Best of Ignite: Identity & Access Management / EMS
Kay, [email protected], @kaysellenrode
Identity is the control plane
Identity System
On-premises / Private cloud
Password-less authentication (99.9%)
• Solves a lot of problems related to the use of passwords
• How passwords are used makes them inherently insecure (post-its, etc.)
• How passwords work makes them inherently insecure (pass-the-hash, man-in-the-middle, ...)
• Leverage “new” techniques (cryptography) to overcome the issues above
• Built-in MFA (what you have + confirmation thereof)
• Requires device registration (to secure the “what you have”)
• Microsoft Authenticator app
• Apple Watch
• Password-less authentication (Azure AD)
(some) (other) highlights
• Passwordless authentication + future thereof
• What’s new in Azure AD
• Conditional Access
• What’s new in AD FS
• What’s new for Azure Information Protection & OME
Governance is a journey, not a destination
• Identity lifecycle facilitates collaboration
• Access lifecycle provides seamless and efficient access
• Privileged access lifecycle addresses risks inherent in administration
Productivity and security:
• Identity: timely access to the right resources
• Access: the right people have the right access to resources
• Admin rights: the right controls that ensure secure productivity
Comprehensive Enterprise Mobility + Security capabilities
• Identity lifecycle: entitlement management, access requests, workflow
• Policy: Conditional Access, Identity Protection, entitlement access policies
• Access certification: recurring access reviews for group membership, app access, admin role assignments
• Fulfillment: automatic provisioning for groups, SaaS and on-premises apps (SCIM), SharePoint Online
• Password management: self-service password management
• Device management: Azure AD join, Intune, per-device terms of use
• UEBA and CASB: Azure ATP, Cloud App Security
• Data governance: Azure Information Protection
• Privileged access: time-limited and scoped access with Azure AD PIM (and Office 365 PAM)
Microsoft Threat Protection
1. Identities: validating, verifying and protecting both user and admin accounts
2. User data: evaluating email messages and documents for malicious content
3. Endpoints: protecting user devices and signals from sensors
4. Infrastructure: protecting servers, virtual machines, databases and networks across cloud and on-premises locations
5. Cloud apps: protecting SaaS applications and their associated data stores
Products in the picture: Azure Active Directory, Azure Advanced Threat Protection, Exchange Online Protection, Office Advanced Threat Protection, Office Threat Intelligence, Windows 10, Windows Defender Advanced Threat Protection, Microsoft Intune, Azure Security Center (SQL Server, Windows Server, Linux), Microsoft Cloud App Security
Azure AD conditional access
• Conditions: users, devices, location, apps, session risk
• Policies: real-time evaluation engine, machine learning (40TB), effective policy
• Controls: allow access, require MFA, limit access, force password reset, deny access
• Targets: on-premises apps, web apps
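The conditions / policies / controls model above is easiest to understand as a small rule engine. The following is an added example written for this page, not code from the deck or from Microsoft: the policy set, the sign-in records and the combination rules (a block wins; grant controls of all matching policies are ANDed; an unsatisfiable compliant-device requirement becomes a block) are constructed assumptions that mirror the controls on the slide.

```python
from dataclasses import dataclass

# Session risk levels in increasing order; the rank is used for "this risky or worse" matching.
RISK_RANK = {"low": 0, "medium": 1, "high": 2}


@dataclass(frozen=True)
class SignIn:
    """The condition signals for one sign-in attempt (constructed for this example)."""
    user: str
    groups: frozenset
    app: str
    country: str
    session_risk: str = "low"
    device_compliant: bool = False
    device_joined: bool = False
    legacy_protocol: bool = False


@dataclass(frozen=True)
class Policy:
    """One policy: every populated condition must match for its controls to apply."""
    name: str
    controls: frozenset                          # e.g. {"mfa"}, {"deny"}, {"compliant_device"}, {"limit"}
    apps: frozenset = frozenset()                # empty means all apps
    groups: frozenset = frozenset()              # empty means all users
    trusted_countries: frozenset = frozenset()   # policy applies only OUTSIDE these countries
    min_risk: str = "low"                        # applies at this session risk or higher
    legacy_only: bool = False                    # applies only to legacy-protocol sign-ins
    unmanaged_only: bool = False                 # applies only to devices neither compliant nor joined


def policy_applies(policy: Policy, s: SignIn) -> bool:
    if policy.apps and s.app not in policy.apps:
        return False
    if policy.groups and not (policy.groups & s.groups):
        return False
    if policy.trusted_countries and s.country in policy.trusted_countries:
        return False
    if RISK_RANK[s.session_risk] < RISK_RANK[policy.min_risk]:
        return False
    if policy.legacy_only and not s.legacy_protocol:
        return False
    if policy.unmanaged_only and (s.device_compliant or s.device_joined):
        return False
    return True


def evaluate(policies, s: SignIn) -> dict:
    """Combine all matching policies into one effective decision (assumed rules):
    a block from any policy wins; otherwise the grant controls of every matching
    policy are ANDed, and a compliant-device requirement the device cannot meet
    turns the result into a block."""
    matched = [p for p in policies if policy_applies(p, s)]
    required = set().union(*(p.controls for p in matched))
    names = [p.name for p in matched]
    if "deny" in required:
        return {"decision": "deny", "reason": "block policy matched", "controls": frozenset(), "matched": names}
    if "compliant_device" in required and not s.device_compliant:
        return {"decision": "deny", "reason": "device not compliant", "controls": frozenset(required), "matched": names}
    return {"decision": "allow", "reason": "", "controls": frozenset(required), "matched": names}


# Constructed policy set mirroring the controls listed on the slide.
POLICIES = (
    Policy("Block legacy authentication", frozenset({"deny"}), legacy_only=True),
    Policy("Require MFA for administrators", frozenset({"mfa"}), groups=frozenset({"Global Administrators"})),
    Policy("Require MFA from untrusted countries", frozenset({"mfa"}), trusted_countries=frozenset({"NL"})),
    Policy("High session risk: MFA and password reset", frozenset({"mfa", "password_reset"}), min_risk="high"),
    Policy("Exchange Online requires a compliant device", frozenset({"compliant_device"}), apps=frozenset({"Exchange Online"})),
    Policy("Limited access on unmanaged devices", frozenset({"limit"}), apps=frozenset({"SharePoint Online"}), unmanaged_only=True),
)

# Constructed sign-ins that exercise the engine.
ADMIN_FROM_OFFICE = SignIn("kay", frozenset({"Global Administrators"}), "SharePoint Online", "NL",
                           device_compliant=True, device_joined=True)
LEGACY_CLIENT = SignIn("bob", frozenset({"Staff"}), "Exchange Online", "NL",
                       device_compliant=True, legacy_protocol=True)
RISKY_ABROAD = SignIn("bob", frozenset({"Staff"}), "Exchange Online", "US",
                      session_risk="high", device_compliant=True)
BYOD_SHAREPOINT = SignIn("bob", frozenset({"Staff"}), "SharePoint Online", "NL")
BYOD_MAIL = SignIn("bob", frozenset({"Staff"}), "Exchange Online", "NL")

if __name__ == "__main__":
    for s in (ADMIN_FROM_OFFICE, LEGACY_CLIENT, RISKY_ABROAD, BYOD_SHAREPOINT, BYOD_MAIL):
        r = evaluate(POLICIES, s)
        print(f"{s.user:4} {s.app:17} {s.country} -> {r['decision']:5} {sorted(r['controls'])} {r['reason']}")
```

The point to notice is the aggregation: a risky sign-in from abroad to Exchange Online collects controls from three separate policies at once, and the BYOD sign-in to the same app is blocked even though no policy says "deny", because a compliant-device grant control cannot be satisfied.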
Microsoft Cloud App Security: Conditional Access App Control
Analyze session risk (Microsoft Azure Active Directory): check device compliance with Intune, check location, check user behavior, check user organization
Enforce relevant policies with Conditional Access App Control:
• Protect downloads from unmanaged devices with AIP
• Monitor and alert on actions when user activity is suspicious
• Enforce read-only mode in applications for partner (B2B) users
• Require MFA and define session timeouts for unfamiliar locations
BOX.US.CAS.MS
Cloud App Security integrates with:
• Azure Active Directory
• Azure Information Protection
• Microsoft Intune
to protect any app in your organization.
Native support for OATH tokens
• Allows you to use OATH tokens natively in Azure AD (no more requirement for AD FS)
• Great for situations where you cannot have a cell phone (more common than you would expect)
Windows Hello for Business
• Windows 10 v1803
  • Third-party management and certificate enrollment APIs
  • Wi-Fi support as a trusted signal for multifactor unlock
• Windows 10 v1809
  • Remote Desktop using biometrics
  • Password-less Azure AD join
  • Windows Hello security keys (shared PCs)
Azure B2B
• Works natively with Azure AD; Google federation is in public preview
• Direct federation coming! Using 3rd-party federation services (e.g. other vendors, corporate-owned, etc.)
• Now support for one-time passwords with anyone that has an email address
  https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Azure-AD-makes-sharing-and-collaboration-seamless-for-any-user/ba-p/325949
Microsoft Graph
aka.ms/graph
Managed Identity
API keys checked into GitHub: this could happen to you! Oops!
Making service-to-service authentication easier with Managed Identity:
• Azure’s role: create a service principal in Azure AD and provision resource credentials under the covers
• Your code runs on an Azure VM (Azure infrastructure) and authenticates through Azure AD to, for example, Azure Blob Storage
Service-to-service authentication with Managed Identity is available for:
• Virtual Machines
• Virtual Machine Scale Sets
• App Services
• Functions
We’re working on enabling Managed Identity across Azure; more to come!
Sources: Azure Virtual Machines, Azure VM Scale Sets, Azure App Services, Azure Functions
Targets: Azure Resource Manager, Azure Storage, Azure SQL, Azure Service Bus, Azure Event Hubs, Azure Data Lake, Azure Key Vault, Microsoft Graph, your service
(Legend: generally available / public preview)
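Two things a defender wants from the "keys checked into GitHub" slide: a way to catch hard-coded Azure credentials before they land in a repository, and a picture of what the Managed Identity alternative looks like on the wire. The block below is an added example for this page, not code from the deck or from Microsoft. The detection patterns and the sample file are constructed for the example (the "key" is random bytes, not a real key); the Instance Metadata Service endpoint, `api-version=2018-02-01` and the `Metadata: true` header are the documented IMDS token request, which the code builds but does not send.

```python
import math
import random
import re
import base64
from urllib.parse import urlencode

# Detector patterns for credentials that should never live in source control.
# Assumed patterns written for this example; production scanners use larger rule sets.
PATTERNS = {
    "azure_storage_account_key": re.compile(r"AccountKey=([A-Za-z0-9+/]{86}==)"),
    "azure_sas_signature": re.compile(r"[?&]sig=([A-Za-z0-9%+/=]{20,})"),
    "client_secret_literal": re.compile(r'(?i)client[_-]?secret\s*[=:]\s*["\']([^"\']{8,})["\']'),
}


def shannon_entropy(s: str) -> float:
    """Bits per character; a second signal that a matched string is key material, not a placeholder."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan(text: str) -> list:
    """Return one finding per credential-looking literal, with line number and a redacted preview."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(line):
                secret = m.group(1)
                findings.append({"line": lineno, "kind": kind,
                                 "entropy": round(shannon_entropy(secret), 2),
                                 "preview": secret[:6] + "..."})
    return findings


# Constructed 88-character base64 "account key" (random bytes, not a real credential).
_rng = random.Random(7)
_FAKE_KEY = base64.b64encode(bytes(_rng.getrandbits(8) for _ in range(64))).decode()

# Constructed settings file as it might be committed by mistake.
SAMPLE_SOURCE = f'''# settings.py (constructed sample)
STORAGE_CONN = "DefaultEndpointsProtocol=https;AccountName=contosostore;AccountKey={_FAKE_KEY};EndpointSuffix=core.windows.net"
CLIENT_SECRET = "s3cr3t-value-that-should-not-be-here"
BLOB_URL = "https://contosostore.blob.core.windows.net/c/f.txt?sv=2018-03-28&sig=abc%2Fdef123456789ghijklmnop%3D"
# the managed-identity path carries no secret at all:
TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
'''

IMDS_TOKEN_ENDPOINT = "http://169.254.169.254/metadata/identity/oauth2/token"


def managed_identity_token_request(resource: str) -> dict:
    """Build (but do not send) the request a VM with a managed identity makes to the
    Instance Metadata Service; the identity is bound to the VM, so nothing secret is stored."""
    query = urlencode({"api-version": "2018-02-01", "resource": resource})
    return {"method": "GET", "url": f"{IMDS_TOKEN_ENDPOINT}?{query}", "headers": {"Metadata": "true"}}


if __name__ == "__main__":
    for f in scan(SAMPLE_SOURCE):
        print(f"line {f['line']}: {f['kind']} (entropy {f['entropy']}) {f['preview']}")
    print(managed_identity_token_request("https://storage.azure.com/"))
```

Running `scan` over the constructed file flags the storage key, the client secret and the SAS signature, while the managed-identity token URL produces no finding: the request carries the resource name and the metadata header, and the credential never exists in code or configuration.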
Conditional Access enhancements
Identity Secure Score
• Identity Secure Score (identity pillar of the Secure Score feature): http://aka.ms/MyIdentitySecureScore
• Highlights issues related to identities:
  • Enable MFA
  • Reduce attack surface (e.g. block legacy protocols, use PIM, …)
• Data available through an API: https://aka.ms/SecureScore_APIBlog
AD FS
• Password-less authentication coming to AD FS 2019
• 3rd-party primary authentication
• Extranet Smart Lockout enhancements
  • New ‘audit’ mode that is combined with classic AD-based extranet lockout
  • Independent lockout for familiar locations to handle password changes across multi-node apps
• Banned IP list: directly block malicious IPs in AD FS (also available in 2016 QFE)
• HTTP header customization
  • HSTS: conveys to compatible browsers that AD FS can only be used on HTTPS endpoints
  • x-frame-options: allows specific application domains to use iFrames to talk to AD FS (use sparingly and carefully)
  • Customizable headers: addresses future scenarios
• Azure AD Connect Health: Risky IP report in public preview
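The Extranet Smart Lockout bullets are about one design decision: keeping bad-password counters separate for familiar and unfamiliar locations, so that a guessing run from an unknown address cannot lock the real user out of their usual device, plus an audit mode that records lockouts without enforcing them. The class below is an added toy model written for this page to make that behaviour visible; it is not AD FS code, and the threshold, window and the rule "a location becomes familiar after one successful sign-in" are constructed assumptions.

```python
from collections import defaultdict


class ExtranetSmartLockout:
    """Toy model of extranet smart lockout (assumed simplification, not AD FS code):
    bad-password counters are tracked per (user, familiar|unfamiliar) bucket, so a
    lockout caused from an unfamiliar location does not affect familiar ones.
    In 'audit' mode a lockout is only recorded, never enforced."""

    def __init__(self, threshold: int = 5, window_seconds: int = 1800, mode: str = "enforce"):
        assert mode in ("enforce", "audit")
        self.threshold, self.window, self.mode = threshold, window_seconds, mode
        self.familiar_ips = defaultdict(set)                             # user -> IPs with a prior success
        self.state = defaultdict(lambda: {"count": 0, "locked_until": 0})  # (user, bucket) -> counters
        self.audit_log = []                                              # attempts that would have been rejected

    def attempt(self, user: str, ip: str, password_ok: bool, now: int) -> str:
        bucket = "familiar" if ip in self.familiar_ips[user] else "unfamiliar"
        st = self.state[(user, bucket)]
        if now < st["locked_until"]:
            if self.mode == "enforce":
                return "locked"          # rejected before the password is even checked
            self.audit_log.append((now, user, ip, bucket))
        if password_ok:
            self.familiar_ips[user].add(ip)   # a success makes this location familiar
            st["count"] = 0
            return "success"
        st["count"] += 1
        if st["count"] >= self.threshold:
            st["locked_until"] = now + self.window
            st["count"] = 0
        return "failed"


def run_scenario(mode: str = "enforce"):
    """Constructed sequence: one legitimate sign-in, a guessing run from an unfamiliar
    address, then the real user from the familiar address and from a brand-new one."""
    esl = ExtranetSmartLockout(threshold=3, window_seconds=600, mode=mode)
    out = [esl.attempt("alice", "10.0.0.5", True, now=0)]            # success; 10.0.0.5 becomes familiar
    for t in range(1, 5):
        out.append(esl.attempt("alice", "203.0.113.9", False, now=t))  # four bad guesses, unfamiliar bucket
    out.append(esl.attempt("alice", "10.0.0.5", True, now=10))         # familiar bucket is untouched
    out.append(esl.attempt("alice", "198.51.100.2", True, now=11))     # right password, but unfamiliar bucket is locked
    return out, len(esl.audit_log)


if __name__ == "__main__":
    for mode in ("enforce", "audit"):
        print(mode, run_scenario(mode))
```

The last step is the edge case worth seeing: during the lockout window a correct password from a never-seen location is still rejected in enforce mode, while the familiar location keeps working; audit mode lets both through and leaves two entries in the log for review before switching to enforcement.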
AD FS pluggable risk assessment model
AD FS calls your code to answer “request risk?” and “user risk?”; your code can consult Azure Active Directory Identity Protection and returns block / allow.
Azure AD Password Protection
• Dynamic banning of passwords based on known bad patterns and those you define
• Built for hybrid environments
• Built for secure no-internet zone domain controllers
• Unified admin experience for on-premises and cloud
• Support for multi-forest environments
• High availability architecture
• Cloud intelligence to ensure strong passwords
https://aka.ms/aadpasswordprotectiondocs
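"Dynamic banning based on known bad patterns" means more than an exact blocklist: the password is normalized first (case folding, common character substitutions undone) and then scored. The block below is an added example for this page, not Microsoft's implementation: it models the documented evaluation in simplified form (each banned term found counts one point, each uncovered character counts one point, five points to pass), with a substitution table that is an assumed subset of the real one and without the fuzzy matching the documentation also describes.

```python
# Substitutions undone before matching (assumed subset; the documented table is larger).
SUBSTITUTIONS = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "l", "3": "e", "!": "i"})
PLACEHOLDER = "\x00"   # marks characters already consumed by a banned-term match


def normalize(password: str) -> str:
    """Lower-case the password and undo common leet substitutions."""
    return password.lower().translate(SUBSTITUTIONS)


def evaluate_password(password: str, banned, user_tokens=(), threshold: int = 5) -> dict:
    """Simplified model of the documented scoring: every banned term found in the
    normalized password is worth one point, every character not covered by a banned
    term is worth one point, and the password is accepted at `threshold` points or more.
    Longer terms are matched first so 'password' is not split into 'pass' and 'word'."""
    norm = normalize(password)
    terms = sorted({normalize(t) for t in (*banned, *user_tokens) if t}, key=len, reverse=True)
    remaining, hits = norm, []
    for term in terms:
        while term in remaining:
            hits.append(term)
            # keep the string length so later, shorter terms cannot straddle a consumed span
            remaining = remaining.replace(term, PLACEHOLDER * len(term), 1)
    points = len(hits) + sum(1 for c in remaining if c != PLACEHOLDER)
    return {"normalized": norm, "points": points, "hits": hits, "accepted": points >= threshold}


# Constructed banned list standing in for the global list plus a tenant's custom entries.
BANNED = {"password", "contoso", "blank"}

if __name__ == "__main__":
    for candidate in ("P@$$w0rd", "Bl@nk12", "C0ntos0Blank12", "C0ntos0Blank123", "KayKayKay", "Purple-Tractor-49"):
        r = evaluate_password(candidate, BANNED, user_tokens=("Kay",))
        print(f"{candidate:18} -> {r['normalized']:18} points={r['points']:2} hits={r['hits']} accepted={r['accepted']}")
```

The instructive cases are the near misses: a banned word with substitutions applied scores a single point however it is spelled, and repeating the user's own name three times still yields only three points, because each matched term collapses to one point regardless of its length.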
Additional features
• Auto-pick the additional auth provider based on rules: helps when you have specific 2nd-factor requirements during MFA migration or for security
• Smartcard support for remote PowerShell, including multi-node cmdlets
• Restrict TLS-based device auth only to applications that require it
• MFA freshness protocol support (uses an additional query parameter)
• Additional fixes for supporting aggregated federation metadata documents such as InCommon
Microsoft Information Protection
Discover | Classify | Protect | Monitor
• Microsoft Cloud App Security: visibility into 15k+ cloud apps, data access & usage, potential abuse
• Azure Security Center Information Protection: classify & label sensitive structured data in Azure SQL, SQL Server and other Azure repositories
• Office 365 apps: protect sensitive information while working in Excel, Word, PowerPoint, Outlook
• Azure Information Protection: classify, label & protect files beyond Office 365, including on-premises & hybrid
• Office 365 Data Loss Prevention: prevent data loss across Exchange Online, SharePoint Online, OneDrive for Business
• SharePoint & Groups: protect files in libraries and lists
• Office 365 Advanced Data Governance: apply retention and deletion policies to sensitive and important data in Office 365
• Adobe PDFs: natively view and protect PDFs in Adobe Acrobat
• Windows Information Protection: separate personal vs. work data on Windows 10 devices, prevent work data from traveling to non-work locations
• Office 365 Message Encryption: send encrypted emails in Office 365 to anyone inside or outside of the company
• Conditional Access: control access to files based on policy, such as identity, machine configuration, geo location
• SDK for partner ecosystem & ISVs: enable ISVs to consume labels, apply protection
Your information protection needs: device protection, data separation, leak protection, sharing protection
• Device protection: BitLocker (BitLocker enhancements in Windows 8.1, InstantGo, 3rd-party adoption)
• Data separation and leak protection: Windows Information Protection
• Sharing protection: Azure Information Protection, Office 365
Windows Information Protection
• Prevents unauthorized apps from accessing business data and users from leaking data via copy-and-paste protection
• Seamless integration into the platform: no mode switching, use any app
• Integrated protection against accidental data leaks, since Windows 10 version 1607
• Protects data at rest locally and on removable storage
• Common experience across all Windows 10 devices with copy-and-paste protection
• Corporate vs. personal data identifiable wherever it rests on the device, and can be wiped
Related sessions
CODE | SESSION | DATE & TIME | SESSION TYPE
THR2000 | Discover what’s new and what’s coming in Office 365 Message Encryption and AIP | Mon, Sept 24, 4:00 PM - 4:20 PM | 20-min Theatre
THR3005 | Protect your sensitive data as you migrate from on-premises to the cloud | Mon, Sept 24, 4:00 PM - 4:20 PM | 20-min Theatre
WRK3014 | Configuring Azure Information Protection to protect your sensitive data | Mon, Sept 24, 4:00 PM - 5:15 PM |
BRK3002 | Understanding how the latest Microsoft Information Protection (MIP) capabilities work together to protect sensitive information across devices, apps and services | Tues, Sept 25, 2:00 PM - 2:45 PM | Breakout
THR2002 | Keeping your sensitive data secure in Office 365 with data loss prevention | Tues, Sept 25, 10:10 AM - 10:30 AM | 20-min Theatre
BRK3009 | Accelerate deployment and adoption of Azure Information Protection | Wed, Sept 26, 9:00 AM - 10:15 AM | Breakout
BRK3246 | Extend the power of Labeling and Protection to your own and ISV solutions with Microsoft Information Protection (MIP) SDK | Wed, Sept 26, 3:15 PM - 4:00 PM | Breakout
BRK3245 | Level up your organization’s security posture with Office 365 applications | Wed, Sept 26, 12:45 PM - 1:30 PM | Breakout
THR2005 | The latest and greatest Microsoft Information Protection capabilities you should be using | Wed, Sept 26, 10:45 AM - 11:05 AM | 20-min Theatre
THR2003 | Data discovery, usage reporting and analytics for all your data with Microsoft Information Protection | Wed, Sept 26, 9:35 AM - 9:55 AM | 20-min Theatre
THR3049 | Understanding encryption key management options in Azure Information Protection | Wed, Sept 26, 1:05 PM - 1:25 PM | 20-min Theatre
BRK3397 | Protect and control your sensitive emails with Office 365 Message Encryption | Thurs, Sept 27, 2:00 PM - 2:45 PM | Breakout
THR3002 | Extending Labeling and Protection with ISV partners with the Microsoft Information Protection SDK | Thurs, Sept 27, 9:35 AM - 9:55 AM | 20-min Theatre
BRK3011 | Deploying and managing Windows Information Protection | Fri, Sept 28, 10:45 AM - 12:00 PM | Breakout
HOL3000 | Configuring Azure Information Protection to protect your sensitive data | n/a |
HOL4000 | Getting started with the Microsoft Information Protection SDK | n/a |