Quadra

How Ready are you to be Inspired?

Over the past few months, the excitement has been building up in the Microsoft partner community. And there’s a good reason, too! For the first time, Microsoft Inspire and Microsoft Ready (Microsoft’s internal readiness event) are all set to take place in the similar city and during the same time.

This co-location of two of Microsoft’s largest events will help us - Microsoft partners, to learn, network and deep dive into cutting-edge Microsoft solutions that will unlock tremendous opportunities for our businesses as we help our customers reap the benefits of digital transformation. I personally believe that the incredible learning and networking opportunities at Microsoft Inspire and Ready will open our minds to new possibilities and exciting business models.

Enhance your experience at Microsoft Inspire 2018 with a well-devised plan

Opportunities at Inspire are available in abundance. For example, you can brainstorm with a program manager who drives engineering and development for some of the coolest Azure solutions. Where else can you meet some of the most brilliant minds in the technology industry, who are behind the technologies that are changing our world? But before you get ready to capitalize on the opportunities coming your way, it is more important to get ready for the event with a well-devised plan. Here are a few things that should be considered while you plan for the event.

●        Set your objective: If you intend to achieve a great ROI from Microsoft Inspire, you should have a clear objective of why you are attending the event. You may have one or more than one objective, such as:

➢    Gaining in-depth insights into how the business would transform in the coming fiscal year and aligning your business plans, accordingly

➢    Understanding from Microsoft leadership the company’s vision or more precisely, key priorities for the coming year

➢    Exploring the latest technologies in the industry and how you can leverage your partnership with Microsoft to develop your business practices in these new areas

➢    Learning about new product announcements from Microsoft and new initiatives for partners to be launched in the coming year

➢    Networking with Microsoft executives and fellow partners from 150 countries across the globe

●        Have the basics in place: No matter how senior or experienced you are, it pays to have the basics in place – an elevator pitch, for instance. You will run into people who can make a difference to your business at every step in Inspire – so make you create an impact with a pitch on what you and your business do. And don’t forget to pack plenty of business cards!

●        Create a networking target list: Prepare a target list with in-depth details, including:  A. People (be it Microsoft executives or partners) you want to connect with, in addition to background details B. Companies you are looking at connecting with C. Exhibiting organizations you are planning to visit. You can always seek your PAM’s help to reach out to the right people at Microsoft, or even identify partners who can complement your business. If you’re a member of the IAMCP, then that’s a great way to connect with partners across the world. If you are not a member yet, sign up today by visiting www.iamcp.org

●        Plan beforehand for your meetings: Being prepared is half the job done. One of the most valuable opportunities at Microsoft Inspire are the meeting possibilities with the corporate and product teams who play a leading role in influencing product strategy and business direction within Microsoft. Use the Connect tool to identify people whom you wish to connect with. While reaching out, it always helps to present an outline of what you are looking for from the meeting, and the value that you can bring. It will help you make these meetings more purpose-driven and impactful.

●        Allot some time for area lounges and expo hall: If you aim at expanding in new markets, this is the place where you can meet and collaborate with your neighbors from a wide number of countries. Network with Microsoft representatives and your partner peers from across the world while finding out new opportunities for your organization. On the other hand, visit expo hall to meet exhibitors and sponsors displaying the latest products and solutions available in the market. It’s an excellent opportunity to learn about latest innovations and stay on changing frontier of technology.

●        Don’t forget to have fun! Inspire is about working hard, but also having fun. There are numerous parties every evening – great places to meet people in an informal environment and forge lasting bonds. Look out for the mother of all parties – the combined Celebration with a Grammy award winning artist performing. Who is it, you ask? Visit the Inspire website and sign in!

Last but not the least, keep some spare time. In an event of this scale and size, and especially since it is being co-hosted with Microsoft Ready this year, there are bound to be unexpected opportunities and developments. Throughout the conference, set your focus around the plan you have created. It will help you make the most of the conference and go back feeling informed and inspired. 

The current methods of authentication with passwords alone are not sufficient to keep users safe. Users reuse and forget passwords. Passwords are breachable, phishable, prone to cracks, and guessable. They also get difficult to remember and prone to attacks like “pass the hash”.

What is Windows Hello for Business?

Windows Hello for Business is a private/public key or certificate-based authentication approach for organizations and consumers that goes beyond passwords. This form of authentication relies on key pair credentials that can replace passwords and are resistant to breaches, thefts, and phishing.

Windows Hello for Business lets a user authenticate to a Microsoft account, a Windows Server Active Directory account, a Microsoft Azure Active Directory (Azure AD) account, or a non-Microsoft service that supports Fast IDentity Online (FIDO) authentication. After an initial two-step verification during Windows Hello for Business enrollment, Windows Hello for Business is set up on the user's device, and the user sets a gesture, which can be Windows Hello or a PIN. The user provides the gesture to verify their identity. Windows then uses Windows Hello for Business to authenticate the user and help them to access protected resources and services.

The private key is made available solely through a “user gesture” like a PIN, biometrics, or a remote device like a smart card that the user uses to sign in to the device. This information is linked to a certificate or an asymmetrical key pair. The private key is hardware attested if the device has a Trusted Platform Module (TPM) chip. The private key never leaves the device.

The public key is registered with Azure Active Directory and Windows Server Active Directory (for on-premises). Identity Providers (IDPs) validate the user by mapping the public key of the user to the private key, and provide sign-in information through One Time Password (OTP), PhoneFactor, or a different notification mechanism.

Why should enterprises adopt Windows Hello for Business?

By enabling Windows Hello for Business, enterprises can make their resources even more secure by:

• Setting up Windows Hello for Business with a hardware-preferred option. This means that keys will be generated on TPM 1.2 or TPM 2.0 when available. When TPM is not available, software will generate the key.
• Defining the complexity and length of the PIN, and whether Hello usage is enabled in your organization.
• Configuring Windows Hello for Business to support smart card-like scenarios by using certificate-based trust.

How does Windows Hello for Business work?

1. Keys are generated on the hardware by TPM or software. Many devices have a built-in TPM chip that secures the hardware by integrating cryptographic keys into devices. TPM 1.2 or TPM 2.0 generates keys or certificates that are created from the generated keys.
2. The TPM attests these hardware-bound keys.
3. A single unlock gesture unlocks the device. This gesture allows access to multiple resources if the device is domain-joined or Azure AD-joined.

How does the Windows Hello for Business lifecycle work?

• The user proves their identity through multiple built-in proofing methods (gestures, physical smart cards, multi-factor authentication) and sends this information to an Identity Provider (IDP) like Azure Active Directory or on-premises Active Directory.
• The device then creates the key, attests the key, takes the public portion of this key, attaches it with station statements, signs in, and sends it to the IDP to register the key.
• As soon as the IDP registers the public portion of the key, the IDP challenges the device to sign with the private portion of the key.
• The IDP then validates and issues the authentication token that lets the user and the device access the protected resources. IDPs can write cross-platform apps or use browser support (via JavaScript/Webcrypto APIs) to create and use Windows Hello for Business credentials for their users.

What is the deployment requirement for Windows Hello for Business?

At the enterprise level

The enterprise has an Azure subscription.

At the user level

As long as we’ve had passwords, people have tried to guess them. Let us get up to speed on a common attack called password spray which has become MUCH more frequent recently.  There are some best practices that we can adopt to defend against this sophisticated attack.

In a password spray attack, the bad guys try the most common passwords across many different accounts and services to gain access to any password protected assets they can find. Usually these span many different organizations and identity providers.

Four easy steps to disrupt password spray attacks:

Step 1: Use cloud authentication

In the cloud, we see billions of sign-ins to Microsoft systems every day. Microsoft’s security detection algorithms allow them to detect and block attacks as that are happening. Because these are real time detection and protection systems driven from the cloud, they are available only when doing Azure AD authentication in the cloud (including Pass-Through Authentication).

Smart Lockout

In the cloud, Microsoft uses Smart Lockout to differentiate between sign-in attempts that look like they’re from the valid user and sign-ins from what may be an attacker. They can lock out the attacker while letting the valid user continue using the account. This prevents denial-of-service on the user and stops overzealous password spray attacks. This applies to all Azure AD sign-ins regardless of license level and to all Microsoft account sign-ins.

Tenants using Active Directory Federation Services (ADFS) will be able to use Smart Lockout natively in ADFS in Windows Server 2016 starting in March 2018. They can look for this ability to come via Windows Update.

IP Lockout

IP lockout works by analyzing those billions of sign-ins to assess the quality of traffic from each IP address hitting Microsoft’s systems. With that analysis, IP lockout finds IP addresses acting maliciously and blocks those sign-ins in real-time.

Attack Simulations

Now available in public preview, Attack Simulator as part of Office 365 Threat Intelligence enables customers to launch simulated attacks on their own end users, determine how their users behave in the event of an attack, and update policies and ensure that appropriate security tools are in place to protect an organization from threats like password spray attacks.

Step 2: Use multi-factor authentication

A password is the key to accessing an account, but in a successful password spray attack, the attacker has guessed the correct password. To stop them, we need to use something more than just a password to distinguish between the account owner and the attacker. The three ways to do this are below.

Risk-based multi-factor authentication

Azure AD Identity Protection uses the sign-in data mentioned above and adds on advanced machine learning and algorithmic detection to risk score every sign-in that comes in to the system. This enables enterprise customers to create policies in Identity Protection that prompt a user to authenticate with a second factor if and only if there’s risk detected for the user or for the session. This lessens the burden on your users and puts blocks in the way of the bad guys.

Always-on multi-factor authentication

For even more security, Enterprises can use Azure MFA to require multi-factor authentication for their users all the time, both in cloud authentication and ADFS. While this requires end users to always have their devices and to more frequently perform multi-factor authentication, it provides the most security for the enterprise. This should be enabled for every admin in an organization.

Azure MFA as primary authentication

In ADFS 2016, Microsoft has the ability use Azure MFA as primary authentication for passwordless authentication. This is a great tool to guard against password spray and password theft attacks: if there’s no password, it can’t be guessed. This works great for all types of devices with various form factors. Additionally, enterprises can now use password as the second factor only after an OTP has been validated with Azure MFA.

Step 3: Better passwords for everyone

Even with all the above, a key component of password spray defence is for all users to have passwords that are hard to guess. It’s often difficult for users to know how to create hard-to-guess passwords. Microsoft helps you make this happen with these tools.

Banned passwords

In Azure AD, every password change and reset runs through a banned password checker. When a new password is submitted, it’s fuzzy-matched against a list of words that no one, ever, should have in their password (and l33t-sp3@k spelling doesn’t help). If it matches, it’s rejected, and the user is asked to choose a password that’s harder to guess. Microsoft builds the list of the most commonly attacked passwords and updates it frequently.

Custom banned passwords

To make banned passwords even better, Microsoft is going to allow tenants to customize their banned password lists. Admins can choose words common to their organization—famous employees and founders, products, locations, regional icons, etc.—and prevent them from being used in their users’ passwords. This list will be enforced in addition to the global list, so enterprises don’t have to choose one or the other. It’s in limited preview now and will be rolling out this 2018.

Banned passwords for on-premises changes

This spring, Microsoft is launching a tool to let enterprise admins ban passwords in hybrid Azure AD-Active Directory environments. Banned password lists will be synchronized from the cloud to the on-premises environments and enforced on every domain controller with the agent. This helps admins ensure users’ passwords are harder to guess no matter where—cloud or on-premises—the user changes his/her password. This launched to limited private preview in February 2018 and will go to GA this year.

Change how you think about passwords

A lot of common conceptions about what makes a good password are wrong. Usually something that should help mathematically actually results in predictable user behaviour: for example, requiring certain character types and periodic password changes both result in specific password patterns. If an enterprise is using Active Directory with PTA or ADFS, they have to update their password policies. If they are using cloud managed accounts, enterprises need consider setting their passwords to never expire.

Step 4: More awesome features in ADFS and Active Directory

If an enterprise is using hybrid authentication with ADFS and Active Directory, there are more steps they can take to secure their environment against password spray attacks.

The first step: for organizations running ADFS 2.0 or Windows Server 2012, plan to move to ADFS in Windows Server 2016 as soon as possible.  The latest version will be updated more quickly with a richer set of capabilities such as extranet lockout. Microsoft has made it really easy to upgrade from Windows Server 2012R2 to 2016.

Block legacy authentication from the Extranet

Legacy authentication protocols don’t have the ability to enforce MFA, so the best approach is to block them from the extranet. This will prevent password spray attackers from exploiting the lack of MFA on those protocols.

Enable ADFS Web Application Proxy Extranet Lockout

If enterprises do not have extranet lockout in place at the ADFS Web Application proxy, they should enable it as soon as possible to protect their users from potential password brute force compromise.

Deploy Azure AD Connect Health for ADFS

Azure AD Connect Health captures IP addresses recorded in the ADFS logs for bad username/password requests, gives admins additional reporting on an array of scenarios, and provides additional insight to support engineers when opening assisted support cases.

(To deploy, admins must download the latest version of the Azure AD Connect Health Agent for ADFS on all ADFS Servers (2.6.491.0). ADFS servers must run Windows Server 2012 R2 with KB 3134222 installed or Windows Server 2016).

Use non-password-based access methods

Without a password, a password can’t be guessed. These non-password-based authentication methods are available for ADFS and the Web Application Proxy:

• Certificate based authentication allows username/password endpoints to be blocked completely at the firewall.
• Azure MFA, as mentioned above, can be used to as a second factor in cloud authentication and ADFS 2012 R2 and 2016. But, it also can be used as a primary factor in ADFS 2016 to completely stop the possibility of password spray.
• Windows Hello for Business, available in Windows 10 and supported by ADFS in Windows Server 2016, enables completely password-free access, including from the extranet, based on strong cryptographic keys tied to both the user and the device. This is available for corporate-managed devices that are Azure AD joined or Hybrid Azure AD joined as well as personal devices via “Add Work or School Account” from the Settings app.

- Based on a blog from Microsoft Security

If your enterprise is preparing for a digital transformation journey and is looking for a simple strategy to test waters (or road testing, if you want), here is what none can refuse to accept – a free ticket to kick start your journey and that with the pioneer that offered infrastructure as a service – Amazon.

Let us first look at what services are offered for free for 12 months by AWS in its Free Tier

(Only available to new AWS customers, and are available for 12 months following an AWS sign-up date).

Elastic Compute Cloud (EC2)

Use this to create Virtual machines for your workloads.

• 750 hours of Amazon EC2 Linux t2.micro instance usage (1 GiB of memory and 32-bit and 64-bit platform support) – enough hours to run continuously each month
• 750 hours of Amazon EC2 Microsoft Windows Server† t2.micro instance usage (1 GiB of memory and 32-bit and 64-bit platform support) – enough hours to run continuously each month

Elastic Load Balancer

Automatically distributes incoming application traffic across multiple targets – Available as Application load balancer, Network load balancer and Classic load balancer

• 750 hours of an Elastic Load Balancer shared between Classic and Application load balancers, 15 GB data processing for Classic load balancers, and 15 LCUs for Application load balancers

Elastic Block Storage

Persistent block storage volumes for EC2 instances / Virtual machines

• 30 GB of Amazon Elastic Block Storage in any combination of General Purpose (SSD) or Magnetic, plus 2 million I/Os (with EBS Magnetic) and 1 GB of snapshot storage

Elastic Container Registry

A fully-managed Docker container registry that makes it easy for developers to store, manage, and deploy Docker container images.

• 500 MB-month of Amazon Elastic Container Registry storage for new customers

Amazon Simple Storage Service (S3)

Object storage built to store and retrieve any amount of data from anywhere

• 5 GB of Amazon S3 standard storage, 20,000 Get Requests, and 2,000 Put Requests

Amazon Elastic File System (EFS)

A simple, scalable file storage for use with Amazon EC2 instances

• 5 GB per month of Amazon EFS capacity free

Amazon Relational Database Service (RDS)

Set up, operate, and scale a relational database in the cloud.

• 750 hours of Amazon RDS Single-AZ db.t2.micro Instances, for running MySQL, PostgreSQL, MariaDB, Oracle BYOL or SQL Server (running SQL Server Express Edition) – enough hours to run a DB Instance continuously each month
• 20 GB of database storage, in any combination of RDS General Purpose (SSD) or Magnetic storage
• 10 million I/Os (for use with RDS Magnetic storage; I/Os on RDS General Purpose (SSD) storage are not separately billed)
• 20 GB of backup storage for your automated database backups and any user-initiated DB Snapshots

Amazon Cloud Directory

Enables you to build flexible cloud-native directories for organizing hierarchies of data along multiple dimensions. With Cloud Directory, you can create directories for a variety of use cases, such as organizational charts, course catalogs, and device registries including AD LDS

• 1GB of storage per month; 10,000 write requests per month; 100,000 read requests per month;

Amazon Connect

A self-service cloud-based contact center service to deliver better customer service

• 90 minutes per month of Amazon Connect usage; A local direct inward dial (DID) number for the AWS region; 30 minutes per month of local (to the AWS region) inbound DID calls; 30 minutes per month of local (to the AWS region) outbound calls; For US regions, a US toll-free number for use per month and 30 minutes per month of US inbound toll-free calls

Amazon GameLift

A managed service for deploying, operating, and scaling dedicated game servers for session-based multiplayer games

• 125 hours per month of Amazon GameLift c4.large.gamelift On-Demand instance usage; 50 GB EBS General Purpose (SSD) storage

Data Transfer

• 15 GB of data transfer out and 1GB of regional data transfer aggregated across all AWS services

Amazon Data Pipeline

A web service to reliably process and move data between different AWS compute and storage services, as well as on-premises data sources, at specified intervals

• 3 low frequency preconditions running on AWS per month; 5 low frequency activities running on AWS per month

Amazon ElastiCache

Fully managed Redis and Memcached to seamlessly deploy, operate, and scale popular open source compatible in-memory data stores

• 750 hours of Amazon ElastiCache cache.t2micro Node usage - enough hours to run continuously each month.

Amazon CloudFront

A global content delivery network (CDN) service that securely delivers data, videos, applications, and APIs to viewers with low latency and high transfer speeds.

• 50 GB Data Transfer Out, 2,000,000 HTTP and HTTPS Requests of Amazon CloudFront

Amazon API Gateway

A fully managed service that makes it easy for developers to create, publish, maintain, monitor, and secure APIs at any scale

• 1 Million API Calls per month

Amazon Cognito

Add user sign-up, sign-in and access control of web and mobile application users

• The Your User Pool feature has a free tier of 50,000 MAUs each month; 10 GB of cloud sync storage; 1,000,000 sync operations per month.

Amazon Sumerian

Create and run virtual reality (VR), augmented reality (AR), and 3D applications quickly and easily without requiring any specialized programming or 3D graphics expertise.

• 50MB published scene that receives 100 views per month for free in the first year

Amazon Elasticsearch Service

A fully managed service to deploy, secure, operate, and scale Elasticsearch for log analytics, full text search, application monitoring etc.

• 750 hours per month of a single-AZ t2.micro.elasticsearch instance or t2.small.elasticsearch instance; 10GB per month of optional EBS storage (Magnetic or General Purpose)

Amazon Pinpoint

Engage your customers by tracking the ways in which they interact with your applications

• 5,000 free targeted users per month; 1,000,000 free push notifications per month; 100,000,000 events per month

AWS OpsWorks for Chef Automate

A fully-managed configuration management service that hosts Chef Automate, a suite of automation tools from Chef for configuration management, compliance and security, and continuous deployment.

• 7500 node hours (which equals 10 nodes) per month

AWS OpsWorks for Puppet Enterprise

A fully-managed configuration management service that hosts Puppet Enterprise, a set of automation tools from Puppet for infrastructure and application management.

• 7500 node hours (which equals 10 nodes) per month

Amazon Polly

A Text-to-speech service that turns text into lifelike speech, allowing to create applications that talk, and build entirely new categories of speech-enabled products

• 5 million characters per month

AWS IoT

A managed cloud platform that lets connected devices easily and securely interact with cloud applications and other devices.

• 250,000 messages (published or delivered) per month

Amazon Lex

An automatic speech recognition / speech-to-text service for building conversational interfaces into any application using voice and text

• 10,000 text requests per month; 5,000 speech requests per month

Here below is the list of services that are always free (non-expiring)

These free tier offers do not automatically expire at the end of your 12 month AWS Free Tier term and are available to all AWS customers. 

Amazon DynamoDB

A fully managed, fast and flexible NoSQL database service for all applications that need consistent, single-digit millisecond latency at any scale

• 25 GB of Storage, 25 Units of Read Capacity and 25 Units of Write Capacity – enough to handle up to 200M requests per month with Amazon DynamoDB.

Amazon Cognito

Add user sign-up, sign-in and access control of web and mobile application users

• The Your User Pool feature has a free tier of 50,000 MAUs each month; The Federated Identities feature for authenticating users and generating unique identifiers is always free with Amazon Cognito.

(The Your User Pool feature is currently in Beta and you will not be charged for sending SMS messages for Multi-Factor Authentication (MFA) and phone verification. However, separate pricing for sending SMS messages will apply after the conclusion of Beta period.)

AWS CodeCommit

A fully-managed source control service that makes it easy for companies to host secure and highly scalable private Git repositories

• 5 active users per month; 50 GB-month of storage per month; 10,000 Git requests per month

Amazon CloudWatch

A monitoring service for AWS cloud resources and the applications you run on AWS

• 10 Amazon Cloudwatch custom metrics, 10 alarms, and 1,000,000 API requests; 5 GB of Log Data Ingestion; 5 GB of Log Data Archive; 3 Dashboards with up to 50 metrics each per month

AWS X-Ray

Analyze and debug production, distributed applications, such as those built using a microservices architecture

• 100,000 traces recorded per month; 1,000,000 traces scanned or retrieved per month

Amazon Mobile Analytics – Now called Amazon Pinpoint

Engage customers by tracking the ways in which they interact with your applications.

• 100 million free events per month

AWS Database Migration Service

Migrate databases to AWS quickly and securely

• 750 Hours of Amazon DMS Single-AZ dms.t2.micro instance usage; 50 GB of included General Purpose (SSD) storage

AWS Storage Gateway

A hybrid storage service that enables your on-premises applications to seamlessly use AWS cloud storage for backup and archiving, disaster recovery, cloud bursting, storage tiering, and migration

• Up to 100GB a month free; up to $125 a month maximum charges

Amazon Chime

A communications service for online meetings, video conferencing, calls, chat, and to share content, both inside and outside your organization.

• Unlimited usage of Amazon Chime Basic

Amazon Simple Workflow Service (SWF)

A task-based API that makes it easy to coordinate work across distributed application components by providing a programming model and infrastructure for coordinating distributed components and maintaining their execution state in a reliable way.

• 1,000 Amazon SWF workflow executions and a total of 10,000 activity tasks, signals, timers and markers, and 30,000 workflow-days.

Amazon Simple Queue Service (SQS) and Amazon Simple Notification Service (SNS)

SQS is a fully managed message queuing service to decouple and scale microservices, distributed systems, and serverless applications. SNS is a flexible, fully managed pub/sub messaging and mobile notifications service for coordinating the delivery of messages to subscribing endpoints and clients.

• 1,000,000 Requests of Amazon Simple Queue Service; 1,000,000 Requests, 100,000 HTTP notifications and 1,000 email notifications for Amazon Simple Notification Service

Amazon Elastic Transcoder

A media transcoding service for developers and businesses to convert (or “transcode”) media files from their source format into versions that will playback on devices like smartphones, tablets and PCs.

• 20 minutes of SD transcoding or 10 minutes of HD transcoding

AWS Key Management Service

A managed service to create and control the encryption keys used to encrypt your data, and uses Hardware Security Modules (HSMs) to protect the security of your keys

• 20,000 free requests per month

AWS Lambda

A platform service to run code without provisioning or managing servers

• 1,000,000 free requests per month; Up to 3.2 million seconds of compute time per month

AWS CodePipeline

A continuous integration and continuous delivery service for application and infrastructure updates. 

• 1 active pipeline per month

AWS Device Farm

An app testing service that lets you test and interact with your Android, iOS, and web apps on many devices at once, or reproduce issues on a device in real time.

• Free one-time trial of 1,000 device minutes

AWS Step Functions

A serverless platform service to orchestrate AWS Lambda functions for serverless applications.

• 4,000 state transitions per month

Amazon SES

A cloud-based email sending service designed to help digital marketers and application developers send marketing, notification, and transactional emails to customers.

• 62,000 Outbound Messages per month to any recipient when you call Amazon SES from an Amazon EC2 instance directly or through AWS Elastic Beanstalk.; 1,000 Inbound Messages per month.

Amazon QuickSight

A business analytics service that makes it easy to build visualizations, perform ad-hoc analysis, and quickly get business insights from your data

• 1 user, 1 GB of SPICE (Super-fast, Parallel, In-memory, Calculation Engine)

Amazon Glacier

A secure, durable cloud storage service for data archiving and long-term backup

• 10 GB of Amazon Glacier data retrievals per month for free. The free tier allowance can be used at any time during the month and applies to Standard retrievals.

Amazon Macie

A security service that uses machine learning to automatically discover, classify, and protect sensitive data in AWS.

• 1 GB processed by the content classification engine; 100,000 events

AWS Glue

A fully managed extract, transform, and load (ETL) service that makes it easy for customers to prepare and load their data for analytics

• 1 Million objects stored in the AWS Glue Data Catalog; 1 Million requests made per month to the AWS Glue Data Catalog

AWS CodeBuild

A fully managed build service that compiles source code, runs tests, and produces software packages that are ready to deploy

• 100 build minutes per month of build.general1.small compute type usage

 † The following Windows variants are not eligible for the free tier: Microsoft Windows Server 2008 R2 with SQL Server Web, Microsoft Windows Server 2008 R2 with SQL Server Standard, Microsoft Windows 2008 R2 64-bit for Cluster Instances and Microsoft Windows 2008 R2 SQL Server 64-bit for Cluster Instances.

AWS Marketplace offers free and paid software products that run on the AWS Free Tier. If you qualify for the AWS Free Tier, you can use these products on an Amazon EC2 t2.micro instance for up to 750 hours per month and pay no additional charges for the Amazon EC2 instance (during the 12 months).

Refer this page for more details

Microsoft has showcased how it solved the Fake leads problem as a Leader in Digital Transformation

“Fake leads” is the problem to tackle

When people sign up via online forms, they sometimes give a fake name, company name, email, or phone number. They may submit randomly typed characters (keyboard gibberish) or use profanity. Or, they may accidentally make a small typographical error, but otherwise the name is real—so we don’t want to classify the lead as junk.

The abundance of fake lead names across Microsoft subsidiaries results in:

·         Lost productivity for our global marketers and sellers. Fake names waste an enormous amount of time since sellers rely on accurate information to follow up with leads.

·         Lost revenue opportunities. Among thousands of fake lead names, there could be one legitimate opportunity.

Each day, thousands of people sign up using thousands of web forms. But, in any month, many of the lead names—whether a company or a person—are fake.

The solution to tackle “Fake leads”

Improving data quality is critical. To do that, and to determine if names are real or fake, Microsoft built a machine learning solution that uses:

·         Microsoft Machine Learning Server (previously Microsoft R Server).

·         A data quality service that integrates machine learning models. When a company name enters the marketing system, the system calls their data quality service, which immediately checks if it’s a fake name.

So far, machine learning has reduced the number of fake company names that enter Microsoft’s marketing system, at scale. Their solution has prevented thousands of names from being routed to marketers and sellers. Filtering out junk leads has made their marketing and sales teams more efficient, allowing them to focus on real leads and help customers better.

Microsoft Machine Learning Server

Microsoft needed a scalable way to eliminate fake names across millions of records and to build and operationalize their machine learning model—in other words, they wanted a systematic, automated approach with measurable gains. They chose Machine Learning Server, in part, because:

·         It can handle their large datasets—which enables them to train and score their model.

·         It has the computing power that they need.

·         They can control how they scale their model and operationalize for high-volume business requests.

·         Access is based on user name and password, which are securely stored in Azure Key Vault.

·         It helps expose the model as a secure API that can be integrated with other systems and improved separately.

The difference between rule-based model to Machine Learning

Rules

Experts create static rules to cover common scenarios. As new scenarios occur, new rules are written. A static, rules-based model can make it hard to capture varying types of keyboard gibberish (like akljfalkdjg). With static rules, Microsoft’s marketers must waste time sorting through the fake leads and deciphering misleading or confusing information.

Machine Learning

Algorithms are used to train the model and make intelligent predictions. Algorithms help build and train the model by labeling and classifying data at the beginning of the process. Then, as data enters the model, the algorithm categorizes the data correctly—saving valuable time. Microsoft used the Naive Bayes classifier algorithm to categorize names as real/fake. This algorithm is influenced by how LinkedIn detects spam names in their social networks.

Scenarios where the model is used

Microsoft’s business team identified their subsidiaries worldwide that are most affected by fake names. Now, they are weeding out fake names so that marketers and sellers don’t have to. Going forward, they plan to:

·         Create a lead data quality metric with more lead-related signals and other machine learning models that allow them to stack-rank their leads. The goal is to give a list to their sellers and marketers that suggests which leads to call first and which to call next.

·         Make contact information visible to their sellers and marketers when they’re talking on the phone with leads. For example, if the phone number that someone gave in an online form is real, but the company name isn’t, their seller can ask the lead to confirm the company name.

Choosing the technology

Microsoft incorporated the following technologies into their solution:

·         The programming language R and the Naive Bayes classifier algorithm for training and building the model are based, in part, on the approach that LinkedIn uses.

·         Machine Learning Server with machine learning, R, and artificial intelligence (AI) capabilities help them build and operationalize their model.

·         Their data quality service, which integrates with the machine learning models to determine if a name is fake – person or company.

Designing the approach

Microsoft designed their overall architecture and process to work as follows:

1.       Marketing leads enter their data quality and enrichment service, where their team does fake-name detection, data matching, validation, and enrichment. They combine these data activities using a 590-megabyte model. Their training data consists of about 1.5 million real company names and about 208,312 fake (profanity and gibberish) company names. Before they train the model, they remove commonly used company suffixes such as Private, Ltd., and Inc.

2.       They generate n-grams—combinations of contiguous letters—of three to seven characters and calculate probabilities that each n-gram belongs to the real/fake name dataset in the model. For example, an n-gram that shows three sequenced letters of the name “Microsoft” would look like “Mic,” “icr” “cro” and so on. The training process computes how often the n-grams occur in real/fake company names and stores the computation in the model.

3.       They have four virtual machines that run Machine Learning Server. One serves as a web node and three serve as compute nodes. They have more compute nodes so that they can scale to handle the volume of requests that they have. The architecture gives them the ability to scale up or down by adding/removing compute nodes as needed based on the volume of requests. The provider calls a web API hosted on the web node, with company name as input.

4.       The web API calls the scoring function on the compute node. This scoring function generates n-grams from the input company name and calculates the frequencies of these n-grams in the real/fake training dataset.

5.       To determine whether the input company name is real or fake, the predict function in R uses these calculated n gram frequencies stored in the model, along with the Naive Bayes rule.

To summarize, the scoring function that’s used during prediction generates the n-grams. It uses the frequencies of each n-gram in the real/fake name dataset that’s stored in the model to compute the probability of the company name belonging to the real/fake name dataset. Then, it uses these computed probabilities to determine if the company name is fake.

What Microsoft learned about Business, technical, and design considerations

·         Ideally, the business problem should be solved within your organization itself rather than outsourcing it. Your organization will have deeper historical knowledge of the business domain, which helps to design the most relevant solution.

·         Having good training and test data is crucial. Most of the work Microsoft did was labeling their test data, analyzing how Naive Bayes performed compared to rxLogisticRegression and rxFastTrees algorithms, determining how accurate their model was, and updating their model where needed.

·         When you design a machine learning model, it’s important to identify how to effectively label the raw data. Unlabeled data has no information to explain or categorize it. Microsoft labels the names as fake/real and apply the machine learning model. This model takes new, unlabeled data and predicts a likely label for it.

·         Even in machine learning, you risk having false positives and negatives, so you need to keep analyzing predictions and retraining the model. Crowdsourcing is an effective way to analyze whether the predictions from the model are correct; otherwise, these can be time-consuming tasks. In Microsoft’s case, due to certain constraints they faced, they didn’t use crowdsourcing, but they plan to do so in the future.

Operationalizing with Machine Learning Server vs. other Microsoft technologies

Some other technical and design considerations included deciding which Microsoft technologies to use for creating machine learning models. Microsoft offers great options such as Machine Learning Server, SQL Server 2017 Machine Learning Services (previously SQL Server 2016 R Services), and Azure Machine Learning Studio. Here are some tips to help you decide which to use for creating and operationalizing your model:

·         If you don’t depend on SQL Server for your model, Machine Learning Server is a great option. You can use the libraries in R and Python to build the model, and you can easily operationalize R and Python models. This option allows you to scale out as needed and lets you control the version of R packages that you want to use for modeling.

·         If you have training data in SQL Server and want to build a model that’s close to your training data, SQL Server 2017 Machine Learning Services works well—but there are dependencies on SQL Server and limits on model size.

·         If your model is simple, you could build it in SQL Server as a stored procedure without using libraries. This option works well for simpler models that aren’t hard to code. You can get good accuracy and use fewer resources, which saves money.

·         If you’re doing experiments and want quick learning, Azure Machine Learning Studio is a great choice. As your training dataset grows and you want to scale your models for high-volume requests, consider Machine Learning Server and SQL Server 2017 Machine Learning Services.

Challenges and roadblocks Microsoft faced

·         Having good training data. High-quality training data begins with a collection of company names that are clearly classified as real or fake—ideally, from companies around the world. Microsoft feeds that information into their model for it to start learning the patterns of real or fake company names. It takes a while to build and refine this data, and it’s an iterative process.

·         Identifying and manually labeling the training and test dataset. Microsoft manually labeled thousands of records as real or fake, which takes a lot of time and effort. Instead, one can take advantage of crowdsourcing services if possible, to avoid manual labeling. With these services, one can submit company names through a secure API and a human says if the company name is real or fake.

·         Deciding which product to use for operationalizing the model. Microsoft tried different technologies, but found computing limitations and versioning dependencies between the R Naive Bayes package they used and what was available in Azure Machine Learning Studio at the time. Microsoft chose Machine Learning Server because it addressed those issues, had the computing power they needed, and helped them easily scale out their model.

·         Configuring load balance. If Microsoft’s Machine Learning Server web node gets lots of requests, it randomly chooses which of the three compute nodes to send the request to. This can result in one node that’s overutilized while another is underutilized. They like to use a round-robin approach, where all nodes are used equally to better distribute the load. This can be achieved by using an Azure load balancer in between the web and compute node.

Measurable benefits Microsoft has seen so far

The gains Microsoft has made thus far are just the beginning. So far, Machine Learning Server has helped them in the following ways:

·         With the machine learning model, their system tags about 5 to 9 percent more fake records than the static model. This means the system prevented 5 to 9 percent more fake names from going to marketers and sellers. Over time, this represents a vast number of fake names that their sellers do not have to sort through. As a result, marketer and seller productivity is enhanced.

·         They have captured more gibberish data and most profanities, with fewer fake positives and fake negatives. They have a high degree of accuracy, with an error rate of +/– 0.2 percent.

·         Their time to respond to requests has improved. With 10,000 data classifications of real/fake in 16 minutes and 200,000 classifications in 3 hours 13 minutes, they have ensured that their data quality service meets service level agreements for performance and response time. They plan to improve response time by slightly modifying the algorithm in Python.

Next steps

Microsoft is excited about how their digital transformation journey has already enabled them to innovate and be more efficient. They will build on this momentum by learning more about business needs and delivering other machine learning solutions. Their roadmap includes:

·