Creating a Secure Productive Enterprise with Enterprise Mobility + Security, Office 365, and Windows 10 Chris Clark, Cloud Solutions Specialist

Enterprise Mobility + Security Overviewtechtuesday.azurewebsites.net/.../02/...Enterprise.pdf · Enterprise Mobility + Security Basic identity mgmt. via Azure AD for O365: •Single


Page 1

Creating a Secure Productive Enterprise with Enterprise Mobility + Security, Office 365, and Windows 10

Chris Clark, Cloud Solutions Specialist

Page 2

#TechTuesday2017

Page 4

Microsoft’s Productivity Vision

Cloud on your terms: Online, On Premises, Hybrid

Integrated best-of-breed solutions: Messaging, Voice & Video, Content Management, Enterprise Social, Data & Analytics

Best experience across devices

Page 6

Office 365 Enterprise Plans

• Office 365 Enterprise E1: $8.00 user/month
  – Exchange Online Plan 1
  – SharePoint Online Plan 1
  – Skype for Business Online Plan 2
  – Office Online
  – OneDrive
  – Yammer
  – Office 365 Video
  – Microsoft Teams
  – Sway

• Office 365 Enterprise E3: $20.00 user/month
  – Exchange Online Plan 2
  – SharePoint Online Plan 2
  – Skype for Business Online Plan 2
  – Office Online
  – Office 365 Pro Plus
  – OneDrive
  – Yammer
  – Azure Rights Management
  – Office 365 Video
  – Microsoft Teams
  – Sway

• Office 365 Enterprise E5: $35.00 user/month
  – Same as E3
  – Power BI Pro
  – Customer Lockbox
  – Delve Analytics
  – Advanced E-Discovery
  – Advanced Threat Protection
  – Advanced Security Management
  – Cloud PBX
  – PSTN Conferencing

Page 7

Identity

Page 8

Identity and Access Management Tools

• DirSync: Azure Active Directory Synchronization Tool
• AD Connect: Azure Active Directory Connect Tool
• FIM / MIM: Forefront Identity Manager / Microsoft Identity Manager

Page 9

On-premises

Firewall

Corp email, business apps

LIFE BEFORE CLOUD AND MOBILITY

• Access via managed devices and networks
• Layers of defense protecting internal apps
• Known security perimeter

LIFE AFTER CLOUD AND MOBILITY

• Open access for users – any device, any network
• Unrestricted sharing methods – users decide how to share
• Cloud app ecosystem
• Limited visibility and control

Office 365

Page 10

IDENTITY – DRIVEN SECURITY

Transition to cloud & mobility

New attack landscape

Current defenses not sufficient

Identity, Devices, Apps & Data

Employees, Partners, Customers

On-premises apps, Cloud apps, SaaS, Azure

Shadow IT, Data breach, Identity breach

Page 11

Mobile-first, cloud-first reality

Data breaches: 63%

63% of confirmed data breaches involve weak, default, or stolen passwords.

IT Budget growth: 0.6%

Gartner predicts global IT spend will grow only 0.6% in 2016.

Shadow IT: 80%

More than 80 percent of employees admit to using non-approved software as a service (SaaS) applications in their jobs.

Page 12

Is it possible to keep up?

Employees

Business partners

Customers

Is it possible to stay secure?

Apps

Devices

Data

Users

Data leaks

Lost device

Compromised identity

Stolen credentials

Page 13

Is it possible to keep up?

Employees Business partners Customers

The Microsoft vision

Secure and protect against new threats

Maximum productivity experience

Comprehensive and integrated

Apps

Devices

Data

Users

Page 14

Customers need: Secure against new threats, User freedom, Do more with less

Microsoft solution: Identity – driven security, Productivity without compromise, Comprehensive solutions

ENTERPRISE MOBILITY + SECURITY

Identity-driven security

Comprehensive solution

Managed mobile productivity

Page 15

Identity-driven security

Comprehensive solution

Managed mobile productivity

ENTERPRISE MOBILITY + SECURITY

Page 16

Identity-driven Security

Data Breaches 63%

Page 17

Identity is the foundation for enterprise mobility

IDENTITY – DRIVEN SECURITY

Single sign-on

Self-service

Simple connection

On-premises

Other directories

Windows Server Active Directory

SaaS

Azure

Public cloud

Cloud

Microsoft Azure Active Directory

Page 18

PROTECT AT THE FRONT DOOR

Identity Protection at its best

Risk-based conditional access automatically protects against suspicious logins and compromised credentials

Gain insights from a consolidated view of machine learning-based threat detection

Risk severity calculation

Remediation recommendations

Leaked credentials

Infected devices

Configuration vulnerabilities

Brute force attacks

Suspicious sign-in activities

Machine-Learning Engine

Risk-based policies

• MFA Challenge risky logins
• Block attacks
• Change bad credentials

Page 19

PROTECT AT THE FRONT DOOR

Discover, restrict, and monitor privileged identities

Audit

SECURITY ADMIN

Configure Privileged Identity Management

USER

PRIVILEGED IDENTITY MANAGEMENT

Identity verification

Monitor

Access reports

MFA

ALERT

Read only

ADMIN PROFILES

Billing Admin

Global Admin

Service Admin

MFA enforced during activation process

Alerts inform administrators about out-of-band changes

Users need to activate their privileges to perform a task

Users retain privileges for a pre-configured amount of time

Security admins can discover all privileged identities, view audit reports, and review everyone who is eligible to activate via access reviews

Page 20

Azure AD Connect

On-premises applications

Microsoft Azure Active Directory

Username

?

Forgot your password?

MFA Challenge

“I need to enable my users to securely reset their own password”

Azure Active Directory Premium

Page 21

Microsoft Azure

• 2500+ pre-integrated popular SaaS apps and self-service integration via templates
• Connect and sync on-premises directories with Azure
• Easily publish on-premises web apps via Application Proxy + custom apps

SaaS apps

OTHER DIRECTORIES

Web apps (Azure Active Directory Application Proxy)

Integrated custom apps

Page 22

“I need to make it easy for my users to access my company’s apps”

Azure Active Directory Premium

Page 23

PROTECT YOUR DATA AGAINST USER MISTAKES

Shadow IT discovery

• Discover 13,000+ cloud apps in use—no agents required
• Identify all users, IP addresses, top apps, top users

Risk scoring

• Get an automated risk score driven by 60+ parameters
• See each app’s risk assessment based on its security mechanisms and compliance regulations

Ongoing analytics

• Ongoing risk detection, powerful reporting, and analytics on users, usage patterns, upload/download traffic, and transactions
• Ongoing anomaly detection for discovered apps

Page 24

PROTECT YOUR DATA AGAINST USER MISTAKES

Policy definition

• Set granular-control security policies for your approved apps
• Use out-of-the-box policies or customize your own

DLP and data sharing

• Prevent data loss both inline and at rest
• Govern data in the cloud, such as files stored in cloud drives, attachments, or within cloud apps
• Use pre-defined templates or extend existing DLP policies

Policy enforcement

• Identify policy violations, investigate on a user, file, activity level
• Enforce actions such as quarantine and permissions removal
• Block sensitive transactions, limit sessions for unmanaged devices

Page 25

IDENTITY – DRIVEN SECURITY

1. Protect at the front door
   Safeguard your resources at the front door with innovative and advanced risk-based conditional accesses

2. Protect your data against user mistakes
   Gain deep visibility into user, device, and data activity on-premises and in the cloud.

3. Detect attacks before they cause damage
   Uncover suspicious activity and pinpoint threats with deep visibility and ongoing behavioral analytics.

Page 26

Conditions

Allow access or block access

Actions

Enforce MFA per user/per app

Location

Device state

User/Application

MFA

Risk

User

IDENTITY – DRIVEN SECURITY

Page 27

IDENTITY – DRIVEN SECURITY

Azure Information Protection

How do I control data on-premises and in the cloud?

• Classify & Label
• Protect
• Monitor and Respond

Microsoft Intune

How do I prevent data leakage from my mobile apps?

• LOB app protection
• DLP for Office 365 mobile apps
• Optional device management

Cloud App Security

How do I gain visibility and control of my cloud apps?

• Risk scoring
• Shadow IT Discovery
• Policies for data control

Page 28

IDENTITY – DRIVEN SECURITY

On-premises detection: Microsoft Advanced Threat Analytics (ATA)

• Behavioral Analytics
• Detection of known malicious attacks
• Detection of known security issues

Detection in the cloud: Cloud App Security + Azure Active Directory Premium

• Behavioral analytics
• Anomaly detection
• Security reporting and monitoring

Page 29

DETECT ATTACKS BEFORE THEY CAUSE DAMAGE

Microsoft Advanced Threat Analytics brings the behavioral analytics concept to IT and the organization’s users.

An on-premises platform to identify advanced security attacks and insider threats before they cause damage

Behavioral Analytics

Detection of advanced attacks and security risks

Advanced Threat Detection

Page 30

Identity-driven security

Comprehensive solution

Managed mobile productivity

ENTERPRISE MOBILITY + SECURITY

Page 31

Managed mobile productivity

Unsecured apps 80%

Page 32

Manage and secure devices

Office mobile apps

Data-level protection

User self-service

MANAGED MOBILE PRODUCTIVITY

Page 33

MANAGED MOBILE PRODUCTIVITY

Access management

• Conditional access
• Device settings & Compliance enforcement
• Multi-identity support

Built-in security

• Mobile app management (w & w/o a device enrollment)
• File level classification, labeling, and encryption

Gold standard

• Office mobile apps
• Familiar and trusted

Page 34

MANAGED MOBILE PRODUCTIVITY

Multi-identity policy

Managed apps

Corporate data

Personal apps

Personal data

Copy, Paste, Save

Save to personal storage

Paste to personal app

Email attachment

Page 35

MANAGED MOBILE PRODUCTIVITY

Protect your data at all times

Empower users to make right decisions

Enable safe sharing internally and externally

Maintain visibility and control

Page 36

Classification & labeling: CLASSIFICATION, LABELING

Protect: ENCRYPTION, ACCESS CONTROL, POLICY ENFORCEMENT

Monitor & respond: DOCUMENT TRACKING, DOCUMENT REVOCATION

Page 37

MANAGED MOBILE PRODUCTIVITY

Classify data according to policies – automatically or by user

Add persistent labels defining sensitivity to files

IT admin sets policies, templates, and rules

STRICTLY CONFIDENTIAL

CONFIDENTIAL

INTERNAL

NOT RESTRICTED

FINANCE

CONFIDENTIAL

Page 38

Manage your account, apps and groups

Company branded, personalized application Access Panel:

http://myapps.microsoft.com

+ iOS and Android Mobile Apps

Self-service password reset

Application access requests

Integrated Office 365 app launching

MANAGED MOBILE PRODUCTIVITY

Page 39

Identity-driven security

Comprehensive solution

Managed mobile productivity

ENTERPRISE MOBILITY + SECURITY

Page 40

Enterprise Mobility + Security

IDENTITY - DRIVEN SECURITY

• Microsoft Intune: Protect your users, devices, and apps
• Azure Information Protection: Protect your data, everywhere
• Microsoft Advanced Threat Analytics: Detect threats early with visibility and threat analytics
• Microsoft Cloud App Security: Extend enterprise-grade security to your cloud and SaaS apps
• Azure Active Directory Premium: Manage identity with hybrid integration to protect application access from identity attacks

Page 41

COMPREHENSIVE SOLUTION

Integrates with what you have

Simple to set up

Easy to maintain

Saves you money

Page 42

COMPREHENSIVE SOLUTION

Employees Business partners Customers

Secure and protect against new threats

Maximum productivity experience

Comprehensive and integrated

Apps Devices Data Users

Page 43

COMPREHENSIVE SOLUTION

Always up to date

• Real-time updates
• Keep up with new apps and devices

Works with what you have

• Support multiple platforms
• Use existing investments

Simple to set up and connect

• Easy, secure connections
• Simplified management

Page 44

$15

Information protection

User and Entity Behavioral Analysis

Cloud Access Security Broker

Identity and access management

Mobile device and application management

Total cost (per user/month)

COMPREHENSIVE SOLUTION

For the cost of Identity & Access Management and MDM/MAM from other vendors, EMS provides advanced security capabilities to protect users, devices, apps and data.

1. Individual pricing not currently available. 2. Okta Enterprise Edition as of 3/1/2015. 3. AirWatch Orange Management Suite Cloud as of 3/1/2015.

Included with Microsoft EMS E5

$82

$18+

Available separately from other vendors

$$1

$102

Page 45

ENTERPRISE MOBILITY + SECURITY

Identity-driven security

Holistic, intelligent, innovative security to keep up with new threats.

Comprehensive solution

Secure your enterprise fast – while keeping what you have and saving money.

Managed mobile productivity

Encourage secure work habits by providing the best apps with built-in security.

Page 46

Information protection

• Azure Information Protection Premium P2: Intelligent classification and encryption for files shared inside and outside your organization (includes all capabilities in P1)
• Azure Information Protection Premium P1: Encryption for all files and storage locations; Cloud-based file tracking

Identity-driven security

• Microsoft Cloud App Security: Enterprise-grade visibility, control, and protection for your cloud applications
• Microsoft Advanced Threat Analytics: Protection from advanced targeted attacks leveraging user and entity behavioral analytics

Managed mobile productivity

• Microsoft Intune: Mobile device and app management to protect corporate apps and data on any device

Identity and access management

• Azure Active Directory Premium P2: Identity and access management with advanced protection for users and privileged identities (includes all capabilities in P1)
• Azure Active Directory Premium P1: Secure single sign-on to cloud and on-premises apps; MFA, conditional access, and advanced security reporting

EMS E3

EMS E5

Page 47

Intelligence, Collaboration, Trust, Mobility

Empower your employees by creating a secure productive enterprise

Page 48

Always up to date

More productive

Powerful, modern devices

More personal

Safer and more secure

Windows Information Protection

Windows Hello

Credential Guard

Device Guard

AppLocker

Windows Defender Advanced Threat Protection

Azure Active Directory Join

Mobile Device Management

Application Virtualization (App-V)

Windows Ink

Windows Store for Business

Cortana Management

Managed User Experience

User Experience Virtualization (UE-V)

Windows 10 for Industry Devices

Innovative designs

New experiences

Best in class performance

The most trusted platform

The most versatile devices

Page 49

Office 365

Enterprise Mobility + Security

Windows 10 Enterprise

Delivered through enterprise cloud services

Page 50

Enterprise Mobility + Security

Basic identity mgmt. via Azure AD for O365:

• Single sign-on for O365
• Basic multi-factor authentication (MFA) for O365

Basic mobile device management via MDM for O365

• Device settings management
• Selective wipe
• Built into O365 management console

RMS protection via RMS for O365

• Protection for content stored in Office (on-premises or O365)
• Access to RMS SDK
• Bring your own key

Azure AD for O365+

• Advanced security reports
• Single sign-on for all apps
• Advanced MFA
• Self-service group management & password reset & write back to on-premises
• Dynamic Groups, Group based licensing assignment

MDM for O365+

• PC management
• Mobile app management (prevent cut/copy/paste/save as from corporate apps to personal apps)
• Secure content viewers
• Certificate provisioning
• System Center integration

RMS for O365+

• Automated intelligent classification and labeling of data
• Tracking and notifications for shared documents
• Protection for on-premises Windows Server file shares

Advanced Security Management

• Insights into suspicious activity in Office 365

Cloud App Security

• Visibility and control for all cloud apps

Advanced Threat Analytics

• Identify advanced threats in on premises identities

Azure AD Premium P2

• Risk based conditional access

Information protection

Identity-driven security

Managed mobile productivity

Identity and access management

Page 51

Windows 10

Enterprise Mobility + Security

• Single sign-on for business cloud apps
• Device setup and registration for Windows devices
• Windows Store for Business
• Traditional domain join manageability
• Manageability via MDM and MAM
• Encryption for data at rest and generated on device
• Encryption for data included in roaming settings
• Conditional access policies for secure single sign-on
• MDM auto-enrollment
• Self-Service BitLocker recovery
• Password reset with write back to on-premises
• Cloud-based advanced security reports and monitoring
• Enterprise State-Roaming
• Mobile device management
• Mobile app management
• Secure content viewer
• Certificate, Wi-Fi, VPN, email profile provisioning
• Agent-based management of Windows devices (domain-joined via ConfigMgr and internet-based via Intune)
• Automated intelligent classification and labeling of data
• Tracking and notifications for shared documents
• Protection for content stored in Office and Office 365 & Windows Server on premises

Windows Defender Advanced Threat Protection

• Identify advanced threats focused on Windows 10 behavioral sensors

Cloud App Security

• Visibility and control for all cloud apps

Advanced Threat Analytics

• Behavioral analytics for advanced threat detection

Azure AD Premium

• Risk based conditional access

Information protection

Identity-driven security

Managed mobile productivity

Identity and access management
