Secure remote work Insights | Microsoft Security Blog
http://approjects.co.za/?big=en-us/security/blog/topic/secure-remote-work/
Expert coverage of cybersecurity topics. Feed last updated Thu, 12 Sep 2024 21:10:58 +0000.

Secure SaaS applications with Valence Security and Microsoft Security
http://approjects.co.za/?big=en-us/security/blog/2024/03/05/secure-saas-applications-with-valence-security-and-microsoft-security/
Tue, 05 Mar 2024 17:00:00 +0000

The rapid adoption of Software as a Service (SaaS) has revolutionized collaboration and innovation across industries. SaaS offerings now emphasize integration and advanced collaboration, blurring the line between application and platform. Decentralized administration models and minimal security oversight pose risks, leading to complex misconfigurations. Valence and Microsoft Security address these challenges, ensuring SaaS applications adhere to security best practices and improve the security postures of identities configured in each individual SaaS application.

This blog post is part of the Microsoft Intelligent Security Association guest blog series. Learn more about MISA.  

Software as a service (SaaS) adoption has accelerated at lightning speed, enabling collaboration, automation, and innovation for businesses large and small across every industry vertical—from government, education, and financial services to tech companies. Every SaaS application is now expanding its offering to allow better integration with the enterprise ecosystem and advanced collaboration features, becoming more of a “platform” than an “application.” To further complicate the security landscape, business users are managing these SaaS applications with little to no security oversight, creating a decentralized administration model. All this leads to a growing risk surface with complex misconfigurations that can expose organizations’ identities, sensitive data, and business processes to malicious actors.

To combat this challenge, Valence and Microsoft Security work together to ensure that SaaS applications are configured according to the best security practices and improve the security posture of identities configured in each individual SaaS application. Together, Valence and Microsoft:  

  • Centrally manage SaaS identities’ permissions and access.
  • Enforce strong authentication by ensuring proper MFA (multi-factor authentication) and SSO (single sign-on) enrollment and managing local SaaS users.
  • Detect and revoke unauthorized non-human SaaS identities such as APIs, service accounts, and tokens.
  • Incorporate SaaS threat detection capabilities to improve SaaS incident response.

As most sensitive corporate data has shifted from on-premises devices to the cloud, security teams need to manage the risks of how this data is accessed and managed. Integrating Valence’s SaaS Security with the Microsoft Security ecosystem now provides a winning solution.

SaaS applications are prime targets  

Recent high-profile breaches have shown that attackers are targeting SaaS applications and leveraging misconfigurations and human errors to gain high-privilege access to sensitive applications and data. While many organizations have implemented SSO and MFA as their main line of defense for SaaS, recent major breaches have proven that these alone are not enough. Attackers have found that MFA fatigue, social engineering, and targeting the SaaS providers themselves can bypass many of the mechanisms that security teams have put in place. Add to these the high-profile breaches in which attackers leveraged legitimate third-party open authorization (OAuth) tokens to gain unauthorized access to SaaS applications, and many more attack examples.

State of SaaS security risks 

Our 2023 SaaS Security Report analyzed real SaaS environments to measure their security posture before an effective SaaS security program was implemented. The results showed that no organization enforced MFA on 100% of its identities; there are always exceptions, such as service accounts, contractors, and shared accounts, or simply a lack of effective monitoring for drift. In addition, one out of eight SaaS accounts is dormant and not actively used. Offboarding users is not only important to save costs; attackers also like to target these accounts for account takeover since they are typically less monitored. Other key stats were that 90% of externally shared files haven’t been used by external collaborators for at least 90 days and that every organization has granted multiple third-party vendors organization-wide access to their emails, files, and calendars.

Figure 1. Top SaaS Security gaps identified in the 2023 State of SaaS Security Report.

Holistic SaaS security strategy 

Establishing a holistic SaaS security strategy requires bringing together many elements—from shadow SaaS discovery, through strong authentication, identity management of both humans and non-humans, managing and remediating SaaS misconfigurations, and enforcing data leakage prevention policies, to establishing scalable incident response. Valence and Microsoft take security teams one step further toward a more holistic approach.

Valence joined the Microsoft Intelligent Security Association (MISA) and integrated with Microsoft security products—Microsoft Entra ID and Microsoft Sentinel—to enhance customers’ capabilities to manage their SaaS risks, effectively remediate them, and respond to SaaS breaches. The Valence SaaS Security Platform provides insight and context on SaaS risks such as misconfigurations, identities, data shares, and SaaS-to-SaaS integrations, extending existing controls with SaaS Security Posture Management (SSPM) and SaaS risk remediation capabilities. Valence is also a proud participant of the Partner Private Preview of Microsoft Copilot for Security. This involves working with Microsoft product teams to help shape Copilot for Security product development in several ways, including validation and refinement of new and upcoming scenarios, providing feedback on product development and operations to be incorporated into future product releases, and validation and feedback of APIs to assist with Copilot for Security’s extensibility.

Figure 2. Illustrative data: The Valence Platform provides a single pane of glass to find and fix SaaS risk across four core use cases: data protection, SaaS to SaaS governance, identity security, and configuration management. 

Secure SaaS human and non-human identities

In the modern identity-first environment, most attackers focus on high-privilege users, dormant accounts, and similar weak points. Enforcing zero trust access has become a core strategy for many security teams, and the first step is identifying all the identities that need to be secured. Microsoft Entra SSO management combined with Valence’s SaaS application monitoring, which detects accounts created locally in each application, provides a holistic view into human identities and non-human identities (enterprise applications, service accounts, APIs, OAuth and third-party apps).

Microsoft Entra ID centrally enforces strong authentication such as MFA, and Valence discovers enforcement gaps and users that are not managed by the central SSO. Valence also monitors the SaaS applications themselves to discover the privileges granted to each identity and recommends how to enforce least privilege with minimal administrative access. For continuous, risk-based verification, the final piece of a zero trust strategy, Valence takes the risky users and risky service principals signals from Microsoft Entra ID and combines them with signals from other SaaS applications for a holistic view into identity risk.
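The posture checks described in this section and in the report statistics above (MFA gaps, accounts that bypass the central SSO, dormant accounts, and admin privilege held outside SSO control) come down to a few queries over a normalized identity inventory. The following is an added example written for this page, not Valence's or Microsoft's code; the record layout and the sample inventory are constructed assumptions standing in for whatever a SaaS application's user export actually returns.

```python
"""SaaS identity posture checks over a constructed, normalized inventory.

Added illustration, not Valence's or Microsoft's code. The field names
(app, user, kind, sso, mfa, role, last_seen) are an assumed normalized
shape; a real SSPM pipeline would map each application's export into it.
"""
from datetime import datetime, timedelta, timezone

# Fixed "now" so the example is deterministic (constructed value).
NOW = datetime(2024, 3, 5, tzinfo=timezone.utc)

# Constructed sample: one record per identity per SaaS application.
INVENTORY = [
    {"app": "crm", "user": "alice@example.com", "kind": "human", "sso": True,
     "mfa": True, "role": "admin", "last_seen": NOW - timedelta(days=2)},
    {"app": "crm", "user": "bob@example.com", "kind": "human", "sso": False,
     "mfa": False, "role": "admin", "last_seen": NOW - timedelta(days=120)},
    {"app": "crm", "user": "svc-export", "kind": "service", "sso": False,
     "mfa": False, "role": "admin", "last_seen": NOW - timedelta(days=1)},
    {"app": "wiki", "user": "carol@example.com", "kind": "human", "sso": True,
     "mfa": True, "role": "member", "last_seen": NOW - timedelta(days=200)},
    {"app": "wiki", "user": "contractor1", "kind": "human", "sso": False,
     "mfa": True, "role": "member", "last_seen": NOW - timedelta(days=10)},
]


def find_mfa_gaps(inventory):
    """Human identities that can sign in without MFA (service accounts are
    reported separately, since they usually cannot complete MFA)."""
    return sorted((r["app"], r["user"]) for r in inventory
                  if r["kind"] == "human" and not r["mfa"])


def find_local_accounts(inventory):
    """Human identities with a local login that bypasses the central SSO."""
    return sorted((r["app"], r["user"]) for r in inventory
                  if r["kind"] == "human" and not r["sso"])


def find_dormant(inventory, now=NOW, days=90):
    """Identities not seen for more than `days` days (offboarding candidates)."""
    cutoff = timedelta(days=days)
    return sorted((r["app"], r["user"]) for r in inventory
                  if now - r["last_seen"] > cutoff)


def find_unmanaged_admins(inventory):
    """Admin privilege held outside SSO control, human or non-human."""
    return sorted((r["app"], r["user"], r["kind"]) for r in inventory
                  if r["role"] == "admin" and not r["sso"])


def posture_summary(inventory, now=NOW):
    """One dictionary of findings, with the dormant ratio for reporting."""
    dormant = find_dormant(inventory, now)
    total = len(inventory)
    return {
        "mfa_gaps": find_mfa_gaps(inventory),
        "local_accounts": find_local_accounts(inventory),
        "dormant": dormant,
        "dormant_ratio": round(len(dormant) / total, 2) if total else 0.0,
        "unmanaged_admins": find_unmanaged_admins(inventory),
    }


if __name__ == "__main__":
    for key, value in posture_summary(INVENTORY).items():
        print(f"{key}: {value}")
```

Each finding maps to a remediation the text names: MFA gaps and local accounts go to SSO enrollment, dormant accounts to offboarding, and unmanaged admins to a least-privilege review, with service accounts flagged so they are reviewed rather than silently excluded.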

Protect SaaS applications 

Microsoft has a wide SaaS offering that is fueling enterprise innovation. These services are central to core business functions and employee collaboration, cover many use cases, and are spread across multiple business units, but in many areas, such as identity and access management, they are tied together, so their security postures are often related as well. Managing the security posture of SaaS services can be complex because of the many configurations and the potential cross-service effects, which require security teams to build expertise across a wide range of SaaS.

Many security teams view Microsoft SaaS apps as part of their more holistic SaaS security posture management and would like to create cross-SaaS security policies and enforce them. Valence’s platform integrates with Microsoft Entra ID and other Microsoft SaaS services via Microsoft Graph to normalize the complex data sets and enable security teams to closely monitor the security posture of their Microsoft SaaS applications alongside the rest of their SaaS environment.

Enhance SaaS threat detection and incident response 

Improving SaaS security posture proactively reduces the chances of a breach, but SaaS breaches can still occur, and organizations need to prepare their threat detection coverage and incident response plans. The built-in human and non-human identity threat detection of Microsoft Entra ID, combined with Microsoft Sentinel log correlation and security automation and Microsoft Copilot for Security’s advanced AI capabilities, creates a powerful combination to detect and respond to threats. Valence expands existing detections from compromised endpoints and identities with important SaaS context; for example, did the compromised device belong to a SaaS admin user? Did the compromised identity perform suspicious activities in other SaaS applications? The expanded detections provide critical insights to prioritize breaches and assess their blast radius. Additionally, Valence’s SaaS threat detection can trigger threat detection workflows in Microsoft products based on its unique indicator-of-compromise monitoring.
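The enrichment step described above (is the compromised device's owner a SaaS admin, and what did that identity do in other SaaS applications recently) is shown below as an added example written for this page, not Valence's or Microsoft's code. The alert shape, the device-owner map, the admin map, the activity log, the list of actions treated as suspicious and the blast-radius scoring are all constructed assumptions; in practice the alert would be an Entra ID risk signal or an endpoint alert, and the SaaS data would come from each application's audit API.

```python
"""Enrich an identity or endpoint alert with SaaS admin context and recent
SaaS activity, then rank blast radius. Added illustration only; the data
sources and the scoring rule are assumptions, not Valence's or Microsoft's.
"""
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 3, 5, 12, 0, tzinfo=timezone.utc)  # fixed clock (constructed)

# Constructed: which managed device belongs to which user.
DEVICE_OWNERS = {"LAPTOP-07": "alice@example.com", "LAPTOP-42": "dave@example.com"}

# Constructed: SaaS applications in which each identity holds an admin role.
SAAS_ADMINS = {"alice@example.com": {"crm", "hr"}, "dave@example.com": set()}

# Constructed: normalized SaaS audit events (app, actor, action, time).
ACTIVITY = [
    {"app": "crm", "actor": "alice@example.com", "action": "export_all_contacts",
     "time": NOW - timedelta(hours=1)},
    {"app": "hr", "actor": "alice@example.com", "action": "add_admin",
     "time": NOW - timedelta(minutes=30)},
    {"app": "crm", "actor": "alice@example.com", "action": "view_record",
     "time": NOW - timedelta(days=3)},
    {"app": "wiki", "actor": "dave@example.com", "action": "view_page",
     "time": NOW - timedelta(hours=2)},
]

# Actions worth escalating when the actor is believed compromised (assumed list).
SUSPICIOUS = {"export_all_contacts", "add_admin", "create_api_token"}


def resolve_user(alert, device_owners=DEVICE_OWNERS):
    """An endpoint alert names a device; an identity alert names a user."""
    user = alert.get("user") or device_owners.get(alert.get("device", ""))
    if not user:
        raise ValueError("alert carries neither a known device nor a user")
    return user


def enrich_alert(alert, admins=SAAS_ADMINS, activity=ACTIVITY,
                 now=NOW, window=timedelta(hours=24)):
    """Attach SaaS context to one alert and compute a blast-radius priority."""
    user = resolve_user(alert)
    admin_apps = sorted(admins.get(user, set()))
    recent = [e for e in activity
              if e["actor"] == user and now - e["time"] <= window]
    suspicious = [(e["app"], e["action"]) for e in recent
                  if e["action"] in SUSPICIOUS]
    # Assumed rule: each admin app counts once, each suspicious action twice.
    score = len(admin_apps) + 2 * len(suspicious)
    priority = "critical" if score >= 4 else "high" if score >= 1 else "medium"
    return {
        "source": alert["source"],
        "user": user,
        "is_saas_admin": bool(admin_apps),
        "admin_apps": admin_apps,
        "apps_touched": sorted({e["app"] for e in recent}),
        "suspicious_actions": suspicious,
        "blast_radius": score,
        "priority": priority,
    }


if __name__ == "__main__":
    print(enrich_alert({"source": "endpoint", "device": "LAPTOP-07"}))
    print(enrich_alert({"source": "entra_risky_user", "user": "dave@example.com"}))
```

The same endpoint alert lands as "critical" when the device owner is an admin who just exported data and granted admin rights elsewhere, and as "medium" when the owner holds no SaaS admin role and only read a wiki page; that difference is the triage signal the section describes.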

Together, Valence and Microsoft combine the best of all worlds when it comes to SaaS security. From SaaS discovery, through SaaS security posture management, remediating risks, and detecting threats—Valence and Microsoft enable secure adoption of SaaS applications. Modern SaaS risks and security challenges require a holistic view into SaaS risk management and remediation. Get started today.

About Valence Security 

Valence is a leading SaaS security company that combines SSPM and advanced remediation with business user collaboration to find and fix SaaS security risks. SaaS applications are becoming decentrally managed and more complex, which is introducing misconfiguration, identity, data, and SaaS-to-SaaS integration risks. The Valence SaaS Security Platform provides visibility and remediation capabilities for business-critical SaaS applications. With Valence, security teams can empower their business to securely adopt SaaS. Valence is backed by leading cybersecurity investors like Microsoft’s M12 and YL Ventures, and is trusted by leading organizations. Valence is available for purchase through Azure Marketplace. For more information, visit their website.

Be among the first to hear about new products, capabilities, and offerings at the Microsoft Secure digital event on March 13, 2024. Learn from industry luminaries and influencers. Register today.

Learn more

To learn more about the Microsoft Intelligent Security Association (MISA), visit our website where you can learn about the MISA program, product integrations, and find MISA members. Visit the video playlist to learn about the strength of member integrations with Microsoft products. 

​​To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity. 

3 new ways the Microsoft Intune Suite offers security, simplification, and savings
http://approjects.co.za/?big=en-us/security/blog/2024/02/01/3-new-ways-the-microsoft-intune-suite-offers-security-simplification-and-savings/
Thu, 01 Feb 2024 17:00:00 +0000

The main components of the Microsoft Intune Suite are now generally available. Read about how consolidated endpoint management adds value and functionality for security teams.

Today, we are taking a significant step in completing the delivery of functionality we promised when we first unveiled the vision for the Microsoft Intune Suite.1 We are launching three new solutions: Microsoft Intune Enterprise Application Management, Microsoft Intune Advanced Analytics, and Microsoft Cloud PKI. With these additions, the Intune Suite now goes beyond unified endpoint management to bring you a comprehensive collection of advanced cross-platform capabilities across three core areas: streamlined application security, secure access to on-premises and private cloud resources, and improved troubleshooting and support. While we will continue to add more functionality over time, today’s release marks “the end of the beginning,” as the main components of the Intune Suite are generally available this month. As such, let’s take the opportunity to recap the principles behind the value and functionality of the Intune Suite.


The broad value of the Intune Suite

While the solutions of the Intune Suite launched at different points in time, three fundamental principles have been there from the beginning.

First, one place for workloads adjacent to unified endpoint management. If you’re currently using a mix of third-party solutions, the integrated experience in Microsoft Intune provides security and efficiency on multiple levels. On one level, a single unified solution means fewer integrations to manage across third parties, and therefore fewer attack vectors for malicious actors. On a deeper level, the broader Intune proposition (both Intune Suite and Intune) is integrated with Microsoft 365 and Microsoft Security solutions, which gives IT professionals a consolidated and seamless experience with a single pane of glass for end-to-end endpoint management.

Second, all parts of the Intune Suite are ready to support your cloud and AI-enabled future. Intune Suite will help accelerate organizations’ digital transformation to cloud native and simplify their IT operations. Additionally, data from Intune Suite is consolidated with other Intune and security data, meaning complete visibility across the device estate, informing and improving emerging technologies like Microsoft Copilot for Security. The more interrelated data that Copilot can use, the more it can proactively advise on the next best action.

Lastly, Intune Suite is available in a single unified plan. So, rather than having separate solutions for remote assistance, privilege management, analytics, and more, these advanced solutions can all be consolidated into one. This provides value in two ways: directly, by reducing the overall licensing cost, since the Intune Suite costs less than purchasing separate solutions; and indirectly, by removing the need to manage separate vendors, train IT admins on separate tools, or maintain costly on-premises public key infrastructure (PKI). The Intune Suite makes life easier for IT admins and reduces overhead costs.

“With what we get out of Intune Suite, we can eliminate other products that our customers need. It’s now a suite of many components that enable customers who want to consolidate solutions and save money.”

—Mattias Melkersen Kalvåg, Mobility and Windows Management Consultant at MINDCORE, and Microsoft Certified Professional & MVP

From today: A comprehensive suite across applications, access needs, and support

Let’s get into specifics. For application security, Enterprise App Management helps you find, deploy, and update your enterprise apps. And Endpoint Privilege Management lets you manage elevation rules on a per-app basis so that even standard users can run approved privileged apps. Cloud PKI lets you manage certificates from the cloud in lieu of complex, on-premises PKI infrastructure. And Microsoft Tunnel for Mobile Application Management (MAM) is perfect for unenrolled, personal mobile devices, to help broker secure access to line of business apps. Advanced Analytics gives you data-rich insights across your endpoints. And Remote Help lets you view and control your PCs, Mac computers, and specialized mobile devices, right from the Intune admin center. Let us take each of those three product areas in turn.

Increase endpoint security with Enterprise App Management and Endpoint Privilege Management

Enterprise App Management gives you a new app catalog, allowing you to easily distribute managed apps, but also keep them patched and always up to date. With this initial release, you will be able to discover and deploy highly popular, pre-packaged apps, so you no longer need to scour the Internet to find their installation files, repackage, and upload them into Intune. Simply add and deploy the apps directly from their app publishers. You can also allow the apps you trust to self-update, and when a new update is available, it is just one click to update all your devices with that app installed. We will continuously expand and enrich the app catalog functionality in future releases to further advance your endpoint security posture and simplify operations. 

“I’m very excited about Enterprise App Management as it’s powered by a strong app catalog and natively integrated in Intune. This single pane of glass experience is what we’re all looking for.”

—Niklas Tinner, Microsoft MVP and Senior Endpoint Engineer at baseVISION AG

For more control over your apps, with Endpoint Privilege Management, you can scope temporary privilege elevation, based on approved apps and processes. Then, as a user in scope for this policy, you can elevate only the processes and apps that have been approved. For example, users can only run a single app for a short period of time as an administrator. Unlike other approaches that give local admin permissions or virtually unlimited scope, you can selectively allow a user to elevate in a one-off scenario by requesting Intune admin approval, without you needing to define the policy ahead of time.

“Endpoint Privilege Management offers tight integration into the operating system. And the focus that Microsoft has over only elevating specific actions and apps versus making you an admin for a period of time—this is security at its best, going for the least privileged access.”

—Michael Mardahl, Cloud Architect at Apento

Cloud PKI and Microsoft Tunnel for MAM power secure access

With Cloud PKI, which provides both root and issuing certificate authorities (CAs) in the cloud, you can set up a PKI in minutes, manage the certificate lifecycle, reduce the need for extensive technical expertise and tools, and minimize the effort and cost of maintaining on-premises infrastructure. In addition, support for bring-your-own CA is available, allowing you to anchor Intune’s issuing CA to your own private CA. Certificates can be deployed automatically to Intune-managed devices for scenarios such as authentication to Wi-Fi, VPN, and more: a modern PKI management option that works well for securing access with Microsoft Entra certificate-based authentication. In the initial release, Cloud PKI will also work with your current Active Directory Certificate Services for SSL and TLS certificates, but you do not need to deploy certificate revocation lists, Intune certificate connectors, Network Device Enrollment Service (NDES) servers, or any reverse proxy infrastructure. You can issue, renew, or revoke certificates directly from the Intune admin center, automatically or manually.

Microsoft Tunnel for MAM helps secure mobile access to your private resources. Microsoft Tunnel for MAM works similarly to Microsoft Tunnel for managed devices; however, with this advanced solution, Microsoft Tunnel for MAM works with user-owned (non-enrolled) iOS and Android devices. Microsoft Tunnel for MAM provides secure VPN access at the app level, for just the apps and browser (including Microsoft Edge) your IT admin explicitly authorizes. So, for personally owned devices, the user can access approved apps, without your company’s data moving onto the user’s personal device. App protection policies protect the data within the apps, preventing unauthorized data leakage to other apps or cloud storage locations.

“Cloud PKI within the Intune Suite allows you to go cloud native in terms of certificate deployment, which means you can provision PKIs with just a few clicks—that’s a blessing for all the IT administrators. With this built-in service, Microsoft hosts everything for you to manage certificates.”  

—Niklas Tinner

Resolve support issues quicker with Advanced Analytics and Remote Help

Advanced Analytics in Intune is a powerful set of tools for actionable reporting and AI-driven analytics. It provides deep, near real-time insights into your connected devices and managed apps that help you understand, anticipate, and proactively improve the user experience. We continue to infuse AI and machine learning into our analytics products. For example, you can get ahead of battery degradation in your device fleet through our advanced statistical analysis and use that information to prioritize hardware updates. Intune Suite now includes real-time, on-demand device querying using Kusto Query Language for individual devices, useful for troubleshooting and resolving support calls more quickly.

With Remote Help, you can also streamline the way you remotely view and interact with your managed devices, for both user-requested and unattended sessions. As a help desk technician, you can securely connect to both enrolled and unenrolled devices. Users also have peace of mind in being able to validate the technician’s identity, to avoid help desk spoofing attempts. Right now, Remote Help supports remote viewing and control on Windows PCs and Android dedicated Enterprise devices, and remote viewing on macOS. Especially useful for frontline workers, Remote Help for Android allows help desk administrators to configure and troubleshoot unattended devices, meaning issues can be resolved off-shift.

“Remote Help takes away the requirement and the need for third-party remote help tools. Remote Help is native, it’s interactive, and you don’t have to worry about installing anything, it’s already there. It’s part of Intune, it’s part of the build.”

—Matthew Czarnoch, Cloud and Infrastructure Operations Manager at RLS (Registration and Licensing Services)

To see many of these new capabilities in action, we invite you to watch this new Microsoft Mechanics video.

Analyst recognition for Microsoft

With the additions to the Intune Suite now available, IT can power a more secure and productive future at an important time as AI comes online. Notably, analyst recognition is validating the importance of its value. For example, Microsoft again assumes the strongest leadership position in the Omdia Universe: Digital Workspace Management and Unified Endpoint Management Platforms 2024. Omdia wrote: “Microsoft is focused on reducing management costs by utilizing the Microsoft Intune Suite and integrating different solutions with it.” They added: “The company plans to invest in Endpoint Analytics and Security Copilot to introduce data-driven management, helping IT professionals shift from reactive, repetitive tasks to strategic ones by utilizing Endpoint Analytics and automation.” Omdia’s recognition follows that from others like Forrester, who named Microsoft as a Leader in The Forrester Wave™ for Unified Endpoint Management, Q4 2023.

Get started with consolidated endpoint management solutions with the Microsoft Intune Suite

The February 2024 release of the solutions in the Intune Suite marks a key milestone, offering a consolidated, comprehensive solution set together in a cost-effective bundle (and available as individual add-on solutions) for any plan that includes Intune. And in April 2024, they will also be available to organizations and agencies of the United States government community cloud. We look forward to hearing your reactions to the new Intune Suite.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.


1. Ease the burden of managing and protecting endpoints with Microsoft advanced solutions, Dilip Radhakrishnan and Gideon Bibliowicz. April 5, 2022.

The Forrester Wave™ is copyrighted by Forrester Research, Inc. Forrester and Forrester Wave™ are trademarks of Forrester Research, Inc. The Forrester Wave™ is a graphical representation of Forrester’s call on a market and is plotted using a detailed spreadsheet with exposed scores, weightings, and comments. Forrester does not endorse any vendor, product, or service depicted in the Forrester Wave™. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change.

The Forrester Wave™: Unified Endpoint Management, Q4 2023, Andrew Hewitt, Glen O’Donnell, Angela Lozada, Rachel Birrell. November 19, 2023.

How Datawiza uses Microsoft Entra ID to help universities simplify access
http://approjects.co.za/?big=en-us/security/blog/2024/01/24/how-datawiza-uses-microsoft-entra-id-to-help-universities-simplify-access/
Wed, 24 Jan 2024 17:00:00 +0000

Datawiza helps Claremont Graduate University enable Microsoft Entra ID multifactor authentication and single sign-on for Oracle PeopleSoft, streamlining and improving the student experience.

This blog post is part of the Microsoft Intelligent Security Association guest blog series. Learn more about MISA.

In a scenario familiar to many universities worldwide, Claremont Graduate University (CGU), a renowned research university located in Southern California, was struggling with how to bring Oracle PeopleSoft Campus Solutions into its Microsoft 365 and Microsoft Entra ID (formerly Azure Active Directory) environment and enable multifactor authentication and single sign-on (SSO) for students and staff who access Oracle PeopleSoft on a daily basis. The only option for the resource-strapped IT department seemed to be an expensive development effort until the university discovered Datawiza and accomplished its goal in just a few weeks.

CGU lacked the security expertise and SDK programming experience to connect PeopleSoft to Microsoft Entra ID themselves. The IT team also lacked the resources to consult with PeopleSoft, Microsoft, and outside security resources, or to hire a third party to do the project. The combination of Datawiza and Microsoft enabled CGU to quickly and easily connect PeopleSoft to Microsoft Entra ID and enable multifactor authentication and SSO. Datawiza swiftly crafted a proof of concept that CGU then thoroughly tested. Once approved, Datawiza promptly configured the solution to precisely suit the university’s needs, subsequently transitioning it to production.

Universities like CGU rely on PeopleSoft, one of the first client-server solutions introduced in the 1990s, to store student records, which typically include personally identifiable information (PII) such as social security numbers, credit card numbers, transcripts, schedules, financial aid history, and more. Though it remains a powerful and functional solution, PeopleSoft has no built-in support for modern security standards such as multifactor authentication or SSO, nor does it easily connect to Microsoft Entra ID to bridge the gap.

As a result, CGU students and staff needed to log into an application outside of their secure Microsoft account to access and update information in PeopleSoft. This led to confusion and frustration for them and significant ongoing support issues and trouble tickets related to password management. It also increased security risks as users who must remember multiple passwords are more likely to write them down and leave them where others can access them.

“With Datawiza, CGU was able to rapidly enhance security and improve the user experience for Oracle PeopleSoft through [multifactor authentication] and SSO without having to go through the time and expense of coding their own connector,” said Manoj Chitre, Associate Vice President and Chief Information Officer, Technology Services and Information Systems at Claremont Graduate University. “The response from students and staff has been tremendous. Users no longer need to maintain and remember a separate PeopleSoft password, and the number of trouble tickets related to PeopleSoft login issues has plummeted.”

Today, nearly 2,000 CGU students and staff access PeopleSoft through multifactor authentication and their single SSO password, completely eliminating the unnecessary security risk, as well as the time- and resource-consuming effort of IT having to maintain a separate password environment for PeopleSoft.

“Microsoft Entra ID is the flagship of our identity and access solutions which help organizations secure access to everything in a hybrid, multicloud world. We are pleased to see companies like Datawiza support this mission through the Microsoft Intelligent Security Association.” 

– Irina Nechaeva, General Manager, Identity, Microsoft

Datawiza, the Zero Trust Access Management Platform

Datawiza provides Microsoft Entra ID-based SSO and multifactor authentication integration with PeopleSoft using Security Assertion Markup Language (SAML) or OpenID Connect. The cloud-native, no-code or low-code Datawiza platform can be deployed in minutes and connected to PeopleSoft—and other legacy or on-premises applications—without the need for Oracle Access Manager or Oracle Identity Cloud Service and without any application patches or additional installations for the existing PeopleSoft deployment.

Once PeopleSoft is connected to Microsoft Entra ID, IT administrators can also easily apply existing Microsoft Entra Conditional Access policies to PeopleSoft.

Datawiza is a simple, highly secure platform consisting of two major components. The Datawiza Access Proxy (DAP) is a lightweight container-based proxy. DAP integrates with identity providers to enable SSO, multifactor authentication, and granular authorization. DAP can be deployed in a customer’s environment or hosted by the Datawiza Cloud. The Datawiza Cloud Management Console (DCMC) is a centralized console for configuring access policies. DCMC aggregates logs and provides visibility. Once the solution is set up and configured by Datawiza, IT administrators will only need to manage user access through the DCMC.
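The access-proxy pattern described above (a proxy in front of a legacy application that checks the identity provider's session, applies the access policy and only then forwards the request) is shown below as an added example written for this page. It is not Datawiza's code and assumes nothing about the internals of DAP or DCMC. The session-token format (an HMAC-signed JSON blob the proxy would mint after a successful SAML or OpenID Connect response), the identity header the legacy application is assumed to trust from the proxy, and the placeholder IdP URL are all constructed assumptions.

```python
"""Identity-aware reverse proxy decision logic for a legacy application.

Added illustration of the pattern, not Datawiza's code. The proxy session
token, the trusted identity header and the IdP URL are assumptions.
"""
import base64
import hashlib
import hmac
import json
import time

PROXY_KEY = b"constructed-demo-key-do-not-reuse"        # proxy's session-signing key (demo value)
IDP_LOGIN_URL = "https://login.example.test/authorize"  # placeholder IdP endpoint
IDENTITY_HEADER = "X-Authenticated-User"                # assumed header the legacy app trusts


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_session(claims, key=PROXY_KEY):
    """What the proxy would issue after the IdP's SAML/OIDC response is verified."""
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_session(token, key=PROXY_KEY, now=None):
    """Return the claims if the signature is valid and not expired, else None."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    expected = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(_unb64(body))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        return None
    return claims


def decide(request, policy, now=None):
    """Policy decision for one request.

    request: {"path": str, "cookies": {...}, "headers": {...}}
    policy:  {"require_mfa": bool, "allowed_groups": set}
    Returns a redirect to the IdP, a 403 deny, or a forward with the
    identity header set by the proxy (never by the client).
    """
    claims = verify_session(request.get("cookies", {}).get("proxy_session", ""), now=now)
    if claims is None:
        return {"action": "redirect", "location": IDP_LOGIN_URL}
    if policy.get("require_mfa") and "mfa" not in claims.get("amr", []):
        return {"action": "deny", "status": 403, "reason": "mfa_required"}
    allowed = policy.get("allowed_groups") or set()
    if allowed and not (allowed & set(claims.get("groups", []))):
        return {"action": "deny", "status": 403, "reason": "not_in_group"}
    # Strip any client-supplied copy of the identity header before forwarding,
    # so the legacy app only ever sees the value the proxy asserted.
    forwarded = {k: v for k, v in request.get("headers", {}).items()
                 if k.lower() != IDENTITY_HEADER.lower()}
    forwarded[IDENTITY_HEADER] = claims["sub"]
    return {"action": "forward", "headers": forwarded}


if __name__ == "__main__":
    policy = {"require_mfa": True, "allowed_groups": {"students", "staff"}}
    token = mint_session({"sub": "student1", "amr": ["pwd", "mfa"],
                          "groups": ["students"], "exp": int(time.time()) + 600})
    print(decide({"path": "/psp/", "cookies": {"proxy_session": token},
                  "headers": {"X-Authenticated-User": "spoofed"}}, policy))
```

The last step is the one that matters for a header-based integration: because the legacy application trusts the identity header, the proxy must be the only component that can set it, which is why any copy arriving from the client is dropped before the request is forwarded. The MFA check uses the `amr` claim, which is how Conditional Access decisions such as "require MFA" would be reflected in the session the proxy carries.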

Architectural diagram describing Datawiza’s integration with Microsoft Entra ID.

Datawiza: A trusted solution

Datawiza joined the Microsoft Intelligent Security Association Program (MISA) in February 2021, and the solution has previously been described in detail in a MISA blog post. Datawiza is also a fully managed service built by security experts, eliminating the need for a university’s IT team to deploy and manage a new solution or hire or contract with additional security expertise. This makes the combination of Datawiza and Microsoft the easiest and most powerful way to rapidly improve security and user access for the valuable data stored in PeopleSoft.


Learn more

The Datawiza Platform is available in the Microsoft commercial marketplace. More information and a free trial are also available on the Datawiza website.

To learn more about the Microsoft Intelligent Security Association (MISA), visit our website, where you can learn about the MISA program, product integrations, and find MISA members. Visit the video playlist to learn about the strength of member integrations with Microsoft products.    

Learn more about Microsoft Entra ID.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity. 

The post How Datawiza uses Microsoft Entra ID to help universities simplify access appeared first on Microsoft Security Blog.

How Strata Identity and Microsoft Entra ID solve identity challenges in mergers and acquisitions http://approjects.co.za/?big=en-us/security/blog/2023/12/19/how-strata-identity-and-microsoft-entra-id-solve-identity-challenges-in-mergers-and-acquisitions/ Tue, 19 Dec 2023 17:00:00 +0000 Along with every merger and acquisition between two companies comes the need to combine and strengthen their IT infrastructure. There is an immediate and profound impact on the identity and access management postures of both companies. Learn how to protect your organization with Strata Identity and Microsoft Entra ID.

The post How Strata Identity and Microsoft Entra ID solve identity challenges in mergers and acquisitions appeared first on Microsoft Security Blog.

This blog post is part of the Microsoft Intelligent Security Association guest blog series. Learn more about MISA.

Along with every merger and acquisition between two companies comes the need to combine and strengthen their IT infrastructure. In particular, there is an immediate and profound impact on the identity and access management (IAM) postures of both companies. With a newly combined workforce, where does all the user information live? Where are the authentications going to be handled? What changes are going to be made for authorization to applications; will users have access to the apps of the other organization? All these problems must be solved quickly in order to provide continuous day-to-day operations in a secure way.

While most combined organizations aspire to eventually consolidate their identity systems, this is a challenging and time-consuming process. The untangling (and re-entangling) of dozens or hundreds of enterprise applications and their identity stacks takes time and deliberation. Meanwhile, there may be immense pressure from users and app owners for secure access to the appropriate apps, along with pressure from regulators and investors to unlock and demonstrate value from the combined organization, and from investors and the board to deliver immediate value after the transaction’s close.

As one of the most comprehensive and advanced IAM platforms available today, Microsoft Entra ID is often the choice to be the dominant set of identity services in the combined architecture. Microsoft strives to make the merger and acquisition process as easy as possible and works with Strata Identity for a seamless integration. Strata’s Maverics Identity Orchestration platform does this by acting as an abstraction layer to accelerate and simplify the path to consolidation.

The identity challenges with mergers and acquisitions

Addressing IAM issues is one of the most pressing issues in a merger and acquisition scenario. Typically, other operational issues such as application workloads can continue to operate in their status quo indefinitely until such time as it makes sense to address them. The cybersecurity implications of user access, however, are immediate and need to be addressed quickly, whether this be through some sort of identity consolidation, or through a higher-level abstraction encompassing the existing systems.

One factor that makes a migration complex is the tendency for applications to be tightly coupled with their current identity provider (IdP). When creating an application, developers and app owners may end up writing code that is very specific to their current IdP. Switching that IdP is seldom trivial, especially for long-lived applications that may have been written against a now-legacy protocol, or may have “rolled their own” authentication and authorization. Very often this calls for a complete rewrite of the application; an onerous task that is particularly daunting years or decades after its inception, when the original app team may be long gone.

This makes the common natural approach of wholesale migration somewhat untenable, especially with the time constraints imposed by governance and regulation. Even disregarding those factors, the sheer expense of refactoring and rewriting a sizable portion of your application library—anything older than about five years is probably using an outdated security profile—is prohibitively expensive.

The end goal in a merger and acquisition scenario is to quickly (and cost effectively) transition to a unified and tractable IAM posture, despite having a mix of user pools, protocols, and applications tightly coupled. Such transitions often need to happen in weeks or months, whereas a wholesale rewrite-and-migration might take years.


Addressing your merger and acquisition challenges with Microsoft Entra ID and Strata Identity

Strata Identity takes a different approach to the challenges of managing disparate identity systems during a merger or acquisition. Instead of focusing on a migration of identities, Strata’s Maverics Identity Orchestration Platform provides an abstraction layer on top of your apps, IdPs, and services to enable you to create your own identity fabric.

An icon-based diagram of an abstraction layer created by the Maverics Identity Orchestration platform during merger and acquisition activities. It shows multiple Strata orchestrators enabling a single user to access disparate identity environments and applications.

The Maverics Platform is composed of individual Orchestrators distributed throughout the target environment. These lightweight Orchestrators can live anywhere within the infrastructure, on any operating system, within Kubernetes clusters or on standalone virtual machines. They act as a distributed mesh of control, able to pull identity information from any system—whether by redirecting for authentication or by pulling additional user information for an existing session—and convert that identity information into the formats needed and expected by applications.

Importantly, this approach means that existing applications do not need to be refactored or rewritten as part of the identity consolidation process. Any application that cannot be trivially swapped over to a new source of identity information—and, importantly, that isn’t up-to-date on the very latest security practices—is simply harnessed by Maverics. It continues to consume identity information in the way that it has always known and Maverics handles the rest. Sessions that are allowed to flow through to the application have had the Microsoft Entra identity controls applied for both authentication and authorization before the traffic is permitted to reach the application in the first place. Even app owners have their burdens reduced significantly, being needed only for some basic smoke testing during a changeover.

This also allows for a deliberate and calculated rollout of changes to your infrastructure. No more stressful projects with hard cutover dates, long all-or-nothing weekend cutovers, and the associated frantic testing of every application to make sure everything transitioned smoothly. Using the Maverics platform from Strata allows for measured, incremental changes. Cut over a single application at a time—or even a subset of an application’s users—and test at leisure.

Better yet, if any issues are found the rollback is trivial. Since Maverics is acting as an abstraction layer over the identity process, the swapping between user stores or IdPs is handled in one simple interface. The user is unlikely to notice any impact at all as changes are made—either to migrate to the new identity source or to roll back to the old configuration.

Another benefit of this approach is that user-impacting changes can be rolled out with deliberation, giving users a chance to acclimate to any new process. Let’s say, for instance, that as part of your migration you need to add multifactor authentication to a body of users that didn’t use it previously. The identity abstraction layer allows you to notify your users of impending changes, and can even assist in the enrollment of the new security factors.

This abstraction layer lets Maverics serve as the single pane of glass through which you can view the combined identity systems, securely controlling all access while, at the same time, making the incremental updates and changes to move the locus of control from these disparate systems into Microsoft Entra ID.

Strata Identity: The last mile in mergers and acquisitions with Microsoft Entra ID

With Strata’s Maverics Orchestration Platform, mergers and acquisitions don’t have to be a long, risky, and labor-intensive effort. By adding an abstraction layer over the existing identity stacks, Strata makes shifting control of authentication and authorization over to Microsoft Entra ID seamless and simple, regardless of how complex and disjointed the previous implementation might have been. Strata also prevents the nightmare of having to rewrite all your apps, using its ability to harness legacy apps with modern identity protocols to save your team immense time and effort.

About Strata Identity

Strata Identity is a pioneer in Identity Orchestration for multicloud and hybrid cloud. The orchestration recipe-powered Maverics platform enables organizations to integrate and control incompatible identity systems with an identity fabric that does not change the user experience or require rewriting apps. By decoupling applications from identity, Maverics makes it possible to implement modern authentication, like passwordless, and enforce consistent access policies without refactoring apps.

The Maverics platform is available on the Azure Marketplace and is an IP co-sell Benefits Eligible solution.

Learn more

Learn more about Microsoft Entra ID.

To learn more about the Microsoft Intelligent Security Association (MISA), visit our website where you can learn about the MISA program, product integrations, and find MISA members. Visit the video playlist to learn about the strength of member integrations with Microsoft products.   

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and Twitter (@MSFTSecurity) for the latest news and updates on cybersecurity.

Boost identity protection with Axiad Cloud and Microsoft Entra ID http://approjects.co.za/?big=en-us/security/blog/2023/08/08/boost-identity-protection-with-axiad-cloud-and-microsoft-entra-id/ Tue, 08 Aug 2023 16:00:00 +0000 As IT environments become more complex and multilayered to combat cybersecurity attacks, authentication processes for applications, operating systems, and workplace locations are increasingly managed in silos. Axiad Cloud and Microsoft Entra ID help to strengthen security perimeters by provisioning and managing phishing-resistant, passwordless credentials.

The post Boost identity protection with Axiad Cloud and Microsoft Entra ID appeared first on Microsoft Security Blog.

This blog post is part of the Microsoft Intelligent Security Association guest blog series. Learn more about MISA.

Passwords are a security weakness, and phishing attacks that exploit password-protected accounts are on the rise. The last 12 months have seen an average of more than 4,000 password attacks per second, an almost threefold increase from the previous year, and phishing continues to be the preferred attack method of cybercriminals.1 Clearly, better solutions are needed to help reduce reliance on passwords and increase security. Phishing-resistant multifactor authentication methods like certificate-based authentication (CBA) are proven to increase account security while decreasing reliance on passwords. Microsoft studies found that your account is more than 99.9 percent less likely to be compromised if you use multifactor authentication.2 The power of Axiad Cloud complements Microsoft Azure Active Directory, now Microsoft Entra ID, with Axiad CBA for identity and access management (IAM) to prevent common phishing attacks by provisioning and managing phishing-resistant, passwordless credentials for users everywhere. Together, Axiad and Microsoft enable customers to secure entities, enhancing security and reducing IT complexity.

The rise in cyberattacks

Multifactor authentication fatigue attacks have become increasingly popular among bad actors in recent years. Multifactor authentication fatigue involves flooding a user’s authentication app with push notification requests to authorize a sign-in. The goal is to frustrate users to the point where they accept one of the approval notifications, typically just to make the notifications stop. Once that occurs, the attacker can gain access to the victim’s account. Sometimes these attacks become more sophisticated and add a social engineering or spear phishing component, where an attacker poses as an IT or help desk employee to a targeted victim and asks the victim to approve authentication through an app or to hand over a one-time password (OTP) code. Both techniques can result in an organization losing money and suffering reputational damage while remediating the attack.
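As an added example, not Axiad’s or Microsoft’s code, here is a simple detection rule a security operations team could run over push-prompt sign-in records to surface the flooding pattern described above. The comma-separated log format, the user names and the sample records are constructed for the example; real identity provider sign-in logs use different field names, so the parser is the part to adapt.

```python
"""Detect push-notification flooding (MFA fatigue) in authentication logs.

Added example, not Axiad or Microsoft code. The comma-separated log format
and the sample records are constructed for this illustration; real identity
provider sign-in logs use different field names, so parse_log() is the part
to adapt.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass(frozen=True)
class PushEvent:
    ts: datetime
    user: str
    result: str  # "approved", "denied" or "timeout"


# Constructed sample log: timestamp,user,push result.
# alice: seven unanswered prompts in six minutes, then an approval (the
#        classic fatigue pattern); bob: a normal sign-in with one mis-tap;
# carol: six time-outs spread over two hours (no burst).
SAMPLE_LOG = """
2024-03-01T09:00:05,alice@contoso.example,denied
2024-03-01T09:01:10,alice@contoso.example,denied
2024-03-01T09:02:00,alice@contoso.example,timeout
2024-03-01T09:03:30,alice@contoso.example,denied
2024-03-01T09:04:15,alice@contoso.example,denied
2024-03-01T09:05:05,alice@contoso.example,timeout
2024-03-01T09:06:40,alice@contoso.example,denied
2024-03-01T09:07:20,alice@contoso.example,approved
2024-03-01T10:00:00,bob@contoso.example,denied
2024-03-01T10:00:40,bob@contoso.example,timeout
2024-03-01T10:01:30,bob@contoso.example,approved
2024-03-01T11:00:00,carol@contoso.example,timeout
2024-03-01T11:25:00,carol@contoso.example,timeout
2024-03-01T11:50:00,carol@contoso.example,timeout
2024-03-01T12:15:00,carol@contoso.example,timeout
2024-03-01T12:40:00,carol@contoso.example,timeout
2024-03-01T13:05:00,carol@contoso.example,timeout
"""


def parse_log(text: str) -> List[PushEvent]:
    """Parse 'ISO-timestamp,user,result' lines into PushEvent records."""
    events = []
    for line in text.strip().splitlines():
        ts, user, result = (field.strip() for field in line.split(","))
        events.append(PushEvent(datetime.fromisoformat(ts), user, result))
    return events


def detect_mfa_fatigue(events: List[PushEvent],
                       window: timedelta = timedelta(minutes=10),
                       threshold: int = 5) -> List[dict]:
    """Return one alert per user who received at least `threshold` denied or
    timed-out push prompts inside a single `window`.

    Severity is "high" when an approval follows the burst within `window`,
    which is what a successful fatigue attack looks like in the log, and
    "medium" otherwise (the user held out, but the account is under attack).
    """
    by_user: Dict[str, List[PushEvent]] = defaultdict(list)
    for ev in events:
        by_user[ev.user].append(ev)

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.ts)
        prompts = [e for e in evs if e.result != "approved"]
        start = 0
        for end in range(len(prompts)):
            # Slide the left edge so the span [start, end] fits in the window.
            while prompts[end].ts - prompts[start].ts > window:
                start += 1
            if end - start + 1 < threshold:
                continue
            # Threshold reached: extend to every prompt in this window.
            last = end
            while (last + 1 < len(prompts)
                   and prompts[last + 1].ts - prompts[start].ts <= window):
                last += 1
            burst_end = prompts[last].ts
            approved_after = any(
                e.result == "approved" and burst_end <= e.ts <= burst_end + window
                for e in evs
            )
            alerts.append({
                "user": user,
                "burst_start": prompts[start].ts.isoformat(),
                "burst_end": burst_end.isoformat(),
                "unanswered_prompts": last - start + 1,
                "approved_after_burst": approved_after,
                "severity": "high" if approved_after else "medium",
            })
            break  # one alert per user is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_fatigue(parse_log(SAMPLE_LOG)):
        print(alert)
```

A "high" alert is the one to act on first: the approval that followed the burst is the sign-in to revoke, and the user's device to check.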

One example of a high-profile multifactor authentication fatigue attack is the ridesharing platform breach by Lapsus$, a hacking group notorious for their social engineering attacks, that occurred in September 2022. According to an article by Infosecurity Magazine, one of the documents included in the breach may have contained email addresses and information for more than 77,000 employees.3

As IT environments become more complex and multilayered to combat cybersecurity attacks, authentication processes for applications, operating systems, and workplace locations are increasingly managed in silos. This leaves IT teams overwhelmed and organizations vulnerable to the attacks they are working to avoid.

Graph showing that a survey of participants in United States companies found that 70 percent of security and IT professionals are overwhelmed by their organization’s authentication complexity.

Implementing CISA’s guidance for enhanced security

As bad actors have found ways to bypass some authentication protocols, many organizations are looking to enhance their security with phishing-resistant multifactor authentication. Cybersecurity and Infrastructure Security Agency (CISA) has released guidance for implementing stronger, phishing-resistant multifactor authentication to enhance authentication security and avoid phishing attacks.4 The guidance urges all organizations to implement phishing-resistant multifactor authentication methods, such as CBA. These protocols have additional built-in protections to prevent phishing and resist increasingly automated, sophisticated attacks on authentication processes. The Identity Defined Security Alliance (IDSA) recently created an infographic illustrating the 2022 trends in securing digital identities.5 IDSA found that 96 percent of organizations that have suffered a breach report that it could have been prevented or minimized by implementing identity-related security outcomes. Implementation of phishing-resistant multifactor authentication methods can drastically help reduce that risk.

Axiad recommends organizations implement phishing-resistant multifactor authentication methods. This is one of the simplest steps organizations can take to protect their environments and keep hackers out. Axiad Cloud is a great complement to existing Microsoft Entra ID customers looking to strengthen their security perimeter.

Integrate with Microsoft Entra ID

The power of Axiad Cloud complements Microsoft Entra ID with Axiad CBA for IAM by provisioning and managing phishing-resistant, passwordless credentials for users everywhere. Microsoft customers can leverage Microsoft Entra ID CBA with certificates provisioned and managed by Axiad Cloud. Axiad CBA for IAM can support issuing and managing certificates with a variety of authenticators such as physical smart cards, virtual smart cards, and YubiKeys. The Axiad Cloud-issued user certificates can be used to authenticate Microsoft 365 applications and workstations to protect companies’ most sensitive information and devices. This eliminates the need for multiple forms of authentication and reduces IT complexity. All entities are secured without using passwords or shared secrets, so the authentication process is secure from end to end.

Graphic showing the cycle of how Axiad Cloud complements Microsoft Entra ID with Axiad CBA for IAM by provisioning and managing phishing-resistant, passwordless credentials for users everywhere.

This joint solution offers the following benefits:

Passwordless multifactor authentication: Provisions multiple types of authenticators that do not rely on a password or push notification that can easily be intercepted or compromised and supports phishing-resistant authentication as recommended by CISA.

Consolidated view: Provides administrators and users with a consolidated view of all authenticators and helps manage them from Axiad MyIdentities, which uniquely provides visibility into all user authenticators, including Microsoft Authenticator, Windows Hello for Business, OTP codes, and security keys. All authenticators and credentials can be managed with the Axiad Unified Portal. The portal gives administrators and users the ability to provision credentials through a number of delivery workflows.

Self-service: Empowers self-service by enabling the workforce to issue department-level credential resets with Axiad MyCircle, thereby avoiding temporary passwords and reducing user friction. This improves user experience and reduces calls to the IT help desk for credential resets.

Increased efficiency: Replaces the use of multiple tools for enterprise deployment, management, and support of authenticators and credentials with Axiad Airlock. Organizations can automate multifactor authentication processes and checklists (for example, enforcing initial smart card setup and renewal) before an employee can gain full access to systems. Axiad Airlock allows organizations to streamline provisioning authenticators and credentials. Organizations can provide self-service credential lifecycle management including account recovery (replacement, temporary credentials, and PIN resets), expirations, renewals, and more.

With these benefits, CBA is increasingly deployed in the public sector. The majority of federal agency and defense employees and contractors use a Personal Identity Verification (PIV) card or Common Access Card (CAC), which are both forms of smart cards used for authentication. CBA simplifies the process of authenticating to Microsoft Entra ID using PIV- or CAC-based smart cards and meets the federal government’s requirement to move to phishing-resistant multifactor authentication solutions.

To further support Microsoft users on their journey to passwordless, Axiad is also an active member of the Microsoft Intelligent Security Association (MISA), an ecosystem of independent software vendors and managed security service providers that have integrated their solutions with Microsoft Security products to better defend against a world of increasing threats. Through working in MISA, and with Microsoft product teams, Axiad is fully committed to aligning with Microsoft’s vision for securing customers’ environments with the best solutions possible.

Support cloud migration

Microsoft has recently advised their customers with on-premises Active Directory Federation Services (AD FS) to migrate to cloud-based Microsoft Entra ID for identity and access management. This helps customers to authenticate to Microsoft services directly against Microsoft Entra ID and eliminates the need for federated AD FS. This allows customers to simplify infrastructure and improve costs, security, and scalability. But how do customers ensure secure CBA remains intact while migrating to the cloud?

Customers can enable cloud migration by using the same certificate issued by Axiad Cloud to authenticate to on-premises resources protected by AD FS, and Microsoft 365 services by leveraging Microsoft Entra ID CBA. Axiad Cloud credentials used by AD FS to authenticate on-premises resources can continue to be used as applications are migrated to authenticate to Microsoft Entra ID. This provides flexibility in a cloud migration strategy and deployment. Users will also have the same authentication experience during the migration process as the same Axiad Cloud-issued credential will be used for authentication. This supports CBA across Microsoft 365 services.

Overall, this joint solution supports authentication needs across an enterprise environment. Together, these products can manage a broad range of phishing-resistant authenticators, ranging from enterprise-grade mobile-based to government-grade compliant approaches. By creating a consolidated authentication experience across devices, authenticators, and locations, the solution both enhances security and reduces user friction. Axiad CBA for IAM helps organizations migrate to Microsoft Entra ID more rapidly, or operate a hybrid Azure AD and on-premises Active Directory environment, by keeping secure certificate-based authentication intact during the migration process.

Learn more about how Axiad Cloud, with Microsoft Entra ID, allows organizations to protect and easily authenticate to Microsoft 365 applications by visiting their website.

For more information about Axiad’s support of Microsoft Entra ID, visit the Azure Marketplace.


Learn more

To learn more about the Microsoft Intelligent Security Association (MISA), visit our website where you can learn about the MISA program, product integrations, and find MISA members. Visit the video playlist to learn about the strength of member integrations with Microsoft products.   

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and Twitter (@MSFTSecurity) for the latest news and updates on cybersecurity.


1. Microsoft Entra expands into Security Service Edge and Azure AD becomes Microsoft Entra ID, Joy Chik. July 11, 2023.

2. Your Pa$$word doesn’t matter, Alex Weinert. July 9, 2019.

3. Uber Hit By New Data Breach After Attack on Third-Party Vendor, Alessandro Mascellino. December 13, 2022.

4. More than a Password, CISA.

5. 2022 Trends in Securing Digital Identities, IDSA. 2022.

How a senior product manager is leading the passwordless movement at Microsoft http://approjects.co.za/?big=en-us/security/blog/2022/05/04/how-a-senior-product-manager-is-leading-the-passwordless-movement-at-microsoft/ Wed, 04 May 2022 16:00:00 +0000 May 5, 2022, is World Password Day, a day we all use to create awareness around password security. At Microsoft, we choose to celebrate replacing passwords with better and more secure ways to sign in. I can’t think of a better person at Microsoft to represent this journey than Libby Brown, a senior product manager […]

The post How a senior product manager is leading the passwordless movement at Microsoft appeared first on Microsoft Security Blog.

May 5, 2022, is World Password Day, a day we all use to create awareness around password security. At Microsoft, we choose to celebrate replacing passwords with better and more secure ways to sign in. I can’t think of a better person at Microsoft to represent this journey than Libby Brown, a senior product manager leading our efforts to keep Microsoft Azure Active Directory (Azure AD) customers more secure with passwordless solutions.

Here’s what I love about Libby’s story: her career has followed a winding path that ended up being the best possible path to the role she has today. Early on, she switched from engineering to public policy and then worked in publishing, product marketing, training, release management, and now product management. She’s spent time at a small publishing firm, at a startup, and at Microsoft. She pushed her way past every career hiccup, and as she moved forward, she gained experience that would later be relevant to her work in ways she had never anticipated.

Today, Libby is in a technical role, calling on everything she’s learned throughout her education and career to build usable experiences that make technology easier for businesses of all sizes. Her focus on usability is crucial; we’ve learned the hard way that unless security experiences are easy for IT administrators to deploy and manage, and easy for users to adopt, people will be reluctant to use them. Our goal is to make passwordless authentication even easier to use than passwords, which are hard to remember and far less secure. With her varied background working on an array of products for an array of different audiences, Libby is the perfect person to lead this charge.

Libby’s interview with Eric Sachs has been edited for clarity and length. We’ve included two video snippets of the interview recording so you can learn more about her unique career journey and perspectives.

Eric: I have three young daughters myself, and none of them has gotten interested in computers yet. How did you first get interested in them growing up?

Libby: I was pretty lucky. My older brother was interested in computers, so from the very earliest days, we had a Timex Sinclair computer—with a little chiclet keyboard and programs that saved to a cassette tape—and also an early Apple. I had the opportunity to attend Thomas Jefferson High School for Science and Technology in Northern Virginia, which had just graduated its first class. Computers were just something in the background, from an early age, that I used. I recognize now, though, that I was pretty lucky to have that.

Eric: What did you decide to study in college after you had that opportunity in high school?

Libby: In high school, you take those career “What do you want to do?” questionnaires. My answers always led to engineering, so I attended Duke University to study mechanical engineering. It was an interesting time, but I realized I just did not care if you took a piece of metal and bent it where it would break. It wasn’t the kind of problem-solving that I liked. So, I looked around, took a couple of public policy courses—which turned out to be a different type of systemic problem solving—and ended up majoring in that.

Eric: You eventually got back to computers, so what was the next time you encountered technology?

Libby: After Duke, I returned to Washington, D.C., to get involved in public policy. My first job was for a small publishing company called Congressional Quarterly. They produced daily, weekly, monthly, and annual publications on what Congress was doing. My first job involved researching legislation and entering it into a database. With the year 2000, we needed to upgrade those databases, including how researchers entered the data and how customers pulled the data and were presented with it. I started doing things like designing what that screen would look like, what the website would look like, and designing the queries to pull the data for legislative reports. Little did I know at the time, that’s what I would be doing 20 some years later, just with different challenges, but still focusing on that foundational user experience, running those systems, and designing great opportunities and spaces for users.

Once we made it past the year 2000, we launched the Congressional Quarterly Website. It won a bunch of awards that year for being one of the newest, best magazine tools online. But also keep in mind, this was in the heyday of Web 2.0. Red Herring magazine was 300 pages thick, with information on all these great Web 2.0 companies and the future of e-commerce. Congressional Quarterly was a pretty small business. I realized I needed more scope and scale to succeed in this new world, so I decided to get my MBA. 

I chose Vanderbilt University because they had leading researchers in Web 2.0 e-commerce. I studied both information technology and strategy. This led me to think about how businesses take advantage of technology and use it to gain competitive advantage, which became the underlying thread to the rest of my tech career.

Video description: Libby describes her first role at Microsoft.

Eric: So, after business school, you came into Microsoft initially as a Product Manager for one of the company’s publishing arms, left for a startup, and then returned. What was different, and what worked well for you, when you came back?

Libby: I came back for a fun startup-like team within Microsoft called Office Live Small Business. We were working to give small businesses a free custom domain name with Hotmail mailboxes on the backend and a Microsoft SharePoint site they could easily customize to market to their customers. While our product was successful, other technologies were coming online, including Microsoft Exchange and SharePoint moving to the cloud, so we needed to reconcile that. Since we had experience with small businesses and users, our team pivoted to building the user and admin portals for what became Microsoft Office 365. Being part of that transition was a fun time.

Eric: Well, you had quite a journey to get there, but now you’ve been a product manager for a while at Microsoft. How did you end up in the identity team then, dealing with passwords?

Libby: Sometimes I’m not quite sure how I got here myself, but through a series of reorganizations, I found myself doing a weird set of roles around financial compliance for our commerce platform. I learned all about Sarbanes-Oxley compliance, payment card industry (PCI), and other interesting spaces, but it was not an area that I enjoyed. So, I reached out to my wide corporate network. As a product manager at Microsoft, you want to keep those connections active, and I was doing my, “Hey, what’s happening in your space of the company?” interviews with a bunch of friends and former coworkers. One of them happened to work in identity as the program manager lead for the Microsoft Authenticator app, and we realized that I had a lot of applicable skills. I joined that team in 2016.

Eric: I have to admit, I’m a little jealous because your current project’s very focused on passwordless authentication. What about your unique background do you think helps you with this particular challenge?

Libby: We wanted to make the experience of two-step verification easier for Microsoft consumers. As you know, not many people were comfortable with two-step verification, especially in 2016. They didn’t quite understand a password plus something else, whether that something else was an SMS code or a push notification to your phone. Then we said, well, if we can do password plus “push,” why can’t we just do the push and tie it to the device? We’d create a super easy experience of entering your username and responding to a notification on your phone. That got a lot of attention and traction.

And we were also working to build the same type of experience for work and school accounts in Azure AD. Given my background, I asked questions from an organizational standpoint about keeping our customers more secure. How can they make sure that their business is doing what it needs to do—without having to worry about those attacks? Creating a great user experience so employees can easily make that strong authentication gesture to be safe really helps the overall security posture of the company itself.

Video description: Libby explains how usability enhances security.

Eric: It’s pretty exciting. In the passwordless area, the FIDO Alliance recently published a white paper about passkeys. Part of it is about using a mobile phone to help sign in to other devices like a Microsoft Windows desktop. Can you explain a bit more about why that is so important? Windows devices and mobile phones have built-in biometrics—why can’t that just solve all problems and make all passwords go away?

Libby: Passwords have been in our systems now since the 1960s. It’s going to take us a little while to kill them off. But multidevice credentials, which some refer to as passkeys, really are that next thing that will enable us to do that. Most of us have a mobile device in our hands for the better part of the day, and we’re working to take advantage of the native biometrics on that device, whether it’s Touch ID or Face ID, or the Windows Hello gesture that you might use on your PC. We’re trying to use the native gesture on that device that everyone is familiar with, backed by this modern use of public-key cryptography to keep you secure.

Then I can use my phone as a passkey to sign in on my phone or to another device such as my Windows PC, or the Mac at my mom’s house, and it’s just seamless and ubiquitous. And when you think about the companies that have been involved—whether that’s Microsoft, Apple, Google—we’ve been in this from the very beginning and now we’re looking at more than six billion devices being able to use these standards-based multidevice credentials. When you look at those numbers and that scope and scale, it’s just pretty mind-boggling how we can transform in the next few years.

Eric: Cool! All of us who use passwords, which is just about everybody, want to thank you for taking on the password challenge and it certainly seems like your very unique career path makes you uniquely qualified for this challenge. I can’t wait to see where you lead us next on the passwordless journey.

Libby: Thanks, Eric.

Learn more

Help protect your organization with Microsoft’s complete identity and access management solution.

Learn more about Azure AD.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post How a senior product manager is leading the passwordless movement at Microsoft appeared first on Microsoft Security Blog.

New security features for Windows 11 will help protect hybrid work http://approjects.co.za/?big=en-us/security/blog/2022/04/05/new-security-features-for-windows-11-will-help-protect-hybrid-work/ Tue, 05 Apr 2022 15:00:00 +0000 Attackers haven’t wasted any time capitalizing on the rapid move to hybrid work. Every day cyber criminals and nation states alike have improved their targeting, speed and accuracy as the world adapted to working outside the office.

The post New security features for Windows 11 will help protect hybrid work appeared first on Microsoft Security Blog.

Attackers haven’t wasted any time capitalizing on the rapid move to hybrid work. Every day cybercriminals and nation-states alike have improved their targeting, speed, and accuracy as the world adapted to working outside the office. These changes have put “cybersecurity issues and risks” at the top of the list when it comes to worries or concerns for business decision-makers in the year ahead, as shown in new data from Microsoft’s 2022 Work Trend Index.1 Malware, stolen credentials, phishing attacks, devices that lack security updates, user error, and physical attacks on lost or stolen devices are major concerns for security and IT teams as they try to protect their workforce.

In 2021, protections built into Windows, Azure, Microsoft 365, and Microsoft Defender for Office 365 blocked more than 9.6 billion malware threats, more than 35.7 billion phishing and other malicious emails, and 25.6 billion attempts to hijack enterprise customer accounts by brute-forcing stolen passwords; that is more than 800 password attacks per second. The intelligence we get from this, combined with our 8,500 security professionals and the 24 trillion security signals our cloud processes every 24 hours, gives us a unique view into what our customers need to protect themselves from threats now and in the future. The combination of modern hardware and software required for Windows 11, delivered alongside our ecosystem partners, is what will enable us to help protect our customers wherever and however they choose to work.

Security designed for hybrid work

In a future release of Windows 11, you’re going to see significant security updates that add even more protection from the chip to the cloud by combining modern hardware and software. Microsoft has made groundbreaking investments to help secure our Windows customers with hardware security innovations like Secured-core PCs. Our data shows that these devices are 60 percent more resilient to malware than PCs that don’t meet the Secured-core specifications. The stronger protection these devices provide helped build the foundation that the Windows 11 hardware baselines were designed upon. In upcoming releases of Windows, we are advancing security even further with built-in protections to help defend from advanced and targeted phishing attacks. We’re also adding more protection for your applications, personal data, and devices and empowering IT with the ability to lock security configurations as more enterprise devices are sent directly to users. Here’s a look at what’s coming to Windows 11 to help our customers combat the biggest security challenges of distributed work scenarios and the threat landscape of the future.

Zero Trust security, from the chip to the cloud, rooted in hardware

  • Microsoft Pluton: Built on the principles of Zero Trust, the hardware and silicon-assisted security features in Windows 11—including TPM 2.0, firmware and identity protection, Direct Memory Access (DMA) protection, and memory integrity (hypervisor-protected code integrity)—help protect core parts of the OS as well as the user’s credentials as soon as the device powers on. While those features protect against many of the attack patterns we see today, attackers have shifted their sights to hardware, which is why we are looking ahead to the Microsoft Pluton security processor as a solution for securing that critical layer of computing.
  • Microsoft Pluton has several key capabilities that stem from its direct integration into the CPU and the OS. First, Pluton is the only security processor that is kept regularly up to date with security and functionality updates delivered through Windows Update, just like any other Windows component. This means Pluton does not require enterprises to take the traditional manual steps to update firmware, making it much easier to stay secure. In addition, the Pluton firmware is developed by the same Windows team that builds the features that use it, such as Windows Hello and BitLocker, so Pluton is optimized for the best performance and reliability in Windows 11. Pluton also undergoes penetration testing along with external bug bounties to help ensure it remains secure. Pluton offers more than optimized firmware: because it is integrated directly into the CPU rather than attached as a separate chip, it also offers protection against physical attacks, removing the attack surface of the bus between the CPU and a discrete TPM and simplifying the additional configuration traditionally needed to address physical attacks. Pluton is a testament to the investment in our chip-to-cloud security strategy and the success of Secured-core PCs.
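The hardware features listed above (TPM 2.0, Secure Boot, DMA protection, virtualization-based security) are the prerequisites everything else in this post stacks on. The following PowerShell is an added example, not code from the original post, that audits whether a given machine actually has them enabled; it uses the inbox Get-Tpm and Confirm-SecureBootUEFI cmdlets and the documented Win32_Tpm and Win32_DeviceGuard WMI classes, and must be run from an elevated session on Windows 10 or 11.

```powershell
# Added example (not from the original post): audit the hardware root-of-trust
# that Windows 11's chip-to-cloud features build on. Run elevated.

function Get-HardwareSecurityPosture {
    $result = [ordered]@{}

    # TPM presence/readiness comes from Get-Tpm; the spec version string
    # (e.g. "2.0, 0, 1.59") comes from the Win32_Tpm WMI class.
    $tpm    = Get-Tpm
    $tpmWmi = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $result.TpmPresent = [bool]$tpm.TpmPresent
    $result.TpmReady   = [bool]$tpm.TpmReady
    $result.Tpm2       = ($null -ne $tpmWmi) -and ((($tpmWmi.SpecVersion -split ',')[0]).Trim() -eq '2.0')

    # Confirm-SecureBootUEFI returns $true/$false on UEFI firmware and throws on legacy BIOS.
    try   { $result.SecureBoot = [bool](Confirm-SecureBootUEFI) }
    catch { $result.SecureBoot = $false }

    # AvailableSecurityProperties codes (Win32_DeviceGuard documentation):
    # 1 = hypervisor support, 2 = Secure Boot, 3 = DMA protection,
    # 4 = Secure Memory Overwrite, 5 = NX protection, 6 = SMM mitigations,
    # 7 = Mode Based Execution Control.
    $dg    = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $props = @($dg.AvailableSecurityProperties)
    $result.HypervisorSupport = ($props -contains 1)
    $result.DmaProtection     = ($props -contains 3)
    $result.SmmMitigations    = ($props -contains 6)
    # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running.
    $result.VbsRunning        = ($dg.VirtualizationBasedSecurityStatus -eq 2)

    [pscustomobject]$result
}

$posture = Get-HardwareSecurityPosture
$posture | Format-List

# Every $false here is a gap at the "chip" end of chip-to-cloud. Fix it in
# firmware setup (enable the TPM, Secure Boot, and the IOMMU / VT-d) before
# relying on Credential Guard or memory integrity, which both sit on top of VBS.
$gaps = $posture.PSObject.Properties | Where-Object { $_.Value -eq $false } | ForEach-Object Name
if ($gaps) { Write-Warning ('Missing hardware security prerequisites: ' + ($gaps -join ', ')) }
```

The script deliberately does not try to detect Pluton itself: from the OS's point of view Pluton presents as the platform's TPM 2.0, so the TPM and VBS checks above are what a fleet report should key on. Run it through your MDM or a scheduled task and treat any device with a `$false` as not meeting the Windows 11 baseline, whatever its label says.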

“While the industry has made great strides in defending against increasingly sophisticated attacks, there’s always more to be done in the realm of hardware and software protection. The best way to propel the ecosystem forward and raise the bar for platform integrity is to leverage open standards; the Pluton security processor does exactly that.”—Michael Mattioli, Co-chair, Supply Chain Security Work Group at Trusted Computing Group, Vice President of Hardware Security, Goldman Sachs.

App security without the app store from Smart App Control 

  • Smart App Control is a major enhancement to the Windows 11 security model that prevents users from running malicious applications by blocking untrusted or unsigned applications by default. Smart App Control goes beyond previous built-in browser protections and is woven directly into the core of the OS at the process level. Using code signing along with AI, Smart App Control only allows processes to run that are predicted to be safe, based on either their code-signing certificate or an AI model for application trust in the Microsoft cloud. Model inference runs continuously on the latest threat intelligence, which provides trillions of signals. When a new application is run on Windows 11, its signature and core features are checked against this model, so that only applications known to be safe are allowed to run. This means Windows 11 users can be confident they are using only safe and reliable applications on their new Windows devices. Smart App Control will ship on new devices with Windows 11 installed. Devices running previous versions of Windows 11 will have to be reset and receive a clean installation of Windows 11 to take advantage of this feature.

Increased account and credential security

  • Enhanced phishing detection and protection with Microsoft Defender SmartScreen: In the last year, we’ve blocked more than 25.6 billion Microsoft Azure Active Directory (Azure AD) brute-force authentication attacks and intercepted 35.7 billion phishing emails with Microsoft Defender for Office 365. The enhanced phishing detection and protection built into Windows with Microsoft Defender SmartScreen will help protect users from phishing attacks by identifying and alerting users when they enter their Microsoft credentials into a malicious application or compromised website. These enhancements will make Windows the world’s first operating system with phishing safeguards built directly into the platform and shipped out of the box, to help users stay productive and secure without having to learn to be their own IT department.
  • Credential Guard by default: Windows 11 makes use of hardware-backed, virtualization-based security to help protect systems from credential theft techniques like pass-the-hash and pass-the-ticket: NTLM password hashes and Kerberos ticket-granting tickets are held in an isolated process that the normal OS cannot read, so malware cannot access those secrets even when it runs with admin privileges. In the future, Credential Guard will be enabled by default for organizations using the Enterprise edition of Windows 11.
  • Additional protection for Local Security Authority (LSA) by default: Windows has several critical processes that verify a user’s identity. The LSA is one of them, responsible for authenticating users and verifying Windows logins, and it handles user credentials such as passwords and the tokens used to provide single sign-on to Microsoft accounts and Azure services. Attackers have developed tools, and abused Microsoft tools, to read credentials out of this process. To combat this, additional LSA protection will be enabled by default in the future for new, enterprise-joined Windows 11 devices. Running LSA as a protected process means it loads only trusted, signed code and cannot be opened for memory reads by unprotected processes, even those with administrative rights, making it significantly more difficult for attackers to steal credentials.
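Until these defaults reach a given device, an administrator has to check and turn on Credential Guard and LSA protection explicitly. The following PowerShell is an added example, not code from the original post; it uses only the registry values, WMI class, and event IDs that Microsoft documents for these features (EnableVirtualizationBasedSecurity, LsaCfgFlags, RunAsPPL, the LSASS.exe AuditLevel value, Wininit event 12 and Code Integrity events 3065/3066). It must run elevated, and every change needs a reboot.

```powershell
# Added example (not from the original post): verify and enable Credential Guard
# and LSA protection (LSASS as a protected process, "RunAsPPL"). Run elevated.

$LsaKey       = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$DgKey        = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
$LsassIfeoKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe'

function Get-CredentialProtectionStatus {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $runAsPpl = (Get-ItemProperty -Path $LsaKey -Name RunAsPPL -ErrorAction SilentlyContinue).RunAsPPL
    # System log, Wininit event 12 ("LSASS.exe was started as a protected process
    # with level: 4") proves LSASS actually came up protected on the last boot;
    # the registry value alone only says it was asked to.
    $pplEvent = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Wininit'; Id = 12 } -MaxEvents 1 -ErrorAction SilentlyContinue
    [pscustomobject]@{
        # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (memory integrity)
        CredentialGuardRunning = (@($dg.SecurityServicesRunning) -contains 1)
        RunAsPPLConfigured     = ($runAsPpl -in 1, 2)      # 1 = with UEFI lock, 2 = without
        LsassStartedProtected  = ($null -ne $pplEvent)
    }
}

function Enable-LsaProtectionAudit {
    # Audit mode logs, instead of blocking, every plug-in or driver that would fail
    # to load into a protected LSASS (Microsoft-Windows-CodeIntegrity/Operational
    # events 3065 and 3066). Run a boot cycle in this mode before enforcing.
    New-Item -Path $LsassIfeoKey -Force | Out-Null
    Set-ItemProperty -Path $LsassIfeoKey -Name AuditLevel -Value 8 -Type DWord
}

function Get-LsaProtectionAuditFindings {
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3065, 3066 } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

function Enable-CredentialProtection {
    param(
        # 1 = also persist the setting in a UEFI variable, so an attacker with admin
        #     rights cannot silently turn it off (but neither can you, without
        #     physical presence at the device to clear the variable);
        # 2 = registry only, remotely reversible. Pick deliberately.
        [ValidateSet(1, 2)] [int] $LockMode = 1
    )
    New-Item -Path $DgKey -Force | Out-Null
    # Credential Guard needs VBS. RequirePlatformSecurityFeatures: 1 = Secure Boot, 3 = Secure Boot + DMA protection.
    Set-ItemProperty -Path $DgKey  -Name EnableVirtualizationBasedSecurity -Value 1 -Type DWord
    Set-ItemProperty -Path $DgKey  -Name RequirePlatformSecurityFeatures  -Value 1 -Type DWord
    # LsaCfgFlags turns on Credential Guard; RunAsPPL turns on LSA protection. Same 1/2 lock semantics.
    Set-ItemProperty -Path $LsaKey -Name LsaCfgFlags -Value $LockMode -Type DWord
    Set-ItemProperty -Path $LsaKey -Name RunAsPPL    -Value $LockMode -Type DWord
    Write-Host 'Configured. Reboot, then re-run Get-CredentialProtectionStatus to confirm both are running.'
}

$status = Get-CredentialProtectionStatus
$status | Format-List
if (-not ($status.CredentialGuardRunning -and $status.LsassStartedProtected)) {
    Enable-CredentialProtection -LockMode 1
}
```

Two practitioner caveats the post does not spell out. First, LSA protection breaks any authentication package, password filter or security support provider that is not Microsoft-signed, so run `Enable-LsaProtectionAudit`, reboot, and review `Get-LsaProtectionAuditFindings` across a pilot ring before enforcing. Second, the UEFI lock is a real trade-off: it stops a remote attacker with admin rights from disabling the protection and rebooting, but it also stops your own remote tooling from doing so, so pick `-LockMode` as a policy decision rather than a default.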

Personal Data Encryption adds a second layer of security for personal data

  • Forty percent of respondents in Verizon’s 2021 Mobile Security Index said mobile devices are the biggest IT security threat, 97 percent consider remote workers to be at more risk than office workers, and 56 percent were worried about device loss or theft. No matter where users are working, the new Personal Data Encryption coming to Windows 11 provides a platform, available for use by applications and IT, to protect user files and data when the user is not signed into the device. To access the data, the user must first authenticate with Windows Hello for Business, linking data encryption keys with the user’s passwordless credentials so that even if a device is lost or stolen, data is more resistant to attack and sensitive data has another layer of protection built-in.

Protect users from themselves with Config Lock

  • More than 60 percent of security decision-makers reported that they’re challenged when it comes to implementing security solutions, and a big reason for that is the limited control they have once the device is in the hands of the user. Config Lock changes that. This feature, already in Windows 11, monitors the registry keys behind mobile device management (MDM) policies to help ensure devices in your ecosystem comply with industry and company security baselines. If Config Lock detects a change to those registry keys, it automatically reverts the affected setting to the IT-desired state in seconds. With Config Lock, IT administrators can be confident that devices in their organization are protected and that users have not changed critical security settings.

Block vulnerable drivers by default with HVCI

  • Hypervisor-Protected Code Integrity (HVCI) default enhancements: Malware attacks over the last few years (RobbinHood, Uroburos, Derusbi, GrayFish, and Sauron)2 have increasingly leveraged driver vulnerabilities to compromise systems. In the next Windows 11 release, HVCI will be enabled by default on a broader set of devices running Windows 11. HVCI verifies kernel-mode code from the hypervisor, so attackers cannot inject their own code into the kernel (for example, the kernel payload used by WannaCry)3, and all drivers loaded into the OS must be signed and trustworthy. Using data from the broader security community, the Microsoft Vulnerable and Malicious Driver Reporting Center helps enable Windows to automatically block known vulnerable drivers.
  • The Microsoft vulnerable driver blocklist leverages Windows Defender Application Control (WDAC) to help prevent advanced persistent threats (APTs) and ransomware attacks from abusing and exploiting known vulnerable drivers. A vulnerable driver carries a valid signature, so signature enforcement alone does not stop it; the kernel blocklist mitigates these threats by refusing to load the listed drivers into the Windows kernel. Devices running HVCI or Windows SE have the blocklist enabled by default. Additionally, the feature can be enabled by the new experience in the Core isolation page within the Windows Security app.

The Microsoft vulnerable driver blocklist feature enabled in the Core isolation page within the Windows Security app.
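Both bullets above turn on the question an incident responder or fleet owner actually has to answer: is memory integrity running on this box, is the blocklist applied, and which drivers are loaded right now that are not Microsoft's? The following PowerShell is an added example, not code from the original post. It reads the documented Win32_DeviceGuard properties and the `VulnerableDriverBlocklistEnable` value under `HKLM\SYSTEM\CurrentControlSet\Control\CI\Config`, then walks the running kernel drivers from Win32_SystemDriver and checks each image's Authenticode (embedded or catalog) signature. Run it elevated.

```powershell
# Added example (not from the original post): confirm HVCI and the vulnerable
# driver blocklist are enforced, then list running kernel drivers by signer.

function Get-DriverControlStatus {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $ci = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (memory integrity)
        HvciRunning               = (@($dg.SecurityServicesRunning) -contains 2)
        # VulnerableDriverBlocklistEnable = 1: the Microsoft driver blocklist policy is applied
        VulnerableDriverBlocklist = ($ci.VulnerableDriverBlocklistEnable -eq 1)
        # CodeIntegrityPolicyEnforcementStatus: 0 = off, 1 = audit, 2 = enforced
        KernelCiPolicyEnforced    = ($dg.CodeIntegrityPolicyEnforcementStatus -eq 2)
    }
}

function Resolve-DriverImagePath {
    param([string] $PathName)
    # Win32_SystemDriver.PathName may be quoted, may carry the \??\ or \SystemRoot\
    # kernel prefixes, or may be relative to the Windows directory.
    $path = $PathName.Trim('"') -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if (-not [System.IO.Path]::IsPathRooted($path)) { $path = Join-Path $env:SystemRoot $path }
    return $path
}

function Get-LoadedDriverSignatures {
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            $path = Resolve-DriverImagePath $_.PathName
            if (Test-Path -LiteralPath $path) {
                # Get-AuthenticodeSignature also recognizes catalog-signed inbox drivers.
                $sig = Get-AuthenticodeSignature -LiteralPath $path
                [pscustomobject]@{
                    Name      = $_.Name
                    Path      = $path
                    Status    = $sig.Status                       # Valid, NotSigned, HashMismatch, ...
                    Signer    = $sig.SignerCertificate.Subject
                    Microsoft = ($sig.SignerCertificate.Subject -like '*O=Microsoft Corporation*')
                }
            }
        }
}

Get-DriverControlStatus | Format-List

# A valid signature is necessary but not sufficient: the drivers that RobbinHood
# and similar "bring your own vulnerable driver" attacks load are validly signed,
# which is exactly why the blocklist exists. Review non-Microsoft and unsigned
# drivers first, and compare them against Microsoft's published blocklist policy.
Get-LoadedDriverSignatures |
    Where-Object { $_.Status -ne 'Valid' -or -not $_.Microsoft } |
    Sort-Object Status, Name |
    Format-Table Name, Status, Signer -AutoSize
```

On a machine where HVCI is running, an unsigned driver in the output means it was loaded before enforcement or through a signing bypass, and is worth treating as an incident rather than a configuration gap. A validly signed third-party driver is not a finding by itself; it is the list you check against the blocklist and against what your hardware and endpoint agents are supposed to install.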

Redesigning security from the chip to the cloud

Microsoft is continuously investing in improving the default security baseline for Windows and is focused on closing gaps on top attack vectors like those we shared here today. Those investments are designed to help simplify and deepen the security experience for Windows customers by default. With built-in chip to the cloud protection and layers of security, Windows 11 helps organizations meet the new security challenges of the hybrid workplace, now and in the future. With every release, we are making Windows more secure by default, designing new protections as we continue to power the future of business.

Check out our breakout security session to see how these upcoming Windows Security features help protect you from real-world attacks. And learn more about Windows 11 security in our Windows 11 Security Book.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.


1The Work Trend Index survey was conducted by an independent research firm, Edelman Data x Intelligence, among 31,102 full-time employed or self-employed workers across 31 markets between January 7, 2022 and February 16, 2022. Business leaders were asked, “When you think ahead to the next year, what are the biggest obstacles or challenges you’re most worried about?” Cyber security challenges ranked number one; meeting increased customer demands/needs and navigating external factors like supply chain disruptions and inflation ranked two and three.

2Secured-core PCs: A brief showcase of chip-to-cloud security against kernel attacks, Windows Platform Security Team, Microsoft Security. March 17, 2020.

3A worthy upgrade: Next-gen security on Windows 10 proves resilient against ransomware outbreaks in 2017, Tanmay Ganacharya, Microsoft Security. January 10, 2018.

Windows 11 offers chip to cloud protection to meet the new security challenges of hybrid work http://approjects.co.za/?big=en-us/security/blog/2021/10/04/windows-11-offers-chip-to-cloud-protection-to-meet-the-new-security-challenges-of-hybrid-work/ Mon, 04 Oct 2021 20:00:53 +0000 As the world has changed over the past 18-months, companies have been wrestling with ways to keep employees and data protected as they support new ways of hybrid working. We built Windows 11 to be the most secure Windows yet with built-in chip to cloud protection that ensures company assets stay secure no matter where work happens.

The post Windows 11 offers chip to cloud protection to meet the new security challenges of hybrid work appeared first on Microsoft Security Blog.

As the world has changed over the past 18 months, companies have been wrestling with ways to keep employees and data protected as they support new ways of hybrid working. We built Windows 11 to be the most secure Windows yet with built-in chip to cloud protection that ensures company assets stay secure no matter where work happens.

Seventy-five percent of software decision-makers feel that the move to hybrid work leaves their organization more vulnerable to security threats.

The threat intelligence journey to build in protection

The expansion of both remote and hybrid workplaces brings new opportunities to organizations. But the expansion of access, increased number of endpoints, and desire for employees to work from anywhere on any device has also introduced new threats and risks. In 2020, Microsoft protected customers from 30 billion email threats, 6 billion threats to endpoint devices, and processed more than 30 billion authentications. Yet most employees still struggle to avoid clicking phishing links in email, spoofed websites, and more. The National Institute of Standards and Technology (NIST) shows a more than five-fold increase in hardware attacks over three years, and Microsoft’s initial Security Signals report found that more than 80 percent of Vice Presidents and above admitted to experiencing a hardware attack in the last two years.

We designed Windows 11 for today’s hybrid workplace. With Windows 11, hardware and software work together for protection from the central processing unit (CPU) all the way to the cloud so our customers can enable hybrid productivity and high-quality employee experiences without compromising security.

“In this new hybrid work environment, more information is being handled outside the confines of the traditional office and outside the control of IT departments. This creates new, acute security challenges and makes it more important than ever to add as many layers of protection as possible to keep devices secure. Hardware protections are a key component to instilling a higher degree of confidence that devices haven’t been compromised.”—Michael Mattioli, Vice President, Goldman Sachs

Windows 11: Security by default

To address the increasing sophistication and number of attacks against firmware and hardware, we partnered with manufacturers to create a new class of Secured-core PCs in 2019 and, in 2020, a new security-specific processor, the Microsoft Pluton, that redefines Windows security at the CPU. In Secured-core PCs, hardware-backed security features are enabled by default without any action required by the user or IT. Secured-core PCs were initially designed for highly targeted industries like financial services and healthcare, with mission-critical roles that handle company IP, customer personally identifiable information (PII), sensitive government data, financial information, or patient history. But as the move to hybrid work becomes the new normal and the threat landscape becomes more complex, applying better security features from chip to cloud becomes a high priority.

Eighty percent of security decision-makers believe software alone is not enough protection from emerging threats.

We leveraged our learnings from Secured-core PCs and brought them to Windows 11. The new hardware security requirements that come with Windows 11 are designed to build a foundation that is even stronger and more resilient to attacks. Windows 11 isolates software from hardware. This isolation helps protect access—from encryption keys and user credentials to other sensitive data—behind a hardware barrier, so malware and attackers can’t access or tamper with that data during the boot process. And Windows 11 requires hardware that can enable even more protections like Windows Hello, Device Encryption, virtualization-based security (VBS), hypervisor-protected code integrity (HVCI), and Secure Boot. The combination of these features has been shown to reduce malware by 60 percent on tested devices. All Windows 11 supported CPUs support a Trusted Platform Module (TPM) 2.0 (discrete or firmware-based), Secure Boot, and virtualization-based security (VBS) with specific VBS capabilities, fully turned on out of the box.

Windows 11: Powerful security from chip to cloud. For a comprehensive view of the Windows 11 security investments, see the Windows 11 Security book.

Enhanced hardware and operating system security

With hardware-based isolation security that begins at the chip, Windows 11 stores sensitive data behind additional security barriers, separated from the operating system. As a result, information including encryption keys and user credentials are protected from unauthorized access and tampering. In Windows 11, hardware and software work together to protect the operating system, with VBS and Secure Boot built-in and enabled by default on new CPUs. Even if bad actors get in, they don’t get far.

Robust application security and privacy controls

To help keep personal and business information protected and private, Windows 11 has multiple layers of application security to safeguard critical data and code integrity. Application isolation and controls, code integrity, privacy controls, and least-privilege principles enable developers to build in security and privacy from the ground up. This integrated security protects against breaches and malware, helps keep data private, and gives IT administrators the controls they need.

Secured identities

Passwords are inconvenient to use and prime targets for cybercriminals—and they’ve been an important part of digital security for years. That changes with the passwordless protection available with Windows 11. After a secure authorization process, credentials are protected behind layers of hardware and software security, giving users secure, passwordless access to their applications and cloud services.

Connecting to cloud services

Windows 11 security enables policies, controls, procedures, and technologies that work together to protect your devices, data, applications, and identities from anywhere. Microsoft offers comprehensive cloud services for identity, storage, and access management in addition to the tools to attest that any Windows device connecting to your network is trustworthy. You can also enforce compliance and conditional access with a mobile device management (MDM) service such as Microsoft Intune that works with Microsoft Azure Active Directory to control access to applications and data through the cloud.

Learn more

Windows 11 rises to the challenge of modern threats of hybrid computing and enables customers to get ultimate productivity and intuitive experiences without compromising security.

For customers who aren’t ready to transition to new devices, the baseline security features in Windows 11 are also available on Windows 10, which will remain supported through October 14, 2025. We are committed to supporting Windows 10 customers and offering choices in their computing journey.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

Microsoft acquires CloudKnox Security to offer unified privileged access and cloud entitlement management http://approjects.co.za/?big=en-us/security/blog/2021/07/21/microsoft-acquires-cloudknox-security-to-offer-unified-privileged-access-and-cloud-entitlement-management/ Wed, 21 Jul 2021 16:05:04 +0000 Today on the Official Microsoft Blog, Microsoft announced the acquisition of CloudKnox Security, a leader in Cloud Infrastructure Entitlement Management (CIEM). CloudKnox offers complete visibility into privileged access.

The post Microsoft acquires CloudKnox Security to offer unified privileged access and cloud entitlement management appeared first on Microsoft Security Blog.

Today on the Official Microsoft Blog, Microsoft announced the acquisition of CloudKnox Security, a leader in Cloud Infrastructure Entitlement Management (CIEM). CloudKnox offers complete visibility into privileged access. It helps organizations right-size permissions and consistently enforce least-privilege principles to reduce risk, and it employs continuous analytics to help prevent security breaches and ensure compliance. The acquisition further enables Microsoft Azure Active Directory (Azure AD) customers with granular visibility, continuous monitoring, and automated remediation for hybrid and multi-cloud permissions.

As the corporate network perimeter disappears, it’s crucial to establish a strong cloud identity foundation through a Zero Trust approach so you can protect business-critical systems, while improving business agility. We’re committed to making it easier to enforce appropriate, tailored privileges and other identity controls across multi-cloud environments, as organizations adapt to hybrid work, new risks, and business transformation.

Read more on Microsoft acquires CloudKnox Security to offer unified privileged access and cloud entitlement management.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.
Securing a new world of hybrid work: What to know and what to do http://approjects.co.za/?big=en-us/security/blog/2021/05/12/securing-a-new-world-of-hybrid-work-what-to-know-and-what-to-do/ Wed, 12 May 2021 13:00:56 +0000 Security continues to be a number one priority for our customers, especially as many companies around the world are looking to transition from remote work to hybrid. To truly meet this challenge, defenders across the industry must come together for an end-to-end, Zero Trust security approach that covers the entire technology ecosystem.

The post Securing a new world of hybrid work: What to know and what to do appeared first on Microsoft Security Blog.

The cybersecurity landscape has fundamentally changed, as evidenced by large-scale, complex attacks like those by NOBELIUM and HAFNIUM, and more recently last week’s Colonial Pipeline attack, which signals that human-operated ransomware is on the rise.

Hackers launch an average of 50 million password attacks every day—579 per second. Phishing attacks have increased. Firmware attacks are on the rise, and ransomware has become incredibly problematic. And while Microsoft intercepted and thwarted a record-breaking 30 billion email threats last year, our work is never done.

We are now actively tracking 40 plus active nation-state actors and over 140 threat groups representing 20 countries—that number used to be a handful.

We are also rapidly delivering innovation to meet the needs of a changing landscape and you can read more about our latest product updates for RSA in a blog I published today.

Security continues to be a number one priority for our customers, especially as many companies around the world are looking to transition from remote work to hybrid. To truly meet this challenge, defenders across the industry must come together for an end-to-end, Zero Trust security approach that covers the entire technology ecosystem. Because today, digital transformation cannot happen without security transformation.

The future of work is hybrid: Here’s what we can do

Even as many people start to transition back to the office, we expect a future where hybrid work is the norm. Forrester predicts that once people have settled into their new work patterns post-pandemic, we will still see a 300 percent increase in employees working remotely from pre-pandemic levels. According to our own Work Trend Index, The Next Great Disruption is Hybrid Work—Are We Ready?, 46 percent of people plan to move because they can now work remotely.

People are working on corporate networks and home networks and moving fluidly between business and personal activity online thanks to technologies intertwined with both aspects of our daily routines. The network is changing: employees’ home networks and devices are now part of the corporate network. What this means for organizations is that the network is suddenly without firm borders.


Chart detailing the future of hybrid work. With communication at a high, networks are shifting and threats are increasing.

Our own approach

My friend and colleague Bret Arsenault, Microsoft’s Chief Information Security Officer, had the mammoth task of transitioning Microsoft and its 160,000 plus employees to remote work in March 2020 and has created our technology plan to transition to hybrid work.

Bret’s approach to solving this has been to foster a culture where security is everyone’s job. Just today, new guidance went out on a few areas:

  • Keeping devices healthy and managed: All devices that need access to corporate resources must be managed to seamlessly keep your device secure and protected from phishing and malicious websites.
  • Making security everyone’s job: We will offer new training, opportunities to provide feedback, and a new virtual security summit to ensure our employees are empowered and equipped to be more secure.
  • Securing home offices: We will continue to build and offer resources and guidelines for employees who will work remotely either part or full time.
  • Building for Zero Trust: We are asking our developers to build with a Zero Trust mentality.

While we have been remote, and as part of our Zero Trust approach, we have also been moving employees off the corporate network. An internet-first approach reduces exposure and gives employees a consistent experience whether they are at home or in the office.

We believe that security is a team sport and that when we share what we’re learning, we can all make the world a safer place. So we are sharing Bret’s guidance with our customers and partners. These specific steps will be the first of many in ensuring our hybrid workforce is as secure as possible.

There are other practical things that we will continue to focus on, and every business should consider as we move into hybrid work.

Identity is more important than ever: Use the tools you likely already have to protect it

Through NOBELIUM and other recent attacks, a clear theme has emerged—identity is the battleground for attacks of the future. We know weak passwords, password spraying, and phishing are the entry point for the vast majority of attacks. As our own CISO, Bret Arsenault, likes to say, “hackers don’t break in, they log in.”

In building a defense for our new threat landscape, the first thing every business should do is examine the tools they already have.

A great example of this is multifactor authentication (MFA). MFA is a defense that our customers have available to them, yet when looking at our own customer data, only 18 percent have it turned on. Any customer with a commercial service subscription—Azure or Microsoft 365—can turn on MFA at no additional cost.

We saw a significant jump in usage when the pandemic began. And when that happened, we saw a significant decrease in aggregate compromises—people thought they were activating it to protect only remote access, but MFA protects the entire network.

We work with many kinds of organizations of all sizes—for some, implementing MFA is as easy as flipping the switch. But we understand and empathize that for others it’s much more complex. We’re actively working to make MFA rollout easier and more seamless for our customers, as well as ensuring that the end-user experience is as frictionless and friendly as possible. We are dedicated to working alongside our customers to make everyone more secure. We’ve introduced a number of programs to drive MFA adoption—from the introduction of security defaults to giving customers an entire toolset for internal communications.

Embrace a Zero Trust mindset

In a world where identity is the new battleground, adopting a Zero Trust strategy is no longer optional; it is a new business imperative. People and organizations need to have trust in the technologies that bring them together. The term Zero Trust may feel like the opposite of that, but when you assume breach and provide the least privileged access necessary, it actually empowers employees with the flexibility and freedom they want.

The hybrid world is largely perimeterless, so wrapping protections around identity and devices is critical. As part of Zero Trust, we also think the future is passwordless and we will start to see that transition this year.

In fact, to help our customers on their Zero Trust journey we are excited to roll out a new Zero Trust assessment tool today that can help companies understand where they are currently and where they need to go.

For a deeper look at the imperatives around Zero Trust and how Microsoft is reimagining the concept of identity for a perimeterless world, read Joy Chik’s blog, 5 identity priorities for 2021—strengthening security for the hybrid work era and beyond, from Microsoft Ignite.

Take advantage of more robust security in the cloud

The benefits of the cloud for a remote or hybrid workforce are plentiful. Business-critical information can be accessed over the network, making it easy to have workers in any location.

Over the next 6 to 12 months, we will see rapid migration to the cloud, as companies recover from 2020 and implement new infrastructure. In a recent survey of our Microsoft Intelligent Security Association (MISA) partners, 90 percent reported that customers have accelerated their move to the cloud due to the pandemic.

Having a strong cloud posture also provides a level of security that most companies just couldn’t achieve on their own. And we learned from NOBELIUM that the vast majority of attacks originated on-premises, while attacks via the cloud were largely unsuccessful.

Invest in people and skills—and focus on diversity

We know that attackers exploit not just our digital holes, but the holes in our defender teams. Right now, we have two big problems: a shortage of cybersecurity professionals and a lack of diversity within teams. In the coming year, attackers will find these gaps and take advantage.

There is an estimated shortfall of 3.5 million security professionals this year—91 percent of our MISA partners report more demand than supply for cybersecurity professionals. This shortage can mean not only unfilled positions but also too much work on the shoulders of existing teams.

How do we solve this? We build the workforce of the future. We teach, train, and arm new defenders. After all, anyone can be a superhero of cybersecurity. It just takes passion and purpose—and some skilling.

I firmly believe anyone can be a defender, and with the proper training programs, we can all work together to build a cybersecurity workforce that reflects our planet. We must build diverse teams that reflect the many viewpoints of people globally, including the same demographics as the attackers themselves, to meet the security and privacy challenges of our time.

That’s why we’re pleased to offer new skilling programs and certifications across security, compliance, and identity. There are programs available for all levels of expertise, no matter where a defender is on their journey.

Fortunately, in a future where remote work is more common, the world is our oyster in terms of cultivating new and diverse talent. No longer constrained by physical office locations, it’s an exciting time to find the next generation of defenders and help them develop.

What’s next

We’re emerging from a year that has altered the world forever. It changed the way we live and work, brought new challenges in cybersecurity, and reminded all of us that there is no playbook for change.

But where there’s uncertainty, there is also the power to shape the world in positive and profound ways. At the heart of security and privacy protection is the freedom to imagine, plan, empower, and inspire.

As security professionals, it is within our superpowers to help people and organizations feel safe and be safe—to help them persist in the face of adversity with optimism, empathy, and peace of mind.

Learn more

Learn more about Microsoft’s approach to securing hybrid work, including context from our CISO Bret Arsenault, as well as a link to his new podcast Security Unlocked.

You can also assess your Zero Trust maturity stage to determine where your organization is and how to move to the next stage.

To learn more about Microsoft security solutions and how to optimize your Zero Trust strategy, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Securing a new world of hybrid work: What to know and what to do appeared first on Microsoft Security Blog.