diwug
Securing Office 365 and Microsoft Azure like a rock star (or groupie)
Jussi Roine @JussiRoine
JUSSI LIVES HERE
WTF!
Agenda and takeaways
Security building blocks: The Big Picture
Azure AD Premium
External threats
Internal threats
How to protect Azure and Office 365
How to protect on-premises services
Licenses (Wait whattt?)
Security building blocks
Office 365: Core services
Azure AD
Office 365: All major services
Azure AD
Office 365: With extensibility
Azure AD
Office 365: With Azure-related services
MFA
Stream
OMS
Azure AD
Wait, what? Hold on!
Do I have to manage security on all these AND on-premises too?
A starting point: ”We are in the cloud!”
This is the common, kind-of hybrid architecture model.
Microsoft Azure
Office 365
Site-to-Site VPN
Azure AD Connect
ADFS
Proxy
On-premises
The heart of security: Azure Active Directory
The core of each Azure subscription
You can have multiple AAD tenants within the same Azure subscription
Users, groups, licenses, permissions, apps, app proxies, domains.. all here!
Managed through Azure Portal, some tiny things are still only available in the Classic Portal
It’s important to understand the difference between AAD, AD and AAD Connect (and AAD DS)
Identities, management and security
Your mission
Protect the identities in the cloud – it is the new perimeter!
Azure Active Directory: Free, Basic, Premium
A few highlighted features of AAD and a comparison between licenses

Feature            AAD Free       AAD Basic           AAD Premium P1       AAD Premium P2
SSO support        10 apps/user   10 apps/user        No limit             No limit
Security reports   3 (basic)      3 (basic)           Advanced             Advanced
Price              Free!          0.84 €/user/month   5.06 €/user/month    7.59 €/user/month

Other features compared per tier: Self-Service password reset (cloud users), Application Proxy, Multi-Factor Authentication, Connect Health, Cloud App Discovery, Privileged Identity Management, Identity Protection
Security building blocks in Azure
Security
Role-Based Access Control
Key Vault
Microsoft anti-malware
Rights Management/Information Protection
Cloud App Discovery
Security Center
Infrastructure
Network Security Groups (NSG)
Site-to-Site VPN
Point-to-Site VPN
ExpressRoute
Network Security Appliances
Host-based & NextGen firewalls
Azure Active Directory
Connect Health
Identity Protection
Privileged Identity Management
OMS Security & Audit
Multi-Factor Authentication
Analogy to cloud security
Rancilio Silvia: Best. Espresso. Ever.
(This is what I got)
Customized Rancilio Silvia
(This is what you think you need)
Rancilio Silvia with the
Rocky grinder and steel base
(This is what you should end up with)
External threats
Securing authentication for users with Multi-Factor Authentication
Enforces security beyond username and password
User must possess something – typically a mobile device
Strong authentication occurs over text message, pin, fingerprint, mobile app approval or voice call
Users must enroll through https://aka.ms/mfauserhowto
Available as Office 365 MFA, Azure MFA for Admins and Azure MFA
Certain non-browser apps do not support MFA -- users have to provision separate App Passwords (one or more) through the MyApps portal
This tends to be challenging for non-technical users
Multi-Factor Authentication for on-premises with Azure MFA Server
Enables easy securing of VPNs, IIS web apps & Remote Desktop
Maybe not the most logical to set up..
Supports RADIUS so fairly easy to integrate with legacy systems ;-)
Strong and secure authentication for on-premises, hybrid & the cloud
Baseline your security in Office 365 with Secure Score
A free service at https://securescore.office.com
After initial scoring you can select a new baseline
Provides a list of actions for things to fix, in order to achieve a new baseline
Max score is 432
Office 365 average is 29
I have 72!
You get to 111 just by enabling MFA for global admins
Automated scan of your Office 365 subscription settings and general security
A dashboard for Azure security with Security Center
A simple way to view what’s secured and what’s not in Azure
Includes behavioral analytics and incident reporting
Standard license gives advanced threat detection & intelligence
Provides an overview on security for cloud resources
Securing and monitoring Azure AD Connect, ADFS and on-premises AD configuration with Azure AD Connect Health
Monitors your AD FS, AD FS Proxy, AAD Domain Services and AAD Connect status
Can alert you when things break down – useful for many directory-related services, and especially for Azure AD Connect issues
Deploying is easy: Install agents for AD FS, AAD Connect and AD DS servers
Verify configuration on AAD CH blade in Azure Portal
Somewhat sadly this feature requires AAD Premium license – all users must be licensed in the scope of AAD CH
Agent-based service to monitor your AD domain controllers and ADFS infrastructure
Safeguarding for users who log in from weird countries with Azure AD Identity Protection
Watchdog for user sign-ins, can associate individual logins with risk factors
Automatically flags suspicious events, such as users who perform impossible travel times (typically with VPN connectivity)
Enforces additional policies based on low/high risk factors
Enforce MFA for the duration of the login
Enforce self-service password reset (which subsequently enforces MFA)
Weekly email digest of findings and things to lose your sleep over
Monitoring for risk events, vulnerabilities and automatic policy changes
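The impossible-travel check described above, as an added example that is not part of the original deck nor Identity Protection's own logic: consecutive sign-ins per user are compared by great-circle distance and elapsed time, and pairs that touch a known VPN egress address are suppressed because, as the slide notes, VPN connectivity is the usual benign cause. The sign-in records, coordinates and the corporate VPN egress list are constructed assumptions.

```python
from collections import namedtuple
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# One sign-in event: user, UTC time, geolocated client position, source IP.
SignIn = namedtuple("SignIn", "user when lat lon ip")

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin(radians(lat2 - lat1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def impossible_travel(events, max_kmh=900.0, min_km=50.0, vpn_egress=frozenset()):
    """Flag consecutive sign-ins per user whose implied speed exceeds max_kmh.
    Returns a list of (user, earlier, later, implied_kmh). Pairs that touch a
    known VPN egress address are skipped: VPN use is the usual benign cause."""
    by_user = {}
    for e in sorted(events, key=lambda e: (e.user, e.when)):
        by_user.setdefault(e.user, []).append(e)
    flagged = []
    for user, evs in by_user.items():
        for a, b in zip(evs, evs[1:]):
            if a.ip in vpn_egress or b.ip in vpn_egress:
                continue
            km = haversine_km(a.lat, a.lon, b.lat, b.lon)
            if km < min_km:  # same metro area: geo-IP jitter, not travel
                continue
            hours = (b.when - a.when).total_seconds() / 3600.0
            kmh = km / hours if hours > 0 else float("inf")
            if kmh > max_kmh:
                flagged.append((user, a, b, kmh))
    return flagged

# Constructed sample sign-ins (documentation-range IPs, not real tenant data).
SAMPLE = [
    SignIn("alice", datetime(2017, 5, 3, 9, 0), 60.17, 24.94, "203.0.113.10"),      # Helsinki
    SignIn("alice", datetime(2017, 5, 3, 10, 30), -33.87, 151.21, "198.51.100.7"),  # Sydney, 90 min later
    SignIn("bob", datetime(2017, 5, 3, 9, 0), 60.17, 24.94, "203.0.113.11"),        # Helsinki
    SignIn("bob", datetime(2017, 5, 3, 12, 0), 59.33, 18.07, "203.0.113.12"),       # Stockholm, 3 h later
    SignIn("carol", datetime(2017, 5, 3, 9, 0), 60.17, 24.94, "203.0.113.13"),      # Helsinki
    SignIn("carol", datetime(2017, 5, 3, 9, 20), 40.71, -74.01, "192.0.2.5"),       # New York via corporate VPN
]
CORP_VPN_EGRESS = frozenset({"192.0.2.5"})  # assumed list of the organisation's VPN exit IPs

def run_demo():
    """Only alice is flagged: Helsinki to Sydney in 90 minutes; carol's hop is VPN."""
    return impossible_travel(SAMPLE, vpn_egress=CORP_VPN_EGRESS)
```

Calling run_demo() returns only alice's pair; in the slide's terms that is the risk event on which to enforce MFA for the login, while the VPN allowlist keeps the common false positive out of the weekly digest.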
Getting rid of static admin roles with Azure AD Privileged Identity Management (PIM)
Instead of granting permanent admin privileges, PIM allows ad-hoc & just-in-time admin roles
Users can request new privileges for a predefined duration
Scans for fixed admin roles and changes them to temporary roles
Admin roles become non-permanent
Duration can be set from 1 hour to 72 hours
Can enforce MFA during role grant
In preview: Approval workflows for new privilege requests
Central view & management for all admins roles throughout Azure and Office 365
”Just-in-time” administration privileges for users on request
Tracking botnet and brute force attacks
OMS provides System Center-like capabilities in the cloud
Capable of tracking hybrid deployments, including Office 365 and Azure
Gathers logs (also custom ones), configuration data, update status, availability, backup info and even Surface Hub data
Operations Management Suite (OMS) is the Swiss Army knife you need
Protecting from external threats with Office 365
Provides a 360° view on external threats against users
Insights and analysis based on evidence, act accordingly
Allows for custom policies and reactions
Threat Intelligence uses evidence-based knowledge on threats
Publishing internal services securely
Enforce authentication at Azure AD, before allowing access to internal resources
Configuration is simple, and supports high availability deployments
Internal services do not require changes
Dual-authentication also supports:
First on Azure AD, then in on-premises against local AD/service
Azure AD Application Proxy provides a one-way HTTPS tunnel to on-premises
Demo: Securing for external threats
Internal threats
Securing Edge network & cloud app usage with Advanced Security Management
Similar to OMS, but directly aimed for Office 365 workloads
Records all activities of users, including external users
Supports on-premises edge router log analysis
Discover activity and incidents in Office 365
Monitoring what admins and developers are doing with Azure resources
Query against Azure backends to see operations against services
Connect with
Log Analytics (for further analysis)
Power BI (for reports)
Application Insights (for wisdom)
Azure Monitor provides monitoring throughout tenants and resource groups
Finding Shadow IT within the organization with Cloud App Discovery
Works by dropping an agent on workstations
Consent can be requested; or just install silently..
Discover apps, amount of data transferred and who uses what
Based on reports, act accordingly
Discover unmanaged (and managed) cloud apps in use
Active Directory surveillance & analysis with Advanced Threat Analytics (ATA)
Captures all authentication traffic to-and-from Domain Controllers
Uses Machine Learning to identify issues and unauthorized usage
Fully automatic, install & forget! Almost like SharePoint ;-)
Can connect with OMS to provide hybrid reporting in the cloud
Aggressive auditing and analytics for on-premises Active Directory requests
Don’t worry, security will keep you busy
Demo: Securing for internal threats
Licenses
Onsight
Enterprise Mobility + Security (EMS)
Used to be known as Enterprise Mobility Suite
A bundled collection of licenses for Azure-based services
Available as E3 and E5
(Source: Microsoft)
Security-related services and licenses
Advanced Threat Analytics
Active Directory
Azure MFA Server
Advanced Security Management
Threat Intelligence
Secure Score
Intune
Azure MFA for Admins
Azure AD
Azure AD Premium
Security Center
Cloud App Discovery
Privileged Identity Management
Identity Protection
Azure MFA
Connect Health
Network Security Groups
Next-Gen Firewalls
Information Protection
Operations Management Suite
License categories:
No extra license needed
EMS E3/Office 365 E3
EMS E5/Office 365 E5
Additional licensing
Recommendations & recap
Follow current practices and patterns: http://bit.ly/azuresecpnp
Get the book!
http://bit.ly/azuresecbook
Get the guidance!
http://bit.ly/perimeterbook
Deploy the free services
Azure Security Center
Office 365 Secure Score
Azure MFA for Admins
OMS Security (AAD+O365)
Go for AAD Premium
Either with EM+S or separately
Deploy ATA
Enable PIM and Identity Protection
Thanks for attending
WTF!