Microsoft is urging users to abandon telephone-based multi-factor authentication (MFA) solutions like one-time codes sent via Short Message Service (SMS) and voice calls and instead replace them with newer MFA technologies, like app-based authenticators and security keys.

The warning comes from Alex Weinert, Director of Identity Security at Microsoft. For the past year, Weinert has been advocating on Microsoft's behalf, urging users to embrace and enable MFA for their online accounts.

In a blog post last year, citing internal Microsoft statistics, Weinert said that users who enabled multi-factor authentication (MFA) ended up blocking around 99.9% of automated attacks against their Microsoft accounts.

But in a follow-up blog post, Weinert says that if users have to choose between multiple MFA solutions, they should stay away from telephone-based MFA.

The Microsoft exec cites several known security issues, not with MFA, but with today's state of the telephone networks.

Weinert says that both SMS and voice calls are transmitted in cleartext and can be easily intercepted by determined attackers, using techniques and tools like software-defined-radios, FEMTO cells, or SS7 intercept services.

SMS-based one-time codes are also phishable via open source and readily-available phishing tools like Modlishka, CredSniper, or Evilginx.

Further, phone network employees can be tricked into transferring phone numbers to a threat actor's SIM card – in attacks known as SIM swapping – allowing attackers to receive MFA one-time codes on behalf of their victims.

On top of these, phone networks are also exposed to changing regulations, downtimes, and performance issues, all of which impact the availability of the MFA mechanism overall, which, in turn, prevents users from authenticating on their account in moments of urgency.

SMS and voice calls are the least secure MFA method today.

All of these make SMS and call-based MFA "the least secure of the MFA methods available today," according to Weinert.

The Microsoft exec believes that this gap between SMS & voice-based MFA "will only widen" in the future.
As MFA adoption increases overall, with more users adopting MFA for their accounts, attackers will also become more interested in breaking MFA methods, with SMS and voice-based MFA naturally becoming their primary target due to its extensive adoption.

Weinert says that users should enable a more robust MFA mechanism for their accounts, if available, recommending Microsoft's Authenticator MFA app as a good starting point.

But if users want the best, they should go with hardware security keys, which Weinert ranked as the best MFA solution in a blog post he published last year.
​
This preference for app or security key alternatives for MFA shouldn't mean that users should disable SMS or voice-based MFA for their accounts without substituting another MFA approach. SMS MFA is still way better than no MFA at all.

In the UK, all Internet of Things (IoT) and smart consumer devices will need to adhere to specific security requirements, under new government proposals.

The legislation aims is to help protect citizens and businesses from the threats posed by cybercriminals increasingly targeting Internet of Things devices.

By hacking IoT devices, cybercriminals can build an army of devices that can be used to conduct DDoS attacks to take down online services, while poorly secured IoT devices can also serve as an easy way for hackers to get into networks and other systems across a network.

The proposed measures from the Department for Culture, Media and Sport (DCMS) have been developed in conjunction with the UK's National Cyber Security Centre (NCSC) and come following a consultation period with information security experts, product manufacturers and retailers and others.

"Our new law will hold firms manufacturing and selling internet-connected devices to account and stop hackers threatening people's privacy and safety," said Matt Warman, minister for digital and broadband at DCMS.

They also follow on from the previously suggested voluntary best practice requirements. Still, the legislation would require that IoT devices sold in the UK must follow three particular rules to be allowed to sell products in the UK. They are:

• All consumer internet-connected device passwords must be unique and not resettable to any universal factory setting.
• Manufacturers of consumer IoT devices must provide a public point of contact so anyone can report a vulnerability, and it will be acted on promptly.
• Manufacturers of consumer IoT devices must explicitly state the minimum length of time for which the device will receive security updates at the point of sale, either in-store or online.

It is currently unclear how these rules will be enforced under any future law. While the government has said that its "ambition" is to introduce legislation in this area, and said this would be done "as soon as possible," there is no detail on when this would take place. A DCMS spokesperson said that the department would be working with retailers and manufacturers as the proposals move forward.

Many connected devices are shipped with simple, default passwordswhich in many cases can't be changed. At the same time, some IoT product manufacturers often lack a means of being contacted to report vulnerabilities – especially if that device is produced on the other side of the world.

In addition to this, it's been known for IoT products to stop receiving support from manufacturers suddenly, and by providing an exact length of time that devices will be supported will allow users to think about how secure the product will be in the long-term.

If products don't follow these rules, the new law proposes that these devices could potentially be banned from sale in the UK.

"Whilst the UK Government has previously encouraged industry to adopt a voluntary approach, it is now clear that decisive action is needed to ensure that strong cybersecurity is built into these products by design," said Warman.

"Our new law will hold firms manufacturing and selling internet-connected devices to account and stop hackers from threatening people's privacy and safety. It will mean robust security standards are built-in from the design stage and not bolted on as an afterthought," he added.

"Smart technology is increasingly central to the way we live our lives, so the development of this legislation to ensure that we are better protected is hugely welcomed," said Nicola Hudson, Policy and Communications Director at the NCSC.

"It will give shoppers increased peace of mind that the technology they are bringing into their homes is safe, and that issues such as pre-set passwords and sudden discontinuation of security updates are a thing of the past."
​
The UK isn't alone in attempting to secure the Internet of Things – ENISA, the European Union's cybersecurity agency, is also working towards legislation in this area. At the same time, the US government is also looking to regulate IoT to protect against cyber-attacks.

Cryptocurrency investors in the United States are receiving letters from the Internal Revenue Service (IRS) which are proposing backdated tax payments relating to the trade of virtual assets. 

As reported by Bloomberg, some traders are receiving notices asking for input on revised tax returns, based on estimates of profit generated by cryptocurrency-related activities.

The CP2000 notices have been sent in recent weeks, and while they do acknowledge mistakes in past tax returns might be due to cryptocurrency platforms and exchanges rather than individuals, they do signal a clampdown by the IRS on the burgeoning industry. 

In July, the IRS also sent warnings to investors to make them aware that tax may be owed on their trading activities. Some investors received demands for the disclosure of cryptocurrency trades between 2013 and 2017. 

An IRS spokesperson said that the latest batch of warning notices are sent to taxpayers when discrepancies between tax returns and information obtained from third parties are flagged. 

Aletter shared with CoinDesk estimates that an investor owes close to $4,000 in taxes and interest for potentially misreported cryptocurrency profits during the 2017 fiscal year. 

"We received information from third parties such as employers or financial institutions that doesn't match the information you reported on your tax return," the letter reads. 

Recipients can accept the changes and make any further payments required, or they can challenge the IRS' decision if they have supporting evidence. 

According to the IRS website, CP2000 receivers should respond within 30 days even if only to say they need more time. The notices are not straight bills or demands, but what the IRS calls "a proposal [that] informs you about the information we have received, and how it affects your tax."

The IRS won a landmark case against Coinbase in 2017 which forced the cryptocurrency exchange to hand over the records of 14,000 customers that purchased, sold, or obtained over $20,000 in cryptocurrency between 2013 and 2015.

The acquisition, though small, is the latest in Microsoft’s attempts to level up with Amazon. Over the last few years, the company has garnered individual partnerships with retailers, which has laid the groundwork for marketers to see it as a potential alternative to the Jeff Bezos behemoth. Still, Microsoft has a long way to go: Amazon has a substantial leg up on both advertising (which brought in $3 billion this past quarter) and cloud storage (which hit $8.38 billion in Q2 of this year). Adding PromoteHQ – which has clients that include Overstock.com, Office Depot, and Kohl’s – indicates that Microsoft is strategizing about how to expand and undercut the competition quietly.

Until now, Microsoft has had to face Google as its primary advertising competitor. The acquisition hints at Microsoft’s ambition to go beyond search. Bloomberg estimated search would bring in about $7.9 billion in annual revenue for the fiscal year 2019, a drop in the bucket compared to Google’s $120 billion in annual ad sales. Earlier this year, Microsoft announced it was changing its ads name from Bing Ads to Microsoft Ads, which also implied that it had grander horizons beyond mere web search, which Google will almost certainly always dominate. Indeed, the PromoteHQ purchase is a way for Microsoft to go beyond search in its quest to court retailers – effectively providing a platform so that brands with e-commerce sites can run ads on their own storefronts.

Microsoft over the last few years has become a quietly growing alternative to the ever-growing Amazon behemoth, something that retailers squeamish to do business with Amazon would welcome. Even though Amazon Web Services has about one-third of the cloud market share, retailers have been inking long-term contracts with competitors like Microsoft to try to chip away at the e-commerce giant’s bottom line. Kroger, for example, has signed significant agreements with both Microsoft Azure and Google Cloud. With that, the grocery chain announced that it was working with Microsoft to build out in-store technology – including a connected store experience and digital shelving that would serve shoppers personalized ads. Walmart too has reportedly told vendors it wants them to stop using AWS.

There are other examples too. Walgreens also signed a long-term deal with Microsoft, as have Walmart and Gap.

“What Microsoft has done well over the last three to five years,” said Ray Wang, principal analyst at Constellation Research, “is [work] with retailers.” But what it’s been very weak on, he said, is advertising. These incremental moves over the last few months – the Microsoft Ads rebrand, as well as acquisitions like PromoteHQ – are setting the groundwork to work with retailers on multiple fronts, including advertising. “Every retailer feels they have a gun to their head from Google, Amazon, and Facebook,” Wang said. “There’s a unique opportunity for Microsoft to be in this space.” Of course, other software giants working with large companies are likely trying to follow suit, such as Salesforce, Adobe, and Oracle,” Wang added.

All of these announcements are piecemeal, but they do add up to a more significant strategy. Retailers want to rely as little on Amazon as possible while growing their e-commerce businesses, and Microsoft has laid the groundwork to offer solutions that are direct alternatives. Meanwhile, as Microsoft continues to make individual long-term deals with big retail companies, it puts it in the position to have future clients as it increases its advertising and software offerings.
​
For retailers, forgoing Amazon could become an almost moral imperative. By doing business with them, said Wang, “you’re giving [Amazon] the ability to crush you.” Thus, if Microsoft were to continue to play to these fears – and focus on more retail-adjacent products like PromoteHQ – its business stands to grow even more.

A new security product has been launched, and it’s packed with features for a reasonable price. Authen2cateis a single-sign-on (SSO) and multi-factor authentication (MFA) service provider. Authen2cate provides a full-service, end-to-end solution that includes consulting services, implementation, integration, and ongoing maintenance and support.

Reduce Security Risk. The need for multi-factor authentication in today’s world is only becoming more and more apparent. According to The Password Exposefrom LastPass, the average employee is managing 191 passwords. Even a genius would sweat at the thought of remembering 191 unique, strong passwords from memory. This promotes the re-use of basic passwords and is a looming threat to every company. Remember, a simple eight-character alphanumeric password can be cracked in a matter of minutes.

As the internet and cloud solutions become an even more significant part of everyday life, especially in the workplace, ensuring identities can be properly authenticated and access is securely granted to only the right people, passwords alone are an outdated security measure. The National Institute of Standards and Technology (NIST)states that “MFA should be used wherever possible for any external access like VPN, Outlook Web Access or Citrix” and advised that many of the security issues they see today stem from passwords. Also, NIST recommended that businesses should incorporate Multi-Factor Authentication in their login policies, and that password management and policies are not “one-size-fits-all.” Authen2cate is designed to help with these issues. 

By implementing Authen2cate’s unified Identity and Access Management solution, users can prevent identity attacks and data compromise with an added layer of security. 

Meet Compliance Requirements. Security and privacy are essential topics in many industries: Healthcare, Government, IT, Education, and more. Most industry compliance guidelines and requirements from HIPAA, HITECH, PCI, FIPS, NIST, and others require or highly recommend added layers of security. By implementing Authen2cate’s Multi-Factor Authentication solutions, users can better prepare for audits and meet compliance standards to protect their organization.

Multi-Factor Authentication allows for added security to protect user logins and sensitive data. In today’s technical world, where everything is saved on a computer, in a server, or the cloud, it is more important than ever to protect personal information further. Should a username and password become compromised, MFA serves as a second layer of security preventing access to sensitive information.

Provisioning. One of the critical requirements of all compliance standards is not only creating access for a new user but also making sure that when a user leaves the organization, access is revoked. Authen2cate’s solution allows the administrator to seamlessly and automatically provision a new user by simply adding them to the application group in the directory. Applications like Office 365, Salesforce, Oracle, SAP, and many more take only a few minutes to deploy. When a user leaves the organization, delete them from the directory or remove them from the application group, and access is terminated for all applications they had previously been assigned.

Simple User Experience. Authen2cate's unified Identity and Access Management solution offers a seamless and straightforward experience for all users while adding another layer of security. How can Authen2cate make your life easier and more secure?

•   Single Sign-On Portal: Sign in once to your customized portal and get instant, secure access to all your apps in one central platform.

•   Mobile App: Three benefits all in one application. Implement Multi-Factor Authentication to add another layer of security to your applications. Securely reset your passwords straight from the app. And lastly, unlock your account if you completed too many failed login attempts.

Pricing. Authen2cate offers a 45-day free trial, and its subscription is $3/user/month with a minimum of 10 users.

Microsoft’s Windows 10 OS has been facing multiple problems in recent months. In the latest development, Microsoft has now released an important new Windows 10 warning to 800 million users. 

The company has identified a serious and long-running bug on its OS platform. The bug is more of a problem that was inadvertently introduced through design implementations. Microsoft has admitted to quietly switching off Registry backups in Windows 10. It has been observed that Registry backups would randomly show that backup operation has been completed despite no backup file being created. 

For users and businesses, Registry Backups are critical, as they are the last line of defense. If the Windows System Restore point fails, the registry backup is the only option for users. According to Microsoft, “Starting in Windows 10, version 1803, Windows no longer automatically backs up the system registry to the RegBack folder. If you browse to the WindowsSystem32configRegBack folder in Windows Explorer, you will still see each registry hive, but each file is 0kb in size.” 

Windows 10 1803 was released in October last year. While users flagged the issue to Microsoft, the company never admitted it. The disclosure comes just two months after Microsoft pledged to offer control, quality, and transparency to Windows 10 users. 

According to Microsoft, the company has done this to reduce the overall disk footprint size of Windows. The registry backup is usually 50 to 100 MB in size. To recover the system with a corrupt registry hive, Microsoft recommends using a system restore point. You can enable the period registry backup by manually editing the registry entry. 
​
Windows will back up the registry to the RegBack folder when the computer restarts. Windows stores the task information in the Scheduled Task Library in the Registry folder.

Microsoft and Oracle recently said they reached an agreement to make their two cloud computing services work together with high-speed links between their data centers, targeting significant business users and uniting against cloud computing leader Amazon Web Services. 

The two companies said the high-speed link between their data centers would start with facilities in the eastern United States and spread to other regions. They will also work together to let joint users login to services from either company with a single user name and get tech support from either company. 

The move comes as both Oracle and Microsoft are courting large businesses and government customers considering moving computing tasks currently handled in their own data centers to cloud providers. 

“With Oracle’s enterprise expertise, this alliance is a natural choice for us as we help our joint customers accelerate the migration of enterprise applications and databases to the public cloud,” Microsoft’s cloud chief Scott Guthrie said in a statement. 

AWS, the largest cloud computing provider, is encroaching on many of those customers, including in Oracle’s historical stronghold in the database market. 

“With this alliance, our joint customers can migrate their entire set of existing applications to the cloud without having to re-architect anything, preserving the large investments they have already made,” Don Johnson, executive vice president of Oracle’s cloud infrastructure unit, said in a statement. 

Microsoft has previously inked a deal with German software maker SAP SE and Adobe to make their services work better together. 

Ed Anderson, a Gartner research analyst, said the move was a clear “jab” at AWS, especially for Oracle. “It’s no secret that Oracle views AWS as a major competitor in the database market,” he said. 

Anderson also said there remained some unanswered questions about the deal, such as whether customers would face data transfer fees for moving large amounts of information back and forth between services. 

But overall, Anderson said the move would likely benefit Microsoft and Oracle by helping their pitch to large businesses already using services from both. 
​
“It’s a great way for both companies to be able to hitch their cloud offerings together,” Anderson said.

Regulators in the US have taken a big step toward bringing antitrust suits against American tech giants, but they face a long road ahead.

Amazon, Apple, Google, and Facebook are facing unprecedented scrutiny in their own backyard. The US Department of Justice (DoJ) and the Federal Trade Commission are preparing antitrust investigations into the companies, and plan to divvy up the work. As the news emerged, the firm’s share prices were hammered, a clear signal that Wall Street believes the Feds mean business.

Congress also plans to put the companies under the microscope. The Judiciary Committee of the House of Representatives said it's launching a wide-ranging investigation of the market power of the tech giants.

The obvious question is: why now? The European Union has been sounding the alarm about Big Tech’s super-sized influence for years – and imposing massive fines on Google in particular for anti-competitive behavior.

The most likely answer is American politics. Some prominent Democrats, including senator and presidential candidate Elizabeth Warren, have been calling loudly for tech giants to be broken up to stop them harming consumers’ interests. With a presidential election on the horizon, the Republicans likely want to be seen as tough on Big Tech, too. There’s also a widespread suspicion of Silicon Valley’s liberal tendencies. President Donald Trump has a history of trading barbs with Jeff Bezos, Amazon’s boss, and regularly rails against what he sees as social media and search companies’ anti-conservative bias.

Politics aside, there’s plenty for antitrust watchdogs to sink their teeth into. Amazon is accused of using data from its online platform to gain an unfair advantage over other sellers. The EU has already punishedGoogle's manipulation of search results to favor its businesses. Apple’s fighting a private lawsuit which alleges its 30% take on apps sold in its apps store is an abuse of monopoly power. And Facebook dominates the digital ad market together with Google.

Critics such as Warren have used sporting analogies to justify calls for breaking up the tech giants. “You can get to be the umpire in a baseball game, or you can have a team in the game, but you don’t get to be the umpire and have a team in the game,’ she tweeted earlier this year.

If any of the tech giants are found guilty of anti-competitive behavior, they’re likely to be hit with Hefty fines and other sanctions. That may not be enough to satisfy people like Warren, but trying to force through a breakup of one or more of the companies will be tough to do because:

1.Big tech firms have generally made their services available for free. US antitrust law focuses primarily on whether a monopolist has harmed consumers by driving up prices and restricting investment in a market. While firms like Facebook and Google certainly aren’t paragons when it comes to things like privacy, they’ve provided a cornucopia of free stuff to consumers and invest heavily in R&D. That doesn’t mean they can’t be sanctioned for abusing their market power to, say, manipulate search results in ways that drive up prices. But it would be hard to prove they have harmed consumers broadly in the eyes of the law.

2.They aren’t “natural monopolies” like those found in, say, the utility industry, where the cost to enter a market is so vast other companies are dissuaded from doing so, allowing incumbents to drive up prices. The challenge would-be rivals face is to overcome the “network effects” that underpin the big tech companies’ success. A service like Amazon has a magnetic attraction for buyers because they know they will find plenty of the sellers on its platform. And as more buyers roll up, even more sellers will want to join. This will undoubtedly deter competition, but it’s not illegal.

3.Big tech firms dominate data gathering and use insights to provide even more free services. The vast number of customers using their products mean Big Tech firms benefit from what’s helpful to think of as a data snowball. The more customers they attract, the more data they can harvest from them. That information is then used to tailor new services that attract even more users. This cycle is even more powerful in the era of AI, which relies on crunching vast amounts of data for its efficacy.
​
The Microsoft precedent: None of this may deter US regulators, who can draw on Microsoft’s experience in the 1990s for inspiration. The DoJ tried to split Microsoft up to stop it bundling its Internet Explorer web browser with its dominant Windows operating system. The effort failed, but the bruising court battles harmed the company’s reputation and curbed its anti-competitive instincts. History could be about to repeat itself in the internet era.

On the heels of Google buying analytics startup Looker last week for $2.6 billion, Salesforce today announced a huge piece of news in a bid to step up its own work in data visualization and tools to help enterprises make sense of the sea of data that they use and amass: Salesforce is buying Tableau for $15.7 billion in an all-stock deal.

The latter is publicly traded, and this deal will involve shares of Tableau Class A and Class B common stock getting exchanged for 1.103 shares of Salesforce common stock, the company said, and so the $15.7 billion figure is the enterprise value of the transaction, based on the average price of Salesforce’s shares as of June 7, 2019.

This is a significant jump on Tableau’s last market cap ($10.79 billion two days earlier.)

This is a massive deal for Salesforce as it continues to diversify beyond CRM software and into deeper layers of analytics to offer a 360-degree view of the customer and become a de facto data stack for the enterprise.
The company reportedly worked hard to buy LinkedIn but lost out to Microsoft. While there isn’t a whole lot in common between LinkedIn and Tableau, this deal will also help Salesforce extend its engagement (and data intelligence) for the customers that Salesforce already has — something that LinkedIn would have also helped it to do.

Even with Google’s move to buy Looker, one could argue that analytics is a big enough area that all major tech companies are getting their ducks in a row with stronger data analytics strategies and products. It’s unclear whether the two deals were made in response to each other, although it seems that Salesforce has been eyeing Tableau for years.

 “We are bringing together the world’s #1 CRM with the #1 analytics platform. Tableau helps people see and understand data, and Salesforce helps people engage and understand customers. It’s truly the best of both worlds for our customers – bringing together two critical platforms that every customer needs to understand their world,” said Marc Benioff, chairman, and co-CEO of Salesforce. “I’m thrilled to welcome Adam and his team to Salesforce.”

Tableau has about 86,000 business customers, including Charles Schwab, Verizon, Schneider Electric, Southwest and Netflix. Salesforce said Tableau would operate independently and under its own brand post-acquisition. It will also remain headquartered in Seattle, Wash., headed by CEO Adam Selipsky along with others on the current leadership team.

Indeed, later during an analyst conference call, Benioff let it drop that Seattle would become Salesforce’s official second headquarters with the closing of this deal.

That’s not to say, though, that the two will not be working together.

On the contrary, Salesforce is already talking up the possibilities of expanding what the company is already doing with its Einstein platform (launched back in 2016, Einstein is the home of all of Salesforce’s AI-based initiatives.) 

“Joining forces with Salesforce will enhance our ability to help people everywhere see and understand data,” said Selipsky. “As part of the world’s #1 CRM company, Tableau’s intuitive and powerful analytics will enable millions of more people to discover actionable insights across their entire organizations. I’m delighted that our companies share very similar cultures and a relentless focus on customer success. I look forward to working together in support of our customers and communities.”

“Salesforce’s incredible success has always been based on anticipating the needs of our customers and providing them the solutions they need to grow their businesses,” said Keith Block, co-CEO, Salesforce. “Data is the foundation of every digital transformation, and the addition of Tableau will accelerate our ability to deliver customer success by enabling a truly unified and powerful view across all of a customer’s data.”

Networks today are subject to many threats including ransomware, cryptocurrency-miner threats, or state-sponsored hackers.

In line with other security industry pros, Microsoft has confirmed in its 24th annual security intelligence report that ransomware has taken a backseat to pesky cryptocurrency miners. 

But the company also warns that supply-chain attacks are on the rise. These are where an attacker uses a supplier or business partner to spread an infection. 

Past examples include the NotPetya not-ransomware outbreakthat caused over a billion dollars in losses for global firms and the Dofoil BitTorrent attacks. 
    
"Supply-chain attacks are insidious because they take advantage of the trust that users and IT departments place in the software they use," Microsoft warns in the report. 

"The compromised software is often signed and certified by the vendor, and may give no indication that anything is wrong, which makes it significantly more difficult to detect the infection. They can damage the relationship between supply chains and their customers, whether the latter are corporate or home users.

"By poisoning software and undermining delivery or update infrastructures, supply-chain attacks can affect the integrity and security of goods and services that organizations provide."

While attacks are changing and Windows 10 built-in security is improving, the company's advice to customers remains the same. However, there are conflicting data about the best approach to staying secure.  
Microsoft recommends only using software from trusted sources, though this 'security hygiene' measure could be undermined in a supply-chain attack. 

The company also recommends "rapidly applying the latest updates to your operating systems and applications, and immediately deploying critical security updates for OS, browsers, and email."

Deploying patches quickly is generally a good idea. However, Microsoft recently revealed that vulnerabilities in its software are most likely to be exploited as a zero-daybefore the company has even had a chance to release a patch. 

However, its other tips don't present obvious security conflicts.  

"Deploy a secure email gateway that has advanced threat protection capabilities for defending against modern phishing variants," Microsoft warns, adding that businesses should "Enable host anti-malware and network defenses to get near real-time blocking responses from the cloud (if available in your solution)." 

The other important measures organizations should take include implementing access controls, and teaching employees to be suspect of messages that ask them to divulge sensitive information. 

Microsoft also recommends keeping "destruction-resistant backups of your critical systems and data" and using cloud storage services for online backups. 
​
"For data that is on premises, regularly back up important data using the 3-2-1 rule. Keep three backups of your data, on two different storage types, and at least one backup offsite," says Microsoft.