Microsoft Azure Archives

26 May 2022

Banks, Compliance, Credit Unions Christine Ray 0 comment

Community Banks Use CloudInsight™ M365 Security Basics to Increase Security

Community Banks Use CloudInsight M365 Security Basics to Increase Security

To meet the challenges of escalating cyber threats and constantly evolving technology, organizations must have appropriate security measures in place to protect their network, data, and other assets. Financial institutions that use Microsoft Azure Directory and M365 can capitalize on CloudInsight™ M365 Security Basics to ensure they have the right security, identity, and compliance settings to keep their information safe in the Cloud. The product fills a critical need because Microsoft is always enabling and disabling features in Azure AD and M365, which can make it difficult for institutions to maintain the best security settings.

M365 Security Basics increases the visibility of potential security risks through three main services:

Reporting — The delivery of user-friendly Microsoft data
Alerting — Notifications of common indicators of compromise
Quarterly Reviews — Expert analysis and consultations

Here are two case study summaries to show how different institutions are using CloudInsight M365 Security Basics to gain better visibility into their cloud security and Microsoft settings:

Affinity Bank

Atlanta-based Affinity Bank wanted to get a better handle on potential security threats—particularly those relating to email. It implemented CloudInsight M365 Security Basics to prevent compromised user accounts, unknown users and forwarders, unapproved email access, and other risks. “Being able to receive alerts when attempted logins from outside of the country come through is a big reason why we were interested in the product,” said Senior Vice President and Chief Operations Robert Vickers. Just having the ability to put in preventative features blocking employees from sending or setting up a forward to an external email address was another plus for Affinity Bank. With almost $800 million in assets, three locations across Georgia, and a long-term relationship with Safe Systems, Affinity Bank anticipates significant improvement in its cloud security and overall security posture thanks to M365 Security Basics’ monitoring, alerting, and other tools. Aside from the tools that M365 Security Basics provides for Affinity Bank, the real advantage given to the bank is the relationship with Safe Systems. “The team at Safe Systems has been able to provide us with great expertise on exactly where we need to go, what we need to do, and best practices to get us there,” said Vickers. “Almost immediately after we signed on for CloudInsight, they gave us recommendations we could implement straight away.” Read more.

Franklin Bank & Trust Company

Since its inception in 1958, Franklin Bank & Trust Company has prioritized adapting to constant changes in technology to maintain its security. M365 Security Basics proved to be the ideal solution for the Franklin, Kentucky-based community bank, which has $700 million in assets and five branches across the state. Since implementing CloudInsight M365 Security Basics, the bank achieved improved efficiencies in its cloud security and settings. After the initial meeting with the new service, reports came back with deficiencies that the bank didn’t even know it had and that could expose them to potential data breaches and threats. They were able to tighten up privacy settings, including the bank’s Microsoft OneDrive, and impose conditional access policies to ensure data was protected. “Adding CloudInsight M365 Security Basics to our roster has really shone a light on our whole Microsoft cloud footprint. It has shown us which areas we need to shore up and, in turn, has made our bank more efficient and secure,” said IT Project Manager Aaron Miller. Read more.

Learn More

CloudInsight M365 Security Basics is a flexible, cost-effective solution that institutions can incorporate based on their specific priorities and requirements. While Affinity Bank used M365 Security Basics to primarily address email management, Franklin Bank & Trust Company wanted to gain better overall visibility into Microsoft security settings. In both cases, M365 Security Basics fit the bill. Depending on their license, financial institutions can use M365 Security Basics to customize a wide array of security settings in Azure AD, M365, and Exchange Online. This includes OneDrive and SharePoint Sharing; Teams and External Collaboration; and the Protection, Security, Compliance, and M365 Admin centers. Institutions can further enhance cloud security by adjusting the settings associated with Azure AD Premium P1, Intune, and Azure Information Protection. They can also apply conditional access policies, password protection, and a myriad of other security features.

For more information about how your institution can optimize Microsoft security settings to improve cloud security, download our white paper on “Azure and M365 Security Basics.”

22 Apr 2022

Banks, Credit Unions, Technology Marshall Jones 0 comment

More Microsoft Azure and 365 Security Basics

Banks and credit unions today face an ever-increasing number of cloud security hazards. Here’s the good news: Financial institutions that use Microsoft Active Directory (Azure AD) and Microsoft 365 can lower their risk by modifying their security settings for these services. Not only can this help the financial institution minimize threats, but it can allow them to customize the features of Azure AD and Microsoft 365 (previously called Office 365) to their specific preferences and requirements.

Organizations are responsible for managing Azure AD and its security settings because when they purchased M365 licenses, they established a Microsoft tenant with Azure AD. From a compliance perspective, adjusting Azure AD’s settings is crucial since Microsoft automatically enables certain features that may violate or conflict with compliance policies for organizations in regulated industries.

Optimizing /M365 and Exchange Online Settings

Depending on your institution’s licenses, there is a wide range of security and compliance settings you can customize in Azure AD, M365, and Exchange Online such as:

OneDrive and SharePoint Sharing: Review the default level of sharing to control the flow of data based on what is appropriate for your institution.
Teams and External Collaboration: Review the platform’s default security and compliance settings, and if they are not sufficient, you can block all external domains to keep users from communicating externally.
Exchange Online: Control access, how emails are transmitted, the types of messages users can send to recipients in external domains, and the devices or apps that can connect.
Protection Center: Use the Basic Mobility and Security feature to manage and secure the mobile devices that are connected to your Microsoft 365 organization.
Security Center: Optimize email management by employing anti-spam policies for inbound emails, blocking automatic forwarding of outbound emails, using phishing simulations, quarantining potentially harmful messages, and blocking messages from fake senders.
Compliance Center: Implement a retention policy to manage the data by proactively choosing how to retain or delete content.
M365 Admin Center: Use modern authentication‎ in ‎Exchange Online‎ to enhance your institution’s security with features like conditional access and multifactor authentication. (Microsoft‎ strongly recommends turning off basic authentication for your organization.)

More Ways to Boost Security

You can further enhance cloud security by modifying the settings related to Azure AD Premium P1, Intune, and Azure Information Protection (AIP) licenses. With Azure AD Premium P1, for instance, you can include your institution’s logo, color scheme, and other branding elements on your Azure AD sign-in pages. You can also employ the hybrid Azure AD joined devices, conditional access policies, and password protection features. Microsoft Intune integration lets you configure policies to control how your institution’s devices and applications are used, including smartphones, tablets, and laptops. And AIP allows you to use deep content analysis to minimize data loss and enhance the labeling capabilities of Microsoft 365 to protect documents and emails.

M365 Security Basics Can Help

There are countless security settings that can be adjusted in Azure AD and /M365, and Microsoft is always introducing new features. This can make it difficult for institutions to ensure they have the most appropriate security, identity, and compliance settings—but our CloudInsight™ M365 Security Basics solution can make the process easier. M365 Security Basics is a collection of services designed to give community banks and credit unions a cost-effective way to manage their M365 settings. It offers reporting, the delivery of Microsoft data in a user-friendly format; alerting, notifications of the most common indicators of compromise; and quarterly reviews, expert analysis of M365 Security Basics reports, and explanations of the risk visible on the report and ways those risks may be mitigated.

To learn more about how to customize your institution’s Azure AD and M365 settings to bolster cloud security, access our “Microsoft Azure and M365 Security Basics” white paper.

09 Mar 2022

Banks, Credit Unions, Technology Eric Delgado 0 comment

Microsoft Azure and 365 Security Basics Continued

When your institution acquired Microsoft 365 (also known as M365 and formerly called Office 365), it automatically created a Microsoft tenant with Azure AD. Since that tenant belongs to your organization, you are responsible for managing Azure AD and its security settings. Microsoft Azure services enable various default features that could be incompatible with the security, identity, and compliance requirements of your institution. it’s essential to customize the settings in Azure AD, M365, and Exchange Online (or Azure AD Premium P1, Intune, and Azure Information Protection) to fit your organization’s needs.

Customizing Azure AD Defaults

Security Defaults — Turn on security defaults to make it easier for your institution to thwart cyberattacks by using preconfigured security settings. (If your tenant was created on or after October 22, 2019, security defaults may already be enabled in your tenant.)
Password Policy — Configure the password policy applied to every user account that is created and managed directly in Azure AD. (Institutions with on-premises AD password policies governing password expirations should expect to manually synchronize their Azure AD password policy and their on-premises AD password policy.)
Azure AD Device Registration — Prevent users from joining devices on their own and require multi-factor authentication (MFA) to register or join devices with Azure AD.
Enterprise and Registered Apps — Keep non-administrator users from arbitrarily adding enterprise or registered applications, which can significantly increase risk. Afterwards, make sure to review every enterprise and registered application.
External Collaboration — Restrict regular users from inviting guests for collaboration and keep guest users from signing into your apps and services with their own work, school, or social identities.
Hybrid Identity with Password Hash Synchronization — Employ a hybrid identity architecture to synchronize users from on-premises Active Directory to Azure AD to minimize the number of identities users have across various platforms.
Azure AD Administration Portal — Limit regular users’ ability to read data in the Azure AD Administration Portal.
Administrator Review — Grant administrators only the specific permission they need to do their job and limit the number of static Global Administrator role assignments to fewer than five people.
Partners – When working with Microsoft-certified solution providers (partners) to purchase and manage solutions for your institution, they could be granted Global/Helpdesk admin roles giving them delegated administrative capabilities to your Azure instance. Make sure to review all partners and their delegated rights regularly.

Altering M365 and Exchange Online Settings

In M365, you can customize a variety of settings. In OneDrive, SharePoint Online, and Teams, look at configuring external collaboration capabilities of users. For Exchange Online, there are many settings to review but one to start with is the current forwarding capabilities and settings for users both globally and per-user. Modifying or reviewing these settings is highly advisable since they are inherently designed to facilitate interaction and external collaboration. In addition, you can use the Protection Center to secure mobile devices that are connected to your Microsoft 365 organization; the Security Center to refine email management; the Compliance Center to implement an effective data retention policy; and the M365 Admin Center to enhance security with modern authentication, which encompasses MFA. (According to Microsoft, 99.9 percent of account compromises can be blocked with MFA.)

And with the proper license, you can further enhance cloud security by optimizing the settings for Azure AD Premium P1, Intune, and Azure Information Protection.

M365 Security Basics Solution

Once your institution has sufficient settings in place to support your policies, it is essential to monitor for exceptions with reporting and alerting features such as those provided with Safe Systems CloudInsight™ M365 Security Basics solution. Financial institutions that partner with Safe Systems can gain critical visibility into their security settings helping them successfully navigate the complexities of optimizing M365’s features..

For more information about how your institution can optimize Azure AD and O365/M365 settings to improve cloud security, download our white paper on “Azure and M365 Security Basics.”

Important Disclaimer

The security settings that are discussed in this paper can have a dramatic impact on end-users and/or service functionality and should only be employed if deemed appropriate and after careful consideration. There are a variety of security options available, but organizations should strive to implement these technology services strategically and, ideally, through planned phases of objectives over potentially several months or even years. The recommendations, statements, and other concepts contained within this paper are provided primarily for the consideration of IT Administrators of financial institutions.

17 Feb 2022

Banks, Compliance, Credit Unions Eric Delgado 0 comment

Microsoft Azure and 365 Security Basics

Microsoft Azure and 365 Security Basics Featured Blog Image_Featured Image

Financial Institutions that employ Microsoft 365 (also known as M365 and formerly branded as Office 365) are in the Cloud, and therefore, face a growing number of cyber threats. Consider this: The FBI’s Internet Crime Complaint Center (IC3) has seen a 400-percent increase in cybersecurity complaints since the pandemic started.

The surge in cybercrimes means financial institutions that use M365 need to focus on protecting their assets in the Cloud. Our CloudInsight™ M365 Security Basics makes it easy and affordable for institutions to start the process. M365 Security Basics provides visibility into security settings for Microsoft Azure Active Directory (Azure AD) and M365. Banks and credit unions can leverage this multi-faceted solution to get ahead of cyber threats and enhance cloud security.

Importance of Customizing Your Azure AD and M365 Settings

Your financial institution likely has a Microsoft tenant with Azure AD, whether you realize it or not. This is partly because every exchange online and M365 implementation requires the creation of a Microsoft tenant and Azure AD, even if the services are managed through a third party. There are also many other scenarios requiring the creation a Microsoft tenant, making it rare for most institutions not to have one.

It is important to understand whether you have a Microsoft tenant with Azure AD because the tenant belongs to your institution—not the licensing reseller—it is your obligation to know how to manage the security settings in these systems, including Azure AD, M365, and Exchange Online. This can be challenging because Microsoft’s default settings might conflict with your institution’s security and compliance requirements. Therefore, you must customize these settings to create more sophisticated and appropriate security, identity, and compliance policies for your institution. This should entail building policies around what users are allowed to do, what your institution’s risk assessment defines, what your institution’s compliance policies dictate, and what users will tolerate.

Once your institution has sufficient policies in place, it is essential to monitor for exceptions with reporting and alerting. And with the proper license, you can further enhance cloud security by optimizing the settings for Azure AD Premium P1, Intune, and Azure Information Protection.

How M365 Security Basics Can Help

Microsoft is constantly adjusting its platforms and automatically enabling new features to adapt to an ever-evolving security environment, making it difficult for banks and credit unions to keep up. Partnering with a value-added technology expert like Safe Systems can help you better manage your M365 tenant. Our M365 Security Basics service identifies cloud security blind spots and common risks such as compromised user accounts, enabled insecure protocols, and targeted phishing or SPAM attacks.

M365 Security Basics key services:

Reporting – Collects Microsoft data that may not be readily available to institutions and assembles it in a user-friendly format
Alerting – Delivers notifications for the most common indicators of compromise in Microsoft M365 tenants
Quarterly reviews – Provide a vital, objective look at M365 Security Basics reports to help institutions determine the optimal security settings for their requirements

The Importance of MFA

An invaluable security control financial institutions should also consider implementing is multi-factor authentication (MFA). MFA applies a combination of factors to validate people’s identity before giving them access to sensitive data, account information, and other assets. MFA offers effective, low-cost protection against cyberattacks and other threats; and not implementing this security feature in Azure AD is risky. According to Microsoft, 99.9 percent of account compromises can be blocked with MFA, but the overall MFA adoption rate we have seen in the financial industry is only around 46 percent.

The bottom line: Microsoft is constantly enabling and disabling features in Azure AD and M365—, therefore, financial institutions must be able to manage the complexities of optimizing their security, identity, and compliance settings. To learn more about how your institution can customize Azure AD and M365 settings to enhance cloud security, read our “Azure and M365 Security Basics” white paper.

14 May 2020

Banks, Credit Unions, Technology Brendan McGowan 0 comment

Key Benefits of Cloud Infrastructure for Banking IT Operations

Cloud technology has been driving efficiency and innovation across many industries for years and today, many community banks and credit unions are adopting cloud services for their IT operations.

In a recent webinar, Safe Systems presented an overview of cloud infrastructure and the key benefits to financial institutions. Here are a few points to keep in mind if you’re thinking about implementing cloud services:

Data Centers

Cloud service providers, like Microsoft Azure or Amazon Web Services, have some of the best data centers in the world, providing space, power, cooling, and physical security. You no longer have to worry about the management burdens of an on-premise solution or co-location when your servers and applications are hosted in a secure cloud environment.

Lifecycle Management

The cost of server hardware does not end with its purchase. There are hidden costs of tracking which assets are still healthy, supported, and under warranty. Replacing aging equipment every few years often requires a complex project that impacts availability and takes time away from meeting more important objectives. With cloud services, you can eliminate lifecycle management of your server equipment, enabling you to focus your effort on higher-value projects that drive your business.

Availability

When you adopt cloud services, the availability of your critical application infrastructure and data is the responsibility of the cloud provider. The major cloud providers are able to attract and retain the best talent in the world to keep systems healthy and secure. They deliver your services from a highly resilient network of multiple data centers, vastly reducing your dependency on any single datacenter.

Flexibility

Experimentation

If your goal is to develop a specialized project for your institution, a platform like Microsoft Azure has many different services to make it easy for you to test scenarios or try new ideas without investing in hardware or navigating the justification and purchase order process. You simply visit the website, turn on a resource, and experiment. Later, you’re able to turn it off with no further commitment.

Fast Turnup and Fast Turndown

Cloud services enable you to get up and running fairly quickly in this new environment. Instead of having to order hardware and wait for it to be shipped or spend time setting up the solution, you can go from having an idea to having the solution turned on literally within a few minutes. Fast turndown is equally important. When you no longer need the solution, you can simply turn it off, and more importantly, the billing ends as well.

Elasticity

The elasticity of cloud service means that you can add capacity when you need it and remove expense when you don’t. For periodic computing tasks, like month-end processes, extra computing power can be added to your cloud services and then removed after the job is complete. This is more cost-effective than building an infrastructure that is sized for the busiest day of the year.

Serverless Functions

Lastly, large cloud providers have many advanced functions that can provide community banks and credit unions with new capabilities like serverless computing. Some workloads that traditionally required a dedicated server, like a Microsoft SQL database, may be able to move into a serverless alternative like Azure SQL. This creates the opportunity to start reducing the quantity of Windows Server instances that need to be patched and maintained.

Cloud infrastructure allows community banks and credit unions to reduce servers, internal infrastructure, and applications that would typically have to be hosted on-premises, in addition to the associated support each one requires. It also enables you to experiment and find the right services that fit your institution’s corporate strategy and IT objectives.

To learn more about cloud services, including cloud-based disaster recovery, watch our webinar recording, “The Cloud: Recovery and Resiliency is Just a Click Away.”

07 May 2020

Banks, Credit Unions Jamie Davis 0 comment

How the Cloud Revolutionizes Disaster Recovery for Financial Institutions

Disaster recovery is a concern for all financial institutions, regardless of size or location, and is essential to protecting data, infrastructure, and overall business operations. In addition to having a thorough disaster recovery (DR) plan, community banks and credit unions need to have a solid site recovery environment to facilitate a quick return to normal business operations, in the event of a natural disaster or other disruption.

Cloud disaster recovery solutions are growing in popularity among many community banks and credit unions. However, it is important to understand the key differences in site recovery models to determine the best fit for your institution.

In a recent webinar, Brendan McGowan, Chief Technology Officer at Safe Systems, outlined the three most common site recovery models available to community banks and credit unions today and discussed key considerations when implementing each.

In-House Site Recovery

When using an in-house site recovery model, financial institutions commonly have a virtualized server environment. These machines often run in a VMware vSphere environment which sits on top of a storage array. On the DR side, there is essentially a clone of the production environment to receive the replicated data. This works well for many financial institutions, however, there are a few considerations to keep in mind.

House Site Recovery

With in-house site recovery, you’ll need to:

Have redundant hardware in the DR environment at an additional cost.
Purchase an additional facility like a co-location or branch for DR.
Oversee hardware and software lifecycle management for both production and DR environments.
Set up dedicated connectivity like multi-protocol label switching (MPLS) to point replication to the DR environment.
Conduct regular maintenance to ensure all replications are healthy and perform periodic testing.
Have significant expertise and talent to make sure the system works correctly and consistently.

Cloud Site Recovery

In this model, the production environment remains the same, but the hardware and software used in the DR environment are replaced with a cloud-based solution. With cloud site recovery, financial institutions don’t have to pay for servers and computing time until the day they need to turn on the disaster recovery solution. Until then, the institution will only be billed for the amount of storage it consumes.

Cloud Site Recovery

When you use a cloud site recovery solution like Microsoft Azure Site Recovery, you create a storage pool to receive replication from a small server on-premise, which is the cloud site recovery replication server. The replication server works by having each of your production servers send its data changes in real-time to the cloud application server. This server is compressing, encrypting, and deduplicating all of the incoming data and continuously shipping it securely to your cloud site recovery storage pool.

With the cloud site recovery model, you no longer have to:

Deal with redundant hardware on the DR side since everything is stored in the cloud.
Manage hardware and lifecycle management on the DR-side.
Pay for separate facilities since the data is in the cloud, and you can store your data anywhere in the world.
Worry about dedicated connectivity because you can send all of the replication over the internet with a simple virtual private network (VPN).
Handle all of the maintenance or have the expertise required to run the system.

Cloud-Native Resilience

In the cloud-native site recovery model, both the production and disaster recovery environments are in the Cloud. To set up the cloud environment, using Microsoft Azure, for example, you can sign up for Azure Virtual Machines, which would correlate to VMware vSphere in your environment. After that, you can set up your production virtual machines.

Cloud-Native Site Recovery

At this point, you can register for cloud site recovery for your institution’s individual virtual machines. Once you’ve selected your machines for replication, the system automatically moves that data to whichever Azure zone you select so you get to choose some zone disparity.

In the cloud-native resilience model:

There is no Azure site replication server as there was in the cloud site recovery model.
Since both environments are cloud-native, all the data is in the cloud and you need not worry about a replication server. Simply check a box to turn it on.
In addition, file backup is also a simple checkbox for each server, providing you the option to choose the location to store the data.

Migrating to cloud-based services is a great option to reduce maintenance; significantly speed up the disaster recovery process; and improve overall operations for your institution. If you are interested in implementing a cloud-based disaster recovery solution, Safe Systems can help you determine the right environment for your institution.

To learn more about disaster recovery and moving to the Cloud, watch our recorded webinar, “The Cloud: Recovery and Resiliency is Just a Click Away.”