Compliance Insights | Microsoft Security Blog
http://approjects.co.za/?big=en-us/security/blog/topic/compliance/
Expert coverage of cybersecurity topics

Microsoft Purview innovations for your Fabric data: Unify data security and governance for the AI era
http://approjects.co.za/?big=en-us/security/blog/2025/09/16/microsoft-purview-innovations-for-your-fabric-data-unify-data-security-and-governance-for-the-ai-era/
Tue, 16 Sep 2025 16:00:00 +0000

The Microsoft Fabric and Purview teams are thrilled to participate in the European Microsoft Fabric Community Conference.

The post Microsoft Purview innovations for your Fabric data: Unify data security and governance for the AI era appeared first on Microsoft Security Blog.

The Microsoft Fabric and Purview teams are thrilled to participate in the European Microsoft Fabric Community Conference September 15-18, 2025, in Vienna, Austria. This event is Microsoft’s largest tech conference in Europe, where data professionals gather to connect and share insights on data, security, governance, and AI transformation. With more than 130 breakout sessions, 10 workshops, and two keynotes, the conference is a hub for exploring the future of data and AI.

AI innovation is transforming every industry, business process, and individual experience. As organizations adopt AI, one truth remains constant:

Your AI is only as good as your data

If poor-quality, incomplete, biased, or sensitive data is fed into AI models, the results will be equally flawed, leading to sensitive data leaks and inaccurate predictions, both of which create potentially harmful outcomes and erode trust. High-quality, governed, and secured data enables AI systems to deliver reliable insights and instills confidence in both data usage and AI usage. Consider a team building an AI-powered customer service app. Without trustworthy data, the AI could give incorrect answers or expose sensitive information. In fact, about 99% of organizations have already experienced sensitive data exposure through AI tools, underscoring the urgent need for robust safeguards.¹ Compounding this challenge, many companies address data security and governance in silos, using separate point solutions for each and different tools across cloud platforms, which makes it harder to ensure data discovery, quality, and protection consistently.

As organizations prepare for an AI future, they require a comprehensive approach that solves both security and governance together. Microsoft Purview offers a modern, unified approach to help organizations secure and govern data across their heterogeneous data estate. Purview consolidates security, governance, and compliance into a single solution. Purview also bridges different tools across different data sources such as Microsoft Azure, Microsoft 365, and Microsoft Fabric, streamlining oversight and reducing complexity across the estate.

At FabCon Vienna, we are announcing new Microsoft Purview innovations for Fabric to help you seamlessly secure and confidently activate your data for AI. These updates span data security and data governance, allowing Fabric users to both:

  1. Discover risks and protect data in Fabric
  2. Improve data discovery and quality across their Fabric estate

Discover risks and protect data

In today’s AI-powered world, data is both a powerful asset and a growing risk. Microsoft Purview helps organizations protect their data holistically by integrating Information Protection, Data Loss Prevention, Insider Risk Management, and Data Security Posture Management for AI. These tools work together to classify and secure sensitive data, prevent leaks, detect insider threats, and uncover AI-related risks. Paired with Microsoft Fabric, Purview builds upon existing data security such as OneLake Security while enabling innovation. Here are a few examples of how Purview secures your Fabric estate:

Microsoft Purview Information Protection policies for Fabric items and Data Loss Prevention for structured data in OneLake

Now generally available, Microsoft Purview Information Protection policies allow Fabric users to manually label Fabric items, with access controls automatically enforced according to pre-defined protection policies set by administrators. Data Loss Prevention policies on structured data in OneLake are also now generally available, preventing data oversharing in Fabric by triggering policy tips when sensitive data is detected in assets.

Microsoft Purview Insider Risk Management indicators for Power BI

Microsoft Purview Insider Risk Management is now generally available for Microsoft Fabric and extends its detection capabilities to Fabric by introducing built-in risk indicators for user activities in Power BI, such as viewing, downloading, exporting, and managing sensitivity labels for Power BI artifacts. These indicators can be applied directly to data theft and data leak policies, giving organizations stronger signals to spot suspicious behavior. By correlating signals across different activities, Insider Risk Management helps uncover potential insider threats such as intellectual property theft, unauthorized data sharing, or policy violations in Fabric.

Microsoft Purview Data Risk Assessments for Fabric

Within Purview’s Data Security Posture Management for AI, Data Risk Assessments will now support discovering overshared Fabric data (dashboards, reports, and more) in preview. Fabric customers will benefit from Data Risk Assessments by easily identifying what data is most at risk of leakage within Fabric. A default assessment will be created to identify overshared Fabric data in the top 100 accessed Fabric workspaces.

Microsoft Purview Data Security and Compliance controls for Copilot in Power BI

Microsoft Purview Data Security and Compliance controls for Copilot in Power BI are now generally available for Fabric users. Users can discover data risks, such as sensitive information in Copilot in Power BI’s prompts and responses, with actionable recommendations surfaced in Microsoft Purview Data Security Posture Management for AI reports. Users can also govern Copilot interactions using audit, eDiscovery, and retention policies, and by identifying non-compliant usage to support responsible AI usage.

Now that we’ve covered how Purview helps secure Fabric data, the next focus is ensuring that Fabric users can find, trust, and use that data.

Improve data discovery and quality across their Fabric estate

Once an organization’s data is well-protected, the next challenge is making sure Fabric data consumers can find and trust the data for AI and analytics projects. This is where the Microsoft Purview Unified Catalog comes in, as a foundation for data discovery, quality, and curation across your Fabric environment. The Unified Catalog acts as a lever for data activation: it brings together powerful tools to improve data visibility and quality so that your analysts, data scientists, and AI models can easily locate the right data and use it with confidence. Estate-wide data discovery provides a holistic view of your data landscape, so data is not underutilized. Data quality tools empower teams to measure, monitor, and remediate issues in your data such as incomplete rows and columns and redundant data so business decisions are made with confidence based on the accuracy and reliability of the data. Paired with Microsoft Fabric, Purview builds upon existing data governance capabilities in Fabric such as the OneLake catalog while enabling innovation. Here are a few examples of how:

Sub item metadata in Fabric Lakehouse for comprehensive visibility of your Fabric estate

In preview, Fabric data consumers can now view metadata at the table, column, and file level in Purview, ensuring each artifact is recorded at its most granular detail for in-depth data discovery.

Defining custom attributes for business concepts using language your data consumers will understand

In the Unified Catalog, you can define and apply custom attributes to your data assets, which fosters better organization and utilization of your data. Now in preview, custom attributes give data practitioners the ability to apply specific attributes to business concepts such as glossary terms, critical data elements, and data products. For a Fabric customer, this ensures that data is easier to understand and more discoverable for use in data workloads and AI use cases.

Published error records in Fabric for analysis and remediation of data quality issues

Now in preview, Fabric users can identify the root causes of data quality errors directly where they work in Fabric OneLake, providing Fabric data consumers with a one-stop shop for remediating data before it is used in analytics and AI.

These governance enhancements empower teams to use data with confidence. A protected dataset isn’t very useful if users either don’t know it exists or don’t trust its accuracy. Unified Catalog ensures that data assets are more discoverable and trustworthy for Fabric users.

Looking forward

As organizations embrace the transformative power of AI, the need for robust data security and governance has never been greater. Microsoft Purview and Microsoft Fabric provide a unified foundation that empowers organizations to innovate confidently, knowing their data is protected, governed, and ready for responsible AI activation. We are committed to helping you stay ahead of evolving challenges and opportunities and invite you to explore these new capabilities. Join us on the journey toward a more secure, governed, and innovative data future.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity. 


¹ Businesstechweekly.com, 99% of Organizations Expose Sensitive Data: The Security Risks of Uncontrolled AI Tools, May 28, 2025.

Microsoft at Legalweek: Help safeguard your AI future with Microsoft Purview
http://approjects.co.za/?big=en-us/security/blog/2025/02/20/microsoft-at-legalweek-help-safeguard-your-ai-future-with-microsoft-purview/
Thu, 20 Feb 2025 17:00:00 +0000

Connect with Microsoft at Legalweek 2025 to learn how to embrace AI while protecting your organization’s data with Microsoft Purview.

The post Microsoft at Legalweek: Help safeguard your AI future with Microsoft Purview appeared first on Microsoft Security Blog.

Generative AI is reshaping almost every industry, and the legal field is no different. A Thomson Reuters Institute study of legal professionals found “a remarkable 79% of law firm respondents anticipate AI will have a high or transformational impact on their work within the next five years—a significant 10-point increase from 2023.”¹ There are many promising opportunities to streamline workflows and drive efficiency by bringing AI into legal and litigation workflows. At the same time, there is a need to ensure data compliance, security, governance, and privacy while deploying AI throughout your organization.

Microsoft is continuously innovating, empowering people and organizations to achieve more, and Microsoft Purview is a key part of that mission. New advanced capabilities in Microsoft Purview eDiscovery make it easier to safeguard and manage compliance of data. eDiscovery allows you to easily search, collect, and review AI-based interactions across more than 25 AI applications. It also uses advanced AI capabilities to streamline eDiscovery workflows—from natural language queries for more intuitive searching to automatic case summarization for a quick snapshot of key insights. And more powerful AI-driven features are on the horizon to further accelerate and simplify the eDiscovery process. 

We are excited to share more about new developments across Microsoft Security at Legalweek 2025. If you are attending the conference in New York City from March 24 to March 27, 2025, we’d love to connect. Read on for an overview of our sessions. And request to attend our Executive Breakfast on Tuesday, March 25, 2025, from 7:30am–8:45am (ET) at the Mercury Ballroom, New York Hilton Midtown, to learn how to protect Microsoft 365 Copilot with Microsoft Purview as well as our latest developments in eDiscovery.  

Mark your calendar for these Legalweek sessions 

At Legalweek 2025, we will have experts from Microsoft and the legal field to offer insights into the latest cybersecurity challenges facing the legal sector as well as strategies to tackle these pressing issues. 

Session: Trustworthy AI: Helping to ensure privacy and security in AI transformation
Speakers: Katelyn Rothney, Senior Product Marketing Manager, Microsoft Azure AI; Ashley Pusey, Cyber Security and Data Privacy Associate, Kennedy’s CMP LLP; Rebecca Engrav, co-chair of the AI industry group at Perkins Coie; and John Israel, Global AI Security and Data Security Lead, KPMG.
Date and time: Tuesday, March 25, 2025, 11:30 AM–12:30 PM Eastern Time (ET)
Description: This session will delve into the complex interplay between AI innovation and data protection, exploring the necessary frameworks for designing AI solutions that prioritize transparency, integrity, and accountability. Learn the security and privacy risks inherent in AI adoption and how to mitigate them.

Session: Global compliance deep dive: Mastering the EU AI Act and international data regulations
Speakers: Manny Sahota, Director of Global Cloud Privacy, Regulatory Risk, and Compliance, Microsoft; Dajin Li, Partner, Taylor Wessing; Jennifer Driscoll, Partner, Robinson Cole; Jessica Long, Vice President, Head of Legal, Chief Privacy Officer, Allstate Canada; and Patrick J. Austin, Of Counsel, Woods Rogers.
Date and time: Tuesday, March 25, 2025, 2:00 PM–3:00 PM (ET)
Description: Navigate the complexities of global data compliance and learn how to stay ahead of regulatory requirements with an in-depth analysis of the EU AI Act and other key international regulations. Learn how to harmonize compliance strategies across different jurisdictions, overcome regulatory challenges, and future-proof your organization’s data governance framework.

Session: Collaboration in complex litigation: Streamlining team communication and document sharing
Speakers: EJ Bastien, Sr. Director, Discovery Programs, Microsoft; Lindsey Lanier, Director, Product Management, Relativity; Candi Smith, eDiscovery Analyst, Disney; Scott Milner, Partner & Global Practice Group Leader of eData, Morgan, Lewis & Bockius LLP; and Greg Buckles, Market Analyst–Press, eDiscovery Journal.
Date and time: Tuesday, March 25, 2025, 3:30 PM–4:30 PM (ET)
Description: Explore how legal teams can streamline document sharing and optimize communication workflows to keep all stakeholders connected and informed. Learn how to simplify case management, enhance team collaboration, and make information easily accessible—even in hybrid work environments.

Session: Navigating the AI revolution: Strategic insights and innovations
Speakers: Jessica Escalera, Head of Legal Operations, Americas at HSBC; Nicole Langston, Head of eDiscovery, Counsel for Barclays; Nisha Narasimhan, Principal Product Manager, Microsoft; and Robert Keeling, Partner, Redgrave LLP.
Date and time: Wednesday, March 26, 2025, 11:30 AM–12:30 PM (ET)
Description: This forward-looking panel discussion delves into how you can use cutting-edge products to steer your AI journey effectively. Join industry experts as they share insights on strategic approaches, address common challenges, and highlight the latest AI innovations.

Connect with Microsoft at Legalweek 

If you seek strategies for safeguarding and managing the compliance of your data and AI applications, check out one or more of our sessions at Legalweek. Throughout the conference, you can also interact with our Microsoft experts directly in a few ways: 

  • Stop by Booth #3103 in New York Hilton Midtown Americas Hall 2 to learn how Microsoft solutions can address your challenges.
  • Request to attend the Executive Breakfast on Tuesday, March 25, 2025 from 7:30am – 8:45am ET at Mercury Ballroom, New York Hilton Midtown.
  • Request dedicated time with our experts, who will be available in meeting rooms at 1700 Broadway, between 9:00 AM – 6:00 PM ET, Monday, March 24, 2025, through Thursday, March 27, 2025. We’d love to connect. Hope to see you there! 

Connect with members of the Microsoft Intelligent Security Association  

At Microsoft we truly believe security is a team sport. And we are thrilled to welcome three of our strategic Microsoft Intelligent Security Association (MISA) members to demonstrate their solutions at the Microsoft booth. Join Epiq Global, Lighthouse, and Relativity as they share their expertise and discuss how their solutions—together with Microsoft technology—are helping our mutual customers secure their data efficiently in the age of AI. 

  • Epiq Global: Tuesday, March 25, 2025, 12:00 – 2:00 PM ET 
  • Lighthouse: Wednesday, March 26, 2025, 2:30 – 4:30 PM ET 
  • Relativity: Thursday, March 27, 2025, 10:00 AM – 12:00 PM ET 

Read more about MISA and membership benefits. 

Learn more about Microsoft Security solutions

To help your organization efficiently respond to legal matters or internal investigations with intelligent capabilities that reduce data to only what’s relevant, learn more about Microsoft Purview eDiscovery.

Learn how to accelerate the secure adoption of AI with ready-to-go security and governance tools built for generative AI at The Microsoft at RSAC experience. From our signature Pre-Day to demos and networking, discover how Microsoft Security can give you the advantage you need in the era of AI. 

 Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity. 


Sources:

¹ The Future of Professionals: How AI is impacting the legal profession | Legal Blog

New Microsoft Purview features help protect and govern your data in the era of AI
http://approjects.co.za/?big=en-us/security/blog/2024/12/10/new-microsoft-purview-features-help-protect-and-govern-your-data-in-the-era-of-ai/
Tue, 10 Dec 2024 17:00:00 +0000

Microsoft Purview delivers unified data security, governance, and compliance for the era of AI. Read about the new features.

The post New Microsoft Purview features help protect and govern your data in the era of AI appeared first on Microsoft Security Blog.

In today’s evolving digital landscape, safeguarding data has become a challenge for organizations of all sizes. The ever-expanding data estate, the volume and complexity of cyberattacks, increasing global regulations, and the rapid adoption of AI are shifting how cybersecurity and data teams secure and govern their data. Today, more than 95% of organizations are implementing or developing an AI strategy, requiring data protection and governance strategies to be optimized for AI adoption.¹ Microsoft Purview is designed to help you protect and govern all your data, regardless of where it lives and travels, for the era of AI.

Historically, organizations have relied on the traditional approach to data security and governance, largely involving stitching together fragmented solutions. According to Gartner®, “75% of security leaders are actively pursuing a security vendor consolidation strategy as of 2022.”² Consolidation, however, is no easy feat. In a recent study, more than 95% of security leaders acknowledge that unifying the handling of data security, compliance, and privacy across teams and tools is both a priority and a challenge.³ These approaches often fall short because of duplicate data, redundant alerts, and siloed investigations, ultimately leading to increased data risks. Over time, this approach has been increasingly difficult for organizations to maintain.

Unify how you protect and govern your data with Microsoft Purview

Unlike traditional data security and governance strategies that require disparate solutions to achieve comprehensive data protection, Microsoft Purview is purpose-built to unify data security, governance, and compliance into a single platform experience. This integration aims to reduce complexity, simplify management, and mitigate risk, while helping enhance efficiency across teams to support a culture of collaboration. With Microsoft Purview you can:

  • Enable comprehensive data protection.
  • Support compliance and regulatory requirements.
  • Help safeguard AI Innovation.

What’s new in Microsoft Purview?

To meet our growing customer needs, the team has been delivering a lot of innovation at a rapid pace. In this blog, we’re excited to recap all the new capabilities we announced at Microsoft Ignite last month.

Enable comprehensive data protection

Microsoft Purview enables you to discover, secure, and govern data across Microsoft and third-party sources. Today, Microsoft Purview delivers rich data security capabilities through Microsoft Purview Data Loss Prevention, Microsoft Purview Information Protection, and Microsoft Purview Insider Risk Management, enhanced with AI-powered Adaptive Protection. To drive AI transformation, you need to build and maintain a strong data foundation, categorized by data that is not just secured but also governed. Microsoft Purview also addresses your data governance needs with the newly reimagined Microsoft Purview Unified Catalog. These data security and data governance products leverage shared capabilities such as a common data catalog, connectors, classifications, and audit logs—helping reduce inconsistencies, inefficiencies, and exposure gaps, commonly experienced by using disparate tools.

Introducing Microsoft Purview Data Security Posture Management

Microsoft Purview Data Security Posture Management (DSPM) provides visibility into data security risks and recommends controls to protect that data. DSPM provides contextual insights, usage analysis, and continuous risk assessments of your data, helping you mitigate risks and enhance data security. With DSPM, you get a shared understanding of key risks through a series of reports that correlate insights across location and type of sensitive data, risky user activities, and common exfiltration channels. In addition, DSPM provides actionable, scenario-based recommendations for detection and protection policies. For example, DSPM can help you create an Insider Risk Management policy that identifies risky behavior such as downgrading labels in documents followed by exfiltration, and a data loss prevention (DLP) policy to block that exfiltration at the same time.

DSPM also brings a view of historical trends and insights based on sensitivity labels applied, sensitive assets covered by at least one DLP policy, and potentially risky users, to show the effectiveness of your data security policies over time. And finally, DSPM leverages the power of generative AI through its deep integration with Microsoft Security Copilot. With this integration, you can easily uncover risks that might not be immediately apparent and drive efficient and richer investigations—all in natural language.

With DSPM, you can easily identify possible labeling and policy gaps such as unlabeled content and users that aren’t scoped in a DLP policy, unusual patterns and activities that might indicate potential risks, as well as opportunities to adapt and strengthen your data security program.

Screenshot of the Data Security Posture Management preview dashboard within the Microsoft Purview portal.

Figure 1. DSPM overview page provides centralized visibility across data, users, and activities, as well as access to reports.

Learn more about this announcement in the Data Security Posture Management blog.

Increasing data security and security operations center integration

Understanding data and user context is vital for improving security operations and prioritizing investigations, especially when sensitive data is at stake. By integrating insights such as data classification, access controls, and user activity into the security operations center (SOC) experience, organizations can better assess the impact of security incidents, reduce false alerts, and enhance containment efforts. In addition to the already present DLP alerts in the Microsoft Defender XDR incident investigation and data security remediation actions enabled directly from Defender XDR, we’ve also added Insider Risk Management context to the user entity page to provide a more comprehensive view of user activities.

With Microsoft Purview’s latest integration with Microsoft Defender, now in preview, you get insider risk alerts in Defender XDR and can correlate them with incidents. This gives you critical user context for your security investigations. SOC teams can now better distinguish internal incidents from external cyberattacks and refine their response strategies. For more complex analysis to identify risks such as attack patterns, we are integrating insider risk signals into Defender XDR’s Advanced Hunting, giving you deeper insights and allowing you to improve your policies in partnership with data security teams. Together, these advancements allow your organization to stay ahead of evolving cyberthreats, providing a collaborative and data-driven approach to security.

Learn more about this announcement in the Purview Insider Risk Management blog.

Protecting data and preventing sensitive data loss

As AI generates new data in unprecedented volumes, the need to secure that data and prevent the loss of sensitive information has become even more crucial. Our new DLP capabilities help you effectively investigate DLP incidents, fortify existing protections, and refine your overall DLP program. You can now customize Purview DLP to the established processes of your organization with the Microsoft Power Automate connector in preview. This lets you automate and customize your DLP policy actions through Power Automate workflows to integrate your DLP incidents into new or established IT, security, and business operations workflows, like stakeholder awareness or incident remediation.

DLP policy insights in Security Copilot, also in preview, summarize existing DLP policies in natural language and help you understand any gaps in policy coverage across your environment. This makes it easier for you to quickly understand the full breadth of DLP policy coverage across your organization and address gaps in protection. We are also enhancing DLP protections on endpoints by expanding our file type coverage from more than 40 to more than 110 file types. Users can also now store and view full files on Windows devices as evidence for forensic investigations using Microsoft-managed storage. With the Microsoft-managed option, your admins can save time otherwise spent configuring additional settings, assigning permissions, and selecting the storage in the policy workflow. Finally, you can now enforce blanket protections on file types that cannot currently be scanned or classified by endpoint DLP, such as blocking copy to removable media for all computer-aided design (CAD) files regardless of those files’ contents. This helps ensure that the diverse range of file types found in your environment are still protected even if they cannot currently be scanned and classified by Microsoft Purview endpoint DLP.

Learn more about these announcements in our Microsoft Purview Data Loss Prevention blog.

Microsoft Purview Data Governance innovations to drive greater business value

Research indicates that data practitioners spend 80% of their time finding, cleaning, and organizing data, leaving only 20% of time to process and analyze it.⁴ To simplify the data governance practice in the age of AI, the Microsoft Purview Unified Catalog is a comprehensive enterprise catalog that automatically inventories and tags your organization’s critical data assets. This gives your business users the ability to search for specific business data when building analytics reports or AI models. The Unified Catalog gives you visibility and confidence in your data across your disparate data sources and local catalogs with built-in data quality management and end-to-end lineage. You can integrate metadata from diverse catalogs such as Fabric OneLake, Databricks Unity, and Snowflake Polaris, into a unified catalog for all your data stewards, data owners, and business users.

Now in preview, Unified Catalog provides deeper data quality through a new scan engine that supports open standard file and table formats for big data platforms, including Microsoft Fabric, Databricks Unity Catalog, Snowflake, Google BigQuery, and Amazon S3. This new scan engine enables rich data quality management at the asset level for overall improved data quality health. Lastly, Microsoft Purview Analytics in OneLake (preview) allows you to extract tenant-specific metadata from the Unified Catalog and export it directly into OneLake. You can then use Microsoft Power BI to analyze the metadata to further understand and report on your data’s quality and lineage.

Learn more about these announcements in our Microsoft Purview Data Governance blog.

Support compliance and regulatory requirements

As regulatory requirements evolve with the proliferation of AI, it is more critical than ever for businesses to keep compliance and privacy top of mind. However, adhering to requirements is becoming increasingly complex, while consequences for non-compliance are growing more severe. Microsoft Purview empowers you to address regulatory demands and comply with corporate policies by offering compliance and privacy controls that are both scalable and adaptable to changing needs.

New templates in Compliance Manager to help simplify compliance

Microsoft Purview Compliance Manager provides insights into your organization’s compliance status through compliance templates and provides suggested actions and next steps to help you along your compliance journey. Compliance Manager continues to add new templates to help you address new and evolving regulations, including templates for the European Union AI Act (EUAI Act), NIST 2 AI, ISO 42001, ISO 23894, the Digital Operational Resilience Act (DORA), and additional industry and regional regulations. Compliance Manager now includes historical records that help track your organization’s compliance and provides actionable next steps to understand how new regulations or policies affect your compliance score over time. In addition, you can now leverage custom templates to address both regulatory requirements and your organization’s specific policies and preferences.

Screenshot of the Compliance Manager assessment within the Microsoft Purview Portal.

Figure 2. EUAI Act Assessment in Compliance Manager.

Learn more about this announcement in the Microsoft Purview Compliance Manager blog.

New Microsoft Purview controls for ChatGPT Enterprise through integration with OpenAI for improved compliance

Microsoft Purview now integrates with ChatGPT Enterprise, allowing you to gain visibility and govern the prompts and responses of your ChatGPT Enterprise interactions. This integration, currently in preview, includes Microsoft Purview Audit for auditing ChatGPT Enterprise interactions, Microsoft Purview Data Lifecycle Management for enabling retention and deletion policies, Microsoft Purview Communication Compliance to proactively detect regulatory and corporate policy violations, and Microsoft Purview eDiscovery to streamline legal investigations.

Learn more about all these announcements in our Security for AI blog.   

Microsoft Purview is built to help safeguard AI Innovation

With the rapid adoption of AI, new vulnerabilities have emerged, highlighting the need for strong data security and governance of AI workloads. Microsoft Purview is built to secure and govern data related to pre-built and custom-built AI apps.

Introducing Microsoft Data Security Posture Management for AI (DSPM for AI)

Security teams often find themselves in the dark when it comes to data security and compliance risks associated with AI usage. Without proper visibility, organizations often struggle to safeguard their AI assets effectively. DSPM for AI, now generally available, gives you visibility through a centralized dashboard and reports, enables you to proactively discover and manage your AI-related data risks, such as sensitive data in user prompts, and gives you actionable recommendations and real-time insights to respond effectively to security incidents.

Microsoft Purview controls for Microsoft 365 Copilot help prevent data oversharing

Data oversharing occurs when users have access to more data than necessary for their job duties. Organizations need effective data security controls to help mitigate this risk. At Microsoft Ignite we announced a number of new Microsoft Purview capabilities in preview to prevent data oversharing in Microsoft 365 Copilot.

Data oversharing assessments: Discover data that is at risk of oversharing by scanning files containing sensitive data, identifying risky data sources such as SharePoint sites with overly permissive user access, and by providing recommendations such as auto-labeling policies and default labels to prevent sensitive data from being overshared. The oversharing assessment report can identify unlabeled files accessed by users before deploying Copilot or can be run post-deployment to identify sensitive data referenced in Copilot responses. 

Label-based permissions: Microsoft 365 Copilot honors permissions based on sensitivity labels assigned by Microsoft Purview when referencing sensitive documents.

Purview DLP for Microsoft 365 Copilot: You can create DLP policies to exclude documents with specified sensitivity labels from being processed, summarized, or used in responses in Microsoft 365 Copilot, preventing sensitive data from being inadvertently overshared.

New Microsoft Purview capabilities to detect risky activities in Microsoft 365 Copilot

Security teams need ways to detect risky use of AI applications like deliberate or accidental access to sensitive data, jailbreaks, and copyright violations. Insider Risk Management and Communication Compliance now provide risky AI usage indicators, a policy template, and an analytics report in preview to help detect and investigate the risky use of AI. These new capabilities not only help detect risky activities and prompts but also integrate with Microsoft Defender XDR, enabling your security teams to investigate new AI-related risks holistically alongside other risks, such as identity risks through Microsoft Entra and data oversharing and data loss risks through Purview DLP.

New Microsoft Purview capabilities for agents built with Microsoft Copilot Studio

When new and citizen developers are building low-code or no-code AI, they often lack the security expertise and tools needed to enable security and compliance controls. Microsoft Purview now provides data controls for agents built in Copilot Studio to enable low-code and no-code developers to build more secure agents. For example, when an agent built with Copilot Studio accesses sensitive data, it will recognize and honor the sensitivity labels of the data being accessed. Microsoft Purview will also protect sensitive data generated by the agent through label inheritance and will enforce label permissions, ensuring only authorized users have access.

Data security admins also get visibility into the sensitivity of data in user prompts and agent responses within DSPM for AI. Moreover, Microsoft Purview will enable you to detect anomalous user activity and risky or non-compliant AI use and apply retention or deletion policies on your agent prompts and responses. These new controls give you visibility and insights into risks for your agents built with Copilot Studio, strengthening your data security posture.

Learn more about all these announcements in our Security for AI blog.   

Unified solutions that empower your organization

As you navigate the complexities of AI proliferation, regulatory requirements, and security threats, we are excited to innovate, invest in, and expand the capabilities of Microsoft Purview to address your most pressing data security, governance, and compliance challenges.

Get started with Microsoft Purview today

To get started, we invite you to try Microsoft Purview free and to learn more about Microsoft Purview today.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

Microsoft Priva announces new solutions to help modernize your privacy program
http://approjects.co.za/?big=en-us/security/blog/2024/04/02/microsoft-priva-announces-new-solutions-to-help-modernize-your-privacy-program/
Tue, 02 Apr 2024 13:00:00 +0000

Today, we are beyond thrilled to announce the expansion of the Microsoft Priva family of products in public preview. These new features bring automated functionality and capabilities to help organizations meet adapting privacy requirements.

We know managing privacy is harder than ever. The increasing complexity of regulatory requirements and constantly changing regulations make day-to-day privacy management a challenge. Manual, inefficient processes and inflexible tools can make it difficult for organizations to know where data is located and how it’s being used. The Microsoft Priva product portfolio helps organizations meet these challenges and their existing and emerging regulatory obligations.

This week, we are thrilled to announce the expansion of the Microsoft Priva family of products. Microsoft Priva was introduced in 2021 to help organizations navigate the complex world of privacy operations. The expansion of Microsoft Priva brings automated capabilities to help organizations meet adapting privacy requirements related to personal data.

Microsoft Priva

Protect personal data, automate risk mitigation, and manage subject rights requests at scale.

“Understanding and managing privacy is crucial for our clients. Exponential flows of sensitive data and emerging technologies such as generative AI have amplified the need for a strong privacy solution; we are confident in Microsoft’s vision to take on this challenge with Microsoft Priva. The richness of data and activities in Microsoft 365 and Priva’s ability to monitor and action on related workflows allows for a proactive approach to privacy. This capability aligns with our commitment to privacy and data protection, reinforcing our partnership with Microsoft to serve our global clients with solutions that address their privacy management needs.”

—Jon Kessler, Vice President, Information Governance, Epiq Legal Solutions

What will the Priva family address?

In today’s digital landscape, people’s awareness of data privacy has surged to unprecedented levels. Individuals are increasingly aware of the intricate web of data points that define their online existence and how their data is collected and used. This has prompted a collective call for the safeguarding of personal information from unwarranted intrusions and establishing ways for people to take control of their personal data. The public has become more discerning about the need for stringent measures to protect their sensitive data and keep it private. The heightened awareness surrounding individual data privacy rights is not merely a fleeting trend—it’s a fundamental shift in the way society perceives and values the sanctity of personal information.

In response to this evolving landscape, the need to build and maintain customer trust has never been more pronounced. Privacy solutions have emerged to empower organizations to establish transparent and ethical data practices. Building customer trust is about a commitment to empowering individuals to have control over their own data.

Robust privacy solutions are essential for regulatory adherence and for cultivating a culture of transparency, accountability, and respect for user privacy. By embracing more robust privacy solutions, organizations not only fortify their defenses, but they also embark on a journey to forge enduring relationships with their customers—relationships based on mutual trust and data integrity. Beyond regulatory compliance, organizations should use transparent data practices to gain deeper insights into customer preferences, behaviors, and trends. This managed data can become a strategic asset—enabling more informed decision-making, delivering targeted marketing to customers who have consented to receive it, and developing personalized services. Prioritizing privacy is not just a legal necessity but a pathway to extracting meaningful and sustainable value from the wealth of data at an organization’s disposal.

Microsoft Priva is here to help your organization meet privacy and compliance requirements

Organizations must mitigate risk for privacy non-compliance and be ready for new and emerging regulations. They need an end-to-end solution that helps them oversee and establish privacy protocols across their entire organization. Microsoft Priva solutions support privacy operations across entire data estates—paving quick and cost-effective paths to meet privacy regulations and avoid the risks of non-compliance. With the Microsoft Priva family, organizations can automate the management, definition, and tracking of privacy procedures at scale to ensure personal data stays private, secure, and compliant with regulations. Let’s take a quick look at each member of the family.

Microsoft Priva Privacy Assessments

Build the foundation of your privacy posture with Microsoft Priva Privacy Assessments—a solution that automates the discovery, documentation, and evaluation of personal data use across your entire data estate. Automate privacy assessments and build a complete compliance record for the responsible use of personal data. Embed your custom privacy risk framework into each assessment to programmatically identify the factors contributing to privacy risk. Lower organizational risk and build trust with your data subjects. Priva Privacy Assessments help at any stage of the privacy journey, enabling you to fully utilize your company’s data while ensuring its proper use.

Key features

  • Automate the creation of privacy assessments: Discover and document personal data usage across your data estate through easily created custom assessments.
  • Monitor personal data usage: Automate monitoring for changes in data processing activities that require privacy compliance actions.
  • Evaluate privacy risks: Design a personalized privacy risk framework and use automated risk analysis based on the data usage information obtained from a privacy assessment.

Microsoft Priva Privacy Risk Management

Microsoft Priva Privacy Risk Management is here to empower you to simplify the identification of unstructured personal data usage. Priva Privacy Risk Management enables you to automate risk mitigation through easily definable policies that conform to your specific needs. It can also help you build a privacy-resilient workplace by identifying personal data and critical privacy risks around it, automating risk mitigation to prevent privacy incidents, and empowering employees to make smart data handling decisions.

Key features

  • Identify personal data and critical privacy risks: Gain visibility into your personal data and associated privacy risks arising from overexposure, hoarding, and transfers with automated data discovery, user mapping intelligence, and correlated signals.
  • Automate risk mitigation and prevent privacy incidents: Effectively mitigate privacy risks and prevent privacy incidents with automated policies and recommended user actions.
  • Empower employees to make smart data handling decisions: Foster a proactive privacy culture by increasing awareness of and accountability towards privacy risks without hindering employee productivity.

Microsoft Priva Tracker Scanning

With data privacy regulation laws surrounding tracking technologies continuously evolving—and fines for non-compliance exponentially increasing—organizations need a platform that enables them to avoid risk and standardize tracking compliance at scale. Microsoft Priva Tracker Scanning empowers organizations to automate the discovery and categorization of tracking technologies—including cookies, pixels, and beacons—across all their websites. With Priva Tracker Scanning, organizations can remediate risks for tracker non-compliance, effectively monitor website compliance, and easily address compliance issues. Priva Tracker Scanning enables your organization to embolden your privacy posture for maximum control and visibility.

Key features

  • Register and scan web domains: Automate scans for various forms of trackers—empowering you to quickly identify and categorize all tracking technologies on your websites.
  • Evaluate and manage web trackers: Use flexible scan configurations to easily identify missing compliance elements across your websites.
  • Streamline compliance reporting: Scan for areas of non-compliance and monitor compliance issues throughout the lifecycle of websites.

Microsoft Priva Consent Management

Gain better value from your user-consented data and meet today’s most challenging data privacy regulations with an approach to streamlining consent management and consented data usage. Built by harnessing Microsoft’s extensive experience and expertise in privacy operations, Microsoft Priva Consent Management provides a solution for bolstering your organization’s personal data consent management and publishing capabilities in a simplified and streamlined manner.

Key features

  • Create customizable and regulatory-compliant consent models: Quickly author dynamic consent models using prebuilt templates for easy deployment.
  • Streamline the deployment of consent models: Use a centralized process to publish consent models at scale to multiple regions.
  • Organization specific layouts: Create on-brand layouts for consent models that conform to changing business needs.

Microsoft Priva Subject Rights Requests

With personal data often distributed across multiple environments, organizations need a solution that enables them to fulfill and manage subject rights requests across their entire data estate for maximum visibility. Crafted from Microsoft’s extensive experience and expertise in data privacy operations, Microsoft Priva Subject Rights Requests is a next-generation privacy solution that enables organizations to automate the fulfillment of subject rights requests across their on-premises, hybrid, and multicloud environments. With Priva Subject Rights Requests, organizations can manage the access, deletion, and export of subject rights requests across their entire data landscape to help build trust with customers.

Key features

  • Efficiently manage subject rights requests: Streamline the fulfillment of subject rights request tasks using configurable settings within your workflows, providing end-to-end oversight of subject rights request operations.
  • Discover personal data across various data types and locations: Discover and manage subject rights requests across multicloud data estates, including Microsoft Azure, Microsoft 365, and third-party data sources like Amazon Web Services, Google Cloud Platform, and more.
  • Create low-code data agents to automate task fulfillment: Create low-code agents to automatically find and fulfill personal data requests using Microsoft Power Automate.

Learn more about new Priva capabilities at the IAPP Global Privacy Summit

From April 2 to 5, 2024, the world’s largest forum for exploring privacy and data protection law, regulation, policy, management, and operations takes place in Washington, D.C. The International Association of Privacy Professionals (IAPP) Summit is a key event for information privacy professionals to learn about innovative solutions and expand your privacy and data protection network. Microsoft will have a strong presence with a spotlight feature, breakout sessions, and networking events. Check the agenda for times and locations for these events and more:

Spotlight stage: Microsoft Priva Privacy—Paul Brightmore, Head of Product for Microsoft Privacy, and Terrell Cox, Vice President (VP) of Privacy Engineering at Microsoft, will be featured on the spotlight stage sharing about Microsoft Priva privacy solutions.

Breakout session: Managing Privacy at Scale—Explore how large organizations keep pace with today’s privacy obligations, share strategies and tools available to manage privacy at scale, and share updates on the latest privacy governance tools. Get insight into the emerging role of AI in managing privacy.

Mainstage session: Regulator’s Agenda—Shifting Priorities and Practices—Julie Brill, Chief Privacy Officer, Corporate VP, Global Privacy, Safety and Regulatory Affairs at Microsoft, moderates this discussion where you’ll learn the top priorities of privacy authorities, understand how AI governance factors into the Data Protection Authorities’ 2024 plans, and review lessons learned from recent privacy enforcement actions.

VIP reception—Microsoft is hosting this event to bring privacy experts together on April 3, 2024. This event promises an engaging showcase of Priva demonstrations, enriching conversations, and valuable insights within the field of privacy. 

CDT Spring Fling—Microsoft is the lead sponsor of this reception organized in partnership with the Center for Democracy in Technology. The event includes a panel discussion on AI as a catalyst for ushering in the next era of data governance. Julie Brill, Chief Privacy Officer, Corporate VP, Global Privacy, Safety and Regulatory Affairs at Microsoft, will be speaking on this panel.

LGBTQ+ Allies After Party—Registration and tickets are required in advance for this Wednesday, April 3, 2024, afterparty at Pitchers. We hope to see you there.

Optimize your privacy operations today, and streamline compliance adherence

Thanks for taking the time to get to know the members of the Microsoft Priva suite of products. We’re so excited to continue to be your trusted partner in helping you meet your privacy and compliance regulations. Please check in on the Priva family from time to time to stay informed about our products.

Interested in learning more now? Head over to the Microsoft Priva homepage. To get a deeper dive into our product capabilities, read our Tech Community post or watch our video.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.

Navigating NIS2 requirements with Microsoft Security solutions
http://approjects.co.za/?big=en-us/security/blog/2024/02/20/navigating-nis2-requirements-with-microsoft-security-solutions/
Tue, 20 Feb 2024 17:00:00 +0000

NIS2 is the most comprehensive European cybersecurity directive yet, covering 18 sectors and 160,000+ companies. The Zero Trust principles addressed by Microsoft Security solutions can help you protect your organization and meet NIS2 requirements.

The Network and Information Security Directive 2 (NIS2) is a continuation and expansion of the previous European Union (EU) cybersecurity directive introduced back in 2016. With NIS2, the EU expands the original baseline of cybersecurity risk management measures and reporting obligations to include more sectors and critical organizations. The purpose of establishing a baseline of security measures for digital service providers and operators of essential services is to mitigate the risk of cyberthreats and improve the overall level of cybersecurity in the EU. It also introduces more accountability—through strengthened reporting obligations and increased sanctions or penalties. Organizations have until October 17, 2024, to improve their security posture before they’ll be legally obligated to live up to the requirements of NIS2. The broadened directive stands as a critical milestone for tech enthusiasts and professionals alike. Our team at Microsoft is excited to lead the charge in decoding and navigating this new regulation—especially its impact on compliance and how cloud technology can help organizations adapt. In this blog, we’ll share the key features of NIS2 for security professionals, how your organization can prepare, and how Microsoft Security solutions can help. And for business leaders, check out our downloadable guide for high-level insights into the people, plans, and partners that can help shape effective NIS2 compliance strategies. 

NIS2 key features 

As we take a closer look at the key features of NIS2, we see the new directive includes risk assessments, multifactor authentication, security procedures for employees with access to sensitive data, and more. NIS2 also includes requirements around supply chain security, incident management, and business recovery plans. In total, the comprehensive framework ups the bar from previous requirements to bring: 

  • Stronger requirements and more affected sectors.
  • A focus on securing business continuity—including supply chain security.
  • Improved and streamlined reporting obligations.
  • More serious repercussions—including fines and legal liability for management.
  • Localized enforcement in all EU Member States. 

Preparing for NIS2 may take considerable effort for organizations still working through digital transformation. But it doesn’t have to be overwhelming. 

NIS2 guiding principles guide

Get started on your transformation with three guiding principles for preparing for NIS2.

Proactive defense: The future of cloud security

At Microsoft, our approach to NIS2 readiness is a blend of technical insight, innovative strategies, and deep legal understanding. We’re dedicated to nurturing a security-first mindset—one that’s ingrained in every aspect of our operations and resonates with the tech community’s ethos. Our strategy for NIS2 compliance addresses the full range of risks associated with cloud technology. And we’re committed to ensuring that Microsoft’s cloud services set the benchmark for regulatory compliance and cybersecurity excellence in the tech world. Now more than ever, cloud technology is integral to business operations. With NIS2, organizations are facing a fresh set of security protocols, risk management strategies, and incident response tactics. Microsoft cloud security management tools are designed to tackle these challenges head-on, helping to ensure a secure digital environment for our community.  

NIS2 compliance aligns to the same Zero Trust principles addressed by Microsoft Security solutions, which can help provide a solid wall of protection against cyberthreats across any organization’s entire attack surface. If your security posture is aligned with Zero Trust, you’re well positioned to assess and help assure your organization’s compliance with NIS2. 

Figure 1. Risks associated with securing an organization’s external attack surface.

For effective cybersecurity, it takes a fully integrated approach to protection and streamlined threat investigation and response. Microsoft Security solutions provide just that, with: 

  • Microsoft Sentinel – Gain visibility and manage threats across your entire digital estate with a modern security information and event management (SIEM). 
  • Microsoft XDR – Stop attacks and coordinate response across assets with extended detection and response (XDR) built into Microsoft 365 and Azure. 
  • Microsoft Defender Threat Intelligence – Expose and eliminate modern threats using dynamic cyberthreat intelligence. 

Next steps for navigating new regulatory terrain 

The introduction of NIS2 is reshaping the cybersecurity landscape. We’re at the forefront of this transformation, equipping tech professionals—especially Chief Information Security Officers and their teams—with the knowledge and tools to excel in this new regulatory environment. To take the next step for NIS2 in your organization, download our NIS2 guiding principles guide or reach out to your Microsoft account team to learn more. 

Learn more

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity. 

Explore data security resources and trends

Gain insights into the latest data security advancements, including expert guidance, best practices, trends, and solutions.

Microsoft at Legalweek: Secure data and gain efficiencies with Microsoft Purview eDiscovery enhanced by generative AI
http://approjects.co.za/?big=en-us/security/blog/2024/01/18/microsoft-at-legalweek-secure-data-and-gain-efficiencies-with-microsoft-purview-ediscovery-enhanced-by-generative-ai/
Thu, 18 Jan 2024 17:00:00 +0000

Microsoft solutions can ease some of the top challenges of legal professionals. Read on for two advantages of the combination of Microsoft Purview eDiscovery and generative AI, and explore opportunities to connect with us at Legalweek.

The legal profession is known for being cautious or hesitant to adopt new technologies. However, when it comes to AI, it seems like legal professionals are ready to be on the leading edge of AI implementation. A Thomson Reuters survey of legal professionals found that 82% agree that AI can be useful in legal work and 51% agree that AI should be applied to legal work.1

With the growing use of AI in litigation and the growing number of data storage locations, the process of ediscovery becomes increasingly complex and must be more agile, comprehensive, and integrated. In today’s digital environment, legal professionals need advanced tools such as AI to locate relevant data quickly and to secure data in a way that complies with myriad regulations and addresses major challenges.

To help you secure data and address your needs efficiently in the age of AI, we’re making it easier to safeguard and manage compliance of data using generative AI tools. Recent advanced capabilities of Microsoft Purview eDiscovery are aimed at giving you the advantage. If you’re attending the Legalweek conference in New York City from January 29 to February 1, 2024, we’d love to connect. Read on for an overview of what you can expect our experts to discuss, and keep scrolling for sessions and other ways to connect with us at Legalweek.

Microsoft at Legalweek: How generative AI helps address eDiscovery challenges

Microsoft is continuously innovating to ensure our solutions help organizations achieve their objectives, and Microsoft Purview is no exception. We are committed to enhancing Microsoft Purview for an improved overall user experience. Offering the advantages of AI is a further step toward this commitment. In November 2023, we announced new features and capabilities of Microsoft Purview eDiscovery harnessing Microsoft Security Copilot.

The latest release of eDiscovery enables the search, discovery, preservation, review, and export of Copilot interactions in Microsoft 365 across Word, Excel, PowerPoint, Microsoft Teams, and other applications. This boosts the efficiency of eDiscovery—an essential tool that allows you to search for evidence and gain an understanding of what occurred for informed decision-making.

Here are two advantages of the combination of eDiscovery and generative AI for legal professionals:

Efficient handling of massive datasets

The volume of data produced in litigation necessitates a solution that can keep up. Microsoft Purview eDiscovery features intelligent, machine learning capabilities to make it easier to locate the most relevant items for review, and help you get started quickly.

Two new Copilot capabilities in Microsoft Purview help you better manage huge datasets by helping you to:

  • Accelerate and refine your search: A successful investigation relies on an accurate search but query-building can be challenging. Creating a query in Keyword Query Language (KQL) can be time-consuming. Soon available in preview, a new capability lets you provide a prompt in natural language and Copilot will translate the query into KQL.
  • Accelerate and navigate your investigation: Based on conversations with our customers, eDiscovery admins and managers spent 60% of their time reviewing evidence collected in review sets. Soon in preview, a new capability lets you generate document summaries and walks you through your investigation with guided prompts.   

Compliance with constantly changing regulations

Integrating AI technology like Microsoft Security Copilot into your existing eDiscovery workflows gives you more careful accounting of your sensitive or confidential information or evidence of intellectual property. This makes it much easier to satisfy the numerous regulations that dictate how data can be collected, stored, used, and managed.

Microsoft Purview makes it easy to comply by providing tools for data risk identification and regulatory requirement management. In addition, this solution features expanded risk detections gathering signals from infrastructure clouds and third-party apps, including Amazon Web Services (AWS), Box, Dropbox, and GitHub.

Compliance is also easier because the solution allows you to:

  • Ensure more consistent protections regardless of data type.
  • Discover, label, and classify data across sources, including Microsoft Fabric, Microsoft Azure, and AWS.
  • Restrict access to sensitive data (determined by labels or roles).
  • Detect business violations.
  • Gain visibility into generative AI app usage.

Mark your calendar for these Legalweek sessions

There’s more we’ll cover at Legalweek 2024. During three sessions, Microsoft experts and legal experts will provide a glimpse at the current cybersecurity challenges in the legal sector as well as share strategies to tackle these challenges with modern cybersecurity and technology solutions.

The Microsoft sessions at Legalweek are:

Session: Forthcoming Proposed Changes to the Federal Rules of Civil Procedure: A Strategic Update
  Speakers: Chris Hurlebaus, Microsoft Principal Technical Specialist, and Nicholas Kim, Senior Corporate Counsel, join Faegre Drinker Biddle & Reath LLP Partner Tracey Salmon-Smith, Exxon Mobil Executive Counselor Robert Levy, and Orrick Senior eDiscovery and Privacy Attorney Jeffrey McKenna
  When: January 30, 2024, 2:00 PM ET to 3:00 PM ET
  Description: This session will discuss the recently proposed changes to the Federal Rules of Civil Procedure and impending changes to address data security and confidential information protection. Learn how these changes might impact your practice.

Session: Navigating the Cyber Threat Terrain: Cybersecurity, Privacy and Legal Sector Focus
  Speakers: Manny Sahota, Microsoft Director, Global Cloud Privacy, Regulatory Risk, and Compliance; Daniel Ostrach, Microsoft Senior Corporate Counsel; Joseph Lee, Arnold & Porter Director, Information Security and Compliance; Sabrina Ceccarelli, Global Vice President, Assistant General Counsel, Commercial, Lightspeed Commerce Inc.; and Rachi Messing, Co-Founder, Altorney
  When: Wednesday, January 31, 2024, 11:30 AM ET to 12:30 PM ET
  Description: This session will discuss the latest cyberattack trends and share how organizations are adapting their strategies in response to these cyberthreats. The panel will also dive into how these threats are intensifying under stringent regulations and how Microsoft can help organizations comply with these regulatory demands.

Session: Decoding the Role of AI in Litigation
  Speakers: Microsoft Account Technology Strategist (ATS) Jennifer Cody and Microsoft Principal Product Manager Bhavanesh Rengarajan will join Drew Berweger, Counsel of Chiesa Shahinian & Giantomasi PC; Shannon Capone Kirk, Managing Principal & Global Head, Advanced E-discovery and AI Strategy Practice at Ropes & Gray LLP; Lance Koonce, Partner at Klaris Law; and Bansri M. McCarthy, Associate at Morgan Lewis
  When: Wednesday, January 31, 2024, 3:30 PM ET to 4:30 PM ET
  Description: This session will explore the different types of AI and common misconceptions, and offer strategies for leveraging AI technologies in legal proceedings. Hear perspectives on potential uses for AI in litigation, including predictive analytics of court decisions, automated document review, legal research, drafting, and due diligence.

Connect with Microsoft at Legalweek

If you seek strategies for safeguarding and managing the compliance of your data, check out one or more of our sessions at Legalweek. Throughout the conference, you can also interact with our Microsoft experts directly in a few ways:

  • Stop by Booth #3105 in Americas Hall 2 to learn how Microsoft solutions can address your challenges.
  • Request to attend the Executive Breakfast on Tuesday, January 30, 2024.
  • Request dedicated time with our eDiscovery experts, who will be available between 9:00 AM ET and 5:00 PM ET, Monday, January 29, 2024, through Thursday, February 1, 2024. We’d love to connect. Hope to see you there!

Learn more

Learn more about Microsoft Purview eDiscovery.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.


1. New report on ChatGPT & generative AI in law firms shows opportunities abound, even as concerns persist, Thomson Reuters. April 17, 2023.

The post Microsoft at Legalweek: Secure data and gain efficiencies with Microsoft Purview eDiscovery enhanced by generative AI appeared first on Microsoft Security Blog.

Microsoft Purview data security mitigations for BazaCall and other human-operated data exfiltration attacks
http://approjects.co.za/?big=en-us/security/blog/2023/08/08/microsoft-purview-data-security-mitigations-for-bazacall-and-other-human-operated-data-exfiltration-attacks/
Tue, 08 Aug 2023 17:00:00 +0000

Microsoft Defender is our toolset for prevention and mitigation of data exfiltration and ransomware attacks. Microsoft Purview data security offers important mitigations as well and should be used as part of a defense-in-depth strategy.

The post Microsoft Purview data security mitigations for BazaCall and other human-operated data exfiltration attacks appeared first on Microsoft Security Blog.
Microsoft 365 Defender is now Microsoft Defender XDR.

I recently worked with an enterprise customer who experienced a data exfiltration attack with the characteristics of the BazaCall campaign. BazaCall combines data exfiltration with ransomware, using the two together to increase pressure on, and damage to, the victim. Microsoft Purview has data security capabilities that form part of a holistic mitigation strategy.

Microsoft 365 Defender is our security solution for phishing and related cyberthreats. Some great analysis has been done by the Microsoft Threat Intelligence team on BazaCall’s Tactics, Techniques, and Procedures (TTPs). They’ve also shared how to use Microsoft 365 Defender to locate exploitation activity.

I wanted to take another perspective with this post and share the role that Microsoft Purview data security solutions play, together with Microsoft 365 Defender and Microsoft Sentinel, to provide defense-in-depth mitigation. With defense-in-depth, we create barriers to the bad actor, increasing their resources required and uncertainty, interfering with their business case.

Microsoft Purview provides important value with unified data governance and compliance solutions but it’s Microsoft Purview’s data security capabilities within Microsoft 365 we’ll be discussing in this blog.

What makes BazaCall different from most phishing attacks is that the malicious email carries no link or attachment. Instead, it gives the victim a phone number for a phony call center run by the bad actor, whose operators then coach the victim into installing malware. Replacing malicious links and attachments with a phone number evades email protections that inspect URLs and files.

An overview of the BazaCall attack flow is provided at the end of this post.

The mitigations suggested here will be of value for attacks where the bad actor has control of a Microsoft 365 account and is attempting to exfiltrate sensitive data.

The data security benefits of Microsoft Purview for attack mitigation are sometimes overlooked. These solutions may be managed by other groups in the organization, such as the compliance team rather than the security team, and so may not be the go-to tools in the toolbox when preparing for or responding to an attack. These solutions should be part of a defense-in-depth strategy and Zero Trust architecture.

Microsoft Purview Mitigations

Microsoft Purview Information Protection sensitivity labels can be applied to protect sensitive files from unauthorized access. These sensitivity labels can have scoped encryption, among other protections, which travels with the file inside and outside of the organization’s environment. This would make the file unreadable except by the party for which the encryption is scoped—for example, only employees, a partner, or a customer organization—or it can be defined by the user to be consumable only by specific individuals.

Screenshot of Sensitivity Label with scoped encryption  accessible only to employees

Figure 1. Sensitivity Label with scoped encryption—accessible only to employees.

Administrators can configure automation (auto-labeling and recommended labels) to help users apply these labels, including making a label mandatory when the file contains sensitive information.

Microsoft Purview Data Loss Prevention (Purview DLP) can prevent sensitive information from being exfiltrated through several egress channels: users' endpoint devices; Microsoft cloud services such as SharePoint Online, OneDrive for Business, Exchange Online, Teams, and Power BI; browsers such as Microsoft Edge, Chrome, and Firefox; and non-Microsoft applications such as Salesforce, Dropbox, and Box, including the free file-sharing services used as part of the BazaCall TTPs.

Customers can create policies that block and do not allow override for their top priority sensitive information such that even if the bad actor manages to get access to the user’s account, they are blocked from exfiltrating any sensitive content. Purview DLP policies can be configured leveraging a variety of out-of-the-box or custom criteria including machine learning-based trainable classifiers as well as the sensitivity labels created in Information Protection.
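As an added example (not code from the original post), here is how the block-without-override rule described above could be created in Security & Compliance PowerShell. The policy and rule names, the two sensitive information types, and the policy tip text are assumptions chosen for illustration; the cmdlets and parameters are those of the ExchangeOnlineManagement module. The commented-out rule shows the weaker, overridable configuration for contrast.

```powershell
# Added example, not from the original post: a Purview DLP policy that blocks
# (with no user override) egress of high-priority sensitive content across
# Exchange, SharePoint, OneDrive, Teams and endpoints. Requires the
# ExchangeOnlineManagement module and a Security & Compliance PowerShell session.
# Policy/rule names, the two sensitive information types and the tip text are assumptions.

Connect-IPPSSession

$policyName = "Block-HighPriority-Exfiltration"

# Scope the policy to every supported Microsoft 365 egress location.
New-DlpCompliancePolicy -Name $policyName `
    -Comment "Blocks exfiltration of top-priority sensitive data; no override" `
    -ExchangeLocation All `
    -SharePointLocation All `
    -OneDriveLocation All `
    -TeamsLocation All `
    -EndpointDlpLocation All `
    -Mode Enable

# Weak form, shown for contrast only: the block can be overridden with a justification,
# which an attacker holding the account's credentials can simply type in.
# New-DlpComplianceRule -Name "$policyName-Weak" -Policy $policyName `
#     -ContentContainsSensitiveInformation @(@{Name="Credit Card Number"; minCount="1"}) `
#     -BlockAccess $true -NotifyUser Owner -NotifyAllowOverride WithJustification

# Hardened rule: block sharing outside the organization, notify the owner, offer no
# override, and raise a high-severity incident report so the SOC sees the attempt
# even when the account itself is attacker-controlled.
New-DlpComplianceRule -Name "$policyName-Block" -Policy $policyName `
    -ContentContainsSensitiveInformation @(
        @{Name="Credit Card Number"; minCount="1"},
        @{Name="U.S. Social Security Number (SSN)"; minCount="1"}
    ) `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -BlockAccessScope All `
    -NotifyUser Owner `
    -NotifyPolicyTipCustomText "This content is blocked from leaving the organization." `
    -GenerateIncidentReport SiteAdmin `
    -IncidentReportContent Title, DocumentAuthor, DocumentLastModifier, Service, MatchedItem `
    -ReportSeverityLevel High

# Verify the rule has no override path (NotifyAllowOverride should be empty).
Get-DlpComplianceRule -Identity "$policyName-Block" |
    Select-Object Name, BlockAccess, BlockAccessScope, NotifyAllowOverride, AccessScope
```

The point of the hardened form is that the decision is made on the content, not on the identity presenting it, so it holds even when the actor has a valid session for the account. Run the policy in one of the test modes first (for example `-Mode TestWithNotifications`) to measure false positives before switching to `Enable`.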

Screenshot of Microsoft Purview Data Loss Prevention blocking the upload of a sensitive file into Dropbox.

Figure 2. Purview DLP preventing the upload of sensitive files into Dropbox.

Microsoft Purview Insider Risk Management can alert the security team to the bad actor’s activities, including the exfiltration of sensitive information to the file-sharing service. Insider Risk Management can reason over and parse through user activity signals, by leveraging more than 100 ready-to-use indicators and machine learning models, including sequence detection and cumulative exfiltration detection. With Adaptive Protection powered by Insider Risk Management, the security team can detect high-risk actors, such as a bad actor-controlled account, and automatically enforce the strictest DLP policy to prevent them from exfiltrating data.  

Screenshot of Microsoft Purview Insider Risk Management user activity screen of an insider risk case.  It shows the user activity and related risk over time together with relevant information for the investigator such as resignation date and employment end date.

Figure 3. Insider Risk Management uses specialized algorithms and machine learning to identify data exfiltration and other risks.

Microsoft Defender for Cloud Apps can make a file-sharing site used for sensitive file exfiltration unreachable from the user’s browser or it can prevent sensitive files from being moved to the site. Alternatively, the policy can be configured to only allow files to be moved to the file-sharing site if they have a sensitivity label applied that contains scoped encryption. If this protected file is exfiltrated it would not be readable by the bad actor.

Screenshot of Microsoft Defender for Cloud Apps blocking user access to powerfolder.com file sharing and backup site.

Figure 4. Microsoft Defender for Cloud Apps blocking access to file sharing and backup site.

Microsoft Purview Audit provides forensic information to scope a possible breach. This is especially valuable when bad actors are “living off the land.” Among the audit items made available are the terms that a user searched in email and SharePoint. If the bad actor was searching for sensitive information to exfiltrate, this item will assist the investigation.

Purview Audit, recently expanded for accessibility and flexibility, also records mail items accessed and mail sent, which matters when establishing scope and possible exfiltration channels. Even if a given actor's known TTPs do not include these channels, the investigation should be thorough; TTPs are rarely static.

Audit (Premium) extends log retention to one year (up from 180 days with Audit (Standard)), with an option to increase retention to 10 years, among other upgraded features.
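As an added example (not part of the original post), the PowerShell below pulls the audit events the post calls out (search terms, mail items accessed, mail sent) for one suspected account and summarizes them for an investigator. The account name and time window are assumptions, and which of these operations your tenant records depends on its Audit tier.

```powershell
# Added example, not from the original post: pull the Purview Audit events that show
# an attacker-controlled account searching for and reading sensitive mail, then
# summarize what was searched, what was read and what was sent. Requires the
# ExchangeOnlineManagement module; the UPN and time window are assumptions.

Connect-IPPSSession

$suspectUpn = "jdoe@contoso.com"          # assumed compromised account
$start      = (Get-Date).AddDays(-14)
$end        = Get-Date

# Operations relevant to "living off the land" reconnaissance and collection.
$operations = @(
    "SearchQueryInitiatedExchange",    # search terms typed into Outlook / OWA
    "SearchQueryInitiatedSharePoint",  # search terms typed into SharePoint / OneDrive
    "MailItemsAccessed",               # mail read (Bind) or synced (Sync)
    "Send"                             # mail sent from the mailbox
)

# Page through the unified audit log, 5,000 records per call, within one session.
$sessionId = [guid]::NewGuid().ToString()
$events = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -UserIds $suspectUpn -Operations $operations `
        -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
    $events += $page
} while ($page -and $page.Count -eq 5000)

# AuditData is a JSON string; expand it once.
$parsed = $events | ForEach-Object { $_.AuditData | ConvertFrom-Json }

# 1. What was the account searching for? QueryText holds the search string.
"== Search terms =="
$parsed | Where-Object { $_.Operation -like "SearchQueryInitiated*" } |
    Select-Object CreationTime, Operation, QueryText |
    Sort-Object CreationTime | Format-Table -AutoSize

# 2. How much mail was read, how, and from where? A Sync of whole folders from an
#    unfamiliar IP is a stronger exfiltration signal than individual Bind reads.
"== Mail access by type and client IP =="
$parsed | Where-Object { $_.Operation -eq "MailItemsAccessed" } |
    ForEach-Object {
        $accessType = ($_.OperationProperties | Where-Object Name -eq "MailAccessType").Value
        [pscustomobject]@{
            Time       = $_.CreationTime
            AccessType = $accessType
            ClientIP   = $_.ClientIPAddress
            BoundItems = ($_.Folders.FolderItems | Measure-Object).Count
        }
    } |
    Group-Object AccessType, ClientIP |
    Select-Object Name, Count, @{n="BoundItems"; e={ ($_.Group.BoundItems | Measure-Object -Sum).Sum }} |
    Format-Table -AutoSize

# 3. Mail sent in the window, to spot forwarding of collected data out of the tenant.
"== Sent mail =="
$parsed | Where-Object { $_.Operation -eq "Send" } |
    Select-Object CreationTime, ClientIPAddress, @{n="Subject"; e={ $_.Item.Subject }} |
    Sort-Object CreationTime | Format-Table -AutoSize
```

Correlate the client IP addresses in the second and third tables with the sign-in logs for the same account: a search for terms like "password" or "wire transfer" followed by a Sync from an address that never appears in the user's normal sign-ins is the pattern this data is meant to surface.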

Screenshot of Microsoft Purview Premium Audit solution showing ability to investigate email and SharePoint searches.

Figure 5. Premium Audit solution searching forensic events.

Microsoft Purview Data Lifecycle Management policies and labeling could be used to purge unneeded information from the organization’s environment. An auditable review can be required prior to deletion or deletion can be automated without user or administrator action.

If information is not in the environment, it cannot be exfiltrated by the bad actor or put the organization at risk.

Figure 6. Disposal of unneeded documents reduces exfiltration risk to the organization.

About BazaCall

BazaCall uses a phishing campaign that tricks unsuspecting users into phoning the attacker, who coaches them into downloading BazaLoader malware, which retrieves and installs a remote monitoring and management (RMM) tool onto the user’s device. The email typically claims that the user has reached the end of a free trial of some type, that billing will begin shortly and provides an option to cancel by phoning a call center. The threat of unjustified billing is the lever that the attacker uses to get the victim to comply.

Typically, the download has been a malicious Excel document that purports to be a “cancellation form” for the unwanted service and charges referenced in the phishing email. The call center operator coaches the victim into enabling macros and disabling security solutions to complete the phony “cancellation.”

RMM software serves several purposes for attackers: it lets them maintain persistence and deploy malicious tools within a compromised network, and it doubles as an interactive command-and-control channel. With command and control established, the bad actor can move laterally through the environment to steal sensitive data and deploy ransomware. Once the user's machine is under control, hands-on-keyboard activity is used to exfiltrate data, including through free cloud-based file-sharing sites. TTPs have evolved over the last two years to include file-sharing sites for exfiltration alongside open-source tools like RClone.

The user is also subject to human-operated ransomware.

The mitigations discussed in this post are focused on the data exfiltration aspects in the “hands-on-keyboard” phase of the attack.

Diagram showing the attack flow of a BazaCall, phony call center enabled style attack. The focus of Microsoft Purview mitigations on the right-most “Hands on keyboard” stage of the attack is highlighted with an arrow.

Figure 7. BazaCall attack flow.

Microsoft Purview can help protect from BazaCall attacks

Microsoft Purview data security for Microsoft 365 is not a cure-all for phishing attacks. It is part of a defense-in-depth strategy that includes user training, antimalware, vulnerability management, email security, access control, monitoring, and response. The data security solutions within Microsoft Purview should be considered based on risk-based criteria for inclusion in the strategy.

These tools may be managed by different teams in the organization. Collaboration among these teams is critical for coordinated defense and incident response. 

Learn more

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and Twitter (@MSFTSecurity) for the latest news and updates on cybersecurity.

New Microsoft identity and data security capabilities to accelerate CMMC compliance for the Defense Industrial Base
http://approjects.co.za/?big=en-us/security/blog/2023/07/24/new-microsoft-identity-and-data-security-capabilities-to-accelerate-cmmc-compliance-for-the-defense-industrial-base/
Mon, 24 Jul 2023 17:00:58 +0000

Microsoft introduces new capabilities in Microsoft Entra ID and Microsoft Purview that support CMMC compliance while also helping Defense Industrial Base organizations accelerate their Zero Trust journeys.

The post New Microsoft identity and data security capabilities to accelerate CMMC compliance for the Defense Industrial Base appeared first on Microsoft Security Blog.
As Department of Defense (DoD) Chief Information Officer Hon. John Sherman said recently, Cybersecurity Maturity Model Certification (CMMC) is necessary to ensure that the United States raises the bar for protecting sensitive information.1 The DoD is leading by example towards this goal by implementing Zero Trust practices and introducing CMMC to strengthen the supply chain throughout the Defense Industrial Base (DIB) because shared information is only as secure as the weakest link.2

The DIB as a whole has been making progress toward improving its security posture, but it can still be challenging to prepare for the required full third-party audit, especially for small and medium-sized businesses (SMBs).3 While some DIB organizations may be well positioned to pass a CMMC Third-Party Assessment Organization (C3PAO) audit, all DIB organizations need to achieve CMMC compliance for the program to meet its objective.

Microsoft is introducing new capabilities in Microsoft Entra ID and Microsoft Purview that support CMMC compliance while also helping DIB organizations accelerate their Zero Trust journeys. Identity and data protection are central to compliance, security, and empowering more user productivity and collaboration.

Voluntary self-assessment? Why would we do that?

Although CMMC 2.0 is still in its early stages, DIB companies should move ahead with meeting today’s CMMC requirements, including undergoing voluntary assessments. Doing so helps bolster national security while also preparing companies for future DoD compliance requirements.

One of the callouts from the National Cybersecurity Strategy is that those that can do more, should. Microsoft affirmed this principle by signing up for CMMC voluntary assessment effort, where we earned a perfect 110-point score. This validation demonstrates that Microsoft Azure Government and Microsoft 365 GCC High services can be effectively used to help DIB members accelerate their compliance.

Microsoft is taking the opportunity to share lessons learned and best practices that can inform planning within the DIB. Adopting Microsoft 365 GCC High and Azure Government as starting points allows organizations to use familiar Microsoft 365 productivity tools and Microsoft Azure Cloud Services while accelerating their compliance journey. As a primary platform for collaboration, Microsoft 365 also satisfies controls beyond the cloud; its configuration is a well-documented path to compliance with the National Institute of Standards and Technology (NIST) SP 800-171 controls.

We have recently developed capabilities and guidance for identity, data, and device protection that can help DIB members achieve and measure progress on compliance faster and more effectively.

The benefits of utilizing cloud identity

CMMC encompasses 72 practices across 13 domains, so the ability to address them holistically through Microsoft Entra ID delivers huge advantages in terms of time, resources, and visibility. Identity provides a strong starting point for CMMC 2.0 compliance given its ability to address multiple domains in CMMC 2.0 Levels 1-3.

Microsoft Entra ID is unique in providing elevated security, increased collaboration, and a better user experience. The newest features of Microsoft Entra ID make passwordless authentication easier and establish trust through the cloud for business-to-business (B2B) collaboration. These are some of the ways Microsoft Entra ID helps enable CMMC compliance while also making users more productive and increasing teamwork within and across secure environments.

Identity empowers Zero Trust

CMMC documents several key identity components and controls critical to achieving security transformation with Zero Trust. Getting these aspects right from the start can enable a faster path to success across the other Zero Trust pillars.

One example is the utilization of a centralized identity management system which is also a requirement of Executive Order (EO) 14028. While smaller organizations are at a disadvantage for CMMC in some ways, this is one area in which SMBs can often be more agile. There are simple changes any organization can make to rapidly mature its posture—including implementing some of the best practices and prescriptive CMMC identity guidance published by Microsoft.

Strong authentication is pivotal for achieving higher levels of CMMC compliance. However, relying solely on the strongest authentication method available may be inflexible and at times hinder user productivity. Having multiple authentication methods offers users greater flexibility while enhancing their productivity. A new option in Microsoft Entra ID offers the strongest authentication option available by default, allowing organizations to safely direct users toward higher security measures.

There’s more than one way to approach user challenges. Organizations can take advantage of Microsoft Authenticator’s easy access to strong authentication tools. However, we also support tools from partners such as Yubico. This provides a variety of ways for DIB members to perform authentication, which we can then map to the appropriate level of assurance.

Secure sensitive data with a platform approach

Another goal of CMMC 2.0 is safeguarding sensitive information, such as Controlled Unclassified Information (CUI) and Federal Contract Information (FCI), which includes many categories of data such as personal records or contract information for sensitive projects. When this data is put at risk, it can have significant consequences for national security.

Microsoft’s data security platform, Microsoft Purview, can help government agencies identify and locate their data, detect data security risks, and prevent data loss across clouds, apps, and devices. Recently, Microsoft announced more than 25 new features for government and commercial customers to help them get ahead of potential security incidents, such as data leaks and theft, along with the availability of additional logs to enhance security monitoring and incident response. Data protection is supported by three key products within the Microsoft Purview family:

  1. CMMC requires organizations to implement specific security controls and practices based on the sensitivity of the data they handle, so information protection is essential. Microsoft Purview Information Protection enables customers to classify data, protect it through encryption, and gain visibility into sensitive data. It can also help government organizations discover, classify, and protect data using built-in and ready-to-use advanced classifiers, which include sensitive information types (SITs) that can identify personal information such as credit card numbers, addresses, and medical conditions. More complex data types and scenarios can utilize custom AI classifiers that can be easily trained from sample data.
  2. Falling under the CMMC Audit and Accountability domain, insider risk can be a significant challenge for organizations. According to a report by the Insider Threat Defense Group, insider risks accounted for 33 percent of all data breaches in the public sector.4 Microsoft Purview Insider Risk Management helps customers uncover elusive insider risks through multiple machine learning models with intelligent detection and analysis capabilities.
  3. Under CMMC, data loss prevention (DLP) solutions are a critical part of preventing the unauthorized transfer and use of data, as well as data exfiltration. Microsoft Purview Data Loss Prevention (DLP) acts as an integrated and extensible offering that allows organizations to manage their DLP policies from a single location.

Chart showing the Microsoft Partner Ecosystem categories of Information Protection, Insider Risk Management, and Data Loss Prevention.

Each of these three solutions integrates seamlessly to enable agencies to fortify data security with a defense-in-depth approach—all while facilitating easier CMMC compliance.

Additionally, Compliance Manager provides CMMC assessment templates to help organizations assess their compliance posture against CMMC in a comprehensive control-by-control way. Regulations are added to Compliance Manager as new laws and regulations are enacted and can be used to help organizations meet national, regional, and industry-specific requirements governing the collection and use of data.

Go-forward guidance for DIB organizations

While the final rules under CMMC 2.0 have not yet been published, we do know that the underlying technical controls will continue to be based on NIST 800-171. For DIB members, having a trusted platform that has gone through accreditation requirements itself is a great starting point. Beyond a trusted platform adoption, DIB organizations can also follow the guidelines for secure configuration that we provide.

As we continue down this path with the adoption of CMMC 2.0, there will be more guidance that we can bring to the table with lessons learned from our own voluntary audit. The successful audit also provides evidence that Microsoft can accept the flow-down terms applicable to cloud service providers.

Compliance capability built for every DIB organization

Microsoft platforms and tools, including Microsoft Entra ID, Microsoft Authenticator, and Microsoft Purview, can ease compliance for DIB organizations of different sizes and structures, particularly companies that may be resource-constrained.

New capabilities and enhancements built on Secure-by-Design and Secure-by-Default principles are making it easier for organizations to improve their security posture and meet CMMC requirements. Our goal behind compiling CMMC-specific guidance in a single place is to empower the entire DIB ecosystem to support more secure, effective interactions with the federal government.

Learn more

Learn more about Microsoft Entra ID and Microsoft Purview.

Gain insights into the latest data security advancements, including expert guidance, best practices, trends, and solutions.

Person typing on laptop with Microsoft integrated data security resources screen.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and Twitter (@MSFTSecurity) for the latest news and updates on cybersecurity.


1. DOD CIO Says CMMC 2.0 Coming Soon: ‘We Want to Get This Right’, Charles Lyon-Burt. May 17, 2023.

2. Defense Primer: U.S. Defense Industrial Base, Congressional Research Service. April 17, 2023.

3. CMMC: Managing digital risk for the Defense Industrial Base (DIB) and beyond, CyberAB.

4. Insider Threat Report, Cybersecurity Insiders. 2020.

Microsoft Build 2023: Announcing new identity, compliance, and security features from Microsoft Security
http://approjects.co.za/?big=en-us/security/blog/2023/05/23/microsoft-build-2023-announcing-new-identity-compliance-and-security-features-from-microsoft-security/
Tue, 23 May 2023 15:00:00 +0000

Microsoft Build 2023 is the place to discover new features and technologies, share ideas, and boost your skills. Learn about the new identity and compliance features we're announcing.

The post Microsoft Build 2023: Announcing new identity, compliance, and security features from Microsoft Security appeared first on Microsoft Security Blog.
At Microsoft Build 2023—an event for developers by developers—we’re going to announce exciting new features and technologies, share ideas, and help everyone boost their skills so we can all build a more secure future together. This year’s Microsoft Build offers a full program, both online and in-person, to suit every attendee, whether you’re a professional developer, data pro, or a brand-new coder. Not only is Microsoft Build a great opportunity to gain new knowledge and skills, but it’s also the place to meet and learn from other developers. If you haven’t registered yet, I invite you to visit the Microsoft Build event page.

Microsoft Build 2023

Browse virtual and in-person security sessions at Microsoft Build.


Below is a quick tour of a few security-related sessions and the new features and technologies they highlight.

New identity and access features in Microsoft Entra

Graphic showing how Microsoft Entra External ID helps personalize and secure access to any application for customers and partners with a complete customer identity and access management solution.

Welcome to modern identity and access management with Microsoft Entra

Developers are in the business of building app features and capabilities. Most developers are not—and don’t want to be—identity security experts.

At Microsoft Build, we’re announcing the next generation customer identity access management platform: Microsoft Entra External ID, now in preview. Microsoft Entra External ID was purpose-built to personalize and secure access to applications while protecting any external identity and effectively controlling which resources they can access. It delivers a flexible, unified identity platform, personalized customer experiences, adaptive access policies, and built-in identity governance. In the session “Explore CIAM capabilities with External Identities in Microsoft Entra,” Yoel Horvitz, Senior Program Manager, Microsoft Azure Active Directory (Azure AD), and Namita Singh, Senior Software Engineer at Cloud Data Center Cybersecurity, Microsoft, will explore how easily you can create branded sign-up and sign-in app experiences. No more trade-offs between great security and great customer experiences. You’ll see how quickly you can add a strong sign-up or sign-in experience plus comprehensive onboarding flows that capture and validate customer information.

Partner identity scenarios (B2B Collaboration) remain in the same location on the Microsoft Entra admin portal within the Workforce tenant. Please note that there is no action for our current Azure AD business-to-consumer (B2C) customers required at this time as the next generation platform is currently in early preview only. We remain fully committed to support the current Azure AD B2C solution, and there are no requirements for B2C customers to migrate at this time and no plans to discontinue the current B2C service.

This next-generation expanded solution for customer and partner identities marks the next chapter in our customer identity solution, addressing critical customer feedback and building on top of our existing capabilities.

External ID now combines familiar B2B collaboration functionality in Microsoft Entra (generally available) with evolved and unified customer identity (CIAM) capabilities, targeting customer-facing applications, now in preview. Help us shape the future of this new platform with your participation in our preview.

Microsoft Entra Verified ID digital wallet SDK

Microsoft Entra Verified ID is an open standards-based verifiable credentials service that customers can use to automate the identity validation process while enabling privacy-protected interactions between organizations and users. You can integrate the upcoming release of the Verified ID Wallet Library into your mobile apps to store and share digital Verified ID cards. This allows you to issue verifiable credentials for dozens of use cases, such as reducing the risk for fraud and account takeovers, streamlining app sign-ins, creating self-service account recovery and helpdesk flows, and enabling rich partner rewards ecosystems. Be sure to check out the “Reduce fraud and improve engagement using Digital Wallets” session by Christer Ljung, Principal Program Manager, Microsoft, and Sydney Morton, Software Engineer, Microsoft, to learn more about Verified ID’s open source digital wallet SDK.

New capabilities for compliance and data automation in Microsoft Purview

General availability of machine learning-enabled source code classifier

Microsoft Purview Information Protection helps organizations automate data classification, labeling, and protection across multiple platforms. More than 35 pre-trained classifiers help quickly identify and protect some of the most sensitive data, such as intellectual property and trade secrets, material non-public information, sensitive health and medical files, business-sensitive financial information, and personally identifiable information for General Data Protection Regulation (GDPR) compliance. In addition, an improved ready-to-use source code classifier that supports more than 70 file extensions and 23 programming languages can detect embedded and partial source code.

New APIs available to help automate compliance workflows

You can take advantage of new Microsoft Graph APIs built specifically for Microsoft Purview eDiscovery and compliance scenarios to help organizations automate their litigation and investigation workflows. Join us for “Streamline eDiscovery with new innovations, including Microsoft Graph APIs,” a sequel to Microsoft Senior Product Marketing Manager Caitlin Fitzgerald’s Microsoft Build 2022 session, which will share recent examples of using APIs to ensure repeatable and predictable management of time-sensitive compliance processes.

Explore built-in security features in these Microsoft Build sessions

Unlocking the Power of Azure Security: Conversations with Experts, Q&A

In this Q&A session, Richard Diver, Technical Story Design Lead, Microsoft, will moderate a panel of experts who help secure the software supply chain within Microsoft Azure and other platforms. The session is based on a four-part blog series that includes Microsoft Azure’s defense-in-depth approach to cloud vulnerabilities and Cloud Variant Hunting. The panel will share Microsoft security best practices and how we’re enhancing our response process, extending our internal security research, and continually improving how we secure multitenant services.

Next-Level DevSecOps: Secure Supply Chain Consumption Framework, Q&A

The Secure Supply Chain Consumption Framework (S2C2F) is designed from the ground up to protect developers from accidentally consuming malicious and compromised packages. In this Q&A session, Mia Reyes, Director, Foundational Security—Cybersecurity, Microsoft, will moderate a panel of leads from our Secure Software Supply Chain team, including Adrian Diglio, Principal Product Marketing Manager, Microsoft, and Jasmine Wang, Product Manager, Microsoft, as they present S2C2F. Learn how to patch your vulnerable components faster and prevent consumption of malicious or compromised packages. Download the Secure Supply Chain Consumption Framework Simplified Requirements guide to learn how you can improve your open source software (OSS) consumption practices.

According to Sonatype’s 2022 State of the Software Supply Chain report, supply chain attacks targeting OSS have increased by an average of 742 percent each year for the past three years.[1]

Microsoft Build 2023

Join us in Seattle for Microsoft Build from May 23 to 25, 2023. We’ll stream online sessions on May 23 and 24, 2023, during Pacific Time hours. Register now to reserve your spot and visit the Microsoft Build 2023 website to explore the session catalog and plan your experience. We look forward to connecting with you!

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and Twitter (@MSFTSecurity) for the latest news and updates on cybersecurity.


[1] 18th Annual State of the Software Supply Chain Report, Sonatype.

The post Microsoft Build 2023: Announcing new identity, compliance, and security features from Microsoft Security appeared first on Microsoft Security Blog.

SEC cyber risk management rule—a security and compliance opportunity
http://approjects.co.za/?big=en-us/security/blog/2023/03/01/sec-cyber-risk-management-rule-a-security-and-compliance-opportunity/
Wed, 01 Mar 2023 17:00:00 +0000

The proposed Securities and Exchange Commission rule creates new reporting obligations for United States publicly traded companies to disclose cybersecurity incidents, risk management, policies, and governance. This blog describes how the rule is an opportunity for the IT security team to provide value to the company.

The post SEC cyber risk management rule—a security and compliance opportunity appeared first on Microsoft Security Blog.

In my practice as a Microsoft Global Black Belt, I focus on the technical and business enablement aspects of protecting organizations from cyber threats with tools like Microsoft 365 Defender, Microsoft Purview and Microsoft Sentinel. In my role as a board member for another publicly traded company, the conversation is about creating value for our shareholders and managing risks in alignment with our business goals. Compliance is an important risk. Shifting gears and having the right conversations with the right stakeholders is critical to being effective, whatever your role.

When I read the United States Securities and Exchange Commission (SEC) proposed rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies, I saw an opportunity for cybersecurity professionals to add value to their organizations and to further their conversations with the board of directors. The proposed rule is on the Office of Management and Budget’s regulatory calendar for April 2023.[1]

The information disclosed by companies under this rule would be submitted in eXtensible Business Reporting Language (XBRL) to be made broadly available to market participants for comparison, filtering, and analysis.[2] This is important to the board from both a compliance and a shareholder value perspective. It’s an opportunity for a company to differentiate itself from competitors through its cultural and infrastructure investments in IT security.

Proposed SEC rule on cybersecurity risk management, strategy, governance, and incident disclosure

The SEC’s proposed rules of March 9, 2022,[3] for publicly traded companies supplement the SEC’s guidance of October 13, 2011,[4] and February 26, 2018,[5] regarding disclosure of cybersecurity breaches and incidents. They make the requirements more comprehensive, including reporting on:

  • Cybersecurity incidents and updating incidents previously reported.
  • The company’s policies and procedures for detecting and dealing with cybersecurity risks.
  • Oversight of cybersecurity governance by the board of directors.
  • Management’s role and expertise in cybersecurity risk management, including policies, procedures, and strategy.
  • The board of directors’ cybersecurity expertise.

This would require the board to become more aware of and involved in the company’s cyber risk posture. The chief information security officer (CISO) is best positioned to enable the board in this regard. The SEC guidance encourages the board to seat directors with cybersecurity expertise and perhaps stand up a cybersecurity committee.

Reporting of cybersecurity incidents

Reporting of cyber incidents, including breaches, is the focus of the existing SEC rules. The proposal expands this to require reporting within four business days of the date on which the company determines the incident to be material. The report must include when the incident was discovered, whether it is ongoing, its scope, whether data was stolen or accessed, its effect on operations, and the status of remediation.

The scope of reportable incidents would be expanded to include smaller incidents that, in the aggregate, become material.

The term “material” is defined by whether a reasonable shareholder would consider the incident important, which leaves some room for interpretation.

The proposal requires that the company update its reporting on an incident with any material changes in its quarterly or annual report.

This makes it all the more important that companies have tools in place to prevent attacks and minimize time to detection, like Microsoft 365 Defender and Microsoft Sentinel. They need to minimize the impact of a breach.[6] An incident may be a data breach that is reportable to regulators and customers, or a minor event handled by the security team; the company needs tools, like Microsoft Purview Premium Audit, to determine which.[7] Without the right tools in place before the incident, a company may have to do more reporting to regulators and the marketplace than is necessary.

Disclosure of cybersecurity risk management, strategy, and governance

Companies would be required to disclose if they have a cybersecurity risk assessment program and to describe it. This includes how the company works with auditors, consultants, and other third parties.   

They would be required to describe how they protect against, detect, and minimize the effects of cybersecurity incidents. They would describe their cybersecurity policies and procedures, including business continuity and disaster recovery. They would describe how they select, retain, and use third parties to enable these activities, and how cybersecurity considerations affect the selection of service providers. They would also describe how lessons learned from past cybersecurity incidents have shaped these policies and procedures.

How the selection of partners, including cloud service providers, affects the company’s security posture would be communicated to the marketplace. The company needs information to assess this and ensure that the vendor is a good security partner throughout the relationship.

Microsoft provides the service trust portal to give our customers the third-party assessments and evidence they need to make informed decisions and to support them during assessments and audits. We provide information for Microsoft Azure, Microsoft Dynamics 365, and Microsoft 365 customers to help comply with a wide range of global, regional, industry, and government regulations with our Microsoft compliance offerings documentation.[8] For customers to assess their compliance with more than 350 regulatory standards in Microsoft 365,[9] we offer Microsoft Purview Compliance Manager.[10] For Azure customers, Microsoft provides the Regulatory compliance dashboard in Microsoft Defender for Cloud, which also provides visibility into the compliance posture of non-Microsoft clouds.[11]

Companies would be required to describe how cybersecurity incidents have or might in the future affect their operations and financial performance and how these risks are dealt with as part of the company’s business planning.

This aligns with corporate governance scoring that credits companies for their investment, planning, and expertise in IT security.[12] It increases the return on a company’s cultural and infrastructure investments in IT security.

Disclosure regarding governance and the board of directors’ cybersecurity expertise

Companies would disclose their cybersecurity governance, including a description of how both the board and management oversee, assess, and manage cybersecurity risk. They would describe management’s cybersecurity expertise and its role in cybersecurity for the company.

Under the proposed rule, companies would disclose which board members have cybersecurity expertise and describe that expertise. The proposed rule is not prescriptive as to what constitutes expertise; it provides some examples, such as experience in information security, policy, architecture, engineering, or incident response, and relevant certifications or degrees.

This may encourage organizations to select directors with these skill sets. It may also encourage a company to stand up a cybersecurity committee within the board.

This will likely enable the CISO to advocate for the needs of the information security program and to communicate the security posture and plans to an informed audience. It may also provide opportunities for cybersecurity professionals to serve on boards.

Microsoft can help security teams meet this opportunity

Whatever the final content of the SEC rule, it will be an opportunity for the CISO to increase and highlight the value of the IT security function. It will expand the scope of their communications with the board. It will supplement the business case for investment in IT security. By making information on a company’s cybersecurity posture and governance broadly available, stakeholders can make better-informed decisions about cyber risk. This helps transition IT security from a cost center to a business enabler where it belongs.

Learn more about Microsoft 365 Defender, Microsoft Purview and Microsoft Sentinel.



[1] Regulatory calendar, Office of Information and Regulatory Affairs. 2023.

[2] An Introduction to XBRL, XBRL.org.

[3] Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, SEC. March 9, 2022.

[4] CF Disclosure Guidance: Topic No. 2, SEC. October 13, 2011.

[5] Commission Statement and Guidance on Public Company Cybersecurity Disclosures, SEC. February 26, 2018.

[6] Privacy breaches: Using Microsoft 365 Advanced Audit and Advanced eDiscovery to minimize impact, Steve Vandenberg. January 6, 2021.

[7] Auditing solutions in Microsoft Purview, Microsoft Learn. February 21, 2023.

[8] Microsoft compliance offerings, Microsoft Learn.

[9] Compliance Manager templates list, Microsoft Learn. February 22, 2023.

[10] Microsoft Purview Compliance Manager, Microsoft Learn. February 22, 2023.

[11] Customize the set of standards in your regulatory compliance dashboard, Microsoft Learn. February 8, 2023.

[12] IT security: An opportunity to raise corporate governance scores, Steve Vandenberg. August 8, 2022.

