Security and Compliance in Azure was the topic of the 3rd SAM Club Azure User Group meeting, kindly hosted by HEMPSONS at their central London office. The group has grown, with several new attendees at this event, and it was great to have their insight on the journey to Azure.
The meeting kicked off with a presentation from Stuart Aston, National Security Officer at Microsoft, on how the journey to Azure starts for many companies: it tends to begin with Office applications via Office 365, or with IaaS, as that is an easy lift and shift of on-premises services.
Microsoft Service Trust Platform
Stuart introduced the group to a great resource for fact-finding around the security and compliance of the Microsoft Cloud. The portal provides access to reports such as ISO surveillance reports, penetration test results and government blueprints.
Microsoft spends $1 billion a year on security to assure clients that their data will remain safe in the cloud, and works closely with government on cybersecurity.
Decisions to make internally when moving to Cloud
Identity – one of the first things targeted by hackers. Microsoft highly recommends multi-factor authentication; it reduces an attacker's chances of success two-fold.
Device – devices need to be secure and their software kept up to date, and policies such as BYOD need to be reviewed when considering a move to the cloud. A BYOD policy means higher risk – the Martini effect: anytime, anyplace, anywhere. The end-user device is where most data breaches happen and where hackers aim. Consider regular health checks on the device, and consider whether it is safe for the end user to access firm data from that device.
Apps and data – assumptions about risk need to change, for example admin users having unrestricted access.
An example was raised of the Ashley Madison website hack, in which 37 million users' personal details were leaked; many of the email addresses used were work addresses. One in five people use the same password for work and personal accounts. How many people in your organisation are doing this?
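As an added example (not part of the meeting write-up or of any Microsoft material), the following Python checks an exported set of conditional access policies for an enforced, tenant-wide MFA requirement, which is the practical form the identity recommendation above takes in Azure AD. The field names follow the Microsoft Graph conditionalAccessPolicy resource (displayName, state, conditions.users.includeUsers, conditions.applications.includeApplications, grantControls.operator, grantControls.builtInControls); the four sample policies are constructed to show the common ways a policy that mentions MFA still fails to require it.

```python
"""Assess exported conditional access policies for tenant-wide MFA enforcement.

Added example, not from the meeting write-up. Field names follow the
Microsoft Graph conditionalAccessPolicy resource; the sample policies and
the GUID below are constructed for illustration.
"""
from typing import Dict, List

# Constructed sample: what a GET of /identity/conditionalAccess/policies
# might return. Only the last policy actually enforces MFA for everyone.
SAMPLE_POLICIES: List[Dict] = [
    {   # Report-only: evaluated and logged, but never enforced.
        "displayName": "Require MFA - pilot (report only)",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {   # Enforced, but scoped to a single application (constructed GUID).
        "displayName": "Require MFA - finance app only",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["00000000-0000-0000-0000-000000000001"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {   # Enforced, but MFA is one of two alternatives: a compliant device
        # satisfies the policy without any second factor.
        "displayName": "Require MFA or compliant device",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa", "compliantDevice"]},
    },
    {   # The one that does the job: enabled, all users, all apps, MFA only.
        "displayName": "Require MFA - all users, all apps",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
]


def assess_policy(policy: Dict) -> List[str]:
    """Return the reasons this policy does NOT enforce MFA tenant-wide.

    An empty list means the policy is enabled, covers all users and all
    cloud apps, and cannot be satisfied without MFA.
    """
    reasons: List[str] = []
    state = policy.get("state")
    if state != "enabled":
        reasons.append(f"state is {state!r}, not 'enabled'")
    conditions = policy.get("conditions") or {}
    users = (conditions.get("users") or {}).get("includeUsers") or []
    apps = (conditions.get("applications") or {}).get("includeApplications") or []
    if "All" not in users:
        reasons.append("does not include all users")
    if "All" not in apps:
        reasons.append("does not include all cloud apps")
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls") or []
    if "mfa" not in controls:
        reasons.append("grant controls do not include mfa")
    elif grant.get("operator") == "OR" and len(controls) > 1:
        # With operator OR the user needs only ONE of the listed controls.
        reasons.append("mfa is only one of several alternative controls (operator OR)")
    return reasons


def tenant_wide_mfa_enforced(policies: List[Dict]) -> bool:
    """True if at least one policy enforces MFA for all users and all apps."""
    return any(not assess_policy(p) for p in policies)


def report(policies: List[Dict]) -> List[str]:
    """One human-readable line per policy, for a board or audit summary."""
    lines = []
    for p in policies:
        reasons = assess_policy(p)
        status = "OK " if not reasons else "GAP"
        detail = "; ".join(reasons) or "enforces MFA for all users and all apps"
        lines.append(f"[{status}] {p.get('displayName')}: {detail}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_POLICIES):
        print(line)
    print("Tenant-wide MFA enforced:", tenant_wide_mfa_enforced(SAMPLE_POLICIES))
```

The check deliberately treats report-only policies and OR-combined controls as gaps: both look like "MFA is configured" in a quick review of the portal, yet neither forces a second factor on a sign-in. Exclusions (excludeUsers, excludeGroups) are not inspected here; a real audit would list them as named exceptions.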
Azure Sentinel
Stuart recommended a new tool from Microsoft called Azure Sentinel, which enables IT to see and stop threats before they happen. It is a cloud-based, AI-driven application that provides a bird's-eye view across the enterprise.
Microsoft shares threat intelligence and is part of CISP (the Cyber Security Information Sharing Partnership), an initiative between government and industry to combat cyber threats. Only threat intelligence is shared, never customer information or data.
Stuart recommended joining CISP if your firm is not already a member.
Microsoft Datacenter security
Stuart discussed the level of physical security at the 39 Microsoft datacenters around the world – tank traps, zigzagged roads, and biometric and body scans that people must pass through before even entering the building.
Even then the data is completely anonymous: nobody in the building knows which company's data is stored on a given server, and all hard disks no longer in use are destroyed on site.
Several highly regulated industries are already using the Cloud, and it is unlikely that most organisations could match the billions of dollars Microsoft spends on security.
Cloud Principles
Online guidance is available on what to request from suppliers when compiling questions and gathering evidence to present to the board, so that security and compliance concerns can be addressed when moving to the cloud.
Round table discussion
The round table session posed some questions from the group:
Stuart was asked for an example of a use case where there was resistance to moving to the cloud, and what the success factors were in winning them over.
Cost – Microsoft state it’s generally cheaper to move infrastructure to the cloud
Security – it's more secure: Microsoft carries out more penetration tests and has an attack team that regularly tries to penetrate its own systems. Microsoft has access to threat intelligence and is always running the latest operating system.
New features are delivered faster in the Cloud – this does also bring some level of risk.
Where data is held is the biggest fear for law firms
There are 39 Cloud regions worldwide, and when starting with Azure you decide which region stores your data. Stuart mentioned the Microsoft Dublin data centre case to highlight the lengths Microsoft went to in protecting an individual customer's privacy: Microsoft took the case to one of the most expensive courts in the world to challenge a warrant seeking emails belonging to an individual that were stored in Dublin.
How AI is used to check for malware
Law firms are using Mimecast to protect their email, and Microsoft also recommends Defender ATP, along with internal steps to whitelist and to stop people gaining admin access, making hacking harder. Scanning your own services for attacks and applying defence in depth should be policy, to lower the risks.
Multifactor Authentication outage
Microsoft's outage of the MFA service caused users a lot of problems accessing Office applications. Stuart said that while this was not good enough, it happened, and organisations should plan for offline working in case of any outage.
OneDrive is a backup solution so that users can still access Office applications.
How can the IT dept keep up with the complexity of new features from Microsoft?
Microsoft sends notifications of new features, and roadmaps give details of what is coming; these are now drip-fed throughout the year rather than released in one hit. IT needs to monitor and prioritise which vendors are worth the time to track.
To help with training and implementing Azure and new features, the following resources are available:
Microsoft direct account team
Fast track Azure Team
Online Learning – MS Learn
Office 365 Security and Compliance guide
The Trust portal is a useful tool for presenting to the board; it can help you put together a matrix of questions and evidence to present to them.
Next meeting
The meeting rounded off with agreement on the next topic: Chatbots – how they are implemented, and real use cases.
To find out what was discussed at our previous meetings, please see our recent blog posts, Azure User Group Meeting and Azure Dev Test. If you are interested in attending the next meeting, please register.