SECURING YOUR OFFICE 365 DEPLOYMENT WITH ACRONYMS
HOW TO LEVERAGE EDP/WIP, EMS, RMS AND AAD
Michael Van Horenbeeck
VH Consulting & Training
Independent Solution Architect
www.vanhybrid.com
@vanhybrid
www.vhct.be
Solution Architect / Owner @ VH Consulting & Training
Office Servers & Services MVP
MCSM | Messaging
Office 365, Exchange, (Azure) AD, Security
Goodies for today
Securing for a new era: a quick overview of how to protect oneself from new and emerging threats
Windows Information Protection: a look inside Microsoft's Windows 10 feature and how it can (potentially) help further protect data inside corporate environments such as Office 365
Enterprise Mobility + Security: leverage EM+S to protect access to (sensitive) data inside your Office 365 environment.
Encrypting data through RMS: taking it to the next level with Azure RMS.
Timeline of attack techniques, early 90's through 20xx? (source: Microsoft): password guessing, password cracking, hijacking, packet spoofing & forging, specialized tools + malware (Slammer, Stuxnet, Red October, Flame…), social engineering / spear phishing, exploits (exploiting known vulnerabilities), backdoors, browser pop-ups, VBA, Flash, PTH, PTT, bot nets, and next-gen attacks?
Challenges with "traditional" security
Securing the container: the focus is on securing the (data) container. This approach is very ineffective once someone manages to obtain unauthorized access.
Focus on password (complexity): passwords are merely a first line of defense and are bound to be hacked/stolen/cracked at some point. More complex passwords lead to other problems, as humans aren't capable of remembering them!
Mismatch w/ threats: by focusing on just a subset of the threats, a large part of the attack surface remains unprotected. Logically, this increases the odds of being hacked / losing data; i.e. disk encryption alone does not prevent data leakage.
"There are two kinds of organizations: those who have been hacked and those who don't know it yet…"
"The best security strategy is one that assumes the network is inherently insecure, devices can be hacked or stolen, and that access to the (network) services will be compromised at some point."
Defining a security policy
Device: secure data at rest (on the device). Ensure/enforce data security/integrity, even if the device is stolen, lost or otherwise breached.
(Accidental) Leak Protection: prevent data from being transferred in an unauthorized way. Prevent data from being copied to non-corporate locations such as public (social) networks. Only allow specific applications to consume corporate data.
Data Separation: distinguish personal from corporate data. This can be challenging with public cloud services.
Sharing Protection: enable the authorized sharing of corporate data in a controlled, secure and monitored way, inside and outside of the organization.
What is Azure Information Protection?
Azure Information Protection (formerly known as Azure RMS)
01 Categorization: protect data through (automatic) classification and labeling. Classification can happen automatically based on content, or manually by a user tagging a document.
02 Location-independent: data remains protected (by RMS) regardless of its location. It can be stored in any service and shared with anyone without compromising data security.
03 Granular Control: you can control who can view/edit/forward data based on the available actions.
04 Manageable: unlike earlier implementations of RMS, AIP enables easier management through a variety of policies that allow you to modify a plethora of options.
05 Visibility & Control: you can track and report on activity at various levels (per user, per document, etc.) and revoke permissions "on the spot".
06 Flexible: although functionality is somewhat limited if you choose to do this, you can even "Bring Your Own Key" to further secure the encryption process.
#ITDevConnections
Deploying Azure Information Protection
01 Define Azure RMS templates: define which RMS templates you would like to use (tip: write down your requirements).
02 Create a policy and link templates: add sensitivity levels and link the appropriate RMS templates to the correct levels. Then set up classification rules and decide how classifications should be shown (colors, anyone?).
03 Deploy the AIP client: you must deploy the AIP client to any client that wants to "use" protected content.
Caveats!
01 Client Support: Azure RMS only works (natively) with a limited number of document types and applications (mostly Office, and PDF). Other file types can be protected using a wrapper application.
02 Mobile Devices / Other platforms: the RMS flows described earlier can vary depending on the type of document and the device/OS trying to protect or consume content.
03 Implementation: implementing Azure Information Protection can be a bit challenging because it is more than "just" encryption. If done right, it can be smart about what to encrypt (automatically) and what not. But it requires an understanding of the (type of) content and how it's used in the organization.
04 Piece of the puzzle: Azure Information Protection is not the goal by itself, but just a piece of the puzzle in a grander scheme to protect content across your organization.
DEMO: Azure Information Protection
Enterprise Mobility + Security (source: Microsoft)
What is in Enterprise Mobility + Security?
01 Extended MFA: using Azure MFA you can extend the MFA platform to your on-premises organization and other cloud platforms.
02 Conditional Access: whether it's device- or identity-based, you can granularly control how someone should access the Office 365 (and other) services.
03 Identity Protection: assess risk and potential vulnerabilities affecting your corporate identities, e.g. automatically detect malicious login attempts/attacks through Azure's activity reports.
04 Privileged Identity Management: manage & control (administrative) access to your organization, e.g. enable "Just-in-Time" access for administrators.
05 Threat Analytics: monitor your on-premises Active Directory for potentially malicious activity and report on it in near real-time.
06 Information Protection: protect information at rest and on the go.
Conditional Access
01 Only really effective with Modern Auth: if you are not using Modern Auth, you have to leverage capabilities within AD FS (claim rules) to disallow certain traffic (e.g. ActiveSync). This increases complexity by quite a bit!
02 Identity vs. Device: you can choose to apply conditions to users (identity-based) or to devices. The options are not the same, though: identity-based includes e.g. risk profile/location, whereas device-based assesses the device's (health) state.
03 Split management: today, Conditional Access is managed from both the old and the new Azure Management Portal. Identity-driven conditions can be found in the new portal, whereas device-based conditions have to be configured in the old one…
Identity Protection
01 Automated policies can help… but be cautious, because they can do harm if implemented incorrectly. Hence you can see who's impacted before you apply them!
02 Still a lot of (manual) work: although the automated policies can help, and you can receive (automated) alerts, there can still be a lot of events to comb through, especially when you first start using the feature!
EMS in the real world?
I would like to restrict access to my organization's data in Office 365 to only users inside my organization.
Potential solution:
• Enable conditional access based on corporate IP addresses (Azure or AD FS claim rules)
• Use "micro-VPNs" to enable external clients to connect (mimicking that they are part of the internal network)
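As an added example (not from the deck) of the AD FS claim-rule route named above and under the Conditional Access caveats, these issuance authorization rules for the Office 365 relying party deny requests that reach AD FS from outside the corporate network unless they come from a corporate public IP range, and deny Exchange ActiveSync from outside regardless of IP. Assumed: AD FS on Windows Server 2012 R2 or later published through a Web Application Proxy (so the insidecorporatenetwork and x-ms-client-* request-context claims are populated), the default relying-party name "Microsoft Office 365 Identity Platform", and 203.0.113.0/24 as a constructed placeholder for your egress range.

```powershell
# Added example, not the deck's own configuration. Replace 203.0.113.0/24 with
# the real corporate egress range (constructed placeholder). Rule 1 keeps the
# default "permit everyone"; rules 2 and 3 add the deny conditions on top.
$rules = @'
@RuleName = "Permit all users"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");

@RuleName = "Deny external requests that do not originate from corporate egress IPs"
exists([Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"])
 && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-ip", Value =~ "\b203\.0\.113\.\d{1,3}\b"])
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");

@RuleName = "Deny Exchange ActiveSync from outside the corporate network"
exists([Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"])
 && exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value == "Microsoft.Exchange.ActiveSync"])
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");
'@

# Back up the current authorization rules so the change can be rolled back.
$rp = Get-AdfsRelyingPartyTrust -Name "Microsoft Office 365 Identity Platform"
$rp.IssuanceAuthorizationRules | Out-File .\o365-authz-rules.backup.txt

# Apply the new rule set to the Office 365 relying party trust.
Set-AdfsRelyingPartyTrust -TargetName "Microsoft Office 365 Identity Platform" `
    -IssuanceAuthorizationRules $rules
```

Verify from an external client and from a corporate egress IP before leaving the rules in place; as the deck notes, once clients use Modern Auth the Azure AD Conditional Access policy is the simpler way to express the same restriction.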
What would be the easiest way to (further) secure the authentication process beyond simple passwords?
Potential solution: enable Multi-Factor Authentication. If only for Office 365, leverage the free O365 MFA. If not, use Azure MFA.
Caveat:
• Ensure your users are using modern clients which leverage the new ADAL-based auth mechanism.
I want to ensure that external users always authenticate with more than just their password.
Potential solution:
• Enable (Azure) MFA
• Enable Conditional Access to set up a policy that external connections must go through the MFA flow.
Additional:
• You could integrate an on-premises MFA provider if it supports the MFA flow (can be configured in the domain settings in Azure AD)
We have a business partner with whom we regularly have to exchange documents. However, because of the confidentiality of those documents, we don't want to lose track of who can access them or where they are.
Potential solution:
• Use Conditional Access (e.g. force external parties to use MFA)
• Enable Information Protection (RMS)
• Leverage RMS in SharePoint Online
• Enable external user (internal account) > prevent data from being downloaded from e.g. SharePoint.
What is your use case? Let's discuss and see if we can find a solution to your challenge.
Windows Information Protection (formerly known as Enterprise Data Protection)
What is Windows Information Protection?
01 Protect Data at Rest: corporate data is automatically encrypted using EFS on the device.
02 Segregation of data: policies define which data is automatically categorized as corporate. Categorization can be based on location, type, etc.
03 Prevent data leakage: policies define which applications can consume protected data. These are so-called enlightened applications. Blocked applications are not allowed to access/consume protected (corporate) data.
DEMO: Setting up a Windows Information Protection policy
Caveats!
01 Not (yet?) cross-platform: today, only the Windows platform can leverage the WIP framework. This means that people using mobile devices such as iPhones and iPads must seek alternatives to achieve the same.
02 First version: as with a lot of new features that Microsoft releases, there are a lot of (unexpected) caveats. I suspect subsequent versions will become a lot better. Until then, this version is great for exploring its capabilities.
03 Client support: a lot of the effectiveness of Windows Information Protection depends on the client that is used to access corporate data. For example, Office is (still) not supported, which seriously hampers the usability/effectiveness of WIP. Applications that do not adhere to certain rules might be able to "bypass" protection.
THANK YOU