Build AI you can trust with responsible ML

As AI reaches critical momentum across industries and applications, it becomes essential to ensure the safe and responsible use of AI. AI deployments are increasingly impacted by the lack of customer trust in the transparency, accountability, and fairness of these solutions. Microsoft is committed to the advancement of AI and machine learning (ML), driven by principles that put people first, and tools to enable this in practice.

In collaboration with the Aether Committee and its working groups, we are bringing the latest research in responsible AI to Azure. Let’s look at how the new responsible ML capabilities in Azure Machine Learning and our open-source toolkits empower data scientists and developers to understand ML models, protect people and their data, and control the end-to-end ML process.

Understand

As ML becomes deeply integrated into our daily business processes, transparency is critical. Azure Machine Learning helps you to not only understand model behavior but also assess and mitigate unfairness.

Interpret and explain model behavior

Model interpretability capabilities in Azure Machine Learning, powered by the InterpretML toolkit, enable developers and data scientists to understand model behavior and provide model explanations to business stakeholders and customers.

Use model interpretability to:

Build accurate ML models.
Understand the behavior of a wide variety of models, including deep neural networks, during both training and inferencing phases.
Perform what-if analysis to determine the impact on model predictions when feature values are changed.

"Azure Machine Learning helps us build AI responsibly and build trust with our customers. Using the interpretability capabilities in the fraud detection efforts for our loyalty program, we are able to understand models better, identify genuine cases of fraud, and reduce the possibility of erroneous results." 
—Daniel Engberg, Head of Data Analytics and Artificial Intelligence, Scandinavian Airlines

Assess and mitigate model unfairness

A challenge with building AI systems today is the inability to prioritize fairness. Using Fairlearn with Azure Machine Learning, developers and data scientists can leverage specialized algorithms to ensure fairer outcomes for everyone.

Use fairness capabilities to:

Assess model fairness during both model training and deployment.
Mitigate unfairness while optimizing model performance.
Use interactive visualizations to compare a set of recommended models that mitigate unfairness.

“Azure Machine Learning and its Fairlearn capabilities offer advanced fairness and explainability that have helped us deploy trustworthy AI solutions for our customers, while enabling stakeholder confidence and regulatory compliance.”  —Alex Mohelsky, EY Canada Partner and Advisory Data, Analytic and AI Leader

Protect

ML is increasingly used in scenarios that involve sensitive information like medical patient or census data. Current practices, such as redacting or masking data, can be limiting for ML. To address this issue, differential privacy and confidential machine learning techniques can be used to help organizations build solutions while maintaining data privacy and confidentiality.

Prevent data exposure with differential privacy

Using the new WhiteNoise differential privacy toolkit with Azure Machine Learning, data science teams can build ML solutions that preserve privacy and help prevent reidentification of an individual’s data. These differential privacy techniques have been developed in collaboration with researchers at Harvard’s Institute for Quantitative Social Science (IQSS) and School of Engineering.

Differential privacy protects sensitive data by:

Injecting statistical noise in data, to help prevent disclosure of private information, without significant accuracy loss.
Managing exposure risk by tracking the information budget used by individual queries and limiting further queries as appropriate.

Safeguard data with confidential machine learning

In addition to data privacy, organizations are looking to ensure security and confidentiality of all ML assets.

To enable secure model training and deployment, Azure Machine Learning provides a strong set of data and networking protection capabilities. These include support for Azure Virtual Networks, private links to connect to ML workspaces, dedicated compute hosts, and customer managed keys for encryption in transit and at rest.

Building on this secure foundation, Azure Machine Learning also enables data science teams at Microsoft to build models over confidential data in a secure environment, without being able to see the data. All ML assets are kept confidential during this process. This approach is fully compatible with open source ML frameworks and a wide range of hardware options. We are excited to bring these confidential machine learning capabilities to all developers and data scientists later this year.

Control

To build responsibly, the ML development process should be repeatable, reliable, and hold stakeholders accountable. Azure Machine Learning enables decision makers, auditors, and everyone in the ML lifecycle to support a responsible process.

Track ML assets using audit trail

Azure Machine Learning provides capabilities to automatically track lineage and maintain an audit trail of ML assets. Details—such as run history, training environment, and data and model explanations—are all captured in a central registry, allowing organizations to meet various audit requirements.

Increase accountability with model datasheets

Datasheets provide a standardized way to document ML information such as motivations, intended uses, and more. At Microsoft, we led research on datasheets, to provide transparency to data scientists, auditors and decision makers. We are also working with the Partnership on AI and leaders across industry, academia, and government to develop recommended practices and a process called ABOUT ML. The custom tags capability in Azure Machine Learning can be used to implement datasheets today and over time we will release additional features.

Start innovating responsibly

In addition to the new capabilities in Azure Machine Learning and our open-source tools, we have also developed principles for the responsible use of AI. The new responsible ML innovations and resources are designed to help developers and data scientists build more reliable, fairer, and trustworthy ML. Join us today and begin your journey with responsible ML!

Additional resources

Learn more about responsible ML.
Get started with a free trial of Azure Machine Learning.
Learn more about Azure Machine Learning and follow the quick start guides and tutorials.

Quelle: Azure

Developer Velocity: Empowering developers to fuel business performance

Developers have been drivers of innovation and transformation for decades. They have pioneered innovation across countless industries and helped businesses weather tough conditions. Now, we are living in unprecedented times where organizations in every industry and sector are working to adjust to a new normal, rethinking how business is done and meeting new, changing customer demands.

Because technology underpins everything from how businesses run to the products and services you sell, organizations must learn to excel at developing software. Business leaders need to empower developers to unlock productivity and innovation, in what the industry has started referring to as Developer Velocity.

Developer Velocity isn’t just about increasing the speed of delivery, but about unleashing developer ingenuity—turning developers’ ideas into software that supports the needs of your customers, and the goals of your business.

McKinsey & Company recently conducted a comprehensive review of what it takes for a company to become a technology company (have tech intensity) and converged on a single holistic metric—Developer Velocity Index (DVI). They shared their findings and key insights in their recent Developer Velocity: How software excellence fuels business performance report.

The report concluded that driving business performance from software development comes down to creating the right environment and removing points of friction for developers to innovate. Organizations that recognize this outpace revenue growth up to five times that of their competitors. They also have 60 percent higher total shareholder returns and 20 percent higher operating margins and perform better on customer satisfaction and brand perception.  

Helping every organization increase Developer Velocity

How do you increase Developer Velocity for your organization? Developer Velocity involves focusing on critical enablers and minimizing barriers to developer productivity. Microsoft understands the core enablers as we’ve been building software and tools to support the unique needs of developers for decades. Microsoft’s comprehensive developer toolchain and platforms are designed to help modern developers and development teams. The more you enable developers to build productively, collaborate globally and securely, and scale what they invent, the better business outcomes you’ll see in areas including financial performance, innovation, and customer satisfaction.

Build productively with best-in-class tools

In my journey as an engineering and business leader, I’ve learned that a key driver in digital transformation for every company is hiring top talent. Attracting and retaining top engineering talent comes down to providing developers with opportunities to work on interesting projects and enabling them with the best engineering systems and tools to do their job.

According to McKinsey, the leading driver of business performance is best-in-class tools. Organizations with strong tools are 65 percent more innovative, and their developer satisfaction and retention rates are 47 percent higher.

Software development is a constantly evolving craft and developer tools need to reflect the changes in development workflows. As developers’ responsibilities continue to expand to embrace new technologies, it’s important to automate core development processes like testing and CI/CD so that developers can focus on what matters. In addition, empowering developers to use their favorite languages, open source frameworks, and tools helps them be more productive and feel at home.

At Microsoft, we infuse modern development practices and emerging technologies into our tools. Our mission with the Visual Studio product family is to provide best-in-class tools for every developer. I am humbled by the millions of developers around the world who use Visual Studio Code and Visual Studio as their preferred tools every day.

Many development teams have long been distributed and geographically dispersed, but now everyone is making this transition, in addition to new challenges like developers being disconnected from their dedicated dev boxes. To address one of the biggest pain points for developers—setting up a new dev box, a common scenario when engaging on a new project, or moving to remote work, we recently announced Visual Studio Codespaces. Developers can experience Codespaces with Visual Studio and Visual Studio Code, or directly within GitHub. Codespaces uses the power of the cloud to enable developers to create fully configured development environments in minutes. Today at Build, we're announcing even more innovation to help developers code, collaborate, and ship from anywhere.

Collaborate globally and securely

The top-performing organizations as measured by McKinsey showed that open-source adoption is the biggest differentiator. These organizations are seeing three times more impact from the adoption of open source than the rest of the industry. Organizations that are best-in-class on open source capabilities score 30 percent higher on innovation and 20 percent higher on developer satisfaction.

Open source adoption is not just about the use of open source code or technologies. It’s about embracing an open source mindset—creating a culture of knowledge sharing and contributing to software development to realize the collective power of a broader development team or community. Effective collaboration is the biggest accelerator in helping making teams be more productive and satisfied. 

With GitHub, you can bring the collaboration best practices used by over 50 million developers into your organization. Through empowering collaboration internally, you can both attract and retain the best talent and increase the impact of your software development investments. To ensure GitHub is accessible for all developers, we recently announced that GitHub is free for teams. And to provide a seamless code-to-cloud experience, today we are announcing new integrations for GitHub Actions for Azure. More than 30 GitHub Actions for Azure help your development teams easily create and automate workflows to build, test, package, release, and deploy to Azure. You can learn more about GitHub’s latest announcements here.

Scale your innovation with Azure 

McKinsey identified public-cloud adoption as a catalyst of Developer Velocity is especially strong for non-software companies—public-cloud adoption has four times the impact on their business performance than it does for software companies.

With Azure, we’ve built an end-to-end cloud that enables developers to focus on building apps and not have to worry about the underlying infrastructure the apps run on. Azure supports developers’ favorite languages, open source frameworks, and tools while also creating easy pathways to learn new skills.

Our latest Azure innovations enable developers to build cloud-native applications as well as modernize existing applications. To ensure developers in your organizations can modernize Windows applications, we recently announced the general availability of Windows Server containers for Azure Kubernetes Service. To make it incredibly easy for developers to instantly scale applications on demand with limitless, guaranteed speed and performance, today we announced new innovations to Azure Cosmos DB and considerable cost savings gained by pairing autoscale with the Azure Cosmos DB free tier. Azure also makes it easy for developers to add AI to applications with Azure Cognitive Services. Today, we announced several new capabilities including enhanced voice styles and container support for Azure Cognitive Services.

The McKinsey research also reported that leading companies use low-code and no-code platforms. Companies that utilize this technology score 33 percent higher on innovation compared with bottom-quartile companies. Power Apps offers a low code application development platform designed to rapidly build web and mobile experiences. Today, we’re seeing many of our customers turning to a combination of Power Apps and Azure to quickly deliver solutions that respond to changing business needs. You can learn more about Power Apps and Azure here.

Developing with Azure puts the latest cloud technology and best-in-class tools at the fingertips of developers with a breadth of skills. Today at Build, we're announcing even more innovation in Azure here.

Next steps with Developer Velocity

In times like this, every organization in every industry is evolving to address the current realities. At Microsoft, we're working closely with organizations around the world to build and accelerate the delivery of secure, cost-effective, cloud-based solutions. Companies like Carhartt, Optio3, and Swedish Health Services are examples of organizations increasing Developer Velocity with the support of Microsoft developer tools and cloud platform.

You can learn more about Developer Velocity and how Microsoft can help here. Today, we are also releasing the new Developer Velocity Assessment tool to help you measure your organization’s Developer Velocity Index (DVI) score, get a benchmark relative to peers in your industry, and actionable recommendations and guidance to drive better business outcomes for your organization.

I’d like to welcome every developer around the world to Build 2020. Today’s announcements give developers cutting-edge tools to create the next generation of applications. Please join us at the Microsoft Build 2020 digital event including my Azure: Invent with Purpose keynote. I look forward to seeing what you build!
Quelle: Azure

Code, collaborate, and ship your apps from anywhere

Welcome to Microsoft Build 2020! This all-new 48-hour digital experience is designed to help you and other developers around the world come together to solve challenges, share knowledge, and stay connected. Here we’ll cover some of our latest innovations in developer tools and cloud platform technologies—to help you code, collaborate, and ship your apps from anywhere, so you can support the changing needs of your business and continue to deliver the quality experiences that your customers expect.

So how do you overcome the challenges of today and remain productive as developers? Thankfully, in today’s digital world there are tools to help you work remotely and be as productive as ever: with Azure as your trusted cloud platform and cloud-powered developer tools with Visual Studio and GitHub.

Code

Developers often spend endless hours configuring dev machines for new projects: cloning source code, installing runtimes, setting up linters and debuggers, configuring extensions—just to do it all again for the next project, the next bug, or the next code review. The challenge is even more prevalent in times of remote work, where you might not have access to your preferred development machine. Visual Studio Codespaces, available in preview, enables you to create a cloud-hosted development environment that’s ready to code, in seconds. You can access it from Visual Studio Code or Visual Studio and it also includes a full web-based editor you can use to edit, run, and debug your applications from any device. We recently announced that Codespaces is coming to GitHub in preview, so you can also easily code from any repo.

To help .NET developers share code across platforms, today we released .NET 5 Preview 4. With .NET 5, we continue the journey to unify the .NET platform across all workloads like mobile, desktop, and web. .NET 5 Preview 4 also has many improvements for working with containers and reducing the size of images particularly for multi-stage build scenarios.

For developers with C# and HTML skillsets looking to create web apps, Blazor is a free and open-source web framework that allows you to do that—without writing JavaScript. Today, we announced ASP.NET Blazor WebAssembly that lets you build web apps that run completely in the browser with C#, which can perform better, take up less memory than JavaScript, and can run completely offline.

If you are building a modern single page application with JavaScript and looking for minimal configuration and deployment globally in minutes, then check out a new hosting option in Azure App Service, Static Web Apps, now available in preview. Static Web Apps supports frameworks like Angular, React, and Vue or Static Site Generators such as Gatsby and Hugo. Initializing a Static Web App with a Git repo hooks up GitHub Actions that then connects smart defaults to your CI/CD pipeline. This means that any time a developer makes a change, it will go through the quality and security checks.

For applications optimized for cloud scale and performance, we recently announced the general availability of Azure Kubernetes Service (AKS) support for Windows Server containers. If you’re looking to lift and shift your Windows applications in containers, you can now run them on a managed Kubernetes service in Azure and get the full benefits of portability, scalability, and self-healing for your production workloads. To help you instantly scale your apps on demand with limitless, guaranteed speed and performance, today we announced new innovations to Azure Cosmos DB and considerable costs savings gained by pairing autoscale with the Azure Cosmos DB free tier.

Azure also makes it easy for developers to add AI into applications with Azure Cognitive Services. Today, we announced new capabilities, such as enhanced voice styles, enabling you to tailor the voice of your app to fit your brand or unique scenario. If you’re looking to run AI anywhere, we also announced general availability of container support for Language Understanding and Text Analysis.

And, if you need deliver apps quickly, take advantage of the combination of Microsoft Power Apps, a low code platform, and Azure to analyze data, automate processes and create virtual agents. Learn how to extend Power Apps with Azure services such as Bot Services, Logic Apps, and Functions. 

Collaborate

To effectively collaborate as a local or distributed development team, you need the ability to accommodate flexible work schedules, collaborate both asynchronously and in real-time when needed, and track and prioritize work. With Visual Studio Live Share, you can create shared coding sessions and co-edit, co-debug applications with your peers securely—no matter where you are. Today, we announced expanded capabilities for Visual Studio Live Share, which include text and voice chat support. With these additions, your team can collaborate more effectively from the comfort of your own dev tools, without the need for additional apps.

With over 50 million developers, GitHub is the place where developers code together. We continue to innovate to ensure collaboration is seamless at every stage of the software development lifecycle. For example, you may find yourself needing to brainstorm feature ideas, help new users get their bearings, and collaborate on best ways to use the software.  GitHub Discussions recently announced at GitHub Satellite helps you do just that and is in public beta. Learn more about the latest GitHub innovations to help you collaborate with your team members.

Ship

Over the past six months, we’ve published more than 30 GitHub Actions for Azure to help you create workflows to build, test, package, release and deploy to multiple Azure services, from web applications to serverless functions to Kubernetes. We heard from you that it can be difficult to craft CI/CD pipelines by editing a bunch of YAMLs and you spend a considerable time setting up and switching between different discrete tools. We are pleased to announce that GitHub Actions for Azure are now integrated into Visual Studio Code, Azure CLI and the Azure Portal simplifying the experience of deploying to Azure from your preferred entry points. Download the new Visual Studio Code extension or install the Azure Command-Line Interface (CLI) extension for GitHub Actions for Azure.

Security is also top of mind when releasing code into production. At GitHub Satellite, we announced cloud betas of code scanning and secret scanning to help developers consume and ship code safely. With code scanning enabled in GitHub, every “Git push” is scanned for new security concerns using the world’s most advanced semantic analysis engine, CodeQL. Secrets scanning is now available for private repositories. This feature watches private repositories for known secret formats and immediately notifies developers when they are found. Developers can now identify, remediate, and prevent vulnerabilities in source code before they are deployed into production.

More exciting news for every developer

With all the new coding improvements and advancements combined with Windows 10—it truly is a great time to be a developer. Today, we announced the general availability of Windows Terminal 1.0, which provides a modern, fast terminal application for users of command-line tools and shells like Command Prompt, PowerShell, WSL, and Azure Cloud Shell. We also announced upcoming support for GPU compute in the Windows Subsystem for Linux (WSL) for faster computations. And coming soon is GUI app support which means you can open a WSL instance and run a Linux GUI app directly (without the need of a third-party X Server). You can use this feature to run your favorite IDE in a Linux environment, or some applications that you could only find on Linux.​ 

Join us

Regardless if your team is onsite or remote, we want to help developers spend less time setting up environments, configuring systems and dealing with underlying infrastructure so you can spend more time coding and building solutions. We want to ensure development teams can easily collaborate on projects regardless of where you sit. We want to help you deliver and maintain code with automated workflows that are free from security vulnerabilities. Microsoft offers an end-to-end cloud platform and developer tools designed to meet your engineering needs and keep you and your team as productive as possible wherever you work.

Please join me in Scott Guthrie’s, Azure: Invent with purpose session, and make sure to watch Scott Hanselman’s session, Every Developer is Welcome, to see many of these new innovations designed for every developer. I can’t wait to see what you build!
Quelle: Azure

Migrate to Azure: Save now, be future ready

The global health crisis has transformed the way we work and live. Remote work has surged across industries, and the ability to scale and manage your business from anywhere has become essential. As our customers are moving beyond resolving immediate crisis needs, many are thinking about the next set of IT investments that can set them up for long term success. Microsoft is here to help.

Moving to the cloud has clear economic benefits. Convert upfront capital expenditures into operating expenditures and pay as you consume. The cloud scales up and down to meet demand as you need, so you don’t need to over-provision resources to be ready for peak usage and incur expenses on idle servers. Best of all, the cloud improves operational productivity for your staff, so they can focus on priority business initiatives.

When migrating to the cloud, Azure can provide unique and differentiated value that can help you save. Here’s how…

Save money with unique offers and programs

Meeting your business and budget needs has always been a priority for us. We make this possible through unique offers, transparent and competitive pricing, and free cost management tools. Azure is the most cost-effective cloud for Windows Server and SQL Server with offers like Azure Hybrid Benefit and free extended security updates—AWS is 5x more expensive. Lower your migration costs and risk through best practice guidance with the Cloud Adoption Framework for Azure, expert assistance with the Azure Migration Program, and free cost optimization tools.

Having worked with many of you, we have found that a simple ‘lift-optimize-shift’ migration strategy is your best bet to quickly realize cost savings and efficiencies. Start this process with a few simple steps. First, perform an assessment with our free Azure Migrate tool to help identify which workloads are cloud-ready, understand rightsizing recommendations, and opportunities to apply cost-savings offers unique to Azure. Next, migrate your Windows Server, SQL Server, and Linux infrastructure to Azure IaaS (or Azure VMware Solutions for VMware environments) using assessment results. And then keep your workloads secure and well managed on Azure. Customers such as Allscripts and Maersk have used this approach to save money and time.

Drive scale and operational efficiencies and focus on what matters

Many customers are migrating to the cloud to scale their most demanding workloads—for example, e-commerce web sites or health care portals—to drive cost savings and reliability. Migrating these web applications to Azure App Service unlocks benefits like automated load balancing and infrastructure maintenance, giving your staff valuable time back. There is opportunity to easily assess whether your website can be rapidly moved to App Service with the App Service Migration assistant. And, migrating your website’s database to a fully managed database like Azure SQL Database reduces the management and database administration overhead such as patching, high availability setup, and access control. Migrating to these Azure services requires little to no change to your existing web application and database, so it’s low-risk and cost-effective.

Keep your investments safe with unmatched security and built-in resiliency

Microsoft spends $1B annually on cybersecurity. We have over 3,500 Microsoft security professionals constantly monitoring our customers’ environments through advanced AI, analyzing more than 6.5 trillion security signals to detect and respond to threats with Azure Security Center. Use Azure Sentinel, a cloud native security information event management (SIEM) for end to end threat detection and response across your enterprise.

Azure provides built-in high-availability and disaster recovery options to ensure maximum resilience for your workloads. This includes infrastructure investments such as paired datacenter regions and availability zones for the best possible performance and security, as well as cost effective services like Azure Backup and Azure Site Recovery to keep your applications running during planned or unplanned outages.

Stay flexible with the cloud that’s hybrid by design

We understand that your organization will be in a hybrid state with investments that span multiple environments for the foreseeable future. We also know that you need flexibility to extend your on-premises investments and leverage them as you move to the cloud. Azure Hybrid Benefit enables you to re-use your existing Windows Server and SQL Server investments in the cloud and save money.

If you are ready to make the move and need help, join the Azure Migration Program, where we, along with our partner ecosystem, will help you accelerate your journey in a low-risk, cost-effective way. Learn more by visiting Azure migration center.
Quelle: Azure

Monitor your Azure workload compliance with Azure Security Benchmark

The Azure Security Benchmark v1 was released in January 2020 and is being used by organizations to manage their security and compliance policies for their Azure workloads. We are pleased to share that you can now track and monitor your compliance with the benchmark across your Azure environment in Azure Security Center.

The Azure Security Benchmark is a collection of over 90 security best practice recommendations you can employ to increase the overall security and compliance of all your workloads in Azure. The Azure Security Benchmark is based on common compliance frameworks and standards but is tailored to cloud deployments and specifically to Azure workloads. The benchmark provides specific guidance on how these common controls apply to Azure, and what you specifically need to implement in Azure to meet those requirements.

Now, not only can you understand the fundamental compliance framework requirements in Azure terms, but you can also measure and track how your own deployed Azure workloads are meeting those requirements at any given time.

Azure Security Center provides built-in automation for monitoring your compliance with the benchmark controls across different Azure resource types and workloads. Azure Security Center not only measures your compliance with the controls but also provides actionable recommendations for how to remediate the non-compliant resources and meet the requirements. The benchmark guidance and recommendations are contextualized for each Azure service, making it easier for you to implement the controls for the Azure services you are actively using.

The benchmark can be monitored using the Azure Security Center Regulatory Compliance Dashboard. The Azure Security Center compliance dashboard enables you to track and monitor industry-driven common compliance frameworks like NIST 800-53, Azure CIS, PCI-DSS, and ISO 27001, among others. To monitor the benchmark in this dashboard, you need to onboard the Azure Security Benchmark as a tracked standard. Once you onboard, you get a clear view of how your currently deployed Azure environment is meeting the benchmark controls. You can use the dashboard to track the status of your Azure resources with respect to benchmark requirements, download a summary report, and improve your compliance posture using Azure Security Center remediation guidance and automation.

To onboard the benchmark to your Azure Security Center compliance dashboard, you need to add the Azure Security Benchmark initiative package to your compliance view. You can then view the dashboard and start tracking your compliance status with benchmark controls.

 

Increasing coverage of the Azure Security Benchmark

The Azure Security Benchmark core requirements are already being met by all major Azure services, and those controls can be monitored and tracked in this dashboard today. With time, coverage will increase even further as Azure services are working to create additional features supporting the full set of security and compliance requirements of the Azure Security Benchmark, and monitors for those.
Here are a couple of recent examples of Azure services providing added capabilities to help you implement the security benchmark:

Encrypt sensitive information at rest: In some cases, you may want to use your own encryption key to protect your data. Fifty new services including Azure Cosmos DB and Azure Data Lake now support customer-managed keys for encryption at rest.
Protect Azure resources within virtual networks: Private Link allows you to securely access an Azure Service over a private endpoint in your virtual network. Thirteen new services including Azure Kubernetes Service and Azure Data Explorer now support Private Link.

Over time, a larger portion of controls will be supported and will be monitorable using the dashboard. 

The Azure Security Benchmark and Secure Score

Secure Score in Azure Security Center is a measure that helps you track your security posture, and effectively and efficiently improve your security by prioritizing the actions most likely to create a risk to your organization. Secure Score is comprised of a set of controls, where each control reflects a certain attack surface. Each control has an associated score (number of points) that represents your vulnerability for that attack surface, along with a set of security recommendations for reducing your vulnerability and improving your security. The cumulative scores for all controls are then used to calculate your overall Secure Score, which is a single KPI measurement representing your security posture.

The underlying security recommendations stipulated by Secure Score are the same as those associated with the Azure Security Benchmark controls. They are comprised of the same set of actions, that ultimately serve the common purpose of maximizing your Azure security posture. The Secure Score adds the additional dimension of threat analysis, risk, and vulnerability to each of those recommendations, and thus helps you prioritize action according to the most significant factors in reducing risk in your environment. The benchmark then illustrates how these security settings and factors apply to compliance framework requirements. It also adds some additional requirements that are compliance-focused but don’t have a direct impact on security risk.
 

Our recommendation is to use Azure Secure Score view to address misconfigurations starting with the highest priority recommendations.  The Azure Security Benchmark view is helpful for understanding your compliance and is sorted by controls rather than score impact.

Summary and next steps

The Azure Security Benchmark compliance dashboard in Azure Security Center can help you continuously track your compliance posture in Azure and improve your Azure workloads’ adherence to compliance requirements.

Get started now by learning about the Azure Security Benchmark and onboarding the benchmark to the Security Center compliance dashboard.

You can look forward to seeing upcoming releases of the dashboard with additional automation and improved coverage for benchmark controls, as well as extended capabilities to manage compliance controls and additional report types.

We would love to hear your feedback, you can use this link to send us an email.
Quelle: Azure

Microsoft and Redis Labs collaborate to give developers new Azure Cache for Redis capabilities

Now more than ever, enterprises must deliver their applications with speed and robustness that matches the high expectations of their customers. The ability to provide sub-millisecond response times, reliably support the demands of enterprises from small to large, and scale seamlessly to handle millions of requests per second are critical to modern application development. At the same time, technology solutions need to be more open and flexible to handle cloud native architectures while maintaining mission-critical uptime and reliability.

Microsoft and Redis Labs partnering to bring new features to Azure Cache for Redis

With this in mind, I am announcing a new partnership between Microsoft and Redis Labs to bring their industry-leading technology and expertise to Azure Cache for Redis. This partnership represents the first native integration between Redis Labs technology and a major cloud platform, underscoring our commitment to customer choice and flexibility.

For years, developers have utilized the speed and throughput of Redis to produce unbeatable responsiveness and scale in their applications. We’ve seen tremendous adoption of Azure Cache for Redis, our managed solution built on open source Redis, as Azure customers have leveraged Redis performance as a distributed cache, session store, and message broker. The incorporation of the Redis Labs Redis Enterprise technology extends the range of use cases in which developers can utilize Redis, while providing enhanced operational resiliency and security.

Redis integration designed for enterprise customers

With this partnership, we worked together with Redis to build a new expanded offering powered by Redis Labs technologies aimed specifically at the needs of enterprise customers. With the integration of Redis Labs technology with Azure Cache for Redis, customers can now access Redis Labs-developed modules including, RediSearch, RedisBloom, and RedisTimeSeries, which provide new data structures that will further enable use cases like data analytics and machine learning.

These modules will be paired with existing features of Azure Cache for Redis including data persistence, clustering, geo-replication, and network isolation. Customers will also now have the option to deploy on SSD flash storage, offering up to ten times larger cache sizes and similar performance levels at a lower price per GB. Reliability will be an even greater priority with an enhanced SLA and the capability to utilize active geo-replication to configure a globally available cache that can fail over to another region without any data loss. In the future, this capability will make it possible to connect on-premise caches with caches in Azure for availability and failover.

Native Azure management creates streamlined experience for developers

While the new service is managed natively in Azure as two new Enterprise tiers, customers will subscribe to the Redis Labs software through Azure Marketplace as an integral part of the configuration process. This unique integration provides all the benefits of using a service embedded in Azure, including management through the Azure portal and command-lines, security and standards compliance, and a unified billing experience.

Microsoft will handle first-line support and collaborate with Redis Labs on specific support issues to utilize their deep knowledge of the technology. As a native offering, developer teams will now find it significantly easier to integrate Redis Enterprise functionality into their Azure development efforts by taking advantage of the security, configuration, and support tools they are already familiar with. Plus, developers can enable these new features with no downtime or change in billing management.

We are thrilled to be expanding our relationship with Redis Labs and continuing our collaboration with the Redis open source community. Together, we will unlock the potential of Redis and enable enterprises to build applications that are more responsive and scalable than ever before with tools that developers love.

Learn more

For more information on the Redis Labs partnership, you can read the blog post from Redis Labs CEO, Ofer Bengal. Additional product information is also available on the Redis Labs blog. The initial announcement was made at RedisConf 2020 Takeaway. Preview for this new offering will be available later this year. Sign up to be notified when the preview is available.
Quelle: Azure

Announcing the general availability of Azure Spot Virtual Machines

Today we’re announcing the general availability of Azure Spot Virtual Machines (VMs). Azure Spot VMs provide access to unused Azure compute capacity at deep discounts. Spot pricing is available on single VMs in addition to VM scale sets (VMSS). This enables you to deploy a broader variety of workloads on Azure while enjoying access to discounted pricing compared to pay-as-you-go rates. Spot VMs offer the same characteristics as a pay-as-you-go virtual machine, the differences being pricing and evictions. Spot VMs can be evicted at any time if Azure needs capacity.

The workloads that are ideally suited to run on Spot VMs include, but are not necessarily limited to, the following:

Batch jobs.
Workloads that can sustain or recover from interruptions.
Development and test.
Stateless applications that can use Spot VMs to scale out, opportunistically saving cost.
Short lived jobs which can easily be run again if the VM is evicted.

Spot VMs have replaced the preview of Azure low-priority VMs on scale sets. Eligible low-priority VMs have been automatically transitioned over to Spot VMs.

Spot Virtual Machine pricing

Unlike low-priority VMs, prices for Spot VMs will vary based on capacity for size or SKU in an Azure region. Spot pricing can give you insights into the availability and demand for a given Azure VM series and specific size in a region. The prices will change slowly to provide stabilization, thus allowing you to better manage budgets. In the Azure portal, you will have access to the current Azure VM Spot prices to easily determine which region or VM size best fits your needs. Spot prices are capped at pay-as-you-go rates.

 

Deployment of Spot Virtual Machines

Spot VMs are easy to deploy and manage. Deploying a Spot VM is similar to configuring and deploying a regular VM. For example, in the Azure portal, you can simply select Azure Spot instance to deploy a Spot VM. You can also define your maximum price for your Spot VMs. You get a couple of options:

You can choose to deploy your Spot VM without capping the price. Azure will charge you the Spot VM price at any given time, giving you piece of mind that your VMs will not be evicted for price reasons.
 
Alternatively, you can decide to provide a specific price to stay within your budget. Azure will not charge you above the maximum price you set and will evict the VM if the spot price rises above your defined maximum price.
  
 

There are a few other options available to lower costs:

If your workload does not require a specific VM series and size, then you can find other VMs in the same region that may be cheaper.
If your workload is not dependent on a specific region and you do not have data residency requirements, then you can find a different Azure region to reduce your cost.

Quota for Spot VMs

As part of this announcement, to give better flexibility, Azure is also rolling out a separate quota for Spot VMs that is separate from your pay-as-you-go VM quota. The quota for Spot VMs and Spot VMSS instances is a single quota for all VM sizes in a specific Azure region. This approach will give you easy access to a broader set of VMs.
  

Handling evictions

Azure will try to keep your Spot VM running and minimize evictions, but your workload should be prepared to handle evictions as runtime for an Azure Spot VMs and VMSS instances is not guaranteed. You can optionally get a 30-second eviction notice by subscribing to scheduled events. Your VMs can be evicted due to the following reasons:

Spot prices have gone above the max price you defined for the VM. Azure Spot VMs get evicted when the Spot price for the VM you have chosen goes above the price you defined at the time of deployment. You can try to redeploy your VM by changing prices.
Azure needs to reclaim capacity.

In both scenarios, you can try to redeploy the VM in the same region or availability zone.

Best practices

Here are some effective ways to best utilize Azure Spot VMs:

For long running operations, try to create checkpoints so that you can restart your workload from a previously known checkpoint to handle evictions and save time.
In scale-out scenarios, to save costs, you can have two VMSS, where one has regular VMs and the other has Spot VMs. You can put both in the same load balancer to opportunistically scale out.
Listen to eviction notifications in the VM to get notified when your VM is about to be evicted.
If you are willing to pay up to pay-as-you-go prices then use Eviction type to Capacity Eviction only, in the API provide -1 as max price as Azure never charges you more than the Spot VM price.
To handle evictions, build a retry logic to redeploy VMs. If you do not require a specific VM series and size, then try to deploy a different size that matches your workload needs.
While deploying VMSS, select max spread in portal management tab or FD==1 in the API to find capacity in a zone or region.

Customer success stories

We are pleased with the feedback customer and partners are providing, and we plan to extend the capabilities of this offering to meet the needs of our stakeholders.

“We constantly hear from our customers that they want flexibility in their HPC environment. Flexibility in VM types, available capacity, and even up-front commitment. Azure’s Spot offering is exciting because it provides that flexibility, which combined with Rescale provides cost efficiencies and reduced preemption risk.” Gerhard Esterhuizen, VP of Engineering at Rescale and Brian Tecklenburg, VP of HPC Marketing at Rescale

“We benchmark performance across cloud providers, and Azure has consistently been among the top performers. Azure Spot VMs now allow our customers to use the best infrastructure available in an ad-hoc fashion. Azure Spot VMs, combined with Rescale’s HPC job orchestration and automated checkpoint restarts, help mitigate preemption risks. As a result, our customers can finally use the best cloud infrastructure, whenever they want.” Mulyanto Poort, VP of HPC Engineering at Rescale

 

“InMobi runs one of our largest platforms, the InMobi Exchange, entirely on Azure. Having a cost-effective, cloud-native solution supporting high degrees of concurrency and scale was critical for our business, as the InMobi Exchange frequently finds itself catering to fluctuating traffic curves given the seasonal nature of the digital advertising industry. Leveraging the Azure Spot VM offerings, we’ve been able to rewire our application stack to be fully stateless and it’s been a real game changer with respect to making it cost efficient . Since InMobi was one of the early adopters of the Spot VM offering, we’ve found Microsoft to be excellent partners in ensuring the product evolves to meet our required levels of scale and functionality. As of now, we’ve moved the majority of our serving and data processing compute needs to Azure Spot VMs. And by doing so, we have been able to realize nearly 50-60 percent cost efficiencies on our compute needs, and that’s been a massive help in making our business more economically efficient.” Prasanna Prasad, Senior Vice President, Engineering, InMobi

Learn more about Azure Spot Virtual Machines

Spot VM webpage.
Spot VM pricing: Windows and Linux.
Create Spot VMs in Azure portal.
Create Spot VMs in Azure CLI.
Create Spot VMs in Azure PowerShell.
Create Spot VMs in Azure Resource Manager templates.
Create Spot VMSS in Azure Resource Manager templates.

Quelle: Azure

Announcing Azure Front Door Rules Engine in preview

Starting today, customers of Azure Front Door (AFD) can take advantage of new rules to further customize their AFD behavior to best meet the needs of their customers. These rules bring the specific routing needs of your customers to the forefront of application delivery on Azure Front Door, giving you more control in how you define and enforce what content gets served from where.

Azure Front Door provides Azure customers the ability to deliver content fast and securely using Azure’s best-in-class network. We’ve heard from customers how important it is to have the ability to customize the behavior of your web application service, and we’re excited to announce Rules Engine, a new functionality on Azure Front Door, in preview today. Rules Engine is for all current and new Azure Front Door customers but is particularly important for customers looking to streamline security and content delivery at the edge.

New scenarios in Azure Front Door

Rules Engine allows you to specify how HTTP requests are handled at the edge.

The malleable nature of Rules Engine makes it the ideal solution to address legacy application migrations, where you don’t want to worry about users accessing old applications or not knowing how to find content in your new apps. Similarly, geo match and device identification capabilities ensure that your users are always seeing the best content for where they are and what device they are accessing it on. Implementing security headers and cookies with Rules Engine can also ensure that no matter how your users come to interact with the site, that they’re doing so over a secure connection, preventing browser-based vulnerabilities from impacting your site.

Different combinations of match conditions and actions give you fine-grained control over which users get which content and make the possible scenarios that you can accomplish with Rules Engine endless. Some of the technical capabilities that empower these new scenarios on AFD include the following:

Enforce HTTPS, ensure all your end users interact with your content over a secure connection.
Implement security headers to prevent browser-based vulnerabilities, like HTTP Strict-Transport-Security (HSTS), X-XSS-Protection, Content-Security-Policy, X-Frame-Options, as well as Access-Control-Allow-Origin headers for CORS scenarios. Security-based attributes can also be defined with cookies.
Route requests to mobile or desktop versions of your application based on the patterns in the contents of request headers, cookies, or query strings.
Use redirect capabilities to return 301/302/307/308 redirects to the client to redirect to new hostnames, paths, or protocols.
Dynamically modify the caching configuration of your route based on the incoming requests.
Rewrite the request URL path and forward the request to the appropriate backend in your configured backend pool.

Rules Engine is designed to handle a full breadth of scenarios. To learn more, a full list of match conditions and AFD Rules Engine actions can be found in our documentation.

How Rules Engine works

Rules Engine handles requests at the edge. Once configuring Rules Engine, when a request hits your Front Door endpoint, Web Application Firewall (WAF) will be executed first, followed by the Rules Engine configuration associated with your frontend or domain. When a Rules Engine configuration is executed, it means that the parent routing rule is already a match. Whether all actions in each of the rules within the Rules Engine configuration are executed is subject to all of the match conditions within that rule being satisfied. If a request matches none of the conditions in your Rule Engine configuration, then the default Routing Rule is executed.

For example, in the configuration below, a Rules Engine is configured to append a response header which changes the max-age of the cache control if the match condition is met.
  

In another example, we see that Rules Engine is configured to send a user to a mobile version of the site if the match condition, device type, is true.
 

In both examples, when none of the match conditions in Rules Engine are met, the default behavior specified in the Route Rule is what gets executed.

Next steps

We look forward to seeing how Rules Engine helps you unlock further capabilities in Azure Front Door. To learn more about what’s available today, check out the documentation for Azure Front Door Rules Engine.
Quelle: Azure

Learn how to deliver insights faster with Azure Synapse Analytics

Today, it’s even more critical to have a data-driven culture. Analytics and AI play a pivotal role in helping businesses make insights-driven decisions—decisions to transform supply chains, develop new ways to interact with customers, and evaluate new offerings.

Many organizations are turning to cloud analytics solutions to quickly create a data-driven culture, accelerate time to insight, reduce costs, and maximize ROI. Join us on Wednesday, June 17, 2020, from 10:00 AM–11:00 AM Pacific Time for Azure Synapse Analytics: How It Works, a virtual event where you’ll hear directly from Microsoft Azure customers. They’ll explain how they’re using the newest Azure Synapse capabilities to deliver insights faster, bring together an entire analytics ecosystem in a central location, reduce costs, and transform decision-making.

In technical demos, customers will show how they combine data ingestion, data warehousing, and big data analytics in a single cloud-native service with Azure Synapse. If you’re a data engineer trying to wrangle multiple data types from multiple sources to create pipelines, or a database administrator with responsibilities over your data lake and data warehouse, you’ll see how all this can be simplified in a code-free environment.

Customers will also demonstrate how Power BI provides a graphical complement to Azure Synapse with built-in Power BI authoring, giving their employees access to unprecedented insights from enterprise data—in seconds, through beautiful visualizations.

Companies have demonstrated significant cost reductions with cloud analytics solutions. Compared to on-premises solutions, these solutions:

Require lower implementation and maintenance costs.
Reduce analytics project development time.
Provide access to more frequent innovation.
Deliver higher levels of security and business continuity.
Help ensure better competitive advantage and higher customer satisfaction.

With cloud analytics, organizations pay for data and analytics tools only when needed, pausing consumption when not in use. Businesses can reallocate budget previously spent on hardware and infrastructure management to optimizing processes and launching new projects. In fact, customers average a 271 percent ROI with Azure Synapse—savings that come from lower operating costs, increased productivity, reallocating staff to higher-value activities, and increasing operating income due to improved analytics. Analytics in Azure is up to 14 times faster and costs 94 percent less than other cloud providers.

BI specialists, data engineers, and other IT and data professionals all use Azure Synapse to build, manage, and optimize analytics pipelines, using a variety of skillsets and in multiple industries. The Azure Synapse studio provides a unified workspace for data prep, data management, data warehousing, big data, and AI tasks.

Data engineers can use a code-free visual environment for managing data pipelines.
Database administrators can automate query optimization and easily explore data lakes.
Data scientists can build proofs of concept in minutes.
Business analysts can securely access datasets and use Power BI to build dashboards in minutes—all while using the same analytics service.

At the Azure Synapse Analytics: How It Works event, you’ll learn how to access and analyze all your data, from your enterprise data lake to multiple data warehouses and big data analytics systems, with blazing speed. With Azure Synapse, data professionals can query both relational and non-relational data using the familiar SQL language, using either serverless or provisioned resources.

Of course, trust is critical for any cloud solution. Customers will share how they take advantage of advanced Azure Synapse security and privacy features such as automated threat detection and always-on data encryption. They help ensure that data stays safe and private by using column-level security and native row-level security, as well as dynamic data masking to automatically protect sensitive data in real time.

Attend the Azure Synapse Analytics: How It Works virtual event on June 17, 2020, to learn how to deliver:

Powerful insights.
Unprecedented ROI.
Unified experience.
Limitless scale.
Unmatched security.

Register early for a chance to win a Microsoft Surface Go tablet (three winners total). Winners will be selected at random. NO PURCHASE NECESSARY. Open to any registered event attendee 18 years of age or older. Void in Cuba, Iran, North Korea, Sudan, Syria, Region of Crimea, and where prohibited. Sweepstakes ends June 17, 2020. See the Official Rules.  
Quelle: Azure

Office Licensing Service and Azure Cosmos DB part 1: Migrating the production workload

This post is part 1 of a two-part series about how organizations use Azure Cosmos DB to meet real world needs, and the difference it’s making to them. In part 1, we explore the challenges that led the Microsoft Office Licensing Service team to move from Azure Table storage to Azure Cosmos DB, and how it migrated its production workload to the new service. In part 2, we examine the outcomes resulting from the team’s efforts.

The challenge: Limited throughput and other capabilities

At Microsoft, the Office Licensing Service (OLS) supports activation of the Microsoft Office client on millions of devices around the world—including Windows, Mac, tablets, and mobile. It stores information such as machine ID, product ID, activation count, expiration date, and more. OLS is accessed by the Office client more than more than 240 million times per day by users around the world, with the first call coming from the client upon license activation and then every 2-3 days thereafter as the client checks to make sure the license is still valid.

Until recently, OLS relied on Azure Table storage for its backend data store, which contained about 5 TB of data spread across 18 tables—with separate tables used for different license categories such as consumer, enterprise, and OEM pre-installation.

In early 2018, after years of continued workload growth, the OLS service began approaching the point where it would require more throughput than Table storage could deliver. If the issue wasn’t addressed, the inherent throughput limit of Table storage would begin to threaten overall service quality to the detriment of millions of users worldwide.

Danny Cheng, a software engineer at Microsoft, who leads the OLS development team explains:

“Each Table storage account has a fixed maximum throughput and doesn’t scale past that. By 2018, OLS was running low on available storage throughput, and, given that we were already maintaining each table in its own Table storage account, there was no way for us to get more throughput to serve more requests from our customers. We were being throttled during peak usage hours for the OLS service, so we had to find a more scalable storage backend soon.

In looking for a long-term solution to its storage needs, the OLS team wanted more than just additional throughput. We wanted the ability to deploy OLS in different regions around the world, as a means of minimizing latency by putting copies of the service closer to where our users are. But with Table storage, geo-replication capabilities are fairly limited.”

The OLS team also wanted better disaster recovery. With Table storage, they were storing all data in multiple regions within the United States. All reads and writes went to the primary region, and there were no SLAs in place for replication to the two backup regions, which could take up to 60 minutes. If the primary region became unavailable, human intervention would be required and data loss would be likely.

“If a region were to go down, it would be a real panic situation—with 30 to 60 minutes of downtime and a similar window for data loss,” says Cheng.

The solution: A lift-and-shift migration to Azure Cosmos DB

The OLS team chose to move to Azure Cosmos DB, which offered a lift-and-shift migration path from Table storage—making it easy to swap-in a premium backend service with turnkey global distribution, low latency, virtually unlimited scalability, guaranteed high availability, and more.

“At first, when we realized we needed a new storage backend, it was intimidating in that we didn’t know how much new code would be needed,” says Cheng. “We looked at several storage options on Azure, and Azure Cosmos DB was the only one that met all our needs. And with its Table API, we wouldn’t even need to write much new code. In many ways, it was an ideal lift-and-shift—delivering the scalability we needed and lots of other benefits with little work.”

Design decisions

In preparing to deploy Azure Cosmos DB, the OLS team had to make a few basic design decisions:

Consistency level, which gave the team options for addressing the fundamental tradeoffs between read consistency and latency, availability, and throughput.

“We picked strong consistency because some of our business logic requires reading from storage immediately after writing to it,” explains Cheng.

Partition key, which dictates how items within an Azure Cosmos DB container are divided into logical partitions—and determines the ultimate scalability of the data store.

“With the Azure Cosmos DB Table API, partition keys naturally map to what we had in Table storage—so we were able to reuse the same partition key,” says Cheng.

Migration process

Although Azure Cosmos DB offered a data migration tool, its use at that time would have entailed some downtime for the OLS service, which wasn’t an option. (Note: Today you can do live migrations without downtime.) To address this, the OLS team built a data migration solution that consisted of three components:

A Data Migrator that moves current data from Table storage to Azure Cosmos DB.
A Dual Writer that writes new database changes to both Table storage and Azure Cosmos DB.
A Consistency Checker that catches any mismatches between Table storage and Azure Cosmos DB.

The Data Migrator component is based on the same one provided to Microsoft customers by the Azure Cosmos DB team.

“To solve the downtime problem, we added Dual Writer and Consistency Checker components, which run on the same production servers as the OLS service itself,” explains Cheng.

The OLS team completed the migration process in late 2019. Today, Azure Cosmos DB is deployed to the same three regions as Table storage, which the team did to mimic the Table storage topology as closely as possible during the migration. Similarly, North Central US is the primary (read/write) region while the other two regions are currently read-only. The Azure Cosmos DB environment has 18 tables containing 5 TB of data and consumes about 1 million request units per second (RU/s), which are the units used to reserve guaranteed database throughput in Azure Cosmos DB.

Now that migration is complete, the team plans to turn on multi-master capabilities, which will write-enable all regions instead of just the primary one. Tying into this, the team also plans to scale out globally by replicating its backend store to additional regions around the world—as a means of improving latency from the perspective of the Office client by putting copies of the OLS data closer to where its users are.

In part 2 of this series, we examine the outcomes resulting from the team’s efforts to build its new Office Licensing Service on Azure Cosmos DB.

Get started with Azure Cosmos DB today

Visit Azure Cosmos DB.

See Introduction to Azure Cosmos DB Table API.

Quelle: Azure