Like many school districts, Fulton County Schools needed to bridge the gap between its legacy systems and a modernized cybersecurity posture. So, the school district launched a cyber-incident response plan, which includes using AI for predictive threat detection all day, every day. School leaders also organized a task force equipped with Microsoft Azure solutions that help monitor, detect, and stop threats. Now Fulton County Schools can detect cybersecurity threats before they occur and respond preemptively. 

As more students have moved to hybrid learning, schools must learn how to mitigate ransomware, malware, and phishing attempts. From raising awareness to creating a response plan, there are many ways that institutions can reduce risk and make hybrid learning safe. By transforming their security stance with the latest cloud technologies, school districts can focus on what matters most: educating students. 

Assessing the risks of hybrid learning 

Each year, hundreds of K–12 schools experience cyberattacks. Criminals’ tactics have become more sophisticated, and cyberattacks are on the rise. As hybrid learning has become commonplace, educational institutions are now the number one target for malware attempts. Further, recovering from a single cybersecurity incident can be costly. Facing these factors, many schools are investing in cyber insurance for added protection. 

Schools can better understand their level of risk by gauging their security stance using the Zero Trust Security Model Assessment Tool. They can also design a powerful defense strategy by staying aware of current cybercrime trends. 

In the Microsoft Digital Defense Report 2022, Microsoft experts share their insights on the scale and scope of digital threats by analyzing 43 trillion data signals daily. Looking at the data, experts agree that organizations can ward off threats by addressing cybersecurity holistically. A holistic approach hinges on four concepts: identify, protect, detect, and respond. Even basic steps, such as setting up multifactor authentication, can drastically reduce an organization’s risk. 

Global exam provider Pearson VUE is one of many institutions that has taken a holistic approach to cybersecurity. Every two seconds, the company delivers exams to test-takers across 20,000 test centers in more than 180 countries and territories. Upholding the integrity of its exams and protecting its data are key to the company’s mission. 

Inspired by the Microsoft Zero Trust security framework, Pearson VUE migrated its on-premises networks to the cloud, helping it segment its networks. Now the company can enforce conditional access with users. Pearson VUE also began monitoring its environment using Microsoft Sentinel, which gives it the ability to capture enterprise-wide security analytics. Using AI technology, the exam provider gets automatic alerts of suspicious activity. These measures help Pearson VUE continue to maintain the integrity of its exams. 

Staying ahead of the curve 

Since the COVID-19 pandemic, educational institutions have had to pivot to hybrid learning using limited resources. Additionally, many students may not have a secure network at home for logging into their courses remotely. Despite these challenges, many schools see this shift in learning as an opportunity to transform their technology. 

The University of Pittsburgh’s Department of Biomedical Informatics built a HIPAA-compliant data enclave in the cloud. Now the university can centralize data from its legacy systems and enable collaboration no matter where researchers are located. With a secure data hub enabling remote and hybrid work, researchers can speed up clinical insights by sharing data with other collaborators.

Similarly, the University of Texas at San Antonio (UTSA) wanted to increase collaboration among students and educators. So, the university began using Microsoft Office 365 A5 as its standard communication platform and to deliver free tools to students and faculty. By providing these tools across the board, students and faculty can focus on their courses. 

UTSA also has gained visibility into the delivery and open rates of its campus-wide announcements. With this information, the university can find ways to better serve its students. UTSA also set up advanced analytics, which helps it detect phishing scams faster than before. 

Accessing additional resources 

As schools engage with their students online and in the classroom, they can learn more about the latest cybersecurity trends from Microsoft Event webinars. 

To access more resources for educational institutions at all levels, check out the Microsoft K–12 education showcase and the Microsoft higher-education showcase. 

The post Addressing cybersecurity proactively to support hybrid learning appeared first on Microsoft in Business Blogs.

As part of our commitment to enhancing cybersecurity across the U.S., we are detailing a series of actions Microsoft is taking to support federal, state, and local governments, and partnerships we’re forging with federal agencies to share critical information and develop cybersecurity best practices.

Investing in our shared cyber responsibility to modernize, secure, and defend

Microsoft recognizes that the technology sector bears a great responsibility for securing our nation’s critical assets. This is why Microsoft has committed to investing in people and technology to advance the tools, practices, and services Microsoft provides to customers.

As the White House announced, Microsoft will immediately provide $150 million in technical services to help federal, state, and local governments upgrade security protection. This funding extends Microsoft FastTrack program support to help agencies modernize and establish Zero Trust controls that will raise the security baseline for government agencies. Of the $150M, $50M will be invested to provide Federal agencies with modernization assistance to help secure applications and servers by replacing vulnerable legacy infrastructure with cloud infrastructure that is always patched and up to date.

Microsoft’s investments aim to help agencies more quickly and effectively deploy modern applications and infrastructure that incorporate Zero Trust architectures and include additional built-in security capabilities such as Microsoft 365 Defender, Microsoft Information Protection, and Azure Security Center. We are ready now to help government modernize, secure, and defend their digital estate using established best practices and cloud security capabilities based on insights from our own journey toward Zero Trust and decades of experience helping federal agencies.

Collaborating to accelerate technical innovation

To adequately address software supply chain security, we also believe it’s essential to continue to work with the open-source community, in open standards forums, and with widely used platforms to address ecosystem-wide variability and help scale implementation.

At the White House, we reiterated our commitment to working with National Institute of Standards and Technology (NIST) to advance a common and open industry framework for ensuring end-to-end supply chain security, integrity, quality, and provenance. With President Biden’s May 12 Executive Order as a catalyst, Microsoft developed our Supply Chain Integrity Model (SCIM), which enables automated verification of supply chain security policies, artifacts, and evidence for all product types, including software, machine learning datasets, and hardware. To help standardize SCIM, we’ve made information available publicly through NIST and GitHub and engaged with industry partners through the Open Source Security Foundation (OpenSSF) to create ecosystem-wide solutions for supply chain security.

Separately, Microsoft is working with NIST’s National Cybersecurity Center of Excellence (NCCoE) on the Implementing a Zero Trust Architecture Project. This work focuses on developing practical, interoperable approaches to designing and building Zero Trust architectures that align with the tenets and principles documented in NIST SP 800-207, Zero Trust Architecture.

Lastly, we are using our existing GitHub and Microsoft Visual Studio capabilities and developer tools for software testing and dependency tracking to enable trustworthy software development practices.

Facilitating more seamless information sharing

No single agency or company can address our nation’s cyber security challenge alone, which is why Microsoft has long been a believer in partnering with agencies to share threat information in the interest of national defense.

Microsoft recently agreed to become an Alliance Partner in the new Joint Cyber Defense Collaborative (JCDC) established by Cybersecurity & Infrastructure Security Agency (CISA) to promote resilience and strengthen cyber defense. We’re also taking several further steps to help defend our nation’s cybersecurity, providing federal agencies targeted or compromised by a nation-state actor with notifications and enhanced reporting to CISA from our Digital Security Unit.

Addressing the skills gap through training and resources

Our nation is facing a cybersecurity talent crisis with nearly 500,000 unfilled cybersecurity jobs today. Microsoft committed at the White House to expand partnerships with community colleges and non-profits for cybersecurity training to help the workforce keep pace with in-demand skills.

We are also dedicated to providing agencies actionable insights and tools to accelerate modernization and help cyber professionals stay ahead of sophisticated adversaries. Microsoft has launched a free repository of educational resources to address the critical cybersecurity shortage and gaps. There, agencies can access government-specific training, Learning Paths, workshops, certifications, and reference architectures like our Zero Trust Scenario Architectures mapped to NIST standards.

Doing our part in a whole-of-nation effort

The steps detailed above for government agencies are part of a broader commitment to establish cybersecurity at the heart of everything we do. This includes investing $20 billion over the next five years to accelerate improved cybersecurity outcomes for all of our customers by integrating cybersecurity by design and delivering advanced security solutions. We believe that close collaboration with industry and government is essential to helping modernize and secure the critical assets upon which the American people rely. For more information on Microsoft’s commitments and additional resources on how to increase cyber resilience, visit our Cyber EO resource center.

The post Microsoft expands on cybersecurity commitments for U.S. government agencies appeared first on Microsoft in Business Blogs.

Uncovering new unknown attacks and attacker behaviors with EDR

Outdated endpoint protection strategies based on static prevention-focused capabilities like antivirus are ineffective. Today’s next-generation anti-malware capabilities — powered by advanced machine learning and behavioral monitoring — are critical to helping organizations stop threats. EDR then goes a step further beyond prevention to provide detailed telemetry that provides additional visibility and enables dynamic analytics and automation to discover and remediate more sophisticated threats at scale. Ensuring agencies have the tools necessary to address the full spectrum of endpoint protection, detection, and response is the ultimate aim of the September 9, 2021, EO EDR milestone.

Securing endpoints through EDR and prevention strategies like next-gen anti-malware and attack surface reduction is a crucial pillar of a Zero Trust architecture, an approach central to the EO and outlined extensively in our milestones guidance. In a Zero Trust strategy where compromise should be assumed, EDR helps agencies quickly read threat signals and determine if a device is healthy. Tools like Microsoft Defender for Endpoint, Endpoint Manager, and Azure Defender for Servers and Kubernetes, integrated with Microsoft’s own threat intelligence, deliver agencies automated threat blocking, response, and remediation capabilities while also enabling advanced threat hunting and forensics.

Microsoft’s endpoint security approach has received numerous accolades, including successfully demonstrating industry-leading, cross-platform defense capabilities according to MITRE Engenuity ATT&CK evaluations. We encourage agencies to look holistically across their endpoints to ensure often overlooked areas, like servers and containers, are adequately addressed in deployments. U.S. government agencies also have access to the best practices found in our federal cybersecurity learning path, along with extensive training modules and customized learning roadmaps. By partnering with Microsoft, agencies can build expertise in EDR and easily expand to a more comprehensive extended detection and response (XDR) approach.

Getting answers faster through enhanced logging

Section 8 of the Cyber EO focuses on establishing logging, log retention, and log management requirements by August 24, 2021. This policy aims to centralize “access and visibility for the highest level security operations center of each agency,” to avoid processes that drive up expense and introduce lag time as data flows up the chain.

The EDR capabilities discussed earlier naturally tie into the work that needs to be done to address Section 8 requirements since enhanced logging is a natural outcome of a Zero Trust architecture. For example, an agency can natively connect Microsoft Defender for Endpoint with Azure Sentinel to provide enhanced visibility across both security products and organizations. This combination enables a top-level agency to quickly and seamlessly access data from multiple lower-level agencies operating their own security operations centers (SOCs) without duplicating the data. Approaching logging in this way solves the tradeoffs between either centralized data not enabling distributed response or distributed data limiting centralized visibility. With native Azure Lighthouse capabilities in Azure Sentinel, agencies can do both — ingest the data into their SIEM once and also populate aggregate data views without added delay, overhead, or cost. So in addition to Sentinel’s well-known AI and automation capabilities for reducing analyst fatigue, Microsoft is now also enabling accelerated analyst collaboration across multiple SOC teams.

To further enhance data retention and logging, agencies can combine tools like Azure Data Explorer with Azure Sentinel to open up new possibilities for long-term log forensics at scale. These additional low-cost data management capabilities allow agencies to quickly query and analyze large volumes of log and telemetry data, and achieve up to 100 years of data retention. Ultimately, security data empowers agencies to train machine learning models that better identify patterns, anomalies, and trends to operationalize historical security logs while also minimizing cost.

Continually building upon the Zero Trust foundation

The upcoming EDR and logging milestones underscore the importance of having a strong Zero Trust architecture in place. Building on this foundation, agencies can then extend protection, detection, and response beyond endpoints to achieve a full-platform, pre-integrated XDR that delivers connected security at scale.

We encourage you to visit our Cyber EO resource center and delve deeper into additional resources on some of the topics covered in this blog. Also, stay tuned to this blog for additional insights as we address upcoming Cyber EO milestones.

The post Uncovering new unknowns: How to approach EDR & logging Cyber EO milestones appeared first on Microsoft in Business Blogs.

The need for analytics, high-capacity storage, and increased computing power has expanded the need for data handling, analytics tools, and applications that only the cloud can support.

Also, in response to the COVID-19 pandemic, pharmaceutical and life science organizations are looking into new methods for assessing a cloud vendor without physically visiting their datacenters.

In this article, we’ll cover how the offerings we have at Microsoft serve as a resource for you to save time while conducting your vendor assessment, and why our openness to compliance sets us apart.

Vendor Compliance

When considering a vendor and compliance, it’s important to understand that the cloud builds on the shared responsibility model that can help in guidance and understanding of the documents needed for compliance reporting.

Figure 1: The shared responsibility model

Regardless of the type of deployment, there are responsibilities that are always retained by Microsoft, including datacenter building access, physical hosts, and physical networks. The data, endpoints, account, and access management are always retained by the customer. This means that you need to have controls in place to protect the security of your data and identities. It’s also important to have documented evidence ready at all times to show how you govern those assets.

Microsoft offers you the platform and tools to help build a secure, resilient, and available environment. These tools can also assist in building reports that demonstrate continuous compliance. We will be taking a closer look at some of these tools, like the Azure Cloud Adoption Framework and enterprise scale landing zone.

As mentioned in the previous blog post on GxP guidelines, physical security is a vital security layer to consider. Microsoft takes numerous measures to ensure that our infrastructure is secure. We also recently published a virtual tour around our datacenters that gives insight into the Azure physical security layer.

Remote vendor assessment

Conducting a vendor assessment is a requirement for using third-party vendors. A vendor audit is optional. To produce a vendor assessment remotely, you must assess how to build quality, security, and integrity into your services. You also need to document the competencies and training records of staff and reliability of the services offered.

It’s necessary to have the appropriate controls and mitigations documented in the quality management system to help comply with regulatory expectations.

When factoring the level of depth of the assessment, organizations must consider their vendor management process and the associated risk documented for outsourcing or using cloud services.

According to regulations, there are three levels of assessing vendors:

• Basic assessment: A review of available information from the vendor.
• Postal audit: Questions sent to the vendor in which detailed information about the vendor’s quality management system and business processes is requested.
• On-site audit: A review of the vendor’s procedural controls and process documentation performed by an appointed auditor.

Special areas of interest in the vendor assessment would be:

• The security of our facilities (e.g., human access restrictions)
• Controls to protect hardware and devices (e.g., controls for destroying hardware)
• Controls for human access
• Availability of services

While an on-site audit is not allowed for security concerns and logistical reasons, Microsoft has contracted with third parties to do that inspection for you, making it easier for you to access the information to do a vendor assessment.

The above areas needed in the vendor assessment are all included in the audit cycle of our services and are also made available on the Microsoft Trust Center in SOC1/SOC2 reports, as well as our ISO/IEC 27001 certification report.

The SOC reports include the following areas:

• Security
• Availability
• Integrity
• Confidentiality
• Privacy of personal information

To show full visibility, the audit report we make available also includes the findings for the controls that are being audited. Remember to look for the correct version (date covered by the report) and to check for the relevant bridge letter, if applicable.

The vendor assessments provide you with the evidence relevant to your controls of our quality standards and practices. Building solutions and using cloud relies on trust, which we hope is established with our openness to security, process and compliance. The openness and dedication to show that we have appropriate controls in place to secure and govern your foundational estate. A trust that should bring confidence that you can build your solutions on Microsoft Clouds.

Several of our customers have done remote vendor assessments (desk-audit) using our available reports discussed in the previous blog. These are available on the Microsoft Trust Center Website.

We hope that the above information helps you in building your assessment and starting to leverage the tools and services we offer to build a compliant service inside your business or in your partnership.

As you read this, the next question you may be thinking is: how do I build the technical part to support this secure, resilient, and compliant environment?

What’s next

In a future post, we will look into building a foundation that has automation, good software development life cycle practices, standardization, and compliance at the core.

A valuable resource for building a qualified foundation is the Microsoft Cloud Adoption Framework. We will dive “into the how’s” with some operational examples on using enterprise scale adoption of the framework in later blog posts. A teaser can be found here.

The need for a true enterprise scale foundation is important because it offers the availability and control points, as well as the ability to deliver the services as infrastructure as code.

It’s important to familiarize yourself with infrastructure as code since it is needed to build compliance into the flow and to work with continuous validation across the cloud services that you wish to use or offer to your business.

Key takeaway

The need for governance and control has never been greater. At Microsoft, we try to build our services with that need in mind. Our products have high-quality coverage to give you the insight and control to build out the policies to support your secure environment.

Governance is important now that we look at infrastructure as code and low-code/no-code principles. That’s why we will also look at some examples of how you can establish good governance in your journey.

So, stick around as we continue to work our way through the next steps for GxP Cloud Compliance using Microsoft Cloud.

The post GxP Compliance starts with proper vendor assessments – and here’s how you can do it effectively even remotely appeared first on Microsoft in Business Blogs.

Deploying a proven three-phased modernization approach

Microsoft’s unique and comprehensive view of the cyber landscape allows us to simplify the complex in order to unlock the government’s full cyber capabilities. We have developed prescriptive guidance with each step of the journey designed to activate existing capabilities and optimize with new technologies so agencies can address sophisticated attacks with greater efficiency and efficacy than ever before.

At a high level, Microsoft recommends accelerating modernization by first focusing on identifying and monitoring risks. Organizations can get started by enabling single sign-on to applications, setting up conditional access to enforce MFA, and registering and provisioning devices to establish a dynamic asset inventory. This approach addresses several of the EO requirements and provides a solid foundation for additional phases. A key component to this phase is the implementation of identity solutions that most agencies already own, like Azure Active Directory (AD) single sign-on, and Azure Active Directory’s Application Proxy, which provides secure remote access to on-premises web applications. These capabilities offer high assurance authentication, connect existing on-premises infrastructure to the cloud, ensure every workload is assigned an identity, and provide better micro-segmentation and network security than is commonly achieved with VPNs.

Phase two builds on monitoring insights from the first phase to establish risk-prioritized actions. Adding a dynamic and risk-based context evaluation to authorization can be achieved through a simple and consistent centralized policy with Azure AD Conditional Access. Using a cloud-native, security information event management (SIEM) and security orchestration automated response (SOAR) solution like Azure Sentinel can provide additional insights through anomaly detection. Many agencies already have the capability to identify sensitive information in Office 365 and on-premises with Microsoft Information Protection. In phase two, agencies should focus on identifying this data more so than protecting it to address the EO requirements while also providing additional monitoring insights from the aggregation of sensitive data flows without impacting end users. Using Azure Virtual Desktop for remote administration via cloud SAW and segmenting privilege with cloud-only administrator accounts are also easy steps that significantly reduce risk.

The third phase is focused on increasing protection. Agencies can accomplish this by enforcing BYOD mobile device management (MDM) enrollment during authorization to provide an inventory of non-enterprise devices, proactively managing updates, patches, policies, and monitoring device health, and enabling additional telemetry and control with endpoint detection and response. Solutions like Azure Defender and Microsoft Cloud App Security provide deeper analytics and fine-grained control so agencies can gain greater visibility into cloud apps and services to control sessions and protect workloads in real-time.

Five reference architectures to demystify the Zero Trust journey

While reaching a high degree of Zero Trust maturity may initially seem daunting, many agencies are already well-positioned to adopt the three phases approach and reach upcoming milestones. Much of the technology required to execute the roadmap is already in place at many agencies — they simply need to activate and fine-tune existing capabilities.

To this end, Microsoft has identified five of the most impactful scenarios agencies should build towards across the three phases of modernization. The following reference architectures outline how to address those common Zero Trust scenarios and are mapped against key NIST requirements for Zero Trust while including other EO priorities such as endpoint detection and response (EDR), MFA, and continuous monitoring.

Scenario 1: Cloud-ready authentication apps

Modern authentication mechanisms are critical for securing SaaS applications by protecting identities, enforcing MFA requirements, and achieving comply-to-connect functionality. Many agencies are well on their way toward achieving secure baselines for SaaS using best practice approaches around ID configuration for Office 365, implementing strong MFA, and enforcing requirements with conditional access policies. This work can be easily extended to other SaaS applications and custom claims-based applications.

Scenario 2: Web apps with legacy authentication

For hard-to-reach applications that can’t be easily rewritten for modern authentication, agencies can use Azure Active Directory’s Application Proxy. This architecture builds on the Azure AD foundation in scenario 1 to extend Zero Trust to legacy systems. Application Proxy also provides outbound-only connectivity and much more restrictive access than a VPN solution.

Scenario 3: Remote server administration

Remote server administration has become a popular threat vector as attackers utilize admin tools to move laterally across an environment and find new ways to compromise systems. The scenario 3 design pattern outlines how to simplify secure remote administration by layering the work done in scenario 1 with a strongly authenticated administrator account and privileged access workstation. This significantly reduces the attack surface area preventing unsanctioned server-to-server management by requiring modern authentication, MFA, and allow-listed admin devices for server administration via Azure AD conditional access policies. The result is a high level of assurance for multi-cloud and hybrid server administration.

Scenario 4: Segment cloud administration

Recent attacks that used credentials compromised on-premises to attack the cloud underscore the need to ensure that no individual in an agency’s on-premises directory is privileged in the cloud. Building on scenario 1, this design pattern allows agencies to administer Microsoft and non-Microsoft workloads from isolated, dedicated, and segmented administrator accounts. Once this pattern is implemented, auditing controls should also be introduced to ensure that privilege segmentation remains in effect.

Scenario 5: Network micro-segmentation

Agencies must establish multiple levels of segmentation to achieve both secure control and data planes. Azure native capabilities allow agencies to apply a consistent micro-segmentation strategy to protect against threats, implement defense in-depth, and achieve policy-enforced continuous monitoring at a granular level — including each perimeter, micro-perimeter, segment and microsegment.

Collaborating on continuous improvement

Microsoft’s deep understanding of the threat landscape, broad product capabilities, and vast experience helping our federal customers achieve their missions enables us to deliver a comprehensive approach to Zero Trust. Working in partnership, government and industry can come together to accelerate security modernization, meet short- and long-term EO requirements, and adopt a robust cyber posture that evolves with the complexity of modern government.

The post Mapping the Cybersecurity Executive Order Milestones appeared first on Microsoft in Business Blogs.

The more popular and destructive types of ransomware appeared as WannaCry in May 2017 and NotPetya in June 2017. Because these variants of ransomware used vulnerabilities in unpatched operating systems to propagate, this kind of ransomware affected entire organizations rather than one or two devices.

Microsoft and other cybersecurity organizations started noticing a business model created from these more sophisticated and persistent types of ransomware starting in June 2019. This vastly expanded the ransomware business model into an enterprise scale operation blending targeted attack techniques and the extortion business model, threatening disclosure of data or encryption in exchange for payment. Human-operated ransomware is persistent, which means that it can mutate to evade detection from common anti-malware systems. This allows it to remain hidden within an organization and used in the future.

How does human-operated ransomware affect the health and life sciences industry?

Criminal organizations will target critical infrastructure, which may include the electrical grid, gas pipelines, water management, schools, governments, traffic management systems, and even healthcare organizations. These criminal organizations realize that time is of the essence when providing patient care because lives are on the line. This makes the healthcare organization victim more likely to pay the ransom to return to business as usual.

How to define the risk of human-operated ransomware to senior management

There are many examples of ransomware affecting 500 or more individuals in the healthcare sector available for reference. The U.S. Department of Health and Human Services Office for Civil Rights keeps records of reported incidents in healthcare throughout the US. Given these overwhelming statistics and the net impact of ransomware on healthcare organizations, it should be less difficult than before to create a business case for senior management to implement the right people, processes, and technologies to lower the risk of occurrence and severity of impact.

How to reduce the risk of becoming a victim of any kind of ransomware

1. Integrated and automated cybersecurity solution. This solution enables you to “see” everything, providing the opportunity for technology to share intelligence throughout the attack chain and apply the NIST Cybersecurity Framework to identify, protect, detect, respond, recover in the early, middle, or late stages of the attack. Best-of-breed, unintegrated solutions do not have built-in integration, so they have difficulty sharing their intelligence throughout the stages of the attack chain.
2. Use security orchestration and automated response (SOAR). Cloud-based integrated solutions come bundled with sophisticated security orchestration and automated response (SOAR) capabilities, so defensive and remediation activities will execute either before the attack occurs or before the ransomware has a chance to spread throughout the organization’s infrastructure.
3. Cloud-powered threat intelligence Real-time detection, analysis, and remote remediation of advanced attacks call for sophisticated machine learning algorithms to analyze billions of pieces of data to differentiate between what looks trustworthy versus what looks suspicious. The Microsoft Intelligent Security Graph API can help because it is based on massive amounts of attack behavior data that is compiled and analyzed at hyperscale. This approach gives the integrated system the advantage of detecting and preventing malicious behavior before it can do harm.
4. Move to cloud services to reduce patch management debt. If you are responsible for the infrastructure in your environment, such as servers running in a data center or infrastructure as a service in the cloud, you must ensure that every tier of the system is up to date on patching. That means that everything from firmware to the operating system to the drivers to the application that runs on the operating system, the database, and any other code (whether commercial or proprietary) must be vulnerability-free to the extent that it can be. Risk can never be zero percent because there is always the possibility of a zero-day vulnerability that neither the customer nor the vendor is aware of before a patch is issued for it.
5. Move to the cloud to simplify vulnerability management. PaaS and SaaS applications do not need patching because the cloud service provider is responsible for vulnerability management in the common shared responsibility model.
6. Move to the cloud to simplify and accelerate backup and recovery. It is simpler to ensure backup and recovery of data residing in cloud-based services than on-premises, usually by adding a backup service, like Azure Cloud Backup Service, Azure Block Blob Storage Backup, and third-party cloud-based Office 365 Backup and Recovery Services. These services ensure that if data residing in cloud services become affected by ransomware, recovery can be both immediate and comprehensive.
7. Cyber hygiene. This concept means understanding what resources are in production and implementing secure benchmark configurations that protect those resources. In other words, cyber hygiene is good configuration governance. Azure Security Center provides comprehensive cyber hygiene for on-premises and cloud resources.
8. Zero trust model. A zero trust approach means that any device or user is evaluated for risk before it is permitted to access resources like applications, files, databases, and other devices. This decreases the chance that a malicious identity or device would have the ability to access resources and install or propagate ransomware.

Learn more about human-operated ransomware and the steps you can take to reduce its effectiveness.

The post What is human-operated ransomware, and how does it differ from traditional ransomware? appeared first on Microsoft in Business Blogs.

Microsoft is committed to ensuring our men and women in uniform and in the intelligence community have access to the best available technology today. During our the recent three-day Virtual National Security Symposium, Microsoft Federal and our partners showcased many of the new and emerging technologies we have developed to help the U.S. Department of Defense (DOD) and national security agencies defend our nation and meet important missions. There was a lot covered during the symposium, and I want to share a few key highlights that stood out to me.

Microsoft Azure continues to lead

Microsoft Azure serves as the foundation of our cloud services – enabling defense partners access to innovative technologies like artificial intelligence and machine learning to help make decisionmakers address complex challenges anywhere. As Tom Keane, Microsoft corporate vice president of Azure Global, explain in his session, “Computing is ubiquitous … you have the ability to perform computing all the way from the edge to hyper-scale computing in the cloud,” he explained. “Our goal is to help you solve your hardest problems and to provide the computing that you need, wherever you need it, with the elasticity, the security and the reliability that you would expect.”

With over 61 Azure worldwide regions – more than any other cloud provider – 130,000-plus miles of ground or below-sea fiber, and increasing edge sites, Keane reinforced that Azure is the mission-critical cloud for national security. “The scale and scope of [Microsoft’s] investment is … billions of dollars to support your mission.” He also noted Microsoft’s cloud platform spans commercial, government and secret capabilities, with top secret currently in the final stages of accreditation. “Our commitment is to [deliver] cloud technology connected to the appropriate networks to support the full spectrum of your data,” he told the audience, identifying Azure cloud’s promises of always available, always secure, trusted and compliant, always monitored and third-party enabled. Keane closed with overviews of Azure hybrid, tactical edge and Azure Space capabilities, touching on the recent Azure connection to the International Space Station.

AI for Mission

There’s a lot of talk about AI, but Microsoft’s Andy Hickl led a session on AI that matters, or in his words, “The AI that we need to support mission operations – from the analyst, to the specialist to the war fighter and back again.” He said AI is “having its moment now” due to the convergence of algorithms, compute and data along with research community consolidation and today’s scale of operations. He noted that Microsoft’s “AI stack” is integrated across all products, such as Teams, the Power Platform and Azure.

Microsoft and our partners are committed to building AI for Mission, operating under the principles of: available anywhere, integrate data silos across domains, adapt to emerging threats, preserve model integrity, operate autonomously, support complex decision-making, explain findings and simulate real-world operations in stunning detail. “We’re committed to building the tech, the products and solutions, the accelerators that you ultimately need,” Hickl said.

Examples of bringing innovations to mission owners

Microsoft’s Jason Henderson, Aaron Lind and Harshal Dharia shared three compelling Azure use-case presentations:

• Windows Virtual Desktop (WVD): This virtual desktop infrastructure is a fully managed service within Azure. “The biggest thing that I see as valuable with WVD is delivering the only multisession Windows 10 experience on the market,” Henderson said. “With a single operating system of Windows 10, you can actually have one virtual machine running [with] multiple users logging in to that same desktop, each with their own profile.” In addition to reducing costs, he noted WVD “deploys and scales in minutes,” includes free Windows 7 extended security updates and blends the security of several Microsoft products to create a compliant, zero-trust environment. Henderson noted that most DOD customers already own Microsoft licenses to run WVD.
• Azure AI: “Machine learning on Azure is really a cornucopia of technological prowess,” Lind said, providing “limitless scale” and productivity-first capabilities that enable data scientists to take advantage of popular frameworks. He explained how Azure Machine Learning democratizes access to AI for mission authors of all skill levels and Azure Cognitive Services – made up of APIs for language, vision, speech and decision capabilities – provide “that intelligence to the mission, to your war fighter.”
• For the DOD and national security agencies using WVD, Azure AI and other solutions, Dharia said digital transformation is more about “how do we actually innovate and … bring those innovations to our mission owners faster and keep [them] available for longer?” His guidance for driving innovation:
  • Rely on organizational collaboration.
  • Shift security to the left, so that “developers are thinking about security.”
  • Leverage a hyper-scale cloud like Azure to improve applications and enable low-code application creation, which Dharia called “the biggest trend in the market right now.”

Meeting the needs of the servicemembers

Another key session featured Microsoft’s Michael Farrell providing an overview of our rugged edge devices. “Our edge platform has been designed from the ground up to meet the needs of the war fighter,” he said. Farrell detailed how Microsoft’s comprehensive approach offers unique Azure Arc-enabled hybrid capabilities, giving mission users “the flexibility to innovate and meet demanding requirements anywhere in the world.” He outlined the Azure edge portfolio, spanning Azure Sphere, Azure IoT devices, Azure IoT Edge, Azure Stack Edge, Azure Stack Hub and our global hyperscale cloud, from Azure Government to Azure Government Secret to Azure Government Top Secret.

We were also honored to be joined by Maj. Gen. Anthony Potts, the U.S. Army’s program executive officer lead for Integrated Visual Augmentation System (IVAS) project. The Army recently announced they are working with Microsoft to move IVAS development from rapid prototyping to production and rapid fielding. Gen. Potts spoke about the unique partnership between the Army and Microsoft to advance this project, “From a military perspective, we tend to have a habit of going back into the files, grabbing something that looks, smells and feels like what somebody asked us to do and try to recreate something or shift off of a known point.”

“With IVAS, we absolutely made the decision not to do that,” said Maj Gen. Potts. “What we did was this iterative approach. Microsoft calls it ‘human-centered design’ and we call it ‘Soldier-centered design’. But its something we really borrowed from Microsoft as we put our teams together.”

Ensuring our nation’s security

This is just a fraction of the fascinating projects our team and customers reviewed at the Symposium – and an even briefer glimpse of what Microsoft Federal and our partners can deliver to extend U.S. cloud-powered innovation and defense and intelligence capabilities. Our goal was to spark the imagination of Symposium attendees from the defense, intelligence and national security community, and we remain committed to partnering with them to enable their missions, inspire their innovation and deliver next-generation cloud solutions to ensure our nation’s security.

For more information and to access on-demand content, please visit the Microsoft Virtual National Security Symposium 2021 page.

The post Next-generation cloud innovations further enhance national security appeared first on Microsoft in Business Blogs.

Furthermore, in October 2020, the US Securities and Exchange Commission (SEC) enacted a new regulatory framework, Rule 18f-4, for derivatives use by US mutual funds, business development firms, and exchange-traded funds. The new rule permits funds to use derivatives if they comply with certain conditions designed to protect investors. A fund relying on the rule generally must calculate risk measurements that were not required in the past such as:

• Daily value-at-risk (VaR)
• At least weekly VaR backtesting
• At least weekly stress testing

A fund may rely on the exception for limited users of derivatives if the fund’s derivatives exposure is limited to 10 percent of its net assets, excluding certain currency and interest rate hedging transactions.

Compliance plans must be fully implemented by August 19, 2022. This means that each company’s firmwide risk management team, firmwide legal and compliance executives, and fund board of directors should be engaged in making initial decisions now. Failure to comply could result not only in fines from the SEC but also taking the consequence of reputation risk failure such as withdrawal or lawsuits from investors.

A new set of compliance demands

The rule calls on affected funds to implement a derivatives risk management program that will require them to significantly ramp up several types of risk analysis on a daily or weekly basis.

Affected funds will be required to appoint a derivative risk manager, deliver a written risk management strategy, and stay within limits on fund leverage risk based on VaR. This outer limit is based on a relative VaR test that compares the fund’s VaR to the VaR of a “designated reference portfolio” for that fund. A fund generally can use either an index that meets certain requirements or the fund’s own securities portfolio (excluding derivatives transactions) as its designated reference portfolio. If the fund’s derivatives risk manager reasonably determines that a designated reference portfolio would not provide an appropriate reference portfolio for purposes of the relative VaR test, the fund would be required to comply with an absolute VaR test. The fund’s VaR generally is not permitted to exceed 200 percent of the VaR of the fund’s designated reference portfolio under the relative VaR test or 20 percent of the fund’s net assets under the absolute VaR test.

The new limits on fund leverage risk mean that VaR analysis will need to be done daily, and stress testing and backtests will need to be done weekly. Many firms now do these tests only on an ad hoc or monthly/quarterly basis. Some don’t currently do them at all. To complement the limitations of VaR, stress tests will be an important tool. They should be run at least weekly, incorporating the correlations among the market factors.

A turnkey reporting solution

To properly measure the fund leverage risk, a risk engine requires the terms and conditions of the portfolio holdings and benchmarks, access to historical market data and broad pricing model coverage for various asset classes and derivatives for daily VaR analysis. The risk engine should also have robust stress testing capabilities. Running these calculations on many portfolios tracking large benchmarks will require intensive, scalable computing power.

To stay in compliance with the new rule, Qontigo’s Axioma Risk™ solution enables funds to run the necessary new risk measurements and calculations. Because Axioma Risk is powered by Microsoft Azure, it can scale as needed to help affected firms meet the new rule’s risk measurement requirements. Azure is a highly stable and secure environment that provides the computing power to handle the additional demands caused by this new regulation.

Axioma Risk provides a turnkey reporting package that includes daily derivatives exposure, daily VaR calculations for the SEC’s requirements, as well as relevant stress tests and backtests. VaR can be checked against SEC limits and/or against internal limits.

Axioma Risk also provides an interactive risk diagnostic tool and a web-based pre-trade risk analysis tool for what-if scenarios.

The scalability of the Azure cloud

To implement Axioma Risk, Qontigo’s team of risk experts source the fund holdings and benchmarks for each client and automate the risk calculation workflow. Axioma Risk comes with a rich set of securities master data and historical market data. The system also provides comprehensive securities pricing models, including cash securities in all asset classes: equity, fixed income, commodity, and currency, as well as every derivative commonly used by mutual funds.

The combination of Qontigo’s risk and compliance expertise, the robust data set and risk analytics, and a scalable simulation engine built on the Microsoft Azure cloud provides a very strong package to answer the requirements of the new SEC rule.

Visit the SEC Rule 18f-4 page on the Qontigo website to find out how we can simplify your compliance journey.

The post How fund companies can stay in compliance with SEC Rule 18f-4 appeared first on Microsoft in Business Blogs.

Different customers have different preferences and needs for where they save their audit logs and how long they wish to keep them. For this reason, we’ve typically provided customers maximum choice and flexibility. By default, we retain audit logs in the cloud for most Office 365/Microsoft 365 customers for 90 days. This gives customers the ability to decide if they’d like to:

• Download the audit logs and store them locally or in a cloud instance of their choice,
• Keep them with a third-party security vendor, or
• Keep them with Microsoft through an advanced service we call Advanced Audit, which provides deeper forensic investigation tools and audit log storage in the cloud for one year or longer.

We appreciate that some U.S. federal government customers have recently raised questions about the costs associated with Advanced Audit and their ability to store audit logs with Microsoft for a longer time period. While we work to address their questions and work collaboratively toward a long-term solution, we are now offering all U.S. federal government customers who use our Government Cloud a one-year free trial of Advanced Audit. Those who are interested should reach out to their Microsoft representative to learn more.

We always invite feedback from customers including our public sector customers and work hard to address it. While we might not be able to immediately meet every need or request, we believe it’s important to listen and to continuously invest in making helpful improvements. We have recently, for example, offered new privacy tools in response to feedback from the Dutch Ministry of Justice and Security, and before the 2020 election, we extended free security updates to voting machines running Windows 7.

Throughout our 45-year history, we have supported the U.S. federal government to help them use the power of technology to advance the mission of its agencies. We hope today’s update is another example of our commitment.

The post Addressing Audit Log Storage for U.S. Federal Government Customers appeared first on Microsoft in Business Blogs.

For an organization, building resilience means looking at every part of the business and preparing it to thrive in the face of change. There have been many conversations this year about resilience as it relates to keeping employees and customers safe, enabling remote work, and sustaining revenue. Let’s discuss how data is a crucial aspect of the organization when it comes to ensuring business agility and creating a sustained competitive advantage.

Data is a valuable resource that contributes to all six dimensions of resilience identified by Boston Consulting Group:

• Protect and grow the top line. Integrated data drives: 1) better sales decisions; 2) targeted marketing; and 3) personalized customer journeys.
• Develop agile operations. Dynamic data helps organizations identify changes and respond to them quickly.
• Enable people. Accessible data empowers people to work smarter and more flexibly.
• Accelerate data and digital platforms. Continuously available and fault-tolerant data based on cloud infrastructure helps keep organizations viable, while fully functional data lakes enable rapid innovation.
• Enhance cybersecurity. Keeping data secure is essential to resilience, and data also provides actionable intelligence for improving cybersecurity.
• Strengthen financials. Data informs cash management and other financial liquidity policies.

Let’s dive deeper into these areas to better understand how organizations can upgrade their data estate so they’re more prepared to weather future disruptions.

Migrating data to the cloud supports resilience

This year’s sudden move to remote work and digital customer experiences has driven home the value of cloud infrastructure. Wherever you are in your migration journey, taking the next few steps on that path will garner more benefits.

Capitalize on the value of your data

Pulling legacy data out of organizational silos and migrating to Azure makes it more accessible. Azure also stimulates growth by unlocking the possibilities of artificial intelligence and machine learning for processing and deploying data.

Improve data security and disaster recovery

Your valuable data needs to be protected from malicious actors like cybercriminals and natural disasters such as hurricanes, power outages, and, yes, pandemics. Azure can deliver much stronger security than smaller on-premises datacenters, ensuring that your data is highly available to authorized users and no one else.

For more detail on the tasks, tools, and resources that will help you achieve these goals, see Cloud Migration: A Guide to Building Resilience.

Insights and analytics drive business performance

When changes hit and things get bumpy, your organization needs to know what’s happening in the moment and get useful direction on how to respond.

Make informed decisions quickly

During disruptions, circumstances may be changing rapidly, requiring frequent pivots to keep the organization running. Using the same analytics system for all your data across both data warehouses and big data analytics systems helps you quickly identify patterns and trends.

Unify your organization’s data

A single analytics service can handle all your data warehousing and big data needs, allowing data engineers, data scientists, and database administrators to collaborate. You can consolidate data governance while still supporting personalized, custom dashboards.

Reduce costs using data analysis and generate proactive insights

You can go from hypothesis to validation in minutes by applying intelligent analytics. Use predictive models and advanced analytics to optimize your business processes and find new opportunities.

You’ll find more guidance on planning and implementing your analytics program in Building Insights and Analytics: A Guide to Building Resilience.

This intersection between data and resilience has so much potential for helping organizations empower their workforces, stay connected to customers, and differentiate themselves in the marketplace.

I hope you’ll join us for the Resilience at Work Virtual Summit on Thursday, February 4, 2021, to carry on the conversation. You’ll hear from the Microsoft leadership team and EY about how they use data to keep their organization resilient and agile.

The post How to build business agility and resilience using data appeared first on Microsoft in Business Blogs.