The journey of safe digital transformation

“Every business will be a software business!” So said Satya Nadella, CEO of Microsoft, at the Microsoft Convergence conference in 2015. If you think about it, you will notice that this sentence could change a lot for you and for your business. Your organization may already be engaged in a business transformation to work more digitally and become ‘Digital to the core’. Digital Transformation provides new opportunities. You might even create a whole new market or become an industry leader.

Is your organization developing itself into a market leader? Does your business compete with new competitors through digitization? Are you being acquired by a start-up? Digital transformation has accelerated organizations through the use of mobile technology, cloud applications, big data and the Internet of Things (IoT). However, security is a very important aspect of Digital Transformation.

Microsoft and security: no future without a past

Microsoft launched Trustworthy Computing with the introduction of Windows Server 2003: “Trustworthy Computing focuses on creating and delivering secure, private, and reliable computing experiences based on sound business practices. Our goal is a safer, more trusted Internet. The security of our customers’ computers and networks is a top priority. We are committed to building software and services that help protect our customers and the industry. Our approach to security includes both technological and social aspects, and we strive to ensure that information and data are safe and confidential. Drawing on industry best practices, we make investments to increase the security of our technologies and to provide guidance and training to help minimize the impact of malicious software.” (https://www.microsoft.com/en-us/twc/security.aspx)

Security has been a priority within Microsoft for a while now. Microsoft launched the product family Microsoft ForeFront, which was focused on security and protection. However, after initial rumors in 2012, Microsoft announced in 2013 that the ForeFront product line would be discontinued late in 2015. (https://blogs.technet.microsoft.com/hybridcloud/2013/12/17/important-changes-to-the-forefront-product-line/)

But with the end of ForeFront, does Microsoft have a focus on security? During the Microsoft World Wide Partner Conference in 2014, Microsoft CEO Satya Nadella announced that Microsoft is very serious about security and has added security as a fifth strategic pillar next to Cloud, Mobile, Big Data and Social. (https://news.microsoft.com/speeches/satya-nadella-wpc-2014-keynote/#sm.00001xwzgevb5e3pyl72gdgz1zvzo)

In an interview (October 2015) Nadella suggested that he feels personally responsible when it comes to focusing on Security, Trust, Transparency & Compliance. But ForeFront is end of life now. Is there still a focus on security, and what are the solutions that Microsoft will offer?

A “loose” product line for security solutions is no longer the way forward, stated Microsoft. Therefore, Microsoft now integrates the necessary security into all existing solutions and products. Some examples: Multi-Factor Authentication in Office 365, encryption in Azure, Office 365 Message Encryption, Azure Information Protection, Windows Hello, Exchange Advanced Threat Protection, Shielded Virtual Machines in Windows Server 2016 and Windows 10 Advanced Threat Protection. The list is too long to describe exhaustively in this blog post, but there is an obvious focus on security by Microsoft. At the Worldwide Partner Conference 2016 Microsoft announced that Enterprise Mobility Suite will be renamed to ‘Enterprise Mobility + Security’. Operations Management Suite will also be renamed, to ‘Operations Management + Security’. Windows Server 2016 and System Center 2016 were announced as GA at Microsoft Ignite 2016 in September. These products have a lot of security components, and customers can configure many security controls.

Security, Trust, Transparency & Compliance

A common view is that working “safely” only has to do with the aspect of security. That is not the case: it is much more the combination of Security, Trust, Transparency & Compliance. Microsoft also names these aspects very explicitly in its vision of Digital Transformation. Cloud is an important concept that enables Digital Transformation (and here again: IoT and Big Data). All four of the aforementioned key aspects of security are applicable to cloud.

Everything starts with the principle of trust or confidence. Microsoft (cloud) customers should have confidence in the service or product. This confidence is in part generated by Service Level Controls such as service level agreements and uptime guarantees. On the other hand, Microsoft has some specific (security) controls available so that customers can manage their data depending on the requirements and conditions of their organization.

Microsoft also gives extra confidence through increased transparency in its services. For example, Microsoft does not have access to the data of a customer within the Office 365 application. Access to the data by Microsoft is possible only when the customer asks for specific help from a Microsoft engineer. A Microsoft engineer can get access to customer data when a customer requires this, and the engineer gets access to execute a specific task for a limited period of time, all approved by the customer. This particular process is called ‘Customer Lockbox’. All operations are logged during this process, and this information can be audited by an external party. Microsoft meets many certifications in the area of compliance, such as HIPAA, ISO, DISA and SOC 1 and SOC 2. (https://www.microsoft.com/en-us/TrustCenter/Compliance?service=Office#Icons)

From cloud to datacenter

Certain solutions from Microsoft public cloud services, such as Office 365 and Azure, are also present in on-premises software products that were recently launched. Think of Windows Server 2016, Azure Stack and System Center 2016. Windows Server 2016 includes Just in Time (JIT) and Just Enough Administration (JEA). These make it no longer necessary for an administrator to have full and unrestricted administrator rights to all the domain features. The administrator is granted only the specific rights necessary to perform an action, and only for a certain period of time. In this way the work can be executed, while the risk of other undesirable (side) operations being carried out is minimized.
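
As an added illustration (not part of the original post), this is a minimal JEA endpoint on Windows Server 2016 that lets one group inspect services and restart only the DNS service. The module name `ExampleJEA`, the group `CONTOSO\DnsOperators`, the user `CONTOSO\alice` and the directory paths are hypothetical placeholders. The time-limited (JIT) part is handled separately and is not shown here.

```powershell
# Added example: all names and paths below are hypothetical placeholders.
# Run in an elevated PowerShell 5.1 session on the server being delegated.

# 1. Role capability files are resolved by name from a module's
#    RoleCapabilities folder, so create a small container module.
$module = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\ExampleJEA'
New-Item -ItemType Directory -Path "$module\RoleCapabilities" -Force | Out-Null
New-ModuleManifest -Path "$module\ExampleJEA.psd1"

# 2. Define what the role may do: read service state, and restart
#    only the service named 'DNS'. Everything else stays hidden.
New-PSRoleCapabilityFile -Path "$module\RoleCapabilities\DnsOperator.psrc" `
    -VisibleCmdlets @(
        'Get-Service',
        @{ Name       = 'Restart-Service'
           Parameters = @{ Name = 'Name'; ValidateSet = 'DNS' } }
    )

# 3. Define the endpoint: restricted language and cmdlet set, a temporary
#    virtual account instead of the operator's own rights, and a
#    transcript of every session for later audit.
$transcripts = 'C:\ProgramData\ExampleJEA\Transcripts'
New-Item -ItemType Directory -Path $transcripts -Force | Out-Null

$sessionFile = Join-Path $env:TEMP 'DnsOperator.pssc'
New-PSSessionConfigurationFile -Path $sessionFile `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory $transcripts `
    -RoleDefinitions @{
        'CONTOSO\DnsOperators' = @{ RoleCapabilities = 'DnsOperator' }
    }

# 4. Validate the file, then register the endpoint.
if (-not (Test-PSSessionConfigurationFile -Path $sessionFile)) {
    throw 'Session configuration file is invalid.'
}
Register-PSSessionConfiguration -Name 'ExampleJEA.DnsOperator' `
    -Path $sessionFile -Force

# 5. Review what a given user would actually be allowed to run.
Get-PSSessionCapability -ConfigurationName 'ExampleJEA.DnsOperator' `
    -Username 'CONTOSO\alice'
```

Members of the group connect with `Enter-PSSession -ConfigurationName ExampleJEA.DnsOperator` and never need to be local or domain administrators.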

Third party solutions

Today, Microsoft is more ‘open’ than ever before. Microsoft now offers various APIs (Application Programming Interfaces) with which third parties can provide additional security solutions to their customers. Think of the “Activity API” in Office 365: several suppliers have built reporting solutions on top of this API. Or take the firm Barracuda, whose “Web Application Firewall” and “Next Generation Firewall” provide additional functionality within Azure, so that customers get even more protection.

“Building a cloud for global good” – but where do you feel most comfortable?

This was perhaps a somewhat lengthy introduction to reach the final conclusion that Microsoft is indeed very active in the area of Security, Trust, Transparency & Compliance, for both cloud solutions and on-premises products.

If you want more detailed information about Microsoft's vision for Security, Trust, Compliance & Transparency, I recommend viewing the presentation given by Brad Smith (President and Chief Legal Officer, Microsoft) at the World Wide Partner Conference 2016: Building a cloud for global good (https://youtu.be/LNExqi1_pzg).