How to Protect Identity, Devices and Content in the Cloud with Enterprise Mobility + Security (EM+S)

Introduction

The proliferation of mobile devices in the workplace has meant employees are able to boost productivity by working on the go, anywhere, any time, and workers often want to use their own laptops, tablets and smartphones to do it.

But what are the pitfalls for organisations, and how can they be overcome?

With data often referred to as “the new oil”, protecting company and consumer data is of the highest importance. Data can enable a company to thrive. Put it at risk, and business could suffer untold damage to both finances and reputation.

It’s also crucial that companies execute a sound app strategy, as well as find a way to keep communications compliant and consistent across any channel.

This eBook explains how organisations can fully manage their expanding number of mobile devices in a secure fashion, using the new Microsoft Enterprise Mobility + Security (EM+S).

The three key pillars of EM+S are:

• Identity protection
• Device protection
• Content protection

Traditionally, identity, device and content protection was provisioned via software that ran inside an organisation. This was a satisfactory solution when identities, devices and information were also largely held inside the organisation.

But today employees take their mobile devices everywhere, and those devices are used to access both on-premise and software-as-a-service (SaaS) applications. These employees also want access to custom applications running on cloud platforms, such as Amazon Web Services (AWS). And they want to do all this from their Windows 10, iOS and Android devices.

This is a cloud-centric, device-centric world, and the modern workforce expects this easy, convenient access – and on-premise solutions for identity, device and information management cannot effectively address the new way of working. Microsoft says the control plane for all these services needs to move from an organisation’s own data centre to the cloud. Doing this with Microsoft EM+S enables provision of everything users expect, while organisations retain the protection and control they need.

EM+S includes Azure Active Directory Premium, Azure Rights Management, Microsoft Intune, and Advanced Threat Analytics to provide organisations with cost-effective, comprehensive security for users, devices, applications, and data.

Enterprise Mobility + Security

The EM+S suite is organised into four pillars (identity and access management, managed mobile productivity, information protection, and identity-driven security) across two tiers:

EMS E5
• Identity and access management: Azure Active Directory Premium P2 – identity and access management with advanced protection for users and privileged identities (includes all capabilities in P1)
• Information protection: Azure Information Protection Premium P2 – intelligent classification and encryption for files shared inside and outside your organization (includes all capabilities in P1)
• Identity-driven security: Microsoft Cloud App Security – enterprise-grade visibility, control, and protection for your cloud applications

EMS E3
• Identity and access management: Azure Active Directory Premium P1 – secure single sign-on to cloud and on-premises apps; MFA, conditional access, and advanced security reporting
• Managed mobile productivity: Microsoft Intune – mobile device and app management to protect corporate apps and data on any device
• Information protection: Azure Information Protection Premium P1 – encryption for all files and emails across cloud and on-premises storage locations; cloud-based file tracking
• Identity-driven security: Microsoft Advanced Threat Analytics – protection from advanced targeted attacks leveraging user and entity behavioural analytics

Identity Management

As part of an efficient identity access management (IAM) platform, organisations should be able to choose and deploy single sign-on systems, to allow staff to use a single set of security steps for multiple gadgets, and to make secure mobile working an easier experience.

Most users want single sign-on (SSO) for multiple applications – few like having to remember a number of sign-on names and passwords – and so organisations have long been using on-premise identity management technologies such as Microsoft Active Directory.

However, with the increasing popularity of SaaS applications, relying on identity management on-premise is no longer enough. To provide SSO, an on-premise technology, such as Active Directory, has to connect to each of the applications users wish to access.

If all these applications are in an organisation’s own data centre, that’s easy, as each application connects to its local instance of Active Directory. But, as more applications move to the cloud, problems arise. If every SaaS application connects directly to every enterprise’s on-premise identity management technology, it becomes difficult to manage.

A more effective approach is to use a cloud solution for identity management. Azure Active Directory (AD) Premium is part of Microsoft EM+S. With this solution, an on-premise directory service is still essential, but now connects only to Azure AD. Azure AD then connects directly to each SaaS application, reducing the chaos.

Users’ identities can still come from the owned directory service – the business is still in control – but, by exploiting the power of the cloud, users have easy access to both local and SaaS applications with a single sign-on. Life is better for users and simpler for IT administrators.

Azure AD currently provides SSO to more than 2,000 cloud applications, including Office 365, Salesforce.com, Dropbox, Workday and ServiceNow.

Device Protection

Compromised Devices

The number of enterprises with compromised mobile devices grew by 42 percent in the fourth quarter of 2015, according to mobile management firm MobileIron. The company reports in its Q4 2015 Mobile Security and Risk Review that one in ten enterprises have at least one compromised mobile device on their network.

MobileIron uncovered numerous variants of anti-detection tools that hide that a device is compromised, creating a “false sense of security” at companies. The study also found that more than half of enterprises have at least one non-compliant device, including devices with PIN protection disabled, or devices that lack up-to-date security policies. MobileIron says that less than 10 percent of companies enforce device patching, while more than 95 percent of companies have no protection against mobile malware.

“A single compromised device can introduce malware into the corporate network or enable the theft of sensitive corporate data that resides behind the firewall. Whether a company loses millions of records or just one record it’s still a breach. For all companies, but particularly ones in highly regulated industries, this is a huge problem.” – Michael Raggo, Director, MobileIron Security Labs

Key to an efficient and secure mobile strategy is a comprehensive mobile device management (MDM) and mobile app management (MAM) solution. Essential features in any system include the ability for corporate administrators to remotely configure, manage and secure devices.

With remote configuration, administrators can set up email accounts on multiple devices without individual users having to come into the office for it to be done. The team responsible for IT should be able to do it all with a few clicks of a mouse, without bothering staff in the field or affecting productivity.


Administrators should also have full control over corporate email, without affecting the user’s personal emails. The system should allow companies to remotely delete all corporate emails and other business data when an employee leaves the company – again, without them having to come into the office with the relevant device/s. Companies should have the ability to do the same when that device is lost or stolen.

And companies must have the power to ensure all devices adhere to company security policies. Enforcing corporate password policies and pushing out policies across all devices on the network should be simple. For example, admin managers should be able to set the minimum password length, the time lapse before the device auto-locks, and a maximum number of failed password attempts.

What Chief Information Security Officers care about

Top questions for a CISO: Will cloud computing meet my specific needs? Where is my data, who has access, and what level of control will I have over the data?

Securing productivity: CISOs have responsibility for personnel, physical assets, and information in both physical and digital form. CISOs are often responsible for all the layers of an organisation’s technology stack (network, application, mobile, and data security).

Agile management: the changing landscape of today’s enterprise means that potential exposure points are growing exponentially, thereby posing new and more complex security challenges. Gaining control and focusing on cybersecurity is an imperative. CISOs:
• Need greater insight into cybersecurity threats.
• Need to demonstrate to the larger C-suite how vital it is to properly secure the network and illustrate the importance of effective cybersecurity investments.
• Seek to understand the complexities that influence the true cost of security risks to business and how to determine the best security investments to protect the company’s assets.

Transparency: moving to the cloud requires trust. CISOs want to understand how Microsoft operates in the cloud, handles data, and responds to law enforcement demands. Being transparent builds trust.


Microsoft Intune

Mobile devices became popular well before the rise of cloud computing, and so traditional MDM and MAM solutions were run on-premise. As long as the remote applications accessed from these mobile devices also ran on-premises, that made sense. Today, however, these remote applications are at least as likely to run in the cloud, and if a company’s device management solution still runs on premise, communications between devices and applications commonly have to be routed through on-premise servers. This approach raises some obvious concerns, including those surrounding performance and scalability.

• Why limit the speed of interaction between devices and cloud applications to what an on-premise device management solution can handle?
• Why require internal IT to worry about scaling?

Moving device management—both MDM and MAM—to the cloud makes sense. With this approach, using EMS’s Intune, mobile devices receive policies through a cloud-based device management solution. Once these policies are in place, apps on the mobile devices can communicate directly with both on-premise and cloud applications. The on-premise bottleneck has gone.


Moving device management to the cloud has other benefits too. For example, rather than requiring organisations to run and manage their own servers and software for device management, Microsoft Intune does this.

Similarly, think about the challenge of updating the device management software. iOS, Android and Windows 10 are all updated frequently, often in ways that affect how those devices are managed, and which require updates to the device management software. With on-premise device management, MDM and MAM vendors must ship new patches to every customer, which takes time. Each customer must then install and test these patches, which requires more time. Multiply this by the number of different mobile operating systems supported, and the result is clear: a business will probably never be current, as Microsoft says.

With device management in the cloud these problems disappear. When a new version of iOS, for instance, rolls out, Microsoft itself updates Intune to support the changes this update brings. The business is always up to date, and need never worry about installing patches.

Microsoft Intune also provides the ability to remotely delete all corporate information from a user’s device while leaving personal data intact. This may have to be done, for example, when an employee leaves an organisation or if their device falls out of compliance.

Microsoft Intune is a unified endpoint management solution that supports management of mobile devices and desktop PCs from the same administrative environment. This relies on the tight integration Microsoft has created between Intune and Microsoft System Center Configuration Manager.

Content Protection

Who is allowed to access a document? What kind of access is permitted: reading, editing, or some other function? How can data be protected from birth, and that protection travel with the data wherever it goes?

Providing the ability to control the above was important even before the advent of mobile devices and cloud computing. But in a mobile-first, cloud-first world, with users and applications spread across the planet, it matters even more.

This style of information protection was traditionally provided by on-premise solutions. For example, Microsoft has offered what’s now called Active Directory Rights Management Service for a number of years. Yet addressing these access and content protection issues in today’s environment with an on-premise solution has limitations.

Suppose two organisations wish to share a protected document. Possibly, only a certain group of people in each company is allowed to read this document, so attempts to open it must be verified by an information protection service. On-premise information protection technology would require the setting up of a point-to-point relationship between the identity management solutions that the information protection technologies relied on.

With organisations reluctant to go to so much trouble to share documents via such an impractical process, sharing across organisational boundaries hasn’t been as secure as it should have been. With cloud solutions, however, cross-organisation sharing becomes easier and simpler.

Chief Information Security Officer conversation starter

A suggested conversation starter with CISOs: focus on the business challenges around managed mobile productivity and security.

1. Understand the needs of the customer and concerns about BYOD/mobility. Depending on the industry, CISOs will have differing types of assets to be secured.
2. Address the challenge of identity and unstructured data security in a cloud and mobile-first world. EM+S is a good starting point to help simplify conversations.
3. Help shift the security conversation to a business conversation. CISOs need to be able to translate the importance of security into business terms, and make security part of the broader business strategy.
4. Make it real with customer stories. Demonstrate awareness of the challenges unique to the CISO role/industry.
5. Keep the messaging strategic.
• Talk about solutions, not products
• Identify the problem, walk through the solution
• Refer to protecting the “security of users and data”, for example, improving the “security footprint” and plugging “gaps”.


The two organisations are no longer required to set up direct connections between each other. Instead, they each connect just once to the cloud services Azure AD and Azure Rights Management Service (RMS), part of Microsoft EM+S. No matter how many other organisations they might wish to share documents with, each organisation need only connect once to these cloud services.

Azure RMS provides other benefits, including support for custom policy templates, which enable the definition of policies for sharing protected documents. For example, an organisation might create a template that restricts access to a particular document to a marketing group. RMS also provides document tracking to monitor successful and unsuccessful access attempts by recipients of a protected document, giving document owners insight into how the document is used (or abused). It also provides the ability to revoke access to a document, and there is an option to encrypt documents using an organisation’s own key rather than one provided by Microsoft.


Azure Information Protection

In 2015 Microsoft acquired Secure Islands, a specialist in advanced information protection solutions.

Microsoft said at the time of the deal: “To work effectively, organisations must share information with partners, vendors and customers. These realities make it more critical than ever to have solutions that prevent data loss and track information regardless of where it resides.”

Microsoft said the acquisition would “accelerate” its ability to help customers secure their business data “no matter where it is stored” – across on-premise systems, Microsoft cloud services like Azure and Office 365, third-party services, and any Windows, iOS or Android device. The technology would be used to provide a flexible architecture able to meet “the most rigorous protection and compliance requirements”, Microsoft said.

Secure Islands’ technology was added to the data protection capabilities of the Azure Rights Management Service, and the combined products are known as Azure Information Protection (AIP). AIP helps with the classification, labelling and protection of documents and emails shared outside an organisation. Documents are categorised according to sensitivity, manually by individual users, or automatically based on rules and conditions defined by nominated administrators – or via a combination of the two. (Controls are integrated into applications – including in-product notifications – so users can secure the data on which they’re working with a single click.) A business can, therefore, safely share data not only with co-workers, but with customers, partners and any third parties, determining who has access to the data, and what those with access can do with it. For example, restrictions could be defined to allow a document to be viewed and edited, but not printed or forwarded. In addition, the business’s IT team can monitor and track actions applied to shared data, and remove access rights if necessary.

Advanced Threat Analytics and Cloud App Security

Microsoft Advanced Threat Analytics (ATA) and Cloud App Security enable businesses to identify attackers within an organisation, detecting suspicious user and device activity via built-in intelligence and presenting threat information on a simple attack timeline. Using deep packet inspection technology, ATA analyses all Active Directory traffic and compiles relevant events from SIEM and other sources. ATA then automatically starts learning and profiling behaviour, looking for anomalies that raise a red flag. Set-up is simple, with no requirement to create rules, baselines or thresholds. Once suspicious activity is detected, an attack timeline discloses exactly what happened, and when.

The use of unapproved applications – ‘shadow IT’ – is commonplace. Microsoft puts the figure at an estimated 80 percent of employees using non-approved SaaS apps in their jobs (see the graphic on page 12). As a result, a business’s data could be at risk, with employees sharing files and putting sensitive company data outside company control.

Microsoft Cloud App Security is designed to help an organisation extend the visibility, auditing and control it has over on-premise applications to cloud applications. Cloud App Security addresses the issue by identifying any of a potential 13,000 cloud applications that could be running on a network, delivering risk scoring and ongoing assessment and analytics. In a simple process requiring no agents, since information is collected directly from firewalls and proxies, a business can see cloud and application use on its network.
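The agentless discovery described above works by reading existing firewall and proxy logs rather than installing anything on devices. As an added illustration (not Microsoft's code, catalogue or scoring), the Python below performs that kind of discovery over a constructed, simplified proxy log: it maps destination hosts to a small hypothetical app catalogue, aggregates users and upload volume per app, and flags unsanctioned high-risk apps as shadow IT. The log format, the catalogue entries and the risk scores are all assumptions made for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed, simplified proxy log format: timestamp user method url bytes_out.
# Real firewall/proxy exports have their own fields; this is a hypothetical stand-in.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) https?://(?P<host>[^/\s:]+)\S* (?P<bytes>\d+)$"
)

# Constructed catalogue (illustrative names/risk scores, not Microsoft's): suffix -> (name, risk 1-10, sanctioned?)
APP_CATALOGUE = {
    "office.com": ("Office 365", 1, True),
    "salesforce.com": ("Salesforce", 2, True),
    "dropbox.com": ("Dropbox", 5, False),
    "filesharing-example.net": ("Example file share", 9, False),
}

@dataclass
class AppUsage:
    name: str
    risk: int
    sanctioned: bool
    users: set = field(default_factory=set)
    requests: int = 0
    bytes_uploaded: int = 0

def lookup_app(host):
    """Match a host to a catalogue entry by domain suffix; None if unknown."""
    for suffix, entry in APP_CATALOGUE.items():
        if host == suffix or host.endswith("." + suffix):
            return entry
    return None

def discover_cloud_apps(log_lines):
    """Aggregate per-app usage (users, requests, upload volume) from proxy logs."""
    usage = {}
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip it rather than abort the whole run
        entry = lookup_app(m["host"])
        if entry is None:
            continue  # not a known cloud app (internal host, CDN, etc.)
        name, risk, sanctioned = entry
        app = usage.setdefault(name, AppUsage(name, risk, sanctioned))
        app.users.add(m["user"])
        app.requests += 1
        if m["method"] in ("POST", "PUT"):  # uploads are the data-leaving-the-company signal
            app.bytes_uploaded += int(m["bytes"])
    return usage

def shadow_it_report(usage, min_risk=5):
    """Unsanctioned apps at or above min_risk, highest risk and upload volume first."""
    flagged = [a for a in usage.values() if not a.sanctioned and a.risk >= min_risk]
    return sorted(flagged, key=lambda a: (-a.risk, -a.bytes_uploaded))

# Constructed sample traffic, including one malformed line.
SAMPLE_LOG = [
    "2016-03-01T09:00:01Z alice GET https://outlook.office.com/mail 512",
    "2016-03-01T09:00:05Z bob POST https://www.dropbox.com/upload 1048576",
    "2016-03-01T09:01:10Z carol POST https://upload.filesharing-example.net/put 4194304",
    "2016-03-01T09:02:00Z bob GET https://na1.salesforce.com/home 2048",
    "2016-03-01T09:03:00Z dave PUT https://www.dropbox.com/upload 2097152",
    "garbage line that does not parse",
]
```

Calling `shadow_it_report(discover_cloud_apps(SAMPLE_LOG))` returns the two unsanctioned apps with the example file-sharing site first, because it carries the higher risk score.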

[Graphic on shadow IT usage. Source: Microsoft]

Conclusion

Mobile technology supports flexible working and helps to increase productivity, and workers often want to use their own devices for business purposes, which many companies allow. But whether work devices are supplied by the employee or the firm, in the face of widespread and increasing risks, organisations have to try harder to secure those devices. It’s imperative that these devices, and the numerous apps and content that are used with them, are managed and secured efficiently.

Microsoft says businesses continue to face challenges protecting data where information travels beyond the boundary of the corporate network, and across many devices outside company control. Cloud-based MDM and MAM products and services can play a major part in successfully delivering and supporting a secure mobile strategy for organisations, but companies must carefully go through the features offered by potential solutions to make sure they are fully covered.

Andrew Conway, Microsoft senior director, EM+S product marketing, says of the EM+S solution: “Securing productivity, collaboration and enterprise data is critically important as organisations digitally transform.” It’s also worth bearing in mind that the cost of EM+S is up to 50 percent less than that for stand-alone solutions from other vendors.

“Enterprise Mobility + Security provides an identity-driven security solution that offers a holistic approach to the security challenges in this mobile-first, cloud-first era,” continues Andrew Conway. “Our technologies not only help you protect your organisation but also identify breaches before they cause damage.”

Visit our website today at https://www.midirasolutions.co.uk or email us at [email protected]
