Savvy financial institutions are now moving beyond this paradigm and employing a modern approach to cybersecurity—the Zero Trust model. The central tenet of a Zero Trust model is to trust no one—internal or external—by default and require strict verification of every person or device before granting access.

The castle’s perimeters continue to be important, but instead of just pouring more and more investment into stronger walls and wider moats, a Zero Trust model takes a more nuanced approach of managing access to the identities, data, and devices within the proverbial castle. So, whether an insider acts maliciously or carelessly, or veiled attackers make it through the castle walls, automatic access to data is not a given.

Limitations of a castle-and-moat approach

When it comes to safeguarding today’s enterprise digital estate, the castle-and-moat approach has critical limitations because the advent of cyberthreats has changed what it means to ward and protect. Large organizations, including banks, deal with dispersed networks of data and applications accessed by employees, customers, and partners onsite or online. This makes protecting the castle’s perimeters more difficult. And even if the moat is effective in keeping enemies out, it doesn’t do much for users with compromised identities or other insider threats that lurk within the castle walls.

The practices below are all sources of exposure and are common in banks that rely on a castle-and-moat approach to security:

• A single annual review of staff access rights to applications.
• Ambiguous and inconsistent access rights policies dependent on manager discretion and insufficient governance when staff moves occur.
• Overuse of administrative privileged accounts by IT.
• Customer data stored in multiple file shares and little idea who has access to it.
• Overreliance on passwords to authenticate users.
• Lack of data classification and reporting to understand what data is where.
• Frequent use of USB flash drives to transfer files that include highly sensitive data.

How a Zero Trust model empowers bankers and customers

The benefits of a Zero Trust approach have been well documented, and a growing number of real-world examples show that this approach could have prevented sophisticated cyberattacks. However, many banks today still adhere to practices that diverge from Zero Trust principles.

Adopting a Zero Trust model can help banks strengthen their security posture, so they can confidently support initiatives that give employees and customers more flexibility. For example, bank executives would like to untether their customer-facing employees—such as relationship managers and financial advisors—from their desks and meet clients outside bank premises. Today, many financial institutions support this geographic agility with analog tools like paper printouts or static views of their counsel. However, both bank employees and customers have come to expect a more dynamic experience using real-time data.

Banks that rely on a castle-and-moat approach to security are hesitant to disperse data outside the physical network. As such, their bankers and financial advisors can only tap the dynamic models of proven and disciplined investment strategies if their client meetings take place on bank premises.

Historically, it’s been cumbersome for bankers or financial advisors on the go to share real-time model updates or actively collaborate with other bankers or traders, at least not without VPNs. Yet, this agility is an important driver of sound investment decisions and customer satisfaction. A Zero Trust model enables a relationship manager or an analyst to harness insights from market data providers, synthesize with their own models, and dynamically work through different client scenarios whenever and wherever.

The good news is this is a new era of intelligent security—powered by the cloud and Zero Trust architecture—that can streamline and modernize security and compliance for banks.

Microsoft 365 helps transform bank security

With Microsoft 365, banks can make immediate steps towards a Zero Trust security by deploying three key strategies:

• Identity and authentication—First and foremost, banks need to ensure that users are who they say they are and give access according to their roles. With Azure Active Directory (Azure AD), banks can use single sign-on (SSO) to enable authenticated users to connect to apps from anywhere, enabling mobile employees to access resources securely without compromising their productivity.

Banks can also deploy strong authentication methods such as two-factor or passwordless Multi-Factor Authentication (MFA), which can reduce the risk of a breach by 99.9 percent. Microsoft Authenticator supports push notifications, one-time passcodes, and biometrics for any Azure AD connected app.

For Windows devices, bank employees can use Windows Hello, a secure and convenient facial recognition feature to sign in to devices. Finally, banks can use Azure AD Conditional Access to protect resources from suspicious requests by applying the appropriate access policies. Microsoft Intune and Azure AD work together to help make sure only managed and compliant devices can access Office 365 services including email and on-premises apps. Through Intune, you can also evaluate the compliance status of devices. The conditional access policy is enforced depending on the compliance status of the device at the time that the user tries to access data.

Conditional access illustration.

• Threat protection—With Microsoft 365, banks can also bolster their ability to protect, detect, and respond to attacks with Microsoft Threat Protection’s integrated and automated security. It leverages one of the world’s largest threat signals available from the Microsoft Intelligent Security Graph and advanced automation powered by artificial intelligence (AI) to enhance incident identification and response, enabling security teams to resolve threats accurately, efficiently, and promptly. The Microsoft 365 security center provides a centralized hub and specialized workspace to manage and take full advantage of Microsoft 365 intelligent security solutions for identity and access management, threat protection, information protection, and security management.

The Microsoft 365 security center.

• Information protection—While identity and devices are the primary vectors of vulnerability for cyberattacks, data is what cybercriminals ultimately want. With Microsoft Information Protection, banks can improve their protection of sensitive information—wherever it lives or travels. Microsoft 365 enables customers to 1) identify and classify their sensitive data; 2) apply flexible protection policies; and 3) monitor and remediate sensitive data at risk.

Example of a classification and protection scenario.

Simplify security management with Zero Trust

Microsoft 365 helps simplify the management of security in a modern Zero Trust architecture, leveraging the visibility, scale, and intelligence necessary to combat cybercrime.

As you consider how to safeguard your modern “castle,” a Zero Trust environment is optimal for modern cybersecurity threats. A Zero Trust environment requires up-to-the-minute oversight of who is accessing what, where, and when—and whether they should even have access.

Microsoft 365 security and compliance capabilities help organizations verify before they trust a user or device. Microsoft 365 also offers a complete teamwork and productivity solution. Altogether, Microsoft 365 provides a comprehensive solution to help bank executives focus on customers and innovation.

The post Why banks are adopting a modern approach to cybersecurity—the Zero Trust model appeared first on Microsoft 365 Blog.

We’re also increasing the OneDrive standalone storage plan from 50 GB to 100 GB at no additional charge, and we’re giving Office 365 subscribers a new option to add more storage as they need it.

OneDrive Personal Vault

OneDrive runs on the trusted Microsoft cloud, which has many security measures in place to keep your files safe. But we understand that some people want more protection for their most important and sensitive files, which is why we’re introducing Personal Vault.

Personal Vault is a protected area in OneDrive that you can only access with a strong authentication method or a second step of identity verification, such as your fingerprint, face, PIN, or a code sent to you via email or SMS.¹ Your locked files in Personal Vault have an extra layer of security, keeping them more secured in the event that someone gains access to your account or your device.

Plus, this added security doesn’t mean added inconvenience. All your documents, photos, and videos in Personal Vault are easy to access on Onedrive.com, your PC, or capable devices.²

Personal Vault adds to the robust privacy and security that OneDrive currently offers, including file encryption at rest and in transit, suspicious activity monitoring, ransomware detection and recovery, mass file deletion notification and recovery, virus scanning on download for known threats, and version history for all file types.

Easy to use

Just enter a PIN, or use your fingerprint, face, or a code delivered by email or SMS¹ to unlock and access your files—no need to remember multiple passwords. Additionally, Personal Vault can be unlocked with the Microsoft Authenticator app. Whichever way you choose, unlocking is quick, convenient, and helps secure your data.

Scan and shoot directly into Personal Vault

You can use the OneDrive for mobile app to scan documents, take pictures, or shoot video directly into your Personal Vault, keeping them off less secure areas of your device—such as your camera roll. It’s easy to scan important travel, identification, vehicle, home, insurance documents, and more directly into your Personal Vault. And you’ll have access to these documents wherever you go, across your capable devices.²

Extra protection on and off your PC

Personal Vault uses more than just two-step verification to help keep your files safe and private. On Windows 10 PCs, OneDrive syncs your Personal Vault files to a BitLocker-encrypted area of your local hard drive. And like all files in OneDrive, the contents of your Personal Vault are encrypted at-rest in the Microsoft cloud and in-transit to your device. For further protection on mobile devices, we recommend that you enable encryption on your iOS or Android device. Together, these measures help keep your files protected even if your Windows 10 PC or mobile device is lost, stolen, or someone gains access to it.

Automatic locking after a short period of inactivity

Personal Vault automatically relocks on your PC, device, or online after a short period of inactivity. Once locked, any files you were using will also lock and require reauthentication to access. There’s no need to worry about whether you left your Personal Vault or your file open—both will close and lock automatically after inactivity.³

Available soon

We’re excited to provide these new capabilities to people who use OneDrive on the web, with our mobile app, or on a Windows 10 PC. Personal Vault will begin rolling out soon in Australia, New Zealand, and Canada and will be available to everyone by the end of the year.

If you already have OneDrive, Personal Vault will appear as a feature update when it launches later this year in your region. And if you aren’t yet a OneDrive customer, you can download the app or go to www.onedrive.com to start using it on your PC or on the web. If you are using OneDrive’s free or standalone 100 GB plan, you can try Personal Vault with a limited number of files. Office 365 subscribers can store as many files as they want in Personal Vault, up to their storage limit.

OneDrive gets additional storage

Today, we’re also excited to share two storage plan updates.

Store more with OneDrive 100 GB plan—We’re increasing the amount of storage in the OneDrive standalone plan from 50 GB to 100 GB⁴ for the same $1.99 per month. That’s enough space to store over 50,000 pictures (at 2 MB per photo). This new plan is perfect for automatically backing up your phone’s camera roll and scanning and saving documents, receipts, and more right from your phone. You can also use it to back up your files and share and collaborate on documents. This new plan will roll out soon. If you’re currently using our 50 GB plan, you’ll automatically get 50 GB more storage added to your account at no additional cost. For more information, see OneDrive plans.

Get additional OneDrive storage as you need it—Your Office 365 subscription starts with 1 TB of OneDrive storage, and many people have asked for even more storage. Today, we’re announcing OneDrive additional storage, which lets you add more storage—as you need it—to your existing Office 365 subscription. You can add storage in 200 GB increments starting at $1.99 per month, going up to 1 TB of additional storage for $9.99 per month.

If you need 2 TB of storage, we now have an option for you. Pay only for what you need and increase, decrease, or cancel your additional storage plan anytime. OneDrive additional storage will be available in the coming months wherever Office 365 is available.

Let us know what you think

To let us know what you think or share your thoughts and ideas, visit OneDrive UserVoice. To learn more about all the advanced protection features included in Office 365 Home and Office 365 Personal subscriptions, see our support page.

Notes
¹ Face and fingerprint verification requires specialized hardware including a Windows Hello capable device, fingerprint reader, illuminated IR sensor, or other biometric sensors and capable devices.
² The OneDrive for mobile app on Android and iOS requires either Android 6.0 or above or iOS 11.3 and above.
³ Automatic locking interval varies by device and can be set by the user.
⁴ 100 GB plan offers 102,400 MB of storage.

The post OneDrive Personal Vault brings added security to your most important files and OneDrive gets additional storage options appeared first on Microsoft 365 Blog.

Howdy folks,

I’m so excited to share today’s news! We just turned on the ability to securely sign in with your Microsoft account using a standards-based FIDO2 compatible device—no username or password required! FIDO2 enables users to leverage standards-based devices to easily authenticate to online services—in both mobile and desktop environments. This is available now in United States and will roll out globally over the next few weeks.

This combination of ease of use, security, and broad industry support is going to be transformational both at home and in the modern workplace. Every month, more than 800 million people use a Microsoft account to create, connect, and share from anywhere to Outlook, Office, OneDrive, Bing, Skype, and Xbox Live for work and play. And now they can all benefit from this simple user experience and greatly improved security.

Starting today, you can use a FIDO2 device or Windows Hello to sign in to your Microsoft account using the Microsoft Edge browser.

Watch this quick video showing how it works:

Microsoft has been on a mission to eliminate passwords and help people protect their data and accounts from threats. As a member of the Fast Identity Online (FIDO) Alliance and the World Wide Web Consortium (W3C), we’ve been working with others to develop open standards for the next generation of authentication. I’m happy to share that Microsoft is the first Fortune 500 company to support password-less authentication using the the WebAuthn and FIDO2 specifications, and Microsoft Edge supports the widest array of authenticators compared to other major browsers.

If you want to know more details on how it works and how to get started, keep reading on.

Get started

To sign in with your Microsoft Account using a FIDO2 security key:

1. If you haven’t already, make sure you update to Windows 10 October 2018.
2. Go to the Microsoft account page on Microsoft Edge and sign in as you normally would.
3. Select Security > More security options and under Windows Hello and security keys, you’ll see instructions for setting up a security key. (You can purchase a security key from one of our partners, including Yubico and Feitian Technologies that support the FIDO2 standard.*)
4. Next time you sign in, you can either click More Options > Use a security key or type in your username. At that point, you’ll be asked to use a security key to sign in.

And as a reminder, here’s how to sign in with your Microsoft account using Windows Hello:

1. Make sure you’ve updated to Windows 10 October 2018.
2. If you haven’t already, you’ll need to set up Windows Hello. If you have Windows Hello set up, you’re good to go!
3. Next time you sign in on Microsoft Edge, you can either click More Options > Use Windows Hello or a security key or type in your username. At that point, you’ll be asked to use Windows Hello or a security to sign in.

If you need more help, check out our detailed help article about how to get set up.

*There are a couple of optional features in the FIDO2 spec that we believe are fundamental to security, so only keys that have implemented those features will work. Read What is a Microsoft-compatible security key? to learn more.

How does it work?

Under the covers, we implemented the WebAuthn and FIDO2 CTAP2 specifications into our services to make this a reality.

Unlike passwords, FIDO2 protects user credentials using public/private key encryption. When you create and register a FIDO2 credential, the device (your PC or the FIDO2 device) generates a private and public key on the device. The private key is stored securely on the device and can only be used after it has been unlocked using a local gesture like biometric or PIN. Note that your biometric or PIN never leaves the device. At the same time that the private key is stored, the public key is sent to the Microsoft account system in the cloud and registered with your user account.

When you later sign in, the Microsoft account system provides a nonce to your PC or FIDO2 device. Your PC or device then uses the private key to sign the nonce. The signed nonce and metadata is sent back to the Microsoft account system, where it is verified using the public key. The signed metadata as specified by the WebAuthn and FIDO2 specs provides information, such as whether the user was present, and verifies the authentication through the local gesture. It’s these properties that make authentication with Windows Hello and FIDO2 devices not “phishable” or easily stolen by malware.

How do Windows Hello and FIDO2 devices implement this? Based on the capabilities of your Windows 10 device, you will either have a built-in secure enclave, known as a hardware trusted platform module (TPM) or a software TPM. The TPM stores the private key, which requires either your face, fingerprint, or PIN to unlock it. Similarly, a FIDO2 device, like a security key, is a small external device with its own built-in secure enclave that stores the private key and requires the biometric or PIN to unlock it. Both options offer two-factor authentication in one step, requiring both a registered device and a biometric or PIN to successfully sign in.

Check out this article on our Identity Standards blog, which goes into all the technical details around the implementation.

What’s next

We have tons of great things coming out as part of our efforts to reduce and even eliminate the use of passwords. We are currently building the same sign-in experience from a browser with security keys for work and school accounts in Azure Active Directory. Enterprise customers will be able to preview this early next year, where they will be able to allow their employees to set up their own security keys for their account to sign in to Windows 10 and the cloud.

Furthermore, as more browsers and platforms start supporting the WebAuthn and FIDO2 standards, the password-less experience—available on Microsoft Edge and Windows today—will be hopefully available everywhere!

Stay tuned for more details early next year!

Best Regards,
Alex Simons (@Twitter: @Alex_A_Simons)
CVP of Program Management
Microsoft Identity Division

The post Secure password-less sign-in for your Microsoft account using a security key or Windows Hello appeared first on Microsoft 365 Blog.

The ElitePOS modernizes the retail POS device with an innovative, sleek modular design that supports use cases beyond checkout to help the retail and hospitality industries deliver a consistent and compelling experience. With options such as a receipt printer that integrates into the column stand and a magnetic stripe reader that can be built into the display, retailers can complement their store environment with a clean counter space.

The ElitePOS is built to withstand extensive usage, with an extended lifecycle that retailers depend on. The system is designed to pass various military standards – or MIL-STD – tests, can handle spills by channeling liquid away from the device components, and provide efficient cooling with side venting for improved reliability. Additionally, line-busting will be a breeze with Windows 10 or Windows IoT, fast DDR4 memory, and 7th generation Intel Core processors with optional vPro technology.

As security continues to be a major concern in the retail and hospitality industries, the ElitePOS delivers both hardware-based and integrated software security features, including:

• BIOS-level device security to provide protection in the event of a malware attack with HP Sure Start Gen3, the industry’s first self-healing BIOS, and HP BIOSphere Gen3, the industry-leading firmware ecosystems.
• User authentication technology, including an optional fingerprint reader with Windows Hello, to help prevent unauthorized access; Credential Guard for secure user authentication and password protection, and Device Guard, which lets IT managers create rules to run only signed, trusted, and approved applications on the POS system to help protect against walk-up and low-level attacks through USB ports.
• Physical security of the device itself with an optional bolt-to-counter configuration, or VESA mounting and K-Lock features.

The ElitePOS is expected to be available in August 2017. To learn more about the point-of-sale system, visit hp.com/go/elitepos, or see the ElitePOS in person August 6-9 at RetailNow 2017 in booth #410-412.

The post HP announces new point-of-sale system powered by Windows 10 appeared first on Microsoft 365 Blog.