Microsoft has made a giant leap forward in making your online world more secure by making passwords optional for personal Microsoft (MSA) accounts, such as your personal Office 365 or Hotmail account.
It’s no secret that Microsoft is actively striving to make passwords a thing of the past by supporting passwordless accounts. Microsoft already supports passwordless sign-in for commercial Microsoft 365 users as well as personal (MSA) accounts, but is now taking this a step further by allowing the password to be removed entirely!
Beginning today, you can now completely remove the password from your Microsoft consumer account. Use Microsoft Authenticator app, Windows Hello, a security key, or a verification code sent to your phone or email to sign in to your favourite apps and services, such as Outlook, OneDrive, FamilySafety, and more.
Vasu Jakkal | CVP of Microsoft Security
How is passwordless more secure than MFA?
Firstly, Microsoft isn’t alone in this view: both Facebook and Google have also started to actively champion the “death of the password”, which is typically the weakest link in online account security since it is so often compromised, stolen or phished. Let’s face it, nobody likes passwords: we have to create ever more complex and unique passwords, remember them, change them frequently and, of course, use different ones across different sites.
In a blog on the topic today, Microsoft said that they “have heard great feedback from our enterprise customers who have been on the passwordless journey with us. In fact, Microsoft itself is a great test case — nearly 100% of our employees use passwordless options to log in to their corporate account.”
In order to make your MSA account totally passwordless, you need to have the Microsoft Authenticator app installed on your phone and set up for Multi-Factor Authentication.
Once this is working, go to https://account.microsoft.com, sign in, and navigate to “Advanced Security Options”. There you should see a subsection called “Additional Security Options” containing a “Passwordless Account” option, which you can turn on.
It is unknown if or when Microsoft will remove passwords altogether, and at the moment you can still re-add a password to your Microsoft account if you want or need to.
Microsoft have announced that real-time co-authoring support for encrypted documents (which has been in preview for a while) is now generally available. Co-authoring is a feature that allows users to collaborate on documents across Word, Excel and PowerPoint, for example, but until now it only worked on files that were not protected with encryption.
“With Microsoft 365, when sensitivity labels are used to encrypt Word, Excel, or PowerPoint documents, multiple users can now edit these documents in real-time with AutoSave, empowering teams to do their best work while maintaining protection across the document lifecycle,” Paras Kapadia, Principal Program Manager for Office 365 explained.
Co-authoring support for protected files is available now on the Web, Windows and Apple Mac clients and will be coming to iOS and Android “soon”.
You must “enable it” to enable it!!
It’s worth noting that, unlike many Microsoft 365 features which are “on by default”, organisations that want to use co-authoring on protected documents need to enable this in the Microsoft 365 Compliance Center.
Microsoft also provide full guidance for admins on how to do this here. Please note: once enabled, you need to contact Microsoft support should you want/need to turn this off for any reason.
Microsoft have announced a more cost effective endpoint protection plan for Microsoft 365 and Windows customers. Named Microsoft Defender for Endpoint P1, this provides comprehensive threat prevention and protection for endpoints running Windows, macOS, Android and iOS, and will be included for free in Microsoft 365 E3/A5 SKUs.
The existing Microsoft Defender for Endpoint SKU will become Defender for Endpoint Plan 2 and is the version currently included in Windows E5 and Microsoft 365 E5.
Microsoft say that this new solution “will make it easier for more security teams across the globe to buy and adopt the best of breed fundamentals of Microsoft Defender for Endpoint”. Next generation protection, device control, endpoint firewall, network protection, web content filtering, attack surface reduction rules, controlled folder access, device based conditional access, APIs and connectors, and the ability to bring your own custom threat intelligence (TI) are some of the capabilities of this new plan.
The endpoint remains one of the most targeted attack surfaces as new and sophisticated malware and ransomware continue to be prevalent threats and it’s not slowing down. Ransomware in particular continues to persist and evolve, financial damage continues to increase, and the impact is felt across numerous industries.
Over the last year, Microsoft have seen more than a 120% increase in organisations that have encountered some form of ransomware attack, as shown in the graphic provided by Microsoft.
Microsoft are keen to ensure they provide “security for all”, and this comes just days after a commitment with President Biden to invest more than $20 billion in security over the next 5 years.
Microsoft claims they already provide best of breed, multi-platform and multi-cloud security for organisations across the globe, and that their integrated suite of security, threat protection and remediation services provides simplified, comprehensive protection that prevents breaches and enables their customers to innovate and grow.
Microsoft say that “as part of that commitment, we’re excited to offer a foundational set of our market leading endpoint security capabilities for Windows, macOS, Android, and iOS at a lower price in a new solution to be named Microsoft Defender for Endpoint Plan 1 (P1) which will also be included in Microsoft 365 E3 for free.”
Licensing and Pricing
The great news is that “Plan 1” will be included in Microsoft 365 E3/A3 at no additional cost and will be made available as a low cost add-on for other SKUs. Microsoft 365 E5/A5 will continue to include Defender for Endpoint “Plan 2”.
This is currently in public preview, meaning you can sign up for it for free for 90 days now. After the 90 days is up, you can buy this from your friendly Microsoft CSP or licensing partner. Customers who already have Microsoft 365 E3/A5 will get this for free once it is released for General Availability (within the next 90 days) and will then be able to enable and use the service.
Plan 1 and Plan 2 compared
The diagram below shows the extent of the threat protection and remediation services offered by Microsoft Defender for Endpoints.
Plan 1 is aimed at organisations looking mainly for endpoint protection (EPP), where you get best of breed fundamentals in prevention and protection for all your client endpoints. It includes next generation protection, device control, endpoint firewall, network protection, web content filtering, attack surface reduction rules, controlled folder access, device based conditional access, APIs and connectors, and the ability to bring your own custom TI. Finally, it includes access to the Microsoft 365 Defender security experience to view alerts and incidents, security dashboards and device inventory, and to perform investigations and manual response actions on next generation protection events.
Plan 2 is aimed at most larger enterprises who need full endpoint detection and response (EDR). This builds on Plan 1 and provides full EDR capabilities to further prevent security breaches, reduce time to remediation, and minimise the scope of attacks with vulnerability management, endpoint detection and response, fully automated remediation, advanced hunting, sandboxing, managed hunting services, and in-depth threat intelligence and analysis about the latest malware campaigns and nation state threats.
The table below compares the capabilities offered in Plan 1 versus Plan 2.
You can sign up for the preview using the link here, and Microsoft have also published a detailed blog post which goes into more detail than I have shared above and provides a simple walk-through for admins and sec ops.
You can also read the latest Gartner report which details Industry leading security capabilities.
Microsoft and Rubrik (a US-based data backup and protection company rated as a leader by Gartner) have announced a new strategic partnership which will see them working together to provide Zero Trust data protection, helping organisations protect against and mitigate the rising threat and risks of ransomware attacks across cloud and hybrid cloud environments, including of course Azure and Microsoft 365.
This work will address the rising customer needs to protect against surging ransomware attacks, which are growing 150% year on year.
As part of the partnership, Microsoft has also made an equity investment in Rubrik.
Who are Rubrik?
Rubrik work with enterprise customers, helping them protect against and recover from ransomware attacks, automate data security operations, and transition data from on-premises data centres to the cloud.
Like Microsoft, Rubrik takes a Zero Trust approach to data management, which follows the NIST principles of Zero Trust. Zero Trust is based on the concept of “never trust, always verify.” In practice, this means that access to any resource within the network must be subject to specified trust dimensions, or parameters. Failure to meet these parameters results in denial or revocation of access. This is in complete contrast to previous security models that assumed implicit trust within the network perimeter.
Rubrik said in an announcement that:
“As the pioneer of Zero Trust Data Management, Rubrik is helping the world’s leading organizations manage their data and recover from ransomware. Together with Microsoft, we are delivering tightly integrated data protection while accelerating and simplifying our customer’s journey to the cloud.”
Bipul Sinha | Co-founder and CEO | Rubrik
The better together story
Rubrik and Microsoft are already partners and, according to Microsoft’s press statement, have been working together with over 2,000 mutual customers using Azure across six continents. In a press release announcing this new strategic partnership, Microsoft said that “the two companies will be providing Zero Trust data protection for hybrid cloud environments, including Microsoft 365”.
“End-to-end application and data management is critical to business success, and we believe that integrating Rubrik’s Zero Trust Data Management solutions with Microsoft Azure and Microsoft 365 will make it easy for customers to advance their Zero Trust journey and increase their digital resilience.”
Nick Parker, Microsoft CVP Global Partner Solutions.
Summary and Thoughts
The data backup and recovery market is a big and crowded marketplace, with leading companies like Veeam, Acronis, Veritas, Arcserve, Commvault etc. making data backup and recovery their market and currency.
Microsoft uses a “shared responsibility” model for data and availability of services delivered online: they take responsibility for the services being available, online and resilient, but it is up to the customer to govern, secure, back up and maintain their own data and content, which is where the traditional backup and recovery vendors have stepped in.
This investment could signal a new longer term area of focus and growth for Microsoft, which could put pressure on the other vendors in this space, especially if Microsoft now have a vested interest in having a “preferred” partner / vendor for data protection and recovery.
What do you think?
Do you work with or use Rubrik for data protection? How do you see this playing out? Good or bad for the market?
Microsoft 365 now has “Safe Links” protections across Microsoft Teams for any organisation that uses Microsoft Defender for Office 365 (formerly Office 365 ATP).
What is Safe Links?
Safe Links is a feature of Defender for Office 365 that scans URLs clicked by end users to check for malware and malicious or phishing sites in real time.
Safe Links was first introduced in 2015 (for just Exchange Online at the time) and was originally used to “detonate” links in e-mails to detect malicious payloads. Safe Links was subsequently added to Microsoft 365 applications, as well, such as PowerPoint and Word.
With the latest update and expansion across Microsoft 365, Safe Links now provides transparent, integrated and native intelligent protection against malicious links in conversations, group chats and channel chats across Microsoft Teams.
Enabling the feature
This can be configured in the Microsoft 365 Defender portal. Detailed instructions can be found here.
As with Safe Links across the other Office services, admins can add exclusions and trusted sites if needed.
After acquiring RiskIQ just last week and ReFirm the month before, Microsoft have just announced they are now acquiring CloudKnox, a leader in Cloud Infrastructure Entitlement Management (CIEM).
Who are CloudKnox?
Founded in 2015, CloudKnox is the only multi-cloud, hybrid cloud permissions management platform that provides granular visibility, automated remediation and continuous monitoring, consistently enforcing least-privilege principles to reduce risk. CloudKnox works with Azure, the AWS and Google public clouds, and leading virtualisation and hybrid cloud vendors including VMware.
CloudKnox is the leader in the Cloud Infrastructure Entitlement Management (CIEM) space and offers complete visibility into privileged access within cloud services.
What Microsoft plans to do with the CloudKnox acquisition
In Microsoft’s most recent security blog, Joy Chik (VP of Identity at Microsoft) said:
“Modern identity security needs to protect all users and resources consistently across multi-cloud and hybrid cloud environments….Today, Microsoft is taking a significant step toward this goal with the acquisition of CloudKnox Security, a leader in Cloud Infrastructure Entitlement Management (CIEM). CloudKnox offers complete visibility into privileged access. It helps organizations right-size permissions and consistently enforce least-privilege principles to reduce risk, and it employs continuous analytics to help prevent security breaches and ensure compliance. This strengthens our comprehensive approach to cloud security.”
Joy Chik, Corporate VP of Microsoft Identity
The post (which can be read here) summarises how Microsoft will leverage the CloudKnox technology to help security admins with tasks such as managing privileged access in multi-cloud and hybrid cloud environments, through a set of comprehensive yet simple threat assessment and prevention methods, as well as ensuring security enforcement and governance.
Finally, Microsoft said that the acquisition of CloudKnox will allow Microsoft to further harden Azure Active Directory with more granular visibility, continuous monitoring and automated remediation for hybrid and multi-cloud identities, access and permissions, further solidifying their market leading position in Identity and Access Management.
Extended Security Updates were made available (at a cost) by Microsoft for both SQL Server and Windows Server versions 2008 and 2008 R2 after “official support” ended, but these extended support updates are also now coming to an end:
SQL Server 2008: July 9th, 2022
Windows Server 2008/2008 R2: Jan 14th, 2023
If your organisation is still running any of these older server products in Azure then you are currently entitled to (and receiving) 3 years of free Extended Security Updates, and Microsoft have recently announced that one more year of Extended Security Updates will be available BUT ONLY if these workloads are running in Azure.
SQL Server and Windows 2012
Support for SQL Server 2012 and Windows Server 2012 / 2012 R2 is also coming to an end:
SQL Server 2012: July 12th, 2022
Windows Server 2012/2012 R2: October 23rd, 2023
As with version 2008, Microsoft will be making (again at a cost) 3 years of Extended Security Updates available from your licensing partner or Cloud Solution Provider (CSP) and, as before, these will be free if these workloads are running in (or moved into) Azure.
If you are not planning on moving these into Azure, then you’ll need to buy licences for each server instance you need to cover.
The cost of ESU is:
Year 1: 75% of the licence cost
Year 2: 100% of the licence cost
Year 3: 125% of the licence cost
What are my options?
If you are still on Windows Server 2008 or SQL 2008, you have 3 options:
Migrate the VMs/Servers into Azure for ONE MORE YEAR of free support
Migrate or Rehost apps and workloads to Windows Server and SQL Server on Azure virtual machines
Modernize with Azure services such as App Service and Azure SQL Managed Instance, and never have to patch or upgrade again.
If you are on Windows Server or SQL Server 2012, you have 4 options:
Pay for Extended Support for up to 3 years
Upgrade the Servers to a supported version of SQL and Windows
Migrate or Rehost apps and workloads to Windows Server and SQL Server on Azure virtual machines
Modernize with Azure services such as App Service and Azure SQL Managed Instance, and never have to patch or upgrade again.
Windows 365 is a new service that will let users access their corporate ‘cloud’ PC from anywhere by streaming a version of Windows 10 (or Windows 11 when released) in a web browser. At initial launch (2nd August 2021), organisations have two edition options – Windows 365 Business and Windows 365 Enterprise – with multiple Cloud PC configurations in each edition based on performance needs.
Designed for the disparate and agile workforce
Windows 365 allows organisations to equip distributed workforces, temporary and seasonal employees, contractors, and employees who need specialised workloads in a flexible and highly secure manner, regardless of their location or device. Windows 365 will allow organisations to add and remove users with secure managed Cloud PCs according to the changing needs of the business and of the individual user, allowing them to scale for busy periods without the logistical challenges of issuing new hardware. Cloud PCs can be scoped and scaled to the specification/power that best meets the user’s need, and are paid for at a simple per user, per month price.
Built on Azure Virtual Desktop – runs on anything
Windows 365 is built on Azure Virtual Desktop but simplifies the virtualization experience and licensing. Organisations that require greater customization and flexibility can of course still opt for Azure Virtual Desktop to modernize their VDI (Virtual Desktop Infrastructure) in the cloud or use a combination of both.
Windows 365 offers a consistent Windows experience, across any device/operating system including Windows, Mac, Linux, iOS, or Android. It promises to support all your business apps such as Microsoft 365, Dynamics 365, Power Platform, line of business apps, and more as well as the Office 365 suite.
It provides an instant-on boot experience that enables users to stream all their personalized applications, tools, data, and settings from the cloud across any device and allow them to pick up right where they left off. The state of a user’s Cloud PC remains the same, even when they switch devices.
Consistent Device Management
Microsoft Endpoint Manager is used to procure, deploy and manage Cloud PCs, so managing Windows 365 is consistent with how IT already manages physical devices. Cloud PCs are managed alongside physical devices, and management and security policies can be applied to them in the same way. There is extensive monitoring too, and IT can change the specification (processor, RAM and disk) on the fly to adjust the performance of the Cloud PC and make sure users are getting the best experience. There are also built-in analytics and performance metrics to look at connection health across the network and make sure Cloud PC users can reach everything they need.
Built on a Zero Trust Foundation
Windows 365 is built with a focus on a Zero Trust architecture. It stores information in the cloud, not on the device, and encryption is used everywhere as you’d expect with an Azure service. All managed disks running Cloud PCs are encrypted, stored data is encrypted at rest, and all network traffic to and from the Cloud PCs is also encrypted.
Unlike other virtualisation services, Windows 365 is priced per user, and licences are allocated via the Microsoft 365 admin centre in the same way as other Microsoft 365 E3/E5 licences.
Windows 365 will initially come in two flavours – Business and Enterprise, and Microsoft will offer 12 different configurations for both the editions. The Cloud PCs can be configured with a single CPU, 2GB of RAM, and 64GB of storage at the low-end, all the way up to eight CPUs, 32GB of RAM, and 512GB of storage.
A full range of available configuration and example scenarios is available here.
Windows 365 will be officially available on August 2, 2021, and pricing will be announced on the same day, though rumours suggest pricing will start from around £25 per user per month.
Microsoft has just announced that they are to acquire cyber security company RiskIQ in a $500m deal.
RiskIQ provide cloud-based software as a service (SaaS) for businesses to identify phishing, fraud, malware and other online threats.
Microsoft’s Eric Doerr (VP of Cloud Security) explained in their announcement how RiskIQ’s expertise and global threat intelligence platform will help their customers to better understand online threats in their digital transformation journey, with the technology becoming part of Microsoft’s integrated security and threat protection suite.
“The combination of RiskIQ’s attack surface management and threat intelligence empowers security teams to assemble, graph, and identify connections between their digital attack surface and attacker infrastructure and activities to help provide increased protection and faster response”.
Eric Doerr (Microsoft VP of Cloud Security)
Microsoft have a growing and comprehensive industry leading portfolio of integrated security and threat protection solutions for addressing the needs of hybrid and multi-cloud environments. The acquisition of RiskIQ’s expertise follows an ongoing list of acquisitions in the cybersecurity area.
“Our (RiskIQ’s) technology and amazing people will be a powerful addition to Microsoft solutions. Together, we’ll empower CISOs and security operations teams to proactively detect and defend their enterprise against all threats, both on-premise and across multi-cloud.”
Statement from RiskIQ
You can read the full announcement in the Microsoft Security Blog here.
Microsoft Inspire is Microsoft’s largest (and global) annual partner event and as usual features several high-profile global execs including CEO Satya Nadella and EVP of Worldwide Commercial Business Judson Althoff.
What might we hear about?
Last year there was huge news and updates around Azure, Microsoft Teams and Microsoft Edge, as you’d expect, along with a focus on new services such as Microsoft Lists and Power Automate Desktop.
This year we can expect to hear about new enhancements and updates, and I expect to see a focus on the recently(ish) announced Microsoft Viva, along with more updates around Windows (following the event on the 24th June) and probably some new things none of us are expecting.
You can register for Microsoft Inspire 2021 on this page with your Microsoft account, Office 365, LinkedIn, or GitHub account.