Archive

Archive for the ‘Compliance’ Category

How Microsoft Purview and Priva help simplify data protection

October 18th, 2022 No comments

At Microsoft Security, we understand how challenging it is to protect your most important asset, your data, in today’s threat landscape. You’re faced with evolving challenges—from empowering employees for greater productivity to eliminating gaps in your infrastructure—all while trying to protect your data across a hybrid work environment. And in the current economic climate, getting maximum value from your existing security investments is paramount. That’s why, in the past year, we’ve further enhanced our data protection and data governance products to better fit your needs. The results include two integrated and powerful solutions: Microsoft Purview and Microsoft Priva.

At this year’s Microsoft Ignite event, I co-hosted a special presentation on how your security and compliance teams can better manage risk, govern your data (wherever it resides), and maintain compliance. We also shared new product updates and insights to help your team get the most from your Microsoft security investments, as well as announced an exciting new capability that integrates Microsoft Purview natively within Adobe Acrobat. This type of extensible, multicloud, and multiplatform protection allows you to get more from the tools you already have. In this blog post, we’ll look at some of those scenarios where Microsoft Purview and Priva can help simplify data governance across your enterprise today.

New Adobe and Microsoft Purview integration delivers seamless security

Microsoft Purview’s mission is to help customers protect their entire data estate: that includes non-Microsoft environments as well. At this year’s Ignite presentation, we demonstrated a new capability that integrates Microsoft Purview Information Protection natively within the desktop version of Adobe Acrobat—accessible directly from the Protect tool. That means users now have the ability to apply and edit information-protection labels and policies directly to PDF documents. This integration brings the same classification, labeling, and protection already available in Microsoft Office file formats to PDF.

Over the next few months, we’ll continue to add new features that enhance support for PDFs in Acrobat add-ins, as well as for Acrobat Export PDF and mobile versions.

Streamlining data protection

Data is the lifeblood of your organization. It provides crucial insights that give your business a competitive advantage and empowers your employees to do more. For that reason, it’s critical to protect your data at every stage—from creation to storage—both from external threats and internal risks. That requires creating a layered defense strategy.

The first layer of defense: Discover and understand the sensitive data within your organization. You need to know where your data is, who’s accessing it, how it’s being shared and stored, and where it’s traveling. Considering that data storage is forecast to increase at a compound annual growth rate of 19.2 percent from 2020 to 2025, gaining complete visibility over your data estate is crucial.1 At this first line of defense, Microsoft Purview Information Protection helps you classify and label your data across your entire data estate, both on-premises and in multicloud environments. By providing a single pane of glass to track and manage your data, Microsoft Purview helps to improve your team’s efficiency while tightening data protection.

Recent updates for Microsoft Purview Information Protection:

  • Improvements in built-in features for Office that enhance visibility and encourage user adoption of sensitivity labels (such as the sensitivity label bar in Microsoft Word, Excel, PowerPoint, and Outlook; also, PDFs created in Office now inherit the source file’s sensitivity, encryption, and content marks).
  • General availability: Co-authoring on documents protected with Microsoft Purview Information Protection is now generally available for Word, Excel, PowerPoint, and Office Mobile applications on Android and iOS devices.
  • Preview: 42 new credentials for sensitive information that enable organizations to detect a wide range of digital authentication types (also known as “secrets”), such as user credentials, default passwords, and API and token access keys for Microsoft Azure, Amazon Web Services (AWS), and Google cloud resources.
  • Preview: Server-side auto-labeling support for more than 24 new pre-trained, out-of-the-box classifiers that can be used to quickly discover and auto-classify more than 100 types of sensitive content in categories such as intellectual property (IP) and trade secrets, healthcare, operations, financial information, and HR-related information.

Lowering insider risk

Data breaches arising from insider actions are estimated to cost businesses an average of USD7.5 million annually. For that reason, it’s important to understand all data access and usage patterns within your organization. What does normal activity look like? Which types of activity should be flagged as risky? Understanding internal data usage can help protect against compliance violations and worse, including IP theft, insider trading, confidentiality violations, and other damaging outcomes.

The second layer of defense: Manage data security risks within your organization. Working in tandem with a holistic approach to managing internal risk, Microsoft Purview Insider Risk Management identifies potential risks and enables security teams to quickly take action. By bringing together the right people, processes, training, and tools, organizations that approach insider risk holistically are more likely to emphasize user privacy, foster collaboration, and use positive deterrents such as training and feedback loops as part of their data-protection strategy. The one-click analytics report allows you to generate aggregated, de-identified insights on risky activity over the past 48 hours—before you’ve even set up your first policy. Insights include the percentage of users who have performed exfiltration activities, such as downloading sensitive data, with an additional breakdown by activity type. To learn more about potential risks within your own organization, view the new Microsoft insider risk report.

All names in insider risk alerts are pseudonymized by default. This helps your data security team take a privacy-first approach. By clicking on a specific alert, you’ll be able to see a summary of all of the risk factors. Sequencing allows you to correlate across activities that involve the same files. This correlation can help your security team understand the possible intent behind the activities so you can reduce time to action. For example, you might see that just before a user submitted their resignation, they downloaded and exfiltrated confidential files, then deleted the files from their device to cover their tracks. Understanding this sequence of activities helps your security team decide when and how to take action.

Using sequences as triggers for your policies improves the signal quality of your alerts and focuses policy detection on users who have performed multiple-stage sequences. Priority Content Only Scoring, configurable in the policy wizard, empowers your team to focus policy detection on the most sensitive content. All of these insights help you better understand potential risks, so you can set up policies that meet the unique needs of your organization. With this information, analysts in your organization can take appropriate actions to help make sure users remain in compliance.

Recent updates for Microsoft Purview Insider Risk Management:

  • Preview: Enhancements to triage and detection capabilities, including new abilities to customize a security trigger in the “data leaks” policy to surface when a user performs a sequence, to create policies with sequences without any other required underlying policy indicator selections, and fine-tune security policies directly from the alert review experience.
  • Preview: Information type and trainable classifier exclusions, which means that actions related to file activities on the endpoint, SharePoint, Microsoft Teams, OneDrive, or Exchange will not generate alerts if the excluded sensitive information type or trainable classifier is matched with the content of the activity performed by the user.
  • Preview: Ability to prioritize alerts for potential high-impact users with new risk booster score capabilities. Alerts for users found to have a potentially higher impact will have a higher priority alert in the dashboard, based on the frequency of accessing higher sensitivity content, like sensitive information types, labels, or priority content, compared with others in the organization, and if they are a leader in the organization based on Microsoft Azure Active Directory (Azure AD) configurations.

Protecting against data loss

The third layer of defense: Incorporate an integrated, in-depth approach to prevent data loss or unauthorized use. Among business leaders who responded to a 2021 survey, 62 percent felt that their companies should do more to protect customer data.2 Microsoft Purview Data Loss Prevention (DLP) provides a balance between protection and productivity, ensuring the proper access controls are in place and policies are set to prevent actions such as improperly saving, storing, or printing sensitive data.  

Recent updates for Microsoft Purview Data Loss Prevention:

  • Preview: Ability to create groups of printers, removable storage, network share path, and sensitive sites, as well as assign different restrictive actions to each group. As an example, you will be able to block the printing of sensitive information on all printer groups and allow printing on your corporate printers.  
  • Preview: Ability to configure complex policy rules using “AND/OR/NOT” associations and create nested groups. 
  • Preview: Visibility into contextual evidence, including sensitive content, surrounding characters, and other metadata on a DLP policy match on endpoint devices.
  • Preview: Improvements in the speed of detecting and classifying sensitive content shared on Teams chat and channel messages to enforce DLP policies. 
  • General availability: Ability to detect the presence of password-protected files on endpoint devices and configure specific restrictions for these files. 

These three components—Information Protection, Insider Risk Management, and Data Loss Prevention—form an integrated, holistic data-protection strategy that helps keep your organization’s data safe, wherever it lives.

Automating privacy

As more countries enact modern General Data Protection Regulation (GDPR) type regulations, consumers are demanding better controls over their data. This has spurred more organizations to move from a compliance-driven approach to privacy toward a more human-centric one. Toward that goal, Microsoft Priva currently offers two products to help manage privacy:

Privacy Risk Management helps organizations identify personal data and critical privacy risks and empowers employees to make smart data-handling decisions. With Priva, admins can configure a data minimization policy—automatically triggering an email to the data owner—so the person can review and delete unused files right from their Outlook inbox.

Subject Rights Requests help organizations manage requests at scale and respond with confidence. With the new pre-configured templates, admins can quickly create a data export request for a former employee. Once the data is collected, Priva can automatically detect files containing co-mingled personal data or confidential information; then admins can review and redact the data to avoid leakage. With the latest update, admins can now import files outside of Microsoft 365 to leverage this powerful review experience. Learn more about these new updates in this Priva Tech Community post.

Additional product updates

We’re also adding new features and capabilities within other product areas in our Microsoft Purview portfolio. These new features and enhancements will benefit your organization through granular eDiscovery, comprehensive audit controls, more effective data lifecycle management, and easier compliance.

Enhanced eDiscovery for the cloud

  • Helping organizations meet their regulatory obligations for discovery, Microsoft Purview eDiscovery (Premium) now supports the ability to discover the exact version of a needed document, even when originally shared as a cloud attachment. This feature is currently available in preview.
  • Drive efficiency across eDiscovery processes with improved usability and workflows. To learn more, read the eDiscovery blog post.

New search experience and security controls for Microsoft Purview Audit

  • Improved search experience for Microsoft Purview Audit is now generally available and provides the following key improvements:
    • Search jobs continue to run, even if you close the browser.
    • Completed search jobs are now stored for 30 days, giving organizations the ability to reference and re-use historical audit searches.
    • Export up to half a million records in each search.
    • Each Purview Audit user can perform up to 10 concurrent search jobs at the same time.
  • Given the sensitivity of Audit log data, many organizations want to add additional layers of protection to their data. Customer Key, coming soon to preview, allows organizations to use their own data encryption keys, giving them complete control over access to their data. To learn more, read the Advanced Audit blog post.

Microsoft Graph APIs and Power Automate workflows for Data Lifecycle Management

Microsoft Purview Data Lifecycle Management helps organizations manage the lifecycle of data. You can automatically retain, delete, and store data and records in a compliant manner. This solution delivers on our vision to protect and govern data wherever it lives. We have four exciting releases to tell you about:

  • Power Automate integration helps you to customize lifecycle management workflows to meet your organization’s unique requirements. Now in preview. To learn more, read the Data Lifecycle Management blog.
  • The ability to apply retention labels to files in Microsoft Teams enables users to apply retention and deletion settings where they do their work—in the Files tab of a Teams channel. Now generally available.
  • Our new feature to find and retain cloud attachments helps admins undertaking investigations, as well as helping to meet financial services industry regulations. This feature keeps and associates the version of a file shared in a Teams message or email for later retrieval through eDiscovery (Premium). Now in preview.
  • Microsoft Graph APIs for Records Management help organizations create new retention labels and manage event-based retention (now in beta). This release is our first round of APIs, with more coming in 2023.

Enhanced compliance and data residency

Microsoft Purview Compliance Manager helps organizations simplify compliance and reduce risk. It translates complex regulatory requirements into specific controls, allowing organizations to constantly assess, monitor, and improve their compliance posture—all while saving time and money. So, what’s new in Compliance Manager?

  • New templates: Easily translate more than 350 regulations into tangible actions for your organization to improve its compliance posture.
  • Continuous assessments: Last year we announced the ability to eliminate blind spots by adding continuous testing for technical controls. Today, we’re excited to share that we’ve added Microsoft Priva and App Governance as our newest first-party solutions.

More to come

I’d be remiss to not talk to you about some of the exciting capabilities we have coming up. For Microsoft Purview, you will start to see integrations across Microsoft 365 and Microsoft Azure to help increase the visibility of your data and easily automate data classification. For Microsoft Priva, you’ll soon see more multicloud privacy management capabilities that help you automate privacy controls and strengthen your privacy program. To learn more about potential risks within your own organization, read the new Microsoft insider risk report. Also, be sure to read Microsoft Security Corporate Vice President of Compliance, Identity, and Management Vasu Jakkal’s blog with highlights from her keynote address and insights into her vision for the Microsoft Security family of products and beyond.

Learn more

Learn more about Microsoft Purview and Microsoft Priva.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.


1Volume of data/information created, captured, copied, and consumed worldwide from 2010 to 2020, with forecasts from 2021 to 2025, Statista. September 8, 2022.

2Data privacy is a growing concern for more consumers, Lance Whitney. August 17, 2021.

The post How Microsoft Purview and Priva help simplify data protection appeared first on Microsoft Security Blog.

How Microsoft Purview and Priva help simplify data protection

October 18th, 2022 No comments

At Microsoft Security, we understand how challenging it is to protect your most important asset, your data, in today’s threat landscape. You’re faced with evolving challenges—from empowering employees for greater productivity to eliminating gaps in your infrastructure—all while trying to protect your data across a hybrid work environment. And in the current economic climate, getting maximum value from your existing security investments is paramount. That’s why, in the past year, we’ve further enhanced our data protection and data governance products to better fit your needs. The results include two integrated and powerful solutions: Microsoft Purview and Microsoft Priva.

At this year’s Microsoft Ignite event, I co-hosted a special presentation on how your security and compliance teams can better manage risk, govern your data (wherever it resides), and maintain compliance. We also shared new product updates and insights to help your team get the most from your Microsoft security investments, as well as announced an exciting new capability that integrates Microsoft Purview natively within Adobe Acrobat. This type of extensible, multicloud, and multiplatform protection allows you to get more from the tools you already have. In this blog post, we’ll look at some of those scenarios where Microsoft Purview and Priva can help simplify data governance across your enterprise today.

New Adobe and Microsoft Purview integration delivers seamless security

Microsoft Purview’s mission is to help customers protect their entire data estate: that includes non-Microsoft environments as well. At this year’s Ignite presentation, we demonstrated a new capability that integrates Microsoft Purview Information Protection natively within the desktop version of Adobe Acrobat—accessible directly from the Protect tool. That means users now have the ability to apply and edit information-protection labels and policies directly to PDF documents. This integration brings the same classification, labeling, and protection already available in Microsoft Office file formats to PDF.

Over the next few months, we’ll continue to add new features that enhance support for PDFs in Acrobat add-ins, as well as for Acrobat Export PDF and mobile versions.

Streamlining data protection

Data is the lifeblood of your organization. It provides crucial insights that give your business a competitive advantage and empowers your employees to do more. For that reason, it’s critical to protect your data at every stage—from creation to storage—both from external threats and internal risks. That requires creating a layered defense strategy.

The first layer of defense: Discover and understand the sensitive data within your organization. You need to know where your data is, who’s accessing it, how it’s being shared and stored, and where it’s traveling. Considering that data storage is forecast to increase at a compound annual growth rate of 19.2 percent from 2020 to 2025, gaining complete visibility over your data estate is crucial.1 At this first line of defense, Microsoft Purview Information Protection helps you classify and label your data across your entire data estate, both on-premises and in multicloud environments. By providing a single pane of glass to track and manage your data, Microsoft Purview helps to improve your team’s efficiency while tightening data protection.

Recent updates for Microsoft Purview Information Protection:

  • Improvements in built-in features for Office that enhance visibility and encourage user adoption of sensitivity labels (such as the sensitivity label bar in Microsoft Word, Excel, PowerPoint, and Outlook; also, PDFs created in Office now inherit the source file’s sensitivity, encryption, and content marks).
  • General availability: Co-authoring on documents protected with Microsoft Purview Information Protection is now generally available for Word, Excel, PowerPoint, and Office Mobile applications on Android and iOS devices.
  • Preview: 42 new credentials for sensitive information that enable organizations to detect a wide range of digital authentication types (also known as “secrets”), such as user credentials, default passwords, and API and token access keys for Microsoft Azure, Amazon Web Services (AWS), and Google cloud resources.
  • Preview: Server-side auto-labeling support for more than 24 new pre-trained, out-of-the-box classifiers that can be used to quickly discover and auto-classify more than 100 types of sensitive content in categories such as intellectual property (IP) and trade secrets, healthcare, operations, financial information, and HR-related information.

Lowering insider risk

Data breaches arising from insider actions are estimated to cost businesses an average of USD7.5 million annually. For that reason, it’s important to understand all data access and usage patterns within your organization. What does normal activity look like? Which types of activity should be flagged as risky? Understanding internal data usage can help protect against compliance violations and worse, including IP theft, insider trading, confidentiality violations, and other damaging outcomes.

The second layer of defense: Manage data security risks within your organization. Working in tandem with a holistic approach to managing internal risk, Microsoft Purview Insider Risk Management identifies potential risks and enables security teams to quickly take action. By bringing together the right people, processes, training, and tools, organizations that approach insider risk holistically are more likely to emphasize user privacy, foster collaboration, and use positive deterrents such as training and feedback loops as part of their data-protection strategy. The one-click analytics report allows you to generate aggregated, de-identified insights on risky activity over the past 48 hours—before you’ve even set up your first policy. Insights include the percentage of users who have performed exfiltration activities, such as downloading sensitive data, with an additional breakdown by activity type. To learn more about potential risks within your own organization, view the new Microsoft insider risk report.

All names in insider risk alerts are pseudonymized by default. This helps your data security team take a privacy-first approach. By clicking on a specific alert, you’ll be able to see a summary of all of the risk factors. Sequencing allows you to correlate across activities that involve the same files. This correlation can help your security team understand the possible intent behind the activities so you can reduce time to action. For example, you might see that just before a user submitted their resignation, they downloaded and exfiltrated confidential files, then deleted the files from their device to cover their tracks. Understanding this sequence of activities helps your security team decide when and how to take action.

Using sequences as triggers for your policies improves the signal quality of your alerts and focuses policy detection on users who have performed multiple-stage sequences. Priority Content Only Scoring, configurable in the policy wizard, empowers your team to focus policy detection on the most sensitive content. All of these insights help you better understand potential risks, so you can set up policies that meet the unique needs of your organization. With this information, analysts in your organization can take appropriate actions to help make sure users remain in compliance.

Recent updates for Microsoft Purview Insider Risk Management:

  • Preview: Enhancements to triage and detection capabilities, including new abilities to customize a security trigger in the “data leaks” policy to surface when a user performs a sequence, to create policies with sequences without any other required underlying policy indicator selections, and fine-tune security policies directly from the alert review experience.
  • Preview: Information type and trainable classifier exclusions, which means that actions related to file activities on the endpoint, SharePoint, Microsoft Teams, OneDrive, or Exchange will not generate alerts if the excluded sensitive information type or trainable classifier is matched with the content of the activity performed by the user.
  • Preview: Ability to prioritize alerts for potential high-impact users with new risk booster score capabilities. Alerts for users found to have a potentially higher impact will have a higher priority alert in the dashboard, based on the frequency of accessing higher sensitivity content, like sensitive information types, labels, or priority content, compared with others in the organization, and if they are a leader in the organization based on Microsoft Azure Active Directory (Azure AD) configurations.

Protecting against data loss

The third layer of defense: Incorporate an integrated, in-depth approach to prevent data loss or unauthorized use. Among business leaders who responded to a 2021 survey, 62 percent felt that their companies should do more to protect customer data.2 Microsoft Purview Data Loss Prevention (DLP) provides a balance between protection and productivity, ensuring the proper access controls are in place and policies are set to prevent actions such as improperly saving, storing, or printing sensitive data.  

Recent updates for Microsoft Purview Data Loss Prevention:

  • Preview: Ability to create groups of printers, removable storage, network share path, and sensitive sites, as well as assign different restrictive actions to each group. As an example, you will be able to block the printing of sensitive information on all printer groups and allow printing on your corporate printers.  
  • Preview: Ability to configure complex policy rules using “AND/OR/NOT” associations and create nested groups. 
  • Preview: Visibility into contextual evidence, including sensitive content, surrounding characters, and other metadata on a DLP policy match on endpoint devices.
  • Preview: Improvements in the speed of detecting and classifying sensitive content shared on Teams chat and channel messages to enforce DLP policies. 
  • General availability: Ability to detect the presence of password-protected files on endpoint devices and configure specific restrictions for these files. 

These three components—Information Protection, Insider Risk Management, and Data Loss Prevention—form an integrated, holistic data-protection strategy that helps keep your organization’s data safe, wherever it lives.

Automating privacy

As more countries enact modern General Data Protection Regulation (GDPR) type regulations, consumers are demanding better controls over their data. This has spurred more organizations to move from a compliance-driven approach to privacy toward a more human-centric one. Toward that goal, Microsoft Priva currently offers two products to help manage privacy:

Privacy Risk Management helps organizations identify personal data and critical privacy risks and empowers employees to make smart data-handling decisions. With Priva, admins can configure a data minimization policy—automatically triggering an email to the data owner—so the person can review and delete unused files right from their Outlook inbox.

Subject Rights Requests help organizations manage requests at scale and respond with confidence. With the new pre-configured templates, admins can quickly create a data export request for a former employee. Once the data is collected, Priva can automatically detect files containing co-mingled personal data or confidential information; then admins can review and redact the data to avoid leakage. With the latest update, admins can now import files outside of Microsoft 365 to leverage this powerful review experience. Learn more about these new updates in this Priva Tech Community post.

Additional product updates

We’re also adding new features and capabilities within other product areas in our Microsoft Purview portfolio. These new features and enhancements will benefit your organization through granular eDiscovery, comprehensive audit controls, more effective data lifecycle management, and easier compliance.

Enhanced eDiscovery for the cloud

  • Helping organizations meet their regulatory obligations for discovery, Microsoft Purview eDiscovery (Premium) now supports the ability to discover the exact version of a needed document, even when originally shared as a cloud attachment. This feature is currently available in preview.
  • Drive efficiency across eDiscovery processes with improved usability and workflows. To learn more, read the eDiscovery blog post.

New search experience and security controls for Microsoft Purview Audit

  • Improved search experience for Microsoft Purview Audit is now generally available and provides the following key improvements:
    • Search jobs continue to run, even if you close the browser.
    • Completed search jobs are now stored for 30 days, giving organizations the ability to reference and re-use historical audit searches.
    • Export up to half a million records in each search.
    • Each Purview Audit user can perform up to 10 concurrent search jobs at the same time.
  • Given the sensitivity of Audit log data, many organizations want to add additional layers of protection to their data. Customer Key, coming soon to preview, allows organizations to use their own data encryption keys, giving them complete control over access to their data. To learn more, read the Advanced Audit blog post.

Microsoft Graph APIs and Power Automate workflows for Data Lifecycle Management

Microsoft Purview Data Lifecycle Management helps organizations manage the lifecycle of data. You can automatically retain, delete, and store data and records in a compliant manner. This solution delivers on our vision to protect and govern data wherever it lives. We have four exciting releases to tell you about:

  • Power Automate integration helps you to customize lifecycle management workflows to meet your organization’s unique requirements. Now in preview. To learn more, read the Data Lifecycle Management blog.
  • The ability to apply retention labels to files in Microsoft Teams enables users to apply retention and deletion settings where they do their work—in the Files tab of a Teams channel. Now generally available.
  • Our new feature to find and retain cloud attachments helps admins undertaking investigations, as well as helping to meet financial services industry regulations. This feature keeps and associates the version of a file shared in a Teams message or email for later retrieval through eDiscovery (Premium). Now in preview.
  • Microsoft Graph APIs for Records Management help organizations create new retention labels and manage event-based retention (now in beta). This release is our first round of APIs, with more coming in 2023.

Enhanced compliance and data residency

Microsoft Purview Compliance Manager helps organizations simplify compliance and reduce risk. It translates complex regulatory requirements into specific controls, allowing organizations to constantly assess, monitor, and improve their compliance posture—all while saving time and money. So, what’s new in Compliance Manager?

  • New templates: Easily translate more than 350 regulations into tangible actions for your organization to improve its compliance posture.
  • Continuous assessments: Last year we announced the ability to eliminate blind spots by adding continuous testing for technical controls. Today, we’re excited to share that we’ve added Microsoft Priva and App Governance as our newest first-party solutions.

More to come

I’d be remiss to not talk to you about some of the exciting capabilities we have coming up. For Microsoft Purview, you will start to see integrations across Microsoft 365 and Microsoft Azure to help increase the visibility of your data and easily automate data classification. For Microsoft Priva, you’ll soon see more multicloud privacy management capabilities that help you automate privacy controls and strengthen your privacy program. To learn more about potential risks within your own organization, read the new Microsoft insider risk report. Also, be sure to read Microsoft Security Corporate Vice President of Compliance, Identity, and Management Vasu Jakkal’s blog with highlights from her keynote address and insights into her vision for the Microsoft Security family of products and beyond.

Learn more

Learn more about Microsoft Purview and Microsoft Priva.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.


1Volume of data/information created, captured, copied, and consumed worldwide from 2010 to 2020, with forecasts from 2021 to 2025, Statista. September 8, 2022.

2Data privacy is a growing concern for more consumers, Lance Whitney. August 17, 2021.

The post How Microsoft Purview and Priva help simplify data protection appeared first on Microsoft Security Blog.

Microsoft publishes new report on holistic insider risk management

October 6th, 2022 No comments

The risk landscape for organizations has changed significantly in the past few years. The amount of data captured, copied, and consumed is expected to grow to more than 180 zettabytes through 2025.1  Traditional ways of identifying and mitigating risks don’t always work. Historically, organizations have focused on external threats; however, risks from within the organization can be just as prevalent and harmful. These internal risks include unprotected and ungoverned data, accidental or intentional data oversharing, as well as the risks for failing to meet ever-changing regulations. Not to mention, with more than 300 million people working remotely, data is being created, accessed, shared, and stored outside of the traditional borders of business.

Core to a security team’s mission is protecting the company’s assets, especially its data. Strong data protection requires securing the most sensitive or critical data, preventing that data from leaving the organization, and managing potential risks inside and outside of your environment.

And managing internal risks can be challenging because it requires analyzing millions of daily signals to detect potentially risky user actions that may lead to a data security incident. For example, what confidential files are your users sharing or accessing? Are users sharing sensitive files externally? Are they downloading files to unapproved devices or uploading them to unapproved locations? All the while, you must balance security controls and productivity, and ensure user privacy is built into your program.

To be effective in addressing insider risks, it’s critical that organizations start thinking about how and why they should be implementing a holistic data protection strategy across their entire organization that encompasses people, processes, training, and tools. At Microsoft, we transitioned from a fragmented insider risk management approach to one in which we addressed it holistically by taking a more comprehensive approach, getting more buy-in from organizational leadership, and making sure user privacy is built in from the get-go.

Following our own transition, Microsoft wanted to better understand how organizations are approaching insider risk management, specifically how some of these security and compliance teams were thinking about insider risk management holistically. Today we’re publishing our first Microsoft report specifically addressing insider risk, “Building a Holistic Insider Risk Management program.”

This Microsoft-commissioned report lays out several new insights about how organizations go from a fragmented approach to insider risk management to a holistic one, addressing potential risks from multiple lenses as part of a greater data protection strategy, with cross-leadership buy-in. For example, we found that more than 90 percent of holistic organizations believe privacy controls should be used in the early stages of investigations. Holistic organizations also get more buy-in on their risk programs from other departments, like legal, HR, or compliance teams, which is critical to building a culture of security. Furthermore, they put a greater emphasis on training with 92 percent agreeing that “training and education are vital to proactively address and reduce insider risks,” compared with 50 percent of fragmented organizations.

The report also shares best practices for organizations who endeavor to approach insider risk management more holistically and build a program that fosters trust, empowers users, and makes privacy a priority.

You can read the full report here.

Learn more

Learn more about Microsoft Purview.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.


1Volume of data/information created, captured, copied, and consumed worldwide from 2010 to 2020, with forecasts from 2021 to 2025, Statista. September 8, 2022.

The post Microsoft publishes new report on holistic insider risk management appeared first on Microsoft Security Blog.

Microsoft publishes new report on holistic insider risk management

October 6th, 2022 No comments

The risk landscape for organizations has changed significantly in the past few years. The amount of data captured, copied, and consumed is expected to grow to more than 180 zettabytes through 2025.1  Traditional ways of identifying and mitigating risks don’t always work. Historically, organizations have focused on external threats; however, risks from within the organization can be just as prevalent and harmful. These internal risks include unprotected and ungoverned data, accidental or intentional data oversharing, as well as the risks for failing to meet ever-changing regulations. Not to mention, with more than 300 million people working remotely, data is being created, accessed, shared, and stored outside of the traditional borders of business.

Core to a security team’s mission is protecting the company’s assets, especially its data. Strong data protection requires securing the most sensitive or critical data, preventing that data from leaving the organization, and managing potential risks inside and outside of your environment.

And managing internal risks can be challenging because it requires analyzing millions of daily signals to detect potentially risky user actions that may lead to a data security incident. For example, what confidential files are your users sharing or accessing? Are users sharing sensitive files externally? Are they downloading files to unapproved devices or uploading them to unapproved locations? All the while, you must balance security controls and productivity, and ensure user privacy is built into your program.

To be effective in addressing insider risks, it’s critical that organizations start thinking about how and why they should be implementing a holistic data protection strategy across their entire organization that encompasses people, processes, training, and tools. At Microsoft, we transitioned from a fragmented insider risk management approach to one in which we addressed it holistically by taking a more comprehensive approach, getting more buy-in from organizational leadership, and making sure user privacy is built in from the get-go.

Following our own transition, Microsoft wanted to better understand how organizations are approaching insider risk management, specifically how some of these security and compliance teams were thinking about insider risk management holistically. Today we’re publishing our first Microsoft report specifically addressing insider risk, “Building a Holistic Insider Risk Management program.”

This Microsoft-commissioned report lays out several new insights about how organizations go from a fragmented approach to insider risk management to a holistic one, addressing potential risks from multiple lenses as part of a greater data protection strategy, with cross-leadership buy-in. For example, we found that more than 90 percent of holistic organizations believe privacy controls should be used in the early stages of investigations. Holistic organizations also get more buy-in on their risk programs from other departments, like legal, HR, or compliance teams, which is critical to building a culture of security. Furthermore, they put a greater emphasis on training with 92 percent agreeing that “training and education are vital to proactively address and reduce insider risks,” compared with 50 percent of fragmented organizations.

The report also shares best practices for organizations who endeavor to approach insider risk management more holistically and build a program that fosters trust, empowers users, and makes privacy a priority.

You can read the full report here.

Learn more

Learn more about Microsoft Purview.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.


1Volume of data/information created, captured, copied, and consumed worldwide from 2010 to 2020, with forecasts from 2021 to 2025, Statista. September 8, 2022.

The post Microsoft publishes new report on holistic insider risk management appeared first on Microsoft Security Blog.

Data governance: 5 tips for holistic data protection

August 24th, 2022 No comments

Your data is a strategic asset. To benefit your business, data requires strict controls around structure, access, and lifecycle. However, most security leaders have doubts about data security—nearly 70 percent of chief information security officers (CISOs) expect to have their data compromised in a ransomware attack.1 Part of the problem lies in traditional data-management solutions, which tend to be overly complex with multiple unconnected, duplicative processes augmented with point-wise integrations. This patchwork approach can expose infrastructure gaps that attackers will exploit.

In contrast, proactive data governance offers a holistic approach that conserves resources and simplifies the protection of your data assets. This integrated approach to data governance is a vital component of Zero Trust security and spans the complete lifecycle of your data. It also reduces the cost incurred by a data breach, both by shrinking the blast radius and preventing an attacker from moving laterally within your network. Microsoft Purview provides a comprehensive data governance solution designed to help manage your on-premises, multicloud, and software as a service (SaaS) data. To help you get more from your data, we’ve put together five guideposts.

1. Create a data map of all your data assets

Before you can protect your data, you’ll need to know where it’s stored and who has access. That means creating comprehensive descriptions of all data assets across your entire digital estate, including data classifications, how it’s accessed, and who owns it. Ideally, you should have a fully managed data scanning and classification service that handles automated data discovery, sensitive data classification, and mapping an end-to-end data lineage for every asset. You’ll also want to make data easily discoverable by labeling it with familiar business and technical search terms.

Storage is a vital component of any data map and should include technical, business, operational, and semantic metadata. This includes schema, data type, columns, and other information that can be quickly discovered with automated data scanning. Business metadata should include automated tagging of things like descriptions and glossary terms. Semantic metadata can include mapping to data sources or classifications, and operational metadata can include data flow activity such as run status and run time.

2. Build a decision and accountability framework

Once you know where all your data is located, you’ll need to document the roles and responsibilities of each asset. Start by answering seven basic questions:

  1. How is our data accessed and used? 
  2. Who is accountable for our data?
  3. How will we respond when business or regulatory requirements change?  
  4. What is the process for revoking access due to a role change or an employee leaving?
  5. Have we implemented monitoring and reporting to track data access?
  6. How do we handle lifecycle management?
  7. Are we automating permissions management to enforce security and compliance?

In response to question number one, you should develop a detailed lifecycle for data access that covers employees, guests, partners, and vendors. When deciding what data someone may need to access, consider both the person’s role and how the data in question will be used. Business unit leaders should determine how much access each position requires.

Based on the information gathered, your IT and security partners can create role-based access controls (RBAC) for each employee position and partner or vendor request. The compliance team will then be responsible for monitoring and reporting to ensure that these controls are put into practice. Implementing a permissions management solution can also help your organization by preventing misuse and malicious exploitation of permissions. By automatically detecting anomalous alerts, your organization can reduce IT workloads, conserve resources, and increase user productivity.

3. Monitor access and use policies

Next, you’ll need to document the policies for each data repository. Determine who can access the data—including read versus write access—and how it can be shared and used in other applications or with external users. Will your organization be storing personal identifiable information (PII) such as names, identification numbers, and home or IP addresses in this repository? With any sensitive data, it’s imperative to enforce the Zero Trust principle of least privilege or just-in-time (JIT) access.

The JIT permissions model strengthens the principle of least privilege by reducing the attack surface to only those times when privileges are actively being used (unlike the all-day, every day attack surface of standing privileges). This is similar to the just-enough-privilege (JEP), wherein a user completes a request describing the task and data they need to access. If the request is approved, the user is provisioned with a temporary identity to complete the task. Once the task is completed, the identity can be disabled or deleted. There’s also a “broker-and-remove-access” approach, wherein standing privileged accounts are created and their credentials stored securely. Users must then provide a justification when requesting to use one of the accounts to access data for a specific amount of time.

Your organization can protect itself by maintaining a log of every request for elevated access (granted or declined), including when the access was revoked. All organizations, especially those storing PII, need to be able to prove to auditors and regulators that privacy policies are being enforced. Eliminating standing privileged accounts can help your organization avoid audit troubles.

4. Track both structured and unstructured data

Traditionally, data governance has focused on business files and emails. But stricter regulations now require organizations to ensure that all data is protected. This includes both structured and unstructured data shared on cloud apps, on-premises data, shadow IT apps—everything. Structured data is comprised of clearly defined data types with patterns that make them easily searchable, such as Microsoft Office or Google Docs. Unstructured data can include anything else, such as audio files, videos, and even social media posts.

So, should you leave it up to the individual asset owner to implement their own data protections across such a vast data landscape? An alternative that some of Microsoft’s customers have embraced involves developing a matrixed approach to data governance, wherein security and compliance experts help data owners meet requirements for protecting their data. In this scenario, a “common data matrix” is used to track how data domains are interacted with across your organization. This can help document which areas of your business can simply create data versus read, access, or remove data assets. Your data matrix should identify the data’s source, including any shadow IT systems in use. Make sure to capture any domains and sub-domains containing sensitive or confidential data, subject to government regulation. Also, documenting roles and responsibilities for each business unit allows everyone to understand who is using specific data for a particular job, as well as who is adding data into a system and who is responsible for it.

5. Delete data that’s no longer needed

“Dark data,” which organizations pay to store but goes underutilized in decision making, is now growing at a rate of 62 percent per year.2 Given that most IT teams are already overstretched, asking them to stand guard over vast data lakes is not a recipe for security. So, how do you know when some data is no longer useful to your organization?

Sometimes the easiest way to protect data is to delete it. In keeping with the Zero Trust principle of “assume breach,” less data means less risk. Theft of intellectual property (IP) can be financially hazardous, whereas theft of customer PII can be disastrous long-term for your brand. Privacy laws require that businesses keep PII only for as long as it has served its original purpose.3 However, manually tracking which files are subject to deletion would be nearly impossible. A better approach is to implement ongoing controls to auto-expire PII or set up automated reminders for reviewing sensitive data to decide if it’s still needed.

Understanding the lifecycle of data makes it easier to delete when it’s no longer needed. An integrated data governance solution with intelligent machine learning capabilities can do the work for you, classifying content when it’s created and automatically applying appropriate sunset policies.4 Or, use multi-stage retention policies to automatically apply a new label at the end of a retention period.

Learn more

Proactive, holistic data governance is an integral part of data protection, spanning the complete lifecycle and helping drive business outcomes by ensuring that your data is discoverable, accurate, and secure. Microsoft Purview integrates and automates data governance by setting lifecycle controls on your sensitive data, protecting against data loss, and managing RBAC. To experience Purview in your organization, you’re welcome to start with a free trial.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.


1Almost 70% of CISOs expect a ransomware attack, Danny Bradbury. October 19, 2021.

2September 2021 survey of 512 United States compliance decision-makers commissioned by Microsoft from Vital Findings.

3GDPR personal data—what information does this cover?, GDPR. 2022.

4Microsoft is committed to making sure AI systems are developed responsibly and in ways that warrant people’s trust. As part of this commitment, Microsoft Purview engineering teams are operationalizing the six core principles of Microsoft’s Responsible AI strategy to design, build and manage AI solutions. As part of our effort to responsibly deploy AI, we provide documentation, gating, scenario attestation, and more to help organizations use AI systems responsibly.

The post Data governance: 5 tips for holistic data protection appeared first on Microsoft Security Blog.

IT security: an opportunity to raise corporate governance scores

August 8th, 2022 No comments

What is a corporate governance score?

Corporate governance scoring is increasingly important to boards of directors, executive leadership, and the investment community. If we want to enlist the support of a stakeholder, we have to talk about the things that are important to them. Sales revenue is important to sellers. Data breach risk gets the attention of the chief information security officer (CISO). Governance scores often affect executive compensation and the way an analyst rates a company’s stock. They are important to the board.     

If the IT security team communicates in terms of improving a corporate governance score, it will get their attention. Boards have a lot of demands on their attention as they prioritize the many risks and opportunities they need to navigate. Moving the needle on a benchmark they already care about helps them prioritize IT security. 

Corporate governance benchmarks, such as the Institutional Shareholder Services (ISS) ESG Governance QualityScore, are a focus area for boards, management, and investment analysts.1 This is a language that they speak. If we want to advocate with these stakeholders, framing our IT security investments and actions in terms of an increased QualityScore is an effective way to do this.

Leaders in the corporate governance space have recognized the part that IT security plays in corporate governance and have included this in their scoring methodology. Cybersecurity is identified as a focus area in Principles of Corporate Governance for the board risk oversight and management strategic planning responsibilities,2 as well as an evolving governance challenge in the Harvard Law School Forum on corporate governance.3 Security, particularly concerning data breaches, is identified by the Corporate Finance Institute as one of the principles of corporate governance.4

We’ll identify the specific ways that IT security governance can impact a company’s ISS Governance QualityScore, potentially driving analyst recognition, shareholder value, and executive compensation. This can help inform the board as they consider relative priorities and investments in IT security.

While the discussion is applicable to all geographies and segments, the scoring example we’ll use is for a United States-based company in the Standard and Poor’s (S&P) 500 index.

How corporate governance scores are calculated

The ISS ESG Governance QualityScore is a data-driven scoring and screening solution designed to help institutional investors monitor portfolio company governance. The ISS Governance QualityScore global coverage is applied to approximately 7,000 companies, including those represented in S&P 500, STOXX 600, Russell 3000, Nikkei 400, and others around the world.

The companies’ annual meeting notes, regulatory filings, and other public-facing information are reviewed quarterly and in real-time for some events to update the QualityScore.

The methodology is made available on the ISS website.5

To improve the organization’s QualityScore and map the impact of IT security investments and activities, it is important to understand the factors (questions) and how a score is calculated.

The topics scored include:

  • Board structure.
  • Compensation.
  • Shareholder rights.
  • Audit and risk oversight.

The audit and risk oversight section is where the IT security-related factors are located. We’ll focus our discussion on how to map and raise these factors.

A raw score based on the factors is calculated and ranked relative to companies in the same index or region to promote an “apples to apples” comparison, with a number from 1 to 10 assigned to each category. Figure 1 shows an example of a raw score and category score for each category for a United States-based company in the S&P 500.

Category Category Raw Score Category Score
Board Structure 25.0 7
Compensation 19.5 10
Shareholder Rights 28.0 5
Audit & Risk Oversight 56.5 4
Overall Raw Score Governance QualityScore
Total 129.0 8

Table 1. Score methodology example for S&P 500 United States-based company.

Rating Category Questions Scored
Board Structure 51
Audit and Risk Oversight 21
Shareholder Rights 32
Compensation 37
Total 141

Table 2. Questions scored in each category for a United States-based company.

For the United States, there are 141 factors scored. Twenty-one are for the Audit and Risk Oversight category. Of these, 11 are related to information security. Thus, more than half of this category’s raw score that will be scaled to create the 1 to 10 QualityScore for the Audit and Risk Oversight category is related to IT security.

The definition of IT security-related questions differs from what an IT security and compliance professional will have encountered from working with the ISO, the NIST, or similar security standards. We’ll look at this next.

IT security conversation with the board and executives through the corporate governance lens

The factors used for the governance score are different from what we’d encounter in an IT audit. They don’t cover the fulsome controls and defense in depth that we’d expect as IT security professionals. Some are likely part of key performance indicators (KPIs) already tracked, such as those relating to awareness and training, financials, and breaches.

When a strategic plan or business case for an investment is presented to leadership, it can be mapped to the QualityScore factors. An improvement in the governance score can be forecasted.

An example is provided below for the implementation of Microsoft Purview Audit (Premium). This tool is a part of Microsoft 365, is easily deployed, and has no user impact or change management requirements. In the event of a credentials compromise, it provides forensic information to understand if there was a breach of sensitive information, what documents may have been accessed by the bad actor, and provides retention of audit data for long periods of time.

QuestionID Question Mapping for Microsoft Purview Audit (Premium)
402 Does the company disclose an approach to identifying and mitigating information security risks? Audit (Premium) allows a company to identify the information accessed by a bad actor if an account is compromised. It provides forensic information to understand the consequences of a breach and remediate appropriately. This is part of risk mitigation.
406 What are the net expenses incurred from information security breaches over the last three years relative to total revenue? Audit (Premium) makes information available that can differentiate a breach that has no impact from one that has a massive impact on the company, its partners, and its customers. Without this information, the company may incur massive costs for breach notification and mitigation that would not be necessary if the breach could be properly scoped.
407 Has the company experienced an information security breach in the last three years? Audit (Premium) can differentiate between account compromise that has no impact and may not be reportable as opposed to a breach requiring large-scale reporting and remediation. Reporting information security compromises correctly, including knowing what is and is not a breach is a focus of Audit (Premium).
408 What are the net expenses incurred from information security breach penalties and settlements over the last three years relative to total revenue? The expenses and penalties incurred due to an information security breach will vary greatly depending on the scope and impact of the breach. Expenses and penalties can be reduced as a result of the forensic information Audit (Premium) makes available.
409 Has the company entered into an information security risk insurance policy? Insurers require underwriting to issue security risk insurance policies. Underwriting depends on the company’s IT security program, controls, and governance. Audit (Premium) is an important part of the security program, providing uniquely valuable forensic information.
412 How long ago did the most recent information security breach occur (in months)? Audit (Premium) can differentiate between account compromise that has no impact and may not be reportable as opposed to a breach requiring large-scale reporting and remediation. It can enable a forensic investigation that scopes a breach in terms of time and the timing of bad actor activities in this period.

Table 3. Example Mapping of Microsoft Purview Audit (Premium) to ISS Governance QualityScore.

Alignment with the Governance QualityScore goes beyond the support of security solutions and investments.

Some of what the company may already have in place, like security training, standards-based audit, metrics, and reporting is part of the scoring. Communicating this so that it is reflected in the governance score increases the company’s return on investment and leadership’s awareness of the contributions of the security team.

The score will be boosted by having senior leadership regularly brief the board on information security matters.

Adding a board member with security experience will also boost the score. These will give the security function the attention and investment that it needs from leadership to increase the company’s security posture.

Conclusion

Showing how a company’s Governance QualityScore benefits from their investment in security demonstrates additional return on investment and wins support for the security program from a range of stakeholders. Stakeholders that may not recognize the value of IT security controls and processes or understand IT security risk may recognize the financial and brand value of an increased governance score.

As time goes on, the expectations for IT security to be part of corporate governance will increase. The focus on the breach will likely be broadened to a more holistic perspective. Additional factors will be considered and the impact of IT security on the overall scoring will increase.

Consider demonstrating how an IT security investment or activity will raise your company’s governance score along with other aspects of the business case and risk management when presenting to leadership to make a fulsome case for action.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.


This document is provided “as-is.” Information and views expressed in this document, including URL and other Internet website references, may change without notice. You bear the risk of using it. This document is not intended to communicate legal advice or a legal or regulatory compliance opinion. Each customer’s situation is unique, and legal and regulatory compliance should be assessed in consultation with their legal counsel.


1Institutional Shareholder Services ESG Governance QualityScore, ISS. March 31, 2022.

2Principles of Corporate Governance, Harvard Law School Forum on Corporate Governance. September 8, 2016.

3Cybersecurity: An Evolving Governance Challenge, Harvard Law School Forum on Corporate Governance. March 15, 2020.

4Corporate Governance, Corporate Finance Institute. May 8, 2022.

5Governance QualityScore, ISS.

The post IT security: an opportunity to raise corporate governance scores appeared first on Microsoft Security Blog.

Discover 5 lessons Microsoft has learned about compliance management

July 25th, 2022 No comments

Compliance management is a complex process—one that gets increasingly more complicated the larger an organization grows. Microsoft knows this firsthand, not only because of our experience providing Security and Compliance solutions to customers but also because of the global reach and responsibility for maintaining compliance with a hefty number of regional and industry-specific regulations. Another thing Microsoft has learned along this journey is that the route is significantly smoother with an inclusive mindset and digital tools to ease the way.

In the new world of hybrid work, regulatory compliance has become a board-level directive. Local and global regulations dictate how to manage, store, and transmit data, making compliance more critical than ever before. However, to adhere to these regulatory standards, risks need to be identified and mitigated, and data needs to be governed according to policy. Embarking on this journey will provide additional valuable outcomes, like:

  • Providing you with fast access to requested data in the event of an external or internal investigation or legal action.
  • Protecting company data as the workplace evolves is especially important given the growing use of personal devices for work and the increase in employees accessing company networks from outside the physical office for some or most of their week.
  • Acting as good stewards—Chief Information Security Officers (CISOs) feel a sense of duty to protect their employees, partners, and customers to the best of their ability.

Microsoft’s compliance journey has given us insights and best practices that we can share with other organizations determined to strengthen their compliance management practices. Planning for the unexpected events that inevitably occur means aligning your people, processes, and technology. Here are five things we’ve learned along our compliance path—and stories of what’s worked for customers.

Assess your compliance posture

It’s difficult, if not impossible, to know if you’re headed in the right direction without knowing your current position. So, where do you start? Compliance management has gone from a nice to have to a must-have for organizations, which have huge a incentive to strengthen their compliance management practices. Keeping track of all the regulations they’re responsible for, however, can be challenging, especially for those companies in regulated industries, like financial services or healthcare. Maintaining a good compliance posture can help you avoid penalties, negative publicity, fines, and financial losses. Given how quickly regulations change, this can be a big challenge. And manually tracking compliance issues in spreadsheets often isn’t sufficient. As a first step, we recommend assessing the current state of your compliance with a visual tool that helps measure where you are today, and allows you to track your collective progress over time.

Broaden your idea of compliance

When people hear the term “compliance,” many instantly think about regulatory compliance. Understandably so, because regulations like the California Consumer Protection Act (CCPA) and General Data Protection Regulation (GDPR) receive a lot of press and attention. But as mentioned earlier, compliance goes way beyond regulations.

Compliance management can even lead to innovation. Customers tell us they feel free to adapt the way they operate in response to customer trends. Visionary Wealth Advisors, a financial management firm in the United States, wanted to allow customers to communicate with the company via text messaging but needed to manage that data securely for compliance reasons. Visionary Wealth Advisors was able to maximize security and compliance with Microsoft Purview Data Lifecycle Management and CellTrust SL2.

“A central pain point is that the client doesn’t understand the regulatory environment that we operate in,” said Ryan Barke, Chief Compliance Officer and General Counsel, Visionary Wealth Advsiors. “They just want to communicate with their financial advisor, and the financial advisor wants to communicate with the client. We can have a policy that says, advisors, you’re prohibited from text messaging with your clients but we cannot control the other end of that communication.”

Involve everyone

Data breaches are accelerating—climbing 68 percent in 2021, costing an average of USD4.24 million each.1 Insider leaks of sensitive data, intellectual property (IP) theft, and fraud can all detrimentally impact a company. So, too, can regulatory violations, but CISOs may be so focused on data protection that data compliance doesn’t get as much attention. What we have learned on our journey is that compliance isn’t a CISO’s burden to bear alone. Multiple Microsoft executives were involved in meeting compliance regulations and obligations. People across Microsoft had to have a hand in compliance to drive the process.

Involving multiple leaders makes sense given how people throughout an organization will benefit from what strong compliance management makes possible. The City of Marion in Australia deployed Microsoft Purview Records Management to better manage the data collected from the 90 services it provides. As a result, city staff has become more engaged with the process of creating and handling information. They can organize themselves and their workflows in Microsoft Teams, set up SharePoint sites, create and link information, create their own Power BI reports, configure workflows, and connect varied information much easier.

“It helps our small team get lots of stuff done, and we don’t need to worry so much about compliance anymore,” said Karlheins Sohl, Information Management Team Leader, City of Marion. “We can trust the system to help take care of that, while we’re freed to focus on the quality of information and the service we provide to the City of Marion staff.”

Discover data and identify risks

In the event of legal action, a merger or acquisition, or an internal or external investigation, technology solutions can help you more efficiently find the relevant data you need. With the proliferation of data, that’s more important than ever.

The sheer volume of data can make this challenging. Technology solutions like Microsoft Purview eDiscovery can help you save time and money on tracking down data.

Through a solution like Microsoft Purview Communication Compliance, organizations can reduce risks related to regulatory compliance obligations.  

Simplify and automate compliance

Effective technology solutions have a wonderful way of simplifying complex processes—and often the workdays of those responsible for managing those processes. Multiple solution providers can complicate already challenging compliance processes and result in a fragmented, inefficient approach. Choosing a comprehensive solution, like Microsoft Purview, can help by continuously monitoring for compliance changes and automating the update process.

Texas-based Frost Bank must follow numerous banking regulations and employees recognize the importance of complying with them—“Compliance is like drinking coffee in the morning,” says Edward Contreras, CISO, Frost Bank. Keeping up with all of those regulations proved challenging before adopting Microsoft Purview Compliance Manager, which updates daily, adding at least 200 updates from more than 1,000 regulatory bodies and enabling the bank to create detailed reports for regulators and auditors.

“Compliance Manager took the mystery out of regulatory compliance for us,” said Glenn McClellan, Endpoint Architect, Frost Bank. “The solution provides improvement actions, excerpts from relevant regulations, and overall, made managing compliance really easy and actionable.”

Explore Microsoft Purview

Effective compliance and risk management are extremely important, and are possible. Microsoft is here to help if you’re looking to simplify your compliance management with technology solutions.

Microsoft Purview is a comprehensive set of compliance and risk management solutions that help organizations govern, protect, and manage data, and improve your company’s risk and compliance posture. These solutions include Microsoft Purview eDiscovery, which helps you discover, preserve, collect, process, cull, and analyze your data in one place; Microsoft Purview Compliance Manager, which helps you simplify compliance and reduce risk; and Microsoft Purview Communication Compliance, which helps foster compliant communications across corporate mediums. We’d love to offer support on your journey.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.


1Cost of a Data Breach Report 2021, Ponemon Institute, IBM. 2021.

The post Discover 5 lessons Microsoft has learned about compliance management appeared first on Microsoft Security Blog.

How Microsoft Purview and Priva support the partner ecosystem

July 20th, 2022 No comments

Today, many enterprise organizations are multicloud and multiplatform. Critical enterprise data is located across clouds and platforms, requiring security and compliance no matter where it lives. To solve the complexity that comes with these environments, organizations have invested in multiple point solutions, which in turn can make it hard for them to manage the fragmented compliance and risk posture covering their entire data estate. To help organizations meet today’s global compliance and risk requirements across their multicloud, multiplatform data environments, we announced Microsoft Purview in April 2022.

Three columns with text explaining that Microsoft Purview helps customers understand and govern data across their environment, safeguard their data across clouds, apps, and devices, and improve data risk and compliance posture with regulatory requirements.

Microsoft Purview is a portfolio of solutions for information protection, data governance, risk management, and compliance that enables organizations to effectively manage their data all from one place. It provides enhanced visibility that organizations can leverage across their environment to help close gaps that can lead to data exposure, simplify tasks through automation, stay up-to-date with regulatory requirements, and keep their most important asset—their data—secured. Partners play a critical role in helping customers manage their entire data estate. We’ve invested in connectors, APIs, and extensibility to support partners and help customers manage their data. 

Microsoft Purview product announcements

Today, we are excited to announce the general availability of the new Microsoft Graph APIs for Microsoft Purview eDiscovery. With the new Microsoft Purview eDiscovery APIs, organizations can leverage automation to streamline common, repetitive workflows that require a lot of manual effort in the product experience.

Customers and partners find automation and extensibility of eDiscovery workflows critically important because of the ability to reduce the potential for human error in highly sensitive workflows. For example, efficiently managing repeatable, defensible processes is critical to managing risk for organizations that have significant requirements for litigation and investigation.

Here are some of the ways partners are building value-added solutions and services using our Microsoft Purview eDiscovery APIs:

Relativity integrates with Microsoft Purview eDiscovery (Premium)

Relativity, Microsoft’s Security ISV of the Year for 2022, shared that “using the right tools to put business’s data into action is essential for many eDiscovery and compliance use cases. RelativityOne integration with Microsoft Purview eDiscovery significantly expedites the eDiscovery review process, minimizes data copies across multiple platforms, facilitates third-party collaboration, and ultimately reduces costs while the data remains secure within the Microsoft cloud. Now is the time to benefit from RelativityOne’s integration with Microsoft’s Purview’s eDiscovery platform,” said Chris Izsak, Strategic Partnerships GTM Manager, Relativity.

Relativity's RelOne user experience showing integration with Microsoft Purview eDiscovery.

BDO’s Athenagy integrates with Microsoft Purview eDiscovery

BDO’s Athenagy creates dashboards using both Microsoft Purview eDiscovery and RelativityOne. Their “patent-pending business intelligence dashboards now provide legal, IT, and compliance professionals a whole new level of data transparency and cost containment by surfacing up critical insights inside both Microsoft Purview eDiscovery—using the newly released Microsoft Purview eDiscovery APIs—and RelativityOne tied to legal hold, collect, preservation, processing, and review for every investigation, compliance, and litigation matter,” said Daniel Gold, inventor of Athenagy and managing director of E-Discovery Managed Services, BDO.

Athenagy's user experience showing data from Microsoft Purview eDiscovery.

Epiq Global integrates with Microsoft Purview eDiscovery

Epiq leverages Microsoft Purview eDiscovery APIs to create an end-to-end eDiscovery workflow. “Utilizing the Microsoft Purview eDiscovery APIs allows us to automate within Microsoft Purview to use inputs from our customer’s existing legal hold system of record to seamlessly orchestrate an end-to-end workflow including sending hold notices, preserving data in place, and performing searches, collections, and exports. When updates are made in the system of record, the changes are propagated directly to the appropriate piece of eDiscovery to ensure parity. An automated solution eliminates human error, reduces administrative costs, and ensures that eDiscovery processes are in sync with your issuance of legal holds,” said Jon Kessler, Vice President of Information Governance Services, Epiq.

Lighthouse integrates with Microsoft Purview eDiscovery

Lighthouse uses Microsoft Purview eDiscovery APIs to create “a rich and intuitive user experience, taking advantage of custodian data mapping, in-place preservation, modern attachment retrieval, and advanced culling. Our automation and orchestration solution is designed to improve user efficacy with job failure oversight, completion notification, and automatic provisioning and management of Azure storage containers. Clients embracing this solution benefit from automation and orchestration to fully leverage Purview Premium eDiscovery’s apps securely and at scale,” said John Collins, Director of Advisory Services, Lighthouse (winner of the Compliance and Privacy Trailblazer award for 2022).

Growth opportunities for partners

The opportunity for our partners who invest in the Microsoft compliance ecosystem continues to grow. Our partners are finding success by building value-added solutions and services around Microsoft’s solutions at an increasing rate. For example, partners are creating solutions that connect disparate information repositories for enterprise-wide compliance initiatives.

Microsoft partners continue to have the ability to participate in our successful go-to-market program, the partner build-intent workshops. These workshops cover the Microsoft Security portfolio and help drive customer success with Microsoft products and partner services through prescriptive scenarios that address the top pain points of our customers. These workshops have been updated to give partners the ability to uncover additional opportunities leveraging the most up-to-date tools and solutions. Discover all our partner workshops and get started with unlocking opportunities and value with your customers.

How Microsoft supports the partner ecosystem

The Microsoft Purview platform enables our customers and partners to adapt, extend, integrate, and automate information protection, data governance, risk management, and compliance scenarios. These capabilities are enabled through our investments in these key building blocks:

Microsoft Purview APIs: We are constantly expanding our API surface area. With our investments in Microsoft Graph APIs we currently enabling extensibility scenarios across Purview Information Protection, Purview Data Lifecycle Management, Purview eDiscovery, Purview Audit, and more. Partners are using these APIs to build value-added services and solve unique customer scenarios.

Microsoft Purview Data Connectors: To enable high-fidelity data ingestion—including sources such as Slack, Zoom, and WhatsApp, we have partnered with Veritas, TeleMessage, 17a-4, and CellTrust to deliver more than 70 ready-to-use connectors. Our extensibility push provides more opportunities for partners to join this connector ecosystem.

Microsoft Purview Data Catalog: Microsoft Purview’s unified data governance capabilities help with managing on-premises, multicloud, and software as a service (SaaS) data. Microsoft Purview Data Catalog supports multicloud data classification and covers data repositories such as Azure Cosmos DB and Amazon Web Services (AWS) S3 buckets. There is also an Atlas Kafka API that facilitates extensibility scenarios for our partners and customers.

Microsoft Purview Compliance Manager: With universal templates, we help partners and customers extend compliance management capabilities to non-Microsoft environments.

Power Automate integrations: Microsoft Purview solutions including Microsoft Purview Data Lifecycle Management, Insider Risk Management, and Communication Compliance have built-in Power Automate integrations. This offers unique opportunities for our partners and customers to streamline and automate workflows and business scenarios.

Another way Microsoft supports the ecosystem is through the Microsoft Intelligent Security Association (MISA). MISA is an ecosystem of independent software vendors and managed service providers that have integrated their products and services with Microsoft’s security technology. Over the last year, MISA has extended its qualifying products to include a broad range of Microsoft Purview and Microsoft Priva products. MISA offers members co-marketing benefits and the opportunity to deepen their technology integrations and relationship within the Microsoft security ecosystem. MISA offers members co-marketing benefits and the opportunity to deepen their technology integrations and relationship within the Microsoft security ecosystem.

Partner with Microsoft Purview

Here are a few ways that partners can join the Microsoft Purview ecosystem:

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post How Microsoft Purview and Priva support the partner ecosystem appeared first on Microsoft Security Blog.

KuppingerCole rates Microsoft as outstanding in functionality for secure collaboration

We are excited to share that Microsoft has been rated “Outstanding in Functionality” in the KuppingerCole Market Compass for Secure Collaboration, May 2022. Microsoft was also the only company to be awarded the highest possible score of “Strong Positive” in all five categories: security, deployment, interoperability, usability, and market standing for the Microsoft Purview Information Protection platform.

KuppingerCole graphic awarding rewarding Microsoft with Outstanding Functionality rating.

The Secure Collaboration Market Compass report covers solutions that protect sensitive data, which includes intellectual property or information restricted to certain audiences (such as trade secrets, some legal contracts, agreements, and financial statements), along with personally identifiable information (PII) and health information for regulatory standards such as General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and Health Insurance Portability and Accountability Act (HIPAA). As companies shift towards remote hybrid work, protecting sensitive data that is continuously created and shared among employees, contractors, partners, and suppliers—while not impeding worker productivity—is becoming increasingly important. Enterprises today face the challenge of classifying large volumes of data, especially personal data, which is required by privacy regulations and laws worldwide.

At Microsoft, our goal is to provide a built-in, intelligent, unified, and extensible solution to protect sensitive data across your digital estate—in Microsoft 365 cloud services, on-premises, third-party software as a service (SaaS) applications, and more. With Microsoft Purview Information Protection, we are building a unified set of capabilities for classification, labeling, and protection, not only in Microsoft Office apps but also in other popular productivity services where the information resides (such as SharePoint Online, Exchange Online, and Microsoft Teams), as well as endpoint devices.

“Microsoft Purview Information Protection provides a sophisticated classification system that can apply labeling to a document based on the creator, the context in which it was created, and/or the content within the document. The functionality is natively embedded into Office services and apps, and third-party applications via the information protection SDK. Sensitive information is discovered and labeled with out-of-the-box, custom, and machine learning (trainable) functionality,” Annie Bailey, KuppingerCole analyst, writes in the report. “Information such as credit card, social security number (SSN), person names, licenses, and business categories like healthcare or financial can be classified out-of-the-box. Custom fields include RegEx, Dictionary, Fingerprint, Named entities detection (e.g., person name, address, medical terms), Exact Data Match, and credentials.”

We are also pleased that KuppingerCole recognizes the breadth and depth of our Microsoft Purview Information Protection platform and called out these strengths:

•  Double Key Encryption provides additional security and governance control.
•  Built into frequently used enterprise applications.
•  Simulations to test policy effectiveness.
•  Interoperates with Microsoft and third-party event logs.
•  Automated and manual classification options.
•  Coverage of structured and unstructured data in the Microsoft environment.
•  Data loss prevention functionality in Teams chat.
•  Option for no configuration, default classification.

We have made significant investments in our Microsoft Purview solutions (such as Data Loss Prevention, Compliance Manager, Data Lifecycle Management, Insider Risk Management, and eDiscovery) and Microsoft Priva privacy solution that leverage our advanced classifiers, unified labeling and protection, sensitive information types, and policy authoring templates provided by our Microsoft Purview Information Protection platform.

More than 200 partners are part of our Microsoft Intelligent Security Association (MISA). Partners can leverage our labeling features through our Information Protection SDK, data connectors, and Graph APIs to provide integrations with Microsoft applications and services, security and compliance solutions, and their own products.

We are honored to have been designated as “Outstanding in Functionality” by KuppingerCole and rated the highest possible score of “Strong Positive” in five different categories.

Learn more

We invite you to read the full KuppingerCole Secure Collaboration report. For more information on our Microsoft Purview solutions, please visit our website. Visit the Microsoft Purview Information Protection platform page to learn more about how to protect your data wherever it lives.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post KuppingerCole rates Microsoft as outstanding in functionality for secure collaboration appeared first on Microsoft Security Blog.

How to improve risk management using Zero Trust architecture

“Compliance is all about risk management and lessening risk, and the same is true of Zero Trust.”

Abbas Kudrati

What’s risk management and why is it important?

Risk management, the process of developing a strategy for addressing risk throughout its lifecycle, normally involves four phases: risk identification, assessment, response, and monitoring and reporting.

Phases of risk management listed as identification, assessment, response, and monitoring and reporting.

Risk management plays a critical role in helping organizations with their security posture enhancement. Taking insider incidents as an example, they are not only costly to organizations but also time-consuming to be contained. Given the limited resources available, we have seen many organizations often prioritize investment in security controls, which can address the more critical risks. As such, the return on investment (ROI) is maximized in effectively protecting the organizations’ assets as well as ensuring their business operations. Risk management is an ongoing activity. Are the long-established risk management programs in the enterprises staying on top of the evolving digital and threat landscapes?

With trends like digital transformation, cloud migration, and hybrid work, traditional trust boundaries are getting blurred. Perimeter-driven defense is no longer adequate in protecting against the rising attack vectors. More attention has been drawn to the Zero Trust security model that assumes attackers are in the enterprise environment and encourages organizations to always verify explicitly and enforce least-privilege access.

Why is risk management important, noting that an insider incident costs an average of USD11.45 million and takes an average of 77 days to resolve.

How can Zero Trust architecture help with risk management?

Microsoft approaches the following Zero Trust architecture as a reference for customers to defend their digital estates.

Zero Trust architecture design.

Let’s look at how Zero Trust architecture can help an organization effectively manage enterprise risk management practice throughout the four phases:

1. Identification: More thorough asset discovery and risk identification with the six pillars

In the initial step of risk management, organizations need to categorize the system and information processed, stored, and transmitted based on impact analysis. With prioritization, activities of identifying threats and vulnerability to the assets are then performed. The Zero Trust architecture emphasizes the full coverage of organization assets across the entire digital estate, with six pillars specified as identity, endpoint, network, data, application, and infrastructure. Following the reference architecture would allow organizations to obtain a holistic view of their IT landscapes and associated risks.

Some questions for organizations to consider during the asset discovery and risk identification phase:

  • What types of structured and unstructured data do you create, process, and store? Are all data classified, labeled, and encrypted?
  • What applications do you access? Are they in the cloud or on-premises?
  • What types of infrastructure do you manage—in the cloud or on-premises?
  • Who has access to your resources, including network, data, applications, and infrastructure? Are they internal or external stakeholders, human or non-human actors? How are the authentication and authorization of the identities enforced?
  • From which endpoints are access to your resources allowed? Are they owned by a company or individuals? How is device management performed and compliance reviewed?
  • What are the normal and abnormal paths of an identity accessing your resources of any kind?

2. Assessment: Continuous risk assessment as input to access control evaluation and enforcement

Typically, a risk assessment on an information asset is performed periodically or upon major changes. It allows organizations to determine the potential risks and evaluate if the existing processes and controls are sufficient to lower the risks to an acceptable level. In the more dynamic digital world where attacks happen at cloud speed, Zero Trust architecture recommends continuous risk assessment—each request shall be intercepted and verified explicitly by analyzing signals on user, location, device compliance, data sensitivity, and application type. In addition, rich intelligence and analytics can be leveraged to detect and respond to anomalies in real-time, enabling effective risk management at the request level.

In addition, the security controls included in the Zero Trust architecture enable defense-in-depth, which shall be taken into consideration during regular risk assessment at system or organizational levels. With identity being the new first line of defense, strong multifactor authentication helps to determine if the actor is who it claims to be, reducing the likelihood of unauthorized access. Device compliance check then helps to reduce the likelihood of actors using compromised or outdated endpoints to access organization resources. In case of a breach, network micro-segmentation based on least-privilege access principle will minimize the lateral movement of malicious actors, narrowing the attack surface and containing the damage. Encryption of data in transit and at rest renders data unreadable and unusable without decryption keys, further lessening the impact of data breaches.

3. Response: Real-time responsive measures to mitigate risks throughout the request life cycle

Zero Trust architecture can also be aligned with the four general categories of risk response strategies: tolerate, operate, monitor, and improve. By design, it is recommended that telemetry, state information, and risk assessment from threat protection shall all feed into the Zero Trust policy engine to enable automatic response to threats immediately. Upon collection and evaluation of all risk signals from various sources, Zero Trust policies shall be enforced in real-time to allow, deny, restrict, or further authenticate access requests. Such approaches offer great responsiveness to risks detected in real-time throughout a request lifecycle, allowing organizations to address risks in a timely manner.

4. Monitoring and reporting: Visibility at all levels empowering risk monitoring and reporting

Risk monitoring and reporting are also critical components to ensure risk governance and assurance. It is common for organizations to keep risk monitoring and reporting at the system level. With Zero Trust architecture, organizations would benefit from the flexibility of gaining visibility at all levels into risks. At the granular level, risks of a single-user identity or sign-in will be evaluated, logged, and reported. With IT and security tools integrated, other potential breach indicators like a high volume of data access and transfer and malware detection can be associated, allowing the first line of the risk management team to obtain all necessary details for investigation. The rich threat and vulnerability data can be further processed to offer an aggregated view of an organization’s risk posture, making the risk reporting to senior management and auditors more accurate and hassle-free. With the insights generated from risk monitoring and reporting, risk management strategy and policy can be continuously reviewed and improved to stay relevant and effective.

Learn more

Learn more about the Microsoft Zero Trust framework.

Organizations may leverage the free Microsoft Zero Trust Maturity Assessment Quiz to understand their current state of Zero Trust maturity and our recommendations on the next steps. More details of how Microsoft can empower organizations in their Zero Trust journeys can be found in the Zero Trust Essentials eBook.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post How to improve risk management using Zero Trust architecture appeared first on Microsoft Security Blog.

So you want to be a CISO: What you should know about data protection

Data is the lifeblood of any organization. Whether you’re a Chief Information Security Officer (CISO) or aspiring to become one, protecting sensitive business data will be your main priority. But the job isn’t getting any easier. In 2021, the number of data breaches climbed 68 percent to 1,862, costing an average of USD4.24 million each.1 The damage from a breach touches everyone, causing diminished brand equity and consumer trust, decreased shareholder confidence, failed audits, and increased scrutiny from regulatory agencies.

It’s easy to become so preoccupied with protecting against the next ransomware attack that you overlook risks within your own organization. Insider leaks of sensitive data, intellectual property (IP) theft, fraud, regulatory violations—any of these can crash a company (and your career) as quickly as a headline-grabbing breach. Given the breadth of today’s digital estate—on-premises, in the cloud, and at the edge—Microsoft Purview provides the inside-out, integrated approach that an effective CISO needs to reduce the risk of internal and external data breaches before they occur. Here are some things to consider, both when prioritizing for yourself and talking to your board of directors.

Mind your own house—insider threats

As the “Great Resignation” or “Great Reshuffle” rolls on, organizations worldwide are dealing with large numbers of people heading for the exits—and climbing aboard. Results from Microsoft’s most recent Work Trend Index indicate that 43 percent of employees are likely to consider changing jobs in the year ahead. This massive shift in employment status has been accompanied by the “Great Exfiltration.” Many of those transitioning employees will, intentionally or not, be leaving with sensitive data stored on personal devices or accessed through a third-party cloud. During 2021, 15 percent of workers uploaded more corporate data to personal cloud apps as compared to 2020. What’s more alarming, 2021 also saw 8 percent of exiting employees upload more than 100 times their usual data volume.2

As a CISO, you’re responsible for data spread across multiple platforms, devices, and workloads. You’ll need to consider how that technology interacts with your organization’s business processes. That includes having policies in place to prevent data exfiltration; especially if you work in a regulated industry, such as finance or healthcare. It starts with asking: Who can access the data? Where should the data reside (or not reside)? How can the data be used? How do we prevent oversharing? A modern data loss prevention (DLP) solution—cloud-native and comprehensive—enables you to centrally manage all your DLP policies across cloud services, devices, and on-premises file shares. Even better, this type of unified DLP solution requires no additional infrastructure or agents, helping to keep costs down. Even in a time of great change, today’s workplace requires that people remain free to create, manage, and share data across platforms and services. However, the organizations they work for are often constrained by limited resources and strict privacy standards when seeking to mitigate user risks. For that reason, you’ll need tools that can analyze insider threats and provide integrated detection and investigation capabilities. The best solution for insider threats will be:

  • Transparent—balancing user privacy with organizational risk by using privacy-by-design architecture.
  • Configurable—enabling policies based on your industry, geographical location, and business groups.
  • Integrated—maintaining a workflow that’s integrated across all your data, wherever it resides.
  • Actionable—providing insights to enable reviewer notifications, data investigations, and user investigations.

Protecting against insider threats should include templates and policy conditions that define which triggering events and risk indicators require examination. For that reason, your insider-risk solution should be able to look at potential risk patterns across the organization, as well as investigate risky activity with end-to-end workflows. Furthermore, a solution that helps detect code of conduct violations (harassing or threatening language, adult content, and sharing sensitive information) can be a reliable indicator for possible insider threats. Machine learning will help provide greater context around certain words or key phrases, so investigators can speed up remediation.

Automate and integrate your data strategy

Because many organizations resist going all-in on one vendor, most CISOs have to deal with data spread across a patchwork of on-premises and cloud storage. Though clunky, legacy data silos are a fact of life. If large volumes of “dark data” aren’t correctly classified as sensitive, then it becomes difficult to protect personally identifiable information (PII) or sensitive corporate IP and implement data loss prevention policies. A thrifty CISO needs to simplify wherever possible, using a comprehensive solution to help protect the entire digital estate. A good data management solution should provide both the flexibility for users to manually classify their documents, as well as system administrators applying auto-labeling and machine learning-trainable classifiers.

  • Data discovery: It’s not unheard of to discover that an employee unknowingly stored a customer’s Social Security Number (SSN) on an unprotected site or a third-party cloud. That’s why you’ll want a data management solution like PII that automatically identifies sensitive data using built-in sensitive information types and regulatory policy templates, such as General Data Protection Regulation (GDPR) and Health Insurance Portability and Accountability Act of 1996 (HIPAA). And since sensitive data can land anywhere, the right solution needs to use automation to cast a wide net across on-premises, multicloud, operational, and software as a service (SaaS) data.
  • Data classification: Look for unified built-in labeling that’s already integrated with broadly used applications and services, allowing users to further customize sensitivity levels for their specific needs. The right solution should also allow automatic labeling and policy enforcement across an organization for faster classification and data loss prevention deployment at enterprise scale. In addition, look for unified data management solutions that identify and classify sensitive data found on-premises, multicloud, and SaaS to create a holistic map of your entire data estate.
  • Data governance: You want your organization’s data to be discoverable, trusted, and stored in a location where it can be readily protected. Storing data longer than necessary increases your risk of exposure in a breach. On the other hand, deleting data too quickly can put your organization at risk of regulatory violations. Data retention, records management, and machine learning capabilities solve this problem by classifying data and automatically applying lifecycle policies, helping you manage risk and liability by keeping only the data you need and deleting what you don’t.

Make data protection a team effort

A primary responsibility for any CISO is to protect the organization’s IP, such as software source code, patented designs, creative works—pretty much anything that gives the business a competitive edge. But with the growth of big data and changing regulatory standards, CISOs are also expected to protect user data, such as PII, personal health information (PHI), and payment card industry (PCI) data. Privacy laws are also increasing restrictions on the use, retention, and location of user data, both internally and with third-party vendors.

In addition, hybrid and multicloud services create new challenges by distributing data’s geographic origins, storage location, and user access points. Today’s CISO needs to work with colleagues in data protection, privacy, IT, HR, legal, and compliance, meaning, you may be sharing duties with a Chief Data Officer (CDO), Chief Risk Officer (CRO), Chief Compliance Officer (CCO), and Chief Information Officer (CIO). That’s a lot of acronyms at one table. So, rather than duplicate efforts or compete for territory, an effective CISO should adopt a unified solution for data protection that helps eliminate potential redundancies and keeps your entire security team working off the same script.

Bonus tip—simplify

We all know the days of firewalls and perimeter-based security aren’t coming back. Enabling an effective Zero Trust approach requires the ability to protect data across a multicloud, multiplatform environment. Microsoft’s decision to unify data protection, governance, and compliance capabilities as Microsoft Purview—bringing together the former Microsoft Azure Purview and Microsoft 365 Compliance portfolio under one brand—reflects our belief that organizations need a simpler approach to data protection.

If you’re already a Microsoft 365 E5 or Microsoft 365 E5 Compliance customer, head over to the revamped Microsoft Purview compliance portal to check out some of these changes. If you’re an existing Azure Purview customer, visit the new Microsoft Purview governance portal. To learn more and get started, visit the Microsoft Purview website or start a free trial today.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.


1 Cost of a Data Breach Report 2021, Ponemon Institute, IBM. 2021.

2 With the ‘Great Resignation’ comes the ‘Great Exfiltration’, Kevin Townsend. January 11, 2022.

The post So you want to be a CISO: What you should know about data protection appeared first on Microsoft Security Blog.

The future of compliance and data governance is here: Introducing Microsoft Purview

April 19th, 2022 No comments

The worldwide shift to a hybrid workplace has pushed us all to embrace ubiquitous connectivity. Those new connections have helped us become more collaborative; routinely editing and sharing documents in real-time from wherever we happen to be working. Instant messaging went from being a tool of convenience to a cornerstone of communication. People in business, operations, and technical roles became adept at stitching together disparate solutions to meet changing needs.

But constant connectivity brings evolving, inherent risks. Over the past two years, organizations have seen a massive increase in their digital footprint, leading to data fragmentation and growth across a multitude of applications, devices, and locations. The Great Reshuffle left blind spots within ever-enlarging data estates.1 Dark data, which organizations pay to store, but goes underutilized in decision making, is now growing at a rate of 62 percent per year.2  Even the virtual office has created the risk of new collaboration mediums opening doors to harassment, sensitive data leaks, and other workplace policy infractions. It’s a big digital world for any organization to try to manage. 

The lines between risk roles are blurring 

Just as today’s big-data, multiplatform, hyper-connected workplace brings new vulnerabilities, the responsibility for protecting it is also in flux. For example, an organization with a Chief Data Officer (CDO), Chief Risk Officer (CRO)/Chief Compliance Officer (CCO), Chief Information Security Officer (CISO), and Chief Information Officer (CIO) has to choose whether they will duplicate, compete, or collaborate. Conditions that are driving the need for integrated risk management include:

  • The pandemic: Ongoing decentralized work has reinforced the need for strategic, operational, and business continuity management. All of this requires cross-functional data sharing and coordination. 
  • Nation-state attacks: Increasing sophistication and frequency of nation-state attacks is driving collaboration between compliance, data, and security functions. 
  • Remote work: Virtual communication spaces require coordination between compliance, IT, and HR. 
  • Evolving regulations: New requirements, like those from the Office of Foreign Assets Control (OFAC), Department of Justice (DOJ), and the European Union Whistleblower Directive require collaboration among all risk-management leaders.
  • Data sharing: Requirements for continuous access to operational data across functions (read the DOJ’s requirements for compliance programs).  
  • Growing CDO responsibilities: The CDO’s role may go beyond data management and protection to include business intelligence, AI, and machine learning. Because this role can overlap with a Chief Analytics Officer (CAO) and CISO, a unified solution for risk management is vital to eliminating redundancies.
  • Governance and compliance: Overlap between information governance, records management, and data collection is driving the need for a comprehensive solution for managing data risk.

In a tracking survey of over 500 US decision-makers, nearly all (95 percent) are concerned about challenges they face regarding data protection in 2021.” 3

The market has responded with dozens of products that force security, data governance, compliance, and legal teams to stitch together a patchwork of solutions. This approach not only strains resources, but it’s also ineffective. Security outcomes are worse—audits are failed and brand reputations are damaged.

”A survey of US decision-makers showed that to meet their compliance and data-protection needs, almost 80 percent had purchased multiple products, and a majority had purchased three or more. 4

Introducing Microsoft Purview 

To meet the challenges of today’s decentralized, data-rich workplace, we’re introducing Microsoft Purview—a comprehensive set of solutions that help you govern, protect, and manage your entire data estate. This new brand family combines the capabilities of the former Azure Purview and the Microsoft 365 Compliance portfolio that customers already rely on, providing unified data governance and risk management for your organization.

The new Microsoft Purview:

  • Helps you gain visibility into assets across your entire data estate.
  • Enables easy access to all your data, security, and risk solutions. 
  • Helps safeguard and manage sensitive data across clouds, apps, and endpoints.
  • Manages end-to-end data risks and regulatory compliance.
  • Empowers your organization to govern, protect, and manage data in new, comprehensive ways. 

Microsoft Purview brings together data governance from Microsoft Data and AI, along with compliance and risk management from Microsoft Security. Microsoft Purview is also complemented by identity and access management, threat protection, cloud security, endpoint management, and privacy management capabilities—creating a truly comprehensive approach to security.

Microsoft Purview at a glance

Chart of new product names within the Microsoft Purview portfolio: Microsoft Purview Audit (Premium), Microsoft Purview Communication Compliance, Microsoft Purview Compliance Manager, and more.

Securing multicloud and multiplatform environments

Because organizations now operate across multiple clouds and on-premises platforms, we’ve expanded Microsoft Purview’s capabilities to include data protection for macOS users, as well as offering new data classifiers, protection for mobile devices, and data lifecycle management.

  • To extend Microsoft Purview’s capabilities for macOS users, we’re excited to announce the general availability (GA) of Microsoft Purview Data Loss Prevention (DLP) for macOS endpoints. Now organizations can extend their endpoint DLP insights and controls to devices running macOS (Catalina or higher). In addition, the preview of restricted app groups for Windows endpoints allows organizations to scope different access restrictions to sensitive files between a set of sanctioned or unsanctioned applications. Learn about Microsoft Purview DLP for macOS endpoint.
  • Before sensitive data can be safely shared, it first needs to be identified. To that end, we’re extending our sensitive information type catalog with more than 50 new classifiers. The new classifiers are available for DLP, Information Protection (auto-labeling), Data Lifecycle Management, Insider Risk Management, Records Management, eDiscovery, and Microsoft Priva. Explore the new data classifiers in Microsoft Purview.
  • With remote users now regularly accessing files from multiple locations, devices, and apps, organizations shouldn’t have to compromise on security for productivity. To help address this, the preview of co-authoring of encrypted documents for mobile devices (iOS and Android) enables multiple users to work simultaneously on Microsoft 365 apps and documents with autosave, allowing for enhanced real-time collaboration and productivity. Learn about co-authoring of encrypted documents.
  • Within any document file’s lifecycle, organizations need to be able to configure retention and deletion settings. To help simplify that process, we’re announcing the preview of multi-stage retention in Microsoft Purview Data Lifecycle Management (formerly Microsoft Information Governance), which automatically applies a new label when an item reaches the end of its retention period. Learn more about multi-stage retention from Microsoft Purview Data Lifecycle Management.

Protecting your business and employees in a hybrid work environment

Employees don’t gather around the water cooler anymore. They’re communicating across digital channels and personal and corporate devices. Microsoft Purview helps protect your organization’s data with Insider Risk Management, eDiscovery, Communication Compliance, and more.

  • Many organizations have had to adapt to a changing workforce during the Great Reshuffle. Recent enhancements to the detection and investigation capabilities of Microsoft Purview Insider Risk Management help provide security teams with additional context and actionable insights to keep data secure, including expanded coverage with Microsoft Defender for Cloud Apps. Learn about Microsoft Purview Insider Risk Management.
  • Sensitive data isn’t confined to business transactions. According to the 2022 Work Trend Index annual report from Microsoft, employees are communicating over a greater variety of digital channels. With so much internal chatter, robust data and document discovery are essential for organizations responding to both internal investigations and external inquiries. To help meet that need, we’re excited to announce additional capabilities for Microsoft Purview eDiscovery (Premium), which improve the identification of relevant data in Microsoft Teams and help manage legal holds with new reporting functionality. Learn about Microsoft Purview eDiscovery.
  • To help organizations maintain a positive work culture and a strong commitment to user privacy, Microsoft Purview Communication Compliance helps detect code of conduct violations (including harassing or threatening language, adult content, and sharing sensitive information). We’re excited to announce new features, including expanded optical character recognition, machine learning model highlighting, reduced detection-to-investigation time, and step-by-step onboarding guidance. Protect your employees and business with Microsoft Purview Communications Compliance.
  • To help organizations save time and manual efforts, we’re excited to announce the general availability of continuous compliance assessments in Microsoft Purview Compliance Manager. This feature allows customers to understand and act on over 150 recommendations across our suite of solutions—increasing customers’ ability to measure and manage their data handling from a single location. Learn more about continuous assessments in Microsoft Purview Compliance Manager.

Enhancing data governance across compliance and privacy imperatives

Microsoft Priva complements Microsoft Purview’s data governance and compliance portfolio. Acting as a separately available privacy management solution that proactively identifies and helps protect against privacy risks, Priva provides visibility into organizations’ privacy postures. This includes associated privacy risks arising from personal data transfers, overexposure, and hoarding. Priva’s policy-driven templates also help customers adhere to common privacy regulations and requirements.

At the same time, Priva provides the flexibility to customize policies for user groups, data locations, conditions, and notifications. As the foundation of enterprise privacy management, Priva automatically recommends risk-remediation actions and subject rights requests at scale—offering built-in review and redact capabilities and integration with business processes and APIs.

We protect data to protect people 

Regulations regarding data governance don’t exist in a vacuum. Their purpose is to help create a more ethical digital world. A strong solution is built around strong principles. It’s designed to protect customers’ data, keep employees’ workplaces safe, and protect the business. At Microsoft, we don’t do these things just because they’re required, we do them because they’re right.   

There’s no going back to the days of perimeter-based security. Enabling an effective Zero Trust approach requires the ability to govern, protect, and understand data coming from an ever-widening array of endpoints. Similarly, the number of tools we use for work will also grow. And with it, the challenge of having to protect data and manage risk across a multicloud and multiplatform environment. 

The unification of Microsoft’s data governance and compliance capabilities to Microsoft Purview reflects our belief that the world needs a simpler and more unified approach to data. We want to help you get the most out of your data while simultaneously managing risk and compliance. If you’re already a Microsoft 365 E5 or Microsoft 365 E5 Compliance customer, head over to the revamped Microsoft Purview compliance portal to check out some of these changes. If you’re an existing Azure Purview customer, visit the new Microsoft Purview governance portal. To learn more and get started, visit the Microsoft Purview website or start a free trial today.

Join other cybersecurity professionals at the Microsoft Security Summit digital event on May 12, 2022. Hear exciting product announcements and discover solutions you can use to lay the foundation for a safer and more innovative future. Register now.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.


1How Microsoft can help reduce insider risk during the Great Reshuffle, Alym Rayani, Microsoft Security. February 28, 2022.

2Shed light on your dark data before GDPR comes into force, CIO, April 2018.

3September 2021 survey of 512 US compliance decision-makers commissioned by Microsoft from Vital Findings.

4February 2022 survey of 200 US compliance decision-makers (n=100 599-999 employees, n=100 1000+ employees) commissioned by Microsoft with MDC Research.

The post The future of compliance and data governance is here: Introducing Microsoft Purview appeared first on Microsoft Security Blog.

3 strategies to launch an effective data governance plan

March 31st, 2022 No comments

Aware of the potential risks of sensitive data if not managed properly, you’ve undertaken a data discovery process to learn where it’s all stored. You’ve classified this sensitive data—confidential information like credit card numbers and home addresses collected from customers, prospects, partners, and employees—as either non-business, public, general, confidential, or highly confidential. You’ve assessed the risks to better protect it from exposure and the risk of theft or loss. Your next step is to govern your data. But what does that mean and how do you launch a data governance plan?

Data governance is the process of managing data as a strategic asset. This means setting controls around data, its content, structure, use, and quality. Microsoft considers data governance to be the foundational pillar of an enterprise data strategy. All the preceding steps—data discovery, data classification, and data protection—are necessary to build your plan. When done right, data governance makes it easier for companies to ascertain their data is consistent, trustworthy, and properly used.

To avoid those issues, ensure that you govern your data properly. Let’s explore three steps to take when building a data governance plan.

1. Set lifecycle controls on sensitive data

Numerous laws and regulations dictate how long you must retain data and in what circumstances you should delete data. Many privacy laws require that you keep personally identifiable information (PII), such as names, identification numbers, home addresses, and IP addresses, only for as long as it has met its original purpose.1

Under GDPR Article 5(1)(c), the data minimization principle requires entities to process only “adequate, relevant and limited” personal data that is “necessary.”2 GDPR also encourages you to pseudonymize and encrypt this personal information.

Your organization’s data governance plan should take these data retention requirements into account. Tracking which file is subject to a retention or deletion regulatory requirement manually would be extremely challenging if not impossible. A better approach is to implement ongoing controls to auto-expire personal data or set up automated reminders to review data periodically to assess whether it’s still in use or active. Another option is to have approvals in place before deleting documents to ensure you’re deleting verified personal data and not inadvertently hurting the business by deleting the wrong content.

2. Operationalize data governance

After setting lifecycle controls to manage your company’s sensitive data, it’s time to define strategy and figure out how to operationalize the management of your data governance program. Data governance isn’t a set-it-and-forget-it situation. You’ll need ongoing processes to protect and govern sensitive data.

However, a company’s approach to data retention and deletion will vary based on the laws of its country and corporate policies. You need to define how often you review, delete, and archive sensitive data. Your company’s Data Governance Officer or legal department can offer guidance on what’s required.

Automating these ongoing operations can ease the burden of management. One opportunity for automation is auto-labeling of secure documents at different confidentiality levels. If you don’t properly label data as sensitive, you’ll be unable to locate, identify, or successfully govern it. 

3. Manage role-based access

A major tenant of Zero Trust, a security model that assumes breach and verifies each request, is to allow people to access only the resources that they use to complete their work. Assigning role-based access control helps you protect resources by managing who has access to resources, what they can do with those resources, and what resources they can access.

Develop a detailed lifecycle for access that covers employees, guests, and vendors. Don’t delegate permission setting to an onboarding manager as they may over-permission or under-permission the role. Another risk with handling identity governance only at onboarding is that this doesn’t address changes in access necessary as employees change roles or leave the company.

Instead, leaders of every part of the organization should determine in advance what access each position needs to do their jobs—no more, no less. Then, your IT and security partner can create role-based access controls for each of these positions. Finally, the compliance team owns the monitoring and reporting to ensure these controls are implemented and followed.

When deciding what data people need to access, consider both what they’ll need to do with the data and what level of access they need to do their jobs. For example, a salesperson will need full access to the customer database, but may need only read access to the sales forecast, and may not need any access to the accounts payable app. It’s about ensuring that people have the right access to the right information at the right time.

Other questions to ask when building your plan include:

  • How do you revoke access when someone no longer needs it due to a role change, offboarding, or another reason?
  • Have you set up recurring and exception-based monitoring and reporting to check what people are doing with the access they have? 
  • Could implementing a permissions management solution help reduce costs and workload to IT while increasing user productivity?

Organizations need to be able to prove to auditors and regulators that privacy policies are being followed and enforced within the company. Restricting network access based on the roles of individual users can assist with that.

Secure sensitive data with data governance

Data governance ensures that your data is discoverable, accurate, and trusted. Protect your sensitive data by launching a data governance plan that involves setting lifecycle controls of sensitive data, operationalizing data governance, and managing role-based access. As a follow-up to careful data discovery, data classification, and data protection, data governance can help you protect your sensitive data through its entire lifecycle according to industry regulations, which in turn will help you protect your employees, customers, prospects, and partners.

Read more about data governance and protecting sensitive data:

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.


1GDPR personal data – what information does this cover?, GDPR.

2GDPR Article 5(1)(c), EUR-Lex. 2016.

The post 3 strategies to launch an effective data governance plan appeared first on Microsoft Security Blog.

Microsoft shares 4 challenges of protecting sensitive data and how to overcome them

March 1st, 2022 No comments

Breaches of sensitive data are extremely costly for organizations when you tally data loss, stock price impact, and mandated fines from violations of General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), or other regulations. They also can diminish the trust of those who become the victims of identity theft, credit card fraud, or other malicious activities as a result of those breaches. In 2021, the number of data breaches climbed 68 percent to 1,862 (the highest in 17 years) with an average cost of USD4.24 million each.1 About 45 million people were impacted by healthcare data breaches alone—triple the number impacted just three years earlier.2

Sensitive data is confidential information collected by organizations from customers, prospects, partners, and employees. Common types of sensitive data include credit card numbers, personally identifiable information (PII) like a home address and date of birth, Social Security Numbers (SSNs), corporate intellectual property (IP) like product schematics, protected health information (PHI), and medical record information that could be used to identify an individual.

Every level of an organization—from IT operations and red and blue teams to the board of directors— could be affected by a data breach. How do organizations identify sensitive data at scale and prevent accidental exposure of that data? Let’s look at four of the biggest challenges of sensitive data and strategies for protecting it.

1. Discovering where sensitive data lives

The data discovery process can surprise organizations—sometimes in unpleasant ways. Sensitive data can live in unexpected places within your organization. For instance, an employee may have stored a customer’s SSN in an unprotected Microsoft 365 site or third-party cloud without your knowledge. Of an estimated 294 million people hacked in 2021, about 164 million were at risk because of data exposure events—when sensitive data is left vulnerable online.3   

The only way to ensure that your sensitive data is stored properly is with a thorough data discovery process. Scans for data will pick up those surprise storage locations. However, it’s close to impossible to handle manually.

2. Classifying data to learn what’s most important

That leads right into data classification. Once the data is located, you must assign a value to it as a starting point for governance. The data classification process involves determining data’s sensitivity and business impact so you can knowledgeably assess the risks. This will make it easier to manage sensitive data in ways to protect it from theft or loss.

Microsoft uses the following classifications:

  • Non-business: Data from your personal life that doesn’t belong to Microsoft.
  • Public: Business data freely available and approved for public consumption.
  • General: Business data not meant for a public audience.
  • Confidential: Business data that can cause harm to Microsoft if overshared.
  • Highly confidential: Business data that would cause extensive harm to Microsoft if overshared.

Identifying data at scale is a major challenge, as is enforcing a process so employees manually mark documents as sensitive. Leveraging security products that enable auto-labeling of sensitive data across an enterprise is one method, among several that help overcome these data challenges.

3. Protecting important data

After classifying data as confidential or highly confidential, you must protect it against exposure to nefarious actors. Ultimately, the responsibility of preventing accidental data exposure falls on the Chief Information Security Officer (CISO) and Chief Data Officer. They are accountable for protecting information and sharing data via processes and workflows that enable protection, while also not hindering workplace productivity.

Data leakage protection is a fast-emerging need in the industry. The Allianz Risk Barometer is an annual report that identifies the top risks for companies over the next 12 months. For the 2022 report, Allianz gathered insights from 2,650 risk management experts from 89 countries and territories. Cyber incidents topped the barometer for only the second time in the survey’s history. At 44 percent, cyber incidents ranked higher than business interruptions at 42 percent, natural catastrophes at 25 percent, and pandemic outbreaks at 22 percent.4

4. Governing data to reduce unnecessary data risks

Data governance ensures that your data is discoverable, accurate, trusted, and can be protected. Successfully managing the lifecycle of data requires that you keep data for the right amount of time. You don’t want to store data longer than necessary because that increases the amount of data that could be exposed in a breach. And you don’t want to delete data too quickly and put your organization at risk of regulatory violations. Sometimes, organizations collect personal data to provide better services or other business value. For instance, you may collect personal data from customers who want to learn more about your services. To abide by the data minimization principle, once the data is no longer serving its purpose, it must be deleted.

How to approach sensitive data

The fallout from not addressing these challenges can be serious. Organizations can face big financial or legal consequences from violating laws or requirements. A couple of well-known brands, for instance, were fined hundreds of millions of euros in 2021. One of these fines was related to violating the GDPR’s personal data processing requirements. Another was because of insufficient detail to consumers in a privacy policy about data processing practices. The data protection authorities have issued a total of $1.25 billion in fines over breaches of the GDPR since January 28, 2021.5

Considering the potentially costly consequences, how do you protect sensitive data? As mentioned earlier, data discovery requires locating all the places where your sensitive data is stored. This is much easier with support for sensitive data types that can identify data using built-in or custom regular expressions or functions. Since sensitive data is everywhere, we recommend looking for a multicloud, multi-platform solution that enables you to leverage automation.

For data classification, we advise enforcing a plan through technology rather than relying on users. After all, people are busy, can overlook things, or make errors. Also, organizations can have thousands of sensitive documents, making manual identification and classification of data untenable because the process would be too slow and inaccurate. Look for data classification technology solutions that allow auto-labeling, auto-classification, and enforcement of classification across an organization. Trainable classifiers identify sensitive data using data examples.

Some solution providers divorce productivity and compliance and try to merely bolt-on data protection. Instead, we recommend an approach that integrates data protection into your existing processes to protect sensitive data. When considering plan protections, ask: Who can access the data? Where should the data live and where shouldn’t it live? How can the data be used?

Microsoft solutions offer audit capability where data can be watched and monitored but doesn’t have to be blocked. It can be overridden too so it doesn’t get in the way of the business. Also, consider standing access (identity governance) versus protecting files. Data leakage protection tools can protect sensitive documents, which is important because laws and regulations make companies accountable. 

Explore data protection strategies

Security breaches are very costly. Data discovery, data classification, and data protection strategies can help you find and better protect your company’s sensitive data. Learn more about how to protect sensitive data.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.


1Cost of a Data Breach Report 2021, Ponemon Institute, IBM. 2021.

2Cyberattacks Against Health Plans, Business Associates Increase, Jill McKeon, HealthITSecurity xtelligent Healthcare Media. January 31, 2022.

3Despite Decades of Hacking Attacks, Companies Leave Vast Amounts of Sensitive Data Unprotected, Cezary Podkul, ProPublica. January 25, 2022.

4Allianz Risk Barometer 2022: Cyber perils outrank Covid-19 and broken supply chains as top global business risk, Allianz Risk Barometer. January 18, 2022.

6Fines for breaches of EU privacy law spike sevenfold to $1.2 billion, as Big Tech bears the brunt, Ryan Browne, CNBC. January 17, 2022.

The post Microsoft shares 4 challenges of protecting sensitive data and how to overcome them appeared first on Microsoft Security Blog.

How Microsoft can help reduce insider risk during the Great Reshuffle

February 28th, 2022 No comments

These are exciting and demanding days for organizations adapting to hybrid work realities, including a wider distributed workforce and more rapid change in employee roles. Organizations are becoming more agile as they refocus on employee onboarding and empowerment, opportunities with third-party partners, and cloud transformation. These dramatic shifts drive business resilience and upside in a world still coping with pandemic disruptions.

These workplace shifts test and break an organization’s compliance postures as executive, IT, and risk professionals take stock of resulting gaps and blind spots. Research from Carnegie Mellon University’s CyLab, with support from Microsoft, found that a majority of surveyed organizations had experienced over five malicious insider threat incidents in the last year (69 percent of respondents), and over 10 inadvertent or data misuse incidents (58 percent of respondents).1

Underscoring the stakes of the moment is the business sector’s high-profile challenge: the Great Reshuffle of employee roles and talent. Microsoft’s 2021 Work Trend Index found that 41 percent of the global workforce was considering leaving their employer due to burnout and a lack of workplace flexibility.2 The cyber risk ramifications of reshuffles like this are clear when you consider the data exposure that can occur with a mix of departing employees and new staff unfamiliar with the organization’s security and compliance policies.

The best course of action for navigating the changing data landscape isn’t overly restricting employee access or aggressively punishing small errors. Organizations need a solution that lends employees the access they need while providing IT teams tools to quickly identify risky insider activity. This balance of trust is critical when implementing an insider risk program and can create a culture of empathy that empowers employees to work safely and independently.

We’re excited to announce a few new features that can help organizations better manage their insider risks, while also facilitating a corporate culture of safety and respect.

Improving insider risk management visibility, context, and integrations

Identifying and managing security and data risks inside your organization can be challenging. Insider risk management in Microsoft 365 helps minimize internal risks by empowering security teams to detect and act on malicious and inadvertent activities in your organization. Where traditional tools and strategies may focus on preventing sensitive data from leaving your organization, insider risk management leverages machine learning to correlate signals around risky user behavior and identify which activities may result in data theft or data leakage. These insights help security teams to identify potential concerns and can help accelerate time to action.

Communication compliance in Microsoft 365 helps organizations foster safe and compliant communications across corporate communications. In the world of hybrid work, organizations seek out communication and collaboration tools to empower employees to do their best work. At the same time, they need to manage risk in communications to protect company assets, fulfill regulatory compliance obligations, and detect code of conduct violations, like harassing or threatening language, sharing of adult content, and inappropriate sharing of sensitive information. We are honored that  Gartner® has listed Microsoft as a Leader in its 2022 Magic Quadrant™ for Enterprise Information Archiving, a market “designed for archiving data sources to a centralized platform to satisfy information governance requirements.”3

Built with privacy by design, the solutions ensure that user names are pseudonymized by default, role-based access controls are built-in, and investigators must be explicitly added by an administrator.

Today, Microsoft is excited to announce new functionalities in insider risk management and communication compliance for Microsoft 365:

  • Enhancements to sequence detections.
  • Enhancements and additions to insider risk investigation capabilities.
  • Enhanced cumulative exfiltration anomaly detection capabilities.
  • Enhanced audit trail of investigator and analyst activity.
  • New classifier to detect customer complaints made about your organization’s products or services in communication compliance.

Microsoft 365 E3 customers are welcome to sign up for an Insider Risk Management Trial or the Microsoft E5 Compliance Trial through the Microsoft compliance center.

Enhancements to sequence detections

To help security and risk management teams accelerate time to action when it comes to insider risk management, it’s important to provide a rich context of risky user activity that goes beyond a transactional view.

In 2021, we introduced sequence detection to help analysts and investigators identify a series of connected activities and get a better understanding of intent. Today, we’re excited to announce enhancements to our sequence detections, including the ability to identify changes in document sensitivities, such as a document label being downgraded from Confidential to Public in an effort to evade detections. Insider risk can also detect sequences that may start on an endpoint device, providing greater visibility into the risky activity that may start on a workstation or device. We’ve also included additional exfiltration signals to broaden the coverage of sequences, including visibility for when a user uploads data to a cloud as a potential exfiltration step.

Enhancement and additions to insider risk investigation capabilities

With insider risk management, your security, data protection, or investigative teams have new tools and capabilities to better understand and investigate the risky activities happening in your environment.

This update includes an improved user experience for drilling down into sequences within the activity explorer. With these latest updates, security teams can get better insights into user activity types, including the ability to filter by activity category in the user activity view.

The improved alert triage experience in insider risk management includes a new summary user alert history timeline to provide better context, as well as an enhanced alert overview page.

New summary alert timeline in Insider Risk provides context on risky user activity.

Furthermore, insider risk management administrators can now set up email notifications for high severity alerts or for policy health recommendations.

Enhanced cumulative exfiltration anomaly detection capabilities

With cumulative exfiltration anomaly detection (CEAD) in insider risk management, organizations can leverage machine learning models to detect when a user’s exfiltration activities exceed the organizational averages. This can help to detect exfiltration activities that security teams might traditionally miss through data loss prevention (DLP) or structured policies alone. Learn more about CEAD.

Enhanced alert review experience, including the new visual for cumulative exfiltration anomaly detection.

With these latest updates, there are new visuals to represent potentially risky activity, making it easier for investigative or analyst teams to review and triage user activity against the organizational normal. CEAD will also prioritize cumulative exfiltration of sensitive documents based on prioritized SharePoint sites and built-in sensitive information types, as well as Microsoft Information Protection (MIP) label prioritization.  

Enhanced audit trail of investigator and analyst activity

When security or investigative teams are looking into organizational activity, it is crucial that investigations align with regulatory requirements and your organization’s compliance and security policies. It is also key to ensuring objectivity on the part of the investigators and analysts who are reviewing user activities.

Microsoft is announcing new audit events for insider risk management, including audit events of activities within the content explorer, activity explorer, and user timeline. These additional audit log events mean that anyone reviewing audit logs will have a better understanding of what investigators or analysts did within the insider risk management interface.

New customer complaints model in communication compliance

In highly regulated industries, such as financial services, pharmaceuticals, and food, organizations are mandated by law to track and address customer complaints made on their products or services. We are excited to announce the preview of a new customer complaint classifier that detects possible complaints filed by customers and surfaces matches for customer complaint management.

This new feature can help organizations meet regulations that mandate detection and triage of complaints, such as the Consumer Financial Protection Bureau and the Food and Drug Administrator requirements. Additionally, this feature can help organizations gain insight into how to improve their products and services.

View of customer complaints classifier during policy configuration.

Microsoft partners with other security leaders to address insider risk

In addition to our work in growing the capabilities of our insider risk management and communication compliance solutions, Microsoft is focused on reducing insider risks through partnerships and knowledge sharing. Microsoft is a Founding Research Sponsor of MITRE Engenuity’s Center for Threat-Informed Defense (Center), which launched a knowledge base to identify insider threats. See the Center’s release announcement here.

This latest resource from the Center is designed to help insider threat programs and security operation centers (SOCs) “detect, mitigate, and emulate insider actions on IT systems” and to stop those behaviors deemed risky or damaging. These resources include a Knowledge Base of Tactics, Techniques, and Procedures (TTPs) and the Design Principles and Methodology report.

As a Founding Research Sponsor, Microsoft researchers and security practitioners collaborated with other security industry partners to share TTPs and insights for what we are seeing in the insider risk space. “Microsoft’s work with the Center team and other security leaders confirms that insider risks pose a huge threat and that detection requires context beyond standard TTPs. Through this program, Microsoft’s Digital Security and Resilience and engineering teams partnered with and learned from others, and we are excited to see the collaboration in this space grow,” shared Rob McCann, Principal Data Scientist in Microsoft’s Security Research division. “This initial Knowledge Base sets the stage for industry-wide expansion and increased awareness of insider risk across the security community, and helps lay a foundation for further development and understanding of the insider risk landscape. This is an exciting step forward, and we’re grateful to have been a part of it.”

The insights and learnings from Microsoft’s participation in the Center have reaffirmed the priorities that have shaped Microsoft’s investments, both internally and in solutions available to our customers, including insider risk management.

Building an effective insider risk program

Over the past 18 months, we have seen high-profile insider risk incidents across a number of industries, ranging from data theft to corporate code of conduct violations. Recent high-profile examples have included the theft of confidential documents related to COVID-19 vaccines in the pharmaceutical industry to workplace harassment.

PwC and Microsoft advocate for an enterprise-wide approach to insider risk by leveraging key stakeholders to identify potential insider risks and tailor technical controls to address them. See how your organization can benefit from this approach by downloading the PwC and Microsoft whitepaper Building an effective insider risk management program.

Get started

These new features in insider risk management and communication compliance for Microsoft 365 have already rolled out or will start rolling out to customer tenants in the coming weeks. These solutions are also generally available across government clouds, supported in Government Community Cloud (GCC), GCC-High, and US Department of Defense (DoD) tenants.

We are happy to share that there is now an easier way for you to try Microsoft compliance solutions directly in the Microsoft 365 compliance center. By enabling the trial in the compliance center, you can quickly start using all capabilities of Microsoft Compliance, including insider risk management, communication compliance, records management, Advanced Audit, Advanced eDiscovery, MIP, DLP, and Compliance Manager.

If you are a current Microsoft 365 E3 user and interested in experiencing insider risk management, check out the Insider Risk Management Trial or the Microsoft E5 Compliance Trial to see how insider risk solutions and analytics can give you actionable insights.

Learn more about how to get started and configure policies in your tenant in the supporting documentation for insider risk management and communication compliance. Keep a lookout for updates to the documentation with information on the new features over the coming weeks.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.


1Insider Risk Management Program Building: Summary of Insights from Practitioners, CyLab, Carnegie Mellon University. May 2021.

2The Great Reshuffle and how Microsoft Viva is helping reimagine the employee experience, Seth Patton, Microsoft 365. September 28, 2021.

3Gartner, Magic Quadrant for Enterprise Information Archiving, Michael Hoeck, Jeff Vogel, Chandra Mukhyala, Gartner. January 24, 2022.

Gartner and Magic Quadrant are registered trademarks of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

The post How Microsoft can help reduce insider risk during the Great Reshuffle appeared first on Microsoft Security Blog.

Gartner® names Microsoft a Leader in the 2022 Magic Quadrant™ for Enterprise Information Archiving

January 28th, 2022 No comments

With data doubling every two years, it is more critical than ever to have simple and integrated tools to understand and manage risks to an organization. As more people work remotely, users collaborate and store data in different locations. These secular trends offer new possibilities in how work gets done—but also expose an organization to new and expanded risks: increased exposure to data breaches, costs associated with finding relevant data quickly, and meeting compliance requirements. These trends and challenges emphasize the need for a comprehensive enterprise information archiving (EIA) solution that can balance risk and productivity across multiple clouds and systems.

The Microsoft Compliance suite offers an integrated set of solutions to address the information risk and archiving challenges our customers face. We introduced multiple innovations over the past few years:

  • Seamless risk management. Risk management is no longer a siloed activity. An EIA solution needs to work seamlessly with security, compliance, and productivity solutions. Our Microsoft 365 Advanced eDiscovery solution, for example, can automatically collect linked content with the original message in Microsoft Teams, Yammer, and Outlook.
  • Leveraging machine learning to manage data at scale. With the large volume of data created every day, it is impossible to manually manage an organization’s content. It is easiest to manage data at scale with machine learning integrated throughout business processes, rather than as a separate add-on. For example, our trainable classifiers categorize content for retention, deletion, and protection policies.
  • New data types and multi-cloud compliance. The rise of text messages, asynchronous communication, and other communication modes creates a variety of formats to manage risk and compliance. This year Microsoft introduced 65 plus new connectors built by Microsoft and partners. Customers can leverage their investments in Microsoft 365 Compliance to manage imported data alongside their Microsoft 365 data.

We are honored that Gartner has listed Microsoft as a Leader in its 2022 Magic Quadrant™ for Enterprise Information Archiving in recognition of our ability to execute and completeness of vision. This is the fourth consecutive year that Gartner recognized Microsoft as a Leader in this critical space. Additionally, Microsoft placed highest in the ‘ability to execute.’ Read the full report.

Gartner 2022 Magic Quadrant for E I A chart depicting Microsoft under the Leaders category in the top right hand corner.

According to Gartner, “Leaders have the highest combined measures of ability to execute and completeness of vision. They may have the most comprehensive and scalable products. They have a proven track record of financial performance and an established market presence. In terms of vision, they are perceived to be thought leaders, with well-articulated plans for ease of use, product breadth, and how to address scalability. For vendors to have long-term success, they must plan to address the expanded market requirements for EIA, including support for multiple content types; support for the cloud; solid, relevant e-discovery functionality; and a seamless user experience.”

To us, this recognition would not be possible without the close partnership with our customers that provides critical insights for our solutions. We look forward to continuing this partnership and product innovation.

Learn more

We invite you to read to full Gartner® 2022 Magic Quadrant™ for Enterprise Information Archiving report.

For more details about our enterprise information archiving solution, please visit our website or view our Microsoft 365 for business subscription.

Microsoft continues to be a Leader in four additional Gartner Magic Quadrant reports in the broader security space:

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.


Gartner does not endorse any vendor, product, or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

GARTNER and Magic Quadrant are registered trademarks and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and are used herein with permission. All rights reserved.

Gartner, Magic Quadrant for Enterprise Information Archiving, by Michael Hoeck, Jeff Vogel, Chandra Mukhyala. 24 January 2022.

The post Gartner® names Microsoft a Leader in the 2022 Magic Quadrant™ for Enterprise Information Archiving appeared first on Microsoft Security Blog.

Categories: Compliance, cybersecurity Tags:

Privacy compliance for smart meter infrastructure with Microsoft Information Protection and Azure Purview

June 2nd, 2021 No comments

Smart meters and smart grid infrastructure have been deployed in many of the world’s electric distribution grids. They promise energy conservation, better grid management for utilities, electricity theft reduction, and a host of value-added services for consumers. To deliver on this promise, they need to collect granular electric usage data and make this available to the stakeholders who need it. This has created consumer privacy concerns which are being addressed with security and governance programs, like Microsoft Information Protection and Azure Purview, and with regulation by the government. The ability to protect and govern smart meter data is critical to addressing consumer privacy. It’s also critical to making the data available to realize the return on investment in terms of environment, safety, savings, and enhanced services to consumers.

Smart grid data contains private information

Smart meter data is personally identifiable information (PII). Information potentially available through the smart grid includes:

NISTIR 7628, Guidelines for Smart Grid Cybersecurity volume 2, Table 5-1. Information Potentially Available Through the Smart Grid.

Figure 1: Information potentially available through the smart grid.1

This gives rise to a range of privacy concerns from personal data exposure for embarrassment or extortion, determination of behavior patterns for unwanted marketing, by criminals who might be casing a premises or seeking to exploit children, or inappropriate uses by government.

Depending on the granularity and character of data collected, smart meter data can be disaggregated to reveal private information:

NISTIR 7628, Guidelines for Smart Grid Cybersecurity volume 2, Figure 5-2. Using Hidden Markov Models to Produce an Appliance Disaggregation.

Figure 2: Using hidden Markov models to produce an appliance disaggregation.2

Electric meter data was generally not a focus of privacy concern prior to smart meters. With smart meters, there is the potential for the data to be near real-time and with a frequency and granularity not previously available. The potential value of smart meter data for demand management programs, time of use pricing, outage management, grid optimization, energy theft reduction, unlocking the value of smart cities, and other uses increases as does the frequency and granularity of the data.

Utilities and other stakeholders need to do a privacy impact assessment (PIA) for the use of this data. Part of this process is to set out the controls that will be used to govern the data.

Many of the same regulations and standards that cover PII in general apply to smart meter information. These include General Data Protection Regulation (GDPR), California Consumer Privacy Act, Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), Brazil’s General Data Protection Act (LGPD), and many other established and emerging privacy regimes. A geographic summary of privacy regulations is provided by the global law firm DLA Piper.

Where is PII from smart meters located?

Smart meter data is in the meters themselves and the backhaul infrastructure, potentially passing through range extenders, connected grid routers on its way to the head end. From here it is made available to the utility departments and other organizations as permitted in databases and data reservoirs to derive value from the data.

Conceptual Reference Diagram for Smart Grid Information Networks. Ref NIST Special Publication 1108R2, Figure 3-2.

Figure 3: Conceptual reference diagram for smart grid information networks.3

With the range of stakeholders that need access to the data, there will be a variety of technologies and architectures that must be governed. Broadly, there will be PII in structured resources like SQL or SAP S/4HANA databases, and unstructured like desktop application files and email or data repositories like Azure Blob, Data Lake Storage, or Amazon S3.

The data should be governed during its full lifecycle from collection through to secure auditable disposal—both inside the utility’s environment and outside as third parties access the data for permitted uses.

Protect and governing PII from smart meters

The Microsoft Information Protection and Governance framework protects and governs Microsoft 365 data, including desktop applications, email, on-premises repositories, and with Microsoft Cloud App Security, both in our own- and third-party clouds and on Windows 10 endpoints like laptops.

Most impactful for smart meter data, we now have Azure Purview (now in preview) for structured and unstructured data outside of Microsoft 365, such as in databases, data lakes, SAP, and a range of other environments where smart meter data is stored and used to extract value.

Microsoft Information Protection and Governance framework.

Figure 4: Microsoft Information Protection and Governance.

To properly protect and govern PII in smart grid data, we need to identify and inventory this data across our cloud and on-premises environment. We need to protect this data with durable security policies that stay with the data throughout its lifecycle. We need to implement Data Loss Prevention (DLP) to keep the information from traveling to places it should not go and we need to dispose of data when it’s no longer needed for business purposes. The deletion should be permanent and auditable.

Microsoft Information Protection as part of Microsoft 365 provides the tools to know your data, protect your data, and prevent data loss. It provides users with a native experience in their documents and emails, providing automation to recognize PII and either recommend the user apply a sensitivity label with the option to override this suggestion with auditable justification to enforce the application of the label.

Microsoft Information Protection provides real time assistance to users with a native experience while they work. Users receive suggestions and can automatically label data or override the suggestion with auditable justification if configured by the administrator.

Figure 5: Microsoft Information Protection provides real-time assistance to users with a native experience while they work.

The sensitivity label can enforce encryption, scoping the document to be consumed only by the intended organization, teams, or individuals. It can enforce watermarking, disable cut and paste, and a range of other security policies for the life of the document, even when it leaves the sender’s environment.

PII such as credit card numbers can be recognized as out-of-box sensitive information types and then be tuned to reduce false positives. Custom sensitive information types can be informed by keywords, keyword dictionaries, or regular expressions which are particularly useful for recognizing utility account numbers or smart meter numbers. Machine learning can be used to recognize documents by using trainable classifiers to reason over a sample of relevant documents to recognize documents that are like these.

Sensitive data can be identified, inventoried, and protected as it is created, in the cloud with Microsoft Cloud App Security (MCAS) or with on-premises resources using the Azure Information Protection (AIP) scanner.

These sensitivity labels and sensitive information types can trigger DLP policies across email, desktop applications, SharePoint sites, OneDrive, Windows 10 devices, Teams, and third-party clouds. The policies are managed with a unified experience across Office 365, cloud, on-premises, and endpoint locations.

Data loss prevention policies can be triggered by sensitivity labels or sensitive information types. These policies can be administered for email, SharePoint, OneDrive, Teams, endpoints, on premises repositories and third party clouds from a single admin interface.

Figure 6: Selections of locations to apply policy.

Files and emails can be tagged with retention labels as well as sensitivity labels. Like sensitivity labels in Microsoft Information Protection, they can be applied manually or in an automated way based on out-of-box, custom information types, or machine learning with trainable classifiers.

Retention labels can enforce auditable retention, deletion and disposition review of documents and emails in the Microsoft 365 tenant.

Figure 7: Records management.

Retention labels can enforce auditable retention, deletion, and disposition review of documents and emails in the Microsoft 365 tenant.

This can facilitate compliance with privacy regulations, but also regulations that require retention for discovery purposes such as utility commissions or Freedom of Information (FOI) requests.

Visualization and reporting for sensitive data, including smart meter PII as well as the retention labels and policies applied, are available from the compliance portal so that sensitive data can be inventoried, managed, and reported on.

Azure Purview

Azure Purview is a unified data governance service that helps you manage and govern your on-premises, multi-cloud, and software as a service (SaaS) data. We’ll focus on PII data discovery in this post.

Azure Purview Data Map captures metadata across a wide range of data sources and file types with automated data discovery and sensitive data classification. Azure Purview extends our information protection and governance capabilities beyond Microsoft 365.

Among the broad list of data sources, you’ll be able to scan SQL databases, Azure Blob Storage, Azure Data Lake Storage, Azure Cosmos DB, AWS S3 buckets, Oracle databases, SAP ECC, and SAP S/4HANA.

Azure Purview creates a data map for a broad list of sources including but not limited to SQL databases, Azure Blob Storage, Azure Data Lake Storage, Azure Cosmos DB, AWS S3 buckets, Oracle databases, SAP ECC, and SAP S/4HANA.

Figure 8: Metadata map.

The data in these sources can be classified and labeled by out-of-box and custom sensitive information types, including those defined for smart grid PII.

The data in the sources connected to Azure Purview can be classified and labelled by out of the box and custom sensitive information types, including those defined for smart grid PII.

Figure 9: Microsoft Azure Purview classification rules.

The sensitive information types and sensitivity labels are made available to Azure Purview from the Microsoft 365 Compliance Center, the same place the Microsoft Information Protection rules are managed, creating a unified experience for the administrators.

The sensitive information types and sensitivity labels are made available to Azure Purview from the Microsoft 365 Compliance Center, the same place the Microsoft Information Protection rules are managed, creating a unified experience for the administrators.

Figure 10: How to edit label sensitivity.

Custom classifications and rules to identify custom sensitive data types or keywords can be created in the Azure Purview solution.

Azure Purview provides reporting that shows where sensitive data such as PII is located across an organization’s data estate. Sensitivity labels with security policy can be applied to this data. The repositories where sensitive data is located can have additional security added or the data can be removed from locations where it does not belong.

Azure Purview provides reporting that shows where sensitive data such as PII is located across an organization’s data estate. Sensitivity labels with security policy can be applied to this data.

Figure 11: Azure Purview showing locations where sensitive data exists.

Azure Purview can validate that the Data Privacy Impact Assessment (DPIA) and controls undertaken by an organization around sensitive smart grid data are being enforced. This reporting can provide evidence to a regulator that an organization’s commitments to security and privacy that enabled the use of customer’s private data have been upheld.

Azure Purview does not move or store customer data outside of the geographic region in which it is deployed so data residency requirements can be met.

In addition to helping protect sensitive data, Microsoft also offers agentless, security monitoring for industrial control system (ICS) and operational technology (OT) networks to rapidly detect and respond to anomalous or unauthorized activities in control networks. Azure Defender for IoT integrates with existing security operations center (SOC) tools (like Azure Sentinel, Splunk, IBM QRadar, and ServiceNow), is broadly deployed in production across power distribution and generation sites worldwide, and is available for both on-premises and cloud-connected environments.

Microsoft 365 Information Protection and Governance and Azure Purview together provide tools to protect and govern smart meter data and other sensitive data for utilities. The more effectively we can implement protection and governance of this data, the more we can make use of it and derive value for the ratepayers who have invested in the smart grid.

Learn more

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.


1NISTIR 7628, Guidelines for Smart Grid Cybersecurity volume 2, Table 5-1.

2NISTIR 7628, Guidelines for Smart Grid Cybersecurity volume 2.

3NIST Special Publication 1108R2.

The post Privacy compliance for smart meter infrastructure with Microsoft Information Protection and Azure Purview appeared first on Microsoft Security.

How a positive hybrid work culture can help you to mitigate insider risk

May 17th, 2021 No comments

As Vasu Jakkal recently shared, we are operating in the most sophisticated threat landscape ever seen, and coupled with the next great disruption—hybrid work—security is more challenging than ever. Protecting from external threats is only one part of the challenge, though. You also must protect from the inside out—another facet of “assume breach” in your Zero Trust approach. Insider risks can be malicious or inadvertent, but all impact your most important asset: your data.

As our recent Work Trend Index showed, people are collaborating, chatting, emailing, and sharing in new ways and greater volume than ever before. Between February 2020 and February 2021, the time spent in Microsoft Teams meetings more than doubled (2.5 times) globally, the average Teams user is sending 45 percent more chats per week, the number of emails delivered to commercial and education customers is up by 40.6 billion, and we’ve seen a 66 percent increase in the number of people working on documents.

That same report also found that people are burned out. One in five global survey respondents say their employer doesn’t care about their work-life balance, with 54 percent feeling overworked and 39 percent feeling exhausted. And there are trillions of productivity signals from Microsoft 365 quantifying the precise digital exhaustion workers are feeling.

Not only does this create challenges for productivity and engagement, but it also creates risk for the organization. A recent study out of CyLab, Carnegie Mellon University’s Security and Privacy Institute—conducted with support from Microsoft—found that of the organizations who participated in the research study, 69 percent had more than 5 malicious, high-concern insider incidents in 2020, 44 percent had more than 10 incidents, and 11 percent had more than 100 incidents, such as financial fraud, sabotage, data theft, or workplace violence. The report also drew a direct correlation between the stressors impacting employees and an increase in insider risk incidents. A positive corporate culture, in which employees are engaged, rewarded, and supported, can decrease both malicious and inadvertent insider risks, such as data loss, data theft, insider trading, and others.

“A well-balanced insider risk program can become known as an advocate for employee wellbeing and a means for a more productive, engaged, connected, and committed workforce.”—Carnegie Mellon University

What can you do to mitigate risk in your organization?

  1. Listen to and empower your people: As the Work Trend Index research shows, the pandemic has taken its toll on the workforce in ways never before imagined. Stressful events can lead to individuals feeling overwhelmed or burned out, which may lead to an increase in risk for the organization. To reduce this risk and support the wellbeing of your people, it’s important that you create channels and mechanisms to listen to their concerns, giving you an opportunity to get feedback and helping them prioritize. Most importantly, ensure your people know they are valued by the organization and that they play a critical role in keeping you and your critical data safe and secure.
  2. Embrace collaboration: Insider risk management programs often focus exclusively on implementing tools and technology without incorporating the necessary organizational, risk management, and cultural considerations. Technology plays an important role, but it is just one component of an effective program. Addressing insider risk effectively requires a collaborative approach across business leaders, HR, legal, and security. It also requires education and engagement with all people in the organization.
  3. Take a holistic approach: Identifying insider risks can be complex, and it often feels like trying to find a needle in a haystack. In working with customers, we’ve found that taking a holistic, purpose-built approach that can pull signals together into a cohesive view across your organization gives you a better understanding of the relevant trends in your organization and better risk reduction. In fact, we took this approach ourselves to ensure that it’s easy to get started, yet configurable to meet your wide variety of needs. In addition to the rich set of capabilities we announced at Ignite, we recently added new capabilities, including the user activity report and activity explorer, to our insider risk management solution to expand the analytics and reporting to ensure you have the broadest view of insider risks in your organization.

As you embrace this new hybrid work world, mitigating insider risk is more critical than ever. We’re here to help as you continue this journey.

Learn more

You can learn about insider risk management and stay up to date by following our insider risk blog. You can also listen to our podcast Uncovering Hidden Risks.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post How a positive hybrid work culture can help you to mitigate insider risk appeared first on Microsoft Security.

Categories: Compliance, cybersecurity Tags:

Meet critical infrastructure security compliance requirements with Microsoft 365

April 27th, 2021 No comments

Critical infrastructure operators face a hostile cyber threat environment and a complex compliance landscape. Every operator of an industrial control system also operates an IT network to service its productivity needs. A supervisory control and data acquisition (SCADA) system operator of a power grid or chemical plant needs email, databases, and business applications to support it, much like any enterprise.

IT environments, with their large attack surface, can be the entryway to attack critical infrastructure even where those IT systems are not critical infrastructure themselves. Security and compliance failures may include life safety, environmental, or national security consequences—a different risk management challenge from other enterprise IT systems.

Ransomware, thought more of as an IT problem as opposed to an industrial control system (ICS) one, has been used to attack critical infrastructure operators Norsk Hydro, Brazilian utilities Electrobras and Copel, as well as Reading Municipal Light Department and Lansing Board of Water and Light among other US utilities. Dragos and IBM X-Force identified 194 ransomware attacks against industrial entities between 2018 and 2020, including ICS-specific strains like EKANS.

The range of threats to our increasingly converged IT and ICS environments highlights the need for a combined approach to IT and ICS security.

Azure Defender for IoT is the cornerstone of security for on-premises, cloud, and hybrid ICS. In addition to the anti-malware features of Microsoft 365, the integration of Advanced Threat Protection (ATP) and Microsoft Compliance Manager to manage, visualize, and report on standards-based compliance are also foundational.

Complex compliance landscape

As the cyber threat landscape to ICS has grown more hostile and publicized, the compliance responsibilities of critical infrastructure operators have increased as well. In the US and Canada, Bulk Electric System (BES) participants need to comply with the North American Electric Reliability Corporation Critical Infrastructure Protection Standards (NERC CIP), as well as using NIST 800-53 as the basis for their organizational security policies and benchmarking to the National Institute of Standards and Technology (NIST) Cybersecurity Framework. They may also be architecting their ICS to IEC62443/ISA 99. Many forward-looking utilities are increasing their use of the cloud through infrastructure as a service (IaaS), platform as a service (PaaS), and software as a service (SaaS) like Microsoft 365 with Zero Trust architecture.

While NERC CIP standards were written around on-premises systems, NERC has become more open to Registered Entities’ use of the cloud for Bulk Electric System Cyber System Information (BCSI). This includes NERC’s Order on Virtualization and Cloud Computing Services and their Technical Rationale for Reliability Standard CIP-011-3, where they discuss risk assessment of a cloud services provider. This risk assessment will include the ongoing standards-based assessment of the cloud service provider.

Comprehensive and efficient compliance

As an organization moves workloads to the cloud, they move responsibility for a portion of the security controls to the cloud service provider.

The shared responsibility model for cloud security. As cloud service provider takes responsibility for controls, the cloud customer can use their resources to focus on the controls for which they remain responsible.

The organization can thus focus its resources on the remaining security controls and on vetting how the cloud service provider manages the security controls for which it is responsible.

With Office 365, customers dramatically reduce the number of NIST 800-53 controls they are responsible for as opposed to an on premises deployment.

When customers use Office 365, Microsoft helps them manage 79 percent of the 1,021 NIST 800-53 controls, so customers need only focus on implementing and maintaining the remaining 21 percent of the controls. By using the shared responsibility model, these customer resources are made available to further secure their systems. Customers that are using on-premises infrastructure to provide those functions need to implement and maintain all 1,021 controls.

Tools for comprehensive and efficient compliance

Microsoft Compliance Manager is a feature in Microsoft 365 compliance center. It uses signals from the customer’s Microsoft 365 tenant, Microsoft’s compliance program, and workflows completed by the customer to manage and report compliance against regulatory and industry-standard templates. These templates include NERC CIP, NIST Cybersecurity Framework (CSF), NIST 800-53, and the US Protecting and Securing Chemical Facilities from Terrorist Attacks Act (H.R. 4007), as well as more than 330 standards-based assessments globally. You can also create custom templates based on other standards or mapped to your own policies and control set.

With each Compliance Manager assessment template, you get simplified guidance on “what to do” to meet the regulatory requirements. In this regard, you get to understand what controls are Microsoft’s responsibility as your cloud service provider and what controls are your responsibility. Furthermore, for each of the controls that are your responsibility, we break down actions that you need to take to meet these control requirements. These actions can be procedural, documentation, or technical.

For technical actions, you get step-by-step guidance on how to use Microsoft security, compliance, identity, or management solutions to implement and test technical actions. With this detailed information, you can efficiently implement, test, and demonstrate your compliance against regulations as per your industry and region. This information also helps you to draw maximum benefits from your Microsoft 365 security and compliance solutions. Once you create assessments within Compliance Manager, we make it very easy for you to understand what solutions you can use to implement and test technical actions on Compliance Manager.

The Microsoft 365 Compliance Manager Solutions page, showing how the various solutions contribute to Compliance Score and compliance posture.

You can use the custom assessment feature to “extend” Compliance Manager assessment templates to track compliance against any non-Microsoft 365 assets as well. With this functionality, Compliance Manager helps you to track and manage compliance across all your assets.

There are different template sets available for the different license levels.

Microsoft updates the assessment templates when the standards change, relieving the customer of this responsibility. The changes are called out to the customer and the option to update the assessment is provided.

Compliance Manager tracks, reports, and provides visualizations for:

  • Microsoft-managed controls: these are controls for Microsoft cloud services, for which Microsoft is responsible for implementing.
  • Your controls: these are controls implemented and managed by your organization, sometimes referred to as “customer-managed controls.”
  • Shared controls: these are controls that both your organization and Microsoft share responsibility for implementing.

The assessments are provided with visualizations that allow the user to drill down into the individual control status and view evidence. High impact improvement actions are suggested.

Microsoft 365 Compliance Manager NIST Cybersecurity Framework assessment dashboard.

Microsoft 365 Compliance Manager NIST Cybersecurity Framework controls view with benchmark visualization.

Compliance Manager covers both the Microsoft and customer-managed controls as part of the shared cloud security and compliance responsibility model. Automated workflows and evidence repositories are provided for customer-managed and shared controls.

Microsoft 365 customer control workflow. Assign a control to a team member to provide input and upload evidence on a schedule to support customer's compliance program.

You can assign a stakeholder and an automated message with instructions and upload link is provided on a schedule to remind them of the compliance activity required, report status, and upload evidence. This provides an efficient and defensible system to respond to auditors and benchmark compliance programs.

Many of the controls that enable compliance for critical infrastructure operators are common across the standards, so implementing a control once enables compliance across multiple standards.

Mapping controls across standards such as:

NIST CSF Category NIST CSF Subcategory NIST 800-53 Rev. 4 Control ISO 27001 Control NERC CIP Control
Access Control (PR.AC): Access to assets and associated facilities is limited to authorized users, processes, or devices, and to authorized activities and transactions. PR.AC-1: Identities and credentials are managed for authorized devices and users. NIST SP 800-53 Rev. 4 AC-2, IA Family ISO/IEC 27001:2013 A.9.2.1, A.9.2.2, A.9.2.4, A.9.3.1, A.9.4.2, A.9.4.3 CIP-004-6 – Access Management Program, parts 4 and 5

This crosswalk across standards is part of the Compliance Manager and populated automatically across a customer’s assessments.

Microsoft 365 Compliance Manager, control mapped across multiple standards. New standards based assessments in Compliance Manager are automatically populated with controls that have been implemented.

The level of effort to benchmark and report compliance with a new standards regime is dramatically reduced.

IT and ICS convergence is a continuing trend for critical infrastructure operators. Attack methodologies, surfaces, and threat actors are crossing over to put our most critical resources at risk. Compliance regimes must be efficiently met in an auditable way to protect the availability of our systems. Microsoft provides the range of tools described above to help you manage across the IT and ICS environments.

Learn more

Learn more about Microsoft Compliance Manager and how it helps simplify compliance and reduce risk.

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Meet critical infrastructure security compliance requirements with Microsoft 365 appeared first on Microsoft Security.

Securing and governing data in a new hybrid work reality

March 2nd, 2021 No comments

The past year has led to an evolution in not only how we think about work, but more importantly, where work gets done. Arguably, gone are the days that your organization’s data is limited to the protected confines of your corporate network as your people continue to work remotely, return in some capacity to the office, or even adopt some hybrid of the two. With your people working across networks, devices, clouds, and apps, how do you ensure your data remains not only secure but compliant?

A culture of security starts by securing data where people get work done. We have been investing in innovation to make this easier, and I’m sharing with you some additional capabilities that enable you to extend data protection and governance across apps, clouds, endpoints, and on-premises file repositories that keep your people collaborative and productive while ensuring your most valuable asset—your data—remains secure and compliant wherever it lives.

Co-authoring of Microsoft Information Protection-protected documents now available in preview

With the shift to remote work, people are creating, storing, and sharing data in new ways. Collaboration and productivity are critical to getting work done, but you still need to ensure that the data remains safe wherever it is. Data classification in Microsoft Information Protection protects your business-critical data so your people can collaborate securely without having to sacrifice productivity.

Today we are announcing the ability for multiple users to simultaneously edit a Microsoft Office document that has been encrypted using Microsoft Information Protection, now in preview. In the past, you had to choose between encrypting sensitive content and collaborating on it. If you encrypted the content, only one person could edit at a time. Everyone else would be locked out, and AutoSave would be disabled to preserve the encryption. With this new unique capability, multiple people can now be co-authors on a Word, Excel, or PowerPoint document simultaneously, frictionlessly, with auto-save, while maintaining the sensitivity labeling and document protections.

Learn more on Tech Community and Microsoft docs.

Microsoft 365 data loss prevention now available in preview for Chrome and on-premises

Enabling a comprehensive and flexible approach to data loss prevention solutions is one of the most important ways to protect your data.  We have been investing heavily in this area, and our unified Data Loss Prevention (DLP) solution—a key part of Microsoft Information Protection—understands and classifies your data, keeps it protected, and prevents data loss across Microsoft 365 Apps (including Word, PowerPoint, Excel, and Outlook), services (including Microsoft Teams, SharePoint, and Exchange), third-party software as a service (SaaS) applications, and more—on-premises or in the cloud. Microsoft’s unified data loss prevention approach provides simplicity, enabling you to set a data loss prevention (DLP) policy once and have it enforced across services, endpoints, and first-and third-party apps.

A few months ago, we announced Endpoint DLP, which provides built-in data loss prevention into Windows 10 and Microsoft Edge. Today we’re announcing that we are extending Microsoft’s unified DLP capabilities natively to Chrome browsers and on-premises file shares and SharePoint Server.

You can learn more about this preview on Tech Community.

Microsoft Azure Purview provides new multi-cloud support

In December 2020, we announced Azure Purview, a unified data governance service that facilitates the mapping and control of organizational data no matter where it resides. Azure Purview is integrated with Microsoft Information Protection, which means you can apply the same sensitivity labels defined in Microsoft 365 Compliance Center to your data in Azure.

Today we’re sharing that we are extending Azure Purview’s ability to automatically scan and classify data to other platforms, such as AWS Simple Storage Services (S3), SAP ECC, SAP S4/HANA, and Oracle Database. Available now in preview, you can now automatically scan and classify data residing within various on-premises data stores using the Azure Purview Data Map.

We are also expanding the insight available within Azure Purview. Available now in preview, Azure Purview can now scan Azure Synapse Analytics workspaces, which enables you to discover and govern data across your serverless and dedicated SQL pools. This expands on Azure Purview’s existing tools enabling customers to scan data across various sources via out-of-the-box connectors in the Data Map.

You can learn more in the Azure Purview blog.

Microsoft 365 Insider Risk Management Analytics available in preview

Another important component of securing your data as people work in new and different ways is effectively managing insider risk. Balancing the ability to quickly identify and manage insider risks while maintaining a dynamic culture of trust and collaboration is a priority for security leaders.

With privacy built-in, pseudonymization on by default, and strong role-based access controls, Insider Risk Management in Microsoft 365 is used by businesses worldwide to quickly get started using machine learning to identify insider risks and take action with integrated collaboration workflows.

Today we’re announcing Microsoft 365 Insider Risk Management Analytics, which can identify potential insider risk activity within an organization and help inform policy configurations. With one click, customers can have the system run a daily scan of their tenant audit logs, including historical activity, and leverage Microsoft 365’s Insider Risk Management Machine Learning engine to identify potential risky activity with privacy built-in by design. Insider Risk Management Analytics will start rolling out to tenants in public preview in mid-March 2021.

For more information, check out the Tech Community blog.

Continued investments to help you address compliance and risk

We’ve been hard at work across our entire portfolio to ensure you have the capabilities you need to protect and govern your data while addressing regulatory compliance and eDiscovery. Here are a few more announcements we’re making today:

  • Additional assessment templates and enhanced capabilities in Compliance Manager to increase regulation visibility, further enrich the user experience, and save you valuable time.
  • Further guidance to get started with Advanced Audit to support your forensic investigations when you suspect a data breach.

In addition, our partner ecosystem plays a critical role in helping you to address your compliance and risk management needs. I’m announcing today that we are expanding the Microsoft Intelligent Security Association (MISA) to include risk management and compliance partners to enable greater scale and customization.

We will continue to innovate and work closely alongside you, our partners, and the industry to improve compliance and security for everyone. We’re on this journey together.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Securing and governing data in a new hybrid work reality appeared first on Microsoft Security.