Tag Archives: Identity

The importance of AI for fraud prevention

Jumio, the identity verification technology vendor, released Jumio Go, a real-time, automated platform for identity verification. Coming at a time when cybercriminals are becoming ever more technologically advanced, Jumio Go uses a combination of AI, optical character recognition and biometrics to automatically verify a user’s identity in real time.

Jumio, founded in 2010, has long sold an AI for fraud prevention platform used by organizations in financial services, travel, gaming and retail industries. The Palo Alto, Calif., vendor’s new Jumio Go platform builds on its existing technologies, which include facial recognition and verification tools, while also simplifying them.

Jumio Go, launched Oct. 28, provides real-time identity verification, giving users results much faster than Jumio’s flagship product, which takes 30 to 60 seconds to verify a user, according to Jumio. It also eliminates the need to add a component, meaning the process of matching a real-time photo of a user’s face to a saved photo is entirely automated. That speeds up the process, and enables employees to take on other tasks, but also potentially could make it a little less secure.

The new product accepts fewer ID documents than Jumio’s flagship platform, but the tradeoff is the boost in real-time speed. Using natural language processing, Jumio’s platforms can read through and extract relevant information from documents. The system scans that information for irregularities, such as odd wordings or misspellings, which could indicate a fraud.

AI for fraud prevention in finance

For financial institutions, whose customers conduct much more business online, this type of fraud detection and identity verification technology is vital.

For combating fraud, “leveraging AI is critical,” said Amyn Dhala, global product lead at AI Express, Mastercard’s methodology for the deployment of AI that grew out of the credit card company’s 2017 acquisition of Brighterion.


[Image caption] To help stop fraudsters, financial institutions are using AI-powered security tools.

Through AI Express, Mastercard sells AI for fraud prevention tools, as well as AI-powered technologies, to help predict credit risk, manage network security and catch money-laundering.

AI, Dhala said in an interview at AI World 2019 in Boston, is “important to provide a better customer experience and drive profitability,” as well as to ensure customer safety.

The 9 to 5 fraudster

For financial institutions, blocking fraudsters is no simple task. Criminals intent on fraud are taking a professional approach to their work, working for certain hours during the week and taking weekends off, according to an October 2019 report from Onfido, a London-based vendor of AI-driven identity software.

Also, today’s fraudsters are highly technologically skilled, said Dan Drapeau, head of technology at Blue Fountain Media, a digital marketing agency owned by Pactera, a technology consulting and implementation firm based in China.


“You can always throw new technology at the problem, but cybercriminals are always going to do something new and innovative, and AI algorithms have to catch up to that,” Drapeau said. “Cybercriminals are always that one step ahead.”

“As good as AI and machine learning get, it still will always take time to catch up to the newest innovation from criminals,” he added.

Still, by using AI for fraud prevention, financial organizations can stop a good deal of fraud automatically, Drapeau said. For now, combining AI with manual work, such as checking or double-checking data and verification documents, works best, he said.


Adobe brings graph database to customer journey touchpoints

Identity resolution is a difficult technology issue for marketers to solve, because current customer experience platforms have a hard time understanding when the same person contacts a company from multiple devices. Adobe’s Customer Journey Analytics, announced today, tackles the problem with a graph database.

Customer Journey Analytics is a feature subset of Adobe Analytics, itself a part of the Adobe Experience Platform. It features an interface that closely resembles Photoshop’s layers, a UX model familiar to marketers and designers, who typically use that application somewhere along the way when creating marketing and sales content.

Combining a graph database — which makes more connections between data points than traditional relational databases — with analytics is a new way to solve the problem of identity resolution in the case of multiple customer journey touchpoints, said Nate Smith, Adobe Analytics product marketing manager.

Instead of creating new records when a customer who typically uses a smartphone app switches over to a desktop computer, for example, the graph database can connect the dots.

“It will tie those devices together to a unique ID,” Smith said.

[Image caption] Adobe Analytics adds deeper insights to its platform capabilities for mapping customer journey touchpoints.

Data science for marketers

It’s the latest chapter in a technology trend where customer experience platform vendors bring more data science capabilities to marketers, who aren’t typically data scientists. Using the metaphor of the customer journey, the features track the various stages of customer interaction with a company, from discovery to shopping to completing a purchase.


The idea is to subdivide the transaction process in order to find more opportunities for additional sales, upsells or retargeting. This becomes a more complex proposition as new customer journey touchpoints, such as social media mobile apps or even smart speakers such as Amazon’s Alexa, become popular among a company’s customers.

Smith said the “layers” approach enables customer experience teams to look for new potential revenue opportunities by mixing and matching different data sets, such as brick-and-mortar and website sales. Teams can also analyze trends to determine what’s behind issues such as customer attrition problems.

For customer experience teams employing data scientists, Adobe Analytics includes an advanced data analysis tool, Adobe Experience Platform Query Service.

The graph database component of Customer Journey Analytics pairs well with Adobe Sensei AI, according to Forrester analyst James McCormick. Together they can automate deduplication of records, a time-intensive manual task, closer to real time. The Photoshop-esque interface will help customers dive into the analytics tools more quickly, he added.

“These are iterative moves towards Adobe vision of creating a uniformed user experience across a fully integrated Adobe Experience Cloud,” McCormick said. “This common approach will really help Adobe customers work with, and across, multiple products.”


CloudKnox Security adds privileged access features to platform

CloudKnox Security, a vendor in identity privilege management, introduced new features to its Cloud Security Platform, including Privilege-on-Demand, Auto-Remediation for Machine Identities and Anomaly Detection.

The offerings intend to increase enterprise protection from identity and resource risks in hybrid cloud environments. According to CloudKnox Security, the new release is an improvement on its existing Just Enough Privileges Controller, which enables enterprises to reduce overprovisioned identity privileges to appropriate levels across VMware, AWS, Azure and Google Cloud.

Privileged accounts are often targets for attack, and a successful hacking attempt can result in full control of an organization’s data and assets. The 2019 Verizon Data Breach Investigations Report highlighted privileged account misuse as the top threat for security incidents and the third-leading cause of security breaches.

The Privilege-on-Demand feature from CloudKnox Security enables companies to grant privileges to users for a certain amount of time and on a specific resource on an as-needed basis. The options include Privilege-on-Request, Privilege Self-Grant or Just-in-Time Privilege that give users access to a specific resource within a set time to perform an action.

The Auto-Remediation feature can frequently and automatically dismiss unused privileges of machine identities, according to the vendor. For example, the feature can be useful dealing with service accounts that perform repetitive tasks with limited privileges, because when these accounts are overprovisioned, organizations will be particularly vulnerable to privilege misuse.

The Anomaly Detection feature creates risk profiles for users and resources based on data obtained by CloudKnox’s Risk Management Module. According to the vendor, the software intends to detect abnormal behaviors from users, such as a profile carrying out a high-risk action for the first time on a resource they have never accessed.

The company will demonstrate the new features at Black Hat USA in Las Vegas this year for the first time. CloudKnox’s update to its Cloud Security Platform follows competitor CyberArk’s recent updates to its own privileged access management offering, including zero-trust access, full visibility and control of privileged activities for customers, biometric authentication and just-in-time provisioning. Other market competitors that promise insider risk reduction, identity governance and privileged access management include BeyondTrust and One Identity.


LifeLock vulnerability exposed user email addresses to public

Symantec’s identity theft protection service, LifeLock, exposed millions of customers’ email addresses.

According to security journalist Brian Krebs, the LifeLock vulnerability was in the company’s website, and it enabled unauthorized third parties to collect email addresses associated with LifeLock user accounts or to unsubscribe users from communications from the company. Account numbers, called subscriber keys, appear in the URL of the unsubscribe page on the LifeLock website; each key corresponds to a customer record, and the keys appear to be sequential, according to Krebs, which lends itself to writing a simple script to collect the email address of every subscriber.

The biggest threat with this LifeLock vulnerability is attackers could launch a targeted phishing scheme — and the company boasted more than 4.5 million users as of January 2017.

“The upshot of this weakness is that cyber criminals could harvest the data and use it in targeted phishing campaigns that spoof LifeLock’s brand,” Krebs wrote. “Of course, phishers could spam the entire world looking for LifeLock customers without the aid of this flaw, but nevertheless the design of the company’s site suggests that whoever put it together lacked a basic understanding of web site authentication and security.”

Krebs notified Symantec of the LifeLock vulnerability, and the security company took the affected webpage offline shortly thereafter. Krebs said he was alerted to the issue by Atlanta-based independent security researcher Nathan Reese, a former LifeLock subscriber who received an email offering him a discount if he renewed his membership. Reese then wrote a proof of concept and was able to collect 70 email addresses — enough to prove the LifeLock vulnerability worked.

Reese emphasized to Krebs how easy it would be for a malicious actor to use the two things he knows about the LifeLock customers — their email addresses and the fact that they use an identity theft protection service — to create a “sharp spear” for a spear phishing campaign, particularly because LifeLock customers are already concerned about cybersecurity.
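The design flaw Krebs describes is an unauthenticated, guessable record identifier in a URL. The following is an added illustration, not code from LifeLock, Symantec or Krebs, of the weak pattern next to a hardened unsubscribe handler: the link carries an HMAC-signed, expiring token bound to the subscriber, the handler verifies it before acting, answers identically for bad tokens and unknown records, and never echoes the email address back. The subscriber table, the signing key and the token layout are constructed assumptions for the example.

```python
import base64
import binascii
import hashlib
import hmac
import json

# Constructed sample subscriber table; the keys are sequential on purpose to
# model the weakness described in the article. Not real data.
SUBSCRIBERS = {1001: "alice@example.com", 1002: "bob@example.com", 1003: "carol@example.com"}
UNSUBSCRIBED = set()

# Placeholder server-side secret (assumption): in a deployment this comes from a
# secrets store, never from source code.
SECRET = b"placeholder-unsubscribe-signing-key"
TOKEN_TTL_SECONDS = 7 * 24 * 3600


def vulnerable_unsubscribe(subscriber_key):
    """Weak design: the bare sequential key from the URL is trusted as proof of
    ownership, and the record's email is echoed back, so the page doubles as an
    enumeration oracle for every subscriber."""
    email = SUBSCRIBERS.get(subscriber_key)
    if email is None:
        return {"status": "unknown"}
    UNSUBSCRIBED.add(subscriber_key)
    return {"status": "ok", "email": email}


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_unsubscribe_token(subscriber_key, now):
    """Mint the token embedded in a mailing's unsubscribe link: the claims are
    bound to one subscriber, one purpose and an expiry, and authenticated with
    HMAC-SHA256 so they cannot be altered or guessed."""
    claims = {"k": subscriber_key, "exp": now + TOKEN_TTL_SECONDS, "p": "unsub"}
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    mac = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(mac)


def verify_unsubscribe_token(token, now):
    """Return the subscriber key if the token is authentic, unexpired and meant
    for unsubscribing; otherwise None. The MAC is checked (in constant time)
    before the payload is trusted enough to parse as claims."""
    try:
        payload_b64, mac_b64 = token.split(".")
        payload = _unb64(payload_b64)
        mac = _unb64(mac_b64)
        expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):
            return None
        claims = json.loads(payload)
    except (ValueError, binascii.Error):
        return None
    if not isinstance(claims, dict) or claims.get("p") != "unsub":
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims.get("k")


def hardened_unsubscribe(token, now):
    """Hardened handler: acts only on a valid token, gives the same answer for
    bad tokens and unknown subscribers, and never returns the address."""
    key = verify_unsubscribe_token(token, now)
    if key is None or key not in SUBSCRIBERS:
        return {"status": "invalid"}
    UNSUBSCRIBED.add(key)
    return {"status": "ok"}
```

The token is the only thing a recipient needs to present, so the subscriber key never has to appear in the URL in the clear, and a forged or expired link fails closed without revealing whether the guessed record exists.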

Symantec, which acquired the identity theft protection company in 2016, issued a statement after Krebs published his report on the LifeLock vulnerability:

This issue was not a vulnerability in the LifeLock member portal. The issue has been fixed and was limited to potential exposure of email addresses on a marketing page, managed by a third party, intended to allow recipients to unsubscribe from marketing emails. Based on our investigation, aside from the 70 email address accesses reported by the researcher, we have no indication at this time of any further suspicious activity on the marketing opt-out page.

LifeLock has faced problems in the past with customer data. In 2015, the company paid out $100 million to the Federal Trade Commission to settle charges that it allegedly failed to secure customers’ personal data and ran deception advertising.

In other news:

  • The American Civil Liberties Union (ACLU) of Northern California said Amazon’s facial recognition program, Rekognition, falsely identified 28 members of Congress as people who were arrested for a crime in its recent test. The ACLU put together a database of 25,000 publicly available mugshots and ran the database against every current member of the House and Senate using the default Rekognition settings. The false matches represented a disproportionate amount of people of color — 40% of the false matches, while only 20% of Congress members are people of color — and spanned both Democrats and Republicans and men and women of all ages. One of the falsely identified individuals was Rep. John Lewis (D-Ga.), who is a member of the Congressional Black Caucus; Lewis previously wrote a letter to Amazon’s CEO, Jeff Bezos, expressing concern for the potential implications of the inaccuracy of Rekognition and how it could affect law enforcement and, particularly, people of color.
  • Researchers have discovered another Spectre vulnerability variant that enables attackers to access sensitive data. The new exploit, called SpectreRSB, was detailed by researchers at the University of California, Riverside, in a paper titled, “Spectre Returns! Speculation Attacks using the Return Stack Buffer.” “Rather than exploiting the branch predictor unit, SpectreRSB exploits the return stack buffer (RSB), a common predictor structure in modern CPUs used to predict return addresses,” the research team wrote. The RSB aspect of the exploit is what’s new, compared with Spectre and its other variants. It’s also why it is, so far, unfixed by any of the mitigations put in place by Intel, Google and others. The researchers tested SpectreRSB on Intel Haswell and Skylake processors and the SGX2 secure enclave in Core i7 Skylake chips.
  • Google Chrome implemented its new policy this week that any website not using HTTPS with a valid TLS certificate will be marked as “not secure.” In the latest version of the browser, Google Chrome version 68, users will see a warning message stating that the site is not secure. Google first announced the policy in February. “Chrome’s new interface will help users understand that all HTTP sites are not secure, and continue to move the web towards a secure HTTPS web by default,” Emily Schechter, Chrome Security product manager, wrote in the announcement. “HTTPS is easier and cheaper than ever before, and it unlocks both performance improvements and powerful new features that are too sensitive for HTTP.”

Microsoft launches identity bounty program, offers up to $100,000

Microsoft this week expanded its bug bounty program to include security vulnerabilities in its identity services.

The software giant launched the Microsoft Identity Bounty Program, which offers payouts between $500 and $100,000 for vulnerabilities reported in Microsoft’s identity services. The scope of the identity bounty includes both consumer and enterprise services — Microsoft Accounts and Azure Active Directory, respectively — as well as login tools such as login.live.com, account.windowsazure.com, portal.office.com and the Microsoft Authenticator for iOS and Android applications.

In addition, Microsoft said the identity bounty will be available for bugs reported in the company’s implementations of specific OpenID standards.

“If you are a security researcher and have discovered a security vulnerability in the Identity services, we appreciate your help in disclosing it to us privately and giving us an opportunity to fix it before publishing technical details,” wrote Phillip Misner, principal security group manager for the Microsoft Security Response Center, in a blog post. “Further in our commitment to the industry identity standards work that we have worked hard with the community to define, we are extending our bounty to cover those certified implementations of select OpenID standards.”

The expanded bug bounty program will pay up to $100,000 for the most serious vulnerabilities, including design vulnerabilities in identity standards and bypasses for multifactor authentication. Standards-based implementation flaws will pay a maximum of $75,000, while “significant” authentication bypasses will pay a maximum of $40,000.

The identity bounty program is the latest expansion of Microsoft’s bug bounty efforts. In 2015, the company announced a major expansion of its bug bounty program that included Microsoft’s Azure platform as well as specific vulnerabilities for its Hyper-V virtualization software.

IAM engineer roles require training and flexibility

BOSTON — As identity and access management become more critical to security strategies, organizations must be on the lookout for good identity engineers — and there are a few different ways IT can approach this staffing.

Identity and access management (IAM) is increasingly essential as mobile devices add new access points for employees and fresh ways to leak corporate data. But the job market still lacks skilled IAM engineer candidates, so organizations may be better off training existing IT staff, or hiring general security engineers and teaching them IAM, experts said here at this week’s Identiverse conference.

“Focus on general IT skills and roles [when you] hire engineers,” said Olaf Grewe, director of access certification services at Deutsche Bank, in a session. “Don’t wait for this elusive candidate that has all of this baked in. Bring them up to where you need to be.”

IAM job market landscape

Job growth in IAM has surged in the past year, with about 1,500 IAM engineer openings currently in the Boston area, 4,800 in the D.C. area and 3,320 in Silicon Valley, according to a presentation by Dave Shields, a senior security architect for IAM at DST Systems, a financial technology company in Kansas City.

“It is finally reaching a state where people see that it’s a viable place to have [a career],” said Shields, who was also recently the managing director of IT and ran IAM at the University of Oklahoma. “There are so many things you can do with it.”

There aren’t enough people already skilled in IAM to fill these roles, however, and ones that are may not live nearby. Instead, IT departments can train up existing staff on IAM — but the key is to choose the right people.

“The best engineers you’re going to find are the people who aren’t afraid to break stuff,” Shields said. “Maybe you have a sysadmin who gets into systems and was able to make them do things they were never able to do before. Talk to that person.”

The person should also be flexible, adaptable to change and willing to ask questions others don’t want to hear, he said. Other desirable qualities for an IAM engineer are creativity and an ability to understand the business’ functions and the technology in use.

“Find someone who can look at something and say, ‘I can make that better,’” Shields said. “There are some things that simply cannot be taught.”

IAM and security go hand in hand

Deutsche Bank is currently building up an IAM team that includes existing IT staff and external hires, which the company then trains on IAM skills. That involves four major steps: baseline IAM training, then vendor-specific education, then CISSP, followed by continuous learning over time via conferences, lunch and learns, and updated vendor training.


“We need to make sure people have access to the right resources,” Grewe said. “We want to have people who are continuously developing.”

General security skills are especially important for IAM engineer candidates, experts said. Sarah Squire, a senior technical architect at Ping Identity, started out by learning the important security specs and standards as a way toward training up on identity management.

“It’s a lot of on-the-job training,” Squire said. “We’re starting to realize that we really need a base body of knowledge for the entire field.”

For that reason, Squire along with Ian Glazer, vice president for identity product management at Salesforce, founded IDPro, a community for IAM professionals. Launched at last year’s Identiverse (then Cloud Identity Summit), IDPro is currently forming the body of knowledge that an IAM engineer must know, and plans to offer a certification in the future, Squire said.

“It’s really important that people who come in not only understand IAM but also really understand security,” Grewe said.

It’s also important to determine where within the organization those IAM professionals will live. Is it operations? Development? Security?

“A lot of people just don’t know where that fits,” Shields said. “There is nowhere better for them to be in my opinion than on the IT security team.”

Grewe’s team at Deutsche Bank, for instance, works under the chief security officer, who has a lot of budget to work with, he said. At IBM, the team that handles internal identity management works closely with HR and other groups that are involved in employees’ access rights, said Heather Hinton, vice president and chief information security officer for IBM Hybrid Cloud.

“[Organizations] need to figure out how to be less siloed,” she said.

Ping adds AI-driven API protection with Elastic Beam acquisition

BOSTON — Ping Identity is moving beyond single sign-on and further into API security with its latest acquisition.

At the Identiverse 2018 conference on Tuesday, the Denver-based identity and access management (IAM) provider announced the acquisition of Elastic Beam, a Redwood City, Calif., cybersecurity startup that uses artificial intelligence to monitor and protect APIs. Terms of the deal were not disclosed.

Ping CEO Andre Durand discussed the importance of API protection in the past as part of the company’s “intelligent identity” strategy. The company, which specializes in IAM services such as single sign-on, had previously introduced PingAccess for API management and security.

Elastic Beam, which was founded in 2014, will become part of Ping’s new API protection offering, dubbed PingIntelligence for APIs. Elastic Beam’s API Behavioral Security (ABS) automatically discovers an organization’s APIs and monitors the activity using AI-driven behavioral analysis.

“The moment it detects abnormal activity on an API, it automatically blocks that API,” said Bernard Harguindeguy, founder of Elastic Beam.

Harguindeguy, who joined Ping as its new senior vice president of intelligence, said ABS’ use of AI is ideal for API monitoring and defense, because there are simply too many APIs and too much data around them for human security professionals to effectively track and analyze on their own.

“API security is a very hard problem. You cannot rely on roles and policies and attacker patterns,” he said. “We had to use AI in a very smart way.”

Durand said the explosion of APIs in both cloud services and mobile applications has expanded the attack surface for enterprises and demanded a new approach to managing and securing APIs. While Durand acknowledged the potential for AI systems to make mistakes, he said improving API protection can’t be done without the help of machine learning and AI technology.

“We’re in the early stages of applying AI to the enormity of traffic that we have access to today,” he said. “We want to limit the space and time that users have access to, but there’s no policy that can do that. I don’t think there’s a way to have that breakthrough without machine learning, big data and AI.”

PingIntelligence for APIs is currently in private preview, and it will be generally available in the third quarter this year.

Blockchain identity management simplifies personal security

Identity management is a pain point for many companies and individuals, but blockchain could help solve some of the challenges.

When banking, traveling, providing proof of age or accessing corporate data, individuals must prove their identity. But it can be difficult for users to keep track of all the different pieces of identification they must present to do so. ShoCard, a software provider in Cupertino, Calif., aims to eliminate the need for multiple forms of identification, usernames and passwords, and give users more control through the use of its blockchain identity management tool.

“Since it is your data, really, you have the right to hold it, to operate it as you wish,” said Alexander Novoselov, the head of innovation at Creditinfo Group, a ShoCard customer headquartered in Iceland.

How blockchain identity management works

ShoCard offers an identity management tool that uses a blockchain-based digital verification and authentication process. Blockchain is a type of database that is secured using cryptography and encryption key techniques. A user’s identity information is stored on the blockchain, tied to a hashed version of what’s called the public key. Each user also has a private key, which allows them to safeguard their personal data and prove to those with whom they share the data that it belongs only to the person sharing it.

The idea with blockchain identity management is to store and encrypt data on users’ mobile devices, rather than in a central database. Since credentials are stored on the device, an attacker would have to hack phone by phone and wouldn’t be able to compromise many identities at once.

Although the mass appeal of blockchain identity management remains to be seen, there is potential in very strict compliance-oriented fields, said Eric Klein, director of mobile software at VDC Research in Natick, Mass.

“They are definitely unique in the market for doing something that hadn’t occurred to me as a means of enhancing your security,” Klein said.

Customers can use ShoCard software development kits to integrate the technology into their mobile applications and servers. The client app then prompts users to take pictures of their valid government IDs, and ShoCard extracts the personal information. The user then sets up a passcode or fingerprint verification as an added security measure. When a user decides to share the data with a third party, the information is placed in an encrypted container on the blockchain, which no one — including ShoCard — can access, except the party with whom the user is sharing it.
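The two properties the section describes, that only a hash reaches the shared ledger while the readable identity data stays on the device, can be shown with a salted hash commitment. The example below is an added illustration written for this page and is not ShoCard’s code or protocol: the ledger is a toy append-only hash chain standing in for the blockchain, enrollment publishes only a commitment to the fields extracted from the ID, the fields and salt stay on the device, and a relying party that receives a share recomputes the hash against the ledger entry. The key-pair signature that proves the sharer holds the matching private key is a separate step not shown here. All field values and names are constructed.

```python
import hashlib
import json
import secrets


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


class Ledger:
    """Toy append-only hash chain standing in for the blockchain (assumption:
    the scheme only needs a public, tamper-evident place to look records up).
    Only commitments are ever written here, never the identity data itself."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def _entry_hash(index, prev, commitment):
        return sha256_hex(f"{index}|{prev}|{commitment}".encode())

    def append(self, commitment):
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        index = len(self.entries)
        self.entries.append({"index": index, "prev": prev, "commitment": commitment,
                             "hash": self._entry_hash(index, prev, commitment)})
        return index

    def is_consistent(self):
        """Recompute every link; any edited entry breaks the chain after it."""
        prev = self.GENESIS
        for e in self.entries:
            if e["prev"] != prev or e["hash"] != self._entry_hash(e["index"], prev, e["commitment"]):
                return False
            prev = e["hash"]
        return True


def canonical(fields):
    # Stable serialisation so the same fields always hash the same way.
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def enroll(ledger, fields):
    """Device-side enrollment: hash the fields extracted from the ID under a
    fresh random salt, publish only the hash, keep fields and salt on the phone.
    The salt stops anyone from confirming a guessed identity against the ledger."""
    salt = secrets.token_bytes(16)
    commitment = sha256_hex(salt + canonical(fields))
    index = ledger.append(commitment)
    return {"index": index, "salt": salt, "fields": fields}  # stays on the device


def verify_share(ledger, index, fields, salt):
    """Relying-party check on a share (fields, salt, ledger index): the chain
    must be intact and the recomputed hash must equal the published commitment."""
    if not ledger.is_consistent() or not 0 <= index < len(ledger.entries):
        return False
    return ledger.entries[index]["commitment"] == sha256_hex(salt + canonical(fields))
```

Because the ledger holds only the commitment, compromising it discloses nothing readable, and a changed field, a wrong salt or an edited ledger entry all fail verification, which is the "phone by phone" property the section attributes to keeping the data on the device.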

Blockchain pays off

Creditinfo adopted ShoCard for a few of its customers. It needed to allow customers to not only have control over their own credit data, but also be able to securely transfer data between different countries, Novoselov said.

For example, if a person from India goes to a U.S. bank and tries to get a credit card, it brings complications. Creditinfo cannot share data from India in the U.S. because of a difference in privacy laws between the two countries. Creditinfo needed a tool to allow people to bring their credit histories with them anywhere.


Customers can now download the Creditinfo app, which incorporates ShoCard technology via the vendor’s software development kit, and securely access and share their credit score data on their mobile devices.

“This is a new way of bringing confidence that the data is in safe hands,” Novoselov said.

Based on this same blockchain identity management technology, ShoCard also offers ShoBadge, an app that allows employees to hold their encrypted ID information on their mobile devices. Unlike with ShoCard, customers don’t have to write any code; instead, they just use the app directly.

ShoBadge allows employees to access all of their corporate apps by authenticating through the app, rather than requiring different logins to different applications or devices. It also allows them to securely share their identities at the workplace — with human resources, for example. There is no longer a central database at the company where all the users’ sensitive personal information is stored. Thus, employees bring their own identity, and there is no username and password management in the hands of a third party.

The identity management market remains fragmented, with some existing vendors who have the benefit of being in the game for a long time, Klein said. But this does not mean that all customers have decided on which technology to adopt, which is why a new company like ShoCard has been attracting some pretty serious venture funding, he said.

“There are people betting on other technologies maybe surpassing what we have today,” he added. “Integrating sophisticated blockchain capabilities as a path certainly has potential.”

How we secure your data in Azure AD

Howdy folks,

With all the breaches of cloud identity services over the last few years, we get a lot of questions about how we secure customer data. So today’s blog is a dive into the details of how we protect customer data in Azure AD.

Datacenter and Service Security

Let’s start with our datacenters. First, all of Microsoft’s datacenter personnel must pass a background check. All access to our datacenters is strictly regulated and every entry and exit are monitored. Within these datacenters, the critical Azure AD services that store customer data are located in special locked racks—their physical access is highly restricted and camera-monitored 24 hours a day. Furthermore, if one of these servers is decommissioned, all disks are logically and physically destroyed to avoid data leakage.

Next, we limit the number of people who can access the Azure AD services, and even those who do have access permissions operate without these privileges day-to-day when they sign in. When they do need privileges to access the service, they need to pass a multi-factor authentication challenge using a smartcard to confirm their identity and submit a request. Once the request is approved, the user’s privileges are provisioned “just-in-time”. These privileges are also automatically removed after a fixed period of time, and anyone needing more time must go through the request and approval process again.

Once these privileges are granted, all access is performed using a managed admin workstation (consistent with published Privileged Access Workstation guidance). This is required by policy, and compliance is closely monitored. These workstations use a fixed image, and all software on the machine is fully managed. To minimize the surface area of risk, only selected activities are allowed, and users cannot accidentally circumvent the design of the admin workstation since they don’t have admin privileges on the box. To further protect the workstations, any access must be done with a smartcard, and access to each one is limited to a specific set of users.

Finally, we maintain a small number (fewer than five) of “break glass” accounts. These accounts are reserved for emergencies only and secured by multi-step “break glass” procedures. Any use of those accounts is monitored and triggers alerts.

Threat detection

There are several automatic checks we run regularly, every few minutes, to ensure things are operating as we expect, even as we are adding new functionality required by our customers:

  • Breach detection: We check for patterns that indicate a breach, and we keep adding to this set of detections. We also use automated tests that deliberately trigger these patterns, so we are also checking that the breach-detection logic itself is working correctly.
  • Penetration tests: These tests run continuously and try all sorts of things to compromise our service, and we expect them to fail every time. If one succeeds, we know something is wrong and can correct it immediately.
  • Audit: All administrative activity is logged. Any activity that is not anticipated (such as an admin creating accounts with privileges) triggers alerts that cause us to inspect that action in depth to make sure it is not abnormal.
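The “Audit” and “Breach detection” items above describe two things worth seeing together: alerting on administrative activity that was not anticipated, and deliberately injecting events that must fire so that a silent detector is itself caught. The following is an added example, not Microsoft’s detection logic: the JSON-lines event format, field names, role names, the approved-change ledger and the sample events are all constructed for this illustration.

```python
"""Audit-log detection with a built-in self-test.

Added example, not Microsoft's code: event format, field names, role names, the
approved-change ledger and SAMPLE_AUDIT_LOG are constructed for the illustration.
"""
import json

# Constructed sample of administrative audit events, one JSON object per line.
SAMPLE_AUDIT_LOG = """\
{"ts": "2024-01-01T09:00:05Z", "actor": "alice", "op": "ResetPassword", "target": "u123", "change": "CHG-4101"}
{"ts": "2024-01-01T09:01:10Z", "actor": "alice", "op": "CreateUser", "target": "svc-backup", "change": "CHG-4101"}
{"ts": "2024-01-01T09:01:12Z", "actor": "alice", "op": "AddRoleMember", "target": "svc-backup", "role": "Global Administrator", "change": null}
{"ts": "2024-01-01T09:02:00Z", "actor": "bob", "op": "AddRoleMember", "target": "dave", "role": "Global Administrator", "change": "CHG-4102"}
{"ts": "2024-01-01T09:05:00Z", "actor": "bg-admin-1", "op": "UpdateServicePrincipal", "target": "sp-77", "change": null}
"""

PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator"}
BREAK_GLASS_ACCOUNTS = {"bg-admin-1", "bg-admin-2"}
# Change ticket -> actors allowed to act under it. Anything else is "not anticipated".
APPROVED_CHANGES = {"CHG-4101": {"alice"}, "CHG-4102": {"bob"}}


def is_anticipated(event: dict) -> bool:
    change = event.get("change")
    return change in APPROVED_CHANGES and event["actor"] in APPROVED_CHANGES[change]


def detect(lines) -> list:
    """Return (ts, actor, op, reasons) for every event that should trigger deep inspection."""
    alerts = []
    created_by = {}  # target account -> actor who created it earlier in this log
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        reasons = []
        if ev["actor"] in BREAK_GLASS_ACCOUNTS:
            reasons.append("break-glass account used")
        if ev["op"] == "CreateUser":
            created_by[ev["target"]] = ev["actor"]
            if not is_anticipated(ev):
                reasons.append("account created outside an approved change")
        if ev["op"] == "AddRoleMember" and ev.get("role") in PRIVILEGED_ROLES:
            if not is_anticipated(ev):
                reasons.append("privileged role granted outside an approved change")
            if created_by.get(ev["target"]) == ev["actor"]:
                # The pattern the post calls out: an admin creating an account with privileges.
                reasons.append("admin created an account and then made it privileged")
        if reasons:
            alerts.append((ev["ts"], ev["actor"], ev["op"], reasons))
    return alerts


def detection_self_test() -> bool:
    """Synthetic events that must (and must not) fire; if this fails, the detector's silence
    on real traffic means nothing."""
    must_fire = ['{"ts": "2024-01-01T00:00:00Z", "actor": "canary", "op": "AddRoleMember", '
                 '"target": "canary-target", "role": "Global Administrator", "change": null}']
    must_not_fire = ['{"ts": "2024-01-01T00:00:01Z", "actor": "bob", "op": "ResetPassword", '
                     '"target": "u9", "change": "CHG-4102"}']
    return len(detect(must_fire)) == 1 and len(detect(must_not_fire)) == 0


if __name__ == "__main__":
    assert detection_self_test(), "detector is broken; do not trust its silence"
    for ts, actor, op, reasons in detect(SAMPLE_AUDIT_LOG.splitlines()):
        print(ts, actor, op, "; ".join(reasons))
```

On the constructed sample, the role grant to `svc-backup` fires twice over (no change ticket, and the grantor is the account’s creator) even though the account creation itself was ticketed, and the break-glass use fires regardless of what was done with it; the ticketed grant by `bob` stays quiet.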

And did we say we encrypt all your data in Azure AD? Yes, we do: we use BitLocker to encrypt all Azure AD identity data at rest. What about on the wire? We do that as well. All Azure AD APIs are web-based and use TLS (HTTPS) to encrypt data in transit. Access to information is restricted through token-based authorization, and each tenant’s data is only accessible to accounts permitted in that tenant. In addition, our internal APIs have the added requirement of mutual TLS authentication, with both client and server certificates validated against trusted issuance chains.
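Two of the rules in the preceding paragraph are easy to state and easy to get wrong in code: a token is only good for the tenant it was issued for, and an internal API must refuse any peer that does not present a certificate from a trusted chain. The following is an added example, not Azure AD’s implementation: the token is a minimal HMAC-SHA256-signed JSON blob built here (not Azure AD’s token format), and the signing key, tenant ids, role names and timestamps are assumptions for the illustration.

```python
"""Tenant-scoped token authorization and a mutual-TLS server context.

Added example, not Azure AD's implementation: the token format, SIGNING_KEY, tenant
ids, role names and timestamps are assumptions for the illustration.
"""
import base64
import binascii
import hashlib
import hmac
import json
import ssl

SIGNING_KEY = b"constructed-demo-key-not-for-production"  # assumed; a real issuer uses asymmetric keys


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject: str, tenant_id: str, roles: list, exp: int) -> str:
    """Mint <payload>.<signature>; 'tid' binds the token to one tenant, 'exp' is epoch seconds."""
    claims = {"sub": subject, "tid": tenant_id, "roles": roles, "exp": exp}
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def authorize(token: str, resource_tenant: str, required_role: str, now: int) -> bool:
    """Allow only if the token is authentic, unexpired, issued for the tenant that owns the
    resource, and carries the required role. Malformed input fails closed."""
    try:
        p64, s64 = token.split(".")
        payload, sig = _unb64(p64), _unb64(s64)
        expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):  # verify before trusting any claim
            return False
        claims = json.loads(payload)
        if now >= int(claims["exp"]):
            return False
        if claims["tid"] != resource_tenant:
            return False  # a valid token from tenant A never reaches tenant B's data
        return required_role in claims["roles"]
    except (ValueError, KeyError, TypeError, binascii.Error):
        return False


def internal_api_server_context(ca_bundle_path: str = None) -> ssl.SSLContext:
    """Server-side context for an internal API: TLS 1.2 or newer, and a client
    certificate chaining to a trusted issuer is mandatory rather than optional."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    if ca_bundle_path:
        ctx.load_verify_locations(ca_bundle_path)  # the trusted issuance chain(s)
    return ctx


if __name__ == "__main__":
    now = 1_704_099_600
    tok = issue_token("alice@tenant-a", "tenant-a", ["Directory.Read"], exp=now + 3600)
    print("same tenant:", authorize(tok, "tenant-a", "Directory.Read", now))
    print("other tenant:", authorize(tok, "tenant-b", "Directory.Read", now))
```

The order inside `authorize` is deliberate: the signature is checked before any claim is parsed or compared, so an attacker cannot steer the code path by editing the tenant or expiry fields, and the tenant comparison is a hard stop that no role can override.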

A final note

Azure AD is delivered in two ways, and this post describes security and encryption for the public service delivered and operated by Microsoft. For similar questions about our National Cloud instances operated by trusted partners, please reach out to your account teams.

(Note: As a simple rule of thumb, if you manage or access your Microsoft Online services through URLs ending with .com, this post describes how we protect and encrypt your data.)

The security of your data is a top priority for us and we take it VERY seriously. I hope you found this overview of our data encryption and security protocol reassuring and useful.

Best regards,

Alex Simons (Twitter: @Alex_A_Simons)

Director of Program Management

Microsoft Identity Division

Microsoft acquires Adallom to advance identity and security in the cloud

I’m pleased to announce today that Microsoft has acquired Adallom, an innovator in cloud security and a leader in helping customers protect their critical assets across cloud applications. This acquisition is the latest example of Microsoft’s commitment to delivering innovative identity and security capabilities to our customers, across both on-premises and multiple clouds.

With more frequent and advanced cybersecurity attacks continuing to make headlines, customer concerns around security remain top of mind. These concerns pose real challenges for IT, who are charged with protecting company data in this rapidly evolving mobile-first, cloud-first world. In this world, identity is a critical control plane for managing and protecting access to applications and data.

Adallom expands on Microsoft’s existing identity assets, and delivers a cloud access security broker, to give customers visibility and control over application access as well as their critical company data stored across cloud services. Adallom works with popular cloud applications including Salesforce, Box, Dropbox, ServiceNow, Ariba, and of course Office 365. As a cloud-delivered, security-as-a-service solution, Adallom will complement existing offerings that Microsoft makes available today as part of Office 365 and the Enterprise Mobility Suite (EMS), including our recent Microsoft Advanced Threat Analytics release.

Adallom, cofounded in 2012 by Assaf Rappaport, Ami Luttwak and Roy Reznik, has assembled a world-class team with a dedicated focus on making it easier to enhance data security in the cloud.  The team will continue to evolve, build technology, sell solutions and work with customers as we complete the integration into Microsoft.

Once again, we are thrilled to welcome the Adallom team into the Microsoft family. Advanced threats and cybercrime will persist in this mobile-first, cloud-first era, but at Microsoft we remain committed to helping our customers protect their data with new and innovative identity and security capabilities. We encourage our customers to evaluate and use this offering starting today; to learn more, visit http://www.adallom.com.