Our marketing department asked me to do an interview on Securing the Modern Workplace and I’ve actually been planning to do a short training and awareness session inside the company on securing cloud resources. I thus decided to take a (temporary) break from my series on WordPress on Azure PaaS and use this blog to prepare for the interview and the training session. As I was writing this article I realised I cannot really do the topic justice in one, short article. Today I will thus spend some time sketching the background and explaining the various solutions at high level and in 5 separate future articles (when I get the time) I will do a further deep-dive into each of the individual solution areas for those wanting more details.
Today we look at how you can secure the Modern Workplace using Microsoft 365.
Modern IT Management faces a number of challenges due to a rapidly changing landscape and IT is no longer just a cost center but is expected to add real, tangible business value to the company. IT mangers should be focusing on how to help the business benefit from technology advancements, rather than spending large amounts of time on rather basic needs such as providing users with a secure desktop and standard office automation facilities. Both business and end users have further come to expect a quick, friendly and out of the box experience, leveraging self-service capabilities and allowing them to work anywhere and on any device. Business however has also come to expect an ever decreasing TCO and the agility to light up new cloud services quickly, as and when business needs arise. For many IT managers this has become a complex juggling act or even a complete nightmare.
Traditionally, the workplace was concentrated around office locations and datacenters. Devices were configured and deployed by IT, everything was locked down with the message “you will use this device only like IT tells you to” (I know, I was also guilty as an IT manager pre-2000) and things were physically safeguarded by requiring devices to either be on premise or to connect to the on premise physical location by means of VPN or some form of Server Based Computing (e.g. Terminal Server, Citrix XenApp etc). Security was mainly at the perimeter, i.e. when you’re on site, at the office, you’re “inside” the perimeter and can be trusted and when you’re working remotely you’re “outside” the perimeter and thus not trusted until you manage to get inside the perimeter somehow. In short, IT had to be a police department that not only keeps out the bad guys but also constantly police their own citizens.
With Cloud Computing, things have changed. Your applications are no longer in one datacenter but in multiple datacenters simultaneously and the applications are not only used by you only but the underlying platforms and services are shared with many other customers using the same SaaS solutions. Users have also become more mobile and expect to be able to work safely “anywhere” and “at any time“. They further want to be able to quickly and effortlessly share data with others and securely collaborate around this data. Devices are no longer limited to one, centrally manged device only but users tend to roam across devices, from their corporate desktop, to a laptop, to a smartphone, to a tablet and to a web browser on some random (unsecured) machine. This means the “perimeter” as we know it has disappeared and securing your environment can no longer be achieved by locking down the perimeter.
To compound this problem, the amount of data produced and consumed has exploded and IT can no longer have every single piece of data first pass though their own hands before users are allowed to consume it. Employees, Customers, Partners, Distributors, Suppliers and Devices want of often need access to your data. Perimeter based security just does not cut in any more.
We need a new approach; and Microsoft 365 has the answer.
Microsoft’s Modern Workplace solution, Microsoft 365 consists of Windows 10 Enterprise, Microsoft Enterprise Mobility and Security and Office 365 Enterprise and helps you solve this complex puzzle by providing your users with in integrated security solution across all the components of a Modern Workplace environment.
Security is about TRUST and to know you are secure, you need to be able to trust five elements, namely:
A trusted USER,
A TRUSTED USER means you can be 100% sure, without any doubt, that it really is your employee using his or her own login credentials and that they have not been compromised somehow to allow use of their credentials by a third party.
Azure Active Directory (“AAD”) Premium is used as Identity and Access Management (“IAM“) layer in the Microsoft Cloud, employing tools such as Risked Based Conditional Access, Multi Factor Authentication and Mobile Device and Application Management integration. AAD further integrates with the Microsoft Intelligent Security Graph in order to dynamically detect unusual usage patterns (like impossible travel), enable Breach Replay prevention, and much more.
AAD Premium, if you follow best practices, is MORE SECURE than your complex, multi-server, load balanced, highly redundant, reverse proxied, GEO redundant ADFS deploymeet on premise … but more on that later.
AAD, as IAM “front door” service is further deeply integrated with all other layers of Microsoft 365, including Intune Mobile Device Management (trusted device) and Mobile Application Management (trusted app), and into backend services such as SharePoint and OneDrive by triggering the enforcement of “App Enforced Restrictions“, where AAD for example, requests SharePoint to limit the user’s possibilities (like preventing download of documents to the device) to limit risk and exposure.
When you use AAD in conjunction with Windows 10, you can take another huge step forward in securing your environment by going completely password less and using Windows Hello for login. This allows you to unlock your device using a DEVICE SPECIFIC PIN and Bio Metrics (e.g. Facial Recognition or Fingerprint) and even dynamically lock your device automatically when you walk away). I won’t go into the details here (maybe in a future post. HERE is an explanation of why and how a device pin is more secure than a passwords for you to read in the mean time). In short, if your PIN is stolen an attacker potentially has access to that one, specific device ONLY (which we can of course revoke remotely) but your account password is still not compromised and it still cannot be used to steal your identity online.
In addition to your own users, TRUSTED USERS also means you need to be able to trust external suppliers, partners and eventually your customers/consumers. AAD B2B and B2C provide the same rich set of security tooling to secure external access from these users as it does for your own, internal employees. Lastly you also need to take your own responsibility in ensuring your partners can TRUST YOU. In order words by ensuring your users’ identities are secure, you are also helping you customers and partners.
For more complex environments, Azure Advanced Threat Protection provides integration with your on-premise Active Directory to Analyse Threat Intelligence both from the cloud and on-premises and protect user identities and credentials stored in Active Directory
on a trusted DEVICE,
Windows 10 Enterprise, as part of Microsoft 365, is more than just and Operating System but provides a full-stack, secure, cloud-enabled and cloud-serviced working environment. Windows 10 is firstly integrated with AAD, meaning you take your authentication and authorisation services with you, anywhere and any time. AAD subsequently ensures Intune MDM is automatically installed on your device and MAM polices are automatically applied. This allows both your device and your applications to be configured and managed from the cloud and fully integrates with your AAD front door service to ensure AAD is aware of the compliance state of the device before allowing access to your organisation and data. This means you can provide users with a secure, centrally manged and compliant device from the cloud ONLY, without needing any complex on-premise tooling such as AD and SCCM.
Windows 10 Enterprise has gone much further than just securing your cloud apps however. Security has been built into all areas, with a section of key features being:
- GO PASSWORD LESS! Windows Hello, which we discussed briefly in the previous section,
- Secure Boot and BitLocker (cloud managed of course, with no on premise tooling needed),
- Device Guard, which prevents Malware from running (and supplemented by AppLocker if you really need it),
- Windows Defender Credential Guard, which ensures your credentials are secure (where you have not yet fully integrated your apps with AAD, at which point you no longer actually need those credentials),
- Windows Update for Business, which keeps your device up to date from the cloud, without any on premise tooling required,
- Windows Defender Advanced Threat Protection. Defender ATP deserves an entire article on it’s own as it is not just an anti-malware app but is an extremely sophisticated security suite, built into Windows 10, bringing datacenter ops like tooling to each and every individual device. In short it provides:
- Protection against emerging threats and zero-day attacks,
- Detection of behavioural differences (i.e. “this is not normal for this user”),
- Attack surface reduction (the smaller the target the hard it is to hit),
- Auto investigation and remediation,
- Agent less, up-to-date operation (built into Windows 10 and updated automatically from the cloud),
- Integration into AAD, Intune and the Microsoft Intelligent Security Graph for full cloud management and centralised reporting and alerting.
- If you really need to run Hybrid (why?) and need an on-premise footprint, Defender ATP is integrated with Azure Advanced Threat Protection for centralised governance and control, integrated into your on-premise Active Directory.
Of course this story is not only about Windows. In a typical environment we need to support both Windows and MacOS devices, as well as mobile devices running iOS and Android. The same management solution we employ for Windows, namely Intune, also supports these third-party desktop and mobile operating systems. As we can expect from Microsoft, this remains integrated with other services like AAD and is fully cloud manged.
I will not go into a full explanation of what Intune can do for you here but some key features include:
- Automatic device COMPLIANCE, with enforcement of security policy, for example by enabling storage encryption, startup password, unlock PIN, auto device lock and remote wipe of corporate data when needed;
- Automatic INSTALLATION and configuration of corporate software (now also supports Win32 apps!), ensuring software is kept up to date, and a company portal where users can find additional apps using self-service;
- Automatic device CONFIGURATION, for example setting Wi-Fi profiles, SSL certificates, VPN profiles and more.
By ensuring your users use TRUSTED DEVICES you can ensure security and compliance is guaranteed while still providing your users optimal freedom to do their work when, where and more importantly how they feel comfortable.
using a trusted APP,
Even if your user’s identity has been proven to not be compromised and your device is optimally secure, you still want to be sure the applications themselves stick to the rules you set down in terms of what is allowed and what should not be done with your data. This is where Intune MAM and MAM-WE come in.
Intune MAM is used to configure your applications on MDM manged devices using APP PROVISIONING policies. However more importantly is ensuring that APP PROTECTION policies are applied, which governs what an app is allowed to do and how apps are allowed to of blocked from interacting with other apps and with the device itself. These policies can be applied to both managed (MDM) or unmanaged (e.g. BYOD) devices, in the latter case by making use of Mobile Application Management “Without Enrolment” (“MAM-WE”). As you don’t actually mange the device itself in a BYOD scenario, Microsoft has built the management layer into each of their individual applications themselves. This means that we can guarantee the same level of (AAD integrated) compliance withing the apps themselves as we do with fully managed devices, including:
- Ensuring data is stored on protected, encrypted storage which can be wiped remotely when needed and ensuring your data can only be stored in allowed, trusted locations (for example by preventing a managed app to store corporate data on the unmanaged local device storage, on Google Drive, or email it via a personal unmanaged emails account or pasting it into an unmanaged notes app. This could (should) also include preventing the users from backing up corporate data to iCloud, Samsung, Google etc. during phone backup),
- Access to applications is secured by requiring a PIN or Bio Metrics on the application ITSELF if the device does not yet have one,
- Ensuring apps on the device can interact safely, by blocking any interaction between personal and corporate apps that may compromise security,
- Ensuring only apps that can be guaranteed to adhere to your Information Protection polices, for example honouring (screen-) printing, external sharing or forwarding restrictions.
If you can TRUST THE APP, it means you can trust the data in the app and ensure the backend platform is not compromised when the app connects to it. Microsoft Cloud Apps are built with a cloud-first mindset meaning they remain secure and up to date independently of any legacy, on-premise environments you may still be running. Microsoft “trusted apps” are available for Windows, MacOS, iOS and Android.
connecting to a trusted PLATFORM (or server, or back-end application),
Microsoft 365 and Dynamics 365 are built on trust and with security and compliance playing a key role. Backend platforms have been architected in such a way to allow the control you need, both at the access layer, by integrating AAD Conditional Access and on the endpoint by integrating into the Client Applications (such as Office ProPlus) used to access the platform.
Once a user, device and/or client app have been “proven”, you want the platform itself to ensure your data is treated in a secure and compliant manner. Some of the capabilities of Microsoft 365 in this area include:
- Built-in data classification, labelling, retention (yes, you do have long term data retention, despite what the third-party backup vendors tell you!) and DLP. With Microsoft Information Protection this is fully integrated, right from the front-door AAD user access, through to the Intune manged device and app, to the Office 365 platform and right into the document itself. This includes both manual, user-defined classification as well as automated classification based on contents … more on this in the next section.
- Built-in extensive sharing controls and app enforced restrictions, allowing you to provide just the right level of access depending on the situation, from sharing a file with employees for co-authoring to sharing read-only access to external (ad-hoc, B2B and B2C) users, with the data itself never actually leaving the platform. The integration with AAD goes as far as limiting users to only opening and reading documents in Office Online, preventing local processing or downloading on an unmanaged device or app, preventing printing, sharing, screen capturing and copy-paste if you need to make sensitive data accessible to external users but need to retain control. This also includes preventing sharing when documents are either marked as “internal only” or contain predefined sensitive information types.
- Built-in document encryption. This includes both encrypting an entire SharePoint document library at reat and encrypting an individual, sensitive document the moment it leaves the SharePoint platform. This further includes automatic message encryption of emails or email attachments, again either based on a label applied by the end user or based on automatically detected contents. As with sharing, this also includes preventing documents from being downloaded or emailed if prohibited by it’s sensitivity label or contents. This “platform-driven” encryption, SharePoint Information Rights Management (“IRM”) is not to be confused with document encryption living with the document itself, independent of the platform, which we will look at in the next section.
- As Dynamics 365 makes use AAD for authentication and Office 365 for document storage and messaging, it automatically also benefits from all these security and compliance benefits.
These features are all good and well for Office 365 and Dynamics 365, but what if you need to make of third-party SaaS or Web Applications, or traditional on-premise web based systems (like an on-premise SharePoint site or HR portal)?
Apart from the USER, DEVICE and APP controls mentioned above being applicable to ALL your Web and SaaS Apps, Microsoft 365 provides Microsoft Cloud App Security (“MCAS”). MCAS lets you discover and assess risks (by analysing your firewall logs, proxy logs, end endpoint logs from Windows Defender ATP) and subsequently protect ALL your cloud and web apps by proxying all traffic via the MACS service. MCAS is capable of exercising the same tight control over accessing, storing, downloading, forwarding or otherwise processing your sensitive data as you get integrated in all Microsoft Cloud platforms. This means if you make use of, for example, Salesforce, Box or Gmail, the same rules you defined in the preceding security layers (AAD Identity and CA, Device, App and Platform) for Microsoft applications, are applied to accessing and working within Salesforce. If either sensitive content or untrusted access is detected, MCAS can intervene and prevent, for example, downloading a document to an unmanaged endpoint, or prevent forwarding an “internal only” document to an external recipient.
If you only had MCAS when your employee opened that Crypto Locker infected PDF from his personal Gmail on his work device… ALL MCAS functionality in included in Microsoft 365 (E5).
consuming trusted DATA, even after it leaves your own organisation.
Sometimes having data trusted only while on the platform just is not enough. Sometimes you may even need to protect that data from the platform itself. Think of cases where your information is top secret, of where you want to send moderately sensitive information to an external, third-party but they really need the flexibility of working with it on their own local devices, not managed by your security stack and thus not stored in your “trusted platform”. In such a case you need security to be built into and live with the document itself.
To protect your data independently of all other factors, Microsoft 365 provides Microsoft Information Protection (“MIP”). MIP has evolved from thee existing, mature protection platforms, namely Office 365 Information Protection (targeted specifically at Office 365), Windows Information Protection (targeted specifically at your devices) and Azure Information Protection (protecting your datacenter operations and on-premise workloads). The recently launched, integrated MIP solution allows you to:
- Discover and label sensitive information, either manually or automatically.
- Apply and ENFORCE usage restrictions on the document itself, such as “do not print”, “internal use only” or “do not forward”.
- Encrypt documents at rest, irrespective of the storage location (e.g. Office 365, user device, file server or third party application) and the medium (e.g. cloud storage, local hard disk, USB disk or in an email).
- Monitor and optionally REVOKE document usage, even when the document has left your environment, platform, devices and users. This is done by requiring a decryption key to be requested when the document is opened. This allows you to know when and by whom the external document is opened and revoke access if the external party no longer needs access, rendering the encrypted document unusable.
- MIP supports not only Microsoft document formats but also provides support for text files, images, Adobe document formats, CAD drawings and more. If you develop your own software, Microsoft allows you to extend MIP to your own app as well!
While I am a firm believer in securing data at the source, and thus “at rest” (i.e. securing the PLATFORM where the data is stored), this only brings you halfway as you very often need to store data on your local device, either for performance or offline use, or to enable processing the data with local applications. You further need to share data with other parties, often outside your organisation, meaning the data leaves your secured platform. Requiring them to come to your system and viewing the data there, without it leaving your servers is not always realistic; they often need a copy they can use in their own environment or on their own devices. We thus need protection across the entire life cycle or our data; user, device, app, platform and data itself. Take care of these 5 trust elements by deploying Microsoft 365 and you have a huge advantage over the attackers out there.
One last thought: Microsoft 365 is available in two versions, E3 and E5. Many of the more advanced and especially the machine learning assisted features require the E5 version. Some E5 specific security features include: Identity Protection, adding Risk evaluation to Conditional Access, Privileged Identity Management, Cloud App Security and Automatic Classification of documents. In addition, you receive Office 365 Advanced Threat Protection, Windows Defender Advanced Threat Protection and Azure Advanced Threat Protection (for which you now probably buy expensive third-party software).
If you consider the fact that Office 365 E5 provides a COMPLETE solution (all YOU need to add is your business software like ERP and CRM (Dynamics 365) and maybe some industry specific apps built on Azure PaaS services), I am convinced you will find that the TCO of Microsoft 365 is LOWER than any existing on-premise solution. If you further look at the added value of Microsoft 365 over more traditional solutions, the RIO is just simply amazing. Microsoft is really giving you value for money here!
Through the course of the next 5 articles we will be looking into each of the 5 elements listed in this article in more details, so stay tuned.
- PART 1: (this article), Introduction to Microsoft 365,
- PART 2: Ensuring you have TRUSTED USERS,
- (coming soon) PART 3: Ensuring your users use TRUSTED DEVICES,
- (coming soon) PART 4: Ensuring only TRUSTED APPS can access your data,
- (coming soon) PART 5: Making sure you have a TRUSTED PLATFORM,
- (coming soon) PART 6: Ensuring TRUSTED DATA, independents of any other factors.
* All slides used in this article are property of Microsoft, mostly from different deep-dive sessions at Ignite.