Secure Deployment of Office 365

Eric Wendt

USD, CSOL 560

4/10/2017



Introduction

It is increasingly common for enterprise employees to conduct business on personal mobile devices such as smartphones or tablets. This “bring your own device” (BYOD) practice is an “unstoppable trend” because it benefits employees, who get to work on their own devices, as well as organizations, which can decrease or eliminate the budget for purchasing mobile devices (Messmer, 2012). But the BYOD phenomenon also introduces numerous security concerns, the most obvious of which is that neither the devices nor their users can be relied upon one hundred percent to adhere to company security policies. The devices may be jailbroken or rooted, and they will frequently be used in environments outside the company’s control, such as hotels or coffee shops. There is also the risk of loss or theft of the mobile devices, and the risk that sensitive or confidential data may be stolen or corrupted. There is even the possibility that a malicious user could pivot onto the company network from the mobile device.

These issues and more will need to be addressed by an organization’s security team. In this paper, I will discuss some of the considerations in designing and implementing a BYOD security policy, things that employees should be aware of or educated about, systems that security teams can implement, such as Mobile Device Management software or VPNs, and ways to protect against specific types of attacks. Solutions will specifically discuss concerns during an Office 365 deployment, but they can be applied to most scenarios in which personal mobile devices are used for company business.

Developing and Implementing a BYOD Security Policy

Network Access Control and Conditional Access

Network Access Control (NAC), especially when combined with Mobile Device Management (MDM) software, which I will discuss later, is extremely important to include when developing a BYOD policy. The concepts of Network Access Control and Conditional Access have been around for a while, but they did not get much traction until the BYOD phenomenon began.

The idea of Network Access Control is essentially to give the least amount of access to the least number of users, but it also includes things like checking to make sure antivirus or patch updates are installed before users are allowed on the network (Ibid.). Network Access Control might also check to see if there is BYOD “containerization” or sandboxing in place, for instance, to make sure personal and business data are separated in some way before network access is granted.

Conditional Access is a related and equally important tool to consider. Since employees will want to access Office 365 services such as Exchange and SharePoint Online from their personal devices, IT administrators need to ensure that the access is secure. Conditional Access device policies are the solution to this dilemma. In Office 365, conditional access works in the following manner. In order to access Office 365 services from a mobile device, users must first enroll their devices with either the Azure Active Directory or Company Portal application. Then, when the user requests a service, the directory or portal authenticates the user and the device and grants access to the service only when the user conforms to the specific policy set for that service. Device enrollment should be a prerequisite for access to Office 365 services from mobile devices (Mathers, 2017).


Mobile Device Management (MDM) Software

Mobile Device Management software is a type of sandboxing in which the organization’s data and applications are isolated from all the other data and applications on a personal mobile device. MDM software is generally developed based on a business’s security needs, especially where employees carrying BYOD devices with company information could expose an enterprise to risk (technopedia, 2017).

Office 365 has its own built-in MDM, which you can use to create mobile device management policies with settings that help control access to the organization’s Office 365 Exchange email and Word or Excel documents from supported mobile devices and apps (Microsoft, 2017). If a device is lost or stolen, you can also use the MDM to remotely wipe the device to remove sensitive organizational information. (We will discuss that feature in more detail in another section.) There are several MDM features built into Office 365:

Help secure and manage corporate resources—Apply security policies on devices that connect to Office 365 to ensure that Office 365 corporate email and documents are synchronized only on phones and tablets that are managed by your company.

Apply mobile device settings—Set and manage security policies such as device level pin lock and jailbreak detection on devices to help prevent unauthorized users from accessing corporate email and data when a device is lost or stolen.

Perform a selective wipe of Office 365 data—Remove Office 365 corporate data from a device when an employee leaves your organization, while leaving their personal data, photos and apps intact.

Preserve Office 365 productivity experience—Unlike third-party MDM solutions that have replaced productivity apps with restrictive all-in-one apps for corporate email, calendars and documents, MDM for Office 365 is built directly into the productivity apps your employees know and love. You can set access policies to help secure company data while keeping employees productive.

Manage policies with ease—Administer mobile device policies directly from within the Office 365 administration portal, through an easy to use interface with wizard-based set up. View reports on which devices are connected to Office 365 and identify devices that have been blocked due to non-compliance. (Office 365 Team, 2014)

In order to create the most secure BYOD implementation, NAC and MDM tools should be fully integrated.

Mobile Access Management (MAM)

If the MDM software does not provide support and security for applications, which Office 365 does but not all MDMs do, the organization should also roll in Mobile Access Management tools (Device Manager, 2016). MAM is a software-based security suite that focuses on securing access to and the actions of applications rather than on the entire authenticating mobile device. Mobile Access Management monitors, updates, and removes unsafe or unauthorized applications from an employee’s device.

MAM requires that the employee install an app, or suite of apps, on their mobile device. After this point, the device is permitted secure access to the corporate network and its resources. In addition to providing secure remote access, MAM suites also feature an enterprise application store where corporations can create, secure, and deliver their own mobile apps to their employees. These apps then connect to corporate resources securely so that any data sent between the network and the device is fully encrypted.

MAM suites can also scan devices for rogue apps, track applications, and warn employees of policy violations for apps that aren't allowed on their devices or inside the corporate network.

Virtual Private Networks (VPNs)

When personal mobile devices are connected to the Internet via Wi-Fi or via their cellular networks, they are susceptible to man-in-the-middle attacks, where attackers can eavesdrop on, intercept, and even modify communications. The risk of using untrusted networks such as hotel, coffee shop, or even employee home networks and cellular networks can be reduced by using strong encryption technologies such as virtual private networks (VPNs), as well as public-private key authentication mechanisms to verify the identities of both endpoints before data is transmitted. VPNs create a sort of protected tunnel through which the mobile device user and the enterprise network can communicate. A VPN allows companies to secure their data, including any mobile application data, as well as their network’s integrity, by replacing personal employee IP addresses with a generic IP address.

Acceptable Use Policies

A company should define Acceptable Use policies as part of the BYOD implementation. Acceptable use policies can include policies such as employees not using their devices to access illicit materials or harass others. But from a security perspective, some important policies might include:

Allowing a detailed list of apps, such as weather, productivity apps, or certain social media apps such as Facebook, but blocking apps through which content can be downloaded, such as iTunes or Google Play (Berry, 2017). Such apps can be blocked while the user is connected to the network via the MDM or VPN.

Devices and Support

An IT Team will also want to develop a list of supported devices. For example, smartphones including iPhone, Android, Blackberry and Windows phones might be allowed (the list should specify models, operating systems and versions, etc.), but other devices, such as ones with known security issues, might not be supported (Ibid.). Tablets should, of course, be addressed in a similar manner.

Connectivity issues should be resolved by the enterprise IT team. Employees should/should not contact the device manufacturer or their carrier for operating system or hardware-related issues (Ibid.).

Devices should ideally be presented to the IT team for preparation and configuration of required applications, such as browsers, office productivity software and security tools, before they can access the network.


Remote or Selective Wipe

As mentioned previously, the Office 365 MDM supports remote wipes. This is “a powerful feature to prevent sensitive or confidential data on mobile phones from falling into the wrong hands” (Chai, 2012). The remote wipe feature is available not only to the IT team but to all users, so that those who have lost their phone or had it stolen can perform their own remote wipes (Ibid.). If users discover that their phone is missing but have no access to the Internet and, as a precautionary measure, want to initiate the remote wipe immediately, they can call their IT team and ask that an administrator execute the remote wipe for them.

Users should remember that a remote device wipe will also delete any data on the phone’s hard drive and on any storage card that's inserted in the mobile phone, so things such as family photos or their music library may be wiped in the process.

Other device security considerations

Here are a few other security measures to consider implementing as part of a strong BYOD policy:

In order to prevent unauthorized access, devices should be password protected using the features of the device and a strong password should also be required to access the company network (Berry, 2017).

The device should lock itself with a password or PIN if it’s idle for five minutes.

After five failed login attempts, the device should lock. Contact IT to regain access.

Rooted (Android) or jailbroken (iOS) devices should be strictly forbidden from accessing the network.

Employees should be automatically prevented from downloading, installing and using any app that does not appear on the company’s list of approved apps.

Smartphones and tablets that are not on the company’s list of supported devices are/are not allowed to connect to the network.

Employees’ access to company data is limited based on user profiles defined by IT and automatically enforced.

And, finally, the employee’s device may be remotely wiped if 1) the device is lost, 2) the employee terminates his or her employment, 3) IT detects a data or policy breach, a virus or similar threat to the security of the company’s data and technology infrastructure. (Berry, 2017)
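The conditional access flow described earlier (enroll the device, then check user and device against the policy for the requested service) and the device rules listed above can be combined into one access decision. The following is an added illustration written for this paper, not code from the paper, from Microsoft or from the Office 365 MDM; the service names, check names, thresholds and sample devices are all constructed for the example.

```python
"""Conditional access decision for an Office 365 service request (constructed example)."""
from dataclasses import dataclass, field


@dataclass
class Device:
    device_id: str
    platform: str            # e.g. "iOS" or "Android"
    os_version: str
    enrolled: bool           # enrolled with Azure AD / the Company Portal app
    pin_lock: bool           # device-level PIN or password lock is turned on
    idle_lock_minutes: int   # minutes of idle time before the device locks
    rooted_or_jailbroken: bool
    installed_apps: frozenset = field(default_factory=frozenset)


# Constructed policy values mirroring the BYOD rules in the paper.
SUPPORTED_DEVICES = {("iOS", "10"), ("Android", "7")}   # (platform, major OS version)
APPROVED_APPS = {"Outlook", "Word", "Excel", "Weather"}
MAX_IDLE_MINUTES = 5

# Per-service policy: the checks that must pass before access is granted.
SERVICE_POLICY = {
    "Exchange Online": {"enrolled", "supported", "pin_lock", "not_rooted"},
    "SharePoint Online": {"enrolled", "supported", "pin_lock", "not_rooted", "approved_apps"},
}


def evaluate_device(device):
    """Return the set of policy checks that the device passes."""
    passed = set()
    if device.enrolled:
        passed.add("enrolled")
    major_version = device.os_version.split(".")[0]
    if (device.platform, major_version) in SUPPORTED_DEVICES:
        passed.add("supported")
    if device.pin_lock and device.idle_lock_minutes <= MAX_IDLE_MINUTES:
        passed.add("pin_lock")
    if not device.rooted_or_jailbroken:
        passed.add("not_rooted")
    if device.installed_apps <= APPROVED_APPS:   # only approved apps installed
        passed.add("approved_apps")
    return passed


def conditional_access(device, service):
    """Return (granted, missing_checks) for a request to `service`."""
    required = SERVICE_POLICY.get(service)
    if required is None:
        return False, {"unknown_service"}
    if not device.enrolled:                      # enrollment is a prerequisite
        return False, {"enrolled"}
    missing = required - evaluate_device(device)
    return not missing, missing


# Constructed sample devices.
COMPLIANT = Device("dev-1", "iOS", "10.3", True, True, 5, False, frozenset({"Outlook", "Word"}))
JAILBROKEN = Device("dev-2", "iOS", "10.3", True, True, 5, True, frozenset({"Outlook"}))
UNENROLLED = Device("dev-3", "Android", "7.1", False, True, 5, False, frozenset({"Outlook"}))
STORE_APP = Device("dev-4", "Android", "7.1", True, True, 2, False, frozenset({"Outlook", "Google Play"}))

if __name__ == "__main__":
    for dev in (COMPLIANT, JAILBROKEN, UNENROLLED, STORE_APP):
        for svc in SERVICE_POLICY:
            print(dev.device_id, svc, conditional_access(dev, svc))
```

Note that the same device can be allowed into one service and blocked from another, because each service carries its own policy, which is the behaviour the conditional access section describes.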

Provide a list of disclaimers

Here are some disclaimers that should be included as part of the BYOD policy:

While IT will take every precaution to prevent the employee’s personal data from being lost in the event it must remote wipe a device, it is the employee’s responsibility to take additional precautions, such as backing up email, contacts, etc.

The company reserves the right to disconnect devices or disable services without notification.

Lost or stolen devices must be reported to the company within 24 hours. Employees are responsible for notifying their mobile carrier immediately upon loss of a device.


The employee is expected to use his or her devices in an ethical manner at all times and adhere to the company’s acceptable use policy as outlined above.

The employee is personally liable for all costs associated with his or her device. The employee assumes full liability for risks including, but not limited to, the partial or complete loss of company and personal data due to an operating system crash, errors, bugs, viruses, malware, and/or other software or hardware failures, or programming errors that render the device unusable.

Company XYZ reserves the right to take appropriate disciplinary action up to and including termination for noncompliance with this policy. (Berry, 2017)

Provide security awareness and education

The IT team should provide security awareness and education to all users. Users should be taught, for example, to identify ransomware or phishing scams. Educating users on how to react to a security incident, such as their device being infected with ransomware, will make the recovery process more streamlined and reduce the risk that the infection will spread further (Berry, 2017).

Defending against attacks

Microsoft has developed a number of products to secure Office 365, such as Exchange Online Protection and Advanced Threat Protection, but none of these tools can offer perfect protection, especially when personal mobile devices are included in the Office 365 deployment. Nonetheless, these tools can help, as they provide a level of virtualization via sandboxing, as illustrated in the graphic below.

Figure 1: Microsoft Advanced Threat Protection


But it would be foolish to think that these products alone are enough to protect our networks. In fact, there have even been cases of ransomware getting through Advanced Threat Protection. So, clearly, we need to implement other types of security. Here’

Defending against DDoS Attacks

Office 365 services such as Exchange are intentionally built to support a very high load as well as to protect and mitigate against application-level DoS and DDoS attacks. We have implemented a scaled-out architecture where services are distributed across multiple global datacenters with regional isolation and throttling features in some of the workloads (Microsoft, 2009).

It is important to build as high a level of absorption capacity into the network as possible, and to use Advanced Threat Protection and other IDS methods for detection and mitigation.

Remember that the calculation for determining the time to impact of a DoS is: Maximum Capacity / (Maximum Capacity X Growth Rate) = Time to Impact.

In summary, there are really only two things that can be done to defend against DoS attacks: 1. Increase capacity to raise the ceiling of maximum capacity (which in turn provides more time to detect an attack); or 2. Decrease the time to detect. (Microsoft, 2009)

Protecting against Ransomware

As mentioned, Office 365 has some built-in protections against security threats such as malware and ransomware, but customers have still been infected with ransomware. So here are some suggestions:

Keep antivirus/antimalware solutions running and up to date.

For Office 365, enable Microsoft Active Protection Service (MAPS) cloud-based protection.

Regularly back up files.

Encourage the use of OneDrive for Business.

Keep Windows and installed software up to date.

Enable file history or system protection. (Pena, 2016)

Many ransomware attacks are quite sophisticated and users can still fall victim to them, regardless of the protective measures taken. If someone in your organization falls victim to a ransomware attack, remember that there is no guarantee that paying the ransom will restore access to the organization’s files. Furthermore, paying the ransom can open the organization up to being the target of additional ransomware attacks.

References

Berry, M. (2017). BYOD Policy Template. Retrieved from IT Manager Daily: http://www.itmanagerdaily.com/byod-policy-template/

Chai, B. (2012, June 1). Remote wiping a mobile phone through the Office 365 Admin Console. Retrieved from IT Pro Portal: http://www.itproportal.com/2012/06/01/phone-protection-administrator/

Device Manager. (2016, March 16). What is the Difference Between MDM, MAM and EMM? Retrieved from Device Manager: https://dm.comodo.com/blog/mobile-device-management/what-is-the-difference-between-mdm-mam-and-emm/

Mathers, B. (2017, February 22). Conditional access device policies for Office 365 services. Retrieved from Microsoft Azure: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-device-policies

Messmer, E. (2012, May 8). Will BYOD revive the network-access control idea? Gartner thinks it will. Retrieved from Network World: http://www.networkworld.com/article/2188255/byod/will-byod-revive-the-network-access-control-idea--gartner-thinks-it-will.html

Microsoft. (2009, November 15). Planning to protect against denial of service flood attacks. Retrieved from Microsoft Technet: https://technet.microsoft.com/en-us/library/dd897007.aspx

Microsoft. (2017). Capabilities of built-in Mobile Device Management for Office 365. Retrieved from Microsoft: https://support.office.com/en-us/article/Capabilities-of-built-in-Mobile-Device-Management-for-Office-365-a1da44e5-7475-4992-be91-9ccec25905b0

Office 365 Team. (2014, October 28). Introducing built-in mobile device management for Office 365. Retrieved from Office Blogs: https://blogs.office.com/2014/10/28/introducing-built-mobile-device-management-office-365/

Pena, A. (2016, April 6). How to Deal with Ransomware. Retrieved from Securing Office 365: https://blogs.technet.microsoft.com/office365security/how-to-deal-with-ransomware/

technopedia. (2017). Device Management Software. Retrieved from technopedia: https://www.techopedia.com/definition/24763/device-management-software