Tag Archives: compliance

BlackBerry and Microsoft partner to empower the mobile workforce

Companies deliver seamless Mobile App experience and policy compliance; BlackBerry Secure platform now available on Azure

WATERLOO, ONTARIO and REDMOND, Wash. – March 19, 2018 BlackBerry Limited (NYSE: BB; TSX: BB) and Microsoft Corp. (NASDAQ: MSFT) today announced a strategic partnership to offer enterprises a solution that integrates BlackBerry’s expertise in mobility and security with Microsoft’s unmatched cloud and productivity products.

Through this partnership, the companies have collaborated on a first-of-its-kind solution: BlackBerry Enterprise BRIDGE. This technology provides a highly-secure way for their joint customers – the world’s largest banks, healthcare providers, law firms, and central governments – to seamlessly use native Microsoft mobile apps from within BlackBerry Dynamics.

By making Microsoft’s mobile apps seamlessly available from within BlackBerry Dynamics, enterprise users will now have a consistent experience when opening, editing, and saving a Microsoft Office 365 file such as Excel, PowerPoint, and Word on any iOS® or Android™ device. This enables users to work anytime, anyplace, with rich file fidelity. At the same time, corporate IT departments benefit from a greater return on their existing investments, and added assurance that their company’s data and privacy are secured to the highest standards and in compliance with corporate and regulatory policies.

“BlackBerry has always led the market with new and innovative ways to protect corporate data on mobile devices,” said Carl Wiese, president of Global Sales at BlackBerry. “We saw a need for a hyper-secure way for our joint customers to use native Office 365 mobile apps. BlackBerry Enterprise BRIDGE addresses this need and is a great example of how BlackBerry and Microsoft continue to securely enable workforces to be highly productive in today’s connected world.”

“In an era when digital technology is driving rapid transformation, customers are looking for a trusted partner,” said Judson Althoff, executive vice president of Worldwide Commercial Business at Microsoft. “Our customers choose Microsoft 365 for productivity and collaboration tools that deliver continuous innovation, and do so securely. Together with BlackBerry, we will take this to the next level and provide enterprises with a new standard for secure productivity.”

“Along with a number of our peers in the Financial Services industry, we see strategic partnerships like this one as key to enhancing and bringing new products to market,” said George Sherman, Managing Director, CIO Global Technology Infrastructure, JPMorgan Chase. “This partnership will help create a more seamless mobile experience for end-users, which is a top priority for us at JPMorgan Chase.”

Lastly, the companies shared that the BlackBerry Secure platform for connecting people, devices, processes and systems, has been integrated with the Microsoft Azure cloud platform. Specifically, BlackBerry UEM Cloud, BlackBerry Workspaces, BlackBerry Dynamics, and BlackBerry AtHoc are now available on Azure.

To learn more, please visit BlackBerry.com.

About Microsoft

Microsoft (Nasdaq “MSFT” @microsoft) is the leading platform and productivity company for the mobile-first, cloud-first world, and its mission is to empower every person and every organization on the planet to achieve more.

About BlackBerry

BlackBerry is a cybersecurity software and services company dedicated to securing the Enterprise of Things. Based in Waterloo, Ontario, the company was founded in 1984 and operates in North America, Europe, Asia, Australia, Middle East, Latin America and Africa. The Company trades under the ticker symbol “BB” on the Toronto Stock Exchange and New York Stock Exchange. For more information, visit www.BlackBerry.com.

BlackBerry and related trademarks, names and logos are the property of BlackBerry Limited and are registered and/or used in the U.S. and countries around the world. All other marks are the property of their respective owners. BlackBerry is not responsible for any third-party products or services.

###

Media Contacts:

BlackBerry

(519) 597-7273

mediarelations@BlackBerry.com

Microsoft Media Relations

WE Communications for Microsoft

(425) 638-7777

rrt@we-worldwide.com

Investor Contact:

BlackBerry Investor Relations

(519) 888-7465

investor_relations@BlackBerry.com


Office 365 labels help keep content under control

Office 365 labels make it easy to classify data for compliance purposes through both manual and automatic methods.

Office 365 label policies, included with E3 subscriptions, provide a central location to configure and publish labels to Exchange Online, SharePoint Online and the services that depend on them, such as Office 365 Groups.

For example, administrators can add a label named Financial Data to the Security & Compliance Center and designate it to keep data with that label for six years. An Office 365 label policy pushes that label out to the other Microsoft services on the platform.

Users mark items in their inbox or documents with labels. Office 365 labels have policies that retain or delete data based on the organization’s needs. Personal data might get marked for deletion after a certain amount of time following a review, for example, or other information might get marked as an organizational record, so nobody can change or purge it.

The Advanced Data Governance functionality in an E5 subscription enables the automatic application of data labels based on keywords or sensitive information. Policies could mark all data with Social Security numbers as personal data or mark all data with credit card numbers as financial data.


Label policies require some forethought to cover different types of information. Many organizations might require multiple labels to cover the types of data to retain or delete.

Office 365 labels take approximately 24 hours before they appear. Automatic labeling starts after about seven days.

User or organization-wide retention policies that hold data take precedence over Office 365 labels. A policy that holds data for 10 years across the organization will overrule one that removes certain data after five years.


Compliance Manager tool aims to ease security audit process

underlying environment also means they are at Microsoft’s mercy for its answers on regulatory compliance audits. To address this situation and others, Microsoft developed a Compliance Manager tool that provides a real-time risk analysis of the different cloud workloads.

Over the last year, there has been an uptick in security measures in the enterprise. Two compliance regulations that come up frequently are the Health Insurance Portability and Accountability Act (HIPAA) and the General Data Protection Regulation (GDPR).

For HIPAA, introduced in 1996, the rise in hospital audits by the Office for Civil Rights and data breaches in recent years has many enterprises re-evaluating their security practices around patient data. GDPR is the compliance requirement that starts May 25, 2018, for organizations that handle the data of European Union citizens.

Most organizations that deal with HIPAA, GDPR or any other regulatory compliance know the difficulties associated with tracking results from audits, questionnaires, surveys and other standard operating procedures. The amount of information required to satisfy requests for compliance checklists and security assessments can overwhelm many Exchange administrators.

Regardless of the industry, the IT staff must address regulatory compliance audits; otherwise, the company can face financial and legal penalties. Microsoft released its Compliance Manager tool in November to assist IT in these efforts.

Compliance Manager tool offers compliance overview

Compliance Manager is a SaaS application located in the Service Trust Portal that features a dashboard summary of an organization’s data protection, compliance status and documentation details related to GDPR, HIPAA and other requirements.

The Compliance Manager tool provides an automated assessment of Microsoft workloads such as Office 365, Dynamics 365 and some in Azure. The utility suggests ways to boost compliance and data protection in the environment.

Compliance audits often require gathering the same information. Exchange administrators can save some time by using the Compliance Manager tool, which acts as a central repository of audit details and documentation. Admins can maintain this documentation over time and ensure they meet the compliance processes mandated by their teams.

The Compliance Manager tool is still in preview mode; Microsoft said it plans to have all the compliance templates set prior to May 2018, but anyone with an Office 365 subscription can sign up to test it.

For on-premises workloads, the Compliance Manager tool provides the requirements that need to be validated and evaluated by the administrators. Microsoft has not indicated if it will extend the automated assessment feature to any on-premises tools.

Compliance Manager assists administrators with compliance requirements across the different Microsoft workloads with full document management features and task management.

Compliance Manager assessments
The dashboard in the Compliance Manager tool gives a summary of the controls fulfilled by the customer and by Microsoft to meet a standard or regulation.

Compliance Manager breaks down compliance for a standard or regulation into assessments. Each assessment consists of controls mapped to a standard that are shared between Microsoft and the tenant. The dashboard shows which controls a customer and Microsoft have met to comply with a regulation or standard.

Administrators can use the Compliance Manager portal to manage control assignments for team members based on specific compliance requirements. Microsoft calls this task management feature action items, and it allocates different controls to individuals within the organization. This helps organize the tasks each IT worker is responsible for, such as the data or email retention work associated with GDPR that Exchange administrators must complete. The platform enables administrators to set the priority of each item and the individual responsible for it.

There are a few other features in the Compliance Manager tool worth noting:

  • A flexible platform that supports multiple regulations. In the initial preview release of the Compliance Manager tool, the application only supports GDPR, ISO 27001 and ISO 27018. Microsoft said it will add support for HIPAA and other regulatory standards, such as the National Institute of Standards and Technology Special Publication 800-53. Having one tool that covers the range of regulatory compliance requirements makes it a very attractive option for IT and Exchange administrators.
  • Coverage on multiple platforms. After Microsoft introduced Office 365, a number of Exchange Online administrators began to manage more than just Exchange workloads. It’s the responsibility of the IT department to ensure the interdependent workloads associated with Exchange Online meet compliance requirements. Microsoft includes assessments of Dynamics 365, Azure and the full Office 365 suite in the Compliance Manager tool to give IT full visibility into all the workloads under one compliance platform.

Compliance Manager tool shows promise

Microsoft has certainly delivered a good snapshot of what most compliance officers and administrators would like in its preview version of Compliance Manager. However, the tool only addresses three existing compliance requirements, when many in IT will want to see coverage extend to include the Payment Card Industry Data Security Standard, the Sarbanes-Oxley Act, HIPAA, Food and Drug Administration 21 Code of Federal Regulations part 11 and others. 

While there are a number of mature compliance and auditing tools in the market that offer more certifications and regulatory compliance, Compliance Manager eliminates the daunting task for administrators to produce detailed assessments under each of the compliance requirements. Some of this manual work includes interviewing Microsoft technical resources, gathering legal and written statements with certain security configurations, and, in some cases, hiring third-party auditors to validate the findings.

Microsoft will need to cover the rest of the compliance spectrum to encourage administrators to embrace this platform. But the platform is easy to use and addresses many of the concerns organizations have with the upcoming GDPR.

Office 365 compliance features keep data locked down

Stricter guidelines for compliance regarding messaging retention are forthcoming thanks to rules such as the EU General Data Protection Regulation. Administrators new to Office 365 must learn the nuance of this service’s features to prepare for these changes.

Office 365 compliance features differ from those of on-premises systems, such as Exchange Server. The tools to identify, retain and remove data are built into the Office 365 Security & Compliance Center. This portal enables businesses to keep data for as long as necessary without third-party tools or extra storage, and it works across Microsoft’s cloud services.

This article looks at the Office 365 compliance features, where they fall short and how admins can adjust for these shortcomings.

Master the Office 365 Security & Compliance Center

Until recently, Office 365 mirrored its on-premises counterpart — IT managers administered and managed compliance within each individual service. To keep data in Exchange Online, the admin would adjust settings in the Exchange Admin Center with terminology specific to Exchange. It works the same with SharePoint Online.

The Security & Compliance Center changes all this. It uses a unified portal to manage compliance functionality across the Office 365 suite. Admins use the portal to create policies for all data within the Office 365 tenant. Admins also use this section to perform discovery and searches across multiple services within Office 365.

Office 365 Security & Compliance Center
Figure 1: Admins use the Security & Compliance Center to handle compliance tasks for data across the Office 365 suite.

Admins use the Security & Compliance Center to manage data in several areas. Your organization might need more than one of these Office 365 compliance features.

  • Data loss prevention (DLP): This section identifies sensitive content automatically and prevents users from uploading or sharing the data externally or internally.
  • Data governance: This area sets policies across Office 365. It works to define how long to keep, and when to remove, data. Admins can also archive data or mark it for supervision review.
  • Classifications: This section lets admins define labels to tag content in OneDrive, SharePoint and Exchange services. These labels work with the data governance function to categorize data and apply preservation rules.
  • Sensitive information types: These definitions automatically match data, such as credit card or Social Security numbers. Built-in definitions cover most financial, medical, health and personal data, and admins can also add customized definitions. DLP functions and classifications use these definitions to auto-detect sensitive data.
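A sensitive information type is more than a regular expression: a pattern hit is only accepted once a validation step confirms it, which is what keeps order numbers and phone numbers from tripping a DLP or auto-label policy. The Python below is an added illustration of that idea and is not Microsoft's code: it scans a constructed sample for card numbers and SSNs, accepts only matches that pass a Luhn checksum or the SSA structure rules, and maps accepted findings to labels named after the Financial Data and personal data examples used on this page (the label mapping and the `redact` helper are assumptions).

```python
"""Sensitive-information-type detection: pattern match plus validation.
Hypothetical example of how a DLP / auto-label policy decides what to tag."""
import re
from dataclasses import dataclass
from typing import List, Set

# 13-19 digits with optional single space or hyphen separators,
# not embedded in a longer run of digits.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# US Social Security number in the conventional AAA-GG-SSSS form.
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")

# Assumed mapping from detected type to the label a policy would apply;
# names follow the page's own "Financial Data" / "personal data" examples.
LABEL_FOR = {"credit_card": "Financial Data", "ssn": "Personal Data"}


@dataclass(frozen=True)
class Finding:
    kind: str   # "credit_card" or "ssn"
    value: str  # matched text exactly as it appeared
    start: int  # offset of the match in the scanned text


def luhn_valid(number: str) -> bool:
    """True if the digits in `number` pass the Luhn checksum used by card numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never issues: area 000, 666 or 900-999, group 00, serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def find_sensitive(text: str) -> List[Finding]:
    """Return only the pattern hits that also pass their validation check, in text order."""
    findings = []
    for m in CARD_RE.finditer(text):
        if luhn_valid(m.group(0)):
            findings.append(Finding("credit_card", m.group(0), m.start()))
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            findings.append(Finding("ssn", m.group(0), m.start()))
    return sorted(findings, key=lambda f: f.start)


def labels_for(text: str) -> Set[str]:
    """The labels an auto-label policy would apply to an item with this content."""
    return {LABEL_FOR[f.kind] for f in find_sensitive(text)}


def redact(text: str) -> str:
    """Mask validated findings, keeping the last four characters for audit correlation."""
    out = text
    for f in reversed(find_sensitive(text)):   # walk backwards so offsets stay valid
        masked = "#" * (len(f.value) - 4) + f.value[-4:]
        out = out[: f.start] + masked + out[f.start + len(f.value):]
    return out


# Constructed sample document: every number is a well-known test value or deliberately invalid.
SAMPLE = """Card on file: 4111 1111 1111 1111 (expires 12/29).
Order reference 4111-1111-1111-1112 looks like a card but fails the checksum.
Employee SSN 123-45-6789; the placeholder 000-12-3456 is not a valid SSN.
Desk phone 555-123-4567."""

if __name__ == "__main__":
    for f in find_sensitive(SAMPLE):
        print(f"{f.kind:12s} at offset {f.start:3d}: {f.value}")
    print("labels:", sorted(labels_for(SAMPLE)))
    print(redact(SAMPLE))
```

The same two-stage structure (pattern, then checksum or structural validation) is what lets a policy keep a low false-positive rate before it blocks a share or applies a retention label.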

Understand the capabilities of Office 365 compliance features

An enterprise’s most common compliance requirement is to keep all data for a certain amount of time. Most organizations must retain data for five to 10 years, although the requirement is longer for some.

With an on-premises mailbox server, organizations typically use email journaling for compliance purposes. An email journal makes a copy of every email message — this includes the message envelope and BCC recipients — on a separate system. The business retains the copy for as long as necessary.

Video: How to build new labels in Office 365, then publish them with a policy.

Organizations on Office 365 do not need a product that copies and stores data from Exchange or SharePoint. If a worker alters or removes data from the mailbox, SharePoint sites or OneDrive for Business, data governance keeps the original in Office 365.

In Figure 2, an admin creates a policy that targets all Office 365 data. The preservation lock feature prevents the Office 365 administrator from removing the policy to add an extra layer of security.

Office 365 policies
Figure 2: This policy protects data in all areas of the Office 365 suite.

Use DLP to hinder leaks

Many organizations with on-premises messaging servers try to prevent disclosures of sensitive data in email with edge-based DLP tools. But edge-based DLP tools only defend the email gateway and do not account for other ways users share sensitive information. Unless it integrates with OneDrive or SharePoint, an edge-based DLP tool does not scan documents included as a link, rather than an attachment, in email.

Office 365 DLP works across both Exchange and SharePoint and prevents sensitive data from being uploaded and shared. For example, admins can configure Office 365 DLP to prevent users from sending a list of credit card numbers to a OneDrive for Business account. Alternatively, admins can set a DLP policy to stop users from sharing credit card numbers with external guests.

New DLP policy
Figure 3: This Office 365 DLP policy sends an alert if the content includes insurance information or passport numbers.

The classifications feature identifies and marks this sensitive data for retention and removal. Autolabel policies can search for data across Exchange, SharePoint and OneDrive by keyword. The admin can further adjust settings in sensitive information types to mark data and remove it.

Enterprise compliance with PCI DSS is up, says Verizon

Verizon has some good news and some bad news about organizations’ compliance with PCI DSS.

In its 2017 “Payment Security Report,” Verizon analyzed the “compliance patterns and control failures” of organizations subject to PCI DSS. The report also pulled information from Verizon’s annual “Data Breach Investigations Report” and looked at the correlation between the findings of each.

The good news in the report is that more companies reached full compliance with PCI DSS in 2016 than in 2015.

“For the first time, more than half (55.4%) of companies we assessed were fully compliant at interim validation, compared to 48.4% in 2015,” Verizon wrote. “But that means that nearly half of stores, hotels, restaurants, practices and other businesses that take card payments are still failing to maintain compliance from year to year.”

While having more than half of organizations compliant is a positive trend, Verizon also noted that compliance doesn’t necessarily mean security, particularly because organizations tend to “lose focus” once they achieve compliance. The trick, according to the report, is not to focus purely on meeting the compliance requirements, but to “make sustainability and resilience part of their larger security program.”

The bad news is that those organizations not fully in compliance with PCI DSS are missing the mark by a wider margin than before. The companies that failed their compliance assessments in 2015 were missing 12.4% of the required controls, and in 2016, 13% of the controls were missing.

“Many of the security controls that weren’t in place cover fundamental security principles with broad applicability, and their absence could be material to the likelihood of suffering a data breach,” said Verizon.

However, the report said that this isn’t necessarily because companies aren’t putting effort into security; one factor is that the controls they do implement are ineffective. This can be due to controls losing effectiveness over time or to controls that don’t adapt to other changes in the environment. Either way, the problem is significant.

“Over the past five years we’ve analyzed PCI DSS compliance, the proportion of companies achieving 100% has gone up almost fivefold,” Verizon said. “Despite this general improvement, the control gap of companies failing their interim assessment has actually grown worse. Looking at it requirement by requirement, five out of six of the worst performers are the same now as they were in 2012.”

In comparing the data in the “Payment Security Report” to the “Data Breach Investigation Report,” Verizon noticed another significant connection.

“Of all the payment card data breaches that Verizon has investigated between 2010 and 2016 — nearly 300 — not a single organization was fully PCI DSS compliant at the time of the breach.”

So, while compliance with PCI DSS may not guarantee the security of an organization, it likely decreases the odds of it being the victim of a data breach.

In other news:

  • The cyber-espionage group Turla has developed a new backdoor attack called WhiteBear. Kaspersky Lab APT Intelligence Reporting has been tracking these attacks, which use Gazer — the name given by Eset to the second-stage backdoor used in WhiteBear — since 2016. Turla, which is allegedly based in Russia, was targeting computers at various embassies, diplomatic and foreign affairs organizations, but has recently turned its focus to defense-related organizations. “WhiteBear infections appear to be preceded by a condensed spear phishing dropper, lack Firefox extension installer payloads, and contain several new components signed with a new code signing digital certificate, unlike WhiteAtlas incidents and modules,” Kaspersky Lab wrote on its site SecureList. “The exact delivery vector for WhiteBear components is unknown to us, although we have very strong suspicion the group spear phished targets with malicious pdf files.” Turla was also behind the recent plot to use Britney Spears’ Instagram account to conceal and spread malware.
  • A firmware update is now available to patients with a radio frequency-enabled St. Jude Medical implantable pacemaker or defibrillator. The devices from St. Jude Medical — now Abbott’s — have a flaw in the firmware that enabled attackers to remotely access them and cause rapid battery depletion or dangerous pacing or shocks. The patch was issued in January 2017 after months of drama from St. Jude Medical, which at first denied the existence of the flaw after a security researcher discovered it and allegedly shorted the company’s shares, and then finally went public with it. Now, the FDA has approved the patch and patients can start getting updates that don’t require surgery. However, the FDA does warn that the update has potential issues, including the reloading of an earlier firmware version, the loss of preprogrammed device settings, the loss of diagnostic data, and the complete loss of device functionality.
  • A group of security and technology companies banded together to take down the WireX Android DDoS botnet this month. Researchers from Google, Cloudflare, Flashpoint, Akamai, Oracle, RiskIQ and Team Cymru shut down the WireX botnet that at its peak may have infected hundreds of thousands of Android devices with malicious apps. The apps were sending a huge amount of requests to websites through HTTPS, which would deplete the resources of the servers the websites were hosted on. Google found the malware that infected the Android devices in its Play Store and removed the hundreds of infected applications. WireX may have been active as early as Aug. 2, but the attacks on the websites on Aug. 15 are what prompted the companies to work together. A blog post explaining the botnet and the efforts to take it down said that, though the attacks leveraged user apps, the users seemed to not be affected. “The applications that housed these attack functions, while malicious, appeared to be benign to the users who had installed them,” Akamai wrote. The post also praises the collaboration efforts, saying, “These discoveries were only possible due to open collaboration between DDoS targets, DDoS mitigation companies and intelligence firms. Every player had a different piece of the puzzle; without contributions from everyone, this botnet would have remained a mystery.”

Cisco Spark app gets features for regulated organizations

Cisco has added to Spark the content protection, compliance and security features the collaboration service needs to attract highly regulated organizations, such as healthcare providers, government agencies and financial institutions.

The improvements, introduced this week, include content protection in the Cisco Spark app for mobile devices, legal team access to all documents and messages, and the option of on-premises deployment of the Spark key server, which handles decryption and encryption of all data flowing in the service.

Cisco is not the only collaboration vendor to add features attractive to organizations that need the highest levels of security and content control. Slack moved in that direction this year by providing support for third-party mobility management and data loss prevention products. Symphony Communication Services has always focused on regulated industries with a secure messaging app used by 80% of global investment banks.

The latest Spark enhancements correct weaknesses that hampered adoption by organizations watched closely by regulators.

“Not having these kinds of controls has slowed implementation of Spark, especially in larger and regulated organizations,” said Irwin Lazar, an analyst at Nemertes Research, based in Mokena, Ill. “In these kinds of companies, we’ve found a reluctance to embrace a cloud-based messaging solution that doesn’t provide end-to-end encryption, enterprise mobility management integration, and the ability for an organization to control its own keys.”

Spark’s key server ensures all content is encrypted and cannot be read by Cisco or anyone else unless authorized by the organization using the service. To satisfy the most security-conscious organizations, Cisco introduced the option of letting them hold the key server on premises rather than in the vendor’s cloud.

Cisco Spark app Control Hub enhancements

Along with in-house key management, Cisco added control features to the Spark management console, called the Control Hub. Through the platform, administrators can identify individuals who get access to all documents and messages in Spark. That level of access is necessary for lawyers and compliance officers.

Besides the new Control Hub features, Cisco opened up the console to third-party security systems through the release of what it calls the Pro Pack. The software, which costs extra, lets organizations integrate third-party compliance and archiving, data loss prevention and identity management systems.

Cisco also beefed up security in the Cisco Spark app that runs on smartphones and tablets. Features include automatically logging off users when they leave the corporate network and adding a method called certificate pinning that prevents man-in-the-middle attacks. Also, managers can set the app to deny access to mobile users who fail to set their devices’ PIN lock after three warnings.

Finally, Cisco made improvements to the Spark analytics engine. Users can more easily manipulate data to determine, for example, whether any users are experiencing poor call quality and whether the problem is affecting others. The better analytics are also available in WebEx, the company’s video conferencing and file-sharing software.

Veritas Data Insight adds GDPR compliance tool with AI

With the clock ticking on General Data Protection Regulation compliance, Veritas Technologies LLC has added a tool that uses machine learning to identify sensitive and personal data.

The vendor added its Integrated Classification Engine into the Veritas Data Insight 6.0 analytics application, which was released in June. Veritas will also make the engine available as an add-on to Enterprise Vault 12.2 for archive data this month. Veritas has long-term plans to incorporate the application, which is built on Docker containers, across all the products within its data management platform.

Veritas Data Insight identifies and profiles data by analyzing metadata attributes and user behavior. Veritas claims it can predict risk and target malicious activities.

“We have preconfigured patterns to detect over 100 different sensitive data patterns today, and more than 60 preloaded policies, such as General Data Protection Regulation and HIPAA,” said Zachary Bosin, director of solutions marketing at Veritas. “It will grow over time.”

The data classification engine was first integrated last year in Enterprise Vault 11.2 for Microsoft Exchange.

The European Union’s General Data Protection Regulation [GDPR] is a global data protection law because it applies to all companies that store information on EU citizens, regardless of where the company storing the data is based. Organizations have until May 25, 2018 to comply, and those found not in GDPR compliance could face millions of dollars in fines.

Application provides ‘Insight’ into data patterns

Sean Doherty, an analyst covering workforce productivity and compliance at 451 Research, said Veritas Data Insight and the Integrated Classification Engine are particularly timely, as organizations have less than a year to prepare for GDPR compliance.

“I’m getting a lot of inquiries around GDPR compliance from a lot of customers,” Doherty said. “It started to ramp up after the July holidays. There will be a lot of interest in this toward the end of the year as we get closer to the deadline.”


The classification engine’s machine learning feature applies a confidence level to the data patterns. For example, the technology can learn variations of a certain Social Security number so that it is 90% sure that number is one that should be tagged for privacy. The same rule can be applied for other personal data.

Veritas’ Bosin said the Integrated Classification Engine includes more than 100 sensitive data patterns, such as driver’s license numbers, Social Security numbers, national health insurance numbers, passport numbers and bank account numbers. Those identifiers can be stitched together to create a policy that is used across all personally identifiable information within the organization.

“There are a wide variety of uses that can be applied to these policies. We think it is super important that companies have these out-of-the-box capabilities,” Bosin said. “This is technology that we built in-house. It uses different algorithms to understand sensitive data. It does check sum validation to compare different patterns to quickly scan through terabytes of data.”

Veritas Data Insight is part of the vendor’s strategy to transform from a data protection company into a full data management provider following its 2016 spinoff from Symantec.
