Fannie Mae is a leading source of mortgage financing in all markets and at all times, making sustainable homeownership and workforce rental housing a reality for millions of people.
And Fannie Mae relies on data. It needed a solution that both helps protect data and creates efficiencies for the data scientists who must analyze vast troves of complex data. It turned to Microsoft Security solutions, underwriting data transfer with Microsoft Azure and Microsoft Defender for Cloud Apps. It uses Microsoft Purview Data Loss Prevention to prevent sensitive data exfiltration while also lifting effectiveness for its IT teams and data scientists.
Protecting data in flight is more difficult than data at rest. We adopted Microsoft Purview Data Loss Prevention because we’re hyper-focused on helping secure data end to end.
Kiran Ramineni: Vice President of Single-Family Architecture and Cloud, Data, AI/ML, and Infrastructure Architecture, Fannie Mae
Fannie Mae is a government-sponsored enterprise (GSE) created in 1938 during the Great Depression to provide a reliable source of mortgage financing. Today, Fannie Mae’s mission is to facilitate equitable and sustainable access to homeownership and quality affordable rental housing across the United States.
Fannie Mae neither originates mortgage loans nor lends money directly to consumers. As a leading source of financing for mortgages in the United States, Fannie Mae purchases mortgages from lenders and helps facilitate the flow of capital into the housing market by issuing and guaranteeing mortgage-related securities. Fannie Mae’s work helps to promote the 30-year, fixed-rate mortgage—a mainstay of the US mortgage financing market.
In 2021, the company provided $1.4 trillion in liquidity to the mortgage market, which enabled the financing of approximately 5.5 million home purchases, refinancing, and rental units. From the onset of the COVID-19 pandemic through December 31, 2021, Fannie Mae initiated more than 1.4 million single-family forbearance plans to help borrowers by temporarily suspending their monthly mortgage payments.
“A core part of our mission is to provide affordable housing,” says Ron Hulen, Principal of Digital Workplace and Technology Services at Fannie Mae. “We’re also proud to have helped families who couldn’t make their loan payments because of the COVID-19 crisis. As of December 2021, approximately 1.3 million homeowners have exited forbearance plans.”
That success wouldn’t be possible without Fannie Mae’s insistence on working to secure the personally identifiable information (PII) it manages, in-depth analysis of market trends by its data science team, and superior productivity. Fannie Mae achieves all of this with Microsoft Security solutions.
Helping protect a matrix of sensitive data
The company’s objective was to create a trust model that helps protect its data and environment from internal and external risks in pace with the evolving cybersecurity space. It turned to classification features within Microsoft Purview Data Loss Prevention as its cloud-native solution to cohesively govern its SharePoint in Microsoft 365, Office 365, and cloud application data. It adds Microsoft Defender for Cloud to fortify its multicloud environment with detailed compliance recommendations.
“When I thought of security posture, it was exciting for me to consider how I could provide users with all the capabilities and maintain our board’s desire to lower risk,” recalls Hulen.
Protecting sensitive loan applicant PII is top priority.
“We take a Zero Trust approach, from the way we’ve designed our network to how we access endpoints,” explains Hulen.
“Helping to ensure containment is paramount, and that means understanding how data is used within the company to help prevent data exfiltration.”
Fannie Mae needed a data loss prevention solution that answers all its stringent security requirements while also facilitating compliance with a host of housing industry and other regulations, including those of the Federal Housing Administration (FHA).
Having enjoyed a long relationship with Microsoft, Fannie Mae decided to make full use of the data protection and governance solutions in its Microsoft 365 E5 license. “Protecting data in flight is more difficult than data at rest,” says Kiran Ramineni, Vice President of Single-Family Architecture and Cloud, Data, AI/ML, and Infrastructure Architecture at Fannie Mae.
Understanding what is happening with all of its data and how that data could be used is paramount to Fannie Mae’s ability to build trust with its customers. “We adopted Microsoft Purview Data Loss Prevention because we’re hyper-focused on helping secure data end to end,” he adds.
Building protection with a unified platform and multicloud environment
Fannie Mae aspires to the maximum possible cloud-native footprint. Cloud-native applications and technologies are designed to optimize the scalability and agility of the cloud. Prior to its Microsoft Purview rollout in late 2021, Fannie Mae had optimized a range of Microsoft solutions, such as the Windows 10 operating system, Microsoft 365, and Azure.
In addition to its Azure-based workloads, the company uses two other major cloud providers—Amazon Web Services (AWS) and Google Cloud Platform. While AWS is its primary cloud solution, Fannie Mae relies on Azure to control data movement and security. “We maintain the service in Azure, which offers the network control we need to maintain segmentation as the data moves from endpoint to endpoint,” says Ramineni.
“Because we use cloud-native Azure and cloud-native Microsoft Defender for Cloud, we gain detection controls that prevent sensitive data from being exfiltrated or exported.” Fannie Mae’s on-premises environment is also connected to Defender for Cloud.
Microsegmentation—dividing the cloud environment and on-premises infrastructure into granular segments, even to the individual workload—is a crucial part of the company’s security strategy. “The beauty of the microsegmentation approach with our footprint in Azure is that we can segment for any of our clouds or on-premises to exactly a specific database,” says Hulen, illustrating the way that Fannie Mae unites Microsoft cloud technologies with Microsoft Purview Data Loss Prevention.
“We can grant access only to the production environment within a certain sensitive area of data containment yet enable access to the test and development acceptance areas when that user is outside the containment area. It’s that granular.”
Finally, Fannie Mae adds Microsoft Defender for Cloud Apps to strengthen the company’s safety net by connecting it with Fannie Mae’s Microsoft 365 productivity apps. “We began by using Defender for Cloud Apps to tag our content,” says Ramineni. “We expanded that approach throughout the enterprise, also tagging our other datasets with the systems.”
Fannie Mae employees store data in OneDrive, collaborating on that data via SharePoint. “We stand up Defender for Cloud Apps in front of OneDrive,” says Hulen. “That’s a big win for us because we use OneDrive so extensively.”
Fencing malicious actors out without fencing data scientists in
Fannie Mae effectively threads the needle of helping protect its data without slowing its productivity and innovation. “One of our biggest data loss prevention challenges is how to comply with regulations and protect sensitive data while helping ensure that our data scientists can extract non-sensitive information from the secure environment, then share it with internal and external entities,” explains Terry Herring, PhD, Vice President of Digital Workplace and Technology Services at Fannie Mae.
He developed a series of personas that Hulen and Ramineni used to define data access for Fannie Mae employees. The data scientist persona challenged the team to safeguard data without impeding data scientist productivity. “We use Microsoft Purview Data Loss Prevention as our key tool to provide containment for data scientists where they can more safely explore information, conducting modeling or analysis,” says Ramineni.
Hulen lauds Fannie Mae’s new capabilities and the seamless interplay between Microsoft Purview Data Loss Prevention and Microsoft 365 productivity apps like OneDrive. Data scientists can access queries they have on OneDrive to work with sensitive data, according to Hulen. The tool is designed to block data that contains PII from being moved back to the user’s OneDrive folders, but it allows non-PII data to go back to shared folders.
“Merging Microsoft Purview Data Loss Prevention and Defender for Cloud Apps with our Microsoft 365 apps gives us both sides of the coin,” he says. “We make it easy for data scientists to do their work, be more productive, and collaborate as necessary with those who are outside of the containment environment, and yet, we help keep data secure.”
The company also appreciates the productivity boost for its IT teams.
“We couldn’t have achieved this level of security, efficiency, and cost-effectiveness with a non-cloud-native solution,” insists Ramineni. “We would have had to deploy several agents and tools on top of the infrastructure, making it far more difficult to manage.”
Planning for a dynamic future
After the company has completely transitioned to the cloud, it looks forward to deepening its security infrastructure. “Microsoft Purview Information Protection is an important next step for us,” says Hulen. “We’ll expand the scope of our security controls across all of our documents, not just those within a secure environment.” He envisions a simple-to-use but extensive process of assessing numerous layers of requirements that will provide customized protection for every type of document—possibly with documents containing PII in one environment and those without in a less strictly controlled environment.
Fannie Mae is gratified by its gains to date but isn’t resting on its laurels. “Being cloud native is our key tenet as we plan our environment,” Hulen explains. “If we tried to replicate the same proactive data controls using a non-cloud-native technology, we would need to deploy several agents and tools on top of the image, complicating management and incurring more CPU load.” He contrasts that scenario with Fannie Mae’s unfolding strategy.
“Our vision is to inject cloud capabilities natively into our applications with the capabilities we get with Azure. That’s how we’re realizing the value of our investment in these technologies.”
Fannie Mae’s commitment to the solution will support its cloud-native transformation in the future.
“Our key tenet with our customers, regulators, and ourselves is to maintain a very low-risk posture,” concludes Ramineni. “So, we work to evolve as the threat landscape evolves, defending our environment from internal and external actors. The best security is never done.”