Securing Office 365 and Microsoft Azure like a rock star (or groupie) Jussi Roine @JussiRoine

SPSNL17 - Securing Office 365 and Microsoft Azure like a rock star (or groupie) - Jussi Roine

Page 1

Securing Office 365 and Microsoft Azure like a rock star (or groupie)

Jussi Roine @JussiRoine

Page 2

Page 3

JUSSI LIVES HERE

Page 4

WTF!

Page 5

Agenda and takeaways

Security building blocks: The Big Picture
Azure AD Premium
External threats
Internal threats
How to protect Azure and Office 365
How to protect on-premises services
Licenses
Wait whattt?

Page 6

Security building blocks

Page 7

Office 365: Core services

Azure AD

Page 8

Office 365: All major services

Azure AD

Page 9

Office 365: With extensibility

Azure AD

Page 10

Office 365: With Azure-related services

MFA

Stream

OMS

Azure AD

Page 11

Page 12

Wait, what? Hold on!

Do I have to manage security on all these AND on-premises too?

Page 13

A starting point: ”We are in the cloud!”
This is the common, kind-of hybrid architecture model.

Microsoft Azure
Office 365
Site-to-Site VPN
Azure AD Connect
ADFS
Proxy
On-premises

Page 14

The heart of security: Azure Active Directory

The core of each Azure subscription
You can have multiple AAD tenants within the same Azure subscription

Users, groups, licenses, permissions, apps, app proxies, domains.. all here!

Managed through Azure Portal, some tiny things are still only available in the Classic Portal

It’s important to understand the difference between AAD, AD and AAD Connect (and AAD DS)

Identities, management and security

Page 15

Your mission

Protect the identities in the cloud – it is the new perimeter!

Page 16

Azure Active Directory: Free, Basic, Premium

Feature                         AAD Free        AAD Basic           AAD Premium P1      AAD Premium P2
SSO support                     10 apps/user    10 apps/user        No limit            No limit
Security reports                3 (basic)       3 (basic)           Advanced            Advanced
Self-Service password reset
Application Proxy
Multi-Factor Authentication
Connect Health
Cloud App Discovery
Privileged Identity Management
Identity Protection
Price                           Free!           0.84 €/user/month   5.06 €/user/month   7.59 €/user/month

(cloud users)

A few highlighted features of AAD and a comparison between licenses

Page 17

Security building blocks in Azure

Security
Role-Based Access Control
Key Vault
Microsoft anti-malware
Rights Management/Information Protection
Cloud App Discovery
Security Center

Infrastructure
Network Security Groups (NSG)
Site-to-Site VPN
Point-to-Site VPN
ExpressRoute
Network Security Appliances
Host-based & NextGen firewalls

Azure Active Directory
Connect Health
Identity Protection
Privileged Identity Management
OMS Security & Audit
Multi-Factor Authentication

Page 18

Analogy to cloud security

Rancilio Silvia: Best. Espresso. Ever.
(This is what I got)

Customized Rancilio Silvia
(This is what you think you need)

Rancilio Silvia with the Rocky grinder and steel base
(This is what you should end up with)

Page 19

External threats

Page 20

Securing authentication for users with Multi-Factor Authentication

Enforces security beyond username and password
User must possess something – typically a mobile device

Strong authentication occurs over text message, pin, fingerprint, mobile app approval or voice call

Users must enroll through https://aka.ms/mfauserhowto

Available as Office 365 MFA, Azure MFA for Admins and Azure MFA

Certain non-browser apps do not support MFA -- users have to provision separate App Passwords (one or more) through the MyApps portal
This tends to be challenging for non-technical users

Multi-Factor Authentication for on-premises with Azure MFA Server

Enables easy securing of VPNs, IIS web apps & Remote Desktop
Maybe not the most logical to set up..

Supports RADIUS so fairly easy to integrate with legacy systems ;-)

Strong and secure authentication for on-premises, hybrid & the cloud

Page 21

Baseline your security in Office 365 with Secure Score

A free service at https://securescore.office.com

After initial scoring you can select a new baseline
Provides a list of actions for things to fix, in order to achieve a new baseline

Max score is 432
Office 365 average is 29
I have 72!

You get to 111 just by enabling MFA for global admins

Automated scan of your Office 365 subscription settings and general security

Page 22

A dashboard for Azure security with Security Center

A simple way to view what’s secured and what’s not in Azure

Includes behavioral analytics and incident reporting

Standard license gives advanced threat detection & intelligence

Provides an overview on security for cloud resources

Page 23

Securing and monitoring Azure AD Connect, ADFS and on-premises AD configuration with Azure AD Connect Health

Monitors your AD FS, AD FS Proxy, AAD Domain Services and AAD Connect status

Can alert you when things break down – useful for many directory-related services, and especially for Azure AD Connect issues

Deploying is easy: Install agents for AD FS, AAD Connect and AD DS servers

Verify configuration on AAD CH blade in Azure Portal

Somewhat sadly this feature requires AAD Premium license – all users must be licensed in the scope of AAD CH

Agent-based service to monitor your AD domain controllers and ADFS infrastructure

Page 24

Safeguarding for users who log in from weird countries with Azure AD Identity Protection

Watchdog for user sign-ins, can associate individual logins with risk factors

Automatically flags suspicious events, such as users who perform impossible travel times (typically with VPN connectivity)

Enforces additional policies based on low/high risk factors
Enforce MFA for the duration of the login

Enforce self-service password reset (which subsequently enforces MFA)

Weekly email digest of findings and things to lose your sleep over

Monitoring for risk events, vulnerabilities and automatic policy changes
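The impossible-travel check this slide describes, written out as an added example (not Microsoft's code or the presenter's): consecutive sign-ins by the same user are compared, and a pair whose implied speed is faster than an airliner is flagged as a risk event. The sign-in records are constructed and already carry a geo-IP location; the 1000 km/h ceiling and the 50 km jitter floor are assumptions.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sign-in records (not real tenant data): user, UTC time, country, lat, lon.
# Geo-IP resolution of the client address is assumed to have happened upstream.
SIGNINS = [
    ("alice", "2017-06-24T08:00:00", "NL", 52.37, 4.90),    # Amsterdam
    ("alice", "2017-06-24T08:40:00", "US", 40.71, -74.01),  # New York, 40 minutes later
    ("bob",   "2017-06-24T09:00:00", "FI", 60.17, 24.94),   # Helsinki
    ("bob",   "2017-06-24T15:00:00", "NL", 52.37, 4.90),    # Amsterdam, 6 hours later
]

MAX_KMH = 1000.0  # assumed ceiling: faster than an airliner means nobody made the trip
MIN_KM = 50.0     # assumed floor: ignore geo-IP jitter within one city

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points on the Earth, in kilometres."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def impossible_travel(signins, max_kmh=MAX_KMH, min_km=MIN_KM):
    """Flag consecutive sign-ins per user whose implied travel speed is not humanly possible.

    Returns one (user, from_country, to_country, km, hours, kmh) tuple per flagged pair."""
    by_user = {}
    for user, ts, country, lat, lon in sorted(signins, key=lambda s: (s[0], s[1])):
        by_user.setdefault(user, []).append((datetime.fromisoformat(ts), country, lat, lon))
    flagged = []
    for user, events in by_user.items():
        for (t1, c1, la1, lo1), (t2, c2, la2, lo2) in zip(events, events[1:]):
            km = haversine_km(la1, lo1, la2, lo2)
            if km < min_km:
                continue
            hours = (t2 - t1).total_seconds() / 3600
            kmh = km / hours if hours > 0 else float("inf")  # same timestamp, far apart
            if kmh > max_kmh:
                flagged.append((user, c1, c2, round(km), round(hours, 2), round(kmh)))
    return flagged

if __name__ == "__main__":
    for hit in impossible_travel(SIGNINS):
        print("risk event, impossible travel:", hit)  # alice, NL -> US in 0.67 h
```

Corporate VPN egress produces exactly this pattern, which is why the slide's response to a flagged sign-in is a step-up (MFA or a password reset) rather than a hard block.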

Page 25

Getting rid of static admin roles with Azure AD Privileged Identity Management (PIM)

Instead of granting permanent admin privileges, PIM allows ad-hoc & just-in-time admin roles

Users can request for new privileges for predefined duration

Scans for fixed admin roles and changes them to temporary roles

Admin roles become non-permanent

Duration can be set from 1 hour to 72 hours

Can enforce MFA during role grant

In preview: Approval workflows for new privilege requests

Central view & management for all admins roles throughout Azure and Office 365

”Just-in-time” administration privileges for users on request
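A minimal model of the PIM flow on this slide, added here as an illustration and not Microsoft's API or the presenter's material: standing assignments are converted to eligibility, an activation has to pass MFA and fit the 1 to 72 hour window, and a role is only held while an unexpired activation exists. User names, role names and times are constructed.

```python
from datetime import datetime, timedelta

MIN_HOURS, MAX_HOURS = 1, 72  # activation window quoted on the slide

# Constructed "before PIM" tenant state (not real data): who holds roles permanently.
PERMANENT_ASSIGNMENTS = [
    ("alice", "Global Administrator"),
    ("bob", "Exchange Administrator"),
]

def convert_to_eligible(permanent):
    """PIM's scan-and-convert step: standing assignments become eligible only (None = not active)."""
    return {assignment: None for assignment in permanent}

def check_request(state, user, role, hours, mfa_passed):
    """Policy checks applied before any grant; returns a reason string or None if OK."""
    if (user, role) not in state:
        return f"{user} is not eligible for {role}"
    if not mfa_passed:
        return "MFA is required at activation time"
    if not MIN_HOURS <= hours <= MAX_HOURS:
        return f"duration must be {MIN_HOURS}-{MAX_HOURS} hours, got {hours}"
    return None

def activate(state, user, role, hours, mfa_passed, now):
    """Time-boxed, just-in-time grant: the role is active only until `now + hours`."""
    problem = check_request(state, user, role, hours, mfa_passed)
    if problem:
        raise PermissionError(problem)
    state[(user, role)] = now + timedelta(hours=hours)
    return state[(user, role)]

def active_roles(state, now):
    """Roles actually held at `now`: unexpired activations only, never bare eligibility."""
    return sorted((u, r) for (u, r), expires in state.items()
                  if expires is not None and expires > now)

def demo():
    """Walk one activation through its lifetime; returns the active set before/during/after."""
    t0 = datetime(2017, 6, 24, 9, 0)
    tenant = convert_to_eligible(PERMANENT_ASSIGNMENTS)
    before = active_roles(tenant, t0)                      # nobody is a standing admin now
    activate(tenant, "alice", "Global Administrator", 4, mfa_passed=True, now=t0)
    during = active_roles(tenant, t0 + timedelta(hours=1))
    after = active_roles(tenant, t0 + timedelta(hours=5))  # expired: back to eligible only
    return before, during, after

if __name__ == "__main__":
    print(demo())  # ([], [('alice', 'Global Administrator')], [])
```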

Page 26

Tracking botnet and brute force attacks

OMS provides System Center-like capabilities in the cloud

Capable of tracking hybrid deployments, including Office 365 and Azure

Gathers logs (also custom ones), configuration data, update status, availability, backup info and even Surface Hub data

Operations Management Suite (OMS) is the Swiss Army knife you need

Page 27

Protecting from external threats with Office 365

Provides a 360° view on external threats against users

Insights and analysis based on evidence, act accordingly

Allows for custom policies and reactions

Threat Intelligence uses evidence-based knowledge on threats

Page 28

Publishing internal services securely

Enforce authentication at Azure AD, before allowing access to internal resources

Configuration is simple, and supports high availability deployments

Internal services do not require changes

Dual-authentication also supports:
First on Azure AD, then on-premises against local AD/service

Azure AD Application Proxy provides a one-way HTTPS tunnel to on-premises

Page 29

Demo: Securing for external threats

Page 30

Internal threats

Page 31

Securing Edge network & cloud app usage with Advanced Security Management

Similar to OMS, but directly aimed for Office 365 workloads

Records all activities of users, including external users

Supports on-premises edge router log analysis

Discover activity and incidents in Office 365

Page 32

Monitoring what admins and developers are doing with Azure resources

Query against Azure backends to see operations against services

Connect with

Log Analytics (for further analysis)

Power BI (for reports)

Application Insights (for wisdom)

Azure Monitor provides monitoring throughout tenants and resource groups

Page 33

Finding Shadow IT within the organization with Cloud App Discovery

Works by dropping an agent on workstations

Consent can be requested; or just install silently..

Discover apps, amount of data transferred and who uses what

Based on reports, act accordingly

Discover unmanaged (and managed) cloud apps in use

Page 34

Active Directory surveillance & analysis with Advanced Threat Analytics (ATA)

Captures all authentication traffic to-and-from Domain Controllers

Uses Machine Learning to identify issues and unauthorized usage

Fully automatic, install & forget! Almost like SharePoint ;-)

Can connect with OMS to provide hybrid reporting in the cloud

Aggressive auditing and analytics for on-premises Active Directory requests

Pages 35 to 38

Don’t worry, security will keep you busy

Page 39

Demo: Securing for internal threats

Page 40

Licenses

Page 41

Onsight

Enterprise Mobility + Security (EMS)

Used to be known as Enterprise Mobility Suite

A bundled collection of licenses for Azure-based services

Available as E3 and E5

(Source: Microsoft)

Page 42

Security-related services and licenses

Advanced Threat Analytics
Active Directory
Azure MFA Server
Advanced Security Management
Threat Intelligence
Secure Score
Intune
Azure MFA for Admins
Azure AD
Azure AD Premium
Security Center
Cloud App Discovery
Privileged Identity Management
Identity Protection
Azure MFA
Connect Health
Network Security Groups
Next-Gen Firewalls
Information Protection
Operations Management Suite

No extra license needed
EMS E3/Office 365 E3
EMS E5/Office 365 E5
Additional licensing

Page 43

Recommendations & recap

Follow current practices and patterns: http://bit.ly/azuresecpnp

Get the book! http://bit.ly/azuresecbook

Get the guidance! http://bit.ly/perimeterbook

Deploy the free services
Azure Security Center
Office 365 Secure Score
Azure MFA for Admins
OMS Security (AAD+O365)

Go for AAD Premium, either with EM+S or separately

Deploy ATA

Enable PIM and Identity Protection

Page 44

Thanks for attending

WTF!

Page 45