It has been an incredible year for Azure confidential computing, working with partners and customers, that has culminated in our confidential computing offerings becoming publicly available. At Ignite, we announced our intent, and I am excited to say that just two weeks later we are delivering on our promise of releasing the DC-series of virtual machines and open sourcing the Open Enclave SDK.
As a quick recap, Azure confidential computing protects your data while it’s in use. It is the final piece to enable data protection through its lifecycle whether at rest, in transit, or in use. It is the cornerstone of our ‘Confidential Cloud’ vision, which aims to make data and code opaque to the cloud provider.
Today, we are excited to announce a public preview of the DC-series of virtual machines in US East and Europe West. Years of work with our silicon vendors have allowed us to bring application isolation technology to hardware in our datacenters to support this new VM family. While these virtual machines may ‘look and feel’ like standard VM sizes from the control plane, they are backed by hardware-based Trusted Execution Environments (TEEs), specifically the latest generation of Intel Xeon Processors with Intel
Combining biometric identification with artificial intelligence (AI) enables banks to take a new approach to verifying the digital identity of their prospects and customers. Biometrics is the process by which a person’s unique physical and personal traits are detected and recorded by an electronic device or system as a means of confirming identity. Biometric identifiers are unique to individuals, so they are more reliable in confirming identity than token- and knowledge-based methods, such as identity cards and passwords. Biometric identifiers are often categorized as physiological identifiers that relate to a person’s physicality and include fingerprint recognition, hand geometry, odor/scent, iris scans, DNA, palmprint, and facial recognition.
But how do you ensure the effectiveness of identifying a customer when they are not physically in the presence of the bank employee? As the world of banking continues to go digital, our identity is becoming the key to accessing these services. Regulators require banks to verify that users are who they say they are, not bad actors like fraudsters or known money launderers. And verifying identities online without seeing the person face to face is one of the biggest challenges online and mobile services face today.
It’s problematic because identity documents
Many healthcare organizations are starting to adopt artificial intelligence (AI) systems to gain deeper insight into operations, patient care, diagnostic imaging, cost savings and so on. However, it can sometimes be daunting to even know where to get started. Many times, you need a clear lighted path to start your journey and embrace AI and machine learning (ML) capabilities rapidly.
One method is using an Azure Healthcare AI blueprint. It’s a shortcut to using Microsoft Azure at low cost and without deep knowledge of cloud computing. Blueprints include resources such as example code, test data, security, and compliance support. The largest advantage of using a blueprint is explicit advice and clear instructions on keeping your solution in compliance. We’re trying to eliminate the mystery, so you don’t have to research it yourself.
Three core areas where the blueprint can help with compliance are cloud provider and client responsibilities, security threats, and regulatory compliance. These three areas can get overlooked at the beginning of any technology project, yet they are important parts of creating healthcare systems. Applying formal discipline to these areas is made easier by using the blueprint to create an AI/ML experiment installation.
The blueprint includes
Azure Security Center automatically collects, analyzes, and integrates log data from your Azure resources to detect threats. Machine learning algorithms run against collected data and generate security alerts. A list of prioritized security alerts is shown in Security Center along with the information you need to quickly investigate the problem, as well as recommendations for how to remediate an attack.
However, the threat landscape is constantly changing, and different customers have different needs. Therefore, it is important to stay in contact with customers and to continuously improve our threat detection capabilities, and to provide customers with the right information to help them address a security threat. To fulfill this, we have added the Alerts Customer Feedback to Azure Security Center, which gives the Security Center customers a channel to give feedback on the alerts that they received. This capability is currently available in public preview and is accessible from the alert blade. In the bottom part of the alert you will see the question “Was this useful?”, as shown below:
At this point, you can provide feedback at multiple resolutions through a simple user interface. The first resolution is to provide feedback on whether the alert was useful
We are pleased to announce that Microsoft is joining the LOT Network, a growing, non-profit community of companies that is helping to lead the way toward addressing the patent troll problem, an issue that impacts businesses of all sizes.
Microsoft has seen this problem firsthand. We’ve faced hundreds of meritless patent assertions and lawsuits over the years, and we want to do more to help others dealing with this issue. In most cases, the opportunists behind these assertions were not involved in the research and development of the ideas that came to be embodied in patents. Many do not even understand the technical concepts described in them. In the most extreme cases, we’ve seen mass mailings and campaigns to extract value from small businesses who are not equipped to understand patents. Although these problems are less acute in the US today than in the past, in part because of changes in the law, the challenge persists for many businesses. Entrepreneur magazine cited a recent study showing that 40 percent of small companies involved in patent litigation reported “significant operational impact” from those suits, which some described as a “death knell.”
What does all of this mean for you if you’re
One of the biggest security and compliance requirements for enterprise customers is to encrypt their data at rest using their own encryption key. This is even more critical in a post-GDPR world. Today, we’re announcing the public preview of Bring Your Own Key (BYOK) for data at rest in Apache Kafka on Azure HDInsight.
Azure HDInsight clusters already provide several levels of security. At the perimeter level, traffic can be controlled via Virtual Networks and Network Security Groups. Kerberos authentication and Apache Ranger provide the ability to finely control access to Kafka topics. Further, all managed disks are protected via Azure Storage Service Encryption (SSE). However, for some customers it is vital that they own and manage the keys used to encrypt the data at rest. Some customers achieve this by encrypting all Kafka messages in their producer applications and decrypting them in their consumer applications. This process is cumbersome and involves custom logic. Moreover, it doesn’t allow for usage of community supported connectors.
With HDInsight Kafka’s support for Bring Your Own Key (BYOK), encryption at rest is a one step process handled during cluster creation. Customers should use a user-assigned managed identity with the Azure Key Vault (AKV) to
You know the expression: “Time is money.” For many workloads in the capital markets space, time accuracy is money. Depending on the application and applicable regulation, financial transactions need to be traceable down to the second, millisecond, or even microsecond. Financial institutions themselves are under scrutiny to prove the validity and traceability of these transactions. At Microsoft, we want to ensure our customers are aware of time accuracy and synchronization best practices, and how you can mitigate the risk of negative impact due to time synchronization issues on Azure.
Time accuracy for a computer clock generally refers to how close the computer clock is to Coordinated Universal Time (UTC), the current time standard. In turn, UTC is based on International Atomic Time (TAI), a measure of time that combines the output of some 400 atomic clocks worldwide and yields approximately 1 second of deviation from mean solar time at 0° longitude. While the most precise time accuracy can be achieved by reading the time from these reference clocks themselves, it is impractical to have a GPS receiver attached to every machine in a datacenter. Instead, a network of time servers, downstream from these systems of record, is used to achieve
We are excited to announce that this week we have made Advanced Threat Protection available for public preview on Azure Storage Blob service. Advanced Threat Protection for Azure Storage detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit storage accounts.
The introduction of this feature helps customers detect and respond to potential threats on their storage account as they occur. For a full investigation experience, it is recommended to configure diagnostic logs for read, write, and delete requests for the blob services.
The benefits of Advanced Threat Protection for Azure Storage include:
Detection of anomalous access and data exfiltration activities.
Email alerts with actionable investigation and remediation steps.
Centralized views of alerts for the entire Azure tenant using Azure Security Center.
Easy enablement from the Azure portal.
How to set up Advanced Threat Protection
Launch the Azure portal.
Navigate to the configuration page of the Azure Storage account you want to protect.
In the Settings page, select Advanced Threat Protection.
In the Advanced Threat Protection configuration blade:
Turn on Advanced Threat Protection.
Click Save to save the new or updated Advanced Threat Protection policy.
Get started today
We encourage you to try out Advanced Threat
In my recent conversations with customers, they have shared the security challenges they are facing on-premises. These challenges include recruiting and retaining security experts, quickly responding to an increasing number of threats, and ensuring that their security policies are meeting their compliance requirements.
Moving to the cloud can help solve these challenges. Microsoft Azure provides a highly secure foundation for you to host your infrastructure and applications while also providing you with built-in security services and unique intelligence to help you quickly protect your workloads and stay ahead of threats. Microsoft’s breadth of security tools spans identity, networking, data, and IoT and can even help you protect against threats and manage your security posture. One of our integrated, first-party services is Azure Security Center.
Security Center is built into the Azure platform, making it easy for you to start protecting your workloads at scale in just a few steps. Our agent-based approach allows Security Center to continuously monitor and assess your security state across Azure, other clouds, and on-premises. It has helped customers like Icertis and Stanley Healthcare strengthen and simplify their security monitoring. Security Center gives you instant insight into issues and the flexibility to solve these challenges with
We are pleased to share that your SQL Information Protection policy can now be centrally managed for your entire tenant within Azure Security Center. SQL Information Protection is an advanced security capability for discovering, classifying, labeling, and protecting sensitive data in your Azure data resources. With central policy management you can now define a customized classification and labeling policy that will be applied across all databases on your tenant.
SQL Information Protection
SQL Information Protection (SQL IP) consists of an advanced set of capabilities that form a new information protection paradigm in SQL aimed at protecting the data, not just the database. It provides the following abilities:
Discovery and recommendations: The classification engine scans your database and identifies columns containing potentially sensitive data. It then provides you an easy way to review and apply the appropriate classification recommendations via the Azure portal.
Labeling: Sensitivity classification labels can be persistently tagged on columns using new classification metadata attributes introduced into the SQL engine. This metadata can then be utilized for advanced sensitivity-based auditing and protection scenarios.
Monitoring/Auditing: Sensitivity of the query result set is calculated in real time and used for auditing access to sensitive data.
Visibility: The database classification state