Multicloud computing has become the foundation for digital businesses, with 86% of organizations having already adopted a multicloud approach. However, for all its benefits around increased agility, flexibility, and choice, Microsoft also see unique challenges with multicloud—including the need to manage security, identity, and compliance across different cloud service providers (CSPs), ensure data portability, and optimize costs.

Securing multicloud environments is a deeply nuanced task, and many organizations struggle to fully safeguard the many different ways cyberthreat actors can compromise their environment. In Microsoft’s latest report, “2024 State of Multicloud Security Risk,” Microsoft analyzed usage patterns across Microsoft Defender for Cloud, Microsoft Security Exposure Management, Microsoft Entra Permissions Management, and Microsoft Purview to identify the top multicloud security risks across Microsoft Azure, Amazon Web Services (AWS), Google Cloud Platform (GCP), and beyond. This is the first time Microsoft has released a report sharing key insights across aspects of cloud security, including identity and data.

This multidimensional analysis is key because it provides deeper visibility into all of the angles cyberattackers can use to breach cloud environments. For example, Microsoft found that more than 50% of cloud identities had access to all permissions and resources in 2023. Can you imagine what would happen if even one of these “super identities” were compromised? Looking beyond identity and access, Microsoft also discovered significant vulnerabilities in development and runtime environments and within organizations’ data security postures. These threats and more are the driving forces behind Microsoft’s work to advance cybersecurity protections by sharing the latest security intelligence and through programs like the recently expanded Secure Future Initiative, which works to guide Microsoft advancements according to secure by design, secure by default, and secure operations principles.

Multicloud Security Demands a Proactive, Prioritized Approach

Any practitioner who has worked in cloud security can tell you just how challenging it is to analyze, prioritize, and address the hundreds of security alerts they receive every day. Security teams are also responsible for managing all exposed assets and other potential risk vectors. The average multicloud estate has 351 exploitable attack paths that lead to high-value assets, and Microsoft discovered more than 6.3 million exposed critical assets among all organizations.

Cloud security posture management (CSPM) is one solution, but rather than taking a siloed approach, Microsoft recommend driving deeper, more contextualized CSPM as part of a cloud-native application protection platform (CNAPP).

CNAPPs are unified platforms that simplify securing cloud-native applications and infrastructure throughout their lifecycle. Because CNAPPs can unify CSPM with things like multipipeline DevOps security, cloud workload protections, cloud infrastructure entitlement management (CIEM), and cloud service network security (CSNS), they can correlate alerts and eliminate visibility gaps between otherwise disparate tools. This allows security teams to proactively identify, prioritize, and mitigate potential cyberattack paths before they can be exploited.

CNAPP Embeds Secure Best Practices Throughout the Entire Application Lifecycle

Properly securing cloud-native applications and infrastructure from initial code development to provisioning and runtime is a significant challenge area for many organizations. Microsoft found that 65% of code repositories contained source code vulnerabilities in 2023, which remained in the code for 58 days on average. Given that one quarter of high-risk vulnerabilities are exploited within 24 hours of being published, this creates a significant window for threat actors to take advantage and compromise your environment.

In addition to delivering proactive protection during runtime, CNAPP can act as a shared platform for security teams to work with developers to unify, strengthen, and manage multipipeline DevOps security. And because CNAPP unites multiple cloud security capabilities under a single umbrella, security teams can also enforce full-lifecycle protections from a centralized dashboard. This shifts security left and heads off development risks before they become a problem in runtime.

Organizations Need a Unified Security Approach to Secure Cross-cloud Workloads

Multicloud security goes deeper than attack path analysis and strong DevSecOps. Organizations also need to examine how the growing use and variety of cloud workloads impact their exposure to cyberthreats. When cloud workloads span across multiple cloud environments, that creates a more complex threat landscape with additional complexities and dependencies that require proper configuration and monitoring to secure.

Microsoft’s CNAPP solution, Microsoft Defender for Cloud, has an extended detection and response (XDR) integration that provides richer context to investigations and allows security teams to get the complete picture of an attack across cloud-native resources, devices, and identities. Roughly 6.5% of Defender for Cloud alerts were connected to other domains—such as endpoints, identities, networks, and apps and services—indicating cyberattacks that stretched across multiple cloud products and platforms.

Rather than using individual point solutions to manage cross-cloud workload threats, organizations need an easy way to centralize and contextualize findings across their various security approaches. A CNAPP delivers that unified visibility.

Securing Growing Workload Identities Requires a More Nuanced Approach

Also central to multicloud security is the idea of identity and access management. In the cloud, security teams must monitor and secure workload identities in addition to user identities. These workload identities are assigned to software workloads, such as apps, microservices, and containers. The growing usage of workload identities creates several challenges.

For starters, workload identities make up 83% of all cloud identities within Microsoft Entra Permissions Management. When examining the data, Microsoft found that 40% of these workload identities are inactive—meaning they have not logged in or used any permissions in at least 90 days. These inactive identities are not monitored the same way as active identities, making them an attractive target for cyberattackers to compromise and use to move laterally. Workload identities can also be manually embedded in code, making it harder to clean them without triggering unintended consequences.

What’s concerning, though, is the fact that the average organization has three human super identities for every seven workload super identities. These workload super identities have access to all permissions and resources within the multicloud environment, making them an enormous risk vector that must be addressed. And because workload identities are growing significantly faster than human identities, Microsoft expect the gap between human and workload super identities to widen rapidly.

Security teams can address this risk by establishing visibility into all existing super identities and enforcing least privilege access principles over any unused or unnecessary permissions—regardless of the cloud they access.

CIEM Drives Visibility and Control Over Unused Permissions

Speaking of permissions, Microsoft’s report found that more than 51,000 permissions were granted to users and workloads (up from 40,000 in 2022). With more permissions come more access points for cyberattackers.

A CIEM can be used to drive visibility across the multicloud estate, eliminating the need for standing access for super identities, inactive identities, and unused permissions. Just 2% of human and workload identity permissions were used in 2023, meaning the remaining 98% of unused permissions open organizations up to unnecessary risk.

By using a CIEM to identify entitlements, organizations can revoke unnecessary permissions and only allow just-enough permissions, just in time. This approach will significantly mitigate potential risks and enhance the overall security posture.

A Multilayered Data Security Approach Eliminates Complexity and Limits Blind Spots

Finally, organizations need a comprehensive data security approach that can help them uncover risks to sensitive data and understand how their users interact with data. It’s also important to protect and prevent unauthorized data use throughout the lifecycle using protection controls like encryption and authentication.

A siloed solution won’t work, as organizations with 16 or more point solutions experience 2.8 times as many data security incidents as those with fewer tools. Instead, organizations should deploy integrated solutions through a multilayered approach that allows them to combine user and data insights to drive more proactive data security. At Microsoft, Microsoft accomplish this through Microsoft Purview—a comprehensive data security, compliance, and governance solution that discovers hidden risks to data wherever it lives or travels, protects and prevents data loss, and investigates and responds to data security incidents. It can also be used to help improve risk and compliance postures and meet regulatory requirements.

Uncover Strategies for Mitigating Your Biggest Multicloud Risks

Ultimately, multicloud security has multiple considerations that security teams must account for. It is not a check-the-box endeavor. Rather, security teams must continuously enforce best practices from the earliest stages of development to runtime, identity and access management, and data security. Not only must these best practices be enforced throughout the full cloud lifecycle, but they must also be standardized across all cloud platforms.

In a recent episode of Microsoft’s podcast, Uncovering Hidden Risks, Microsoft sat down with Christian Koberg-Pineda, a Principal Security DevOps Engineer at S.A.C.I. Falabella, to dive into his journey toward uncovering the challenges and strategies for safeguarding cloud-native applications across various cloud platforms. In it, he talks about the complexity of securing multiple clouds, including navigating differing configurations, technical implementations, and identity federation.

Source: Microsoft

Fill out the form to download the full 2024 State of Multicloud Security Report and supercharge your security strategy now!

Connect like never before in a three-dimensional (3D) immersive space, helping virtual meetings and experiences feel more like face-to-face connections. Immersive spaces have unique attributes that create a perception of being physically together in a 3D digital space, including spatial interaction, co-presence, and immersion.

There are several ways to join an immersive space from Teams:

• A scheduled meeting through Teams or Outlook
• When you start a meeting by Meet now
• Channel meetings when you select Join from any Teams chat group

You can have as many people in immersive spaces as in your Teams meeting, but only 16 participants are allowed in the same immersive space at a time.

In today’s rapidly evolving digital landscape, businesses across industries are leveraging cloud services to enhance their operations and security. This case study explores how our SUPERHUB partnered with a toy manufacturing company in Hong Kong, which had its main office in Hong Kong and a factory in China. By addressing their pain points and providing comprehensive solutions, we successfully transformed their IT infrastructure and improved their overall efficiency.

The toy manufacturing company encountered several challenges prior to subscribing to cloud services. They had experienced malware attacks and ransomware incidents, highlighting the urgent need for robust security measures. Their IT systems were unmanaged, and the absence of an IT manager further compounded their issues. Additionally, their existing enterprise resource planning (ERP) system relied on outdated thin-client technology, hindering productivity and collaboration.

To address the challenges faced by the toy manufacturing company, our team proposed a comprehensive set of solutions, with a focus on leveraging Microsoft cloud services for future-proofing their IT infrastructure.

Recognizing their security concerns, we recommended subscribing to Microsoft 365 Security, Microsoft Defender, and Data Loss Prevention (DLP) solutions. These powerful tools would fortify their security infrastructure and protect sensitive data from malware and ransomware attacks. Microsoft Intune for managing and securing their endpoint devices. This proactive measure would provide centralized control and enhance the overall security posture of their IT environment.

On the other hand, to facilitate efficient communication and collaboration between their Hong Kong and China offices, we proposed the implementation of SharePoint. This secure platform would enable seamless document transfer while adhering to stringent security controls, ensuring data integrity and confidentiality. We also Understanding their need for expert IT management and support. Customer subscribed our Managed Cloud IT (MCIT) Service. Our team of remote and on-site engineers would provide comprehensive support, resolving issues promptly and ensuring uninterrupted operations. The MIT Service would also include remote support for their China operations.

By partnering with SUPERHUB, the toy manufacturing company is poised to achieve significant improvements in their operations. With a comprehensive security strategy in place, they can proactively defend against malware and ransomware attacks, safeguarding their critical business data. Also, the SharePoint was implemented successfully. The seamless document transfer and enhanced collaboration between their Hong Kong and China offices will become a reality, improving overall productivity and efficiency.

We also continue to provide comprehensive consultation and training on Microsoft 365, ensuring that their employees are well-equipped to utilize the suite of tools effectively. This will maximize productivity and efficiency, enabling them to leverage the full potential of the cloud.

Introducing GPT-4o: OpenAI’s New Flagship Multimodal Model

Now in Preview on Azure

Microsoft is thrilled to announce the launch of GPT-4o, OpenAI’s new flagship model on Azure AI. This groundbreaking multimodal model integrates text, vision, and audio capabilities, setting a new standard for generative and conversational AI experiences. GPT-4o is available now in Azure OpenAI Service, to try in preview, with support for text and image.

A Step Forward in Generative AI for Azure OpenAI Service

GPT-4o offers a shift in how AI models interact with multimodal inputs. By seamlessly combining text, images, and audio, GPT-4o provides a richer, more engaging user experience.

Launch Highlights: Immediate Access and What You Can Expect

Azure OpenAI Service customers can explore GPT-4o’s extensive capabilities through a preview playground in Azure OpenAI Studio starting today in two regions in the US. This initial release focuses on text and vision inputs to provide a glimpse into the model’s potential, paving the way for further capabilities like audio and video.

Efficiency and Cost-effectiveness

GPT-4o is engineered for speed and efficiency. Its advanced ability to handle complex queries with minimal resources can translate into cost savings and performance.

Potential Use Cases to Explore with GPT-4o

The introduction of GPT-4o opens numerous possibilities for businesses in various sectors:

·     Enhanced Customer Service: By integrating diverse data inputs, GPT-4o enables more dynamic and comprehensive customer support interactions.

·     Advanced Analytics: Leverage GPT-4o’s capability to process and analyze different types of data to enhance decision-making and uncover deeper insights.

·     Content Innovation: Use GPT-4o’s generative capabilities to create engaging and diverse content formats, catering to a broad range of consumer preferences.

Exciting Future Developments: GPT-4o at Microsoft Build 2024

Microsoft is eager to share more about GPT-4o and other Azure AI updates at Microsoft Build 2024, to help developers further unlock the power of generative AI.

Source: Introducing GPT-4o: OpenAI’s New Flagship Multimodal Model Now in Preview on Azure – The Official Microsoft Blog

LBS, the leading hygiene company in Hong Kong, adopts a business continuity strategy by leveraging Microsoft Azure Site Recovery (ASR) service.  There are tremendous cost savings on secondary data centers, while having increases on availability of their mission critical operation system, web application and database.

With 1300 employees and a business footprint across Asia, LBS has sought out new technologies to promote efficiency and agility.

The account team at SUPERHUB, in conjunction with their cloud architect, worked closely with LBS to create a hybrid-cloud DR solution using Azure Site Recovery (ASR). This cloud-based DR orchestration service coordinates the replication and recovery of private clouds across sites. It also provides non-disruptive testing of recovery plans and remote monitoring of cloud health, which then eliminates the need for maintaining a secondary data center location.

With Azure’s ability to replicate and backup different workloads like VMware and Hyper-V, it became a big driver for LBS to move their business continuity and disaster recovery to the cloud. LBS’ IT manager, Percy Lee, also commented on the beauty of Azure’s pay-by-consumption model. With hybrid flexibility, entire workloads or pieces of on-premises workloads can be run in the cloud.

Like many organizations, LBS was hesitant to migrate to the cloud from day one. Taking the first step of moving Exchange to Microsoft 365, LBS discovered the empowerment cloud technologies provided and its effect on employees’ productivity and the leeway to re-focus their attention on more strategic initiatives.

The second step was to use Azure as the cloud platform, which demonstrated once again, SUPERHUB’s cloud expertise through their pre- and post-sales support. SUPERHUB offers a unique “+” Managed Service on different cloud platforms to enable faster deployment, better adoption, hassle-free managed service and balanced security for their customers. This ensures a peace of mind for LBS, and for them to retain SUPERHUB as its long-term digital transformation partner.

Cost optimization using Azure Migrate

The higher energy cost and the resulting increase in the cost of doing business have led to a tighter economic outlook for most businesses around the world. This, in turn, is a major contributing factor to customers becoming more cost-conscious, leading to an increased need for optimization features in products and services. Azure Migrate’s comprehensive suite includes many features to optimize cost, while catering to your performance needs to meet service level agreements (SLAs). Agentless discovery and mapping of your entire on-premises IT estate, software inventory analysis for assessment and planning, and right-sized migration using a single portal to start, run, and track your projects, are a few cost-effective features that also contribute to ease of use. Once in Azure, the path towards greater optimization and cost savings continues through modernization to platform as a service (PaaS) and software as a service (SaaS).
Customer requirements and benefits

The customer must stay competitive, both on the technical and business fronts, to ensure continued success. Technical competency requires an agile and innovative IT platform with data analytics to provide insights that can help differentiate from the competition. It would be ideal if such an innovative platform were available at a competitive cost. Incidentally, modernizing existing IT infrastructure, applications, and data-to-PaaS/SaaS models in the cloud delivers on all these requirements, leading to a higher return on investment (ROI) for the customer.

The higher efficiency and lower cost due to the adoption of modern cloud-native architectures also lead to greater levels of flexibility and reduced vendor lock-in. Thus, setting the stage for the customer to realize greater value as they progress from IaaS to PaaS and onto SaaS models. Please download our analyst report for details on options and value due to application modernization in Azure.

Microsoft’s focus on cost optimization

During Microsoft Ignite, we are highlighting our continued commitment to cost optimization through support for SQL Server assessments, prior to migration and modernization using Azure Migrate. Customers can now perform unified, at-scale, agentless discovery and assessment of SQL Servers on Microsoft Hyper-V, bare-metal servers, and infrastructure as a service (IaaS) of other public clouds, such as AWS EC2, in addition to VMware environments. The capability will allow customers to analyze existing configurations, performance, and feature compatibility to help with right-sizing and estimating cost. It will also check on readiness and blockers for migrating to Azure SQL Managed instance, SQL Server on Azure virtual machine, and Azure SQL Database. All this information can also be presented in a single coherent report for easy consumption while reducing cost for customers.

Source: Cost optimization using Azure Migrate | Microsoft

According to the latest policy issued by the International Civil Aviation Organization (ICAO), all known consignors subjected to approval by the local Civil Aviation Department must implement 100% cargo security screening by June 30, 2021. Hong Kong Secure Transportation System Company Limited (HKSTS) is transforming the industry with Smartsec System, which can check the seal of consignment via IOT device instead of relying on visual inspection. More importantly, it automates the handling and reporting logistics that increases the competitiveness of Hong Kong air freight industry to international standards.

Hong Kong Secure Transportation System Company Limited (HKSTS) was established in 2019 to provide security transportation measures approved by the Civil Aviation Department for the Hong Kong air freight industry. Built on the Microsoft Azure platform, the Smartsec System can ensure screened cargo are transported from the security warehouse to the Cargo Terminal Operator (CTO) without any unlawful interference or suspicious contact. The Azure cloud platform possesses rich program resources that enable seamless integration of Smartsec with other existing HKSTS platforms, such as a secure transportation system and global agency network.  In addition, it provides intelligent full-process visualization services for customers to accurately track their order status.

Although the cargo security screening measure is due for implementation by June 30, 2021, the demand for its services is subject to many unknown factors, such as the economic environment, ever-changing customer needs and marketing competition.  If HKSTS builds the Smartsec System in a traditional data centre with a one-off infrastructure purchase, it will incur huge investments.

After the development and implementation, HKSTS will face issues of terminating technical support, hardware, and software End-of-Life (EOL) down the road.

With the maturity of cloud technology and availability of a subscription model on Azure, HKSTS decided to develop the SmartSec application on the platform. It greatly resolved problems encountered in business operations and fundamentally improved the service efficiency offered by HKSTS.

In addition, two VMs running the Smartsec application operating in tandem with hot standby would greatly increase the SLA of the platform.

Developing the application on Azure platform has brought the following benefits to HKSTS:

• Optimizing Investment and Demand Management

It saved CAPEX investment and the hassle to project demand and capacity on infrastructure, particularly important during their development stage with unknown demand. There is the option for different subscription modes, like Pay-as-you-go (PAYG) or Reserve Instance (RI) to suit their needs.

• Enhancing Flexibility and Security in Infrastructure

It improved the flexibility and security of the infrastructure. Maintenance management and security protection are no longer factors that need to be taken into consideration. With the global compliance standard due to launch in 6 months, the air freight industry will still face a lot of unknown factors such as COVID-19 and market competition.

Goutham Upadhyay, Microsoft Cloud Solution Architect

Are you a Microsoft customer running your workload on Azure?

Holiday seasons like Black Friday, Double 11, and Christmas Sale will test your app’s limits, and so it’s time for your Infrastructure and Application teams to ensure that your platforms deliver when it is needed the most. Be it shopping applications on the web and mobile or payment gateways or banking systems supporting payments or inventory systems or billing systems – anything and everything associated with the shopping season should be prepared to face the load.

Application resilience is vital to keep up with the higher customer demand during the holiday season. Below are the top 10 considerations to ensure your App is resilient on Azure and to make sure your Technology team can handle your platform with grace.

Here are my top ten considerations for running your workload on Azure to handle this holiday season:

• Multi Region: Consider running in multiple Azure regions for resilience check our mission critical reference architecture. If running Active-Passive, then Perform DR drill in paired Azure region. If running in single region for whatever reason please consider running your workload across multiple availability zones for better resilience.

• Load Test: Perform load testing preferably use fully managed service like Azure load test it is easy to generate high-scale load and identify app performance bottlenecks with Azure load tests.

• Right Sizing: Ensure you have tested if your current instance size/count of different Azure components in your solution can handle the load, if not, please re-size well ahead of time. Baseline your Azure resources to support peak. Don’t just fully rely on Auto scale as scaling your infrastructure to extreme spikes will still take some time.

• Test for reliability: using Azure chaos studio a method of experimenting with controlled fault injection against your applications. Review this reliability checklist for more exhaustive set of reliability guidance under well architected framework (WAF) and best practices.

• Azure Advisor:  Advisor is a personalized cloud consultant that helps you follow best practices to optimize your Azure deployments.

• Quota: Review the Quota for the resources you are using in your subscriptions. Quotas can be adjustable or non-adjustable. Adjustable quotas for which you can request quota increases fall into this category. Each subscription has a default quota value for each quota. You can request an increase for an adjustable quota from the Azure Home My quotas page, providing an amount or usage percentage and submitting it directly. This is the quickest way to increase quotas.

• Supported version: Be on supported version of the service ex: If you are running Azure Kubernetes Service upgrade to supported AKS versions ideally 1.26 or even higher. This will make sure even if you run into issues Microsoft support teams can help you.

• Service Health: Configure service health advisory and service issues alerts. This is the only way Azure communicating back and most often missing to act on key alerts/notifications can be costlier.

• Monitoring for reliability: Get an overall picture of application health. If something fails, you need to know that it failed, when it failed, and why. Azure Monitor is a comprehensive monitoring solution for collecting, analyzing, and responding to monitoring data from your cloud environments.

• Review Reliability: Across all the services on Azure via Reliability Workbook key tabs to look at is Availability zones and capacity for each services that you care about. This is the newest and most cool feature that I personally found useful to review against some common mistakes.

• DDOS: Holiday season is DDOS Season as well. Ensure all key security measures are also taken care along with DDOS

Obviously, this list is not fully exhaustive list, but I’ve tried to capture few top ones to make sure you are setup for success running on Azure this holiday season. Please let me know what you think.

Source from Microsoft