

Learn more

Learn more about Microsoft Purview.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

---

¹Volume of data/information created, captured, copied, and consumed worldwide from 2010 to 2020, with forecasts from 2021 to 2025, Statista. September 8, 2022.

The post Microsoft publishes new report on holistic insider risk management appeared first on Microsoft Security Blog.

Your data is a strategic asset. To benefit your business, data requires strict controls around structure, access, and lifecycle. However, most security leaders have doubts about data security—nearly 70 percent of chief information security officers (CISOs) expect to have their data compromised in a ransomware attack.¹ Part of the problem lies in traditional data-management solutions, which tend to be overly complex with multiple unconnected, duplicative processes augmented with point-wise integrations. This patchwork approach can expose infrastructure gaps that attackers will exploit.

In contrast, proactive data governance offers a holistic approach that conserves resources and simplifies the protection of your data assets. This integrated approach to data governance is a vital component of Zero Trust security and spans the complete lifecycle of your data. It also reduces the cost incurred by a data breach, both by shrinking the blast radius and preventing an attacker from moving laterally within your network. Microsoft Purview provides a comprehensive data governance solution designed to help manage your on-premises, multicloud, and software as a service (SaaS) data. To help you get more from your data, we’ve put together five guideposts.

1. Create a data map of all your data assets

Before you can protect your data, you’ll need to know where it’s stored and who has access. That means creating comprehensive descriptions of all data assets across your entire digital estate, including data classifications, how it’s accessed, and who owns it. Ideally, you should have a fully managed data scanning and classification service that handles automated data discovery, sensitive data classification, and mapping an end-to-end data lineage for every asset. You’ll also want to make data easily discoverable by labeling it with familiar business and technical search terms.

Storage is a vital component of any data map and should include technical, business, operational, and semantic metadata. This includes schema, data type, columns, and other information that can be quickly discovered with automated data scanning. Business metadata should include automated tagging of things like descriptions and glossary terms. Semantic metadata can include mapping to data sources or classifications, and operational metadata can include data flow activity such as run status and run time.

2. Build a decision and accountability framework

Once you know where all your data is located, you’ll need to document the roles and responsibilities of each asset. Start by answering seven basic questions:

1. How is our data accessed and used? 
2. Who is accountable for our data?
3. How will we respond when business or regulatory requirements change?  
4. What is the process for revoking access due to a role change or an employee leaving?
5. Have we implemented monitoring and reporting to track data access?
6. How do we handle lifecycle management?
7. Are we automating permissions management to enforce security and compliance?

In response to question number one, you should develop a detailed lifecycle for data access that covers employees, guests, partners, and vendors. When deciding what data someone may need to access, consider both the person’s role and how the data in question will be used. Business unit leaders should determine how much access each position requires.

Based on the information gathered, your IT and security partners can create role-based access controls (RBAC) for each employee position and partner or vendor request. The compliance team will then be responsible for monitoring and reporting to ensure that these controls are put into practice. Implementing a permissions management solution can also help your organization by preventing misuse and malicious exploitation of permissions. By automatically detecting anomalous alerts, your organization can reduce IT workloads, conserve resources, and increase user productivity.

3. Monitor access and use policies

Next, you’ll need to document the policies for each data repository. Determine who can access the data—including read versus write access—and how it can be shared and used in other applications or with external users. Will your organization be storing personal identifiable information (PII) such as names, identification numbers, and home or IP addresses in this repository? With any sensitive data, it’s imperative to enforce the Zero Trust principle of least privilege or just-in-time (JIT) access.

The JIT permissions model strengthens the principle of least privilege by reducing the attack surface to only those times when privileges are actively being used (unlike the all-day, every day attack surface of standing privileges). This is similar to the just-enough-privilege (JEP), wherein a user completes a request describing the task and data they need to access. If the request is approved, the user is provisioned with a temporary identity to complete the task. Once the task is completed, the identity can be disabled or deleted. There’s also a “broker-and-remove-access” approach, wherein standing privileged accounts are created and their credentials stored securely. Users must then provide a justification when requesting to use one of the accounts to access data for a specific amount of time.

Your organization can protect itself by maintaining a log of every request for elevated access (granted or declined), including when the access was revoked. All organizations, especially those storing PII, need to be able to prove to auditors and regulators that privacy policies are being enforced. Eliminating standing privileged accounts can help your organization avoid audit troubles.

4. Track both structured and unstructured data

Traditionally, data governance has focused on business files and emails. But stricter regulations now require organizations to ensure that all data is protected. This includes both structured and unstructured data shared on cloud apps, on-premises data, shadow IT apps—everything. Structured data is comprised of clearly defined data types with patterns that make them easily searchable, such as Microsoft Office or Google Docs. Unstructured data can include anything else, such as audio files, videos, and even social media posts.

So, should you leave it up to the individual asset owner to implement their own data protections across such a vast data landscape? An alternative that some of Microsoft’s customers have embraced involves developing a matrixed approach to data governance, wherein security and compliance experts help data owners meet requirements for protecting their data. In this scenario, a “common data matrix” is used to track how data domains are interacted with across your organization. This can help document which areas of your business can simply create data versus read, access, or remove data assets. Your data matrix should identify the data’s source, including any shadow IT systems in use. Make sure to capture any domains and sub-domains containing sensitive or confidential data, subject to government regulation. Also, documenting roles and responsibilities for each business unit allows everyone to understand who is using specific data for a particular job, as well as who is adding data into a system and who is responsible for it.

5. Delete data that’s no longer needed

“Dark data,” which organizations pay to store but goes underutilized in decision making, is now growing at a rate of 62 percent per year.² Given that most IT teams are already overstretched, asking them to stand guard over vast data lakes is not a recipe for security. So, how do you know when some data is no longer useful to your organization?

Sometimes the easiest way to protect data is to delete it. In keeping with the Zero Trust principle of “assume breach,” less data means less risk. Theft of intellectual property (IP) can be financially hazardous, whereas theft of customer PII can be disastrous long-term for your brand. Privacy laws require that businesses keep PII only for as long as it has served its original purpose.³ However, manually tracking which files are subject to deletion would be nearly impossible. A better approach is to implement ongoing controls to auto-expire PII or set up automated reminders for reviewing sensitive data to decide if it’s still needed.

Understanding the lifecycle of data makes it easier to delete when it’s no longer needed. An integrated data governance solution with intelligent machine learning capabilities can do the work for you, classifying content when it’s created and automatically applying appropriate sunset policies.⁴ Or, use multi-stage retention policies to automatically apply a new label at the end of a retention period.

Learn more

Proactive, holistic data governance is an integral part of data protection, spanning the complete lifecycle and helping drive business outcomes by ensuring that your data is discoverable, accurate, and secure. Microsoft Purview integrates and automates data governance by setting lifecycle controls on your sensitive data, protecting against data loss, and managing RBAC. To experience Purview in your organization, you’re welcome to start with a free trial.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

---

¹Almost 70% of CISOs expect a ransomware attack, Danny Bradbury. October 19, 2021.

²September 2021 survey of 512 United States compliance decision-makers commissioned by Microsoft from Vital Findings.

³GDPR personal data—what information does this cover?, GDPR. 2022.

⁴Microsoft is committed to making sure AI systems are developed responsibly and in ways that warrant people’s trust. As part of this commitment, Microsoft Purview engineering teams are operationalizing the six core principles of Microsoft’s Responsible AI strategy to design, build and manage AI solutions. As part of our effort to responsibly deploy AI, we provide documentation, gating, scenario attestation, and more to help organizations use AI systems responsibly.

The post Data governance: 5 tips for holistic data protection appeared first on Microsoft Security Blog.

What is a corporate governance score?

Corporate governance scoring is increasingly important to boards of directors, executive leadership, and the investment community. If we want to enlist the support of a stakeholder, we have to talk about the things that are important to them. Sales revenue is important to sellers. Data breach risk gets the attention of the chief information security officer (CISO). Governance scores often affect executive compensation and the way an analyst rates a company’s stock. They are important to the board.     

If the IT security team communicates in terms of improving a corporate governance score, it will get their attention. Boards have a lot of demands on their attention as they prioritize the many risks and opportunities they need to navigate. Moving the needle on a benchmark they already care about helps them prioritize IT security. 

Corporate governance benchmarks, such as the Institutional Shareholder Services (ISS) ESG Governance QualityScore, are a focus area for boards, management, and investment analysts.¹ This is a language that they speak. If we want to advocate with these stakeholders, framing our IT security investments and actions in terms of an increased QualityScore is an effective way to do this.

Leaders in the corporate governance space have recognized the part that IT security plays in corporate governance and have included this in their scoring methodology. Cybersecurity is identified as a focus area in Principles of Corporate Governance for the board risk oversight and management strategic planning responsibilities,² as well as an evolving governance challenge in the Harvard Law School Forum on corporate governance.³ Security, particularly concerning data breaches, is identified by the Corporate Finance Institute as one of the principles of corporate governance.⁴

We’ll identify the specific ways that IT security governance can impact a company’s ISS Governance QualityScore, potentially driving analyst recognition, shareholder value, and executive compensation. This can help inform the board as they consider relative priorities and investments in IT security.

While the discussion is applicable to all geographies and segments, the scoring example we’ll use is for a United States-based company in the Standard and Poor’s (S&P) 500 index.

How corporate governance scores are calculated

The ISS ESG Governance QualityScore is a data-driven scoring and screening solution designed to help institutional investors monitor portfolio company governance. The ISS Governance QualityScore global coverage is applied to approximately 7,000 companies, including those represented in S&P 500, STOXX 600, Russell 3000, Nikkei 400, and others around the world.

The companies’ annual meeting notes, regulatory filings, and other public-facing information are reviewed quarterly and in real-time for some events to update the QualityScore.

The methodology is made available on the ISS website.⁵

To improve the organization’s QualityScore and map the impact of IT security investments and activities, it is important to understand the factors (questions) and how a score is calculated.

The topics scored include:

• Board structure.
• Compensation.
• Shareholder rights.
• Audit and risk oversight.

The audit and risk oversight section is where the IT security-related factors are located. We’ll focus our discussion on how to map and raise these factors.

A raw score based on the factors is calculated and ranked relative to companies in the same index or region to promote an “apples to apples” comparison, with a number from 1 to 10 assigned to each category. Figure 1 shows an example of a raw score and category score for each category for a United States-based company in the S&P 500.

Category	Category Raw Score	Category Score
Board Structure	25.0	7
Compensation	19.5	10
Shareholder Rights	28.0	5
Audit & Risk Oversight	56.5	4
	Overall Raw Score	Governance QualityScore
Total	129.0	8

Table 1. Score methodology example for S&P 500 United States-based company.

Rating Category	Questions Scored
Board Structure	51
Audit and Risk Oversight	21
Shareholder Rights	32
Compensation	37
Total	141

Table 2. Questions scored in each category for a United States-based company.

For the United States, there are 141 factors scored. Twenty-one are for the Audit and Risk Oversight category. Of these, 11 are related to information security. Thus, more than half of this category’s raw score that will be scaled to create the 1 to 10 QualityScore for the Audit and Risk Oversight category is related to IT security.

The definition of IT security-related questions differs from what an IT security and compliance professional will have encountered from working with the ISO, the NIST, or similar security standards. We’ll look at this next.

IT security conversation with the board and executives through the corporate governance lens

The factors used for the governance score are different from what we’d encounter in an IT audit. They don’t cover the fulsome controls and defense in depth that we’d expect as IT security professionals. Some are likely part of key performance indicators (KPIs) already tracked, such as those relating to awareness and training, financials, and breaches.

When a strategic plan or business case for an investment is presented to leadership, it can be mapped to the QualityScore factors. An improvement in the governance score can be forecasted.

An example is provided below for the implementation of Microsoft Purview Audit (Premium). This tool is a part of Microsoft 365, is easily deployed, and has no user impact or change management requirements. In the event of a credentials compromise, it provides forensic information to understand if there was a breach of sensitive information, what documents may have been accessed by the bad actor, and provides retention of audit data for long periods of time.

QuestionID	Question	Mapping for Microsoft Purview Audit (Premium)
402	Does the company disclose an approach to identifying and mitigating information security risks?	Audit (Premium) allows a company to identify the information accessed by a bad actor if an account is compromised. It provides forensic information to understand the consequences of a breach and remediate appropriately. This is part of risk mitigation.
406	What are the net expenses incurred from information security breaches over the last three years relative to total revenue?	Audit (Premium) makes information available that can differentiate a breach that has no impact from one that has a massive impact on the company, its partners, and its customers. Without this information, the company may incur massive costs for breach notification and mitigation that would not be necessary if the breach could be properly scoped.
407	Has the company experienced an information security breach in the last three years?	Audit (Premium) can differentiate between account compromise that has no impact and may not be reportable as opposed to a breach requiring large-scale reporting and remediation. Reporting information security compromises correctly, including knowing what is and is not a breach is a focus of Audit (Premium).
408	What are the net expenses incurred from information security breach penalties and settlements over the last three years relative to total revenue?	The expenses and penalties incurred due to an information security breach will vary greatly depending on the scope and impact of the breach. Expenses and penalties can be reduced as a result of the forensic information Audit (Premium) makes available.
409	Has the company entered into an information security risk insurance policy?	Insurers require underwriting to issue security risk insurance policies. Underwriting depends on the company’s IT security program, controls, and governance. Audit (Premium) is an important part of the security program, providing uniquely valuable forensic information.
412	How long ago did the most recent information security breach occur (in months)?	Audit (Premium) can differentiate between account compromise that has no impact and may not be reportable as opposed to a breach requiring large-scale reporting and remediation. It can enable a forensic investigation that scopes a breach in terms of time and the timing of bad actor activities in this period.

Table 3. Example Mapping of Microsoft Purview Audit (Premium) to ISS Governance QualityScore.

Alignment with the Governance QualityScore goes beyond the support of security solutions and investments.

Some of what the company may already have in place, like security training, standards-based audit, metrics, and reporting is part of the scoring. Communicating this so that it is reflected in the governance score increases the company’s return on investment and leadership’s awareness of the contributions of the security team.

The score will be boosted by having senior leadership regularly brief the board on information security matters.

Adding a board member with security experience will also boost the score. These will give the security function the attention and investment that it needs from leadership to increase the company’s security posture.

Conclusion

Showing how a company’s Governance QualityScore benefits from their investment in security demonstrates additional return on investment and wins support for the security program from a range of stakeholders. Stakeholders that may not recognize the value of IT security controls and processes or understand IT security risk may recognize the financial and brand value of an increased governance score.

As time goes on, the expectations for IT security to be part of corporate governance will increase. The focus on the breach will likely be broadened to a more holistic perspective. Additional factors will be considered and the impact of IT security on the overall scoring will increase.

Consider demonstrating how an IT security investment or activity will raise your company’s governance score along with other aspects of the business case and risk management when presenting to leadership to make a fulsome case for action.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

---

This document is provided “as-is.” Information and views expressed in this document, including URL and other Internet website references, may change without notice. You bear the risk of using it. This document is not intended to communicate legal advice or a legal or regulatory compliance opinion. Each customer’s situation is unique, and legal and regulatory compliance should be assessed in consultation with their legal counsel.

---

¹Institutional Shareholder Services ESG Governance QualityScore, ISS. March 31, 2022.

²Principles of Corporate Governance, Harvard Law School Forum on Corporate Governance. September 8, 2016.

³Cybersecurity: An Evolving Governance Challenge, Harvard Law School Forum on Corporate Governance. March 15, 2020.

⁴Corporate Governance, Corporate Finance Institute. May 8, 2022.

⁵Governance QualityScore, ISS.

The post IT security: an opportunity to raise corporate governance scores appeared first on Microsoft Security Blog.

Compliance management is a complex process—one that gets increasingly more complicated the larger an organization grows. Microsoft knows this firsthand, not only because of our experience providing Security and Compliance solutions to customers but also because of the global reach and responsibility for maintaining compliance with a hefty number of regional and industry-specific regulations. Another thing Microsoft has learned along this journey is that the route is significantly smoother with an inclusive mindset and digital tools to ease the way.

In the new world of hybrid work, regulatory compliance has become a board-level directive. Local and global regulations dictate how to manage, store, and transmit data, making compliance more critical than ever before. However, to adhere to these regulatory standards, risks need to be identified and mitigated, and data needs to be governed according to policy. Embarking on this journey will provide additional valuable outcomes, like:

• Providing you with fast access to requested data in the event of an external or internal investigation or legal action.
• Protecting company data as the workplace evolves is especially important given the growing use of personal devices for work and the increase in employees accessing company networks from outside the physical office for some or most of their week.
• Acting as good stewards—Chief Information Security Officers (CISOs) feel a sense of duty to protect their employees, partners, and customers to the best of their ability.

Microsoft’s compliance journey has given us insights and best practices that we can share with other organizations determined to strengthen their compliance management practices. Planning for the unexpected events that inevitably occur means aligning your people, processes, and technology. Here are five things we’ve learned along our compliance path—and stories of what’s worked for customers.

Assess your compliance posture

It’s difficult, if not impossible, to know if you’re headed in the right direction without knowing your current position. So, where do you start? Compliance management has gone from a nice to have to a must-have for organizations, which have huge a incentive to strengthen their compliance management practices. Keeping track of all the regulations they’re responsible for, however, can be challenging, especially for those companies in regulated industries, like financial services or healthcare. Maintaining a good compliance posture can help you avoid penalties, negative publicity, fines, and financial losses. Given how quickly regulations change, this can be a big challenge. And manually tracking compliance issues in spreadsheets often isn’t sufficient. As a first step, we recommend assessing the current state of your compliance with a visual tool that helps measure where you are today, and allows you to track your collective progress over time.

Broaden your idea of compliance

When people hear the term “compliance,” many instantly think about regulatory compliance. Understandably so, because regulations like the California Consumer Protection Act (CCPA) and General Data Protection Regulation (GDPR) receive a lot of press and attention. But as mentioned earlier, compliance goes way beyond regulations.

Compliance management can even lead to innovation. Customers tell us they feel free to adapt the way they operate in response to customer trends. Visionary Wealth Advisors, a financial management firm in the United States, wanted to allow customers to communicate with the company via text messaging but needed to manage that data securely for compliance reasons. Visionary Wealth Advisors was able to maximize security and compliance with Microsoft Purview Data Lifecycle Management and CellTrust SL2.

“A central pain point is that the client doesn’t understand the regulatory environment that we operate in,” said Ryan Barke, Chief Compliance Officer and General Counsel, Visionary Wealth Advsiors. “They just want to communicate with their financial advisor, and the financial advisor wants to communicate with the client. We can have a policy that says, advisors, you’re prohibited from text messaging with your clients but we cannot control the other end of that communication.”

Involve everyone

Data breaches are accelerating—climbing 68 percent in 2021, costing an average of USD4.24 million each.¹ Insider leaks of sensitive data, intellectual property (IP) theft, and fraud can all detrimentally impact a company. So, too, can regulatory violations, but CISOs may be so focused on data protection that data compliance doesn’t get as much attention. What we have learned on our journey is that compliance isn’t a CISO’s burden to bear alone. Multiple Microsoft executives were involved in meeting compliance regulations and obligations. People across Microsoft had to have a hand in compliance to drive the process.

Involving multiple leaders makes sense given how people throughout an organization will benefit from what strong compliance management makes possible. The City of Marion in Australia deployed Microsoft Purview Records Management to better manage the data collected from the 90 services it provides. As a result, city staff has become more engaged with the process of creating and handling information. They can organize themselves and their workflows in Microsoft Teams, set up SharePoint sites, create and link information, create their own Power BI reports, configure workflows, and connect varied information much easier.

“It helps our small team get lots of stuff done, and we don’t need to worry so much about compliance anymore,” said Karlheins Sohl, Information Management Team Leader, City of Marion. “We can trust the system to help take care of that, while we’re freed to focus on the quality of information and the service we provide to the City of Marion staff.”

Discover data and identify risks

In the event of legal action, a merger or acquisition, or an internal or external investigation, technology solutions can help you more efficiently find the relevant data you need. With the proliferation of data, that’s more important than ever.

The sheer volume of data can make this challenging. Technology solutions like Microsoft Purview eDiscovery can help you save time and money on tracking down data.

Through a solution like Microsoft Purview Communication Compliance, organizations can reduce risks related to regulatory compliance obligations.  

Simplify and automate compliance

Effective technology solutions have a wonderful way of simplifying complex processes—and often the workdays of those responsible for managing those processes. Multiple solution providers can complicate already challenging compliance processes and result in a fragmented, inefficient approach. Choosing a comprehensive solution, like Microsoft Purview, can help by continuously monitoring for compliance changes and automating the update process.

Texas-based Frost Bank must follow numerous banking regulations and employees recognize the importance of complying with them—“Compliance is like drinking coffee in the morning,” says Edward Contreras, CISO, Frost Bank. Keeping up with all of those regulations proved challenging before adopting Microsoft Purview Compliance Manager, which updates daily, adding at least 200 updates from more than 1,000 regulatory bodies and enabling the bank to create detailed reports for regulators and auditors.

“Compliance Manager took the mystery out of regulatory compliance for us,” said Glenn McClellan, Endpoint Architect, Frost Bank. “The solution provides improvement actions, excerpts from relevant regulations, and overall, made managing compliance really easy and actionable.”

Explore Microsoft Purview

Effective compliance and risk management are extremely important, and are possible. Microsoft is here to help if you’re looking to simplify your compliance management with technology solutions.

Microsoft Purview is a comprehensive set of compliance and risk management solutions that help organizations govern, protect, and manage data, and improve your company’s risk and compliance posture. These solutions include Microsoft Purview eDiscovery, which helps you discover, preserve, collect, process, cull, and analyze your data in one place; Microsoft Purview Compliance Manager, which helps you simplify compliance and reduce risk; and Microsoft Purview Communication Compliance, which helps foster compliant communications across corporate mediums. We’d love to offer support on your journey.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

---

¹Cost of a Data Breach Report 2021, Ponemon Institute, IBM. 2021.

The post Discover 5 lessons Microsoft has learned about compliance management appeared first on Microsoft Security Blog.

Today, many enterprise organizations are multicloud and multiplatform. Critical enterprise data is located across clouds and platforms, requiring security and compliance no matter where it lives. To solve the complexity that comes with these environments, organizations have invested in multiple point solutions, which in turn can make it hard for them to manage the fragmented compliance and risk posture covering their entire data estate. To help organizations meet today’s global compliance and risk requirements across their multicloud, multiplatform data environments, we announced Microsoft Purview in April 2022.

Microsoft Purview is a portfolio of solutions for information protection, data governance, risk management, and compliance that enables organizations to effectively manage their data all from one place. It provides enhanced visibility that organizations can leverage across their environment to help close gaps that can lead to data exposure, simplify tasks through automation, stay up-to-date with regulatory requirements, and keep their most important asset—their data—secured. Partners play a critical role in helping customers manage their entire data estate. We’ve invested in connectors, APIs, and extensibility to support partners and help customers manage their data. 

Microsoft Purview product announcements

Today, we are excited to announce the general availability of the new Microsoft Graph APIs for Microsoft Purview eDiscovery. With the new Microsoft Purview eDiscovery APIs, organizations can leverage automation to streamline common, repetitive workflows that require a lot of manual effort in the product experience.

Customers and partners find automation and extensibility of eDiscovery workflows critically important because of the ability to reduce the potential for human error in highly sensitive workflows. For example, efficiently managing repeatable, defensible processes is critical to managing risk for organizations that have significant requirements for litigation and investigation.

Here are some of the ways partners are building value-added solutions and services using our Microsoft Purview eDiscovery APIs:

Relativity integrates with Microsoft Purview eDiscovery (Premium)

Relativity, Microsoft’s Security ISV of the Year for 2022, shared that “using the right tools to put business’s data into action is essential for many eDiscovery and compliance use cases. RelativityOne integration with Microsoft Purview eDiscovery significantly expedites the eDiscovery review process, minimizes data copies across multiple platforms, facilitates third-party collaboration, and ultimately reduces costs while the data remains secure within the Microsoft cloud. Now is the time to benefit from RelativityOne’s integration with Microsoft’s Purview’s eDiscovery platform,” said Chris Izsak, Strategic Partnerships GTM Manager, Relativity.

BDO’s Athenagy integrates with Microsoft Purview eDiscovery

BDO’s Athenagy creates dashboards using both Microsoft Purview eDiscovery and RelativityOne. Their “patent-pending business intelligence dashboards now provide legal, IT, and compliance professionals a whole new level of data transparency and cost containment by surfacing up critical insights inside both Microsoft Purview eDiscovery—using the newly released Microsoft Purview eDiscovery APIs—and RelativityOne tied to legal hold, collect, preservation, processing, and review for every investigation, compliance, and litigation matter,” said Daniel Gold, inventor of Athenagy and managing director of E-Discovery Managed Services, BDO.

Epiq Global integrates with Microsoft Purview eDiscovery

Epiq leverages Microsoft Purview eDiscovery APIs to create an end-to-end eDiscovery workflow. “Utilizing the Microsoft Purview eDiscovery APIs allows us to automate within Microsoft Purview to use inputs from our customer’s existing legal hold system of record to seamlessly orchestrate an end-to-end workflow including sending hold notices, preserving data in place, and performing searches, collections, and exports. When updates are made in the system of record, the changes are propagated directly to the appropriate piece of eDiscovery to ensure parity. An automated solution eliminates human error, reduces administrative costs, and ensures that eDiscovery processes are in sync with your issuance of legal holds,” said Jon Kessler, Vice President of Information Governance Services, Epiq.

Lighthouse integrates with Microsoft Purview eDiscovery

Lighthouse uses Microsoft Purview eDiscovery APIs to create “a rich and intuitive user experience, taking advantage of custodian data mapping, in-place preservation, modern attachment retrieval, and advanced culling. Our automation and orchestration solution is designed to improve user efficacy with job failure oversight, completion notification, and automatic provisioning and management of Azure storage containers. Clients embracing this solution benefit from automation and orchestration to fully leverage Purview Premium eDiscovery’s apps securely and at scale,” said John Collins, Director of Advisory Services, Lighthouse (winner of the Compliance and Privacy Trailblazer award for 2022).

Growth opportunities for partners

The opportunity for our partners who invest in the Microsoft compliance ecosystem continues to grow. Our partners are finding success by building value-added solutions and services around Microsoft’s solutions at an increasing rate. For example, partners are creating solutions that connect disparate information repositories for enterprise-wide compliance initiatives.

Microsoft partners continue to have the ability to participate in our successful go-to-market program, the partner build-intent workshops. These workshops cover the Microsoft Security portfolio and help drive customer success with Microsoft products and partner services through prescriptive scenarios that address the top pain points of our customers. These workshops have been updated to give partners the ability to uncover additional opportunities leveraging the most up-to-date tools and solutions. Discover all our partner workshops and get started with unlocking opportunities and value with your customers.

How Microsoft supports the partner ecosystem

The Microsoft Purview platform enables our customers and partners to adapt, extend, integrate, and automate information protection, data governance, risk management, and compliance scenarios. These capabilities are enabled through our investments in these key building blocks:

Microsoft Purview APIs: We are constantly expanding our API surface area. With our investments in Microsoft Graph APIs we currently enabling extensibility scenarios across Purview Information Protection, Purview Data Lifecycle Management, Purview eDiscovery, Purview Audit, and more. Partners are using these APIs to build value-added services and solve unique customer scenarios.

Microsoft Purview Data Connectors: To enable high-fidelity data ingestion—including sources such as Slack, Zoom, and WhatsApp, we have partnered with Veritas, TeleMessage, 17a-4, and CellTrust to deliver more than 70 ready-to-use connectors. Our extensibility push provides more opportunities for partners to join this connector ecosystem.

Microsoft Purview Data Catalog: Microsoft Purview’s unified data governance capabilities help with managing on-premises, multicloud, and software as a service (SaaS) data. Microsoft Purview Data Catalog supports multicloud data classification and covers data repositories such as Azure Cosmos DB and Amazon Web Services (AWS) S3 buckets. There is also an Atlas Kafka API that facilitates extensibility scenarios for our partners and customers.

Microsoft Purview Compliance Manager: With universal templates, we help partners and customers extend compliance management capabilities to non-Microsoft environments.

Power Automate integrations: Microsoft Purview solutions including Microsoft Purview Data Lifecycle Management, Insider Risk Management, and Communication Compliance have built-in Power Automate integrations. This offers unique opportunities for our partners and customers to streamline and automate workflows and business scenarios.

Another way Microsoft supports the ecosystem is through the Microsoft Intelligent Security Association (MISA). MISA is an ecosystem of independent software vendors and managed service providers that have integrated their products and services with Microsoft’s security technology. Over the last year, MISA has extended its qualifying products to include a broad range of Microsoft Purview and Microsoft Priva products. MISA offers members co-marketing benefits and the opportunity to deepen their technology integrations and relationship within the Microsoft security ecosystem. MISA offers members co-marketing benefits and the opportunity to deepen their technology integrations and relationship within the Microsoft security ecosystem.

Partner with Microsoft Purview

Here are a few ways that partners can join the Microsoft Purview ecosystem:

• For more information, check out the Microsoft Purview partner transform page.
• Explore the many opportunities for the partner ecosystem with Microsoft Purview.
• Reach out to our partners and explore their solutions.
• Check out our Microsoft Security Inspire blog post to learn more about how partners can help customers on the Microsoft platform.
• Get started with unlocking opportunities and value with your customers at our Partner Network.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post How Microsoft Purview and Priva support the partner ecosystem appeared first on Microsoft Security Blog.

We are excited to share that Microsoft has been rated “Outstanding in Functionality” in the KuppingerCole Market Compass for Secure Collaboration, May 2022. Microsoft was also the only company to be awarded the highest possible score of “Strong Positive” in all five categories: security, deployment, interoperability, usability, and market standing for the Microsoft Purview Information Protection platform.

The Secure Collaboration Market Compass report covers solutions that protect sensitive data, which includes intellectual property or information restricted to certain audiences (such as trade secrets, some legal contracts, agreements, and financial statements), along with personally identifiable information (PII) and health information for regulatory standards such as General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and Health Insurance Portability and Accountability Act (HIPAA). As companies shift towards remote hybrid work, protecting sensitive data that is continuously created and shared among employees, contractors, partners, and suppliers—while not impeding worker productivity—is becoming increasingly important. Enterprises today face the challenge of classifying large volumes of data, especially personal data, which is required by privacy regulations and laws worldwide.

At Microsoft, our goal is to provide a built-in, intelligent, unified, and extensible solution to protect sensitive data across your digital estate—in Microsoft 365 cloud services, on-premises, third-party software as a service (SaaS) applications, and more. With Microsoft Purview Information Protection, we are building a unified set of capabilities for classification, labeling, and protection, not only in Microsoft Office apps but also in other popular productivity services where the information resides (such as SharePoint Online, Exchange Online, and Microsoft Teams), as well as endpoint devices.

“Microsoft Purview Information Protection provides a sophisticated classification system that can apply labeling to a document based on the creator, the context in which it was created, and/or the content within the document. The functionality is natively embedded into Office services and apps, and third-party applications via the information protection SDK. Sensitive information is discovered and labeled with out-of-the-box, custom, and machine learning (trainable) functionality,” Annie Bailey, KuppingerCole analyst, writes in the report. “Information such as credit card, social security number (SSN), person names, licenses, and business categories like healthcare or financial can be classified out-of-the-box. Custom fields include RegEx, Dictionary, Fingerprint, Named entities detection (e.g., person name, address, medical terms), Exact Data Match, and credentials.”

We are also pleased that KuppingerCole recognizes the breadth and depth of our Microsoft Purview Information Protection platform and called out these strengths:

•  Double Key Encryption provides additional security and governance control.
•  Built into frequently used enterprise applications.
•  Simulations to test policy effectiveness.
•  Interoperates with Microsoft and third-party event logs.
•  Automated and manual classification options.
•  Coverage of structured and unstructured data in the Microsoft environment.
•  Data loss prevention functionality in Teams chat.
•  Option for no configuration, default classification.

We have made significant investments in our Microsoft Purview solutions (such as Data Loss Prevention, Compliance Manager, Data Lifecycle Management, Insider Risk Management, and eDiscovery) and Microsoft Priva privacy solution that leverage our advanced classifiers, unified labeling and protection, sensitive information types, and policy authoring templates provided by our Microsoft Purview Information Protection platform.

More than 200 partners are part of our Microsoft Intelligent Security Association (MISA). Partners can leverage our labeling features through our Information Protection SDK, data connectors, and Graph APIs to provide integrations with Microsoft applications and services, security and compliance solutions, and their own products.

We are honored to have been designated as “Outstanding in Functionality” by KuppingerCole and rated the highest possible score of “Strong Positive” in five different categories.

Learn more

We invite you to read the full KuppingerCole Secure Collaboration report. For more information on our Microsoft Purview solutions, please visit our website. Visit the Microsoft Purview Information Protection platform page to learn more about how to protect your data wherever it lives.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post KuppingerCole rates Microsoft as outstanding in functionality for secure collaboration appeared first on Microsoft Security Blog.

“Compliance is all about risk management and lessening risk, and the same is true of Zero Trust.”

—Abbas Kudrati

What’s risk management and why is it important?

Risk management, the process of developing a strategy for addressing risk throughout its lifecycle, normally involves four phases: risk identification, assessment, response, and monitoring and reporting.

Risk management plays a critical role in helping organizations with their security posture enhancement. Taking insider incidents as an example, they are not only costly to organizations but also time-consuming to be contained. Given the limited resources available, we have seen many organizations often prioritize investment in security controls, which can address the more critical risks. As such, the return on investment (ROI) is maximized in effectively protecting the organizations’ assets as well as ensuring their business operations. Risk management is an ongoing activity. Are the long-established risk management programs in the enterprises staying on top of the evolving digital and threat landscapes?

With trends like digital transformation, cloud migration, and hybrid work, traditional trust boundaries are getting blurred. Perimeter-driven defense is no longer adequate in protecting against the rising attack vectors. More attention has been drawn to the Zero Trust security model that assumes attackers are in the enterprise environment and encourages organizations to always verify explicitly and enforce least-privilege access.

How can Zero Trust architecture help with risk management?

Microsoft approaches the following Zero Trust architecture as a reference for customers to defend their digital estates.

Let’s look at how Zero Trust architecture can help an organization effectively manage enterprise risk management practice throughout the four phases:

1. Identification: More thorough asset discovery and risk identification with the six pillars

In the initial step of risk management, organizations need to categorize the system and information processed, stored, and transmitted based on impact analysis. With prioritization, activities of identifying threats and vulnerability to the assets are then performed. The Zero Trust architecture emphasizes the full coverage of organization assets across the entire digital estate, with six pillars specified as identity, endpoint, network, data, application, and infrastructure. Following the reference architecture would allow organizations to obtain a holistic view of their IT landscapes and associated risks.

Some questions for organizations to consider during the asset discovery and risk identification phase:

• What types of structured and unstructured data do you create, process, and store? Are all data classified, labeled, and encrypted?
• What applications do you access? Are they in the cloud or on-premises?
• What types of infrastructure do you manage—in the cloud or on-premises?
• Who has access to your resources, including network, data, applications, and infrastructure? Are they internal or external stakeholders, human or non-human actors? How are the authentication and authorization of the identities enforced?
• From which endpoints are access to your resources allowed? Are they owned by a company or individuals? How is device management performed and compliance reviewed?
• What are the normal and abnormal paths of an identity accessing your resources of any kind?

2. Assessment: Continuous risk assessment as input to access control evaluation and enforcement

Typically, a risk assessment on an information asset is performed periodically or upon major changes. It allows organizations to determine the potential risks and evaluate if the existing processes and controls are sufficient to lower the risks to an acceptable level. In the more dynamic digital world where attacks happen at cloud speed, Zero Trust architecture recommends continuous risk assessment—each request shall be intercepted and verified explicitly by analyzing signals on user, location, device compliance, data sensitivity, and application type. In addition, rich intelligence and analytics can be leveraged to detect and respond to anomalies in real-time, enabling effective risk management at the request level.

In addition, the security controls included in the Zero Trust architecture enable defense-in-depth, which shall be taken into consideration during regular risk assessment at system or organizational levels. With identity being the new first line of defense, strong multifactor authentication helps to determine if the actor is who it claims to be, reducing the likelihood of unauthorized access. Device compliance check then helps to reduce the likelihood of actors using compromised or outdated endpoints to access organization resources. In case of a breach, network micro-segmentation based on least-privilege access principle will minimize the lateral movement of malicious actors, narrowing the attack surface and containing the damage. Encryption of data in transit and at rest renders data unreadable and unusable without decryption keys, further lessening the impact of data breaches.

3. Response: Real-time responsive measures to mitigate risks throughout the request life cycle

Zero Trust architecture can also be aligned with the four general categories of risk response strategies: tolerate, operate, monitor, and improve. By design, it is recommended that telemetry, state information, and risk assessment from threat protection shall all feed into the Zero Trust policy engine to enable automatic response to threats immediately. Upon collection and evaluation of all risk signals from various sources, Zero Trust policies shall be enforced in real-time to allow, deny, restrict, or further authenticate access requests. Such approaches offer great responsiveness to risks detected in real-time throughout a request lifecycle, allowing organizations to address risks in a timely manner.

4. Monitoring and reporting: Visibility at all levels empowering risk monitoring and reporting

Risk monitoring and reporting are also critical components to ensure risk governance and assurance. It is common for organizations to keep risk monitoring and reporting at the system level. With Zero Trust architecture, organizations would benefit from the flexibility of gaining visibility at all levels into risks. At the granular level, risks of a single-user identity or sign-in will be evaluated, logged, and reported. With IT and security tools integrated, other potential breach indicators like a high volume of data access and transfer and malware detection can be associated, allowing the first line of the risk management team to obtain all necessary details for investigation. The rich threat and vulnerability data can be further processed to offer an aggregated view of an organization’s risk posture, making the risk reporting to senior management and auditors more accurate and hassle-free. With the insights generated from risk monitoring and reporting, risk management strategy and policy can be continuously reviewed and improved to stay relevant and effective.

Learn more

Learn more about the Microsoft Zero Trust framework.

Organizations may leverage the free Microsoft Zero Trust Maturity Assessment Quiz to understand their current state of Zero Trust maturity and our recommendations on the next steps. More details of how Microsoft can empower organizations in their Zero Trust journeys can be found in the Zero Trust Essentials eBook.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post How to improve risk management using Zero Trust architecture appeared first on Microsoft Security Blog.

Data is the lifeblood of any organization. Whether you’re a Chief Information Security Officer (CISO) or aspiring to become one, protecting sensitive business data will be your main priority. But the job isn’t getting any easier. In 2021, the number of data breaches climbed 68 percent to 1,862, costing an average of USD4.24 million each.¹ The damage from a breach touches everyone, causing diminished brand equity and consumer trust, decreased shareholder confidence, failed audits, and increased scrutiny from regulatory agencies.

It’s easy to become so preoccupied with protecting against the next ransomware attack that you overlook risks within your own organization. Insider leaks of sensitive data, intellectual property (IP) theft, fraud, regulatory violations—any of these can crash a company (and your career) as quickly as a headline-grabbing breach. Given the breadth of today’s digital estate—on-premises, in the cloud, and at the edge—Microsoft Purview provides the inside-out, integrated approach that an effective CISO needs to reduce the risk of internal and external data breaches before they occur. Here are some things to consider, both when prioritizing for yourself and talking to your board of directors.

Mind your own house—insider threats

As the “Great Resignation” or “Great Reshuffle” rolls on, organizations worldwide are dealing with large numbers of people heading for the exits—and climbing aboard. Results from Microsoft’s most recent Work Trend Index indicate that 43 percent of employees are likely to consider changing jobs in the year ahead. This massive shift in employment status has been accompanied by the “Great Exfiltration.” Many of those transitioning employees will, intentionally or not, be leaving with sensitive data stored on personal devices or accessed through a third-party cloud. During 2021, 15 percent of workers uploaded more corporate data to personal cloud apps as compared to 2020. What’s more alarming, 2021 also saw 8 percent of exiting employees upload more than 100 times their usual data volume.²

As a CISO, you’re responsible for data spread across multiple platforms, devices, and workloads. You’ll need to consider how that technology interacts with your organization’s business processes. That includes having policies in place to prevent data exfiltration; especially if you work in a regulated industry, such as finance or healthcare. It starts with asking: Who can access the data? Where should the data reside (or not reside)? How can the data be used? How do we prevent oversharing? A modern data loss prevention (DLP) solution—cloud-native and comprehensive—enables you to centrally manage all your DLP policies across cloud services, devices, and on-premises file shares. Even better, this type of unified DLP solution requires no additional infrastructure or agents, helping to keep costs down. Even in a time of great change, today’s workplace requires that people remain free to create, manage, and share data across platforms and services. However, the organizations they work for are often constrained by limited resources and strict privacy standards when seeking to mitigate user risks. For that reason, you’ll need tools that can analyze insider threats and provide integrated detection and investigation capabilities. The best solution for insider threats will be:

• Transparent—balancing user privacy with organizational risk by using privacy-by-design architecture.
• Configurable—enabling policies based on your industry, geographical location, and business groups.
• Integrated—maintaining a workflow that’s integrated across all your data, wherever it resides.
• Actionable—providing insights to enable reviewer notifications, data investigations, and user investigations.

Protecting against insider threats should include templates and policy conditions that define which triggering events and risk indicators require examination. For that reason, your insider-risk solution should be able to look at potential risk patterns across the organization, as well as investigate risky activity with end-to-end workflows. Furthermore, a solution that helps detect code of conduct violations (harassing or threatening language, adult content, and sharing sensitive information) can be a reliable indicator for possible insider threats. Machine learning will help provide greater context around certain words or key phrases, so investigators can speed up remediation.

Automate and integrate your data strategy

Because many organizations resist going all-in on one vendor, most CISOs have to deal with data spread across a patchwork of on-premises and cloud storage. Though clunky, legacy data silos are a fact of life. If large volumes of “dark data” aren’t correctly classified as sensitive, then it becomes difficult to protect personally identifiable information (PII) or sensitive corporate IP and implement data loss prevention policies. A thrifty CISO needs to simplify wherever possible, using a comprehensive solution to help protect the entire digital estate. A good data management solution should provide both the flexibility for users to manually classify their documents, as well as system administrators applying auto-labeling and machine learning-trainable classifiers.

• Data discovery: It’s not unheard of to discover that an employee unknowingly stored a customer’s Social Security Number (SSN) on an unprotected site or a third-party cloud. That’s why you’ll want a data management solution like PII that automatically identifies sensitive data using built-in sensitive information types and regulatory policy templates, such as General Data Protection Regulation (GDPR) and Health Insurance Portability and Accountability Act of 1996 (HIPAA). And since sensitive data can land anywhere, the right solution needs to use automation to cast a wide net across on-premises, multicloud, operational, and software as a service (SaaS) data.

• Data classification: Look for unified built-in labeling that’s already integrated with broadly used applications and services, allowing users to further customize sensitivity levels for their specific needs. The right solution should also allow automatic labeling and policy enforcement across an organization for faster classification and data loss prevention deployment at enterprise scale. In addition, look for unified data management solutions that identify and classify sensitive data found on-premises, multicloud, and SaaS to create a holistic map of your entire data estate.

• Data governance: You want your organization’s data to be discoverable, trusted, and stored in a location where it can be readily protected. Storing data longer than necessary increases your risk of exposure in a breach. On the other hand, deleting data too quickly can put your organization at risk of regulatory violations. Data retention, records management, and machine learning capabilities solve this problem by classifying data and automatically applying lifecycle policies, helping you manage risk and liability by keeping only the data you need and deleting what you don’t.

Make data protection a team effort

A primary responsibility for any CISO is to protect the organization’s IP, such as software source code, patented designs, creative works—pretty much anything that gives the business a competitive edge. But with the growth of big data and changing regulatory standards, CISOs are also expected to protect user data, such as PII, personal health information (PHI), and payment card industry (PCI) data. Privacy laws are also increasing restrictions on the use, retention, and location of user data, both internally and with third-party vendors.

In addition, hybrid and multicloud services create new challenges by distributing data’s geographic origins, storage location, and user access points. Today’s CISO needs to work with colleagues in data protection, privacy, IT, HR, legal, and compliance, meaning, you may be sharing duties with a Chief Data Officer (CDO), Chief Risk Officer (CRO), Chief Compliance Officer (CCO), and Chief Information Officer (CIO). That’s a lot of acronyms at one table. So, rather than duplicate efforts or compete for territory, an effective CISO should adopt a unified solution for data protection that helps eliminate potential redundancies and keeps your entire security team working off the same script.

Bonus tip—simplify

We all know the days of firewalls and perimeter-based security aren’t coming back. Enabling an effective Zero Trust approach requires the ability to protect data across a multicloud, multiplatform environment. Microsoft’s decision to unify data protection, governance, and compliance capabilities as Microsoft Purview—bringing together the former Microsoft Azure Purview and Microsoft 365 Compliance portfolio under one brand—reflects our belief that organizations need a simpler approach to data protection.

If you’re already a Microsoft 365 E5 or Microsoft 365 E5 Compliance customer, head over to the revamped Microsoft Purview compliance portal to check out some of these changes. If you’re an existing Azure Purview customer, visit the new Microsoft Purview governance portal. To learn more and get started, visit the Microsoft Purview website or start a free trial today.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

---

¹ Cost of a Data Breach Report 2021, Ponemon Institute, IBM. 2021.

² With the ‘Great Resignation’ comes the ‘Great Exfiltration’, Kevin Townsend. January 11, 2022.

The post So you want to be a CISO: What you should know about data protection appeared first on Microsoft Security Blog.

The worldwide shift to a hybrid workplace has pushed us all to embrace ubiquitous connectivity. Those new connections have helped us become more collaborative; routinely editing and sharing documents in real-time from wherever we happen to be working. Instant messaging went from being a tool of convenience to a cornerstone of communication. People in business, operations, and technical roles became adept at stitching together disparate solutions to meet changing needs.

But constant connectivity brings evolving, inherent risks. Over the past two years, organizations have seen a massive increase in their digital footprint, leading to data fragmentation and growth across a multitude of applications, devices, and locations. The Great Reshuffle left blind spots within ever-enlarging data estates.¹ Dark data, which organizations pay to store, but goes underutilized in decision making, is now growing at a rate of 62 percent per year.²  Even the virtual office has created the risk of new collaboration mediums opening doors to harassment, sensitive data leaks, and other workplace policy infractions. It’s a big digital world for any organization to try to manage. 

The lines between risk roles are blurring 

Just as today’s big-data, multiplatform, hyper-connected workplace brings new vulnerabilities, the responsibility for protecting it is also in flux. For example, an organization with a Chief Data Officer (CDO), Chief Risk Officer (CRO)/Chief Compliance Officer (CCO), Chief Information Security Officer (CISO), and Chief Information Officer (CIO) has to choose whether they will duplicate, compete, or collaborate. Conditions that are driving the need for integrated risk management include:

• The pandemic: Ongoing decentralized work has reinforced the need for strategic, operational, and business continuity management. All of this requires cross-functional data sharing and coordination. 
• Nation-state attacks: Increasing sophistication and frequency of nation-state attacks is driving collaboration between compliance, data, and security functions. 
• Remote work: Virtual communication spaces require coordination between compliance, IT, and HR. 
• Evolving regulations: New requirements, like those from the Office of Foreign Assets Control (OFAC), Department of Justice (DOJ), and the European Union Whistleblower Directive require collaboration among all risk-management leaders.
• Data sharing: Requirements for continuous access to operational data across functions (read the DOJ’s requirements for compliance programs).  
• Growing CDO responsibilities: The CDO’s role may go beyond data management and protection to include business intelligence, AI, and machine learning. Because this role can overlap with a Chief Analytics Officer (CAO) and CISO, a unified solution for risk management is vital to eliminating redundancies.
• Governance and compliance: Overlap between information governance, records management, and data collection is driving the need for a comprehensive solution for managing data risk.

”In a tracking survey of over 500 US decision-makers, nearly all (95 percent) are concerned about challenges they face regarding data protection in 2021.” ³

The market has responded with dozens of products that force security, data governance, compliance, and legal teams to stitch together a patchwork of solutions. This approach not only strains resources, but it’s also ineffective. Security outcomes are worse—audits are failed and brand reputations are damaged.

”A survey of US decision-makers showed that to meet their compliance and data-protection needs, almost 80 percent had purchased multiple products, and a majority had purchased three or more.” ⁴

Introducing Microsoft Purview 

To meet the challenges of today’s decentralized, data-rich workplace, we’re introducing Microsoft Purview—a comprehensive set of solutions that help you govern, protect, and manage your entire data estate. This new brand family combines the capabilities of the former Azure Purview and the Microsoft 365 Compliance portfolio that customers already rely on, providing unified data governance and risk management for your organization.

The new Microsoft Purview:

• Helps you gain visibility into assets across your entire data estate.
• Enables easy access to all your data, security, and risk solutions. 
• Helps safeguard and manage sensitive data across clouds, apps, and endpoints.
• Manages end-to-end data risks and regulatory compliance.
• Empowers your organization to govern, protect, and manage data in new, comprehensive ways. 

Microsoft Purview brings together data governance from Microsoft Data and AI, along with compliance and risk management from Microsoft Security. Microsoft Purview is also complemented by identity and access management, threat protection, cloud security, endpoint management, and privacy management capabilities—creating a truly comprehensive approach to security.

Microsoft Purview at a glance

Securing multicloud and multiplatform environments

Because organizations now operate across multiple clouds and on-premises platforms, we’ve expanded Microsoft Purview’s capabilities to include data protection for macOS users, as well as offering new data classifiers, protection for mobile devices, and data lifecycle management.

• To extend Microsoft Purview’s capabilities for macOS users, we’re excited to announce the general availability (GA) of Microsoft Purview Data Loss Prevention (DLP) for macOS endpoints. Now organizations can extend their endpoint DLP insights and controls to devices running macOS (Catalina or higher). In addition, the preview of restricted app groups for Windows endpoints allows organizations to scope different access restrictions to sensitive files between a set of sanctioned or unsanctioned applications. Learn about Microsoft Purview DLP for macOS endpoint.
• Before sensitive data can be safely shared, it first needs to be identified. To that end, we’re extending our sensitive information type catalog with more than 50 new classifiers. The new classifiers are available for DLP, Information Protection (auto-labeling), Data Lifecycle Management, Insider Risk Management, Records Management, eDiscovery, and Microsoft Priva. Explore the new data classifiers in Microsoft Purview.
• With remote users now regularly accessing files from multiple locations, devices, and apps, organizations shouldn’t have to compromise on security for productivity. To help address this, the preview of co-authoring of encrypted documents for mobile devices (iOS and Android) enables multiple users to work simultaneously on Microsoft 365 apps and documents with autosave, allowing for enhanced real-time collaboration and productivity. Learn about co-authoring of encrypted documents.
• Within any document file’s lifecycle, organizations need to be able to configure retention and deletion settings. To help simplify that process, we’re announcing the preview of multi-stage retention in Microsoft Purview Data Lifecycle Management (formerly Microsoft Information Governance), which automatically applies a new label when an item reaches the end of its retention period. Learn more about multi-stage retention from Microsoft Purview Data Lifecycle Management.

Protecting your business and employees in a hybrid work environment

Employees don’t gather around the water cooler anymore. They’re communicating across digital channels and personal and corporate devices. Microsoft Purview helps protect your organization’s data with Insider Risk Management, eDiscovery, Communication Compliance, and more.

• Many organizations have had to adapt to a changing workforce during the Great Reshuffle. Recent enhancements to the detection and investigation capabilities of Microsoft Purview Insider Risk Management help provide security teams with additional context and actionable insights to keep data secure, including expanded coverage with Microsoft Defender for Cloud Apps. Learn about Microsoft Purview Insider Risk Management.
• Sensitive data isn’t confined to business transactions. According to the 2022 Work Trend Index annual report from Microsoft, employees are communicating over a greater variety of digital channels. With so much internal chatter, robust data and document discovery are essential for organizations responding to both internal investigations and external inquiries. To help meet that need, we’re excited to announce additional capabilities for Microsoft Purview eDiscovery (Premium), which improve the identification of relevant data in Microsoft Teams and help manage legal holds with new reporting functionality. Learn about Microsoft Purview eDiscovery.
• To help organizations maintain a positive work culture and a strong commitment to user privacy, Microsoft Purview Communication Compliance helps detect code of conduct violations (including harassing or threatening language, adult content, and sharing sensitive information). We’re excited to announce new features, including expanded optical character recognition, machine learning model highlighting, reduced detection-to-investigation time, and step-by-step onboarding guidance. Protect your employees and business with Microsoft Purview Communications Compliance.
• To help organizations save time and manual efforts, we’re excited to announce the general availability of continuous compliance assessments in Microsoft Purview Compliance Manager. This feature allows customers to understand and act on over 150 recommendations across our suite of solutions—increasing customers’ ability to measure and manage their data handling from a single location. Learn more about continuous assessments in Microsoft Purview Compliance Manager.

Enhancing data governance across compliance and privacy imperatives

Microsoft Priva complements Microsoft Purview’s data governance and compliance portfolio. Acting as a separately available privacy management solution that proactively identifies and helps protect against privacy risks, Priva provides visibility into organizations’ privacy postures. This includes associated privacy risks arising from personal data transfers, overexposure, and hoarding. Priva’s policy-driven templates also help customers adhere to common privacy regulations and requirements.

At the same time, Priva provides the flexibility to customize policies for user groups, data locations, conditions, and notifications. As the foundation of enterprise privacy management, Priva automatically recommends risk-remediation actions and subject rights requests at scale—offering built-in review and redact capabilities and integration with business processes and APIs.

We protect data to protect people 

Regulations regarding data governance don’t exist in a vacuum. Their purpose is to help create a more ethical digital world. A strong solution is built around strong principles. It’s designed to protect customers’ data, keep employees’ workplaces safe, and protect the business. At Microsoft, we don’t do these things just because they’re required, we do them because they’re right.   

There’s no going back to the days of perimeter-based security. Enabling an effective Zero Trust approach requires the ability to govern, protect, and understand data coming from an ever-widening array of endpoints. Similarly, the number of tools we use for work will also grow. And with it, the challenge of having to protect data and manage risk across a multicloud and multiplatform environment. 

The unification of Microsoft’s data governance and compliance capabilities to Microsoft Purview reflects our belief that the world needs a simpler and more unified approach to data. We want to help you get the most out of your data while simultaneously managing risk and compliance. If you’re already a Microsoft 365 E5 or Microsoft 365 E5 Compliance customer, head over to the revamped Microsoft Purview compliance portal to check out some of these changes. If you’re an existing Azure Purview customer, visit the new Microsoft Purview governance portal. To learn more and get started, visit the Microsoft Purview website or start a free trial today.

Join other cybersecurity professionals at the Microsoft Security Summit digital event on May 12, 2022. Hear exciting product announcements and discover solutions you can use to lay the foundation for a safer and more innovative future. Register now.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

---

¹How Microsoft can help reduce insider risk during the Great Reshuffle, Alym Rayani, Microsoft Security. February 28, 2022.

²Shed light on your dark data before GDPR comes into force, CIO, April 2018.

³September 2021 survey of 512 US compliance decision-makers commissioned by Microsoft from Vital Findings.

⁴February 2022 survey of 200 US compliance decision-makers (n=100 599-999 employees, n=100 1000+ employees) commissioned by Microsoft with MDC Research.

The post The future of compliance and data governance is here: Introducing Microsoft Purview appeared first on Microsoft Security Blog.

Aware of the potential risks of sensitive data if not managed properly, you’ve undertaken a data discovery process to learn where it’s all stored. You’ve classified this sensitive data—confidential information like credit card numbers and home addresses collected from customers, prospects, partners, and employees—as either non-business, public, general, confidential, or highly confidential. You’ve assessed the risks to better protect it from exposure and the risk of theft or loss. Your next step is to govern your data. But what does that mean and how do you launch a data governance plan?

Data governance is the process of managing data as a strategic asset. This means setting controls around data, its content, structure, use, and quality. Microsoft considers data governance to be the foundational pillar of an enterprise data strategy. All the preceding steps—data discovery, data classification, and data protection—are necessary to build your plan. When done right, data governance makes it easier for companies to ascertain their data is consistent, trustworthy, and properly used.

To avoid those issues, ensure that you govern your data properly. Let’s explore three steps to take when building a data governance plan.

1. Set lifecycle controls on sensitive data

Numerous laws and regulations dictate how long you must retain data and in what circumstances you should delete data. Many privacy laws require that you keep personally identifiable information (PII), such as names, identification numbers, home addresses, and IP addresses, only for as long as it has met its original purpose.¹

Under GDPR Article 5(1)(c), the data minimization principle requires entities to process only “adequate, relevant and limited” personal data that is “necessary.”² GDPR also encourages you to pseudonymize and encrypt this personal information.

Your organization’s data governance plan should take these data retention requirements into account. Tracking which file is subject to a retention or deletion regulatory requirement manually would be extremely challenging if not impossible. A better approach is to implement ongoing controls to auto-expire personal data or set up automated reminders to review data periodically to assess whether it’s still in use or active. Another option is to have approvals in place before deleting documents to ensure you’re deleting verified personal data and not inadvertently hurting the business by deleting the wrong content.

2. Operationalize data governance

After setting lifecycle controls to manage your company’s sensitive data, it’s time to define strategy and figure out how to operationalize the management of your data governance program. Data governance isn’t a set-it-and-forget-it situation. You’ll need ongoing processes to protect and govern sensitive data.

However, a company’s approach to data retention and deletion will vary based on the laws of its country and corporate policies. You need to define how often you review, delete, and archive sensitive data. Your company’s Data Governance Officer or legal department can offer guidance on what’s required.

Automating these ongoing operations can ease the burden of management. One opportunity for automation is auto-labeling of secure documents at different confidentiality levels. If you don’t properly label data as sensitive, you’ll be unable to locate, identify, or successfully govern it. 

3. Manage role-based access

A major tenant of Zero Trust, a security model that assumes breach and verifies each request, is to allow people to access only the resources that they use to complete their work. Assigning role-based access control helps you protect resources by managing who has access to resources, what they can do with those resources, and what resources they can access.

Develop a detailed lifecycle for access that covers employees, guests, and vendors. Don’t delegate permission setting to an onboarding manager as they may over-permission or under-permission the role. Another risk with handling identity governance only at onboarding is that this doesn’t address changes in access necessary as employees change roles or leave the company.

Instead, leaders of every part of the organization should determine in advance what access each position needs to do their jobs—no more, no less. Then, your IT and security partner can create role-based access controls for each of these positions. Finally, the compliance team owns the monitoring and reporting to ensure these controls are implemented and followed.

When deciding what data people need to access, consider both what they’ll need to do with the data and what level of access they need to do their jobs. For example, a salesperson will need full access to the customer database, but may need only read access to the sales forecast, and may not need any access to the accounts payable app. It’s about ensuring that people have the right access to the right information at the right time.

Other questions to ask when building your plan include:

• How do you revoke access when someone no longer needs it due to a role change, offboarding, or another reason?
• Have you set up recurring and exception-based monitoring and reporting to check what people are doing with the access they have? 
• Could implementing a permissions management solution help reduce costs and workload to IT while increasing user productivity?

Organizations need to be able to prove to auditors and regulators that privacy policies are being followed and enforced within the company. Restricting network access based on the roles of individual users can assist with that.

Secure sensitive data with data governance

Data governance ensures that your data is discoverable, accurate, and trusted. Protect your sensitive data by launching a data governance plan that involves setting lifecycle controls of sensitive data, operationalizing data governance, and managing role-based access. As a follow-up to careful data discovery, data classification, and data protection, data governance can help you protect your sensitive data through its entire lifecycle according to industry regulations, which in turn will help you protect your employees, customers, prospects, and partners.

Read more about data governance and protecting sensitive data:

• Creating a modern data governance strategy to accelerate digital transformation
• Microsoft shares 4 challenges of protecting sensitive data and how to overcome them

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

---

¹GDPR personal data – what information does this cover?, GDPR.

²GDPR Article 5(1)(c), EUR-Lex. 2016.

The post 3 strategies to launch an effective data governance plan appeared first on Microsoft Security Blog.

Breaches of sensitive data are extremely costly for organizations when you tally data loss, stock price impact, and mandated fines from violations of General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), or other regulations. They also can diminish the trust of those who become the victims of identity theft, credit card fraud, or other malicious activities as a result of those breaches. In 2021, the number of data breaches climbed 68 percent to 1,862 (the highest in 17 years) with an average cost of USD4.24 million each.¹ About 45 million people were impacted by healthcare data breaches alone—triple the number impacted just three years earlier.²

Sensitive data is confidential information collected by organizations from customers, prospects, partners, and employees. Common types of sensitive data include credit card numbers, personally identifiable information (PII) like a home address and date of birth, Social Security Numbers (SSNs), corporate intellectual property (IP) like product schematics, protected health information (PHI), and medical record information that could be used to identify an individual.

Every level of an organization—from IT operations and red and blue teams to the board of directors— could be affected by a data breach. How do organizations identify sensitive data at scale and prevent accidental exposure of that data? Let’s look at four of the biggest challenges of sensitive data and strategies for protecting it.

1. Discovering where sensitive data lives

The data discovery process can surprise organizations—sometimes in unpleasant ways. Sensitive data can live in unexpected places within your organization. For instance, an employee may have stored a customer’s SSN in an unprotected Microsoft 365 site or third-party cloud without your knowledge. Of an estimated 294 million people hacked in 2021, about 164 million were at risk because of data exposure events—when sensitive data is left vulnerable online.³   

The only way to ensure that your sensitive data is stored properly is with a thorough data discovery process. Scans for data will pick up those surprise storage locations. However, it’s close to impossible to handle manually.

2. Classifying data to learn what’s most important

That leads right into data classification. Once the data is located, you must assign a value to it as a starting point for governance. The data classification process involves determining data’s sensitivity and business impact so you can knowledgeably assess the risks. This will make it easier to manage sensitive data in ways to protect it from theft or loss.

Microsoft uses the following classifications:

• Non-business: Data from your personal life that doesn’t belong to Microsoft.
• Public: Business data freely available and approved for public consumption.
• General: Business data not meant for a public audience.
• Confidential: Business data that can cause harm to Microsoft if overshared.
• Highly confidential: Business data that would cause extensive harm to Microsoft if overshared.

Identifying data at scale is a major challenge, as is enforcing a process so employees manually mark documents as sensitive. Leveraging security products that enable auto-labeling of sensitive data across an enterprise is one method, among several that help overcome these data challenges.

3. Protecting important data

After classifying data as confidential or highly confidential, you must protect it against exposure to nefarious actors. Ultimately, the responsibility of preventing accidental data exposure falls on the Chief Information Security Officer (CISO) and Chief Data Officer. They are accountable for protecting information and sharing data via processes and workflows that enable protection, while also not hindering workplace productivity.

Data leakage protection is a fast-emerging need in the industry. The Allianz Risk Barometer is an annual report that identifies the top risks for companies over the next 12 months. For the 2022 report, Allianz gathered insights from 2,650 risk management experts from 89 countries and territories. Cyber incidents topped the barometer for only the second time in the survey’s history. At 44 percent, cyber incidents ranked higher than business interruptions at 42 percent, natural catastrophes at 25 percent, and pandemic outbreaks at 22 percent.⁴

4. Governing data to reduce unnecessary data risks

Data governance ensures that your data is discoverable, accurate, trusted, and can be protected. Successfully managing the lifecycle of data requires that you keep data for the right amount of time. You don’t want to store data longer than necessary because that increases the amount of data that could be exposed in a breach. And you don’t want to delete data too quickly and put your organization at risk of regulatory violations. Sometimes, organizations collect personal data to provide better services or other business value. For instance, you may collect personal data from customers who want to learn more about your services. To abide by the data minimization principle, once the data is no longer serving its purpose, it must be deleted.

How to approach sensitive data

The fallout from not addressing these challenges can be serious. Organizations can face big financial or legal consequences from violating laws or requirements. A couple of well-known brands, for instance, were fined hundreds of millions of euros in 2021. One of these fines was related to violating the GDPR’s personal data processing requirements. Another was because of insufficient detail to consumers in a privacy policy about data processing practices. The data protection authorities have issued a total of $1.25 billion in fines over breaches of the GDPR since January 28, 2021.⁵

Considering the potentially costly consequences, how do you protect sensitive data? As mentioned earlier, data discovery requires locating all the places where your sensitive data is stored. This is much easier with support for sensitive data types that can identify data using built-in or custom regular expressions or functions. Since sensitive data is everywhere, we recommend looking for a multicloud, multi-platform solution that enables you to leverage automation.

For data classification, we advise enforcing a plan through technology rather than relying on users. After all, people are busy, can overlook things, or make errors. Also, organizations can have thousands of sensitive documents, making manual identification and classification of data untenable because the process would be too slow and inaccurate. Look for data classification technology solutions that allow auto-labeling, auto-classification, and enforcement of classification across an organization. Trainable classifiers identify sensitive data using data examples.

Some solution providers divorce productivity and compliance and try to merely bolt-on data protection. Instead, we recommend an approach that integrates data protection into your existing processes to protect sensitive data. When considering plan protections, ask: Who can access the data? Where should the data live and where shouldn’t it live? How can the data be used?

Microsoft solutions offer audit capability where data can be watched and monitored but doesn’t have to be blocked. It can be overridden too so it doesn’t get in the way of the business. Also, consider standing access (identity governance) versus protecting files. Data leakage protection tools can protect sensitive documents, which is important because laws and regulations make companies accountable. 

Explore data protection strategies

Security breaches are very costly. Data discovery, data classification, and data protection strategies can help you find and better protect your company’s sensitive data. Learn more about how to protect sensitive data.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

---

¹Cost of a Data Breach Report 2021, Ponemon Institute, IBM. 2021.

²Cyberattacks Against Health Plans, Business Associates Increase, Jill McKeon, HealthITSecurity xtelligent Healthcare Media. January 31, 2022.

³Despite Decades of Hacking Attacks, Companies Leave Vast Amounts of Sensitive Data Unprotected, Cezary Podkul, ProPublica. January 25, 2022.

⁴Allianz Risk Barometer 2022: Cyber perils outrank Covid-19 and broken supply chains as top global business risk, Allianz Risk Barometer. January 18, 2022.

⁶Fines for breaches of EU privacy law spike sevenfold to $1.2 billion, as Big Tech bears the brunt, Ryan Browne, CNBC. January 17, 2022.

The post Microsoft shares 4 challenges of protecting sensitive data and how to overcome them appeared first on Microsoft Security Blog.