securing office 365 and microsoft azure like a rock star
Post on 22-Jan-2018
SECURING OFFICE 365 AND MICROSOFT AZURE LIKE A ROCK STAR
Jussi Roine
Sulava, FINLAND
@JussiRoine
JUSSI LIVES HERE
WTF!
Agenda and takeaways
Security building blocks
External threats
Internal threats
Licenses
The Big Picture
How to protect Azure and Office 365
How to protect On-Premises services
Super-exciting!
SECURITY BUILDING BLOCKS
It’s like LEGO but not really at all
Office 365: Core services
Azure AD
Office 365: All major services
Azure AD
Office 365: All major services with extensibility
Azure AD
Office 365: With major Azure-related services
MFA
Stream
OMS
Azure AD
Wait, what? Hold on!
Do I have to learn and manage ALL this?
A traditional approach to embracing the cloud
This is the common, kind-of hybrid architecture model.
Microsoft Azure
Office 365
Site-to-Site VPN
Azure AD Connect
ADFS
Proxy
On-premises
The heart of security: Azure Active Directory
The core of each Azure subscription
You can have multiple AAD tenants within the same Azure subscription
Users, groups, licenses, permissions, apps, app proxies, domains.. all here!
Managed through Azure Portal; some tiny things are still only available in the Classic Portal
It’s important to understand the difference between AAD, AD and AAD Connect (and AAD DS)
Identities, management and security
Your mission
Protect the identities in the cloud – it is the new perimeter!
Azure Active Directory: Free, Basic, Premium
Feature | AAD Free | AAD Basic | AAD Premium P1 | AAD Premium P2
SSO support | 10 apps/user | 10 apps/user | No limit | No limit
Security reports | 3 (basic) | 3 (basic) | Advanced | Advanced
Self-Service password reset
Application Proxy
Multi-Factor Authentication
Connect Health
Cloud App Discovery
Privileged Identity Management
Identity Protection
Price | Free! | 0.84 €/user/month | 5.06 €/user/month | 7.59 €/user/month
A few highlighted features of AAD and a comparison between licenses
(cloud users) (cloud users)
Security building blocks in Azure
Role-Based Access Control
Key Vault
Microsoft anti-malware
Rights Management/Information Protection
Cloud App Discovery
Security Center
Infrastructure
Network Security Groups (NSG)
Site-to-Site VPN
Point-to-Site VPN
ExpressRoute
Network Security Appliances
Host-based & NextGen firewalls
Azure Active Directory
Connect Health
Identity Protection
Privileged Identity Management
OMS Security & Audit
Multi-Factor Authentication
Security
Analogy to cloud security
Rancilio Silvia
Best. Espresso. Ever.
Customized Rancilio Silvia
Rancilio Silvia with the Rocky grinder and steel base
PROTECTING AGAINST EXTERNAL THREATS
Authentication with social security numbers
Securing authentication for users with Multi-Factor Authentication
Enforces security beyond username and password
User must possess something – typically a mobile device
Strong authentication occurs over text message, pin, fingerprint, mobile app approval or voice call
Users must enroll through https://aka.ms/mfauserhowto
Available as Office 365 MFA, Azure MFA for Admins and Azure MFA
Certain non-browser apps do not support MFA -- users have to provision separate App Passwords (one or more) through the MyApps portal
Multi-Factor Authentication for on-premises with Azure MFA Server
Enables easy securing of VPNs, IIS web apps & Remote Desktop
Maybe not the most logical to set up..
Supports RADIUS so fairly easy to integrate with legacy systems
Strong and secure authentication for on-premises, hybrid & the cloud
Baseline your security in Office 365 with Secure Score
Free service at https://securescore.office.com
Security IQ for the organization
After initial scoring you can select a new baseline
Provides a list of actions for things to fix, in order to achieve a new baseline
Max score is 452
Office 365 average is 55
You get to >100 just by enabling MFA for global admins
Automated scan of your Office 365 subscription settings and general security
A dashboard for Azure security with Security Center
A simple way to view what’s secured and what’s not in Azure
Includes behavioral analytics and incident reporting
Standard license gives advanced threat detection & intelligence
Provides an overview on security for cloud resources
Securing and monitoring Azure AD Connect, ADFS and on-premises AD configuration with Azure AD Connect Health
Monitors your AD FS, AD FS Proxy, AAD Domain Services and AAD Connect status
Can alert you when things break down – useful for many directory-related services, and especially for Azure AD Connect issues
Deploying is easy:
Install agents for AD FS, AAD Connect and AD DS servers
Verify configuration on AAD CH blade in Azure Portal
Somewhat sadly this feature requires AAD Premium license – all users must be licensed in the scope of AAD CH
Agent-based service to monitor your AD domain controllers and ADFS infrastructure
Safeguarding for users who log in from weird countries with Azure AD Identity Protection
Watchdog for user sign-ins, can associate individual logins with risk factors
Automatically flags suspicious events, such as users who perform impossible travel times (typically with VPN connectivity)
Enforces additional policies based on low/high risk factors
Enforce MFA for the duration of the login
Enforce self-service password reset (which subsequently enforces MFA)
Weekly email digest of findings and things to lose your sleep over
Monitoring for risk events, vulnerabilities and automatic policy changes
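The "impossible travel" signal mentioned on this slide, sketched as an added example (not code from the talk, and not how Identity Protection is implemented). The sign-in records are constructed, and the 900 km/h speed limit and 100 km minimum distance are assumed thresholds.

```python
import math
from datetime import datetime

MAX_PLAUSIBLE_KMH = 900.0  # assumed threshold: roughly airliner cruise speed

# Constructed sample sign-ins: (user, UTC timestamp, latitude, longitude, place)
SIGNINS = [
    ("alice", "2018-01-22T08:00:00", 60.17, 24.94, "Helsinki"),
    ("alice", "2018-01-22T09:30:00", 59.33, 18.07, "Stockholm"),
    ("alice", "2018-01-22T10:00:00", 40.71, -74.01, "New York"),
    ("bob",   "2018-01-22T08:00:00", 60.17, 24.94, "Helsinki"),
    ("bob",   "2018-01-22T08:00:00", 1.35, 103.82, "Singapore"),
    ("carol", "2018-01-22T07:00:00", 51.51, -0.13, "London"),
    ("carol", "2018-01-22T19:00:00", 40.71, -74.01, "New York"),
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def find_impossible_travel(signins, max_kmh=MAX_PLAUSIBLE_KMH, min_km=100.0):
    """Return (user, from_place, to_place, km, kmh) for each consecutive pair
    of sign-ins whose implied travel speed exceeds max_kmh."""
    findings, last = [], {}
    # ISO-8601 timestamps sort chronologically as plain strings
    for user, ts, lat, lon, place in sorted(signins, key=lambda s: (s[0], s[1])):
        when = datetime.fromisoformat(ts)
        if user in last:
            p_when, p_lat, p_lon, p_place = last[user]
            km = haversine_km(p_lat, p_lon, lat, lon)
            hours = (when - p_when).total_seconds() / 3600
            # Simultaneous sign-ins far apart imply infinite speed; avoid dividing by zero
            kmh = math.inf if hours == 0 else km / hours
            # min_km suppresses noise from nearby locations and coarse geolocation
            if km >= min_km and kmh > max_kmh:
                findings.append((user, p_place, place, round(km), kmh))
        last[user] = (when, lat, lon, place)
    return findings

if __name__ == "__main__":
    for user, src, dst, km, kmh in find_impossible_travel(SIGNINS):
        print(f"{user}: {src} -> {dst}, {km} km at {kmh:.0f} km/h")
```

A VPN egress point in another country produces the same pattern as a stolen credential, so a finding here is a risk signal to feed into a policy such as an MFA challenge, not proof of compromise.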
Getting rid of static admin roles with Azure AD Privileged Identity Management (PIM)
Instead of granting permanent admin privileges, PIM allows ad-hoc & just-in-time admin roles
Users can request new privileges for a predefined duration
Scans for fixed admin roles and changes them to temporary roles
Admin roles become non-permanent
Duration can be set from 1 hour to 72 hours
Can enforce MFA during role grant
In preview: Approval workflows for new privilege requests
Central view & management for all admin roles throughout Azure and Office 365
”Just-in-time” administration privileges for users on request
Tracking botnet and brute force attacks
OMS provides System Center-like capabilities in the cloud
Capable of tracking hybrid deployments, including Office 365 and Azure
Gathers logs (also custom ones), configuration data, update status, availability, backup info and even Surface Hub data
Operations Management Suite (OMS) is the Swiss Army knife you need
Protecting from external threats with Office 365
Provides a 360° view on external threats against users
Insights and analysis based on evidence, act accordingly
Allows for custom policies and reactions
Threat Intelligence uses evidence-based knowledge on threats
Publishing internal services securely
Enforce authentication at Azure AD, before allowing access to internal resources
Configuration is simple, and supports high availability deployments
Internal services do not require changes
Dual-authentication also supports: First on Azure AD, then in on-premises against local AD/service
Azure AD Application Proxy provides a one-way HTTPS tunnel to on-premises
DEMO
PROTECTING AGAINST INTERNAL THREATS
Trust no one
Securing Edge network & cloud app usage with Cloud App Security (used to be Advanced Security Management)
Similar to OMS, but aimed directly at Office 365 workloads
Records all activities of users, including external users
Supports on-premises edge router log analysis
Discover activity and incidents in Office 365
Monitoring what admins and developers are doing with Azure resources
Query against Azure backends to see operations against services
Connect with Log Analytics (for further analysis)
Power BI (for reports)
Application Insights (for wisdom)
Azure Monitor provides monitoring throughout tenants and resource groups
Finding Shadow IT within the organization with Cloud App Discovery
Works by dropping an agent on workstations
Consent can be requested; or just install silently..
Discover apps, amount of data transferred and who uses what
Based on reports, act accordingly
Discover unmanaged (and managed) cloud apps in use
Active Directory surveillance & analysis with Advanced Threat Analytics (ATA)
Captures all authentication traffic to-and-from Domain Controllers
Uses Machine Learning to identify issues and unauthorized usage
Fully automatic, install & forget! Almost like SharePoint ;-)
Can connect with OMS to provide hybrid reporting in the cloud
Aggressive auditing and analytics for on-premises Active Directory requests
Compliance Manager
A new service in Office 365
Preview available November 16 (that’s Thursday!)
Centralized compliance view to GDPR, ISO 27001 certifications and other frameworks
Sign up for preview https://aka.ms/compliance-manager-preview
Customer Key
Announced at Ignite
Encrypt data-at-rest with your own keys
Includes protection if you lose your keys
Uses Azure Key Vault to hold keys – can be HSM (Hardware Security Module) backed
Don’t worry, security will keep you busy
DEMO
I’m lost – too many services and options
Active Directory
Advanced Threat Analytics
Firewall, proxy, VLANs etc.
Microsoft Identity Manager
On-premises
Office 365
Data Loss Prevention
Threat Intelligence
Secure Score
Compliance Manager
Microsoft Azure
Connect Health
Cloud App Discovery
Network Security Group
Cloud App Security
Identity Protection
Privileged Identity Management
Azure Active Directory
Conditional Access
Operations Management Suite
Security Center
Azure MFA
Azure Information Protection
Intune
Customer Key (through Key Vault)
Licenses
It depends.
Onsight
Enterprise Mobility + Security (EMS)
Used to be known as Enterprise Mobility Suite
E3
E5
What about Microsoft 365?
Microsoft 365 Enterprise
Microsoft 365 Business
Office 365 Enterprise
Windows 10 Enterprise
Enterprise Mobility + Security
Intune
Office 365 for Business
Windows 10 Pro
3001
E5
E3
Security-related services and licenses
Advanced Threat Analytics
Active Directory
Azure MFA Server
Advanced Security Management
Threat Intelligence
Secure Score
Intune
Azure MFA for Admins
Azure AD
Azure AD Premium
Security Center
Cloud App Discovery
Privileged Identity Management
Identity Protection
Azure MFA
Connect Health
Network Security Groups
Next-Gen Firewalls
Information Protection
Operations Management Suite
No extra license needed
EMS E3/Microsoft 365 E3
EMS E5/Microsoft 365 E5
Additional licensing
Recommendations & recap
Follow current practices and patterns: http://bit.ly/azuresecpnp
Get the book!
http://bit.ly/azuresecbook
Get the guidance!
http://bit.ly/perimeterbook
Deploy the free services
Azure Security Center
Office 365 Secure Score
Azure MFA for Admins
OMS Security (AAD+O365)
Go for AAD Premium
Either with EM+S or separately
Deploy ATA
Enable PIM and Identity Protection
Thank you! @JussiRoine