Microsoft Purview Compliance Manager Archives | Microsoft Security Blog
http://approjects.co.za/?big=en-us/security/blog/product/microsoft-purview-compliance-manager/
Expert coverage of cybersecurity topics. Feed last updated Fri, 09 Jan 2026 18:51:32 +0000.

How Microsoft builds privacy and security to work hand-in-hand
http://approjects.co.za/?big=en-us/security/blog/2026/01/13/how-microsoft-builds-privacy-and-security-to-work-hand-in-hand/
Tue, 13 Jan 2026 17:00:00 +0000

Learn how Microsoft unites privacy and security through advanced tools and global compliance to protect data and build trust.

The post How Microsoft builds privacy and security to work hand-in-hand appeared first on Microsoft Security Blog.
The Deputy CISO blog series is where Microsoft Deputy Chief Information Security Officers (CISOs) share their thoughts on what is most important in their respective domains. In this series, you will get practical advice, tactics to start (and stop) deploying, forward-looking commentary on where the industry is going, and more. In this article, Terrell Cox, Vice President for Microsoft Security and Deputy CISO for Privacy and Policy, dives into the intersection of privacy and security.

For decades, Microsoft has consistently prioritized earning and maintaining the trust of the people and organizations that rely on its technologies. The 2025 Axios Harris Poll 100 ranked Microsoft as one of the top three most trusted brands in the United States.1 At Microsoft, we believe one of the best ways we can build trust is through our long-established core values of respect, accountability, and integrity. We also instill confidence in our approach to regulations by demonstrating rigorous internal compliance discipline—such as regular audits, cross-functional reviews, and executive oversight—that mirrors the reliability we extend to customers externally.


Here at Microsoft, we are grounded in the belief that privacy is a human right, and we safeguard it as such. Whether you’re an individual using Microsoft 365 or a global enterprise running mission-critical workloads on Microsoft Azure, your privacy is protected by design. In my role as Vice President for Microsoft Security and Deputy CISO for Privacy and Policy at Microsoft, I see privacy and security as two sides of the same coin—complementary priorities that strengthen each other. They’re inseparable, and they can be simultaneously delivered to customers at the highest standard, whether they rely on Microsoft as data processor or data controller.

There are plenty of people out there who view the relationship between security and privacy as one of tension and conflict, but that doesn’t need to be the case. Within my team, we embrace differing viewpoints from security- and privacy-focused individuals as a core principle and a mechanism for refining our quality of work. To show you how we do this, I’d like to walk you through a few of the ways Microsoft delivers both security and privacy to its customers.

Security and privacy, implemented at scale

Our approach to safeguarding customer data is rooted in a philosophy that prioritizes security without the need for access to the data itself. Think of it as building a fortress where the walls (security) protect the treasures inside (data privacy) without ever needing to peek at them. Microsoft customers retain full ownership and control of their data, as outlined in our numerous privacy statements and commitments. We do not mine customer data for advertising, and customers can choose where their data resides geographically. Even when governments request access, we adhere to strict legal and contractual protocols to protect the interests of our customers.

A number of Microsoft technologies play important roles in the implementation of our privacy policy. Microsoft Entra, and in particular its Private Access capability, replaces legacy VPNs with identity-centric Zero Trust Network Access, allowing organizations to grant granular access to private applications without exposing their entire network. Microsoft Entra ID serves as the backbone for identity validation, ensuring that only explicitly trusted users and devices can access sensitive resources. This is complemented by the information protection and governance capabilities of Microsoft Purview, which enables organizations to classify, label, and protect data across Microsoft 365, Azure, and their third-party platforms. Microsoft Purview also supports automated data discovery, policy enforcement, and compliance reporting.

The beating heart of the Microsoft security strategy is the Secure Future Initiative. We assume breach and mandate verification for every access request, regardless of origin. Every user, every action, and every resource is continuously authenticated and authorized. Automated processes, like our Conditional Access policies, dynamically evaluate multiple factors such as user identity, device health, location, and session risk before granting access. Support workers can access customer data only with the explicit approval of the customer through Customer Lockbox, which gives customers authorization and auditability controls over how and when Microsoft engineers may access their data. Once authorized by a customer, support workers may only access customer data through highly secure, monitored environments such as hardened jump hosts: isolated Azure virtual machines that require multifactor authentication and employ just-in-time access gates.

Privacy is a human right

The intersection of privacy and security is not just a theoretical concept for Microsoft. It’s a practical reality that we work to embody through comprehensive, layered strategies and technical implementations. By using advanced solutions like Microsoft Entra and Microsoft Purview and adhering to the principles set out in our Secure Future Initiative, we help ensure that our customers’ data is protected at every level.

We demonstrate our commitment to privacy through our proactive approach to regulatory compliance, our tradition of transforming legal obligations into opportunities for innovation, and our commitment to earning the trust of our customers. Global and region-specific privacy, cybersecurity, and AI regulations often evolve over time. Microsoft embraces regulations not just as legal obligations but as strategic opportunities through which we can reinforce our commitments to privacy and security. This is exactly what we did when the European General Data Protection Regulation (GDPR) came into effect in May of 2018, and we’ve applied similar principles to emerging frameworks like India’s Digital Personal Data Protection Act (DPDP), the EU’s Network and Information Systems Directive 2 (NIS2) for cybersecurity, the Digital Operational Resilience Act (DORA) for financial sector resilience, and the EU AI Act for responsible AI governance.

Using regulatory compliance as a lever for innovation

Microsoft publicly welcomed the GDPR as a step forward for individual privacy rights, and we committed ourselves to full compliance across our cloud services. We were an early adopter, adding GDPR-specific assurances to our cloud service contracts, including breach notification timelines and data subject rights.

Because we believe so strongly in these protections, our compliance efforts quickly became the foundation for a broader, proactive transformation of our privacy and security posture. First, we established a company-wide framework that formalized privacy responsibilities and safeguards. It mandated robust technical and organizational measures designed to protect personal data companywide, now aligned with cybersecurity standards like those in NIS2.

As part of this framework, Microsoft appointed data protection officers and identified corporate vice presidents in each business unit to provide group-level accountability. Microsoft also built what we believe is one of the most comprehensive privacy and compliance platforms in the industry. This platform is the result of a company-wide effort to give customers real control over their personal data, experienced with consistency across our products, while seamlessly integrating security and regulatory compliance.

To operationalize these commitments, we developed advertising and data deletion protocols that made sure data subject requests (DSRs) were honored across all our systems, including those managed by third-party vendors. Microsoft extended GDPR-like principles to customers globally. This initiative emphasized data minimization, consent management, and timely breach reporting. It also reinforced customers’ rights to access, correct, delete, and export their personal data.

Expanding from this foundation, we continue to take a proactive stance on emerging global regulations. For DPDP in India, we enhanced data localization and consent mechanisms in Azure to help organizations comply with local privacy mandates while maintaining robust security. Under NIS2 and DORA, tools like Microsoft Defender for Cloud enable critical sectors to detect, respond, and build operational resilience, positioning cybersecurity as the shield that protects privacy rights.

For the EU AI Act, Microsoft Responsible AI tools integrated with Microsoft Purview enable governance, classification, and compliance tracking of AI models, ensuring transparency and accountability across the AI lifecycle. In parallel, Microsoft Defender for Cloud extends protection for AI workloads and data environments, ensuring AI systems are secure, monitored, and resilient — much like a traffic light system that signals safe passage for innovation while mitigating risk.

Thanks to this early, decisive action to safeguard privacy and security worldwide, Microsoft is now in a strong leadership position as similar laws are passed by a growing number of countries. Because we’ve already gone above and beyond what initial regulations asked of us, we’re more easily able to adapt to the specifics of other related legal frameworks.

Learn more

To hear more from Microsoft Deputy CISOs, check out the OCISO blog series. To stay on top of important security industry updates, explore resources specifically designed for CISOs, and learn best practices for improving your organization’s security posture, join the Microsoft CISO Digest distribution list.


To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.


1The 2025 Axios Harris Poll 100 reputation rankings

Fast-track generative AI security with Microsoft Purview
http://approjects.co.za/?big=en-us/security/blog/2025/01/27/fast-track-generative-ai-security-with-microsoft-purview/
Mon, 27 Jan 2025 17:00:00 +0000

Read how Microsoft Purview can secure and govern generative AI quickly, with minimal user impact, deployment resources, and change management.

As a data security global black belt, I help organizations secure AI solutions. They are concerned about data oversharing, data leaks, compliance, and other potential risks. Microsoft Purview is Microsoft’s solution for securing and governing data in generative AI.

I’m often asked how long it takes to deploy Microsoft Purview. The answer depends on the specifics of the organization and what they want to achieve. Microsoft Purview should enable a comprehensive data governance program, but it can also provide risk mitigation for generative AI in the short term while that program is underway.


Organizations need AI solutions to add value for their customers and to stay competitive. They can’t wait for years to secure and govern these systems.

For the organizations deploying generative AI, “how long does it take to deploy Microsoft Purview?” isn’t the right question.

The risk mitigation Microsoft Purview provides for AI can begin on day one. This includes Microsoft AI, like Microsoft 365 Copilot, AI that an organization builds in-house, and AI from third parties like Google Gemini or ChatGPT.

This post will discuss ways we can secure and govern data used or generated by AI quickly, with minimal user impact, change management, and resources required.

These Microsoft Purview solutions are:

  • Microsoft Purview Data Security Posture Management for AI
  • Microsoft Purview Information Protection
  • Microsoft Purview Data Loss Prevention
  • Microsoft Purview Communication Compliance
  • Microsoft Purview Insider Risk Management
  • Microsoft Purview Data Lifecycle Management
  • Microsoft Purview Audit and Microsoft Purview eDiscovery
  • Microsoft Purview Compliance Manager

Here are short term steps you can take while the comprehensive data governance program is underway.

Microsoft Purview Data Security Posture Management for AI

Microsoft Purview Data Security Posture Management for AI (DSPM for AI) provides visibility into data security risks. It reports on:

  • Users’ interactions with AI.
  • Sensitive information in the prompts users share with the AI.
  • Whether the sensitive information users share is labeled and thus is protected by durable security policy controls.
  • Whether and how user interactions may be violating company policy including codes of conduct and attempts at jailbreak, where users manipulate the system to circumvent protections.
  • The risk level of users interacting with the system, such as inadvertent or malicious activities they may be involved in that put the organization at risk.

DSPM for AI reports on this for each AI application and can drill down from the reports to the individual user activities. DSPM for AI collects and surfaces insights from the other Microsoft Purview solutions around generative AI risks in a single screen.

DSPM for AI reasons over custom sensitive information types, sensitivity labels, and information protection rules where they exist; if they are not yet configured, more than 300 out-of-the-box sensitive information types are available from day one.

DSPM for AI will use these to report on risk for the organization without additional configuration. The organization’s administrators can configure policy to mitigate these risks directly from the DSPM for AI tool.


Figure 1. DSPM for AI shows interactions with Microsoft 365 Copilot, enterprise generative AI from other providers, and AI developed in-house.


Figure 2. DSPM for AI Reports on generative AI user interactions with sensitive data.

A big concern that organizations have in widely deploying generative AI is that it will return results that contain sensitive information that the user should not have access to. SharePoint sites have been created over the years, are unlabeled, and may be accessible to the entire organization through the AI. The “security by obscurity” that may have prevented the sensitive information from being inappropriately shared is now negated by the AI that reasons over and returns the data.

Data assessments, part of DSPM for AI and currently in preview, identify potential oversharing risks and let the administrator apply a sensitivity label to the SharePoint sites or the sensitive data, or initiate a Microsoft Entra ID access review to manage group memberships.

The administrator can engage the business stakeholder who has knowledge of the risk posed by the data and invite them to mitigate the risk or apply the policy at scale from the Microsoft Purview administration portal.


Figure 3. Data assessment—visualize risk, review access, and deploy policy.

Microsoft Purview Information Protection

The document access controls of Microsoft Purview Information Protection, including sensitivity labels, are enforced when the data is reasoned over by AI. The user is given visibility in context that they are working with sensitive information. This awareness empowers users to protect the organization. 

The sensitivity labels that enforce scoped encryption, watermarking, and other protections travel with the document as the user interacts with the AI. When the AI creates new content based on the document, the new content inherits the most restrictive label and policy.

Microsoft Purview can automatically apply sensitivity labels to AI interactions based on the organization’s existing policy for email, desktop applications, and Microsoft Teams, or new policy can be deployed for the AI.

These can be based on out-of-the-box sensitive information types for a quick start.

Microsoft Purview Data Loss Prevention

The Microsoft Purview Data Loss Prevention policies that the organization currently uses for email, desktop applications, and Teams can be extended to the AI or new policy for the AI can be created. Cut and paste of sensitive information or transfer of a labeled document into the AI can be prevented or only allowed with an auditable justification from the user.

A rule can be configured to prevent all documents bearing a specific label from being reasoned over by the AI. Out-of-the-box sensitive information types can be used for a quick start.
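The DSPM for AI, Information Protection, and DLP sections above all come down to a few decisions made per interaction: does the prompt contain a sensitive information type, which label does the generated output inherit, and should the interaction be blocked, allowed, or allowed only with a justification. The following Python script is an added example that models those decisions; it is not Purview’s own code or policy engine. The label order, the single hypothetical credit-card sensitive information type (pattern plus Luhn checksum plus a supporting keyword nearby, the same three-part structure built-in SITs use), and the rule set are assumptions made for the illustration.

```python
"""Toy model of the prompt-time controls described above.
Added example, not Purview's own code; the label order, the one
sensitive information type and the rules are assumptions."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Assumed label order, least to most restrictive; the index is the priority.
LABEL_ORDER = ["Public", "General", "Confidential", "Highly Confidential"]
# Assumed rule: content carrying these labels is never reasoned over by the AI.
BLOCK_LABELS = {"Highly Confidential"}


def label_rank(label: Optional[str]) -> int:
    """Unlabeled content (None) ranks like the lowest label (assumption)."""
    return LABEL_ORDER.index(label) if label else 0


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: the validation step that lets a card-number SIT reject
    arbitrary 16-digit strings instead of matching on the pattern alone."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


# Hypothetical card-number SIT: pattern, checksum, and a supporting keyword
# within a character window around the match.
CARD_PATTERN = re.compile(r"\b(?:\d[ -]?){13,16}\b")
CARD_KEYWORDS = ("card", "visa", "mastercard", "cvv", "expiry")
KEYWORD_WINDOW = 300


def find_sensitive_info(text: str) -> set:
    """Return the names of the sensitive information types found in text."""
    hits = set()
    for m in CARD_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if not luhn_ok(digits):
            continue                        # pattern hit but checksum failed: not a card
        lo, hi = max(0, m.start() - KEYWORD_WINDOW), m.end() + KEYWORD_WINDOW
        if any(k in text[lo:hi].lower() for k in CARD_KEYWORDS):
            hits.add("Credit Card Number")
    return hits


def inherited_label(source_labels) -> Optional[str]:
    """Generated output takes the most restrictive label among its sources."""
    return max(source_labels, key=label_rank, default=None)


@dataclass
class Decision:
    action: str                             # allow | allow_with_justification | block
    reason: str
    output_label: Optional[str]
    sits: set = field(default_factory=set)


def evaluate_prompt(prompt: str, attached_labels=()) -> Decision:
    """Apply the assumed DLP rules to one interaction: the prompt text plus the
    labels of the documents the user pasted or attached (None = unlabeled)."""
    labels = list(attached_labels)
    sits = find_sensitive_info(prompt)
    out_label = inherited_label(labels)
    if any(lbl in BLOCK_LABELS for lbl in labels):
        return Decision("block", "attached content carries a blocked label", out_label, sits)
    if sits:
        return Decision("allow_with_justification",
                        "sensitive information type detected: " + ", ".join(sorted(sits)),
                        out_label, sits)
    return Decision("allow", "no policy match", out_label, sits)


if __name__ == "__main__":
    # Constructed prompt; 4111 1111 1111 1111 is a well-known Luhn-valid test number.
    print(evaluate_prompt("Summarize: my card is 4111 1111 1111 1111, expiry 12/27",
                          attached_labels=["General", None]))
```

The checksum and keyword steps are what keep the detector from flagging every long digit string, which matters because a justification prompt that fires on order numbers trains users to click through it. The inheritance rule is deliberately simple: the output can never be less restrictive than any input, which is the property the text describes for AI-generated content.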

Microsoft Purview Communication Compliance

Microsoft Purview Communication Compliance detects regulatory compliance violations (for example, against SEC or FINRA rules) and business conduct violations such as sharing sensitive or confidential information, harassing or threatening language, and sharing of adult content.

Out-of-the-box policies can be used to monitor user prompts or AI-generated content. It provides policy enforcement in near real time and also audit logs and reporting.

Microsoft Purview Insider Risk Management

Microsoft Purview Insider Risk Management correlates signals to identify potentially malicious or accidental behaviors by legitimate users. Pre-configured generative AI-specific risk detections and policy templates are now available in preview.

When Insider Risk Management determines that a user is engaging in risky behavior, the data loss prevention (DLP) policies for that user can be made stricter using a feature called Adaptive Protection. It can be configured with out-of-the-box policies. This continuous monitoring and policy modulation mitigates risk while reducing administrator workload.

AI analytics can be activated from the Microsoft Purview portal to provide insights even before the Insider Risk Management solution is deployed to users. This quickly surfaces AI risks with minimal administrative workload.

Microsoft Purview Data Lifecycle Management

Microsoft Purview Data Lifecycle Management can retain AI prompts, responses, and the documents AI creates for a specified time period. This can be done globally for every interaction with an AI solution, with out-of-the-box or custom policies. It keeps these interactions available for future investigations, for regulatory compliance, or to tune policies and inform the governance program.

A policy for deletion of AI interactions can be enforced so information is not over-retained.

Microsoft Purview Audit and Microsoft Purview eDiscovery

The organization will need to support internal investigations around the use of AI. Microsoft Purview Audit logs and retains these interactions. They also need to support their legal team should they have to produce AI interactions to support litigation.

Microsoft Purview eDiscovery can put a user’s interactions with the AI, as well as their other Microsoft 365 documents and communications, on hold so that they remain available to support investigations. The held content can be searched on metadata to improve relevance, annotated, and produced.

Microsoft Purview Compliance Manager

Microsoft Purview Compliance Manager has pre-built assessments for AI regulations including:

  • EU Artificial Intelligence Act.
  • ISO/IEC 23894:2023.
  • ISO/IEC 42001:2023.
  • NIST AI Risk Management Framework (RMF) 1.0.

These assessments are available to benchmark compliance over time, report on control status, and maintain and produce evidence for both Microsoft and the organization’s activities that support the regulatory compliance program.

Microsoft Purview is an AI enabler

Without security, governance, and compliance bases being covered, the AI program puts the organization at risk. An AI program can be blocked before it deploys if the team can’t demonstrate how it is mitigating these risks.

The actions suggested here can all be taken quickly, and with limited effort, to set up a generative AI deployment for success.

Learn more

Learn more about Microsoft Purview.


New Microsoft Purview features help protect and govern your data in the era of AI
http://approjects.co.za/?big=en-us/security/blog/2024/12/10/new-microsoft-purview-features-help-protect-and-govern-your-data-in-the-era-of-ai/
Tue, 10 Dec 2024 17:00:00 +0000

Microsoft Purview delivers unified data security, governance, and compliance for the era of AI. Read about the new features.

In today’s evolving digital landscape, safeguarding data has become a challenge for organizations of all sizes. The ever-expanding data estate, the volume and complexity of cyberattacks, increasing global regulations, and the rapid adoption of AI are shifting how cybersecurity and data teams secure and govern their data. Today, more than 95% of organizations are implementing or developing an AI strategy, requiring data protection and governance strategies to be optimized for AI adoption.1 Microsoft Purview is designed to help you protect and govern all your data, regardless of where it lives and travels, for the era of AI.

Historically, organizations have relied on the traditional approach to data security and governance, largely involving stitching together fragmented solutions. According to Gartner®, “75% of security leaders are actively pursuing a security vendor consolidation strategy as of 2022.”2 Consolidation, however, is no easy feat. In a recent study, more than 95% of security leaders acknowledge that unifying the handling of data security, compliance, and privacy across teams and tools is both a priority and a challenge.3 These approaches often fall short because of duplicate data, redundant alerts, and siloed investigations, ultimately leading to increased data risks. Over time, this approach has been increasingly difficult for organizations to maintain.

Unify how you protect and govern your data with Microsoft Purview

Unlike traditional data security and governance strategies that require disparate solutions to achieve comprehensive data protection, Microsoft Purview is purpose-built to unify data security, governance, and compliance into a single platform experience. This integration aims to reduce complexity, simplify management, and mitigate risk, while helping enhance efficiency across teams to support a culture of collaboration. With Microsoft Purview you can:

  • Enable comprehensive data protection.
  • Support compliance and regulatory requirements.
  • Help safeguard AI Innovation.

What’s new in Microsoft Purview?

To meet our growing customer needs, the team has been delivering a lot of innovation at a rapid pace. In this blog, we’re excited to recap all the new capabilities we announced at Microsoft Ignite last month.

Enable comprehensive data protection


Microsoft Purview enables you to discover, secure, and govern data across Microsoft and third-party sources. Today, Microsoft Purview delivers rich data security capabilities through Microsoft Purview Data Loss Prevention, Microsoft Purview Information Protection, and Microsoft Purview Insider Risk Management, enhanced with AI-powered Adaptive Protection. To drive AI transformation, you need to build and maintain a strong data foundation, categorized by data that is not just secured but also governed. Microsoft Purview also addresses your data governance needs with the newly reimagined Microsoft Purview Unified Catalog. These data security and data governance products leverage shared capabilities such as a common data catalog, connectors, classifications, and audit logs—helping reduce inconsistencies, inefficiencies, and exposure gaps, commonly experienced by using disparate tools.

Introducing Microsoft Purview Data Security Posture Management

Microsoft Purview Data Security Posture Management (DSPM) provides visibility into data security risks and recommends controls to protect that data. DSPM provides contextual insights, usage analysis, and continuous risk assessments of your data, helping you mitigate risks and enhance data security. With DSPM, you get a shared understanding of key risks through a series of reports that correlate insights across location and type of sensitive data, risky user activities, and common exfiltration channels. In addition, DSPM provides actionable, scenario-based recommendations for detection and protection policies. For example, DSPM can help you create an Insider Risk Management policy that identifies risky behavior such as downgrading labels in documents followed by exfiltration, and a data loss prevention (DLP) policy to block that exfiltration at the same time.

DSPM also brings a view of historical trends and insights based on sensitivity labels applied, sensitive assets covered by at least one DLP policy, and potentially risky users, to show the effectiveness of your data security policies over time. And finally, DSPM leverages the power of generative AI through its deep integration with Microsoft Security Copilot. With this integration, you can easily uncover risks that might not be immediately apparent and drive efficient and richer investigations—all in natural language.

With DSPM, you can easily identify possible labeling and policy gaps such as unlabeled content and users that aren’t scoped in a DLP policy, unusual patterns and activities that might indicate potential risks, as well as opportunities to adapt and strengthen your data security program.
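The DSPM recommendation described above, an Insider Risk Management policy for a label downgrade followed by exfiltration, is at bottom a sequence detection keyed on user and file within a time window. The following Python script is an added example of that detection run over constructed audit records; it is not Purview’s code, and the record format, field names, and operation names are invented for the illustration rather than taken from the Purview audit schema.

```python
"""Added example: correlate a sensitivity-label downgrade with a later
exfiltration of the same file by the same user. The record format and the
operation names below are constructed for this example, not Purview's schema."""
import json
from datetime import datetime, timedelta

# Constructed sample records, one JSON object per line (not real audit data).
SAMPLE_LOG = """
{"time": "2024-11-19T09:02:10Z", "user": "alice@contoso.example", "op": "SensitivityLabelUpdated", "file": "q4-forecast.xlsx", "old_label": "Highly Confidential", "new_label": "General"}
{"time": "2024-11-19T09:15:44Z", "user": "alice@contoso.example", "op": "FileUploadedToCloud", "file": "q4-forecast.xlsx", "target": "personal-drive.example"}
{"time": "2024-11-19T10:30:00Z", "user": "bob@contoso.example", "op": "SensitivityLabelUpdated", "file": "notes.docx", "old_label": "General", "new_label": "Confidential"}
{"time": "2024-11-19T11:00:00Z", "user": "bob@contoso.example", "op": "FileCopiedToRemovableMedia", "file": "notes.docx"}
{"time": "2024-11-19T13:00:00Z", "user": "carol@contoso.example", "op": "SensitivityLabelUpdated", "file": "plan.pptx", "old_label": "Confidential", "new_label": "General"}
{"time": "2024-11-19T16:05:00Z", "user": "carol@contoso.example", "op": "FileCopiedToRemovableMedia", "file": "plan.pptx"}
"""

# Assumed label order (least to most restrictive) and exfiltration operations.
LABEL_ORDER = ["Public", "General", "Confidential", "Highly Confidential"]
EXFIL_OPS = {"FileUploadedToCloud", "FileCopiedToRemovableMedia", "FilePrinted"}
WINDOW = timedelta(minutes=60)      # how long a downgrade stays "suspicious"


def parse_log(text: str) -> list:
    """Parse JSON lines into dicts with a datetime, sorted by time."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        e = json.loads(line)
        e["time"] = datetime.strptime(e["time"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda e: e["time"])


def is_downgrade(e: dict) -> bool:
    """A label change that lowers the restriction level (upgrades are fine)."""
    return (e["op"] == "SensitivityLabelUpdated"
            and LABEL_ORDER.index(e["new_label"]) < LABEL_ORDER.index(e["old_label"]))


def find_downgrade_then_exfil(events: list, window: timedelta = WINDOW) -> list:
    """Single pass over time-ordered events: remember each user's recent
    downgrades and alert when an exfiltration op hits the same file in time."""
    recent = {}                      # user -> downgrade events still inside the window
    alerts = []
    for e in events:
        user = e["user"]
        if is_downgrade(e):
            recent.setdefault(user, []).append(e)
            continue
        if e["op"] not in EXFIL_OPS:
            continue
        # Expire downgrades outside the window so old changes do not haunt users forever.
        pending = [d for d in recent.get(user, []) if e["time"] - d["time"] <= window]
        recent[user] = pending
        for d in pending:
            if d["file"] == e["file"]:
                alerts.append({
                    "user": user,
                    "file": e["file"],
                    "downgrade": f'{d["old_label"]} -> {d["new_label"]}',
                    "exfil_op": e["op"],
                    "minutes_between": round((e["time"] - d["time"]).total_seconds() / 60, 1),
                    # Severity follows what the file was before the downgrade.
                    "severity": "high" if d["old_label"] == "Highly Confidential" else "medium",
                })
    return alerts


def run(text: str = SAMPLE_LOG) -> list:
    return find_downgrade_then_exfil(parse_log(text))


if __name__ == "__main__":
    print(json.dumps(run(), indent=2))
```

On the sample data only alice produces an alert: bob raised a label rather than lowering it, and carol’s removable-media copy falls outside the 60-minute window. The window and the severity mapping are the two knobs a detection engineer would tune; a window that is too long turns every routine relabel into an alert, too short misses a patient user.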


Figure 1. DSPM overview page provides centralized visibility across data, users, and activities, as well as access to reports.

Learn more about this announcement in the Data Security Posture Management blog.

Increasing data security and security operations center integration

Understanding data and user context is vital for improving security operations and prioritizing investigations, especially when sensitive data is at stake. By integrating insights such as data classification, access controls, and user activity into the security operations center (SOC) experience, organizations can better assess the impact of security incidents, reduce false alerts, and enhance containment efforts. In addition to the already present DLP alerts in the Microsoft Defender XDR incident investigation and data security remediation actions enabled directly from Defender XDR, we’ve also added Insider Risk Management context to the user entity page to provide a more comprehensive view of user activities.

With Microsoft Purview’s latest integration with Microsoft Defender, now in preview, you get insider risk alerts in Defender XDR and can correlate them with incidents. This gives you critical user context for your security investigations. SOC teams can now better distinguish internal incidents from external cyberattacks and refine their response strategies. For more complex analysis to identify risks such as attack patterns, we are integrating insider risk signals into Defender XDR’s Advanced Hunting, giving you deeper insights and allowing you to improve your policies in partnership with data security teams. Together, these advancements allow your organization to stay ahead of evolving cyberthreats, providing a collaborative and data-driven approach to security.

Learn more about this announcement in the Purview Insider Risk Management blog.

Protecting data and preventing sensitive data loss

As AI generates new data in unprecedented volumes, the need to secure that data and prevent the loss of sensitive information has become even more crucial. Our new DLP capabilities help you effectively investigate DLP incidents, fortify existing protections, and refine your overall DLP program. You can now customize Purview DLP to the established processes of your organization with the Microsoft Power Automate connector in preview. This lets you automate and customize your DLP policy actions through Power Automate workflows to integrate your DLP incidents into new or established IT, security, and business operations workflows, like stakeholder awareness or incident remediation.

DLP policy insights in Security Copilot, also in preview, summarize existing DLP policies in natural language and helps you understand any gaps in policy coverage across your environment. This makes it easier for you to quickly and easily understand the full breadth of DLP policy coverage across your organization and address gaps in protection. We are also enhancing DLP protections on endpoints by expanding our file type coverage from more than 40 to more than 110 file types. Users can also now store and view full files on Windows devices as evidence for forensic investigations using Microsoft-managed storage. With the Microsoft-managed option, your admins can save time otherwise spent configuring additional settings, assigning permissions, and selecting the storage in the policy workflow. Finally, you can now enforce blanket protections on file types that cannot currently be scanned or classified by endpoint DLP, such as blocking copy to removable media for all computer-aided design (CAD) files regardless of those files’ contents. This helps ensure that the diverse range of file types found in your environment are still protected even if they cannot currently be scanned and classified by Microsoft Purview endpoint DLP. 

Learn more about these announcements in our Microsoft Purview Data Loss Prevention blog.

Microsoft Purview Data Governance innovations to drive greater business value

Research indicates that data practitioners spend 80% of their time finding, cleaning, and organizing data, leaving only 20% of time to process and analyze it [4]. To simplify the data governance practice in the age of AI, the Microsoft Purview Unified Catalog is a comprehensive enterprise catalog that automatically inventories and tags your organization’s critical data assets. This gives your business users the ability to search for specific business data when building analytics reports or AI models. The Unified Catalog gives you visibility and confidence in your data across your disparate data sources and local catalogs with built-in data quality management and end-to-end lineage. You can integrate metadata from diverse catalogs such as Fabric OneLake, Databricks Unity, and Snowflake Polaris, into a unified catalog for all your data stewards, data owners, and business users.

Now in preview, Unified Catalog provides deeper data quality through a new scan engine that supports open standard file and table formats for big data platforms, including Microsoft Fabric, Databricks Unity Catalog, Snowflake, Google BigQuery, and Amazon S3. This new scan engine enables rich data quality management at the asset level, improving overall data quality health. Lastly, Microsoft Purview Analytics in OneLake (preview) allows you to extract tenant-specific metadata from the Unified Catalog and export it directly into OneLake. You can then use Microsoft Power BI to analyze the metadata to further understand and report on your data’s quality and lineage.

Learn more about these announcements in our Microsoft Purview Data Governance blog.

Support compliance and regulatory requirements

As regulatory requirements evolve with the proliferation of AI, it is more critical than ever for businesses to keep compliance and privacy top of mind. However, adhering to requirements is becoming increasingly complex, while consequences for non-compliance are growing more severe. Microsoft Purview empowers you to address regulatory demands and comply with corporate policies by offering compliance and privacy controls that are both scalable and adaptable to changing needs.

New templates in Compliance Manager to help simplify compliance

Microsoft Purview Compliance Manager provides insights into your organization’s compliance status through compliance templates and provides suggested actions and next steps to help you along your compliance journey. Compliance Manager continues to add new templates to help you address new and evolving regulations, including templates for the European Union AI Act (EU AI Act), NIST 2 AI, ISO 42001, ISO 23894, the Digital Operational Resilience Act (DORA), and additional industry and regional regulations. Compliance Manager now includes historical records that help track your organization’s compliance and provide actionable next steps to understand how new regulations or policies affect your compliance score over time. In addition, you can now use custom templates to address both regulatory requirements and your organization’s specific policies and preferences.

Figure 2. EU AI Act assessment in Compliance Manager (screenshot of the Compliance Manager assessment within the Microsoft Purview portal).

Learn more about this announcement in the Microsoft Purview Compliance Manager blog.

New Microsoft Purview controls for ChatGPT Enterprise with integration with OpenAI for improved compliance

Microsoft Purview now integrates with ChatGPT Enterprise, allowing you to gain visibility and govern the prompts and responses of your ChatGPT Enterprise interactions. This integration, currently in preview, includes Microsoft Purview Audit for auditing ChatGPT Enterprise interactions, Microsoft Purview Data Lifecycle Management for enabling retention and deletion policies, Microsoft Purview Communication Compliance to proactively detect regulatory and corporate policy violations, and Microsoft Purview eDiscovery to streamline legal investigations.

Learn more about all these announcements in our Security for AI blog.

Microsoft Purview is built to help safeguard AI Innovation

With the rapid adoption of AI, new vulnerabilities have emerged, highlighting the need for strong data security and governance of AI workloads. Microsoft Purview is built to secure and govern data related to pre-built and custom-built AI apps.

Introducing Microsoft Data Security Posture Management for AI (DSPM for AI)

Security teams often find themselves in the dark when it comes to data security and compliance risks associated with AI usage. Without proper visibility, organizations often struggle to safeguard their AI assets effectively. DSPM for AI, now generally available, gives you visibility through a centralized dashboard and reports, enables you to proactively discover and manage your AI-related data risks, such as sensitive data in user prompts, and gives you actionable recommendations and real-time insights to respond effectively to security incidents.

Microsoft Purview controls for Microsoft 365 Copilot help prevent data oversharing

Data oversharing occurs when users have access to more data than necessary for their job duties. Organizations need effective data security controls to help mitigate this risk. At Microsoft Ignite we announced a number of new Microsoft Purview capabilities in preview to prevent data oversharing in Microsoft 365 Copilot.

Data oversharing assessments: Discover data that is at risk of oversharing by scanning files containing sensitive data, identifying risky data sources such as SharePoint sites with overly permissive user access, and providing recommendations such as auto-labeling policies and default labels to prevent sensitive data from being overshared. The oversharing assessment report can identify unlabeled files accessed by users before deploying Copilot, or it can be run post-deployment to identify sensitive data referenced in Copilot responses.

Label-based permissions: Microsoft 365 Copilot honors permissions based on sensitivity labels assigned by Microsoft Purview when referencing sensitive documents.

Purview DLP for Microsoft 365 Copilot: You can create DLP policies to exclude documents with specified sensitivity labels from being processed, summarized, or used in responses in Microsoft 365 Copilot, preventing sensitive data from being inadvertently overshared.

New Microsoft Purview capabilities to detect risky activities in Microsoft 365 Copilot

Security teams need ways to detect risky use of AI applications like deliberate or accidental access to sensitive data, jailbreaks, and copyright violations. Insider Risk Management and Communication Compliance now provide risky AI usage indicators, a policy template, and an analytics report in preview to help detect and investigate the risky use of AI. These new capabilities not only help detect risky activities and prompts but also integrate with Microsoft Defender XDR, enabling your security teams to investigate new AI-related risks holistically alongside other risks, such as identity risks through Microsoft Entra and data oversharing and data loss risks through Purview DLP.

New Microsoft Purview capabilities for agents built with Microsoft Copilot Studio

When new and citizen developers are building low-code or no-code AI, they often lack the security expertise and tools to enable security and compliance controls. Microsoft Purview now provides data controls for agents built in Copilot Studio to enable low-code and no-code developers to build more secure agents. For example, when an agent built with Copilot Studio accesses sensitive data, it will recognize and honor the sensitivity labels of the data being accessed. Microsoft Purview will also protect sensitive data generated by the agent through label inheritance and will enforce label permissions, ensuring only authorized users have access.

Data security admins also get visibility into the sensitivity of data in user prompts and agent responses within DSPM for AI. Moreover, Microsoft Purview will enable you to detect anomalous user activity and risky or non-compliant AI use and apply retention or deletion policies to your agent prompts and responses. These new controls give you visibility and insights into risks for your agents built with Copilot Studio, strengthening your data security posture.

Learn more about all these announcements in our Security for AI blog.

Unified solutions that empower your organization

As you navigate the complexities of AI proliferation, regulatory requirements, and security threats, we are excited to innovate, invest in, and expand the capabilities of Microsoft Purview to address your most pressing data security, governance, and compliance challenges.

Get started with Microsoft Purview today

To get started, we invite you to try Microsoft Purview free and to learn more about Microsoft Purview today.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.


[1] Microsoft internal research, May 2023.

[2] Gartner, Innovation Insight for Security Platforms, Peter Firstbrook, Craig Lawson. October 16, 2024. GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

[3] Microsoft internal research, August 2024.

[4] Overcoming the 80/20 Rule in Data Science, Pragmatic Institute.

The post New Microsoft Purview features help protect and govern your data in the era of AI appeared first on Microsoft Security Blog.

Working with a cybersecurity committee of the board http://approjects.co.za/?big=en-us/security/blog/2024/06/26/working-with-a-cybersecurity-committee-of-the-board/ Wed, 26 Jun 2024 16:00:00 +0000 Learn about the rise of cybersecurity committees and how the CISO and IT security team can work with them to produce the best result for the organization’s IT security and enable digital transformation.

I serve on the board of a publicly traded company. I fostered the creation of the board’s cybersecurity committee and I co-lead it. I’ve reflected on my work as a Global Black Belt, an advisor to chief information security officers (CISOs) and IT security and compliance teams, and studied best practices to set up a cybersecurity committee that best supports the company’s IT security posture. Part of this is fostering a productive relationship with our CISO, recognizing and communicating the great work of their team.

Tools like Microsoft Purview Compliance Manager, Microsoft Secure Score, and regulatory compliance dashboard in Microsoft Defender for Cloud are great ways for an organization to benchmark and communicate its security and compliance posture.

This blog post will offer these learnings to CISOs and IT security teams to set their relationship with the cybersecurity committee of the board up for success.

The cybersecurity committee of the board

The United States Securities and Exchange Commission (SEC) adopted rules in July 2023 [1] to expand the scope of its cybersecurity reporting requirements for publicly traded companies [2], making the governance of IT security by the board of directors and the cybersecurity expertise of board members reportable to the marketplace.

Corporate governance benchmarks, including the Institutional Shareholder Services (ISS) ESG Governance QualityScore, which is widely used by analysts and in some executive compensation decisions, are including IT security measurements in their scoring [3]. Cybersecurity is recognized as requiring governance from the board of directors. Boards are changing to make this possible.

The IT security function was viewed as the province of technical specialists, to be given some increased investment for a more hostile security landscape and in response to high profile security incidents. Cybersecurity was not considered a focus area of the board like finance, audit, or executive compensation. This has changed. Boards are seating directors with IT security expertise and asking for more communication from the IT security team, usually through the CISO.

Mandate of the cybersecurity committee

The mandate of the cybersecurity committee includes learning about the organization’s IT security team. To optimize the relationship, the security team needs to understand how the board and the cybersecurity committee work as well.

The cybersecurity committee will have a mandate, vetted and granted by the board members and likely the chief executive officer (CEO). This mandate will be set out in a corporate document that describes the responsibilities of the committee, the content and frequency of their reports, and the type of information they are to review. The CISO should understand the mandate and with it the scope of the committee to know how to best and most efficiently partner with them. A proactive CISO can contribute to the formulation of the mandate, avoiding conflict and inefficiency, and setting the relationship up for success.

Beyond the mandate document, the board will likely have public-facing Rules of Procedure. This document sets out the mission, duties, and operations of the board. It will likely also have a section describing the various board committees, their operations, and responsibilities.

The committee will be focused on discharging these responsibilities in an auditable way.

Time on the agenda of board meetings is at a premium. A typical two-hour meeting agenda might include:

  • Approval of the last board meeting minutes.
  • Review of first half results.
  • Review of Environmental Social and Governance (ESG) report and ESG committee recommendations.
  • Approval of board members’ expenses.
  • Financial and business outlook.
  • Business plan update.
  • Review of next meeting dates.

Some of these are mandated by law, leaving little time for discretionary topics. There may be four or five such board meetings per year. The cybersecurity committee will have a slot on the agenda, as will other business.

A board may receive a briefing from the CISO on current state and plan once a year. The CISO may be called on to provide ad hoc input on risks, incidents, or other emerging topics.

A cybersecurity committee is a subgroup of the board. It is led by one or two directors who have a relatively high level of cybersecurity expertise. They should:

  • Understand the IT security function, policies, standards, current state, and plan.
  • Offer their opinion as to how the current state and plan aligns with the company’s risk management posture and business objectives.
  • Identify areas in current state and plan that need focus from the IT security function.
  • Communicate blockers and advocate for the security function with the board and executives.

The committee is accountable for reporting to the board on these items.

Working with the cybersecurity committee

The board and the CISO need to align on how they will work together. They need to agree on efficient ways to get the information and context the committee needs to achieve its mandate.

This is an opportunity for the CISO to leverage their existing reporting and documents to the extent possible. A CISO who is proactive and suggests a framework will be a good partner to the committee. This will reduce the level of effort for the security team going forward.

The role of the board and the committee is to act on behalf of the shareholders to manage risk—not to manage the IT security team, the plan, or be accountable for cybersecurity. That’s the CISO’s job.

Board members often serve on multiple boards and have high profile roles in other organizations. They need information that is on target, that they can consume quickly, and report with confidence to stakeholders. Effective communication includes:

Context

What does it mean to the business?

Cybersecurity risk and planning should be communicated in a similar format to the financial and business risk that the board is used to managing.

Progress to plan should be shown in context. A security roadmap for a minimum of three years should be shared with progress and changes tracked over time.

The focus should be on a holistic IT security strategy and architecture spanning infrastructure, services, internal, vendors, on-premises, cloud, and culture.

Objective data

Recommendations from the IT security team should be presented together with the objective information that supports them.

Key performance indicators (KPIs) should be agreed upon and visualized over time to expose trends. The committee should see that the right things are being monitored but not expect to drill down into every KPI.

Objective outputs that can show trends and be mapped to investments in security include Secure Score in Microsoft Defender. Secure Score monitors platform as a service (PaaS) and infrastructure as a service (IaaS) cloud, hybrid, and on-premises environments in Microsoft Azure, Amazon Web Services, and Google Cloud Platform.

Microsoft Secure Score is a similar service focused on the improvement of security posture of a company’s Microsoft 365 software as a service (SaaS), including identity, devices, and applications.

The score, which is expressed as a percentage from 0 to 100, is shown with a list of recommendations that can be undertaken to meet security controls. These security controls should be considered for the security roadmap. As the controls are implemented, the Secure Score increases.

A company should not be focused on driving Secure Score to 100 percent, but rather on ensuring that the recommendations are considered in light of the company’s risk appetite and security roadmap. If the score is not rising as expected, then the reason should be understood.

Similarly, Microsoft Purview Compliance Manager provides a Compliance Score for Microsoft 365. For Azure customers, Microsoft provides the regulatory compliance dashboard in Microsoft Defender for Cloud, which also provides visibility into the compliance posture of non-Microsoft clouds. These solutions are vehicles to help customers objectively assess and communicate the company’s compliance posture against their most important regulatory standards.

The updated security roadmap, with progress indicated, should be presented to the committee, and the KPIs should broadly track with this progress, allowing an increased confidence in the organization’s security posture and trends.

Align with the mandate of the committee

Working with the cybersecurity committee and the board will involve communicating to a diverse group whose first expertise may not be information technology. We need to teach.

We also need to learn. The committee operates within its mandate. Servicing this mandate is the primary focus of the committee. It will come before other subjects we may want to discuss. Map these subjects to the committee’s mandate.

The board operates within its rules of procedure. We will be much more effective if we are familiar with these. If we map our asks and replies to the committee’s mandate, our communication will be well received and we’ll strengthen the partnership. If we understand the rules of procedure we can avoid ad hoc engagement and communicate our message effectively.

The mandate may indicate that a report from the committee is due to the board in advance of the Annual General Meeting. If we’ve agreed on the information needed to service the mandate, we can be proactive about providing this. We can anticipate questions and put challenges in context with what they mean to the business and what we’re doing to address them.

Confidentiality

Some of the materials provided to the cybersecurity committee will require confidentiality. They should be watermarked or encrypted per company policy. Board members are not employees, and they probably don’t have a company email address or access to the company network. The tools and procedures will need to take this into account.

The reporting of the cybersecurity committee to the board is also confidential. Beyond bad actors, the information may be taken out of context by analysts or those seeking to harm the company’s reputation. Security controls should be agreed with the CISO to ensure that the documents provided to and produced by the cybersecurity committee will be limited in distribution to the committee, company leadership and the office of the CISO.

Some board documents are shared with shareholders and made available to the public, such as minutes of the board meetings. Where input from the CISO or the cybersecurity committee for these documents is needed, it should be made sufficiently general so as not to expose the company to risk.

Get started with committee collaboration

The formation of a cybersecurity committee as part of a company’s board will mean more scrutiny of the IT security function. More time will be devoted to communicating and reporting.

The CISO and their team will get visibility with the board and can use this to advocate for the resources and cultural changes they need to protect the company. Productive, efficient interaction with the committee can build a partnership with the board, which protects and adds value for the company.

Learn more

Learn more about Microsoft Purview Compliance Manager.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on X at @MSFTSecurity for the latest news and updates on cybersecurity.


[1] SEC Adopts Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies, SEC. July 26, 2023.

[2] SEC cyber risk management rule—a security and compliance opportunity, Steve Vandenberg. March 1, 2023.

[3] IT security: An opportunity to raise corporate governance scores, Steve Vandenberg. August 8, 2022.

New capabilities to help you secure your AI transformation http://approjects.co.za/?big=en-us/security/blog/2024/05/06/new-capabilities-to-help-you-secure-your-ai-transformation/ Mon, 06 May 2024 16:00:00 +0000 Today, we’re thrilled to introduce new features for securing and governing in the age of AI. We are announcing new capabilities in Microsoft Defender and Microsoft Purview that will make it easier for teams to manage, protect, and govern AI applications at work.

Microsoft Copilot for Security is now Microsoft Security Copilot.

AI is transforming our world, unlocking new possibilities to enhance human abilities and to extend opportunities globally. At the same time, we are also facing an unprecedented threat landscape with the speed, scale, and sophistication of attacks increasing rapidly. To meet these challenges, we must ensure that AI is built, deployed, and used responsibly with safety and security at its core. And it is more important than ever to leverage AI to empower all defenders and tilt the balance in their favor.

Security is our top priority at Microsoft—above all else—and our expanded Secure Future Initiative underscores our company-wide commitment to making the world a safer place for everyone. I am proud that Microsoft is prioritizing security in the age of AI as we continue to innovate with a security-first mindset.

Today, new capabilities are now available in Microsoft Defender and Microsoft Purview to help organizations secure and govern generative AI applications at work. These releases deliver purpose-built policy tools and better visibility to help you secure and govern generative AI apps and their data. We are also delivering a new unified experience for the security analyst and integrating Microsoft Copilot for Security across our security product portfolio.

You’ll be able to see firsthand these innovations and more across the Microsoft Security portfolio at RSA Conference (RSAC). I also hope you will join me on Tuesday, May 7, 2024, for “Securing AI: What We’ve Learned and What Comes Next,” to explore the strategies that every organization can implement to securely design, deploy, and govern AI.

Secure your AI transformation with Microsoft Security

Wherever your organization is in its AI transformation, you will need comprehensive security controls to secure and govern your AI applications and data throughout their lifecycle—development, deployment, and runtime.

With the new capabilities announced today, Microsoft becomes the first security provider to deliver end-to-end AI security posture management, threat protection, data security, and governance for AI.

A diagram showing the cycle connecting deployment, development, and runtime with AI usage.

Discover new AI attack surfaces, strengthen your AI security posture, and protect AI apps against threats with Microsoft Defender for Cloud. Now security teams can identify their entire AI infrastructure—such as plugins, SDKs, and other AI technologies—with AI security posture management capabilities across platforms like Microsoft Azure OpenAI Service, Azure Machine Learning, and Amazon Bedrock. You can continuously identify risks, map attack paths, and use built-in security best practices to prevent direct and indirect attacks on AI applications, from development to runtime.

Integrated with Microsoft Azure AI services, including Microsoft Azure AI Content Safety and Azure OpenAI, Defender for Cloud will continuously monitor AI applications for anomalous activity, correlate findings, and enrich security alerts with supporting evidence. Defender for Cloud is the first cloud-native application protection platform (CNAPP) to deliver threat protection for AI workloads at runtime, providing security operations center (SOC) analysts with new detections that alert to malicious activity and active threats, such as jailbreak attacks, credential theft, and sensitive data leakage. Additionally, SOC analysts will be able to facilitate incident response with native integration of these signals into Microsoft Defender XDR.

Identify and mitigate data security and data compliance risks with Microsoft Purview. Give your security teams greater visibility into and understanding of which AI applications are being used and how to help you safeguard your data effectively in the age of AI. The Microsoft Purview AI Hub, now in preview, delivers insights such as sensitive data shared with AI applications, total number of users interacting with AI apps and their associated risk level, and more. To prevent potential oversharing of sensitive data, new insights help organizations identify unlabeled files that Copilot references and prioritize mitigation of oversharing risks. Additionally, we are excited to announce the preview of non-compliant usage insights in the AI Hub to help customers discover potential AI interactions that violate enterprise and regulatory policies in areas like hate and discrimination, corporate sabotage, money laundering, and more.

Govern AI usage to comply with regulatory policies with new AI compliance assessments in Microsoft Purview. We understand how important it is to comply with regulations, and how complicated it can be when deploying new technology. Four new Compliance Manager assessment templates, now in preview, are available to help you assess, implement, and strengthen compliance with AI regulations and standards, including EU AI Act, NIST AI RMF, ISO/IEC 23894:2023, and ISO/IEC 42001. The new assessment insights will also be surfaced within the Purview AI Hub, providing recommended actions to support compliance as you onboard and deploy AI solutions.

Together we can help everyone pursue the benefits of AI, by thoughtfully addressing the new risks. The new capabilities in Microsoft Defender for Cloud and Microsoft Purview, which build on top of the innovations we shared at Microsoft Ignite 2023 and Microsoft Secure 2024, are important advancements in empowering security teams to discover, protect, and govern AI—whether you’re adopting software as a service (SaaS) AI solutions or building your own.

Read more about all of the new capabilities and features that help you secure and govern AI.

Strengthening end-to-end security with a unified security operations platform

We continue investing in our long-standing commitment to providing you with the most complete end-to-end protection for your entire digital estate. There is an immediate need for tool consolidation and AI to gain the speed and scale required to defend against these new digital threats. Microsoft integrates all of the foundational SOC tools—cloud-native security information and event management (SIEM), comprehensive native extended detection and response (XDR), unified security posture management, and generative AI—to deliver true end-to-end threat protection in a single platform, with a common data model, and a unified analyst experience.

The new unified security operations platform experience, in preview, transforms the real-world analyst experience with a simple, approachable user experience that brings together all the security signals and threat intelligence currently stuck in other tools. Analysts will have more context at every stage, with helpful recommendations and suggestions for automation that make investigation and response easier than ever before. We are also introducing new features across Microsoft Sentinel and Defender XDR, including global search, custom detections, and automation rules.

We are also pleased to announce a number of additional new features and capabilities that will empower your security operations center (SOC) to work across Microsoft security products for stronger end-to-end security.

  • Microsoft Security Exposure Management initiatives help your security team identify risky exposures and instances of insufficient implementation of essential security controls, to find opportunities for improvement.
  • SOC analysts can now use insider risk information as part of their investigation in Microsoft Defender XDR.
  • Microsoft Defender XDR expands to include native operational technology (OT) protection, enabling automatic correlation of OT threat signal into cross-workload incidents and the ability to manage OT and industrial control system vulnerabilities directly within Defender XDR.
  • Expanded attack disruption in Microsoft Defender XDR, powered by AI, machine learning, and threat intelligence, will cover new attack scenarios like disabling malicious OAuth apps and will significantly broaden compromised-user disruption, covering cases such as leaked credentials, credential stuffing, and password guessing.
  • Microsoft Sentinel launches SOC Optimizations to provide tailored guidance to help manage costs, increase the value of data ingested, and improve coverage against common attack techniques.

Expanded Microsoft Copilot for Security integrations

When it comes to supporting security teams and relieving complexity, Microsoft Copilot for Security offers a great advantage. Greater integration of Copilot across the Microsoft security portfolio and beyond provides richer embedded experiences and Copilot capabilities from familiar and trusted products. We are proud to announce new Microsoft Copilot for Security integrations, including Purview, new partner plugins, Azure Firewall, and Azure Web Application Firewall. These integrations provide your security teams with real-time guidance, deeper investigative insights, and expanded access to data from across your environment.

Security for the era of AI

An end-to-end security platform will be a determining factor in every organization’s transformation and will play a critical role in the durability of AI-powered innovation. Organizations that focus on securing AI and invest in using AI to strengthen security will be the lasting leaders in their industries and markets. Microsoft is committed to empowering these industry and market leaders with security solutions that can help them achieve more. We bring together four critical advantages: large-scale data and threat intelligence; the most complete end-to-end platform; industry leading, responsible AI; and tools to help you secure and govern AI.

With the general availability of Copilot for Security, Microsoft has delivered on our promise to put industry-leading generative AI into the hands of IT and security professionals of all levels of experience. Now, with today’s release of new capabilities in Defender for Cloud and Microsoft Purview, we are also delivering on our commitment to empower IT and security teams with the tools they need to take advantage of AI safely, responsibly, and securely.

Lastly and importantly, security is a team sport. We look forward to working together with the industry and our partners on advancing cybersecurity for all.

I do hope you’ll connect with us at RSAC this week, where we will be demonstrating our comprehensive security portfolio and how it helps you protect your environment from every angle to prepare for and confidently adopt and deploy AI. 

Learn more

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

The post New capabilities to help you secure your AI transformation appeared first on Microsoft Security Blog.

Expanding horizons—Microsoft Security’s continued commitment to multicloud http://approjects.co.za/?big=en-us/security/blog/2023/06/14/expanding-horizons-microsoft-securitys-continued-commitment-to-multicloud/ Wed, 14 Jun 2023 17:00:00 +0000 Learn how to manage multicloud security risk with Microsoft's native multicloud protection for three of the industry’s main cloud platforms.

Multicloud strategies have become the new norm for most enterprises, with more than 90 percent of organizations adopting multiple cloud infrastructures, platforms, and services to run their businesses.1 However, a lack of visibility into their digital infrastructure exposes them to significant risks. As a customer, you may run workloads on Microsoft Azure, Amazon Web Services (AWS), Google Cloud Platform (GCP), and even on-premises. You likely rely on services like Zoom or Salesforce. But fundamentally, you want it all to work securely and work together—regardless of service provider. Today we are excited to share additional innovations as we continue to expand our sphere of protection.

Figure 1. This graphic shows how software as a service (SaaS), platform as a service (PaaS), and infrastructure as a service (IaaS) work together in a comprehensive security strategy.

Microsoft Security—extending our multicloud reach

At Microsoft, we have long embraced our commitment to protecting our customers’ multicloud environments. The journey began in July 2021, when we acquired CloudKnox Security to help customers manage permissions across clouds and strengthen their Zero Trust strategy.2 That cloud infrastructure entitlement management (CIEM) solution has evolved to become Microsoft Entra Permissions Management, and is part of our comprehensive identity product family: Microsoft Entra. In February 2022, Microsoft Defender for Cloud expanded to include GCP and AWS, becoming the first cloud provider to offer integrated cloud-native application protection (CNAPP) for the three main public clouds—from development to runtime.3 This past March, we introduced Microsoft Defender Cloud Security Posture Management for multicloud environments, including new data-aware security posture management capabilities to help customers identify risks across their data estate, and an improved multicloud security benchmark to better unify security and compliance across services. And finally, earlier this year we announced enhancements to Microsoft Purview to continue building on the promise of securing both structured and unstructured data wherever it lives.

Figure 2. Timeline of Microsoft Security’s journey to multicloud, starting in 2021 with the acquisition of CloudKnox Security, to the launch of Microsoft Entra and the extension of Microsoft Defender for Cloud to GCP and AWS in 2022, continuing with enhancements to Microsoft Purview in 2023, with more capabilities to come.

Securing your data wherever it travels

The amount of data being created and transferred is growing exponentially. This is taking place at a time when employees don’t just gather around the water cooler; they’re communicating across digital channels on personal and corporate devices. Modern workforces are distributed, and the digital fabric of any given organization is made up of multiple threads, adding layers of complexity. Additionally, the shift to multicloud makes the surface area of your data even larger. Without unified visibility across your multicloud data security posture, the shift adds to the complexity of identifying risks such as misconfigured object storage and databases.4 You can hear more about this in the most recent Uncovering Hidden Risks podcast, which discusses the risks of running a multicloud strategy as customers accelerate their digital transformation. Organizations looking to proactively protect and manage multicloud environments often face challenges around data risk, data protection, and data compliance.

Data Risk—Data doesn’t move itself; people move and interact with data, and that’s where the majority of data security risks stem from. In fact, data security incidents are commonly caused by insider actions, accounting for nearly 35 percent of all unauthorized incidents.4 Even the strongest cybersecurity programs can be undermined by insiders who either intentionally or unintentionally compromise an enterprise. To assist you in identifying data risks across various environments, we are pleased to share that you can now bring your own risk detections into Microsoft Purview Insider Risk Management. For example, you can import events from customer relationship management (CRM) systems, such as Salesforce, or developer tools like GitHub. These user activities can then be used as custom indicators in insider risk policies, combined with other built-in indicators, offering organizations a comprehensive view and understanding of potential data security risks posed by an insider. You can learn more about it from our blog “Manage insider risks in multicloud environments.”

Data Protection—The loss of sensitive data remains the top security concern for IT and security professionals. This often leads to the deployment of multiple solutions to manage data loss across different environments, which could lead to both blind spots and data leakage. It is crucial to have integrated solutions that can protect sensitive data across your digital landscape. In addition to supporting Microsoft 365 apps, services, Microsoft Edge, and Windows endpoints, Microsoft Purview Data Loss Prevention (Purview DLP) supports macOS endpoints, as well as virtualized environments such as Citrix, Windows Virtual Desktop, Amazon Workspaces, and Hyper-V platforms, as well as Google Chrome and Firefox browsers. We are continuing to expand our capabilities to allow you to cover all egress risks. Today we are excited to announce that organizations can now leverage Purview DLP to prevent their users from pasting sensitive content in websites on supported browsers. For example, let’s say a user copies customer information from an internal CRM system or SQL database, and pastes it into personal email, social media sites, or generative AI prompts on a supported browser like Microsoft Edge, Google Chrome, or Firefox. Based on the pre-set policy, Purview DLP will audit, warn, or block the action to prevent leaking sensitive information. Learn more in our blog here.

Data Compliance—The compounding impact of a complex regulatory environment and the growing adoption of cloud services makes it increasingly difficult for organizations to identify compliance risks. We are excited to share that you can now run multicloud assessments in Microsoft Purview Compliance Manager. This feature lets you assess your compliance posture across your organization’s multicloud estate, including Azure, AWS, GCP, and services like Zoom and Salesforce. For example, for a regulation such as Payment Card Industry Data Security Standard, you can aggregate and automate your compliance posture across all in-scope services. You can learn more about it in our latest blog.

Be sure to explore our videos on Multicloud Assessments from Microsoft Mechanics, and delve into the latest overview of Microsoft Defender for Cloud by Microsoft Solution Architect, John Savill. This is the first of a series of exciting multicloud innovations, with more in store over the next few months. Stay tuned!

Learn more

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and Twitter (@MSFTSecurity) for the latest news and updates on cybersecurity.

[1] 2023 State of the Cloud Report, Flexera. 2023.

[2] Microsoft acquires CloudKnox Security to offer unified privileged access and cloud entitlement management, Microsoft Security Team. July 21, 2021.

[3] Microsoft Announces new Security Capabilities for the Multicloud World, Microsoft Stories Asia. February 24, 2022.

[4] Insider threat peaks to highest level in Q3 2022, Maria Henriquez. November 10, 2022.

Secure hybrid and remote workplaces with a Zero Trust approach http://approjects.co.za/?big=en-us/security/blog/2023/04/06/secure-hybrid-and-remote-workplaces-with-a-zero-trust-approach/ Thu, 06 Apr 2023 16:00:00 +0000 Secure your organization's digital estate through a comprehensive Zero Trust approach.

Productivity and innovation have become critical goals in many hybrid and remote work environments. Ensuring preventative and strong security, in turn, must be at the heart of that. In this blog series, we’ll discuss two Zero Trust business scenarios: enabling a more productive hybrid or remote work environment and rapidly modernizing your organization’s security posture through a Zero Trust architecture. Adopting an end-to-end Zero Trust strategy promotes secure, optimal access for the modern hybrid workforce.

Zero Trust is a proactive, integrated approach to security across the digital estate that explicitly and continuously verifies every transaction, asserts least privilege access, and relies on intelligence, advanced detection, and real-time response in the face of threats.

Adopting an end-to-end Zero Trust security strategy, and implementing Zero Trust security pillars, promotes the most secure and optimized access for users in the modern hybrid workforce. Organizations need to adapt to stay competitive, and cybersecurity remains a top concern as work environments continue to shift toward hybrid and remote settings.

Enable a more productive hybrid or remote workplace

Hybrid work introduces significant challenges for security teams as employees spend more time outside the traditional network perimeter where visibility, control, and consistency are harder to enforce. This impacts security teams who work to secure sensitive data and devices.

Figure 1. Hybrid and remote workers can enable more productive, secure workflows in both global and local locations with a comprehensive Zero Trust strategy in place.

Embracing a Zero Trust security model provides your organization with the necessary tools and framework to more effectively secure hybrid work environments. Adopting an end-to-end Zero Trust strategy also comes with several other business benefits in this new world of work, including:

  • Improved employee experience and productivity.
  • Increased organizational agility and adaptability.
  • Strengthened talent retention.

One of the first steps organizations must take to modernize and equip themselves with proper data security measures is to determine if they:

  • Know the types of sensitive information they have and where it lives.
  • Protect and prevent loss of sensitive data across environments.
  • Have a method for managing insider risks to understand user intent.

Answering these questions can help organizations discern how well they match up to today’s evolving security risks and how they could improve their security posture by implementing a Zero Trust architecture.

A Zero Trust framework helps organizations strengthen their defenses, giving employees the flexibility to work from anywhere and use applications that live outside of traditional corporate network protections. Zero Trust makes securing data across multiple channels, such as emails, messages, shared storage, cloud apps, and devices much easier. And, with hybrid workforces, data security incidents can happen anytime, anywhere.

A simplified security architecture through Zero Trust improves business agility across many types of workplaces, including hybrid. Through efficient system management and user access, organizations can move quickly to pursue business opportunities and support remote work while assessing and managing risk. This is particularly important since collaborating across multiple environments and devices due to remote and hybrid work can result in severe data security incidents, especially if your organization does not have visibility into its data or if a user has malicious intent to exfiltrate the data or share sensitive information and make it visible. Instituting Zero Trust architecture also improves security posture and reduces the risk of data breaches, even for people, resources, and data outside the corporate network perimeter.

Figure 2. Teams must collaborate with each other to implement a comprehensive, cross-cloud Zero Trust framework into their security practices.

Innovate and rapidly modernize your organization’s security posture

Zero Trust is designed to modernize your security posture and ensure comprehensive security across all identities. A comprehensive Zero Trust approach also helps break down siloes between IT teams and systems, enabling better visibility and protection across your entire IT stack. Using tools like Microsoft Purview Compliance Manager, your security team can also measure the security posture of your assets against industry benchmarks and best practices. Analyzing productivity and security signals helps your team better evaluate your security culture, identifying areas for improvement or best practices for compliance.

Today’s security leaders must balance the challenges of hybrid or remote access, protecting sensitive data, and compliance requirements with the business need to collaborate, innovate, and grow. Rapidly modernizing your security posture by implementing a Zero Trust framework will not only help your organization to meet and exceed regulatory and compliance requirements, but it will also help enable your organization to protect against a fast-changing threat landscape. As your organization begins this journey, remember that teams must:

  • Collaborate on how to address the most critical threats they face.
    • This involves continuous improvement and evaluation across the entire digital estate to increase visibility. Teams can automate tasks that slow them down, such as IT help desk support, which saves time and money that can instead be spent proactively addressing serious security problems.
  • Simultaneously defend their organizations against attacks and other security threats.
    • As a part of defending against security attacks and threats, security teams should ask themselves how they protect data and identities, while also evaluating and managing endpoint device health. This can help teams evaluate attacks that may occur while determining insider risk alongside user behavior analysis.
  • Strive for continuous security improvement.
    • Because of the ever-evolving threat landscape, security teams must also continuously improve and check in on their security status, including continuous monitoring for threats that otherwise would not or could not be detected proactively. Zero Trust allows teams to protect against bad actors and potential security threats automatically and proactively through multistep defense across identities and endpoints.
  • Prioritize their need for end-to-end visibility.
    • Another component of defending against security attacks and threats is increasing the security team’s visibility throughout the entire digital estate. Organizations should adopt specific policies to ensure data and identities are protected and meet compliance requirements, as necessary, and set alerts for attacks to enable quick remediation.

Consider the Rapid Modernization Plan guidance Microsoft uses to implement Zero Trust, which allows teams to use a set of specified initiatives for successful and quick deployment. The process goes as follows:

  1. Validate trust for all access requests from identities, endpoints, apps, and networks.
  2. Prepare and enable ransomware recovery.
  3. Protect on-premises and cloud data from malicious access.
  4. Streamline threat response.
  5. Unify visibility across all security pillars.
  6. Reduce manual effort on security teams.

Adopting a Zero Trust model enables end-to-end visibility across the security estate. The automated response that the Zero Trust approach takes protects assets, remediates threats, and supports investigations, ultimately empowering security teams to respond more quickly to threats across all pillars.

Secure your organization’s digital estate through a comprehensive Zero Trust approach

Adopting an end-to-end Zero Trust strategy is a critical step that organizations can take to increase productivity in, innovate, and modernize their hybrid work environments. We look forward to diving into additional scenarios in our next Zero Trust blog.

To learn more about protecting your business:

And, to dive deeper into Microsoft Security solutions, join us on April 13, 2023, for Microsoft Secure Technical Accelerator. During this event, you can engage with our product and engineering teams through a live Q&A during each session, learn best practices, build community with your security peers, and get prescriptive technical guidance that will help you and your organization implement our comprehensive security solutions. 

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and Twitter (@MSFTSecurity) for the latest news and updates on cybersecurity.

Introducing Adaptive Protection in Microsoft Purview—People-centric data protection for a multiplatform world http://approjects.co.za/?big=en-us/security/blog/2023/02/06/introducing-adaptive-protection-in-microsoft-purview-people-centric-data-protection-for-a-multiplatform-world/ Mon, 06 Feb 2023 17:00:00 +0000 Learn how machine learning in Microsoft Purview enables people-centric data protection and saves your security teams time.

At Microsoft, we never stop working to protect you and your data. If the evolving cyberattacks over the past three years have taught us anything, it’s that threat actors are both cunning and committed. At every level of your enterprise, attackers never stop looking for a way in. The massive increase in data—2.5 quintillion bytes generated daily—has only increased the level of risk around data security.1 Organizations need to make sure their information is safe from malicious attacks, inadvertent disclosure, or theft. During the third quarter of 2022, insider risks, including human error, accounted for almost 35 percent of unauthorized access incidents.2 But on the positive side, we’re seeing a growing awareness across all areas of organizations about the need to safeguard data as a precious resource.

Our customers have been clear in voicing their need for a unified, comprehensive solution for data security and management, one that’s as scalable as their business needs. In the Go Beyond Data Protection with Microsoft Purview digital event on February 7, 2023, Alym Rayani, General Manager of Compliance and Privacy Marketing at Microsoft, and I will discuss Microsoft’s approach to data security, including how to create a defense-in-depth approach to protect your organization’s data. We’ll also introduce some groundbreaking innovations for our Microsoft Purview product line—such as Adaptive Protection for data powered by machine learning—and invite new customers to sign up for a free trial. We remain guided by our core belief that security is a team sport. So in this blog, I’ll address how our newest innovations can help your team keep your data safe while empowering productivity and collaboration. We’ll also look at steps you can take to build a layered data security defense within your organization.

A new approach for a new data landscape

We’ve all seen how the ongoing shift to a hybrid and multicloud environment is changing how organizations collaborate and access data. Considering the massive amounts of data generated and stored today, it’s easy to see how this creates a business liability. More than 80 percent of organizations rate theft or loss of personal data and intellectual property as high-impact insider risks.3 Often the risk stems from organizations making do with one-size-fits-all, content-centric data-protection policies that end up creating alert noise. This signal overload leaves admins scrambling as they manually adjust policy scope and triage alerts to identify critical risks. Fine-tuning broad, static policies can become a never-ending project that overwhelms security teams. What’s needed is a more adaptive solution to help organizations address the most critical risks dynamically, efficiently prioritizing their limited security resources on the highest risks and minimizing the impact of potential data security incidents.

Venn diagram showing how Adaptive Protection optimizes data protection automatically by balancing content-centric controls and people-centric context.

Adaptive Protection in Microsoft Purview is the solution. This new capability, now in preview, leverages Insider Risk Management machine learning to understand how users are interacting with data, identify risky activities that may result in data security incidents, then automatically tailor Data Loss Prevention (DLP) controls based on the risk detected. With Adaptive Protection, DLP policies become dynamic, ensuring that the most effective policy—such as blocking data sharing—is applied only to high-risk users, while low-risk users can maintain their productivity. The result: your security operations team is now more efficient and empowered to do more with less.

Adaptive Protection in action

Let’s take a look at how Adaptive Protection can benefit your organization in everyday use. Imagine there’s a company named Contoso where Rebecca and Chris work together on a confidential project. Rebecca and Chris both try to print a file related to that project. Rebecca gets a policy tip to educate her that the file contains confidential information and that she will need to provide a business justification before printing. But when Chris tries to print the file, he gets blocked outright by Contoso’s endpoint DLP policy. 

So, why do Rebecca and Chris have different experiences? The security team at Contoso uses Adaptive Protection, which detected that Chris has a privileged admin role at Contoso, and he had previously taken a series of exfiltration actions that may result in potential data security incidents. As Chris’s risk level increased, a stricter DLP policy was automatically applied to him to help mitigate those risks and minimize potential negative data security impacts early on. On the other hand, Rebecca has only a moderate risk level, so Adaptive Protection can educate her on proper data-handling practices while not blocking her ability to collaborate. This also influences positive behavior changes and reduces organizational data risks. For both Rebecca and Chris, the policy controls constantly adjust. In this way, when a user’s risk level changes, an appropriate policy is dynamically applied to match the new risk level.

With Adaptive Protection, Contoso’s security team no longer needs to spend time painstakingly adding or removing users based on events, such as an employee leaving or working on a confidential project, to prevent data breaches. In this way, Adaptive Protection not only helps reduce the security team’s workload, but also makes DLP more effective by optimizing the policies continuously.
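To make the Contoso story concrete, here is an added Python model of risk-adaptive DLP selection; it is example code written for this page, not Microsoft's code or Purview's actual scoring. The indicator weights, the 30-day rolling window, the privileged-role multiplier and the three tier thresholds are all assumptions.

```python
"""Risk-adaptive DLP decisions for the Contoso print scenario.

Constructed illustration: the indicator weights, the 30-day window, the
privileged-role multiplier and the tier thresholds are all assumptions made
for this example and are not Microsoft Purview's actual scoring logic.
"""
from dataclasses import dataclass, field
from enum import Enum


class Action(Enum):
    """What the endpoint DLP policy does with a print of labelled content."""
    AUDIT = "audit"   # allow and log only
    WARN = "warn"     # policy tip; user must supply a business justification
    BLOCK = "block"   # deny outright


# Assumed weights for exfiltration indicators observed on the endpoint.
INDICATOR_WEIGHTS = {
    "download_confidential": 10,
    "print_confidential": 15,
    "copy_to_usb": 25,
    "upload_personal_cloud": 30,
}

# Assumed cumulative-score thresholds, lowest tier first.
TIER_THRESHOLDS = [("minor", 0), ("moderate", 20), ("elevated", 50)]

# Assumed policy the adaptive layer binds to each tier.
TIER_POLICY = {
    "minor": Action.AUDIT,
    "moderate": Action.WARN,
    "elevated": Action.BLOCK,
}

# Assumed: a privileged admin's activity is weighted more heavily, and only
# activity inside a rolling window counts, so risk can fall again over time.
PRIVILEGED_MULTIPLIER = 1.5
WINDOW_DAYS = 30


@dataclass
class User:
    name: str
    privileged: bool = False
    events: list = field(default_factory=list)  # (day, indicator) pairs

    def record(self, day, indicator):
        """Append one observed indicator; unknown indicators are rejected."""
        if indicator not in INDICATOR_WEIGHTS:
            raise ValueError(f"unknown indicator: {indicator}")
        self.events.append((day, indicator))

    def risk_score(self, today):
        """Weighted sum of indicators inside the rolling window as of `today`."""
        score = sum(
            INDICATOR_WEIGHTS[indicator]
            for day, indicator in self.events
            if 0 <= today - day <= WINDOW_DAYS
        )
        return score * PRIVILEGED_MULTIPLIER if self.privileged else score

    def risk_tier(self, today):
        """Highest tier whose threshold the current score meets."""
        score = self.risk_score(today)
        tier = TIER_THRESHOLDS[0][0]
        for name, threshold in TIER_THRESHOLDS:
            if score >= threshold:
                tier = name
        return tier


def dlp_decision(user, content_label, today):
    """Re-evaluated on every action, so the control follows the user's current tier."""
    if content_label != "confidential":
        return Action.AUDIT  # unlabelled content is out of scope for this policy
    return TIER_POLICY[user.risk_tier(today)]


def contoso_scenario():
    """Sample users and activity from the post's story (constructed data)."""
    rebecca = User("Rebecca")
    rebecca.record(day=3, indicator="download_confidential")
    rebecca.record(day=7, indicator="download_confidential")
    chris = User("Chris", privileged=True)
    chris.record(day=2, indicator="download_confidential")
    chris.record(day=5, indicator="copy_to_usb")
    return {"rebecca": rebecca, "chris": chris}


if __name__ == "__main__":
    users = contoso_scenario()
    for day in (10, 60):
        for user in users.values():
            print(day, user.name, user.risk_tier(day),
                  dlp_decision(user, "confidential", day).value)
```

On day 10 Rebecca's two downloads put her at the moderate tier (policy tip with justification) while Chris's privileged role and USB copy push him to elevated (block); by day 60 Chris's events have aged out of the window and the same print is merely audited, which is the dynamic adjustment the post describes.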

Chart showing how Adaptive Protection applies Data Loss Prevention policies dynamically based on users’ risk levels detected by Insider Risk Management.

Adaptive Protection in Microsoft Purview integrates the breadth of intelligence in Insider Risk Management with the depth of protection in DLP, empowering security teams to focus on building strategic data security initiatives and maturing their data security programs. Machine learning enables Adaptive Protection controls to automatically respond, so your organization can protect more (with less) while still maintaining workplace productivity. You can learn more about Adaptive Protection and watch the demo in this Microsoft Mechanics video.

Fortify your data security with a multilayered, cloud-scale approach

As I speak with customers, I continue to hear about their difficulties in managing a patchwork of data-governance solutions across a multicloud and multiplatform environment. Today’s hybrid workspaces require data to be accessed from a plethora of devices, apps, and services from around the world. With so many platforms and access points, it’s more critical than ever to have strong protections against data theft and leakage. For today’s environment, a defense-in-depth approach offers the best protection to fortify your data security. There are five components to this strategy, all of which can be enacted in whatever order suits your organization’s unique needs and possible regulatory requirements.

  1. Identify the data landscape: Before you can protect your sensitive data, you need to discover where it lives and how it’s accessed. That requires a solution that provides complete visibility into your entire data estate, whether on-premises, hybrid, or multicloud. Microsoft Purview offers a single pane of glass to view and manage your entire data estate from one place. As a unified solution, Microsoft Purview empowers you to easily create a holistic, up-to-date map of your data landscape with automated data discovery, sensitive data classification, and end-to-end data lineage. Now in preview are more than 300 new, ready-to-use trainable classifiers for source code discovery, along with 23 new pre-trained out-of-the-box trainable classifiers that cover core business categories, such as finance, operations, human resources, and more.
  2. Protect sensitive data: Along with creating a holistic map, you’ll need to protect your data—both at rest and in transit. That’s where accurately labeling and classifying your data comes into play, so you can gain insights into how it’s being accessed, stored, and shared. Accurately tracking data will help prevent it from falling prey to leaks and breaches. Microsoft Purview Information Protection includes built-in labeling and data protection for Microsoft 365 apps and other Microsoft services, including sensitivity labels for Outlook appointments, invites, and Microsoft Teams chats. Microsoft Purview Information Protection also empowers users to apply customized protection policies, such as rights management, encryption, and more.
  3. Manage risks: Even when your data is mapped and labeled appropriately, you’ll need to take into account user context around the data and activities that may result in potential data security incidents. As I noted earlier, internal threats accounted for almost 35 percent of unauthorized access breaches during the third quarter of 2022.2 The best approach to addressing insider risk is a holistic approach bringing together the right people, processes, training, and tools. Microsoft Purview Insider Risk Management leverages built-in machine learning models to help detect the most critical risks and provides enriched investigation tools to accelerate time to respond to potential data security incidents, such as data leaks and data theft. Recent updates include sequence detection starting with downloads from third-party sites and a new trend chart to show a user’s cumulative data exfiltration activities. And to help reduce noise and ensure safe and compliant communications, we’ve added a policy condition to exclude email blasts (such as bulk newsletters) from Microsoft Purview Communication Compliance policies.
  4. Prevent data loss: This includes unauthorized use of data. More than 85 percent of organizations do not feel confident they can detect and prevent the loss of sensitive data.4 An effective data loss protection solution needs to balance protection and productivity. It’s critical to ensure the proper access controls are in place and policies are set to prevent actions like improperly saving, storing, or printing sensitive data. Microsoft Purview Data Loss Prevention offers native, built-in protection against unauthorized data sharing, along with monitoring the use of sensitive data on endpoints, apps, and services. DLP controls can be extended to macOS endpoints, non-Microsoft apps through Microsoft Defender for Cloud Apps, and to Google Chrome, providing comprehensive coverage across customers’ environments. We now also support in preview DLP controls in Firefox with the Microsoft Purview Extension for Firefox. And now with the general availability of the Microsoft Purview Data Loss Prevention migration assistant, you’re able to automatically detect your current policy configurations and create equivalent policies with minimal effort.
  5. Govern the data lifecycle: As data governance shifts toward business teams becoming stewards of their own data, it’s important that organizations create a unified approach across the enterprise. This kind of proactive lifecycle management leads to better data security and helps ensure that data is responsibly democratized for the user, where it can drive business value. Microsoft Purview Data Lifecycle Management can help accomplish this by providing a unified data-governance service that simplifies the management of your on-premises, multicloud, and software as a service (SaaS) data. Now in preview, simulation mode for retention labels will help you test and fine-tune automatic labeling before broad deployment.

And lastly, we’re making it easier for you to assess and monitor your compliance posture with integration between Microsoft Purview Compliance Manager and Microsoft Defender for Cloud. This new integration enables your security operations center to ingest any assessment in Defender for Cloud, simplifying your work by bringing together multiple services in a single pane of glass.

Data protection that keeps you moving forward fearlessly

Data is the oxygen of digital transformation. And in the same way that oxygen both sustains life and feeds a fire, each organization must strike a balance between ready access to data and securing its combustible elements. At Microsoft, we don’t believe your business should have to sacrifice productivity for greater data protection. This is where Adaptive Protection in Microsoft Purview excels—empowering your security operations center to efficiently safeguard sensitive data with the power of machine learning and cloud technology—without interfering with business processes. If you’re not already a Microsoft Purview customer, be sure to sign up for a free trial.

Mark your calendar for Microsoft Secure on March 28, 2023, where you’ll hear about even more Microsoft Purview innovations. This new digital event will bring together customers, partners, and the defender community to learn and share comprehensive strategies across security, compliance, identity, management, and privacy. We’ll cover important topics such as the threat landscape, how Microsoft defends itself and its customers, the challenges security teams face daily, and the future of security innovation. Register now.

Learn more

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and Twitter (@MSFTSecurity) for the latest news and updates on cybersecurity.


1. How Much Data Is Created Every Day in 2022? Jacquelyn Bulao. January 26, 2023.

2. Insider threat peaks to highest level in Q3 2022, Maria Henriquez. November 2022.

3. Build a Holistic Insider Risk Management Program, Microsoft. October 2022.

4. 2021 Verizon Data Breach Report. 2021.

The post Introducing Adaptive Protection in Microsoft Purview—People-centric data protection for a multiplatform world appeared first on Microsoft Security Blog.

Discover 5 lessons Microsoft has learned about compliance management
http://approjects.co.za/?big=en-us/security/blog/2022/07/25/discover-5-lessons-microsoft-has-learned-about-compliance-management/
Mon, 25 Jul 2022 16:00:00 +0000

Just like our customers, Microsoft has been on a compliance journey. Here’s what we’ve learned about the most effective mindset and tools to manage compliance.

Compliance management is a complex process—one that gets increasingly complicated the larger an organization grows. Microsoft knows this firsthand, not only because of our experience providing security and compliance solutions to customers but also because of our global reach and our responsibility for maintaining compliance with a large number of regional and industry-specific regulations. Another thing Microsoft has learned along this journey is that the route is significantly smoother with an inclusive mindset and digital tools to ease the way.

In the new world of hybrid work, regulatory compliance has become a board-level directive. Local and global regulations dictate how to manage, store, and transmit data, making compliance more critical than ever before. However, to adhere to these regulatory standards, risks need to be identified and mitigated, and data needs to be governed according to policy. Embarking on this journey will provide additional valuable outcomes, like:

  • Providing you with fast access to requested data in the event of an external or internal investigation or legal action.
  • Protecting company data as the workplace evolves, which is especially important given the growing use of personal devices for work and the increasing number of employees who access company networks from outside the physical office for some or most of their week.
  • Acting as good stewards—Chief Information Security Officers (CISOs) feel a sense of duty to protect their employees, partners, and customers to the best of their ability.

Microsoft’s compliance journey has given us insights and best practices that we can share with other organizations determined to strengthen their compliance management practices. Planning for the unexpected events that inevitably occur means aligning your people, processes, and technology. Here are five things we’ve learned along our compliance path—and stories of what’s worked for customers.

Assess your compliance posture

It’s difficult, if not impossible, to know if you’re headed in the right direction without knowing your current position. So, where do you start? Compliance management has gone from a nice-to-have to a must-have for organizations, which have a huge incentive to strengthen their compliance management practices. Keeping track of all the regulations they’re responsible for, however, can be challenging, especially for companies in regulated industries, like financial services or healthcare. Maintaining a good compliance posture can help you avoid penalties, negative publicity, fines, and financial losses. Given how quickly regulations change, this can be a big challenge, and manually tracking compliance issues in spreadsheets often isn’t sufficient. As a first step, we recommend assessing the current state of your compliance with a visual tool that helps measure where you are today and allows you to track your collective progress over time.

Broaden your idea of compliance

When people hear the term “compliance,” many instantly think about regulatory compliance. Understandably so, because regulations like the California Consumer Protection Act (CCPA) and General Data Protection Regulation (GDPR) receive a lot of press and attention. But as mentioned earlier, compliance goes way beyond regulations.

Compliance management can even lead to innovation. Customers tell us they feel free to adapt the way they operate in response to customer trends. Visionary Wealth Advisors, a financial management firm in the United States, wanted to allow customers to communicate with the company via text messaging but needed to manage that data securely for compliance reasons. Visionary Wealth Advisors was able to maximize security and compliance with Microsoft Purview Data Lifecycle Management and CellTrust SL2.

“A central pain point is that the client doesn’t understand the regulatory environment that we operate in,” said Ryan Barke, Chief Compliance Officer and General Counsel, Visionary Wealth Advisors. “They just want to communicate with their financial advisor, and the financial advisor wants to communicate with the client. We can have a policy that says, advisors, you’re prohibited from text messaging with your clients but we cannot control the other end of that communication.”

Involve everyone

Data breaches are accelerating—climbing 68 percent in 2021, costing an average of USD4.24 million each.1 Insider leaks of sensitive data, intellectual property (IP) theft, and fraud can all detrimentally impact a company. So, too, can regulatory violations, but CISOs may be so focused on data protection that data compliance doesn’t get as much attention. What we have learned on our journey is that compliance isn’t a CISO’s burden to bear alone. Multiple Microsoft executives were involved in meeting compliance regulations and obligations. People across Microsoft had to have a hand in compliance to drive the process.

Involving multiple leaders makes sense given how people throughout an organization will benefit from what strong compliance management makes possible. The City of Marion in Australia deployed Microsoft Purview Records Management to better manage the data collected from the 90 services it provides. As a result, city staff have become more engaged with the process of creating and handling information. They can organize themselves and their workflows in Microsoft Teams, set up SharePoint sites, create and link information, create their own Power BI reports, configure workflows, and connect varied information much more easily.

“It helps our small team get lots of stuff done, and we don’t need to worry so much about compliance anymore,” said Karlheins Sohl, Information Management Team Leader, City of Marion. “We can trust the system to help take care of that, while we’re freed to focus on the quality of information and the service we provide to the City of Marion staff.”

Discover data and identify risks

In the event of legal action, a merger or acquisition, or an internal or external investigation, technology solutions can help you more efficiently find the relevant data you need. With the proliferation of data, that’s more important than ever.

The sheer volume of data can make this challenging. Technology solutions like Microsoft Purview eDiscovery can help you save time and money on tracking down data.

Through a solution like Microsoft Purview Communication Compliance, organizations can reduce risks related to regulatory compliance obligations.  

Simplify and automate compliance

Effective technology solutions have a wonderful way of simplifying complex processes—and often the workdays of those responsible for managing those processes. Multiple solution providers can complicate already challenging compliance processes and result in a fragmented, inefficient approach. Choosing a comprehensive solution, like Microsoft Purview, can help by continuously monitoring for compliance changes and automating the update process.

Texas-based Frost Bank must follow numerous banking regulations and employees recognize the importance of complying with them—“Compliance is like drinking coffee in the morning,” says Edward Contreras, CISO, Frost Bank. Keeping up with all of those regulations proved challenging before adopting Microsoft Purview Compliance Manager, which updates daily, adding at least 200 updates from more than 1,000 regulatory bodies and enabling the bank to create detailed reports for regulators and auditors.

“Compliance Manager took the mystery out of regulatory compliance for us,” said Glenn McClellan, Endpoint Architect, Frost Bank. “The solution provides improvement actions, excerpts from relevant regulations, and overall, made managing compliance really easy and actionable.”

Explore Microsoft Purview

Effective compliance and risk management are extremely important, and they are achievable. Microsoft is here to help if you’re looking to simplify your compliance management with technology solutions.

Microsoft Purview is a comprehensive set of compliance and risk management solutions that help organizations govern, protect, and manage data, and improve your company’s risk and compliance posture. These solutions include Microsoft Purview eDiscovery, which helps you discover, preserve, collect, process, cull, and analyze your data in one place; Microsoft Purview Compliance Manager, which helps you simplify compliance and reduce risk; and Microsoft Purview Communication Compliance, which helps foster compliant communications across corporate mediums. We’d love to offer support on your journey.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.


1. Cost of a Data Breach Report 2021, Ponemon Institute, IBM. 2021.

Simplify compliance and manage risk with Microsoft Compliance Manager
http://approjects.co.za/?big=en-us/security/blog/2021/01/14/simplify-compliance-and-manage-risk-with-microsoft-compliance-manager/
Thu, 14 Jan 2021 19:00:41 +0000

The cost of non-compliance is more than twice that of compliance costs. Non-compliance with the ever-increasing and changing regulatory requirements can have a significant impact on your organization’s brand, reputation, and revenue.

The cost of non-compliance is more than twice the cost of compliance. Non-compliance with ever-increasing and changing regulatory requirements can have a significant impact on your organization’s brand, reputation, and revenue. According to a study by the Ponemon Institute and Globalscape, being compliant costs less than the business disruptions, loss of revenue, and hefty fines that follow from non-compliance.

Data explosion and regulatory environment

As organizations go through digital transformation, they are generating and consuming much more data than in the past to help them gain an edge over their competitors. This data is necessary to continue to stay relevant by empowering employees, engaging customers, and optimizing operations. Managing this data and the variety of devices on which it is created can be complicated, especially when it comes to ensuring compliance.

Not only is the amount of data IT must manage exploding, regulations on how that data can and should be handled are also increasing. Collecting customer and citizen data is often an integral part of how public and private sector organizations function. While there has been progress over the last few years, the challenge of maintaining and protecting personal data continues. Regulations are creating a need for the responsible usage of personal data, and the stakes are high. Not complying with regulations can result in significant fines and reduced credibility with regulators, customers, and citizens.

Manage compliance challenges

According to a recent report about the cost of compliance, there were more than 215 regulation updates a day from over 1,000 regulatory bodies all over the world, a slight decrease from the previous year. For example, enforcement of the California Consumer Privacy Act (CCPA), Brazil’s Lei Geral de Proteção de Dados (LGPD), and Thailand’s Personal Data Protection Act (PDPA) began in 2020.

Organizations face all kinds of risks, including financial, legal, people, IT, and cybersecurity risks. Below are some of the challenges we are seeing due to the dynamic nature of the compliance landscape.

  • Keeping up with constantly changing regulations is a struggle. With all the regulatory and standards bodies creating new or revising existing requirements and guidelines, keeping up to date is time and resource-intensive.
  • Point-in-time assessments create a digital blind spot. Many organizations rely on point-in-time assessments, like annual audits. Unfortunately, they can go out of date quickly and expose the organization to potential risks until the next assessment is done. Organizations are looking for ways to improve integration and create near real-time assessments to control risks caused by digital assets.
  • Inefficient collaboration and siloed knowledge lead to duplication of effort. Organizations are often challenged due to siloed knowledge concerning IT risk management. IT and security admins know the technology solutions but find regulations difficult to understand. Contrast that with compliance, privacy, and legal teams who tend to be familiar with the regulations but are not experts in the technology available to help them comply. In addition, many organizations start their compliance journey using general-purpose tools like Microsoft Excel and try to track compliance manually, but quickly outgrow this approach because of the complexities of managing compliance activities.
  • Complexity across IT environments hinders adoption. Understanding how to integrate the many solutions available and configure each one to minimize compliance risks can be difficult. This is especially true in organizations with solutions sourced from multiple vendors that often have overlapping functionality. Decision-makers want simple step-by-step guidance on how to make the tools work for the industry standards and regulations they are subject to.

Simplify compliance with Microsoft Compliance Manager

Microsoft Compliance Manager is the end-to-end compliance management solution included in the Microsoft 365 compliance center. It empowers organizations to simplify compliance, reduce risk, and meet global, industry, and regional compliance regulations and standards. Compliance Manager translates complicated regulations, standards, company policies, and other desired control frameworks into simple language, maps regulatory controls and recommended improvement actions, and provides step-by-step guidance on how to implement those actions to meet regulatory requirements. Compliance Manager helps customers prioritize work by associating a score with each action, which accrues to an overall compliance score. Compliance Manager provides the following benefits:

  • Pre-built assessments for common industry and regional standards and regulations, and custom assessments to meet your unique compliance needs. Assessments are available depending on your licensing agreement.
  • Workflow functionality to help you efficiently complete risk assessments.
  • Detailed guidance on actions you can take to improve your level of compliance with the standards and regulations most relevant for your organization.
  • Risk-based compliance score to help you understand your compliance posture by measuring your progress completing improvement actions.

Shared responsibility

Organizations running their workloads only on-premises are 100 percent responsible for implementing the controls necessary to comply with standards and regulations. With cloud-based services, such as Microsoft 365, that responsibility is shared between your organization and the cloud provider, although your organization remains ultimately responsible for the security and compliance of its data.

Microsoft manages controls relating to physical infrastructure, security, and networking with a software as a service (SaaS) offering like Microsoft 365. Organizations no longer need to spend resources building datacenters or setting up network controls. With this model, organizations manage the risk for data classification and accountability. And risk management is shared in certain areas like identity and access management. The chart below is an example of how responsibility is shared between the cloud customer and cloud provider with various on-premises and online services models.

Figure 1: Shared responsibility model

Apply a shared responsibility model

Because responsibility is shared, transitioning your IT infrastructure from on-premises to a cloud-based service like Microsoft 365 significantly reduces your burden of complying with regulations. Take the United States National Institute of Standards and Technology’s NIST 800-53 regulation as an example. It is one of the largest and most stringent security and data protection control frameworks used by the United States government and large organizations. If your organization were adhering to this standard and using Microsoft 365, Microsoft would be responsible for managing more than 75 percent of the 500 plus controls. You would only need to focus on implementing and maintaining the controls not managed by Microsoft. Contrast that situation with one where your organization was running 100 percent on-premises. In that case, your organization would need to implement and maintain all the NIST 800-53 controls on your own. The time and cost savings managing your IT portfolio under the shared responsibility model can be substantial.

Figure 2: NIST examples of shared responsibilities

Assess your compliance with a compliance score

Compliance Manager helps you prioritize which actions to focus on to improve your overall compliance posture by calculating your compliance score. The extent to which an improvement action affects your compliance score depends on the relative risk it represents. Points are awarded according to the action’s risk level, which is determined by a combination of the following action characteristics:

  • Mandatory or discretionary.
  • Preventative, detective, or corrective.

Your compliance score measures your progress towards completing recommended actions that help reduce risks around data protection and regulatory standards. Your initial score is based on the Data Protection Baseline, which includes controls common to many industry regulations and standards. While the Data Protection Baseline is a good starting point for assessing your compliance posture, a compliance score becomes more valuable once you add assessments relevant to the specific requirements of your organization. You can also use filters to view the portion of your compliance score based on criteria that includes one or more solutions, assessments, and regulations. More on that later.

The image below is an example of the Overall compliance score section of the Compliance Manager dashboard. Notice that even though the number under Your points achieved is zero, the Compliance Score is 75 percent. This demonstrates the value of the shared responsibility model. Since Microsoft has already implemented all the actions it is responsible for, a substantial portion of what is recommended to achieve compliance is already complete even though you have yet to take any action.

Figure 3: Compliance Score from Microsoft Compliance Manager
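To make the scoring mechanics concrete, here is a small model of a risk-weighted compliance score, written as an added example for this post; it is not Compliance Manager’s own code and does not use the product’s real point values. The per-characteristic weights, the split of actions into provider-owned and customer-owned, the assessment names, and the sample action inventory are all assumptions constructed for illustration. The sample is sized so that it reproduces the situation in Figure 3 and the NIST 800-53 discussion above: the customer has achieved zero points, yet the score already reads 75 percent because every provider-owned action is implemented. It also shows the assessment filter and the “work on the highest-risk open action first” prioritization the post describes.

```python
"""Illustrative compliance-score model.

Added example, not Compliance Manager's own code. Assumptions (not from the post):
- the point weight per action characteristic (the WEIGHTS table) is assumed;
- each improvement action is owned by "microsoft" (provider) or "customer";
- provider-owned actions are already implemented, as the post describes.
"""
from dataclasses import dataclass, replace

# Assumed weights: a mandatory preventative action carries the most risk,
# so it is worth the most points; detective and corrective actions carry less.
WEIGHTS = {
    ("mandatory", "preventative"): 27,
    ("discretionary", "preventative"): 9,
    ("mandatory", "detective"): 3,
    ("mandatory", "corrective"): 3,
    ("discretionary", "detective"): 1,
    ("discretionary", "corrective"): 1,
}


@dataclass(frozen=True)
class ImprovementAction:
    name: str
    assessment: str      # e.g. "Data Protection Baseline" or "NIST 800-53"
    owner: str           # "microsoft" (provider-managed) or "customer"
    necessity: str       # "mandatory" or "discretionary"
    control_type: str    # "preventative", "detective" or "corrective"
    implemented: bool

    @property
    def points(self) -> int:
        return WEIGHTS[(self.necessity, self.control_type)]


# Constructed sample inventory (hypothetical action names). Provider-owned
# actions carry 84 of the 112 total points, which reproduces the
# "0 customer points achieved, 75% compliance score" case from the post.
SAMPLE_ACTIONS = [
    ImprovementAction("Encrypt customer data at rest", "Data Protection Baseline",
                      "microsoft", "mandatory", "preventative", True),
    ImprovementAction("Segment the service network", "Data Protection Baseline",
                      "microsoft", "mandatory", "preventative", True),
    ImprovementAction("Control physical access to datacenters", "NIST 800-53",
                      "microsoft", "mandatory", "preventative", True),
    ImprovementAction("Monitor datacenter environmental alarms", "NIST 800-53",
                      "microsoft", "mandatory", "detective", True),
    ImprovementAction("Require multifactor authentication for admins",
                      "Data Protection Baseline", "customer", "mandatory", "preventative", False),
    ImprovementAction("Review audit logs weekly", "NIST 800-53",
                      "customer", "discretionary", "detective", False),
]


def score(actions, assessment=None):
    """Return (customer_points, points_achieved, max_points, percent).

    Passing an assessment name acts like the dashboard filter and scores
    only the actions that belong to that assessment.
    """
    selected = [a for a in actions if assessment is None or a.assessment == assessment]
    max_points = sum(a.points for a in selected)
    achieved = sum(a.points for a in selected if a.implemented)
    customer = sum(a.points for a in selected if a.implemented and a.owner == "customer")
    percent = round(100 * achieved / max_points) if max_points else 0
    return customer, achieved, max_points, percent


def prioritize(actions):
    """Names of the customer's open actions, highest risk (most points) first."""
    pending = [a for a in actions if a.owner == "customer" and not a.implemented]
    return [a.name for a in sorted(pending, key=lambda a: a.points, reverse=True)]


def complete_action(actions, name):
    """Return a new inventory with the named action marked as implemented."""
    return [replace(a, implemented=True) if a.name == name else a for a in actions]


if __name__ == "__main__":
    print("overall:", score(SAMPLE_ACTIONS))
    for name in ("Data Protection Baseline", "NIST 800-53"):
        print(name + ":", score(SAMPLE_ACTIONS, name))
    print("work on next:", prioritize(SAMPLE_ACTIONS))
    done = complete_action(SAMPLE_ACTIONS, prioritize(SAMPLE_ACTIONS)[0])
    print("after MFA rollout:", score(done))
```

Running the script prints the overall tuple (0, 84, 112, 75): zero customer points, 84 of 112 points achieved through provider-owned actions, and a 75 percent score. Completing the highest-weighted open customer action lifts the score to 99 percent, while the filtered views show that the same inventory looks very different per assessment, which is why the post recommends adding the assessments that match your own obligations rather than relying on the baseline alone.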

For more information on Microsoft Compliance Manager, please visit the Microsoft Compliance Manager documentation. To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.
