In preparation to IT/Dev Connections, we decided to talk cybersecurity with one of the speakers, Andy Malone, a Microsoft MVP with a prestigious international career as a security instructor and consultant spanning 21 years. He shared plenty of insight into how Microsoft data center security works, what leads to data breaches in enterprises, and many other exciting topics. Dig right in!
Q: Many businesses are heavily reliant on cloud services while also having concerns about the security of their data. What are some of the most popular questions you get, and how do you usually answer them?
Andy: The most popular questions I get about data security are: “Why should I move my data to the cloud?”, “Who has access to my data?” and “Where is my data stored?”
Many people think that keeping data on premises is safer than moving it to the cloud. The biggest downside of the former is that accidents happen. Power outages, viruses, ransomware — all of these are legitimate threats, especially if you’re a small or medium-sized business and may not have enough resources to invest in data security.
Microsoft are incredibly strict, they do thorough, top secret standard background checks on all their data center employees. The staff have no idea where your data is, or whose data is in a certain data center.
So why should you move your data to the cloud? I’ve spent quite a bit of time in a Microsoft data center, and I could see what their security is like firsthand. You see, Microsoft isn’t just a giant company that says: “Hey, we’ve got his product, and we’re going to try and sell it to you.” There are immense security requirements they have to adhere to, like ISO 27001 and the EU General Data Protection Regulation, which comes into practice in May next year. According to these, all the data is encrypted, and staff have very limited access to your data.
Let me give you an example. If I’m an employee in a Microsoft data center, and I need to replace a board on a rack, I first need to get a key to the room where the rack is located. A Microsoft data center is enormous on a scale that you can’t even imagine, but I’m on camera all the time, no matter where I go. Let’s say I go to room 131, open the room with the key I took earlier, go to rack 2, pull the rack, and do the job. If I touch any other rack, or go to an area that contains personally identifiable data, it’s immediate dismissal. If I walk into any other room, it’s immediate dismissal. If the key goes off site, it’s immediate dismissal. Microsoft are incredibly strict, they do thorough, top secret standard background checks on all their data center employees. The staff have no idea where your data is, or whose data is in a certain data center.
A lot of customers worry about accidentally deleting something, but they really shouldn’t — you can recover your data.
Let’s also look at how a Microsoft call center works. Say, you call me and ask for help. Microsoft has something called Customer Lockbox, which means I can’t access your data. I have to go to my manager and say: “I’ve got a lady here that needs help with such and such issue.” The manager then approves my request, and you receive an invitation to authorize me. Now I can access your data and help you, but once our call is over, that’s it, the access is gone. This is called just-in-time access.
As you see, it’s all extremely secure.
Addressing the next question, “Where is my data stored?”, I explain that Microsoft has regional data centers all over the world. It’s a bit like the movie “Independence Day”, like a chess game all over the world.
For most of Europe, data centers are located in Dublin and Amsterdam. In a data center, your data goes to a disk. The disk is married to another disk, and the rack is married to another rack. And then there are backups within the same data center and another one — there are at least ten copies of your data.
Human beings are the number one cause of data breaches.
Because governments need to keep their data within the country, we’re also starting to see a lot of localized data centers in addition to the regional ones. There are dedicated places inside these localized data centers that just store government data, and their security is even higher.
A lot of customers worry about accidentally deleting something, but they really shouldn’t — you can recover your data. Typically, you can restore data within 30 days, but depending on where you are in the world, you may have up to 90 days.
The main idea is that you get an enterprise-scaled software that small businesses can use without worrying about all the backend stuff.
Q: Is there a specific kind of data that you should never put in the cloud?
Andy: To be honest, it depends on what kind of business and Microsoft account you have.
If you’re a government or a financial institution, you probably need to speak with a representative, tell them what type of data you want to store, and find out what they can offer.
But remember, when you put data in the cloud, you sign a contract with Microsoft. So Microsoft do their part — they keep your data in-store. But you’re responsible for securing your data — you can put extra security on it, or take additional measures. It’s a two-way relationship.
As an employer, you need to establish good security practices within your company. Know who’s in your company, who they live with, what they do outside of work hours. Are your employees happy?
The one huge benefit that Microsoft has is that they’ve got the infrastructure and the state-of-the-art security. Viruses, ransomware, trojans — all of this kind of stuff will get stopped. They’ve got a lot of intelligence systems. The “Advanced Threat Analytics” protocol that Microsoft has developed analyzes your behavior, so if you log on in the morning from the UK, and 10 minutes later there’s an activity from your account in Japan, it sends an alert signal to an administrator, and they let you know that your account has been compromised, and tell you what to do about it.
Q: What is the key to good cybersecurity?
Andy: You know, technology is a bit like the Wild West. At the frontier, there were cowboys coming to America, and right behind them, there were the bad guys looking to make a buck or two. But behind them, there was the law.
That’s exactly where we are today. We’re in the Wild West. Are we always going to be ready to beat the bad guy? Sometimes, the bad guy will be one step ahead. The key to good cybersecurity is to not do stupid things, like clicking on things you know you shouldn’t click on. You also need staff training, up-to-date computers and software, and a good antivirus.
Q: What are the top factors that can lead to a data breach in an enterprise?
Andy: Stupidity. Human beings are the number one cause of data breaches. Employees clicking on things they shouldn’t click on, or copying data onto their portable hard drives and taking it outside the company.
The key to good cybersecurity is to not do stupid things, like clicking on things you know you shouldn’t click on.
As an employer, you need to establish good security practices within your company. Know who’s in your company, who they live with, what they do outside of work hours. Are your employees happy? How do you deal with disgruntled employees? If an employee wants to leave your company, what do you do? Do you give them a six weeks’ notice to go and cause havoc on your systems? Or do you say: “Goodbye, out you go. Take a little muffin, and there’s still 6 weeks’ pay coming, but you just can’t be here.”
To be honest, you’ll never be 100 percent safe. There’s no such thing as 100 percent security. What you can do is make it harder for the bad guy. I call this a Game of Thrones approach to security. Think about all the things you’d have to go through if you were to attack a king in a castle. You’d have to go through the drawbridge, take down the main door, climb the walls to get inside — there are all these “rings of protection.” Take this approach and apply it to your security.
Q: Is there a security skills gap right now? Do you think companies should invest more in security training?
Andy: Many people think: “We need to get a security specialist on, it needs to be special!” when in reality, the best kind of security is often the cheapest kind of security — it’s common sense. Train your staff, make sure they know that if a pop up comes up and says they’ve won a lottery, they don’t click.
To be honest, you’ll never be 100 percent safe. There’s no such thing as 100 percent security. What you can do is make it harder for the bad guy.
Of course, there are other things you can do, like keeping your systems up-to-date. One of the things that Microsoft and lots of other big companies now offer is subscription-based software. In the past, you’d buy a license and you’d own it — a bit like a vinyl record. But now, with subscriptions, your software is updated all the time, and you’re therefore less vulnerable.
Q: Do you have any tips on how to protect personal data?
Andy: Don’t give too much away. Be careful with what you say on social media. Every time you log onto these websites, you’re essentially filling in a marketing report. Do you know where your information goes? Remember that these days, social media companies are primarily marketing companies. It’s like that old Police song: “Every move you make, every step you take, I’ll be watching you.” That’s how social media work.
Q: Do you ever fear what would happen if technology failed?
Andy: I expect it to fail. In Star Wars, technology never worked for the Emperor and Darth Vader. And they were beaten by Ewoks, furry teddy bears. If technology didn’t work for them, it isn’t going to work for me and you.
Don’t give too much away. Be careful with what you say on social media. Every time you log onto these websites, you’re essentially filling in a marketing report.
We saw a classic case of technology failure about two months ago with the British Airways computer crash. (On May 27, BA cancelled all flights from Heathrow and Gatwick due to a major IT failure that affected BA’s booking system, baggage handling, mobile phone apps and check-in desks. BA’s chief executive claimed that the IT failure was down to a “power surge.”)
They relied on a computer system too heavily, and it went horribly wrong. British Airways didn’t have contingency plans in place, and so when something stupid happened, they didn’t know what to do. And they’re not even saying what really happened — just that it was something serious. I’m sure they were attacked in one way or another. One employee unplugging something shouldn’t have been able to cause that much trouble.
Q: What topics are you going to cover in your sessions during IT/Dev Connections, and what are your expectations from the conference?
Andy: I’ve been speaking at IT Dev/Connections for four years now, and I’ve been doing pre-cons as well. This year, I’m doing an Office 365 pre-con event, as well as seven sessions. One of my favorite sessions is called “20,000 Leagues Under Azure AD Connect,” I’m going to go really deep into this topic. I’ll also have a few security sessions, and an Office 365 troubleshooting session.
I’m really looking forward to this year’s IT/Dev Connections in San Francisco. San Francisco is one of the American cities I’ve never really been to, so I’m really excited about visiting it.