Creating a Secure Productive Enterprise with Enterprise
Mobility + Security, Office 365, and Windows 10
Chris Clark, Cloud Solutions Specialist
#TechTuesday2017
Microsoft’s Productivity Vision
Cloud on your terms: Online, On Premises, Hybrid
Integrated best-of-breed solutions: Messaging, Voice & Video, Content Management, Enterprise Social, Data & Analytics
Best experience across devices
Office 365 Enterprise Plans
• Office 365 Enterprise E1: $8.00 user/month
– Exchange Online Plan 1
– SharePoint Online Plan 1
– Skype for Business Online Plan 2
– Office Online
– OneDrive
– Yammer
– Office 365 Video
– Microsoft Teams
– Sway
• Office 365 Enterprise E3: $20.00 user/month
– Exchange Online Plan 2
– SharePoint Online Plan 2
– Skype for Business Online Plan 2
– Office Online
– Office 365 ProPlus
– OneDrive
– Yammer
– Azure Rights Management
– Office 365 Video
– Microsoft Teams
– Sway
• Office 365 Enterprise E5: $35.00 user/month
– Same as E3
– Power BI Pro
– Customer Lockbox
– Delve Analytics
– Advanced eDiscovery
– Advanced Threat Protection
– Advanced Security Management
– Cloud PBX
– PSTN Conferencing
Identity
Identity and Access Management Tools
– DirSync: Azure Active Directory Synchronization Tool
– AD Connect: Azure Active Directory Connect Tool
– FIM / MIM: Forefront Identity Manager / Microsoft Identity Manager
LIFE BEFORE CLOUD AND MOBILITY
On-premises, behind the firewall: corp email, business apps
• Access via managed devices and networks
• Layers of defense protecting internal apps
• Known security perimeter
LIFE AFTER CLOUD AND MOBILITY
• Open access for users – any device, any network
• Unrestricted sharing methods – users decide how to share
• Cloud app ecosystem
• Limited visibility and control
IDENTITY – DRIVEN SECURITY
Mobile-first, cloud-first reality: employees, partners and customers reach Office 365, SaaS apps, Azure and on-premises apps from any device, and shadow IT, data breach and identity breach are the new risks.
• Transition to cloud & mobility
• New attack landscape
• Current defenses not sufficient
Control points: Identity, Devices, Apps & Data
Data breaches: 63% of confirmed data breaches involve weak, default, or stolen passwords.
IT budget growth: Gartner predicts global IT spend will grow only 0.6% in 2016.
Shadow IT: More than 80 percent of employees admit to using non-approved software as a service (SaaS) applications in their jobs.
Is it possible to keep up? Employees, business partners, customers
Is it possible to stay secure? Users, devices, apps, data: data leaks, lost device, compromised identity, stolen credentials
The Microsoft vision
• Secure and protect against new threats
• Maximum productivity experience
• Comprehensive and integrated (users, devices, apps, data)
Customers need: secure against new threats; user freedom; do more with less
Microsoft solution: identity-driven security; productivity without compromise; comprehensive solutions
ENTERPRISE MOBILITY + SECURITY
Three pillars: identity-driven security; comprehensive solution; managed mobile productivity
Identity-driven Security
Data breaches: 63%
Identity is the foundation for enterprise mobility
IDENTITY – DRIVEN SECURITY
Microsoft Azure Active Directory in the cloud connects on-premises Windows Server Active Directory and other directories to SaaS apps, Azure and the public cloud, providing single sign-on, self-service and simple connection.
PROTECT AT THE FRONT DOOR
Identity Protection at its best
Risk-based conditional access automatically protects against suspicious logins and compromised credentials.
Gain insights from a consolidated view of machine learning-based threat detection.
Machine-learning engine signals: leaked credentials, infected devices, configuration vulnerabilities, brute force attacks, suspicious sign-in activities
Outputs: risk severity calculation; remediation recommendations; risk-based policies
Actions: MFA challenge risky logins; block attacks; change bad credentials
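The slide names the signals but not how a risk level is derived from them. The following is an added example, not code from the deck or from Microsoft: a small rule-based scorer that runs over a constructed sign-in log and flags three of the listed signals (a brute-force run from one IP, a success immediately after such a run, and a suspicious sign-in whose implied travel speed is impossible). The log format, the thresholds and the three-level scale are assumptions made for the illustration; a real engine combines many more signals and learns its thresholds.

```python
"""Added example (not from the deck): rule-based sign-in risk scoring."""
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Constructed sample log (not real data): timestamp user ip city lat lon result
SAMPLE_LOG = """\
2017-03-07T08:00:00Z alice 203.0.113.10 Seattle 47.61 -122.33 success
2017-03-07T08:05:00Z bob 198.51.100.7 Seattle 47.61 -122.33 failure
2017-03-07T08:05:10Z bob 198.51.100.7 Seattle 47.61 -122.33 failure
2017-03-07T08:05:20Z bob 198.51.100.7 Seattle 47.61 -122.33 failure
2017-03-07T08:05:30Z bob 198.51.100.7 Seattle 47.61 -122.33 failure
2017-03-07T08:05:40Z bob 198.51.100.7 Seattle 47.61 -122.33 failure
2017-03-07T08:05:50Z bob 198.51.100.7 Seattle 47.61 -122.33 success
2017-03-07T08:30:00Z alice 192.0.2.44 Kiev 50.45 30.52 success
2017-03-07T09:00:00Z carol 203.0.113.10 Seattle 47.61 -122.33 success
"""

FAIL_THRESHOLD = 5              # failures from one IP inside the window (assumed)
WINDOW = timedelta(minutes=5)   # sliding window for the failure count (assumed)
MAX_SPEED_KMH = 900.0           # faster than an airliner: impossible travel (assumed)


def parse_log(text):
    """Parse the constructed log format into dicts, oldest event first."""
    events = []
    for line in text.splitlines():
        ts, user, ip, city, lat, lon, result = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "ip": ip, "city": city,
            "lat": float(lat), "lon": float(lon), "result": result,
        })
    return sorted(events, key=lambda e: e["ts"])


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two coordinates."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def score_events(events):
    """Return one dict per event, adding a 'reasons' set and a 'level'."""
    failures_by_ip = defaultdict(list)   # ip -> timestamps of recent failures
    last_success = {}                    # user -> most recent successful event
    scored = []
    for e in events:
        reasons = set()
        if e["result"] == "failure":
            failures_by_ip[e["ip"]].append(e["ts"])
        recent = [t for t in failures_by_ip[e["ip"]] if e["ts"] - t <= WINDOW]
        failures_by_ip[e["ip"]] = recent              # drop entries outside the window
        if len(recent) >= FAIL_THRESHOLD:
            # A success riding on a burst of failures is the credential-guessing win.
            reasons.add("brute_force" if e["result"] == "failure"
                        else "success_after_brute_force")
        if e["result"] == "success":
            prev = last_success.get(e["user"])
            if prev is not None:
                km = haversine_km(prev["lat"], prev["lon"], e["lat"], e["lon"])
                hours = (e["ts"] - prev["ts"]).total_seconds() / 3600
                if km / max(hours, 1e-6) > MAX_SPEED_KMH:   # guard against zero elapsed time
                    reasons.add("impossible_travel")
            last_success[e["user"]] = e
        if reasons & {"success_after_brute_force", "impossible_travel"}:
            level = "high"       # signs the account itself is compromised
        elif reasons:
            level = "medium"     # attack in progress, no success yet
        else:
            level = "low"
        scored.append({**e, "reasons": reasons, "level": level})
    return scored


def score_log(text):
    return score_events(parse_log(text))


if __name__ == "__main__":
    for s in score_log(SAMPLE_LOG):
        print(s["ts"].isoformat(), s["user"], s["level"], sorted(s["reasons"]))
```

In the sample, bob's fifth failure inside the window scores medium, his success ten seconds later scores high, and alice's second sign-in scores high because Seattle to Kiev in thirty minutes is not a journey a person can make. The high-level events are the ones a risk-based policy would send to an MFA challenge or block outright.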
PROTECT AT THE FRONT DOOR
Discover, restrict, and monitor privileged identities
PRIVILEGED IDENTITY MANAGEMENT
Security admin: configures Privileged Identity Management, monitors and audits, reviews access reports, receives alerts
User: requests activation, passes identity verification (MFA), and otherwise holds read-only access
Admin profiles: Billing Admin, Global Admin, Service Admin
• MFA enforced during activation process
• Alerts inform administrators about out-of-band changes
• Users need to activate their privileges to perform a task
• Users retain privileges for a pre-configured amount of time
• Security admins can discover all privileged identities, view audit reports, and review everyone who is eligible to activate via access reviews
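The bullets above describe the just-in-time model without showing the mechanics. The following is an added example, not code from the deck or from Azure AD Privileged Identity Management: a minimal in-memory model of eligible assignments, MFA-gated activation with an audit reason, a time-bound active role that lapses on its own, an alert when a permanent assignment is made outside the workflow, and the list an access review would present. The class name, role names and the one-hour maximum are assumptions.

```python
"""Added example (not from the deck): time-bound privileged role activation."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class PrivilegedIdentityManagement:
    max_duration: timedelta = timedelta(hours=1)   # assumed activation ceiling
    eligible: dict = field(default_factory=dict)   # user -> set of roles
    active: dict = field(default_factory=dict)     # (user, role) -> expiry time
    permanent: set = field(default_factory=set)    # (user, role) assigned permanently
    audit: list = field(default_factory=list)      # (time, user, role, action, detail)
    alerts: list = field(default_factory=list)

    def make_eligible(self, user, role, now):
        """Eligibility grants nothing by itself; it only allows activation."""
        self.eligible.setdefault(user, set()).add(role)
        self.audit.append((now, user, role, "eligible", ""))

    def activate(self, user, role, now, mfa_verified, reason):
        """Turn an eligible assignment into an active one that expires."""
        if role not in self.eligible.get(user, set()):
            raise PermissionError(f"{user} is not eligible for {role}")
        if not mfa_verified:
            raise PermissionError("MFA is required to activate a privileged role")
        if not reason:
            raise ValueError("an activation reason is required for the audit trail")
        expiry = now + self.max_duration
        self.active[(user, role)] = expiry
        self.audit.append((now, user, role, "activate", reason))
        return expiry

    def has_role(self, user, role, now):
        """True while an activation is unexpired, or for a permanent assignment."""
        if (user, role) in self.permanent:
            return True
        expiry = self.active.get((user, role))
        if expiry is None:
            return False
        if now >= expiry:
            del self.active[(user, role)]          # privilege lapses without any action
            self.audit.append((now, user, role, "expire", ""))
            return False
        return True

    def assign_permanent(self, user, role, now, via_pim):
        """Permanent assignments should go through PIM; anything else is out-of-band."""
        self.permanent.add((user, role))
        self.audit.append((now, user, role, "permanent",
                           "via_pim" if via_pim else "out_of_band"))
        if not via_pim:
            self.alerts.append(
                f"out-of-band permanent {role} assignment to {user} at {now.isoformat()}")

    def access_review(self, now):
        """Everything a security admin should review: eligible, active, permanent."""
        rows = [(u, r, "eligible") for u, roles in self.eligible.items() for r in roles]
        rows += [(u, r, "active") for (u, r) in list(self.active) if self.has_role(u, r, now)]
        rows += [(u, r, "permanent") for (u, r) in self.permanent]
        return sorted(rows)


if __name__ == "__main__":
    t0 = datetime(2017, 3, 7, 9, 0)
    pim = PrivilegedIdentityManagement()
    pim.make_eligible("alice", "Global Admin", t0)
    pim.activate("alice", "Global Admin", t0, mfa_verified=True, reason="change ticket 42")
    print(pim.has_role("alice", "Global Admin", t0 + timedelta(minutes=30)))   # True
    print(pim.has_role("alice", "Global Admin", t0 + timedelta(hours=2)))      # False
    pim.assign_permanent("bob", "Global Admin", t0, via_pim=False)
    print(pim.alerts)
    print(pim.access_review(t0))
```

The point a practitioner should take from the model is that the standing population of Global Admins is the eligible list, not the active one, and that a permanent assignment that did not pass through `assign_permanent(..., via_pim=True)` is exactly the out-of-band change the slide says should raise an alert.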
“I need to enable my users to securely reset their own password”
Azure Active Directory Premium
Self-service password reset: the user enters a username, chooses “Forgot your password?”, passes an MFA challenge, and the new password is written back through Azure AD Connect to on-premises Active Directory so on-premises applications pick it up.
“I need to make it easy for my users to access my company’s apps”
Azure Active Directory Premium
• 2500+ pre-integrated popular SaaS apps and self-service integration via templates
• Connect and sync on-premises directories with Azure
• Easily publish on-premises web apps via Application Proxy + custom apps
Microsoft Azure Active Directory sits between other directories, integrated custom apps, SaaS apps and on-premises web apps (published through the Azure Active Directory Application Proxy).
PROTECT YOUR DATA AGAINST USER MISTAKES
Shadow IT discovery
• Discover 13,000+ cloud apps in use—no agents required
• Identify all users, IP addresses, top apps, top users
Risk scoring
• Get an automated risk score driven by 60+ parameters
• See each app’s risk assessment based on its security mechanisms and compliance regulations
Ongoing analytics
• Ongoing risk detection, powerful reporting, and analytics on users, usage patterns, upload/download traffic, and transactions
• Ongoing anomaly detection for discovered apps
PROTECT YOUR DATA AGAINST USER MISTAKES
Policy definition
• Set granular-control security policies for your approved apps
• Use out-of-the-box policies or customize your own
DLP and data sharing
• Prevent data loss both inline and at rest
• Govern data in the cloud, such as files stored in cloud drives, attachments, or within cloud apps
• Use pre-defined templates or extend existing DLP policies
Policy enforcement
• Identify policy violations, investigate on a user, file, activity level
• Enforce actions such as quarantine and permissions removal
• Block sensitive transactions, limit sessions for unmanaged devices
IDENTITY – DRIVEN SECURITY
1. Protect at the front door: safeguard your resources at the front door with innovative and advanced risk-based conditional access.
2. Protect your data against user mistakes: gain deep visibility into user, device, and data activity on-premises and in the cloud.
3. Detect attacks before they cause damage: uncover suspicious activity and pinpoint threats with deep visibility and ongoing behavioral analytics.
Conditional access
Conditions: user/application, location, device state, risk, MFA status
Actions: allow access, or block access, or enforce MFA per user/per app
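The diagram lists conditions and actions but not how several policies combine for one sign-in. The following is an added example, not code from the deck or from Azure AD: a small evaluator in which every policy whose conditions all match contributes its grant controls, a block from any matching policy wins, and otherwise the union of required controls must be satisfied; an unmet MFA control becomes a challenge while an unmet device-compliance control denies the sign-in until the device is remediated. The three policies, the group, location and app names are constructed for the illustration and the semantics are simplified from the real product.

```python
"""Added example (not from the deck): combining conditional access policies."""
from dataclasses import dataclass, field

RISK_ORDER = {"none": 0, "low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class SignIn:
    user: str
    groups: frozenset          # group memberships of the user
    app: str
    location: str              # named location, e.g. "corpnet" or "home"
    device_compliant: bool     # device state as reported by MDM
    risk: str                  # sign-in risk from the risk engine
    mfa_done: bool = False     # MFA already satisfied in this session


@dataclass(frozen=True)
class Policy:
    name: str
    groups: frozenset = frozenset({"all"})
    apps: frozenset = frozenset({"all"})
    exclude_locations: frozenset = frozenset()   # trusted locations the policy skips
    min_risk: str = "none"                       # applies at this risk level or above
    controls: frozenset = frozenset()            # "block", "mfa", "compliant_device"

    def applies(self, s):
        """All conditions must match for the policy to contribute its controls."""
        return bool(("all" in self.groups or self.groups & s.groups)
                    and ("all" in self.apps or s.app in self.apps)
                    and s.location not in self.exclude_locations
                    and RISK_ORDER[s.risk] >= RISK_ORDER[self.min_risk])


@dataclass
class Decision:
    outcome: str                 # "allow" | "block" | "challenge" | "deny"
    required: set = field(default_factory=set)
    unmet: set = field(default_factory=set)
    policies: list = field(default_factory=list)


def evaluate(policies, s):
    matched = [p for p in policies if p.applies(s)]
    names = [p.name for p in matched]
    required = set().union(*(p.controls for p in matched))
    if "block" in required:                      # a block from any policy wins
        return Decision("block", required, set(), names)
    unmet = set()
    if "mfa" in required and not s.mfa_done:
        unmet.add("mfa")
    if "compliant_device" in required and not s.device_compliant:
        unmet.add("compliant_device")
    if not unmet:
        return Decision("allow", required, unmet, names)
    # An MFA gap is recoverable by challenging the user; a non-compliant device
    # is not, so the sign-in is denied until the device is brought into compliance.
    return Decision("challenge" if unmet == {"mfa"} else "deny", required, unmet, names)


# Constructed policies for the illustration
POLICIES = [
    Policy("Block high-risk sign-ins", min_risk="high", controls=frozenset({"block"})),
    Policy("MFA for medium-risk sign-ins", min_risk="medium", controls=frozenset({"mfa"})),
    Policy("Finance data off corpnet needs MFA and a compliant device",
           groups=frozenset({"finance"}), apps=frozenset({"SharePoint Online"}),
           exclude_locations=frozenset({"corpnet"}),
           controls=frozenset({"mfa", "compliant_device"})),
]


def decide(user, groups, app, location, device_compliant, risk, mfa_done=False):
    s = SignIn(user, frozenset(groups), app, location, device_compliant, risk, mfa_done)
    return evaluate(POLICIES, s)


if __name__ == "__main__":
    cases = [
        ("alice", {"finance"}, "SharePoint Online", "corpnet", True, "none"),
        ("alice", {"finance"}, "SharePoint Online", "home", False, "none"),
        ("bob", {"sales"}, "Exchange Online", "home", True, "medium"),
        ("bob", {"sales"}, "Exchange Online", "home", True, "medium", True),
        ("bob", {"sales"}, "Exchange Online", "home", True, "high"),
    ]
    for args in cases:
        d = decide(*args)
        print(args[0], args[2], args[3], "->", d.outcome, sorted(d.unmet), d.policies)
```

Note the ordering in `evaluate`: the block check comes before any grant control is considered, so a high-risk sign-in is blocked even if the user has already completed MFA. That is the behaviour the slide's "block attacks" action implies, and it is worth verifying in any real policy set, because a policy that only requires MFA gives an attacker holding the password a second chance.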
IDENTITY – DRIVEN SECURITY
Azure Information Protection: how do I control data on-premises and in the cloud? Classify & label; protect; monitor and respond.
Microsoft Intune: how do I prevent data leakage from my mobile apps? LOB app protection; DLP for Office 365 mobile apps; optional device management.
Cloud App Security: how do I gain visibility and control of my cloud apps? Risk scoring; shadow IT discovery; policies for data control.
IDENTITY – DRIVEN SECURITY
DETECT ATTACKS BEFORE THEY CAUSE DAMAGE
Microsoft Advanced Threat Analytics (ATA): on-premises detection
• Behavioral analytics
• Detection of known malicious attacks
• Detection of known security issues
Cloud App Security + Azure Active Directory Premium: detection in the cloud
• Behavioral analytics
• Anomaly detection
• Security reporting and monitoring
Microsoft Advanced Threat Analytics brings the behavioral analytics concept to IT and the organization’s users: an on-premises platform to identify advanced security attacks and insider threats before they cause damage, pairing behavioral analytics with advanced threat detection of advanced attacks and security risks.
ENTERPRISE MOBILITY + SECURITY
Three pillars: identity-driven security; comprehensive solution; managed mobile productivity
Managed mobile productivity
Unsecured apps: 80%
MANAGED MOBILE PRODUCTIVITY
• Manage and secure devices
• Office mobile apps
• Data-level protection
• User self-service
MANAGED MOBILE PRODUCTIVITY
Access management
• Conditional access
• Device settings & compliance enforcement
• Multi-identity support
Built-in security
• Mobile app management (with and without device enrollment)
• File level classification, labeling, and encryption
Gold standard
• Office mobile apps
• Familiar and trusted
MANAGED MOBILE PRODUCTIVITY
Multi-identity policy keeps corporate data in managed apps separate from personal data in personal apps. Copy, paste and save out of a managed app are policy-controlled: saving to personal storage, pasting into a personal app, or attaching corporate data to a personal email can be blocked.
• Empower users to make right decisions
• Enable safe sharing internally and externally
• Maintain visibility and control
MANAGED MOBILE PRODUCTIVITY
Protect your data at all times
Classification & labeling: CLASSIFICATION, LABELING
Protect: ENCRYPTION, ACCESS CONTROL, POLICY ENFORCEMENT
Monitor & respond: DOCUMENT TRACKING, DOCUMENT REVOCATION
MANAGED MOBILE PRODUCTIVITY
Sensitivity labels: STRICTLY CONFIDENTIAL, CONFIDENTIAL, INTERNAL, NOT RESTRICTED (with scoped sub-labels such as FINANCE CONFIDENTIAL)
IT admin sets policies, templates, and rules
Classify data according to policies – automatically or by user
Add persistent labels defining sensitivity to files
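The slide says classification is automatic or by the user and that labels persist with the file, but shows no rule. The following is an added example, not code from the deck or from Azure Information Protection: rule-based classification of text into the four levels shown, with a Luhn check so that an arbitrary run of digits is not mistaken for a card number, a persistent label stamped into the document as its first line, and a relabel step that lets a user raise a label freely but requires a justification to lower one. The detection patterns, the header format and the sample documents are assumptions made for the illustration.

```python
"""Added example (not from the deck): rule-based classification and persistent labels."""
import re

LABELS = ["NOT RESTRICTED", "INTERNAL", "CONFIDENTIAL", "STRICTLY CONFIDENTIAL"]
MARKER = "Sensitivity-Label: "    # persistent label carried as the first line (assumed format)

CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")     # candidate payment card numbers
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")        # US SSN shape


def luhn_ok(digits):
    """Mod-10 check so long digit runs are only treated as cards when they validate."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def has_card_number(text):
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            return True
    return False


# (predicate, label): the highest matching label wins; the default is the lowest
RULES = [
    (has_card_number, "STRICTLY CONFIDENTIAL"),
    (lambda t: SSN_RE.search(t) is not None, "CONFIDENTIAL"),
    (lambda t: "internal use only" in t.lower(), "INTERNAL"),
]


def classify(text):
    best = 0
    for predicate, label in RULES:
        if predicate(text):
            best = max(best, LABELS.index(label))
    return LABELS[best]


def read_label(doc):
    """Return (label, body); label is None when the document carries no label."""
    first, _, rest = doc.partition("\n")
    if first.startswith(MARKER) and first[len(MARKER):] in LABELS:
        return first[len(MARKER):], rest
    return None, doc


def label_document(doc):
    """Classify automatically and stamp the result as a persistent header."""
    _, body = read_label(doc)          # re-labelling an already labelled file is safe
    return f"{MARKER}{classify(body)}\n{body}"


def relabel(doc, new_label, justification=None):
    """User-chosen label: raising is free, lowering needs a recorded justification."""
    if new_label not in LABELS:
        raise ValueError(f"unknown label {new_label!r}")
    current, body = read_label(doc)
    current_idx = LABELS.index(current) if current else 0
    if LABELS.index(new_label) < current_idx and not justification:
        raise ValueError("lowering a sensitivity label requires a justification")
    return f"{MARKER}{new_label}\n{body}"


# Constructed sample documents (not real data)
SAMPLES = {
    "menu": "Lunch menu for Friday: soup and salad.",
    "q3": "Q3 numbers attached. Internal use only.",
    "hr": "Customer SSN 123-45-6789 is on file.",
    "invoice": "Charge card 4111 1111 1111 1111 for invoice 88.",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, "->", read_label(label_document(text))[0])
```

The downgrade guard is the part to keep in mind when designing a labeling policy: automatic classification sets a floor, a user may add sensitivity, and removing it leaves a justification behind for the monitor-and-respond step.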
Manage your account, apps and groups
Company branded, personalized application Access Panel: http://myapps.microsoft.com (+ iOS and Android mobile apps)
• Self-service password reset
• Application access requests
• Integrated Office 365 app launching
MANAGED MOBILE PRODUCTIVITY
ENTERPRISE MOBILITY + SECURITY
Three pillars: identity-driven security; comprehensive solution; managed mobile productivity
Enterprise Mobility + Security: IDENTITY – DRIVEN SECURITY
• Azure Active Directory Premium: manage identity with hybrid integration to protect application access from identity attacks
• Microsoft Intune: protect your users, devices, and apps
• Azure Information Protection: protect your data, everywhere
• Microsoft Cloud App Security: extend enterprise-grade security to your cloud and SaaS apps
• Microsoft Advanced Threat Analytics: detect threats early with visibility and threat analytics
COMPREHENSIVE SOLUTION
Integrates with what you have; simple to set up; easy to maintain; saves you money
COMPREHENSIVE SOLUTION
Employees, business partners, customers; users, devices, apps, data
• Secure and protect against new threats
• Maximum productivity experience
• Comprehensive and integrated
Always up to date
• Real-time updates
• Keep up with new apps and devices
Works with what you have
• Support multiple platforms
• Use existing investments
Simple to set up and connect
• Easy, secure connections
• Simplified management
COMPREHENSIVE SOLUTION
Total cost (per user/month) across five capabilities: information protection; user and entity behavioral analysis; cloud access security broker; identity and access management; mobile device and application management
Included with Microsoft EMS E5: $15 total
Available separately from other vendors: identity and access management (note 2) and MDM/MAM (note 3) priced at $8 and $10, the remaining capabilities not priced individually (note 1), $18+ total
For the cost of Identity & Access Management and MDM/MAM from other vendors, EMS provides advanced security capabilities to protect users, devices, apps and data.
1. Individual pricing not currently available. 2. Okta Enterprise Edition as of 3/1/2015. 3. AirWatch Orange Management Suite Cloud as of 3/1/2015.
ENTERPRISE MOBILITY + SECURITY
Identity-driven security: holistic, intelligent, innovative security to keep up with new threats.
Comprehensive solution: secure your enterprise fast, while keeping what you have and saving money.
Managed mobile productivity: encourage secure work habits by providing the best apps with built-in security.
EMS E3 and EMS E5 components
Information protection
• Azure Information Protection Premium P1 (EMS E3): encryption for all files and storage locations; cloud-based file tracking
• Azure Information Protection Premium P2 (EMS E5): intelligent classification and encryption for files shared inside and outside your organization (includes all capabilities in P1)
Identity-driven security
• Microsoft Advanced Threat Analytics (EMS E3 and E5): protection from advanced targeted attacks leveraging user and entity behavioral analytics
• Microsoft Cloud App Security (EMS E5): enterprise-grade visibility, control, and protection for your cloud applications
Managed mobile productivity
• Microsoft Intune (EMS E3 and E5): mobile device and app management to protect corporate apps and data on any device
Identity and access management
• Azure Active Directory Premium P1 (EMS E3): secure single sign-on to cloud and on-premises apps; MFA, conditional access, and advanced security reporting
• Azure Active Directory Premium P2 (EMS E5): identity and access management with advanced protection for users and privileged identities (includes all capabilities in P1)
Intelligence, Collaboration, Trust, Mobility
Empower your employees by creating a secure productive enterprise
Windows 10 Enterprise: always up to date; more productive; powerful, modern devices; more personal; safer and more secure
Security features: Windows Information Protection, Windows Hello, Credential Guard, Device Guard, AppLocker, Windows Defender Advanced Threat Protection
Management features: Azure Active Directory Join, Mobile Device Management, Application Virtualization (App-V), Windows Ink, Windows Store for Business, Cortana Management, Managed User Experience, User Experience Virtualization (UE-V), Windows 10 for Industry Devices
The most trusted platform; the most versatile devices: innovative designs, new experiences, best in class performance
Office 365, Enterprise Mobility + Security and Windows 10 Enterprise, delivered through enterprise cloud services
Enterprise Mobility + Security: what EMS adds beyond Office 365
Identity and access management
Basic identity management via Azure AD for O365:
• Single sign-on for O365
• Basic multi-factor authentication (MFA) for O365
Azure AD for O365 + EMS (Azure AD Premium):
• Advanced security reports
• Single sign-on for all apps
• Advanced MFA
• Self-service group management, password reset and write back to on-premises
• Dynamic Groups, group-based licensing assignment
Managed mobile productivity
Basic mobile device management via MDM for O365:
• Device settings management
• Selective wipe
• Built into O365 management console
MDM for O365 + EMS (Microsoft Intune):
• PC management
• Mobile app management (prevent cut/copy/paste/save as from corporate apps to personal apps)
• Secure content viewers
• Certificate provisioning
• System Center integration
Information protection
RMS protection via RMS for O365:
• Protection for content stored in Office (on-premises or O365)
• Access to RMS SDK
• Bring your own key
RMS for O365 + EMS (Azure Information Protection):
• Automated intelligent classification and labeling of data
• Tracking and notifications for shared documents
• Protection for on-premises Windows Server file shares
Identity-driven security
Advanced Security Management (O365): insights into suspicious activity in Office 365
Cloud App Security (EMS): visibility and control for all cloud apps
Advanced Threat Analytics (EMS): identify advanced threats in on-premises identities
Azure AD Premium P2 (EMS): risk-based conditional access
Windows 10 + Enterprise Mobility + Security
Identity and access management
Windows 10:
• Single sign-on for business cloud apps
• Device setup and registration for Windows devices
• Windows Store for Business
Windows 10 + EMS:
• Conditional access policies for secure single sign-on
• MDM auto-enrollment
• Self-service BitLocker recovery
• Password reset with write back to on-premises
• Cloud-based advanced security reports and monitoring
• Enterprise State Roaming
Managed mobile productivity
Windows 10:
• Traditional domain join manageability
• Manageability via MDM and MAM
Windows 10 + EMS:
• Mobile device management
• Mobile app management
• Secure content viewer
• Certificate, Wi-Fi, VPN, email profile provisioning
• Agent-based management of Windows devices (domain-joined via ConfigMgr and internet-based via Intune)
Information protection
Windows 10:
• Encryption for data at rest and generated on device
• Encryption for data included in roaming settings
Windows 10 + EMS:
• Automated intelligent classification and labeling of data
• Tracking and notifications for shared documents
• Protection for content stored in Office and Office 365 & Windows Server on premises
Identity-driven security
Windows 10: Windows Defender Advanced Threat Protection, identifying advanced threats using Windows 10 behavioral sensors
Windows 10 + EMS: Cloud App Security (visibility and control for all cloud apps); Advanced Threat Analytics (behavioral analytics for advanced threat detection); Azure AD Premium (risk-based conditional access)