Deploying Windows Hello for Business internally here at Microsoft has significantly increased our security when our employees and vendors access our corporate resources. This feature offers a streamlined user sign-in experience—it replaces passwords with strong two-factor authentication by combining an enrolled device with a PIN or biometric user input for sign in. Windows Hello was easy to implement within our existing identity infrastructure and is compatible for use within our remote access solution.

The Windows Hello for Business feature can replace passwords with strong two-factor authentication that combines an enrolled device with a PIN or biometric (fingerprint or facial recognition) user input to sign in. We—the Microsoft Digital Employee Experience team—streamlined the deployment of this feature as an enterprise credential to improve our user sign-in experience and to increase the security of accessing corporate resources.

Using this feature, users can authenticate to a Microsoft account, an Active Directory account, or a Microsoft Azure Active Directory (Azure AD) account.

The Windows Hello for Business feature is a public key or certificate-based authentication approach that goes beyond passwords. This form of authentication relies on key pairs that can replace passwords and are resistant to breaches, thefts, and phishing.

Other benefits of this feature include:

• It supports our Zero Trust security model. Emphasizes an identity-driven security solution by centering on securing user identity with strong authentication as well as eliminating passwords.
• It uses existing infrastructure. We configured Windows Hello to support smart card–like scenarios by using a certificate-based deployment. Our security policies already enforced secure access to corporate resources with two-factor authentication, including smart cards and Microsoft Azure Multi-Factor Authentication. Windows Hello is currently enabled, and we anticipate an increase in usage as more biometric-capable devices become available in the market.
• It uses a PIN. Replace passwords with a stronger authentication. Users can now sign in to a device using a PIN that could be backed by a trusted platform module (TPM) chip.
• It provides easy certificate renewal. Certificate renewals automatically occur when a user signs in with their PIN before the lifetime threshold is reached.
• It permits single sign on. After a user signs in with their PIN, the user has access to email, SharePoint sites, when using the latest Office 365 versions, and business applications without being asked for credentials again.
• It is compatible with remote access. When using a certificate-based PIN, users can connect remotely using a Microsoft Digital Employee Experience VPN without the need for multi-factor authentication with phone verification.
• It supports Windows Hello. If users have compatible biometric hardware, they can set up biometrics sign-in to swipe their finger or a take a quick look at the device camera.

Our deployment environment for the Windows Hello for Business feature include:

• Server: Microsoft Azure AD subscription and Microsoft Azure AD Connect to extend on-premises directory to Azure AD:
  • For certificate-based: Active Directory Certificate Services (AD CS), Active Directory Federation Services (AD FS) Network Device Enrollment Service (NDES), and Microsoft Intune
• Client: A device, preferably with an initialized and owned TPM.

For more information about integrating on-premises identities with Microsoft Azure AD, see Integrating your on-premises identities with Microsoft Azure Active Directory.

Enrollment and setup

Windows Hello for Business user enrollment steps vary, based on our deployed scenarios. For all scenarios, users will need to use their smart card or multi-factor authentication with a verification option—such as a phone call or verification on a mobile app, such as Microsoft Authenticator, in addition to their user name and password—to complete the enrollment.

The Windows Hello for Business feature supports the following enrollment scenarios:

• On-premises Active Directory domain–joined devices. Users sign in with their domain account, the Group Policy is applied, the device is registered with Microsoft Azure Active Directory, and then the user creates a PIN.
• Microsoft Azure AD–joined devices managed by Microsoft Intune. Users must enroll in device management (or add a work account) through Microsoft Intune. After their device is enrolled and the policies are applied, the PIN credential provisioning process begins and users receive the prompt to create their PIN.

Requirements

• Two-factor authentication is required for PIN creation using one of the existing methods (virtual smart card, physical smart card, or multi-factor authentication with phone verification).
• A PIN that is at least six characters long.
• A connection to the internet or Microsoft corporate network.

Physical architecture

Our Windows domain-joined devices were already synchronized with Microsoft Azure AD through Microsoft Azure AD Connect, and we already had a public key infrastructure (PKI) in place. Already having PKI reduced the amount of change required in our environment to enable the Windows Hello for Business feature.

To deploy user certificates based on Windows Hello keys, we used AD FS, AD CS, and Group Policy.

Server roles and services

In our implementation, the following servers and roles work together to enable Windows Hello as a corporate credential:

• Microsoft Azure AD subscription with Microsoft Azure Active Directory Device Registration Service to register devices with Azure Active Directory.
• Microsoft Intune is used to enroll devices joined to Microsoft Azure Active Directory.
• AD FS is used for federated identities and Microsoft Azure AD Application Proxy for secure remote access of web applications hosted on-premises. AD FS Registration Authority is used to handle certificate issuances and renewals for devices that are joined to the domain.
• PKI includes NDES servers (with policy module) and certificate authorities (with smart card EKU—enhanced key usage—template), used for the issuance, renewal, and revocation of Windows Hello for Business certificates.

Domain-joined service workflow

The following workflow applies to any Windows 10 computers joined to our AD DS domain.

• Our domain-joined devices pull a Group Policy object that configures certificate enrollment, PIN-enablement, and notification tasks.
• After users sign out and sign in again, or if they select the pop-up notification when it displays, a PIN creation workflow runs, and they must configure their new PIN.
• During the next sign-in, the user is prompted to configure Windows Hello for Business, confirm their identity using multifactor authentication, and create a PIN. A private key is created and registered in Microsoft Azure AD. The user can also initiate the Windows Hello setup process from the Settings app at any time.
  • If the client and infrastructure support Instant-On, a key-receipt verification package is downloaded and a certificate request is sent to the AD FS registration authority. AD FS confirms valid key ownership and submits the request on behalf of the user to an AD CS certification authority.
• The certificate is delivered to the computer.

Microsoft Azure Active Directory–joined service workflow

• Windows Intune pushes a device policy to Microsoft Azure Active Directory devices that contains the URL of the NDES server and the challenge generated by Intune. A policy has already been pushed to the device by the Intune service. This policy contains the URL of the NDES server and the challenge generated by Intune.
• During the next sign-in, the user is prompted to configure Windows Hello for Business, confirm their identity using multifactor authentication, and create a PIN. A private key is created and registered in Microsoft Azure AD. The user can also initiate the Windows Hello setup process from the Settings app at any time.
• The device contacts the internet-facing NDES server using the URL from the NDES server and provides the challenge response. The NDES server validates the challenge with the CRP and receives a “true” or “false” to challenge verification.
  • If the challenge response is “true,” the NDES server communicates with the certificate authority (CA) to get a certificate for the device. Appropriate ports need to be open between the NDES server and the CA for this to happen.
• The NDES server delivers the certificate to the computer.

Setting policies

Our Microsoft Digital Employee Experience team used domain-based Group Policies to push out policy-based settings to configure our Windows 10 domain-joined devices to provision Windows Hello user credentials when users sign in to Windows. Non-domain joined devices receive their policies from Intune. We also used these settings to define the complexity and length of the PIN that our users generate at registration and to control whether Windows Hello was enabled.

We had the option to configure whether we would accept certificate-based Windows Hello for Business with PIN as a software-backed credential. We chose to enable Windows Hello for Business with a hardware-required option, which means that keys are generated on the TPM.

Policies for Microsoft Active Directory domain–joined clients

You must create and deploy a Group Policy object using the settings found under User Configuration > Administrative Templates > Windows Components Windows Hello for Business.

The Group Policy object contains the policy settings needed to trigger Windows Hello for Business provisioning and to ensure Windows Hello for Business authentication certificates are automatically renewed. Both the Enable Windows Hello for Business setting and the Use certificate for on-premises authentication setting must be enabled.

Windows 10 also provides PIN complexity settings for control over PIN creation and management. Beginning with Windows 10 version 1703, the policy settings are found under Computer Configuration > Administrative Templates System > PIN Complexity.

Policies for Microsoft Azure Active Directory–joined clients

To use the Windows Hello/Windows Hello for Business certificate-based sign-in, configure the certificate profile (Assets & Compliance > Compliance Settings > Company Resource Access > Certificate Profiles). Select a template that has smart card sign-in extended key usage. Note that to set the minimum key size set, this certificate template should be configured in the Simple Certificate Enrollment Protocol (SCEP) Enrollment page—then you can use the Windows Hello for Business and Certificate Properties page to set the minimum key size set to 2048.

To set up the desired policy, we also need to create a new Windows Hello for Business profile (Assets & Compliance > Compliance Settings > Company Resource Access > Windows Hello for Business profiles) and specify the following required options:

• Use Windows Hello for Business
• Use a hardware security device
• Use biometrics
• PIN Complexity

User enrollment experience

When a domain-joined computer running Windows 10 Anniversary Update or later pulls Group Policy settings from a domain controller, certificate enrollment policies and the Windows Hello for Business policies are applied to the Windows 10 computer, provided all the criteria for policy application are met.

Client signs out and signs in (and unlocks) the device

The user unlocks their device, and the certificate enrollment process is triggered.

Certificate enrollment process

After a PIN is successfully created, the scheduled task runs (triggered by Event ID 300, which is “Key registration was successful.”). It checks for an existing certificate. If the user doesn’t have one, the task sends the requests for a new challenge.

At this point, Windows 10 calls on the specified Certificate Services server through AD FS and requests a challenge with an expiration time. If the PIN is cached, the certificate enrollment is triggered.

Certificate renewal behavior

We have configured PIN credential certificates to have a lifetime of 90 days from when they are issued. Renewals will happen approximately 30 days before they expire. When a user next enters their Windows Hello for Business PIN within the 30 days prior to its expiration, a new certificate will be automatically provisioned on their device.

Certificate renewal is governed by Group Policy settings for auto-enrollment. The system checks for certificate lifetime percentage and compares it against the renewal threshold. If it’s beyond the set threshold, a certificate renewal starts.

Microsoft Intune specifics

The Open Mobile Alliance Device Management client talks to the Microsoft Intune mobile device management server using SyncML. Policies are routed, and then the user receives the Simple Certificate Enrollment Protocol profile, as configured in our hybrid environment, deployed through Microsoft Intune. Within 10 minutes, the user should receive a certificate. If that fails, the user needs to manually sync.

Service management

We manage identity as a service at Microsoft and are responsible for deciding when to bring in new types of credentials and when to phase out others. When we were considering adding the Windows Hello for Business feature, we had to figure out how to introduce the new credential to our users, and to explain to them why they should use it.

Measuring service health

We’re in the process of creating end-to-end telemetry to measure the service health of Windows Hello for Business. For now, we’re monitoring the performance and status of all our servers. We’re also expanding the service, so adoption and usage numbers are very important metrics that demonstrate the success of our service. We also track the number and types of help desk issues that we see.

We use custom reports created from certificate servers and custom telemetry service metrics to collect prerequisites, and key and certificate issuance times for troubleshooting. Detailed reports about other aspects of the service can also be generated from Microsoft Intune.

We configure a user’s certificate to expire, and certificate renewals are issued with the same key. When necessary, the certificates can be revoked directly though Microsoft Intune, which provides easier administration.

TPM issues

OEM BIOS initialization instructions and TPM lockout policies are OEM-specific. We performed steps to identify and document the potential issues for each hardware provider. We also communicated to our users that clearing a TPM will cause their private key to not work in Windows Hello for Business.

Preventing PIN enrollment problems

Some of the common issues we saw with users creating their PINs could have been avoided with better communication. These issues include users not understanding the prerequisites, or the expected delays in onboarding scenarios. To help avoid this issue, we created a productivity guide to walk users through the steps.

Monitoring end-to-end service health

Windows Hello for Business relies on several underlying services: Microsoft Azure AD, AD FS, Microsoft Intune, NDES, and CA. All of these services need to be healthy and available. Certificate issuance delays can be hard to troubleshoot, but monitoring the health and performance of the supporting services can help.

• Unpack verifying identity in a Zero Trust model internally at Microsoft.
• Discover enabling a modern support experience at Microsoft.
• Explore improving security by protecting elevated-privilege accounts at Microsoft.

Active Directory and Microsoft Azure Active Directory

• Integrating your on-premises identities with Azure Active Directory
• Connect domain-joined devices to Azure AD for Windows 10 experiences
• Azure AD Join on Windows 10 devices

Management

• Network Device Enrollment Service (NDES) in Active Directory Certificate Services (AD CS)
• PART 2 – SCEP certificate enrolling using ConfigMgr 2012, CRP, NDES and Windows Intune

Policy Management

• Using a Policy Module with the Network Device Enrollment Service

Want more information? Email us and include a link to this story and we’ll get back to you.

Please share your feedback with us—take our survey and let us know what kind of content is most useful to you.

The post Implementing strong user authentication with Windows Hello for Business appeared first on Inside Track Blog.

Highlighted in the third edition of the Microsoft Digital Defense Report, ransomware and extortion are considered nation-level threats due to the sophistication and boldness of attacks and their financial impact. No business, organization, or government can be considered safe from the crosshairs of ransomware threat actors. Experts estimate that ransomware’s cost to the world could reach $234 billion within the next decade.

To defend against the evolving ransomware landscape, Microsoft created the Optimal Ransomware Resiliency State (ORRS), a key component of its Ransomware Elimination Program.

This post, the third in our series on ransomware, overviews the concept of ORRS and the steps that you can take to build a ransomware resiliency state of your own.

[Read blog one in our ransomware series: Sharing how Microsoft protects against ransomware. | Read blog two in our ransomware series: Why Microsoft uses a playbook to guard against ransomware.]

What is ORRS?

Optimal Ransomware Resiliency State is the term that the Ransomware Elimination Program team uses to describe our aspiration to defeat ransomware attacks—today and in the future.

Optimal means we’re doing everything we can do—all the ORRS-required capabilities and controls are in place and verified.

—Monty LaRue, principal program manager, Ransomware Elimination Program team

Specifically, ORRS is the outcome of meeting the requirements covering an extensive set of protection and operational capabilities. Built on the foundation of Zero Trust, our ORRS consists of the collection of requirements for training, capabilities, and controls aligned to the NIST Cybersecurity framework and supported by continuously improved processes and practices. These requirements are common across Microsoft’s business, service, and product groups. Their complete implementation produces an organization-wide state of readiness that protects and defends the company and its customers, while also minimizing exposure and increasing resiliency to ransomware attacks.

“Optimal means we’re doing everything we can do—all the ORRS-required capabilities and controls are in place and verified,” says Monty LaRue, the principal program manager on the Ransomware Elimination Program team.

“It’s about achieving that optimal state through the deployment and operationalization of products, like Microsoft Defender for Endpoint for devices, covering our assets, applications, and infrastructure. We consider training and awareness to be a crucial part of ORRS. It’s essential that everyone knows how to recognize threats and how to respond appropriately. Our toolkit includes, incident response plans and playbooks, phishing education and simulation, and other simulation exercises.”

Partnerships are key to producing optimal resiliency

The role of partnerships and teamwork cannot be understated in the development and maintenance of our Optimal Ransomware Resiliency State. The approach must be holistic and cohesive, closing gaps and seams where possible.

Collaboration and open lines of communication with key stakeholders across Microsoft ensure that products and systems with protection needs are accounted for; likewise, Microsoft’s Ransomware team provides requirements to partnering teams to ensure they are equipped and running the latest defensive measures to minimize their attack surface. All involved parties have a deep understanding of their role in keeping the enterprise and our customers safe.

“We’re looking at Microsoft 365, Windows, and Azure,” LaRue says. “We’re looking at the people running MacOS, Linux, and personal devices within Microsoft. If the platforms and foundations follow Zero Trust principles and highly resilient to ransomware attacks, everything built on top shares that benefit.”

The REP team also has close ties to Microsoft’s threat intelligence and research teams, which provide information on the threat landscape and how attackers’ techniques, tactics, and procedures evolve and trend on a regular basis. They also work with internal Security Operation Centers (SOCs), which monitor threat actors and provide insights via attack data and post-mortems.

The more you prevent and protect, the less you have to respond and recover. The further you are in an attack sequence, the more complex and expensive it is to respond and recover.

—Monty LaRue, principal program manager, Ransomware Elimination Program team

Maintaining our Optimal Ransomware Resiliency State also involves using existing technology, such as Microsoft Defender suite, with a continuous improvement approach to take advantage of their latest capabilities and threat information. Learnings and insights from the ransomware program team flow back to the product and engineering teams in the form of enhancements or new requirements and features, helping to further improve our commercial products and services. One example of this is the detection of abnormal file activities, such as encryption or exfiltration, for data stores and backups in commercial services such as OneDrive, SharePoint, and Microsoft Azure which extends beyond Microsoft’s walls to protect all customers.

The practice of continuous improvement is also applied to the response procedures that make up the ransomware incident response playbook. Tabletop exercises based on new threats and information help to uncover gaps in response procedures, while simulations stress test the response system to ensure the involved security professionals have response readiness excellence should an attack ever breach our protective capabilities and controls.

Our commitment to company-wide alignment reduces the risk of a successful attack and the chance of a resulting payoff. “The more you prevent and protect, the less you have to respond and recover,” LaRue says. “The further you are in an attack sequence, the more complex and expensive it is to respond and recover.”

Building toward an optimal state

As we’ve seen throughout this series, ransomware is evolving and attackers are opportunistic. The goalposts for protection continue to shift, and ransomware’s impact on the world shows no signs of slowing. Because of this, there is no universal optimal resiliency state. Every organization’s situation is unique, from level of exposure to threats, to capabilities and services deployed, to protection needs, so every organization’s optimal state must be tailored to their business and risk tolerances.

“The Optimal Ransomware Resiliency State means different things to each organization, it’s different depending on whether your systems are physical, in the cloud, or hybrid, if you provide high availability services or large data stores, and if you work with highly confidential or sensitive data in regulated environments,” LaRue says.

The task of building an optimal ransomware resiliency state begins with a comprehensive inventory of the current state—and that means asking a lot of questions and doing verifications. Start with an understanding of which business-critical systems and services across the organization must be defended and why. It also means understanding the systems themselves, their dependencies, which configurations and controls are enabled, as well as the state of existing ransomware readiness capabilities. Such an inventory can shed light on high-value targets and the unforeseen risks to them exposing potential weaknesses and highlighting strengths.

The process of establishing your current state is insightful and has the potential to be humbling, but it encourages taking the next steps in developing your ORRS roadmap. This may include investments in training for response readiness or new technologies to reduce attack surface risk, but all optimal resiliency states require implementing a continuous improvement process to keep the organization and those that depend on it safe now and in the future.

Microsoft’s investment in the Ransomware Elimination Program highlights our commitment to defeating successful ransomware attacks. Establishing our ORRS provides us with learnings and guides us to improving our security posture, which helps the company produce secure and dependable products and services.

Ransomware may be one of the biggest security threats to your organization. Taking up the challenge to develop your own ransomware resiliency state will put you on a path forward to protecting and defending what matters most.

• You will define optimal for your organization, but attackers will always be looking for new avenues. You must be able to shift focus and update ORRS quickly to match the threat and attacker’s agility.
• Ransomware elimination starts with a shared understanding, frameworks e.g., Zero Trust, and defining your ORRS. Core protections such as MFA, pervasive backups, comprehensive telemetry and alerts, as part of a holistic, cohesive effort that spans devices and services are crucial in responding to cyberthreats like ransomware.
• Implementing tamper-resistant security capabilities and controls, and attack surface reductions reduces your malware related risks.
• Understanding the right investments is difficult, especially when threats and attackers are moving fast. Engage early and often within your organization to understand your assets, risks, and state as you define your ORRS and implement capabilities, controls, processes, and practices.

• Read blog one in our ransomware series: Sharing how Microsoft protects against ransomware.
• Read blog two in our ransomware series: Why Microsoft uses a playbook to guard against ransomware.
• Learn more about human-operated ransomware.
• Discover how Microsoft’s Zero Trust effort keeps the company secure.
• Find out how Microsoft is building a safer world together with our partners.

Want more information? Email us and include a link to this story and we’ll get back to you.

Please share your feedback with us—take our survey and let us know what kind of content is most useful to you.

The post Building an anti-ransomware program at Microsoft focused on an Optimal Ransomware Resiliency State appeared first on Inside Track Blog.

Copilot for Microsoft 365 Deployment and Adoption Guide

Read our step-by-step guide on deploying Copilot for Microsoft 365 at your company. It’s based on our experience deploying it here at Microsoft:

• Full version
• eBook version
• Version for executives
• eBook version for executives

Generative AI (GenAI) is rapidly changing the way businesses operate, and everyone wants to be in on the action. Whether it’s to automate tasks or enhance efficiency, the allure of what GenAI can do is strong.

However, for companies considering the adoption of GenAI, there are a multitude of challenges and risks that must be navigated. These range from data exposure or exfiltration where your company’s sensitive data can be accessed by unintended audiences to direct attacks on the models and data sources that underpin them. Not acting and waiting until the world of GenAI settles down poses its own risk. Employees eager to try out the latest and greatest will start using GenAI tools and products that aren’t vetted for use in your enterprise’s environment. It’s safe to say that we’re not just in the era of Shadow IT but Shadow AI, too.

Add to that the fact that threat actors have begun to use these tools in their activities, and you get a real sense that navigating the cyberthreat landscape of today and tomorrow will be increasingly difficult—and potentially headache-inducing!

Here at Microsoft, our Digital Security & Resilience (DSR) organization’s Securing Generative AI program has focused on solving this problem since day one: How do we enable our employees to take advantage of the next generation of tools and technologies that enable them to be productive, while maintaining safety and security?

Building a framework for using GenAI securely

At any given moment, there are dozens of teams working on GenAI projects across Microsoft and dozens of new AI tools that employees are eager and excited to use to boost their productivity or use to be more creative.

When establishing our Securing AI program, we wanted to use as many of our existing systems and structures for the development, implementation, and release of software within Microsoft as possible. Rather than start from scratch, we looked at processes and workstreams that were already established and familiar for our employees and worked to integrate AI rules and guidance into those processes, such as the Security Development Lifecycle (SDL), and the Responsible AI Impact Assessment template.

Successfully managing the secure roll-out of a technology of this scale and importance takes the collaboration and cooperation of hundreds of people across the company, with representatives from diverse disciplines ranging from engineers and researchers working on the cutting edge of AI technology, to compliance and legal specialists, through to privacy advocates.

We work extensively with our partners in Microsoft Security, Aether (AI Ethics and Effects in Engineering and Research), the advisory body for Microsoft leadership on AI ethics and effects, and the extended community of Responsible AI. We also work with security champions who are embedded in teams and divisions across the enterprise. Together, this extended community helps develop, test, and validate the guidance and rules that AI experiences must adhere to for our employees to safely use them.

One of the most popular frameworks for successful change management is the simple three-legged stool. It’s a simple metaphor, emphasizing the need for even efforts across the domains of technology, processes, and people. We’ve focused our efforts to secure GenAI on strengthening and reinforcing the data governance for our technologies, integrating AI security into existing systems and processes, and addressing the human factor by fostering collaboration and community with our employees. The recent announcement of the Secure Future Initiative with its six security pillars emphasizes security as a top priority across the company to advance cybersecurity protections.

Incorporating AI-focused security into existing development and release practices

The SDL has been central to our development and release cycle at Microsoft for more than a decade, ensuring that what we develop is secure by design, by default, and secure in deployment. We focused on strengthening the SDL to handle the security risks posed by the technology underlying GenAI.

We’ve worked to enhance embedded security requirements for AI, particularly in monitoring and threat detection. Mandating audit logging at the platform level for all systems provides visibility into which resources are accessed, which models are used, and the type and sensitivity of the data accessed during interactions with our various Copilot offerings. This is crucial for all AI systems, including large language models (LLMs), small language models (SLMs), and multimodal models (MMMs) that focus on partial or total task completion.

Preventative measures are an equally important part of our journey to securing GenAI, and there’s no shortage of work that’s been done on this front. Our threat modeling standards and red teaming for GenAI systems have been revamped to help engineers and developers consider threats and vulnerabilities tied to AI. All systems involving GenAI must go through this process before being deployed to our data tenant for our employees to use. Our standards are under constant review and are updated based on the discoveries from our researchers and the Microsoft Security Response Center.

By integrating AI into these existing processes and systems, we help ensure that our people are thinking about the potential risks and liabilities involved in GenAI throughout the development and release cycle—not only after a security event has occurred.

Improving data governance

While keeping Gen-AI models and AI systems safe from threats and harms is a top priority, this alone is insufficient for us to consider GenAI as secure and safe. We also see data governance as essential to prevent improper access, improper use, and to reduce the chance of data exfiltration—accidental or otherwise.

At the heart of our data governance strategy is a multi-part expansion of our labeling and classification efforts, which applies at both the model level and the user level.

We set default labels across our platforms and the containers that store them using Purview Information Protection to ensure consistent and accurate tagging of sensitive data by default. We also employ auto-labeling policies where appropriate for confidential or highly confidential documents based on the information they contain. Data hygiene is an essential part of this framework; removing outdated records held in containers such as SharePoint reduces the risk of hallucinations or surfacing incorrect information and is something we reinforce through periodic attestation.

To prevent data exfiltration, we rely on our Purview Data Loss Prevention (DLP) policies to identify sensitive information types and automatically apply the appropriate policies at the controls at the application or service level (e.g. Microsoft 365), and Defender for Cloud Apps (DCA) to detect the use of risky websites and applications, and if necessary, block access to them. By combining these methods, we’re able to reduce the risk of sensitive data leaving our corporate perimeter—accidentally or otherwise.

Encouraging deep collaboration and sharing of best practices

So far, we’ve covered the management of GenAI technologies and how we ensure that these tools are safe and secure to use. Now it’s time to turn our attention to our people, the employees who work with and build with these GenAI systems.

We believe that anyone should be able to use GenAI tools confidently, knowing that they are safe and secure. But doing so requires essential knowledge, which might not be entirely self-evident. We’ve taken a three-pronged approach to solving this need with training, purpose-made resource materials, and opportunities for our people to develop their skills.

All employees and contract staff working at Microsoft must take our three-part mandatory companywide security training released throughout the year. The safe use of GenAI is comprehensively covered, including guidance on what AI tools to use and when to use them. Additionally, we’ve added extensive guidance and documentation to our internal digital security portal ranging from what to be mindful of when working with LLMs to the tools which are best suited to various tasks and projects.

With so many of our employees wanting to learn how to use GenAI tools, we’ve worked with teams across the company to create resources and venues where our employees can roll up their sleeves and work with AI hands-on in a way that’s safe and secure. Hackathons are a big deal at Microsoft, and we’ve partnered with several events including the main flagship event, which draws in more than 50,000 attendees. The Skill-Up AI presentation series hosted by our partners at the Microsoft Garage allows curious employees to learn the safe and secure way to use the latest GenAI technologies not only in their everyday work, but also in their creative endeavors. By integrating guidance into the learning journey, we help enable safe use of GenAI without stifling creativity.

Here are our suggestions on how to empower your employees with GenAI while also keeping your company secure:

• Understand the challenges and risks associated with adopting GenAI technology at your company. Good places to start are assessing the potential for data exposure, direct attacks on models and data sources, and the risks associated with Shadow AI.
• Develop resources and guidance for your employees to educate them on the risks of using AI. Fostering collaboration and a strong community in support of secure use of GenAI.
• If applicable, incorporate AI-focused security into existing development and release practices. Check out the Security Development Lifecycle (SDL) and the Responsible AI Impact Assessment template for inspiration.
• Work to bolster your data governance policies. We strongly recommend starting with labeling and classification efforts, employing auto-labeling policies, and improving data hygiene. Consider tools such as Purview Data Loss Prevention (DLP) and Defender for Cloud Apps to prevent data exfiltration and limit improper data access.

Learn more about our overall approach to GenAI governance internally here at Microsoft.

• Learn how we’re providing further transparency on our responsible AI efforts at Microsoft.
• See how we’re staying ahead of threat actors in the age of AI.
• Learn more about implementing a Zero Trust security model at Microsoft.
• Start reducing your organization’s Shadow IT risk in 3 steps.

Want more information? Email us and include a link to this story and we’ll get back to you.

Please share your feedback with us—take our survey and let us know what kind of content is most useful to you.

The post Empowering our employees with generative AI while keeping the company secure appeared first on Inside Track Blog.

We describe it as self-service with guardrails.

Giving employees that level of freedom relies on a robust governance strategy across our data estate that features employee-facing sensitivity labels for Microsoft 365 groups, SharePoint sites, Microsoft Teams, Viva Engage communities, and any other workspace or file employees create and use. The result of good governance is that employees can confidently take action in a self-service environment without the risk of revealing sensitive information.

If you’re considering updating your organization’s governance strategy, our work in this space can be a roadmap for your journey.

[Learn how we’re using sensitivity labeling to secure our meetings in Microsoft Teams Premium. Find out how we use self-service sensitivity labels in Microsoft 365. Check out how we’re getting the most out of generative AI at Microsoft with good Governance.]

We had to really step back and think about data delineation in a way that’s meaningful to the business and our employees. Labeling provides a way for us to impose policies onto objects and containers to prevent or contain any oversharing of sensitive content.

— David Johnson, principal PM architect, Microsoft Digital

What’s at stake: The importance of getting self-service right

To operate according to zero trust principles, we need a coherent system that lets us see, label, and protect data. Otherwise, the burden of data loss prevention falls solely on employees, who would have to exercise individual discretion whenever they’re deciding how to house and share potentially sensitive content.

That’s a heavy burden to put on people every time they deal with working files.

“We had to really step back and think about data delineation in a way that’s meaningful to the business and our employees,” says David Johnson, principal PM architect for Microsoft Digital (MSD), the company’s IT organization. “Labeling provides a way for us to impose policies onto objects and containers to prevent or contain any oversharing of sensitive content.”

Aside from protecting internal content, customer data, and proprietary information, the principal risk is introducing vulnerability into our data estate by leaving access credentials out in the open. For example, internal documentation might include intellectual property, like source code.

“We have a lot of security investments in protecting our data centers and sources because they’re where our most sensitive information lives, and credentials are a big part of accessing them,” says Maithili Dandige, partner group product manager with Microsoft Security and Compliance.

If malicious actors can access those credentials or other sensitive information, they can do a lot of damage. Properly classifying, labeling, and protecting files and containers is the best way to ensure sensitive information and credentials don’t get compromised.

User-centric sensitivity labels

Our IT professionals within MSD—the organization that supports, protects, and empowers the company through technology—collaborated with a cross-disciplinary team to get our governance structures right.

“We spent a massive amount of time with the oversight committee,” says Faye Harold, principal program manager for information protection services within Microsoft Security and Risk. “That involved our legal team, HR, security, and MSD to define what each label meant.”

It’s important to strike a balance between the depth necessary for supporting an array of data governance controls and the simplicity to ensure labeling isn’t burdensome for users.

At Microsoft, we use four labels for container and file classification:

• Highly confidential: We only share Microsoft’s most critical data with named recipients.
• Confidential: Any items crucial to achieving Microsoft’s goals feature limited distribution on a need-to-know basis.
• General: Daily work like personal settings and postal codes can be shared internally throughout Microsoft.
• Public: We share unrestricted data meant for public consumption freely. That includes information like publicly released source code and openly announced financials.

The way to approach sensitivity labeling is to ask what problem it solves. Labeling dictates the automated controls you apply to certain items, like encryption, watermarking, or whether employees can share an item with someone outside our organization.

— Maithili Dandige, partner group product manager, Microsoft Security and Compliance

The administrators responsible for workspaces like SharePoint sites set default labels. That serves as a foundation for appropriate access and circulation for objects within those containers. It takes the burden of labeling off employees.

“The way to approach sensitivity labeling is to ask what problem it solves,” Dandige says. “Labeling dictates the automated controls you apply to certain items, like encryption, watermarking, or whether employees can share an item with someone outside our organization.”

The sensitivity labels users and admins apply map to several different categories of policies that anticipate and mitigate data loss and risk. They communicate four key areas:

• Privacy level. Labels determine whether the workspace is broadly available internally or is a private site.
• External permissions. Guest allowance is administered via the group’s classification, allowing specified partners to access teams when appropriate.
• Sharing guidelines. We tie important governance policies to the container’s label. For example, can an employee share this workspace outside of Microsoft? Is this group limited to a specific division or team? Is it restricted to specific people? The label establishes these rules.
• Conditional access. While not implemented at Microsoft, tying identity and device verification to container labels introduces additional governance controls.

Within MSD, we’ve put a lot of thought into how each of our labels aligns with relevant policies. For example, when a container receives the default label of “Confidential,” guest membership and sharing are disabled. That provides rights protection for the file, even if it leaves the SharePoint site where the employee created it. You can see more of the logic behind our sensitivity labels and their policies below.

If a container owner needs different policies for a set of files to provide greater external access, they can self-service new groups without accidentally violating our governance practices.

Microsoft Purview, our suite of data estate management tools, is central to these governance efforts. It accomplishes three sets of tasks: mapping our labeling structure onto the relevant policies, verifying them against our standards, and backstopping self-service data loss prevention practices through automation.

Automation is particularly useful. We’ve configured Microsoft Purview Information Protection to scan automatically for wayward credentials, malicious user behaviors, and other sensitive information in items without the proper protections. When Purview detects a violation, our governance team receives alerts that prompt them to contain the risk by upgrading an item’s sensitivity label or requiring employees to remedy the issue.

The result is a system that allows flexibility for employees to self-manage their digital workspaces while providing guardrails that help our governance experts take appropriate actions without overtaxing their time and resources.

A blueprint for effective data governance

So how can you start your own governance journey? Many of the lessons we’ve learned will be adaptable across different business settings.

Your labeling, policies, and overall governance strategy won’t be identical to ours. But by putting thought into your organization’s unique needs and the problems you’re trying to solve, the labeling features of Microsoft 365 and the data governance capabilities provided by Microsoft Purview will have most of the tools you need without having to build solutions from scratch.

Break things down into where your data is as an overall estate, how it’s currently protected, and the most precious data that’s unprotected. Then you can form a plan.

— Faye Harold, principal program manager for information protection services, Microsoft Security and Risk

Start by getting a firm grasp on the condition of your data estate.

“Break things down into where your data is as an overall estate, how it’s currently protected, and the most precious data that’s unprotected,” Harold says. “Then you can form a plan.”

After you have a solid overview of your data estate, you can apply a concerted strategy to labeling and governance. Here’s a ten-step blueprint to consider for structuring your efforts.

Ten steps for getting tenant data governance right

We think you might find it easier to label your containers before you start thinking about how to label emails and files or think about auto-labeling.

	Give employees the ability to create new workspaces across your Microsoft 365 applications. By maintaining all data on a unified Microsoft 365 tenant, you ensure that your governance strategy applies to any new workspaces.		Limit your taxonomy to a maximum of five parent labels and five sub-labels. That way, employees won’t feel overwhelmed by the volume of different options.
	Make your labels simple and legible. For example, a “Business-critical” label might imply confidentiality, but every employee’s work feels critical to them. On the other hand, there’s very little doubt about what “Highly confidential” or “Public” mean.		Label your data containers for segmentation to ensure your data isn’t overexposed by default. Consider setting your container label defaults to the “Private: no guests” setting.
	Derive file labels from their parent container labels. That consistency boosts security at multiple levels and ensures that deviations from the default are exceptions, not the norm.		Train your employees to handle and label sensitive data to increase accuracy and ensure they recognize labeling cues across your productivity suite.
	Trust your employees to apply sensitivity labels, but also verify them. Check against data loss prevention standards and use auto-labeling and quarantining through Microsoft Purview automation.		Use strong lifecycle management policies that require employees to attest containers, creating a chain of accountability.
	Limit oversharing at the source by enabling company-shareable links rather than forcing employees to add large groups for access. For highly confidential items, limit sharing to employees on a “need-to-know” basis.		Use Microsoft Graph Data Connect extraction in conjunction with Microsoft Purview to catch and report oversharing after the fact. When you find irregularities, contain the vulnerability or require the responsible party to repair it themselves.

Overall, it’s important to be thoughtful about your governance strategy at each stage of this process. For a deeper dive into how we tackled these challenges and inspiration for your own initiatives, review our technical overview of Microsoft’s self-service sensitivity labeling efforts.

Extending governance throughout our productivity suite

Since we implemented our governance strategy and sensitivity labeling taxonomy, we’ve extended it internally throughout our Microsoft 365 productivity suite to solidify data protection across several different scenarios. Each one showcases a way that a unified data estate with consistent governance empowers employees and unlocks new technologies as it keeps our company’s data safe.

• Proper governance and labeling ensure that Copilot for Microsoft 365 stays within bounds when sourcing information in support of employee productivity.
• Since the widespread emergence of generative AI and the application of these technologies across Microsoft, good governance is helping us get the benefits of this technology without risking overexposure through an information free-for-all.
• We’ve added a new layer of security to Microsoft Teams Premium meetings that activates specific configurations based on a meeting’s level of sensitivity.
• Our Microsoft Teams meeting data is now subject to robust retention rules determined by the labels we apply, with implications for recordings, transcriptions, and intelligent recaps via Copilot.

These are just a few examples of how sensitivity labels paired with effective data governance are unlocking new capabilities across the Microsoft 365 suite, and our journey continues. By taking steps to apply good governance to your own data estate and building an effective labeling strategy, you can enable self-service for your employees and empower self-determination while maintaining security and minimizing risk.

Here are some tips for getting started with labeling at your company:

• Assemble an oversight committee: Bring in professionals from all relevant disciplines, including HR, legal, security, IT, and anyone else who can share relevant expertise.
• Make a plan: Be intentional about addressing your unique needs around control and governance.
• Self-service requires accountability: Set up systems like attestation, site permissions reports, and guest access reviews that trace back to employees.
• People tend to take the easiest path: Make the IT-preferred path the best and easiest so that it doesn’t erect roadblocks.
• Educate employees: Support your labeling implementation by making sure users know how and when to share files.
• Encourage focused sites: Site owners don’t always have adequate knowledge of what they host.
• Make it simple: Ensure the system you develop makes sense to employees in the easiest possible terms.

Get started with labeling at your company.

• Learn how we’re using sensitivity labeling to secure our meetings in Microsoft Teams Premium.
• Find out how we use self-service sensitivity labels in Microsoft 365.
• Check out how we’re getting the most out of generative AI at Microsoft with good Governance.

Want more information? Email us and include a link to this story and we’ll get back to you.

Please share your feedback with us—take our survey and let us know what kind of content is most useful to you.

The post Empowering employee self-service with guardrails: How we’re using sensitivity labels to make Microsoft more secure appeared first on Inside Track Blog.

Microsoft’s cloud-first strategy enables most Microsoft employees to directly access applications and services via the internet, but remote workers still use the company’s virtual private network (VPN) to access some corporate resources and applications when they’re outside of the office.

This became increasingly apparent when Microsoft prepared for its employees to work remotely in response to the global pandemic. VPN usage increased by 70 percent, which coincides with the significant spike in users working from home daily.

So then, how is Microsoft ensuring that its employees can securely access the applications they need?

With split tunneling and a Zero Trust security strategy.

As part of the company’s Zero Trust security strategy, employees in Microsoft Digital Employee Experience (MDEE) redesigned the VPN infrastructure by adopting a split-tunneled configuration that further enables the company’s workloads moving to the cloud.

“Adopting split tunneling has ensured that Microsoft employees can access core applications over the internet using Microsoft Azure and Microsoft Office 365,” says Steve Means, a principal cloud network engineering manager in MDEE. “This takes pressure off the VPN and gives employees more bandwidth to do their job securely.”

Eighty percent of remote working traffic flows to cloud endpoints where split tunneling is enabled, but the rest of the work that employees do remotely—which needs to be locked down on the corporate network—still goes through the company’s VPN.

“We need to make sure our VPN infrastructure has the same level of corporate network security as applications in the cloud,” says Carmichael Patton, a principal security architect on Microsoft’s Digital Security and Resilience team. “We’re applying the same Zero Trust principles to our VPN traffic, by applying conditional access to each connection.”

[Learn how Microsoft rebuilt its VPN infrastructure. Learn how Microsoft transitioned to modern access architecture with Zero Trust. Read how Microsoft is approaching Zero Trust Networking.]

Securing remote workers with device management and conditional access

Moving most of the work that employees require to the cloud only became possible after the company adopted modern security controls that focus on securing devices.

“We no longer rely solely on the network to manage firewalls,” Patton says. “Instead, each application that an employee uses enforces its own security management—this means employees can only use an app after it verifies the health of their device.”

To support this transformed approach to security, Microsoft adopted a Zero Trust security model, which manages risk and secures working remotely by managing the device an employee uses.

“Before an employee can access an application, they must enroll their device, have relevant security policies, and have their device health validated,” Patton says. “This ensures that only registered devices that comply with company security policies can access corporate resources, which reduces the risk of malware and intruders.”

The team also recommends using a dynamic and scalable authentication mechanism, like Azure Active Directory, to avoid the trouble of certificates.

While most employees rely on our standard VPN infrastructure, Microsoft has specific scenarios that call for additional security when accessing company infrastructure or sensitive data. This is the case for MDEE employees in owner and contributor roles that are configured on a Microsoft Azure subscription as well as employees who make changes to customer-facing production services and systems like firewalls and network gear. To access corporate resources, these employees use Privileged Access Workstations, a dedicated operating system for sensitive tasks, to access a highly secure VPN infrastructure.

Phil Suver, a principal PM manager in MDEE, says working remotely during the global pandemic gives employees a sense of what the Zero Trust experience will be like when they return to the office.

“Hardened local area networks that previously accessed internal applications are a model of the past,” Suver says. “We see split tunneling as a gateway to prepare our workforce for our Zero Trust Networking posture, where user devices are highly protected from vulnerability and employees use the internet for their predominant workload.”

It’s also important to review your VPN structure for updates.

“When evaluating your VPN configuration, identify the highest compliance risks to your organization and make them the priority for controls, policies, and procedures,” Patton says. “Understand the security controls you give up by not flowing the connections through your internal infrastructure. Then, look at the controls you’re able to extend to the clients themselves, and find the right balance of risk and productivity that fits your organization.”

Keeping your devices up-to-date with split tunneling

Enterprises can also optimize patching and manage update compliance using services like Microsoft Endpoint Manager, Microsoft Intune, and Windows Update for Business. At Microsoft, a split-tunneled VPN configuration allows these services to keep devices current without requiring a VPN tunnel to do it.

“With a split-tunneled configuration, update traffic comes through the internet,” says Mike Carlson, a principal service engineering manager in MDEE. “This improves the user experience for employees by freeing up VPN bandwidth during patch and release cycles.”

At Microsoft, device updates fall into two categories: feature updates and quality updates. Feature updates occur every six months and encompass new operating system features, functionality, and major bug fixes. In contrast, monthly quality updates include security and reliability updates as well as small bug fixes. To balance both user experience and security, Microsoft’s current configuration of Windows Update for Business prompts Microsoft employees to update within 48 hours for quality updates and 7 days for feature updates.

“Not only can Windows Update for Business isolate update traffic from the VPN connection, but it can also provide better compliance management by using the deadline feature to adjust the timing of quality and feature updates,” Carlson says. “We can quickly drive compliance and have more time to focus on employees that may need additional support.”

Evaluating your VPN configuration

When your enterprise evaluates which VPN configuration works best for your company and users, you must evaluate their workflows.

“Some companies may need a full tunnel configuration, and others might want something cloud-based,” Means says. “If you’re a Microsoft customer, you can work with your sales team to request a customer engagement with a Microsoft expert to better understand our implementation and whether it would work for your enterprise.”

Means also said that it’s important to assess the legal requirements of the countries you operate in, which is done at Microsoft using Azure Traffic Manager. For example, split tunneling may not be the right configuration for countries with tighter controls over how traffic flows within and beyond their borders.

Suver also emphasized the importance of understanding the persona of your workforce, suggesting you should assess the workloads they may need to use remotely and their bandwidth capacity. You should also consider the maximum number of concurrent connections your VPN infrastructure supports and think through potential seasonal disruptions.

“Ensure that you’ve built for a snow day or a pandemic of a global nature,” Suver says. “We’ve had to send thousands of customer support agents to work from home. Typically, they didn’t use VPN to have voice conversations with customers. Because we sized and distributed our infrastructure for a global workforce, we were able to quickly adapt to the dramatic shift in workloads that have come from our employees working from home during the pandemic. Anticipate some of the changes in workflow that might occur, and test for those conditions.”

It’s also important to collect user connection and traffic data in a central location for your VPN infrastructure, to use modern visualization services like Microsoft Power BI to identify hot spots before they happen, and to plan for growth.

Means’s biggest piece of advice?

Focus on what your enterprise needs and go from there.

“Identify what you want to access and what you want to protect,” he says. “Then build to that model.”

Tips for retooling VPN at your company

Azure offers a native, highly-scalable VPN gateway, and the most common third-party VPN and Software-Defined Wide Area Network virtual appliances in the Azure Marketplace.

For more information on these and other Azure and Office network optimizing practices, please see:

• Office Connectivity Principles
• Network considerations for Teams
• Azure OpenVPN client
• Azure VPN Gateways
• Azure Point-to-site VPN
• VPN Network Virtual Appliances in the Azure Marketplace
• Publishing web applications using Azure Active Directory’s Application Proxy
• VPN split tunneling for Office 365
• How-to guides for common VPN platforms
• Updates for improving work-from-home employee access

• Here are some alternative ways for security professionals and IT to achieve modern security controls in remote work scenarios.
• Check our best practices and guidelines for security professionals on how to work remotely and stay secure.

Here are additional resources to learn more about how Microsoft applies networking best practices and supports a Zero Trust security strategy:

• Learn how Microsoft rebuilt its VPN infrastructure.
• Learn how Microsoft transitioned to modern access architecture with Zero Trust.
• Read how Microsoft is approaching Zero Trust Networking.

The post Using a Zero Trust strategy to secure Microsoft’s network during remote work appeared first on Inside Track Blog.

Windows 11, built on the same foundation as Windows 10, came to us at a time when Microsoft needed to manage a distributed workforce. Historically speaking, it’s not easy to roll out a new operating system across an enterprise as large and complex as ours, but the similarities to Windows 10 meant Windows 11 could leverage existing deployment capabilities, scenarios, and tools. Utilizing these familiar tools and processes allowed us to deploy to 90 percent of eligible devices in five weeks, making the Windows 11 deployment the easiest and least disruptive release experienced to date.

“In nearly every way, Windows 11 Enterprise deploys just like any other Windows 10 feature update,” says Nathalie D’Hers, corporate vice president of Microsoft Digital Employee Experience, the organization that powers, protects, and transforms the company. “When you look at the data, our time to deploy, and the number of support contacts, Windows 11 is the most successful Windows deployment in our history.”

We’ve had a great experience with Windows 11. Our migration was smooth and keeping it up to date has been even easier.

—Nathalie D’Hers, corporate vice president, Microsoft Digital Employee Experience

It took our Microsoft Digital Employee Experience team fewer IT resources than ever to move to Windows 11. Most importantly, it wasn’t a burden on our employees. Our Windows 11 deployment enabled us to protect our environment, empower our people, and do so without embarking on an expensive or complicated venture.

“We’ve had a great experience with Windows 11,” D’Hers says. “Our migration was smooth and keeping it up to date has been even easier.”

[Take a look at our rich set of content that chronicles our move to Windows 11. Learn more about Microsoft’s speedy upgrade to Windows 11. Discover the new Windows 11 security features are designed for hybrid work.]

Why was it so important for us to move to Windows 11?

It’s easy to look at Microsoft and say, “Sure, you’re a giant tech company, you have all these hardware and IT resources, it must be so easy for you to stay current!”

It’s not that simple.

In our attempt to become an evergreen platform, an operating system-as-a-service, we recognized a need to promote a hardware baseline that would ensure specific productivity and secure-by-default functions are available to users. These requirements meant that some devices running Windows 10 would not be eligible, thus a need to delineate products. Windows 11 would run side-by-side with Windows 10, albeit on devices that met the hardware requirements.

Still, when all is said and done, Windows 11 is based on all the same fundamentals as Windows 10.

And there are a lot of benefits to this.

It allows us to promote adoption without the risk of our apps suddenly breaking. App compatibility between Windows 10 and Windows 11 is more than 99 percent.

In fact, Windows 11 and Windows 10 are so similar, we can run them side-by-side with the same tools. That’s why we were able to manage the Windows 11 Enterprise deployment like previous Windows 10 updates using Windows Update for Business deployment service policies.

Windows 11 is definitely an upgrade from Windows 10, but rolled out and adopted like a typical update. The baseline hardware requirements enable us to provide our people with a more secure and productive environment. We quickly experienced the benefits of Windows 11 security enhancements and new productivity tools to enable exceptional work.

A more efficient experience

Prior to migrating to Windows Update for Business deployment service, deploying Windows feature updates would be a complicated, long-term project.

“We had to create multiple packages, both 64- and 32-bit versions and for each of the supported languages used in our environment,” says Markus Gonis, a service engineer and deployment lead with Microsoft Digital Employee Experience. “Each package was tested and then deployed to multiple distribution points globally for each update. The deployment also relied on a task sequence to download and install the updates on devices which could easily be disrupted.”

This effort could take weeks or even several months.

Furthermore, the process was costly, requiring physical infrastructure dependencies for hosting packages. Gearing up for a new release would also require additional augmented staffing to help run the deployments. To top it off, network and VPN bandwidth limitations could create frustrating delays and interruptions for employees trying to install an update depending on their location.

Moving to Windows Update for Business policies saved both time and money without hurting adoption. The first release to benefit, the Windows 10 October 2018 Update, saw 95 percent adoption within 10 weeks of a feature update being made available to devices. It’s only gotten better since then.

Windows Update for Business deployment service reduced administrative overhead considerably by eliminating the need to manually create deployment waves.

—Markus Gonis, service engineer and deployment lead, Microsoft Digital Employee Experience

The service eliminated the need for packaging, replication, and publishing activities. All in, Microsoft Digital Employee Experience saved 120 hours of work per deployment along with an additional 90 hours in testing. Further savings were achieved by reducing the reliance on augmented staff to support deployments.

By the time Windows 11 was ready for release in 2021, we had access to Windows Update for Business deployment service.

“This made setting up the deployment even easier,” Gonis says. “Windows Update for Business deployment service reduced administrative overhead considerably by eliminating the need to manually create deployment waves.”

Windows Update for Business deployment service calculates the number of devices based on the initial configuration and deploys more frequently and efficiently to the population. Supplementing this effort, Windows Update for Business reports show us what to target, making it easy to exclude ineligible devices.

A device is your connection to your work experience, especially when you can’t go into the office. Your device shouldn’t get in the way of what you’re doing, so we wanted to make sure our employees had a good upgrade experience.

—Nathalie D’Hers, corporate vice president, Microsoft Digital Employee Experience

Knowing that the Windows 11 Enterprise deployment would be managed by the same technology and processes we rely on for feature updates made it a safe decision. Knowing that it could be done without incurring significant costs made it an easy one.

A faster experience

There is another reason we were so confident in the Windows 11 Enterprise deployment. We knew users would benefit from new productivity features without having the upgrade cut into their day.

“A device is your connection to your work experience, especially when you can’t go into the office,” D’Hers says. “Your device shouldn’t get in the way of what you’re doing, so we wanted to make sure our employees had a good upgrade experience.”

We knew certain features in Windows 11—including an improved user interface, tighter integration of Microsoft Teams across apps, and snap layouts—would help our people stay engaged throughout their day. We also knew users would avoid the upgrade if it prevented them from doing their work or became a nuisance.

To create a disruption-free experience, Windows 11 simply downloads and installs in the background and alerts the user when the device is ready. A quick restart finishes the installation, which can be scheduled to take place during non-work hours. As soon as 20 minutes later, the employee is up and running in Windows 11.

The improved update experience, flexibility, and increased end-user control around the update was an enormous success with our people. User sentiment scores for the Windows 11 Enterprise deployment averaged a full 18 points higher than the latest Windows 10 release. This is the highest satisfaction score we have ever seen for a deployment, and it’s significantly higher than the highest score ever received pre-Windows Update for Business, which was 112.

”There were no major incidents reported through support channels directly related to the Windows 11 update nor the deployment,” Gonis says. “The overall incident count unique to Windows 11 was limited to 398 across the entire 225,000 device deployment, with any additional incidents associated with random infrastructure or device management issues that one typically experiences in an enterprise environment.”

Overall, this represents a 40 percent decrease in helpdesk incidents compared to pre-Windows Update for Business deployments.

Each successive version of Windows has brought refinement and optimization to the deployment process. Windows 11 built on this refinement to become the best experience to date. By making the deployment process quick and easy, users gain important productivity features while also taking advantage of new baseline protections.

Secure by default

Windows 11 is about security from the ground up.

“It’s strategic level-setting,” says Carmichael Patton, a principal program manager with Digital Security and Resilience, the division responsible for protecting the company and our products. “At a high level, Windows 11 enforces sets of functionalities we need to make the environment secure by default.”

Windows has always let you install whatever you want from wherever. We can now use hardware-backed features in Windows 11 to put policies in place that still enable users to have flexibility in choosing their own applications without compromising security.

—Carmichael Patton, principal program manager, Digital Security and Resilience

To be eligible for a Windows 11 upgrade, a device must meet certain hardware specifications, including TPM 2.0. Because of these new hardware requirements, encryption keys, user credentials, and other vital information are protected from unauthorized access and tampering.

As a result, we can take existing security features found in Windows and allow them to reach their full potential. Windows 11 empowers users to have the same great Windows experience they expect without concession.

“Windows has always let you install whatever you want from wherever,” Patton says, noting that this important level of control is also a way malware can get on your device. “We can now use hardware-backed features in Windows 11 to put policies in place that still enable users to have flexibility in choosing their own applications without compromising security.”

Windows 11 continually updates this app control policy so that common and known safe apps are permitted while dangerous, unknown, and potentially malicious apps are blocked.

The same hardware-backed protections extend to user identities. Windows Defender Credential Guard and credential isolation with Local Security Authority (LSA) protection are now enabled by default on Windows 11 Enterprise edition. Both protections make it harder for attackers to infiltrate devices and steal a user’s identity.

Microsoft Defender SmartScreen can detect and warn users who are about to enter passwords into an app or website that’s known to be compromised. The feature further improves user security by promoting good password hygiene and alerts users when they perform unsafe credential practices, like saving passwords in a text file.

Updating Windows 11 is getting even faster with the download and install phases shortening from 90 to an average of 60 minutes in the background and an average 20-minute final restart. Most people at Microsoft have a device that can run Windows 11 and, by March, we reached a 97 percent compliance rate.

—Markus Gonis, service engineer and deployment lead, Microsoft Digital Employee Experience

“Windows 10 could do a lot by configuration but not by default,” Patton says. “Windows 11 moved us to having more features be secure by default. Each new release adds more secure-by-default features.”

Now that we have this security baseline provided by hardware and software synergies, we can enforce security functions in the pipeline for Windows 11.

The Windows 11 experience

We’re now a year into Windows 11 including deploying its first major update, and we can see how deployments continue to become faster, more efficient, and less disruptive. This is in large part because we do not need to adopt any new device management tools or processes. We can run Windows 11 alongside Windows 10 using the same systems.

“Updating Windows 11 is getting even faster with the download and install phases shortening from 90 to an average of 60 minutes in the background and an average 20-minute final restart,” Gonis says. “Most people at Microsoft have a device that can run Windows 11 and, by March, we reached a 97 percent compliance rate.”

Deployment of the Windows 11 2022 Update was even faster than the original release, with over 90 percent adoption in just under five weeks. Excitement around the release resulted in a 50 percent increase in employees installing the update prior to its public release.

This means users are getting the security and productivity features they need to have the best experience possible now and in the future.

Modern hardware running a modern operating system will result in a better experience for everyone involved. Windows 11 serves as a baseline that allows us to easily see the state of security at Microsoft. By lifting the hardware floor, we can ensure users have consistent performance and protection in place.

• Windows 11 strengthens your security posture, allowing you to offload legacy security solutions and centralize administration.
• Consistency in system integrations and user experiences between Windows 10 and Windows 11 makes it easy to transition without having to adopt new applications or management solutions.
• Windows Autopilot allows OEMs to automatically register devices in Intune, avoiding manual steps and allowing an organization to preconfigure new devices before distributing them to employees.
• Windows Update for Business deployment service allows IT administrators to easily segment devices, organizations, and teams to better target deployments. This makes exceptions easier to manage.

• Take a look at our rich set of content that chronicles our move to Windows 11.
• Learn more about our internal deployment of the first major update to Windows 11.
• Read our initial story on upgrading to Windows 11.
• Discover the new Windows 11 security features are designed for hybrid work.
• Get the inside scoop on Microsoft’s app compatibility promise for Windows 11.

The post Looking back at deployment of Windows 11 at Microsoft appeared first on Inside Track Blog.

While we use Microsoft products to secure our systems, infrastructure, data, and identities, the Foundational Five are product agnostic and can be scaled to meet the needs and requirements of organizations of any size. This is especially important for smaller organizations, with 70 percent of encounters with human-operated ransomware happening in organizations with fewer than 500 employees, according to the Microsoft Digital Defense Report 2023.

Our Foundational Five are:

1. Move to modern authentication with phishing-resistant multi-factor authentication.
2. Always use automatic cloud backup and file syncing.
3. Work towards having threat- and risk-free environments.
4. Upgrade your posture management to improve the health of your devices, services, and assets.
5. Apply least privileged access standards to your full technology stack.

Modern authentication with phishing-resistant multi-factor authentication

It’s a well-known fact that today’s threat actors don’t break in, they sign in. Whether done through illicitly acquired credentials, brute force attacks, or phishing, inadequate protective measures for authentication are like leaving the front door wide open for attackers to walk through.

Microsoft Incident Response observed that 21 percent of customers who experienced ransomware didn’t have MFA or didn’t mandate MFA for privileged accounts, while 37 percent didn’t have advanced MFA protection mechanisms enabled.

—2023 Microsoft Digital Defense Report

The growth in password-based identity attacks on Microsoft Entra is startling, with a 10-fold increase observed between 2022 and 2023. While the use of multi-factor authentication (MFA) adds an extra layer of security, threat actors are increasingly turning to techniques such as MFA bombing to catch unwitting users off guard. Earlier in 2023, we observed 6,000 MFA fatigue attempts per day on customer identities. This is why we strongly advise using phishing-resistant MFA.

Phishing-resistant MFA differs from traditional MFA by binding the token to the legitimate user’s device. Windows Hello for Business and FIDO2 services, like physical tokens and Passkey, are examples of technologies that can be used for added protection. When combined with conditional access policies and step-up authentication, this can be an effective method to protect users who have access to sensitive resources or high-risk roles.

Microsoft Incident Response observed that 21 percent of customers who experienced ransomware didn’t have MFA or didn’t mandate MFA for privileged accounts, while 37 percent didn’t have advanced MFA protection mechanisms enabled.

Phishing-resistant MFA with conditional access can help prevent:

• Spear phishing: Attackers craft tailored phishing emails that are sophisticated and challenging to identify, aiming to deceive specific individuals.
• Remote Desktop Protocol (RDP) brute force attacks: Unauthorized remote access to resources is attempted through the exploitation of stolen credentials.
• Local password storage: Measures are in place to prevent passwords stored locally on devices from being read or downloaded.
• Unencrypted credential storage: Credentials are safeguarded against being stored without encryption, which would otherwise allow easy unauthorized access.
• Credential and cookie theft: Security protocols are enforced to protect against the theft of credentials or cookies directly from browsers.
• Unauthorized account creation: Systems are secured to prevent the unauthorized addition of new user accounts.

What we use:

Windows Hello for Business enhances multifactor authentication by offering secure sign-in capabilities and enabling a passwordless experience.

Authenticator app is a secure and encrypted application that facilitates multifactor authentication to safeguard access to accounts and services.

Entra ID serves as a comprehensive identity and access management solution.

Secure Service Edge functions as a unified security point for protecting data and users across all network traffic.

FIDO keys offer a form of hardware-based authentication that is resistant to phishing and other forms of account compromise.

Automatic cloud backup and file-syncing for user and business-critical data

Microsoft has observed that approximately 16 percent of human-operated ransomware activity involved both encryption and exfiltration, while 13 percent used exfiltration exclusively.

—2023 Microsoft Digital Defense Report

Much of the Foundational Five is about setting up preventative measures to secure your organization. But in the event of a successful breach, it’s important that your data remains secure and accessible. For many organizations that have suffered a ransomware attack the biggest costs associated are restoring business continuity, including access to the files and resources vital to your organization.

Setting up automatic cloud backup and file-syncing is one of the simplest ways to help achieve this, and arguably delivers the biggest bang for the buck in a ransomware prevention strategy. Active automatic backups can thwart common ransomware tactics including the disabling of system recovery capabilities and the deletion of , which are essential for business continuity. In some cases, it might be effective in preventing the exfiltration of documents, which can be used for data dumping, or double and triple extortion.

“Microsoft has observed that approximately 16 percent of human-operated ransomware activity involved both encryption and exfiltration, while 13 percent used exfiltration exclusively,” states the 2023 Microsoft Digital Defense Report.

We recommend at a minimum setting up automatic cloud backup and file-syncing on all user devices for key folders such as Desktop, Documents, and other locations where user data and business-critical data are stored.

Automatic cloud backup and file-syncing protects people from:

• Deletion of shadow copy files: These are built-in local backup copies in Windows that aid in device restoration in the event of a compromise.
• Disabling of recovery features: It ensures that features enabling individual device recovery remain active and cannot be turned off.
• Document exfiltration for double extortion: It protects against scenarios where malicious actors not only demand a ransom to decrypt files but also threaten to release sensitive documents publicly unless an additional ransom is paid.

What we use:

OneDrive for Business is used for cloud-based device backups, ensuring data recovery in case of device compromise.

Azure Backup Center (also known as Azure Cloud Backup) is used for the automated backup of Azure infrastructure and data, providing a reliable disaster recovery solution.

Threat- and risk-free environments

As there are always new and evolving cyber-risks, it’s a continual effort to create an environment that’s protected from ransomware by proactive measures. And while it might not be possible to guarantee an environment entirely free of threats and risks, it’s something worth striving towards.

Creating a threat- and risk-free environment starts with ensuring that the devices joining your network are healthy, and that controls are put in place to ensure vulnerabilities and threats are managed. We ensure this through the comprehensive use of endpoint detection and response (EDR) and our device management policy for all devices and operating systems. Our device health policy includes mandatory encryption, antimalware, tamper protection, specific mandatory hardware configurations, and minimum operating system version requirements. Devices that aren’t patched, updated, or properly configured are frequently exploited by threat actors and are vulnerable to cyberattacks. These devices aren’t allowed on our network—no exceptions permitted.

Threat- and risk-free environments protect against:

• Platform and supply chain-based attacks: These are sophisticated attacks that target vulnerabilities in the hardware and software supply chain, potentially compromising the integrity of platforms and services.
• Threat actor reconnaissance: This refers to the preliminary activities of threat actors to gather information about systems and networks, identifying potential vulnerabilities to exploit.
• Disabling of security features or systems: Prevent unauthorized attempts to disable or circumvent security measures that are in place to protect data and systems.
• Deployment of ransomware: By maintaining a secure posture, the environment is protected against the deployment of ransomware, which can encrypt data and disrupt operations, demanding a ransom for decryption.

What we use:

Microsoft Entra Privileged Identity Management is used for managing and monitoring privileged roles within our organization.

Microsoft Defender for Cloud offers comprehensive protection across cloud services to secure infrastructure and data.

Microsoft Defender for Endpoint provides advanced threat defense and post-breach detection for endpoints.

Microsoft Entra Identity Protection uses automated responses to detected identity risks, safeguarding user identities within the organization.

Posture management for compliance and the health of devices, services, and assets

The standards and policies an organization uses to protect against ransomware are only as good as the degree of adherence. This is where security posture management can help drive down the risk of a successful ransomware attack.

The monitoring of cloud-based systems and infrastructures creates visibility and improves control over policies and configurations. It highlights risks and misconfigurations, such as insecure secrets and keys, potential points of data exposure, and data flows and resources containing sensitive and shadow data to be discovered and remediated. Increasingly, remediation can be automated when triggered by security events.

Strong posture management can protect against:

• Exploitation of vulnerable services: This prevents attackers from taking advantage of services that have known weaknesses or aren’t regularly updated with patches.
• Unpatched vulnerabilities in applications: This ensures that applications are kept up to date with the latest security patches to mitigate the risk of exploitation.
• Scheduled tasks leading to system compromise: This controls and monitors scheduled tasks to prevent them from being used as a pathway for system compromise.

What we use:

Microsoft Defender for Endpoint provides advanced protection for enterprise endpoints with threat prevention, detection, and response capabilities.

Microsoft Defender for Cloud secures cloud services by safeguarding infrastructure and data against threats.

Azure Policy enforces organizational standards and monitors compliance, providing automated remediation for policy violations.

Least privileged access applied to the entire technology stack

Least privileged access (LPA) involves limiting access to only what’s necessary to perform the intended function. This includes concepts such as removing admin from a workstation, limiting access to on-premises and cloud environments, and restricting access to critical services to only specific administrative roles. It’s a way of reducing the cyber-attack surface, stopping the spread of malicious activity. Additionally, LPA helps to prevent privilege creep, which happens when users accumulate unnecessary access to accounts over time.

LPA can help prevent ransomware attacks by limiting the access rights of users and devices to only the resources they need to perform their tasks. Should a user or device be compromised by ransomware, the impact and spread of the infection is minimized. Ransomware often relies on exploiting vulnerabilities or stealing credentials to gain access to sensitive data and systems. By applying the principle of least privilege, organizations can reduce the attack surface and the potential damage of ransomware attacks.

We recommend applying LPA over the entire technology stack as it ensures complete protection of all parts including devices, users, applications, systems, and data. Comprehensive application will require a solution that can manage and secure privileged credentials and controls.

When applied to the entire stack, LPA protects against:

• Ransomware: By ensuring that users and devices have access only to the data and systems necessary for their roles, LPA prevents ransomware from encrypting or exfiltrating data.
• Privilege creep: LPA combats the accumulation of unnecessary privileges by users over time, which can be exploited by ransomware and other malicious software.
• Inappropriate access levels: Regular monitoring and reviews under LPA ensure that users and devices maintain appropriate access levels, reducing the risk of inappropriate access.

What we use:

Entra PIM manages roles and permissions, ensuring just-in-time access to critical resources in line with LPA.

Intune protects least privilege by enabling organizations to run users as standard while elevating privileges only when necessary.

Entra Conditional Access within Microsoft Entra secures resource access by enforcing rules based on user location, device status, and sign-in behavior.

Building an even stronger foundation

The Foundational Five are an excellent starting point to defending your enterprise against ransomware. However, it’s just the beginning of a broader, more involved strategy against cybercrime.

If your organization doesn’t already have one, consider developing a ransomware incident response playbook and pressure-test its efficacy with table-top exercises or attack simulations. Incident response preparedness has an outsized effect on business continuity and recovery.

Additionally, as phishing is a common starting point for ransomware threat actors, consider frequent phishing simulations, and education and awareness training for employees on topics including business email compromise and vendor email compromise—both of which are on the rise.

Here are some suggestions for getting started with the Foundational Five of ransomware elimination at your company:

• Progressively build up and invest in your ransomware elimination strategy. The goal is to make incremental improvements to reduce your attack surface area.
• While attackers commonly sign in using stolen credentials, MFA attacks are on the rise. Consider the use of phishing-resistant credentials such as FIDO2 tokens and ensure that users have the correct privileges to limit mobility.
• Ensure that the technologies and systems you have in place are properly configured and fully operational. Test your systems to ensure they’re working as expected.

• Read the Microsoft Digital Defense Report 2023 to learn more.
• Explore deploying ransomware protection for your Microsoft 365 tenant.
• Read more about defending your users from MFA fatigue attacks.
• Unpack verifying device health at Microsoft with Zero Trust.
• Discover transitioning to modern access architecture with Zero Trust.

Strengthen your security posture with Microsoft Azure.

Want more information? Email us and include a link to this story and we’ll get back to you.

Please share your feedback with us—take our survey and let us know what kind of content is most useful to you.

The post Lessons learned at Microsoft: Five steps you can take to reduce your ransomware risk appeared first on Inside Track Blog.

Office printing is also a potential network security risk. Between the infrastructure of the Internet of Things and the number of users needing access to these devices, the threat surface is huge. Historically we’ve relied on print servers, virtual private networks (VPNs), and printer drivers to manage users’ access to printing.

But of course, we also know the best modern software technology exists in the cloud. It affords the most security as well as the most savings. Something wasn’t adding up.

A few years ago, we at Microsoft Digital Employee Experience (MDEE)—the organization that powers, protects, and transforms the company—realized that printing, one of the most common tasks that nearly all employees do, was one of the last operations that we had not yet brought to the cloud. It became our vision to change that and bring modern security and seamless access to printers to all employees, in all our offices, across the globe.

“Everyone needs to print something at some time,” says Pete Apple, principal architect and technical program manager in the infrastructure engineering services team within MDEE. “It’s one of those universal things about working in a business. As we upgraded the protocols with nearly everything else in our network, printing remained one of the only things done ‘the old way.’ We realized that this was a common area that needed addressing.”

The path to creating Universal Print, Microsoft’s solution to the needs of modern enterprise cloud printing, has evolved over several years as technology has changed. We’ve trialed, improved, and scaled our solution with the insights gained from utilizing this solution with our own employees.

And we are on the cusp of our next breakthrough in technology and security: eliminating the need for VPNs for office printing.

[Read our earlier blog post on Universal Print where we walk through our early steps to rethink our approach to printing here at Microsoft. Learn how we’re Microsoft’s ‘Customer Zero.’ Learn how we’re doing more with less internally at Microsoft with Microsoft Azure. Learn more about the foundation for modern collaboration: Microsoft 365 bolsters teamwork. Explore a simulated experience of Universal Print.]

The road to simplification: Microsoft as the customer

A significant benefit of being a company as large, complex, and distributed as Microsoft is that we are a fantastic proving ground for new technology. If our teams can build a solution that works for our organization, we know it can work for other enterprises too. We also know that if we are experiencing a pain point, likely others are too. Because of this, we often call ourselves Customer Zero.

When it came to developing a modern solution for the needs of printing, our product groups knew who to turn to. Partnering with us in MDEE enabled the product team to develop Universal Print by testing with and taking feedback from the broad Microsoft team. The product group relied on our expertise with security review, OEM offerings, and first-hand admin feedback.

“With our partnership with MDEE we are able to gain experience as well as verifying the functionality of Universal Print,” says Jimmy Wu, senior product manager with the Universal Print team. “This helps us prove that this technology can scale to meet the needs of an enterprise as large and complex as Microsoft.”

In the last three years, Universal Print has come to eliminate the need for dedicated print servers and printer drivers, two significant headaches for admins and users alike. The one area that we hadn’t solved, until now, was the reliance on VPNs. We won’t be able to fully isolate the network printers from the core of our corporate infrastructure until we make this development.

“Using VPNs meant that every user trying to print something had to directly connect to the same network as the printer, which opens our networks to security threats. It increases the surface area for bad actors to attack,” Wu says.

Now, you send your print job to the cloud and you can “pull it down” to any printer you want, anywhere in the globe. It’s truly a universal system, and you no longer need a direct connection between your computer and the local printer you’re wanting to use. This eliminates the inherent security risk of having both the client computer and the printer on the same VPN network, while unlocking an exciting future for both improved security and an easier printing experience.

All together these changes have also resulted in significant cost savings for Microsoft and significant security and usability improvements. By simplifying our technology and reducing the scale of our infrastructure, we are realizing tens of millions of dollars in savings. This is a win-win outcome that we are all excited about.

Zero Trust: scaling security while also improving user experience.

Most employees around the globe these days are working in a hybrid setting, so when they visit one of our offices, we want their experience to be as seamless as possible. We are enabling this modern way of working by moving towards a Zero Trust environment.

Despite the intimidating name, Zero Trust provides smoother access to services for employees by ensuring user access is validated and authorized for each connection regardless of user location. In practice this means that you can easily log on to an on-campus network using the same device and same credentials you use in your home office. The experience is seamless, and the environment is more secure than ever.

This technology allows data to be transferred through secure tunnel connections. From an information security perspective this is now the gold standard for public or semi-public networks. We can further sequester our corporate network, which reduces risk to our core infrastructure. This concept is called least-privileged access, which accounts for more segmentation of users and a default to accessing only the common resources the average team member needs.

While we work towards modern security architectures, we’re also trying to minimize friction for our developers and our employees alike. “We do a real balance there. It’s a continued conversation of how we do better security while also continuing to improve the experience for folks, so it is just seamless,” Apple says.

To further this goal MDEE plans to leverage advances in Universal Print-ready printers supplied by OEM manufacturers which will connect directly to the cloud with their own Zero Trust. This new frontier is emerging through the partnership of Microsoft and manufacturers who are working together to improve printer technology to reduce complexity throughout the printing environment.

Now in 2023 we are in the process of moving all Microsoft end users over to Universal Print. With this solution we are quickly scaling up to support the whole company, worldwide. We’re now able to retire hardware and legacy solutions, and their associated risks. Fundamentally, we are shedding costs while gaining more robust security and better user experience.

Transforming the printing experience for a global workforce

While there are many employees in our headquarters backyard in the Pacific Northwest, the vast majority of our team actually work in field offices all over the globe. Being able to have a printing system that is cloud-based, which can be utilized in all our offices around the world, means a more direct connection to the business for our employees wherever they are. We can ensure that all employees’ experience is much better than it was previously.

Rolling out Universal Print affects every employee of ours and thus it is a critical task to get it right the first time. For our system admins, they now can centrally manage our printing networks and ensure a common way of operating our equipment globally, which for instance reduces printer outages as a central team can diagnose and fix issues quickly. We’ve also removed unnecessary layers of security management by utilizing the inherent, built-in security of Microsoft Azure. Again, this reduction in complexity also results in savings and increased security.

And from the perspective of our end users, we’ve moved to a system where everyone is utilizing the same service, with the same access. This scales and makes life faster for employees. The printing interface is much easier than before, and fewer printer outages getting in the way of your work is always welcome.

We are also looking at new developments right around the corner: employees will soon be able to use their own badges to release the “pull down” printing functionality, adding much-requested scanning features, and enabling admins to have better fleet management of our printers across the globe. Each of these features will further enhance user experience and admin efficiency.

“We’re changing the industry, which makes me very excited,” says Michael Munch, a senior service engineer with MDEE. “It’s not just the same old print story; it’s that we are finally arriving at the day where we can do this thing we’ve only dreamed about. It’s going to save us money, we’re going to be more secure, and it gets us ready for the future with zero-trust networking because the devices themselves will become native cloud devices.”

In essence, we’re seeing a win-win situation and the future is bright. “After presenting our plan for Universal Print the leadership quickly said, ‘Wait, you said it’s cheaper, and it’s more secure?’” says Munch, “Of course, it was a no-brainer to do.”

• Modern enterprise cloud printing is designed to provide modern security and seamless access to all printers for all users. It reduces friction for admins and users while making the enterprise more secure than ever.
• Zero Trust is an important part of keeping everyone safe and secure. By moving enterprise printing to the cloud, companies can verify user and device identity to reduce risk and keep the environment productive.
• Universal Print eliminates the need for dedicated print servers and printer drivers, which are significant headaches for admins and users alike. And by using Universal Print’s entire feature set MDEE will soon eliminate the inherent security risks of VPNs.

• Read our earlier blog post on Universal Print where we walk through our early steps to rethink our approach to printing here at Microsoft.
• Learn how we’re Microsoft’s ‘Customer Zero.’
• Learn how we’re doing more with less internally at Microsoft with Microsoft Azure.
• Learn more about the foundation for modern collaboration: Microsoft 365 bolsters teamwork.
• Explore a simulated experience of Universal Print.

The post Seamless and secure cloud printing with Universal Print appeared first on Inside Track Blog.

Underneath those broad strokes, we serve very specific, complex customers.

One set of such customers is in the federal sector, where the specific regulatory requirements of sovereign entities—such as the Department of Defense (DoD) in the US—require that we create highly secure environments that adhere to the Cybersecurity Maturity Model Certification (CMMC) standard. (CMMC is an intermediate cybersecurity certification for defense contractors that focuses on protecting controlled unclassified information through enhanced cyber hygiene practices.)

Building environments that meet the CMMC standard presents unique opportunities and challenges, especially when it comes to managing complex collaboration scenarios at scale while also ensuring the security of our customers’ confidential information.

To help us get this right, we build environments for our customers that employ our Zero Trust security model, which means operating on a “never trust, always verify” principle. This enables us to deliver secure platform tools, networks, elastic computing, and storage options. It also helps provide our customers with better collaboration and business operations tools.

This works for governments, their military and intelligence agencies, and goes beyond the high standards of our usual customers.

To specifically address these unique needs within Microsoft, we have created a specialized IT environment, called the Federal Government Operating Environment or Microsoft FedNet. Powered by Azure for Government and Microsoft 365 Government, this environment is carefully designed to match the complex requirements of our US Federal and US Defense Industrial Base clients.

Serving as Customer Zero

In this story, we’ll explain some of the unique challenges we faced internally as we implemented this “company within a company” to allow our employees to work easily across both our traditional corporate environment (CorpNet) and the more highly regulated environment (FedNet) that we use to support our US Federal customers.

We have a strong value around being Customer Zero for our products, so much so that we implement them the way we would suggest our customers use them, so we can experience the customer reality firsthand. While living on the edge of this innovation knife can be unsettling at times, it allows us to be first to encounter challenges our customers might face. As such, we become a valuable feedback loop back to our product teams, which speeds up the innovation cycle and lowers barriers to entry for actual customers.

It was absolutely essential that we deliver a product for our federal customers that met or exceeded the experience that our own team expected. This is the critical benefit of our Customer Zero approach to engineering—we live and breathe the product long before it reaches an external user. That gives us time to explore and refine the customer experience to be as good as can be.

— Jason Zander, executive vice president, Strategic Missions and Technologies

Cross function, cross company

At Microsoft, our commitment to creating a dedicated environment for highly regulated workloads was not just about establishing a separate space; it was about embodying a cloud-first and deeply integrated approach across our entire business spectrum. This strategic decision was pivotal in aligning our expansive scale with the nuanced demands of compliance-focused sectors.

To get this right, our comprehensive, multi-disciplinary strategy coalesced around rethinking our sales pipeline management, financial systems, modernizing commerce tools, refining our support services, and evolving our internal engineering practices. This cross-organizational synergy was crucial to ensure that every aspect of our business supported and benefited from this new initiative.

“It was absolutely essential that we deliver a product for our federal customers that met or exceeded the experience that our own team expected,” says Jason Zander, our executive vice president of Strategic Missions and Technologies. “This is the critical benefit of our Customer Zero approach to engineering—we live and breathe the product long before it reaches an external user. That gives us time to explore and refine the customer experience to be as good as can be.”

Embracing a growth mindset, we aimed to merge the insights gained from operating a $3 trillion-dollar company with our profound understanding of servicing compliance-intensive customers. This fusion of scale and specialization was geared not only toward meeting existing needs but also toward innovating in novel and impactful ways.

Our workday began by signing in to this secure environment, using Microsoft 365 applications for our daily tasks, and collaborating through Teams. This wasn’t just a separate project; it was a complete shift in our work environment. We effectively isolated ourselves within a secure bubble, distinct from the rest of Microsoft, to ensure we could operate seamlessly as an independent entity.

— Dwight Jones, principal product manager, Microsoft Federal team, Microsoft Digital

Through this transformative journey, we have not only tailored our offerings to meet the stringent requirements of highly regulated sectors, but we have also significantly enhanced our overall business intelligence. By internalizing and refining our products early in their lifecycle, we ensure that our services not only align with but surpass the expectations of our most compliance-conscious customers, continuing our legacy as a global leader in technology solutions.

What does this mean in the real world?

In our journey to develop a more secure platform for internal use at Microsoft, we took an unconventional and immersive approach; we essentially created a new federal entity within our larger corporate organization, where the creators and users of this platform merged into one. Our team, dedicated to building this secure environment, began to experience their daily work lives within FedNet, taking meetings on Microsoft Teams and using document collaboration across Microsoft 365 and ensuring its functionality and reliability firsthand.

“Our workday began by signing in to this secure environment, using Microsoft 365 applications for our daily tasks, and collaborating through Teams,” says Dwight Jones, a principal product manager on the Microsoft Federal team in Microsoft Digital (MSD), our IT division. “This wasn’t just a separate project; it was a complete shift in our work environment. We effectively isolated ourselves within a secure bubble, distinct from the rest of Microsoft, to ensure we could operate seamlessly as an independent entity.”

This shift represented a significant change in our corporate experience.

By establishing secure Microsoft tenants in the Azure Government Community Cloud’s high-security environment, we created what we call “Microsoft Federal”—a company within a company. This bold move came with its own set of challenges, but it was essential. It enabled us to not just theorize but practically test and enhance our FedNet solution in real-world conditions, ensuring its effectiveness for our sovereign customers.

Such an approach was pivotal in validating the reliability and security of our solution. It allowed us to experience the potential challenges our customers might face and address them proactively. Ultimately, this real world experiment was more than just a test; it was a commitment to delivering a product that we ourselves could rely on and trust, setting a new standard in our offerings to highly regulated sectors.

Microsoft Federal is a prime example of the potential in public-private partnerships. We bring our expertise to key government organizations, offering them advanced, secure solutions to succeed in their missions. Together, we’re shaping the future of network security.

— Jason Zander, executive vice president, Strategic Missions and Technologies

Getting security right

The key distinction between our traditional business and our new Federal sector business model lies in the stringent regulatory constraints from agencies like the US Department of Defense, adhering to CMMC level 2. Our FedNet environment is designed to not just meet but exceed these standards. In fact, our FedNet implementation has achieved a perfect score (Microsoft Federal Successfully Completes Voluntary CMMC Assessment), reflecting our security team’s commitment to the highest standards, covering a broad range of customer requirements.

“Microsoft Federal is a prime example of the potential in public-private partnerships,” Zander says. “We bring our expertise to key government organizations, offering them advanced, secure solutions to succeed in their missions. Together, we’re shaping the future of network security.”

To align with our Zero Trust principles in FedNet, we started by enhancing device endpoint security using a combination of Microsoft Conditional Access and Microsoft Azure Virtual Desktop (AVD). This provides our teams with secure and controlled virtual access to standard collaboration and productivity capabilities, a shift from the traditional physical machine setup in our corporate environment.

While aligning with our cloud-first strategy, this transition posed challenges.

The virtual environment offered less flexibility than a commercially managed machine, particularly in terms of software installation control. In our commercial environments, users can install a variety of first- and third-party applications to enable them to be productive. To comply with more stringent regulations, we highly regulate what applications can be installed on the virtual client—each piece of software has to be security cleared by our Security Portal for Assessment, Consulting and Engineering (ACE) tool—we had to create controlled processes to qualify each piece of software we deployed in our FedNet environment.

Teams is the lifeblood of collaboration at Microsoft, even a few-second delay in a Teams call hosted in our AVD environment can significantly disrupt the experience for our users in Microsoft Federal, just as it would for any other user.

— Dwight Jones, principal product manager, Microsoft Federal team, Microsoft Digital

Getting to product parity

Getting back to our internal team charged with deploying a version of this platform inside the company, our internal users at Microsoft Federal need more than just robust compute platforms and Zero Trust technology—they require the same modern communication and productivity tools as any of our other employee to manage daily operations effectively. Despite differing security protocols, essential tools like Microsoft Teams and Microsoft Outlook must function just as reliably for our Microsoft Federal users as they do for our CorpNet users.

Take Microsoft Teams meetings, for example.

“Teams is the lifeblood of collaboration at Microsoft, even a few-second delay in a Teams call hosted in our AVD environment can significantly disrupt the experience for our users in Microsoft Federal, just as it would for any other user,” Jones says.

Such technical issues, if unresolved, could hinder business operations and negatively impact user perception of our products. We recognized the need for improvement in how Teams integrated within AVD highlighting key opportunities to accelerate quality of service features across both products that, once implemented, would quickly trickle down to all users of these services.

The complexity of managing change

Not surprisingly, we found that managing change and expectations was as significant a challenge as the technical blockers. The biggest hurdle became managing the cognitive shift when moving between environments, rather than addressing technical gaps. For instance, implementing data loss prevention strategies via document labeling was optional in our commercial environment but mandatory in FedNet to comply with CMMC regulations. This necessitated a new approach to data handling and required significant adjustments from our users. Training users on the rational and procedures for data handling was critical to overcome this barrier to entry for new users.

Our Microsoft Federal environment, while more secure, should not lack any functionality or features compared to the civilian version.

— Dwight Jones, principal product manager, Microsoft Federal team, Microsoft Digital

Experiment, learn, adjust, grow

After establishing the basic functionality needed for our Microsoft Federal employees to most closely match the experience of their counterparts in the larger Microsoft organization, our focus shifted to optimizing the environment. This entailed refining existing solutions and introducing the latest innovations Microsoft is known for.

It was all about feature parity.

“Our Microsoft Federal environment, while more secure, should not lack any functionality or features compared to the civilian version,” Jones says.

A standout feature attracting global corporate interest in FedNet is Microsoft Teams Rooms. This innovative setup combines built-in screens, modern video cameras, eye-tracking technology, and Zero Trust security to revolutionize meeting experiences in Microsoft Teams, specifically tailored for our Microsoft Federal product.

Serving some of the world’s most security-conscious customers grants us unique experiences and insights that benefit our entire business. With exciting features and products, many fueled by Microsoft’s AI innovations, we’re charting a bright future for all our customers, including those in Microsoft Federal. This is how we fulfill our mission to empower every person and organization on the planet to achieve more.

— Jason Zander, executive vice president, Strategic Missions and Technologies

“Secure Teams Rooms is exactly what our internal Microsoft Federal users, and indeed any organization, would desire,” Jones says.

Following this, we began a pilot rollout of Microsoft Teams Rooms in select secure locations, with plans to extend this enriched experience to all employees in the Microsoft Federal environment. By using the same technologies they provide to customers, our employees gain valuable insights and experiences, enhancing their ability to support customers deploying Microsoft Teams Rooms in their organizations.

“Serving some of the world’s most security-conscious customers grants us unique experiences and insights that benefit our entire business,” Zander says. “With exciting features and products, many fueled by Microsoft’s AI innovations, we’re charting a bright future for all our customers, including those in Microsoft Federal. This is how we fulfill our mission to empower every person and organization on the planet to achieve more.”

Microsoft Federal and our experience building a company within a company exemplifies our commitment to empowering customers with secure, compliant, and innovative solutions. By harnessing technologies like Microsoft Teams, Azure, and Microsoft 365, we’re setting new standards for collaboration and security in government and beyond.

Here are some things to think about as you consider beefing up your security with a product like our FedNet solution:

• Zero Trust is now relevant to everyone: Hybrid work, cloud migration, and increased threats make taking a Zero Trust approach to security a prudent consideration in every organization.
• Lack of leadership alignment is the biggest obstacle to driving Zero Trust agendas: Leadership alignment is critical to driving Zero Trust agendas. It’s important to ensure that all stakeholders are aligned with the Zero Trust vision and understand how it fits into the broader security strategy. This includes executive leadership, IT teams, security teams, and other business units.
• Zero Trust architecture requires holistic, integrated thinking: Zero Trust architecture requires a holistic, integrated approach that spans people, processes, and technology. It’s important to have a clear understanding of your organization’s assets, data flows, and user behaviors in order to design an effective Zero Trust architecture.

Learn more about our Microsoft Federal program and offerings.

• Explore implementing a Zero Trust security model at Microsoft.
• Unpack culture, the cloud, and security: learning from Microsoft’s digital transformation.
• Discover enhancing Microsoft’s security posture with Microsoft Azure Firewall Manager.

Want more information? Email us and include a link to this story and we’ll get back to you.

Please share your feedback with us—take our survey and let us know what kind of content is most useful to you.

The post Sharing what we learned deploying our secure federal environment appeared first on Inside Track Blog.

“We’ve made significant strides to create chip-to-cloud Zero Trust out of the box,” says David Weston, vice president of Enterprise and OS Security at Microsoft. “Windows 11 is redesigned for hybrid work and security with built-in hardware-based isolation, proven encryption, and our strongest protection against malware.”

This new baseline for protection is one of several reasons Microsoft upgraded to Windows 11.

In addition to a better user experience and improved productivity for hybrid work, the new hardware-backed security features create the foundation for new protections. This empowers us to not only protect our enterprise but also our customers.

[Discover how Microsoft uses Zero Trust to protect our users. Learn how new security features for Windows 11 help protect hybrid work. Find out about Windows 11 security by design from chip to the cloud. Get more information about how Secured-core devices protect against firmware attacks.]

How Windows 11 advanced our security journey

Security has always been the top priority here at Microsoft.

We process an average of 65 trillion signals per day, with 2.5 billion of them being endpoint queries, including more than 1,200 password attacks blocked per second. We can analyze these threats to get better at guarding our perimeter, but we can also put new protections in place to reduce the risk posed by persistent attacks.

In 2019, we announced Secured-core PCs designed to utilize firmware protections for Windows users. Enabled by Trusted Platform Module (TPM) 2.0 chips, Secured-core PCs protect encryption keys, user credentials, and other sensitive data behind a hardware barrier. This prevents bad actors and malware from accessing or altering user data and goes a long way in addressing the volume of security events we experience.

“Our data shows that these devices are more resilient to malware than PCs that don’t meet the Secured-core specifications,” Weston says. “TPM 2.0 is a critical building block for protecting user identities and data. For many enterprises, including Microsoft, TPM facilitates Zero Trust security by measuring the health of a device using hardware that is resilient to tampering common with software-only solutions.”

We’ve long used Zero Trust—always verify explicitly, offer least-privilege access, and assume breach—to keep our users and environment safe. Rather than behaving as though everything behind the corporate firewall is secure, Zero Trust reinforces a motto of “never trust, always verify.”

The additional layer of protection offered by TPM 2.0 makes it easier for us to strengthen Zero Trust. That’s why hardware plays a big part in Windows 11 security features. The hardware-backed features of Windows 11 create additional interference against malware, ransomware, and more sophisticated hardware-based attacks.

At a high level, Windows 11 enforced sets of functionalities that we needed anyway. It drove the environment to demonstrate that we were more secure by default. Now we can enforce security features in the Windows 11 pipeline to give users additional protections.

—Carmichael Patton, principal program manager, Digital Security and Resilience

Windows 11 is the alignment of hardware and software to elevate security capabilities. By enforcing a hardware requirement, we can now do more than ever to keep our users, products, and customers safe.

Setting a new baseline at Microsoft

While some security features were previously available via configuration, TPM 2.0 allows Windows 11 to protect users immediately, without IT admins or security professionals having to set specific policies.

“At a high level, Windows 11 enforced sets of functionalities that we needed anyway,” says Carmichael Patton, a principal program manager with Digital Security and Resilience, the organization responsible for protecting Microsoft and our products. “It drove the environment to demonstrate that we were more secure by default. Now we can enforce security features in the Windows 11 pipeline to give users additional protections.”

Thus, getting Windows 11 out to our users was a top priority.

Over the course of five weeks, we were able to deploy Windows 11 across 90 percent of eligible devices at Microsoft. Proving to be the least disruptive release to date, this effort assured our users would be immediately covered by baseline protections for a hybrid world.

We can now look across our enterprise and know that users running Windows 11 have a consistent level of protection in place.

The real impact of secure-by-default

Moving from configurable to built-in protection means that Windows 11 becomes the foundation for secure systems as you move up the stack.

It simplifies everything for everyone, including IT admins who may not also be security experts. You can change configurations and optimize Windows 11 protections based on your needs or rely on default security settings. Secure-by-default extends the same flexibility to users, allowing them to safely choose their own applications while still maintaining tight security.

—David Weston, vice president, Enterprise and OS Security

Applications, identity, and the cloud are able to build off the hardware root-of-trust that Windows 11 derives from TPM 2.0. Application security measures like Smart App Control and passwordless sign-in from Windows Hello for Business are all enabled due to hardware-backed protections in the operating system.

Secure-by-default does all of this without removing the important flexibility that has always been part of Windows.

“It simplifies everything for everyone, including IT admins who may not also be security experts,” Weston says. “You can change configurations and optimize Windows 11 protections based on your needs or rely on default security settings. Secure-by-default extends the same flexibility to users, allowing them to safely choose their own applications while still maintaining tight security.”

Going forward, IT admins working in Windows 11 no longer need to put extra effort in enabling and testing security features for performance compatibility. Windows 11 makes it easier for us to gain security value without extra work.

This is important when you consider productivity, one of the other drivers for Windows 11. We need to empower our users to stay productive wherever they are. These new security components go hand-in-hand with our productivity requirements. Our users stay safe without seeing any decline in quality, performance, or experience.

“With Windows 11, the focus is on productivity and thinking about security from the ground up,” Patton says. “We know we can do these amazing things, especially with security being front and center.”

Now that Windows 11 is deployed across Microsoft, we can take advantage of TPM 2.0 to bring even greater protections to our users, customers, and products. We’ve already seen this with the Windows 11 2022 update.

For example, Windows Defender App Control (WDAC) enables us to prevent scripting attacks while protecting users from running untrusted applications associated with malware. Other updates include improvements to IT policy and compliance through config lock: a feature that monitors and prevents configuration drift from occurring when users with local admin rights change settings.

These are the kinds of protections made possible with Windows 11.

“Future releases of Windows 11 will continue to add significant security updates that add even more protection from the chip to the cloud by combining modern hardware and software,” Weston says. “Windows 11 is a better way for everyone to collaborate, share, and present, all with the confidence of hardware-backed protections.”

• Learn about and upgrade to Windows 11.
• Learn more about the security benefits of Windows 11.

• Discover how Microsoft uses Zero Trust to protect our users.
• Learn how new security features for Windows 11 help protect hybrid work.
• Get more information about how Secured-core devices protect against firmware attacks.

The post Hardware-backed Windows 11 empowers Microsoft with secure-by-default baseline appeared first on Inside Track Blog.

Adding and removing employees from groups has been mostly a hand-cramping manual task, and this is especially true for large organizations like ours, where group membership management is daily work. Amidst all the life shifts that employees experience––role changes, department transitions, taking leaves, moving to hybrid or remote offices––it’s hard for our admins to keep our groups 100 percent current.

And when a group is out of date, people get left out of meetings and communications while others get access to information that’s no longer relevant or, worse, something they should no longer be able to see.

“Manually managing the groups was the old way,” says David Johnson, a principal program manager for our Microsoft Digital Employee Experience team, the organization where we power, protect, and transform the company. “Especially now with hybrid workspaces, you need connection between the leader and organization in many ways, and you don’t want to have to manually manage that space.”

Entering data by hand is also an error-prone process that we needed to move beyond. Our Microsoft Digital Employee Experience team responded by building an automated solution that improved our inclusion, compliance, and security.

[Learn more about Microsoft’s data governance strategy. Discover how to set up Dynamic Groups in Microsoft Azure Active Directory.]

Automating group membership management

A few years ago, there was a growing desire to automate Microsoft 365 group membership. As people started to realize the benefits of Microsoft 365 applications for effective live event and community management, the need for a solution to allow rule-based membership management became increasingly intense. However, at that time, there was no good solution readily available to meet these needs. Microsoft needed to manage live events and communities that involved large organizations, and there was not a good solution readily available. For example, organizations eagerly wanted to leverage Microsoft Yammer (we’re now using Microsoft Viva Engage) broadcasting to keep employees connected and engaged with leaders, but maintaining accurate Yammer community members was a manual task. Furthermore, before the shift to the cloud, groups were nested, which means they were folded into hierarchical layers, and each team took the responsibilities to manually manage the immediate team membership and contribute to the parent group level.

In the cloud, group membership is managed in a flattened way.

While this structure ensured security and compliance, it also compounded the complexity for manual membership management. Reestablishing roles and permission for every group member in all apps had to be done one at a time by hand, which likely only benefited the businesses of carpal-tunnel therapists.

The tedious processes required were unwieldy. Maintaining accurate membership is a multi-step process involving batch exporting member lists from HR systems, manually scrubbing from multiple Excel worksheets, then identifying the members to be added or removed. As soon as someone joined or left an organization, an admin would have to do this all over again.

Group membership was only accurate on the day it was entered, so groups were frequently out of date. Sending personalized messages to individuals with a commonality (such as a holiday, disaster, or local celebration) required manually updating group membership: a time-quaffing undertaking.

“Reaching everyone was so important to us, but the technology to maintain aliases wasn’t there,” says Cindy Jensen, a senior executive assistant with Microsoft Customer and Partner Solutions, one of Microsoft’s Sales and Marketing organizations with over 100,000 people. “Our volumes were too large.”

We said, let’s build something. We can automate membership management.

—Olivia Han, a senior program manager with Microsoft Digital Employee Experience

Microsoft Digital Employee Experience dedicated themselves to the challenge of making group member management a better and less manual process.

Engineering an answer

At Microsoft, we realized we had a significant issue back in 2017. We had to manage Yammer communities and live broadcast streams in particular. The demand for reaching broad audiences, especially C-suite level audiences, initiated our journey to find a solution.

“We said, ‘let’s build something,’” says Olivia Han, a senior program manager with Microsoft Digital Employee Experience. “We can automate membership management.’”

And they did.

The tool—broadly launched internally at Microsoft in 2021—is called Group Membership Management (GMM). It’s a solution that dynamically manages the membership of Microsoft Azure Active Directory (AAD) Groups. Once it’s set up, it automatically updates when HR data changes and when other source groups membership changes.

Microsoft already has the powerful Dynamic Groups feature in Microsoft Azure Active Directory, which allows attribute-based groups. GMM is needed for large leader-based groups and all of their reporting hierarchy. Now, source groups can have thousands of levels of nesting.

We never have to think about our aliases again, and we always know our communication is going to the right group.

—Cindy Jensen, a senior executive assistant with Microsoft Customer and Partner Solutions (MCAPS)

“Putting people in groups and taking them out of groups may sound trivial from an outsider’s perspective, but what I’ve come to really love and appreciate about the project is the scale,” says Paul Daly, a principal software engineering manager with Microsoft Digital Employee Experience. “The scale and impact of this problem necessitates that we focus on both performance and reliability.”

Benefitting from automation

Admins at in Microsoft’s Sales and Marketing organization and its more than 100,000 employees were very happy once they were able to start taking advantage of GMM.

“We never have to think about our aliases again, and we always know our communication is going to the right group,” Jensen says. “I set my groups up once—I update them never.”

Automating group membership has resulted in dramatic error reduction, which means there are far fewer security risks posed by stale membership and inappropriate access.

“Admins can now focus on more impactful work that can’t be automated,” Han says. Unsurprisingly, freedom to give their attention to other projects is among the first-mentioned benefits by administrators who have leveraged the GMM solution.

We want everybody to feel valued and included. Group Membership Management gives us that.

—Cindy Jensen, a senior executive assistant with Microsoft Customer and Partner Solutions (MCAPS)

In addition to stronger security, Jensen in Microsoft’s Sales and Marketing organization celebrates the role of accuracy in enhancing inclusivity. When group membership is updated automatically and daily, no one is forgotten or left out, and Jensen says that now she can make special groups on the fly to send personalized messages with very little effort.

She made aliases for people who celebrate Diwali so she could wish them a joyful one. She’s created aliases for people living in the Puget Sound area so they could participate in a huge annual Microsoft Give drive. This wasn’t easily achievable before.

“We want everybody to feel valued and included,” Jensen says. “GMM gives us that.”

Making automated group membership management more accessible

Now, nearly anyone can leverage GMM. It’s an open-source application that’s available to everyone on GitHub.

“Customers needed it,” Han replies when asked why it’s open source. Microsoft did not want to withhold the tool from the public while it waits for a home in within a product.

“What’s cool about GMM, the version that’s on GitHub, is that it’s actually the same version that we run internally,” Daly says.

Group Membership Management has been a lifesaver for Microsoft groups, and its engineers continue to enhance its sophistication. Here are words of wisdom for anyone wanting to leverage the benefits of Group Member Management for their organization.

• Consider leveraging GMM to take advantage of a variety of scenarios that Group Member Management enables, including creating Yammer communities for specific audiences, giving live broadcasts via Microsoft Stream to individual organizations, and making secure, collaborative environments for teams to finish projects.
• Evaluate your data so that you have the right attributes in place for automated group member management.
• Think about who gets access as part of your governance policy. Good group member management encourages strong security practices while also promoting inclusivity.
• Tell your IT developer that the opensource code for Group Member Management is on GitHub today. (Eventually this functionality will be incorporated into an existing Microsoft product.)
• Once you’ve deployed Group Membership management, have fun creating groups with commonalities––such as holidays and regions––to craft personalized messages that enhance company culture and inclusivity.

• Learn more about Microsoft’s data governance strategy.
• Discover how to set up Dynamic Groups in Microsoft Azure Active Directory.

The post The future of Group Member Management: How Microsoft is leading the way with automation appeared first on Inside Track Blog.

Attackers are more focused and targeted, they’re on a mission. It’s not a phishing email that spreads out to a bunch of random addresses and hopes someone clicks. That only nets you random targets. Human-operated ransomware aims for an enterprise and tries for big returns.

—Henry Duncan, senior security program manager, Digital Security and Resilience

As we discussed in our previous ransomware post, REP was purpose-built atop the philosophy of the philosophy of Zero Trust to give Microsoft a way to centralize defense, recovery, and resilience against ever changing cyberthreats. Core to the program is the ransomware playbook, our internal guide to ensure teams across the company take the right action to respond, recover, and remediate in the event of an attack. Adherence to the playbook limits the opportunity for attacks and minimizes the potential reward that criminals seek.

“Attackers are more focused and targeted, they’re on a mission,” says Henry Duncan, a senior security program manager on REP, part of DSR, the team responsible with protecting our enterprise so that we can deliver and operate secure products and services to our customers. “It’s not a phishing email that spreads out to a bunch of random addresses and hopes someone clicks. That only nets you random targets. Human-operated ransomware aims for an enterprise and tries for big returns.”

The longer threat actors are active in an environment and can move around, the greater the risk to the target. Each passing moment presents an opportunity to acquire more access to data through compromised accounts, or tamper with security and backup systems—and that means a higher likelihood of data being compromised and a larger ransom demand. Time is of the essence.

[Read blog one in our ransomware series: Sharing how Microsoft protects against ransomware. | Read blog three in our ransomware series: Building an anti-ransomware program at Microsoft focused on an Optimal Ransomware Resiliency State. | Learn more about human-operated ransomware. | Discover how Microsoft’s Zero Trust effort keeps the company secure.]

Writing the book on ransomware

When conceptualizing what it wanted the playbook to achieve, the REP team knew it needed to facilitate excellence in operational response readiness, have the flexibility and scope to address cyberattacks of any scale, and to align response processes across the company.

“We needed the playbook to articulate and visualize what everyone’s role in a process is,” Duncan says. “It’s not just a security thing; we have to get other teams involved, like legal, finance, and enterprise business continuity.”

Engaging with stakeholders from those organizations allowed the REP team to better understand the different methods used across the company to triage, contain, and escalate events. Such conversations and interviews were a vital learning opportunity, and when combined with industry and internal best practices, illuminated gaps and weaknesses and generated ideas to bridge them. Collaborative cross-team dialogue shaped the framework the team used to develop key processes, including what is used to recover critical services.

With this information synthesized, the REP team began structuring the ransomware playbook around addressing these four key questions:

• How prepared are we for a cyber event?
• What controls are in place to detect and identify malicious activity in our environment?
• What is the appropriate response from various teams to contain and recover from threats?
• How should a post-incident and root-cause analysis be performed?

The resulting document provides a unified and holistic response to cyberthreats for the company to use.

Walking the walk

“For a playbook to work, you need to test,” Duncan says. “It’s easy to think you’ve captured everything on the page, but we need to see what happens in practice.”

Performing simulations for a variety of scenarios demonstrated what might happen if an attack were to occur at Microsoft.

It’s hard to measure the significance and when to escalate events; are we talking about a handful of machines or a large critical system? Now we have processes to have a consistent plan for triaging and triggering events.

—Henry Duncan, senior security program manager, Digital Security and Resilience

Security professionals and stakeholders were put to the test. Detection and prevention systems were put through the wringer. Backup and restore functions were reviewed, ensuring the resiliency and recovery precautions needed to circumvent the leverage of cybercriminals were in place.

Not only did these live drills verify steps within the ransomware playbook, they also allowed the REP team to gather additional feedback, including ways to better categorize and triage ransomware.

“It’s hard to measure the significance and when to escalate events; are we talking about a handful of machines or a large critical system?” Duncan says. “Now we have processes to have a consistent plan for triaging and triggering events.”

Because ransomware continues to change, so must Microsoft’s response. The playbook is a living document, updated with regular reviews of testing and stakeholder engagement, enabling it to stay current with the quickly changing tactics of threat actors.

The benefits of playing it by the book

While the primary function of the ransomware playbook is to ensure Security Operation Centers (SOCs) and engineering teams across Microsoft have a documented process for responding to and recovering from ransomware, the playbook’s design has additional built-in benefits.

For instance, its detail clearly outlines who is responsible for what, creates visibility at the appropriate time, and clarifies escalation. The right process owners get the right information at the right time.

“You need visibility into how an event surfaces,” Duncan says. “Now we have a predictable mechanism to trigger incident response. Those definitions bring leadership into appropriate major events.”

In practice, Duncan and the REP team found the playbook to be a useful tool for continuous improvement. Regularly run internal tabletop exercises help DSR and the REP team measure Microsoft’s ability to effectively respond to specific types of attacks. Simulations and tests provide vital opportunities to expose issues, refine internal processes, and close the gap in eliminating ransomware. In using the playbook, Microsoft isn’t just more prepared against ransomware, but against security attacks in general.

This also happens to make the ransomware playbook a valuable training tool. Its adoption across the company is essential to a successful and holistic response to an attack. With training, the knowledge of roles and responsibilities, combined with muscle memory of the right actions to take ensures those involved are ready when put on the spot.

“We’ve also found that teams love the playbook as an onboarding tool,” Duncan says. “Anyone who joins Microsoft can know what the expectations are and loop that into their training. They’ll know how they fit into the ransomware equation.”

There’s a plan in place

Having the Ransomware Elimination Program along with the playbook gives teams across the company more visibility into the importance of ransomware. Microsoft now has a platform to share knowledge across organizations and centralize efforts to reduce the opportunity and reward for cybercriminals.

Human-operated ransomware is a full-time job for cybercriminals. None of us are perfect but being aware, having the right technology in place, and putting a plan in place reduces the likelihood and impact of an attack on the environment.

—Henry Duncan, senior security program manager, Digital Security and Resilience

“We can champion how people protect the environment while also involving them to improve response procedures,” Duncan says. “REP is the frontline of what an optimal ransomware resilience state should look like. That’s going to happen by working with different teams throughout Microsoft to research and understand the greatest risks.”

With a playbook at hand, there’s more confidence than ever that Microsoft’s people are prepared to detect and respond appropriately to malicious activity. The structure provided by REP and its playbook empowers Microsoft to capture important insights about its own resiliency, helping to drive future improvements. That’s critical, especially as ransomware continues to evolve.

“Human-operated ransomware is a full-time job for cybercriminals,” Duncan says. “None of us are perfect but being aware, having the right technology in place, and putting a plan in place reduces the likelihood and impact of an attack on the environment.”

While the ransomware playbook is internal to Microsoft, the REP team is investigating the best way to share its learnings so others can build their own.

• The ransomware playbook serves as a single source of truth for detecting, responding, and recovering to ransomware. It helps identify the strategy and preparation approach for resiliency
• Leverage your existing resources; you don’t have to start from scratch when developing a ransomware playbook
• Invite stakeholders to participate in the development of your ransomware playbook. It will create a more comprehensive and inclusive document, and will improve adoption
• Clarity of documentation is essential. Be sure to define expectations, roles, and responsibilities. Create diagrams and process flows whenever possible

• Read blog one in our ransomware series: Sharing how Microsoft protects against ransomware.
• Read blog three in our ransomware series: Building an anti-ransomware program at Microsoft focused on an Optimal Ransomware Resiliency State.
• Learn more about human-operated ransomware.
• Discover how Microsoft’s Zero Trust effort keeps the company secure.

The post Why Microsoft uses a playbook to guard against ransomware appeared first on Inside Track Blog.