EU Data Boundary for the Microsoft Cloud | Frequently Asked Questions
On May 6, 2021, we announced a new pledge for the European Union. If you are a commercial or public sector customer in the EU, we will go beyond our existing data residency commitments and enable you to process and store all your data in the EU. In other words, we will not need to move your data outside the EU. This commitment will apply across all of Microsoft’s main cloud services—Azure, Microsoft 365, and Dynamics 365. We are beginning work immediately on this added step, and we will complete by the end of next year the implementation of all engineering work needed to execute on it. We’re calling this plan the EU Data Boundary for the Microsoft Cloud. The new step we’re taking builds on our already strong portfolio of solutions and commitments that protect our customers’ data, and we hope today’s update is another step toward responding to customers who want even greater data residency commitments. We will continue to consult with customers and regulators about this plan in the coming months and move forward in a way that is responsive to their feedback.Join Our Security Community
We want you to speak directly to our engineering teams. We believe that the best way to improve our security products is by having no filter between you and the people that create them. That's why we need your participation in our security community. As part of our community you can influence our products and get early access to changes by participating in private previews, giving feedback, requesting features, reviewing product roadmaps, joining conference call discussions, or attending in-person events. Join Us To join our community, click here, and then click the join button and the heart icons of the groups your are interested in, as pictured below. Additional Security Groups Here's a list of other security-related groups you may want to join. Azure Azure Security Center Azure Security and Identity Enterprise Mobility + Security Azure Advanced Threat Protection and ATA Azure Information Protection Microsoft Cloud App Security Microsoft Graph Security API Security, Privacy & Compliance. Windows Defender Advanced Threat Protection Find Us on LinkedIn We have a general discussion group on LinkedIn called the Microsoft Security Community, where I announce highlights from this site. Please join the group and feel free connect with me. Customer Advisory Board (CAB) We periodically select customers to be part of our Customer Advisory Board (CAB). We form a close relationship with these organizations, inviting them to exclusive, in-person events and giving them access to non-public roadmaps and information. CAB members give in-depth feedback our on products and consequently exert a great deal of influence our plans, priorities, and designs. Part of our criteria for choosing CAB members is how active they are in this community. If you would like to be part of our CAB, join our community, participate heavily, and then reach out to me. If you are a member, you can find our private CAB group here. Note that in order to access this group, you will first have to join our public groups using the instructions above, and then contact us to be added to the private access list. Conference Calls Several of our product teams hold regular conference calls where they preview forthcoming features, gather feedback, and host discussions. Many of these allow you to join private previews. Meeting invitations are posted on the product spaces within the communities. Contact me if you would like to join the calls and cannot find what you are looking for. Submit Feature Requests In addition to engaging us in the ways listed above, you can also submit and vote on feature requests at https://microsoftsecurity.uservoice.com. We hope to hear from you soon!This was my preparation for the exam Microsoft Certified: Cybersecurity Architect Expert (SC-100)!
Dear Microsoft 365 Security and Azure Security Friends, When I first read about this certification I was immediately excited! But at the same time I had a lot of respect, because it is an expert certification. I quickly started collecting information. The first thing I learned was that it takes a so-called prerequisite exam to become a Microsoft Certified: Cybersecurity Architect Expert certification. The following prerequisite exams are available (only one of these exams must be passed): Microsoft Certified: Security Operations Analyst Associate (SC-200) https://docs.microsoft.com/en-us/learn/certifications/security-operations-analyst/ Microsoft Certified: Identity and Access Administrator Associate (SC-300) https://docs.microsoft.com/en-us/learn/certifications/identity-and-access-administrator/ Microsoft Certified: Azure Security Engineer Associate (AZ-500) https://docs.microsoft.com/en-us/learn/certifications/azure-security-engineer/ Microsoft 365 Certified: Security Administrator Associate (MS-500) https://docs.microsoft.com/en-us/learn/certifications/m365-security-administrator/ I have taken all these prerequisite exams. The two exams AZ-500 and MS-500 helped me the most in preparing for the SC-100 (this is certainly not the case for everyone). In this SC-100 exam you will be quizzed on topics in Microsoft Sentinel, Microsoft Defender for Cloud, Microsoft 365 Defender for Cloud Apps (and all other Defender products), Azure Policy, Azure landing zone, etc. This spectrum is huge, please take enough time to "explore" these "portals" deeply. You don't have to have the technical knowledge down to the last detail. No not at all, in this exam it is important to use all the features and products with the right strategy. This was among other things my way to success! Now to my preparations for the exam: 1. First of all, I looked at the Exam Topics to get a first impression of the scope of topics. https://docs.microsoft.com/en-us/learn/certifications/cybersecurity-architect-expert/ Please take a close look at the skills assessed: https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWVbXN 2. So that I can prepare for an exam I need an Azure test environment (this is indispensable for me). You can sign up for a free trial here. https://azure.microsoft.com/en-us/free/ Next, I set up a Microsoft 365 test environment. You can sign up for a free trial here. https://www.microsoft.com/en-us/microsoft-365/business/compare-all-microsoft-365-business-products I chose the "Microsoft 365 Business Premium" plan for my testing. I have also registered several free trials to test the various Defender products. 3. Now it goes to the Microsoft Learn content. These learn paths (as you can see below, all 4) I have worked through completely and "mapped"/reconfigured as much as possible in my test environment. https://docs.microsoft.com/en-us/learn/paths/sc-100-design-zero-trust-strategy-architecture/ https://docs.microsoft.com/en-us/learn/paths/sc-100-evaluate-governance-risk-compliance/ https://docs.microsoft.com/en-us/learn/paths/sc-100-design-security-for-infrastructure/ https://docs.microsoft.com/en-us/learn/paths/sc-100-design-strategy-for-data-applications/ 4. Register for the exam early. This creates some pressure and you stay motivated. https://docs.microsoft.com/en-us/learn/certifications/cybersecurity-architect-expert/ 5. Please also watch the video of John Savill, it is very helpful! https://youtu.be/2Qu5gQjNQh4 6. The Exam Ref for the SC-200 exam was also very supportive. https://www.microsoftpressstore.com/store/exam-ref-sc-200-microsoft-security-operations-analyst-9780137666720 7. Further I have summarized various links that have also helped me a lot. Sorted by Functional Group. Design a Zero Trust strategy and architecture: https://docs.microsoft.com/en-us/security/cybersecurity-reference-architecture/mcra https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/secure/security-governance https://docs.microsoft.com/en-us/azure/architecture/framework/security/monitor-audit https://docs.microsoft.com/en-us/security/benchmark/azure/security-control-logging-monitoring https://docs.microsoft.com/en-us/azure/security/fundamentals/log-audit https://docs.microsoft.com/en-us/azure/architecture/framework/security/design-network-connectivity https://docs.microsoft.com/en-us/azure/architecture/framework/security/design-network-segmentation https://docs.microsoft.com/en-us/security/zero-trust/deploy/infrastructure https://docs.microsoft.com/en-us/security/zero-trust/integrate/infrastructure https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/strategy/define-security-strategy https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/secure/business-resilience https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/strategy/technical-considerations/ https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/organize/ https://docs.microsoft.com/en-us/azure/security/fundamentals/operational-checklist https://azure.microsoft.com/en-us/services/defender-for-cloud/#features https://docs.microsoft.com/en-us/azure/sentinel/overview https://docs.microsoft.com/en-us/azure/defender-for-cloud/workflow-automation https://docs.microsoft.com/en-us/security/compass/incident-response-overview https://docs.microsoft.com/en-us/security/compass/incident-response-planning https://docs.microsoft.com/en-us/security/compass/incident-response-process https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/secure/security-operations https://docs.microsoft.com/en-us/security/compass/security-operations https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-setup-guide/organize-resources https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-setup-guide/manage-access https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/design-area/identity-access https://docs.microsoft.com/en-us/azure/security/fundamentals/identity-management-best-practices https://docs.microsoft.com/en-us/azure/active-directory/external-identities/external-identities-overview https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-methods https://docs.microsoft.com/en-us/microsoft-365/education/deploy/design-credential-authentication-strategies https://docs.microsoft.com/en-us/azure/active-directory/hybrid/choose-ad-authn https://docs.microsoft.com/en-us/azure/architecture/framework/security/design-identity-authentication https://docs.microsoft.com/en-us/azure/architecture/framework/security/design-identity-authorization https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/plan-conditional-access https://docs.microsoft.com/en-us/azure/architecture/guide/security/conditional-access-zero-trust https://docs.microsoft.com/en-us/azure/active-directory/roles/best-practices https://docs.microsoft.com/en-us/azure/active-directory/governance/entitlement-management-delegate https://docs.microsoft.com/en-us/azure/active-directory/roles/groups-concept https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure https://docs.microsoft.com/en-us/security/compass/identity https://docs.microsoft.com/en-us/azure/active-directory/governance/entitlement-management-overview https://docs.microsoft.com/en-us/azure/active-directory/governance/entitlement-management-delegate https://docs.microsoft.com/en-us/microsoft-identity-manager/pam/privileged-identity-management-for-active-directory-domain-services https://docs.microsoft.com/en-us/microsoft-identity-manager/pam/principles-of-operation https://docs.microsoft.com/en-us/azure/active-directory/roles/security-planning Evaluate Governance Risk Compliance (GRC) technical strategies and security operations strategies: https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/govern/policy-compliance/regulatory-compliance https://docs.microsoft.com/en-us/azure/security/fundamentals/technical-capabilities https://docs.microsoft.com/en-us/security/compass/governance https://docs.microsoft.com/en-us/azure/defender-for-cloud/regulatory-compliance-dashboard https://docs.microsoft.com/en-us/microsoft-365/compliance/compliance-manager?view=o365-worldwide https://docs.microsoft.com/en-us/microsoft-365/compliance/compliance-score-calculation?view=o365-worldwide https://docs.microsoft.com/en-us/azure/defender-for-cloud/secure-score-security-controls https://docs.microsoft.com/en-us/azure/governance/policy/overview https://docs.microsoft.com/en-us/azure/governance/policy/tutorials/create-and-manage https://azure.microsoft.com/en-us/global-infrastructure/data-residency/ https://azure.microsoft.com/en-us/resources/achieving-compliant-data-residency-and-security-with-azure/ https://azure.microsoft.com/en-us/overview/trusted-cloud/privacy/ https://azure.microsoft.com/en-us/blog/10-recommendations-for-cloud-privacy-and-security-with-ponemon-research/ https://docs.microsoft.com/en-us/security/benchmark/azure/introduction https://docs.microsoft.com/en-us/azure/defender-for-cloud/update-regulatory-compliance-packages https://docs.microsoft.com/en-us/azure/defender-for-cloud/regulatory-compliance-dashboard https://docs.microsoft.com/en-us/azure/defender-for-cloud/secure-score-access-and-track https://docs.microsoft.com/en-us/azure/defender-for-cloud/enhanced-security-features-overview https://docs.microsoft.com/en-us/azure/architecture/framework/security/design-governance-landing-zone https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/considerations/landing-zone-security https://docs.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/design-area/security https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/office-365-ti?view=o365-worldwide https://docs.microsoft.com/en-us/microsoft-365/compliance/insider-risk-management?view=o365-worldwide https://techcommunity.microsoft.com/t5/security-compliance-and-identity/reduce-risk-across-your-environments-with-the-latest-threat-and/ba-p/2902691 Design security for infrastructure: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines https://docs.microsoft.com/en-us/windows-server/security/security-and-assurance https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/minimum-requirements?view=o365-worldwide https://docs.microsoft.com/en-us/mem/intune/protect/security-baselines https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/best-practices-for-securing-active-directory https://docs.microsoft.com/en-us/azure/active-directory-domain-services/secure-your-domain https://docs.microsoft.com/en-us/azure/key-vault/general/about-keys-secrets-certificates https://docs.microsoft.com/en-us/azure/security/fundamentals/management https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/cloud-services-security-baseline https://azure.microsoft.com/en-us/overview/iot/security/ https://docs.microsoft.com/en-us/azure/azure-sql/database/security-overview?view=azuresql https://docs.microsoft.com/en-us/azure/azure-sql/database/security-best-practice?view=azuresql https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/sql-database-security-baseline https://docs.microsoft.com/en-us/azure/cosmos-db/database-security?tabs=sql-api https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/synapse-analytics-security-baseline https://docs.microsoft.com/en-us/azure/app-service/overview-security https://docs.microsoft.com/en-us/azure/app-service/security-recommendations https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/app-service-security-baseline https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/storage-security-baseline https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/container-instances-security-baseline https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/container-registry-security-baseline https://docs.microsoft.com/en-us/security/benchmark/azure/baselines/aks-security-baseline https://docs.microsoft.com/en-us/azure/aks/concepts-security https://docs.microsoft.com/en-us/azure/aks/operator-best-practices-cluster-security?tabs=azure-cli https://docs.microsoft.com/en-us/azure/architecture/framework/services/compute/azure-kubernetes-service/azure-kubernetes-service Design a strategy for data and applications: https://docs.microsoft.com/en-us/azure/security/develop/threat-modeling-tool-mitigations https://docs.microsoft.com/en-us/azure/architecture/framework/security/design-threat-model https://docs.microsoft.com/en-us/compliance/assurance/assurance-security-development-and-operation https://docs.microsoft.com/en-us/azure/security/develop/secure-design https://docs.microsoft.com/en-us/azure/defender-for-cloud/defender-for-app-service-introduction https://docs.microsoft.com/en-us/azure/architecture/framework/security/resilience https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-governance-strategy https://docs.microsoft.com/en-us/azure/architecture/data-guide/scenarios/securing-data-solutions https://docs.microsoft.com/en-us/azure/architecture/framework/security/design-storage https://docs.microsoft.com/en-us/security/benchmark/azure/security-controls-v3-data-protection https://docs.microsoft.com/en-us/azure/security/fundamentals/encryption-overview https://docs.microsoft.com/en-us/azure/security/fundamentals/data-encryption-best-practices https://docs.microsoft.com/en-us/azure/security/fundamentals/encryption-atrest https://docs.microsoft.com/en-us/azure/architecture/framework/security/design-storage-encryption 8. You can find a list of all the links here: https://github.com/tomwechsler/Microsoft_Cloud_Security/blob/main/SC-100/Links.md I know you've probably read and heard this many times: read the exam questions slowly and accurately. Well, that was the key to success for me. It's the details that make the difference between success and failure. Let me give you an example at this point. You want to make a business app available. The authentication should be done by each person with his own LinkedIn account. Which variant of Azure Active Directory do you use for this? At this point you should know the different types of Azure Active Directory. One final tip: When you have learned something new, try to explain what you have learned to another person (whether or not they know your subject). If you can explain it in your own words, you understand the subject. That is exactly how I do it, except that I do not explain it to another person, but record a video for YouTube! I hope this information helps you and that you successfully pass the exam. I wish you success! Kind regards, Tom Wechsler P.S. All scripts (#PowerShell, Azure CLI, #Terraform, #ARM) that I use can be found on github! https://github.com/tomwechslerBlog Series: Charting Your Path to Cyber Resiliency
Cyber resiliency is an organization’s ability to build and manage technology systems that limit the impact of cyberattacks. It helps organizations maintain operations, securely and effectively, when cyberattacks occur. As Microsoft notes, “An organization can never have perfect security, but it can become resilient to security attacks.” In Part 1 of this series, we looked at how the concept of cyber resiliency originated, introduced 2 foundational cyber resiliency frameworks and wrapped up with a quick look at some Microsoft cyber resiliency resources from our 2022 Digital Defense Report. In Part 2, we’ll dive deeper into Microsoft’s approach to cyber resiliency, starting back in 2002 with the famous Trustworthy Computing memo from Bill Gates himself. TrustWorthy Computing In 2002, Microsoft founder and CEO Bill Gates emailed a memo to all Microsoft employees, outlining the need for a new approach to how the company provided security and resiliency to our customers, and calling for changes to Microsoft products and culture. Gates referenced September 11 and several serious malware incidents in 2001 that had caused significant business disruptions, emphasizing "how important it is to ensure the integrity and security of our critical infrastructure, whether it’s the airlines or computer systems." Gates also foresaw how increasingly connected and dependent on the Internet the world would become in the future – a concept that played a key role in the development of cyber resilience frameworks. The Trustworthy Computing initiative was not created specifically to address cyber resiliency, but like cyber resiliency it was holistic in its treatment of security, covering diverse areas such as software development and customer support, as well as Microsoft’s internal operational and business practices. A 2014 article by Forbes praised Microsoft for the impact of Trustworthy Computing on Security, not just for Microsoft products, but for the entire IT industry, noting "We’ve come a long way from the 'Wild West” era of malware—thanks in large part to the ongoing efforts of Microsoft Trustworthy Computing." Zero Trust Microsoft didn't invent Zero Trust but has been an industry leader in actively promoting and developing Zero Trust strategies for many years, as well as using Zero Trust to secure our own environments. For example, Microsoft has collaborated with NIST (the National Institute of Standards and Technology) and other vendors to develop a practice guide to help organizations design and build Zero Trust architectures. Zero Trust and cyber resiliency are not the same, but there are many similarities between them, starting with the idea that we must Assume Breach, given the speed, scale and sophistication of threat actors and the challenges every Security team faces. In addition: Both stress the importance of identifying the most critical business resources and prioritizing the protection of those resources Both are concerned with limiting the blast radius of an attack and reducing the attacker’s ability to move laterally Both are designed to protect hybrid environments across multiple pillars that include both legacy and modern technologies Both emphasize the need for the organization to continually adapt protections to keep up with threat actors Secure Future Initiative There are many similarities between the TrustWorthy Computing initiative and Microsoft’s current Secure Future Initiative (SFI). Again, it began with an internal memo to employees, this time by Microsoft Security EVP Charlie Bell, in November 2023. Like TrustWorthy Computing, SFI illustrates Microsoft’s leadership in addressing current cybersecurity challenges that now include AI advancements, increasingly sophisticated ransomware-as-a-service organizations, and nation-state activity targeting critical infrastructure. Like TrustWorthy Computing, SFI is holistic in nature. As Vice Chair and President Brad Smith emphasized in his own intro to SFI "This new initiative will bring together every part of Microsoft to advance cybersecurity protection." The Secure Future Initiative is also rooted in Microsoft’s experiences as a company dedicated to continually improving our own cyber resilience. In a May 2024 report on SFI progress, Microsoft CEO Satya Nadella noted that cyberattacks, such as the 2023 Storm-0558 attack that targeted Microsoft, 'underscore the severity of the threats facing our company and our customers, as well as our responsibility to defend against these increasingly sophisticated threat actors." Finally, like TrustWorthy Computing, SFI is clear that security – both for Microsoft and for our customers – is the company’s number one priority. Satya concluded his message with a familiar call to action for Microsoft employees: "If you’re faced with the tradeoff between security and another priority, your answer is clear: Do security." Microsoft's Key Issues Impacting Cyber Resiliency Part 1 of this series introduced Microsoft’s key issues impacting cyber resiliency. These are issues that we in MIRCAT (the Microsoft Incident Response Critical Action Team) routinely address in our incident response/compromise recovery work with clients: Insecure configuration of identity provider Insufficient privilege access and lateral movement controls No Multi-Factor Authentication Low maturity security operations Lack of information protection control Limited adoption of modern security frameworks Each of these issues is further broken down into distinct components. For example, the issue Insufficient privilege access and lateral movement controls has 5 components: No privilege isolation in Active Directory via tier model No use of Privilege Access Workstations Lack of local admin password management controls Lack of Privilege Access Management controls Excessive admin credentials found Trying to address all cyber resilience issues can be overwhelming for clients, which is why we emphasize taking a phased approach to each issue and component. For example, Lack of Privilege Access Management controls in Entra can be addressed by Microsoft Privileged Identity Management (PIM). When helping a client implement PIM, we employ a phased approach that might look something like this: Phase 1: Implement PIM to protect privileged roles in Entra, starting with Global Administrators and guest accounts. Gradually onboard additional Entra Admin roles. Phase 2: Implement PIM to protect select highly privileged roles in the most business-critical Azure subscriptions. Gradually onboard additional subscriptions. Phase 3: Extend PIM management to more complex use cases involving time-bound privileged group membership, authentication context and approval workflows. When implementing a security technology to help your organization increase cyber resiliency, your goal should be to implement it fully with no exceptions. Unfortunately, in incident response and compromise recovery engagements we often see gaps that limit our clients’ resilience to cyberattacks. For example, we regularly work with clients who tell us that they’ve implemented PIM, only to find that many privileged roles have been permanently assigned outside of PIM. In other cases, we see PIM used only for Entra roles while no privileged access controls are applied to Azure subscriptions running business-critical workloads. At the same time, when business reasons dictate that a cyber resilience control cannot be fully implemented, organizations should not adopt an all-or-nothing approach. For example, financial constraints prohibit some clients from providing privileged access workstations to all administrators or FIDO 2 compatible security keys to all users. In those cases, organizations are encouraged to start by providing those additional protections to Tier 0 administrators at a minimum, followed by Tier 1 administrators of business-critical workloads. Conclusion In Part 2 of our series, we explored how Microsoft has been an industry leader in cyber resiliency over the years, beginning with the days of TrustWorthy Computing more than 20 years ago. We also delved deeper into Microsoft’s current guidance on the key issues that we see limiting our customers’ cyber resilience. The journey to cyber resilience is a challenging and time-consuming one with a lot of Big Rocks that clients commonly struggle with: Vulnerability management Policy management Securing privileged access Adapting to the continuously changing cyber threat landscape Maturing the SecOps capability Fortunately, it’s a journey that organizations don’t have to make alone, and increasingly it’s a journey that AI can help with. And that’s what we’ll examine in the final part of this series.
