Michael Van Horenbeeck – Securing your Office 365 deployment with acronyms: how to leverage EDP,...


Upload: andrew-j-price

Post on 17-Jan-2017


TRANSCRIPT

Page 1: Michael Van Horenbeeck – Securing your Office 365 deployment with acronyms: how to leverage EDP, EMS, RMS and AAD!

SECURING YOUR OFFICE 365 DEPLOYMENT WITH ACRONYMS

HOW TO LEVERAGE EDP/WIP, EMS, RMS AND AAD

Michael Van Horenbeeck

VH Consulting & Training

Independent Solution Architect

Page 2:

www.vanhybrid.com

@vanhybrid

www.vhct.be

Solution Architect / Owner @ VH Consulting & Training

Office Servers & Services MVP

MCSM | Messaging

Office 365, Exchange, (Azure) AD, Security

Page 3: Goodies for today

Securing for a new era: A quick overview of how to protect oneself from new and emerging threats.

Windows Information Protection: A look inside Microsoft’s Windows 10 feature and how it can (potentially) help further protect data inside corporate environments such as Office 365.

Enterprise Mobility + Security: Leverage EM+S to protect access to (sensitive) data inside your Office 365 environment.

Encrypting data through RMS: Taking it to the next level with Azure RMS.

Page 4:

Password guessing

Password cracking

Hijacking

Packet Spoofing & Forging

Specialized tools + malware (Slammer, Stuxnet, Red October, Flame…)

Social Engineering / Spear Phishing

Exploits: Exploiting (known) vulnerabilities

Backdoors

Browser pop-ups, VBA, Flash, PTH, PTT

Bot nets

Next-gen attacks?

Timeline: Early 90’s | Mid 90’s | 2000 | 2004 | 2005 | 2006 | 2008 | 2013 | 2014 | 2016 | 20xx?

Page 5:

Source: Microsoft

Page 6: Challenges with “traditional” security

Securing the container: Focus is on securing the (data) container. This approach is very ineffective once someone manages to obtain unauthorized access.

Focus on password (complexity): Passwords are merely a first line of defense and bound to be hacked/stolen/cracked at some point. More complex passwords lead to other problems, as humans aren’t capable of remembering them!

Mismatch w/ threats: By focusing on just a subset of the threats, a large part of the attack surface remains unprotected. Logically, this increases the odds of being hacked or losing data. I.e. disk encryption alone does not prevent data leakage.

Page 7:

“There are two kinds of organizations: those who have been hacked and those who don’t know it yet…”

“The best security strategy is one that assumes the network is inherently insecure, devices can be hacked or stolen, and that access to the (network) services will be compromised at some point.”

Page 8: Defining a security policy

Device: Secure data at rest (on the device). Ensure/enforce data security/integrity, even if the device is stolen, lost or otherwise breached.

(Accidental) Leak Protection: Prevent data from being transferred in an unauthorized way. Prevent data from being copied to non-corporate locations such as e.g. public (social) networks. Only allow specific applications to consume corporate data.

Data Separation: Distinguish personal from corporate data. Can be challenging with public cloud services.

Sharing Protection: Enable the authorized sharing of corporate data, in a controlled, secure and monitored way; inside and outside of the organization.

Page 9:

Azure Information Protection (formerly known as Azure RMS)

Page 10: What is Azure Information Protection?

01 Categorization: Protect data through (automatic) classification and labeling. Classification can happen automatically based on content, or manually by a user tagging a document.

02 Location-independent: Data remains protected (through RMS) regardless of its location. It can be stored in any service, and shared with anyone without compromising the data security.

03 Granular Control: You can control who can view/edit/forward data based on available actions.

04 Manageable: Unlike earlier implementations of RMS, AIP enables easier management through a variety of policies which allow you to modify a plethora of options.

05 Visibility & Control: You can track and report on activity at various levels: per user, per document, etc. You can revoke permissions “on the spot”, etc.

06 Flexible: Although functionality is somewhat limited if you choose to do this, you can even “Bring Your Own Key” to further secure the encryption process.

Page 11: Deploying Azure Information Protection

#ITDevConnections

01 Define Azure RMS Templates: Define what RMS templates you would like to use... (tip: write down your requirements)

02 Create a policy and link templates: Add sensitivity levels and link the appropriate RMS templates to the correct levels. Then set up classification rules and how classifications should be shown (colors, anyone?).

03 Deploy the AIP Client: You must deploy the AIP client to any client who wants to “use” protected content.
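The three deployment steps above, and the classification and granular-control points from the previous slide, worked through as an added Python model. This is not Microsoft's code, not the AIP client or API, and not the author's demo: RMS templates are modelled as sets of usage rights per group, sensitivity levels are linked to templates, classification rules are regular expressions over document content, and a final check shows what a group may do with the resulting document. Every template name, level, pattern, group and sample text is constructed, and the rule that a manual tag can raise but not lower the automatic result is a modelling choice, not a statement about the product.

```python
"""Constructed model of the AIP deployment steps on this slide.

Not Microsoft's code and not the AIP client/API: template names, sensitivity
levels, classification patterns, groups and sample documents are all made up.
"""
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


# Step 01: define RMS templates. A template is a named set of usage rights,
# modelled here as group -> allowed actions (view / edit / forward).
@dataclass(frozen=True)
class RmsTemplate:
    name: str
    rights: Dict[str, FrozenSet[str]]


TEMPLATES: Dict[str, RmsTemplate] = {
    "Confidential-AllEmployees": RmsTemplate(
        "Confidential-AllEmployees",
        {"employees": frozenset({"view", "edit", "forward"})}),
    "HighlyConfidential-ViewOnly": RmsTemplate(
        "HighlyConfidential-ViewOnly",
        {"employees": frozenset({"view"}),
         "board": frozenset({"view", "edit"})}),
}

# Step 02: sensitivity levels ordered from lowest to highest, and the template
# linked to each level. Levels without a template are label-only (no encryption).
LEVELS: List[str] = ["Public", "Internal", "Confidential", "Highly Confidential"]
LEVEL_TEMPLATE: Dict[str, str] = {
    "Confidential": "Confidential-AllEmployees",
    "Highly Confidential": "HighlyConfidential-ViewOnly",
}

# Classification rules: content condition -> level. The patterns are constructed
# examples (a US-SSN-shaped number, explicit markings), not AIP's built-in types.
RULES: List[Tuple[re.Pattern, str]] = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "Highly Confidential"),
    (re.compile(r"\bconfidential\b", re.IGNORECASE), "Confidential"),
    (re.compile(r"\binternal use only\b", re.IGNORECASE), "Internal"),
]


def classify(content: str, manual_label: Optional[str] = None) -> str:
    """Highest level whose rule matches; a manual tag may raise it (model choice)."""
    best = 0  # index into LEVELS; the default is the lowest level
    for pattern, level in RULES:
        if pattern.search(content):
            best = max(best, LEVELS.index(level))
    if manual_label is not None:
        best = max(best, LEVELS.index(manual_label))
    return LEVELS[best]


def protect(content: str, manual_label: Optional[str] = None) -> Tuple[str, Optional[str]]:
    """Return (label, template name) or (label, None) when the label carries no protection."""
    level = classify(content, manual_label)
    return level, LEVEL_TEMPLATE.get(level)


def can(group: str, template_name: Optional[str], action: str) -> bool:
    """Step 03 seen from the consumer: what the AIP client would let a member
    of `group` do with content protected by `template_name`."""
    if template_name is None:
        return True  # label only: nothing enforces usage rights
    template = TEMPLATES[template_name]
    return action in template.rights.get(group, frozenset())


if __name__ == "__main__":
    # Constructed sample documents, one per sensitivity level.
    for text in ["Quarterly newsletter draft",
                 "Budget planning - INTERNAL USE ONLY",
                 "Contract terms are confidential",
                 "Payroll: employee SSN 123-45-6789"]:
        label, tpl = protect(text)
        print(f"{label:20} {tpl or '(no template)':30} "
              f"employees may forward: {can('employees', tpl, 'forward')}")
```

The `can` check is where the "granular control" of the previous slide becomes concrete: the same group gets different rights depending on which template the label links to, and a label with no template (here "Public" and "Internal") enforces nothing at all, which is the difference between classification and protection.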

Page 12: Caveats!

01 Client Support: Azure RMS only works (natively) with a limited number of document types and applications (mostly Office, and PDF). Other file types can be protected using a wrapper application.

02 Mobile Devices / Other platforms: The RMS flows described earlier can vary depending on the type of document and the device/OS trying to protect or consume content.

03 Implementation: Implementing Azure Information Protection can be a bit challenging because it is more than “just” encryption. If done right, it can be smart about what to encrypt (automatically) and what not. But it requires an understanding of the (type of) content and how it’s used in the organization.

04 Piece of the puzzle: Azure Information Protection is not the goal by itself, but just a piece of the puzzle in a grander scheme to protect content across your organization.

Page 13:

DEMO: Azure Information Protection

Page 14:

Enterprise Mobility + Security

Page 15:

Source: Microsoft

Page 16: What is in Enterprise Mobility + Security?

01 Extended MFA: Using Azure MFA you can extend the MFA platform to your on-premises organization and other cloud platforms.

02 Conditional Access: Whether it’s device- or identity-based, you can granularly control how someone should access the Office 365 (and other) services.

03 Identity Protection: Assess risk and potential vulnerabilities affecting your corporate identities. E.g. automatically detect malicious login attempts / attacks through Azure’s Activity Reports.

04 Privileged Identity Management: Manage & control (administrative) access to your organization. E.g. enable “Just-in-Time” access for administrators.

05 Threat Analytics: Monitor your on-premises Active Directory for potentially malicious activity and report on it in near real-time.

06 Information Protection: Protect information at rest and on the go.

Page 17: Conditional Access

01 Only really effective with Modern Auth: If you are not using Modern Auth, you have to leverage capabilities within AD FS (claim rules) to disallow certain traffic (e.g. ActiveSync). This increases complexity by quite a bit!

02 Identity vs. Device: You can choose to apply conditions to users (identity-based) or devices. Options are not the same though. Identity-based includes e.g. risk profile/location, whereas device-based assesses the device’s (health) state.

03 Split management: Today, Conditional Access is managed from both the old and new Azure Management Portal. Identity-driven conditions can be found in the new portal, whereas device-based conditions have to be configured in the old one…

Page 18: Identity Protection

01 Automated policies can help…: …but be cautious, because they can do harm if implemented incorrectly. Hence why you can see who’s impacted before you apply them!

02 Still a lot of (manual) work: Although the automated policies can help, and you can receive (automated) alerts, there can still be a lot of events to comb through; especially when you first start using the feature!

03 Split management: Today, Conditional Access is managed from both the old and new Azure Management Portal. Identity-driven conditions can be found in the new portal, whereas device-based conditions have to be configured in the old one…

Page 19:

EMS in the real world?

Page 20:

I would like to restrict access to my organization’s data in Office 365 to only users inside my organization.

Potential solution:
• Enable conditional access based on corporate IP addresses (Azure or AD FS claim rules)
• Use “micro-VPNs” to enable external clients to connect (mimic as if they were part of the internal network)

Page 21:

What would be the easiest way to (further) secure the authentication process beyond simple passwords?

Potential solution: Enable Multi-Factor Authentication. If only for Office 365, leverage the free O365 MFA. If not, use Azure MFA.

Caveat:
• Ensure your users are using modern clients which leverage the new ADAL-based auth. mechanism.

Page 22:

I want to ensure that external users always authenticate with more than just their password.

Potential solution:
• Enable (Azure) MFA
• Enable Conditional Access to set up a policy that external connections must go through the MFA flow.

Additional:
• You could integrate an on-premises MFA provider if it supports the MFA flow (can be configured in the Domain settings in Azure AD)
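The three scenarios above (corporate-IP-only access, MFA for every sign-in, MFA for external connections), together with the Modern Auth caveat from the Conditional Access slide, as an added Python model of how such policies decide a sign-in. It is not Microsoft's code and does not reproduce Azure AD's policy engine; the users, IP ranges (documentation TEST-NET prefixes) and policy names are constructed, and the model keeps only the behaviour the slides describe: an applicable block wins, an applicable MFA control is satisfied only if the client already completed MFA, and a legacy-auth client is never evaluated against the policies at all unless legacy auth is blocked separately.

```python
"""Constructed model of Conditional Access decisions for the scenarios above.

Not Microsoft's code and not how Azure AD's policy engine is implemented:
users, IP ranges and policy names are made up, and only the behaviour the
slides describe (block / require MFA, and the Modern Auth caveat) is modelled.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, List

# Constructed corporate egress ranges (TEST-NET documentation prefixes).
CORPORATE_RANGES = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/25")]


@dataclass
class SignIn:
    user: str
    source_ip: str
    modern_auth: bool            # ADAL/OAuth client (True) or legacy auth such as old ActiveSync (False)
    mfa_satisfied: bool = False  # client already completed an MFA challenge in this session


@dataclass
class Policy:
    name: str
    applies: Callable[[SignIn], bool]  # condition under which the control is enforced
    control: str                       # "block" or "require_mfa"


def is_corporate_ip(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in CORPORATE_RANGES)


def evaluate(signin: SignIn, policies: List[Policy], block_legacy_auth: bool = False) -> str:
    """Return "allow", "require_mfa" or "block" for one sign-in."""
    if not signin.modern_auth:
        # Caveat from the Conditional Access slide: a legacy client never presents
        # the claims the policies below look at, so they are not evaluated. Unless
        # legacy auth is blocked separately (e.g. AD FS claim rules), it simply passes.
        return "block" if block_legacy_auth else "allow"
    decision = "allow"
    for policy in policies:
        if not policy.applies(signin):
            continue
        if policy.control == "block":
            return "block"           # an applicable block wins over every other control
        if policy.control == "require_mfa" and not signin.mfa_satisfied:
            decision = "require_mfa"
    return decision


def external(s: SignIn) -> bool:
    return not is_corporate_ip(s.source_ip)


# Scenario "only users inside my organization": block anything off the corporate ranges.
CORP_IP_ONLY = [Policy("corp-ip-only", external, "block")]
# Scenario "secure authentication beyond passwords": MFA for every sign-in.
MFA_FOR_ALL = [Policy("mfa-all", lambda s: True, "require_mfa")]
# Scenario "external users always authenticate with more than a password".
MFA_FOR_EXTERNAL = [Policy("mfa-external", external, "require_mfa")]


if __name__ == "__main__":
    # Constructed sign-ins for one user from inside, from outside, and via a legacy client.
    inside = SignIn("alice@example.com", "203.0.113.25", modern_auth=True)
    outside = SignIn("alice@example.com", "192.0.2.77", modern_auth=True)
    legacy = SignIn("alice@example.com", "192.0.2.77", modern_auth=False)
    for label, s in [("inside", inside), ("outside", outside), ("outside, legacy auth", legacy)]:
        print(f"{label:22} corp-ip-only={evaluate(s, CORP_IP_ONLY):12} "
              f"mfa-external={evaluate(s, MFA_FOR_EXTERNAL)}")
```

The `legacy` sign-in is the one to watch: with the same policies in place it is allowed from outside the corporate ranges, which is exactly why the Conditional Access slide says the feature is only really effective with Modern Auth and why the MFA scenario's caveat insists on ADAL-based clients. Setting `block_legacy_auth=True` stands in for the separate control (AD FS claim rules in the slides) that has to close that gap.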

Page 23:

We have a business partner with whom we regularly have to exchange documents. However, because of the confidentiality of those documents, we don’t want to lose track of who can access them or where they are.

Potential solution:
• Use Conditional Access (e.g. force external parties to use MFA)
• Enable Information Protection (RMS)
• Leverage RMS in SharePoint Online
• Enable external user (internal account) > prevent data from being downloaded from e.g. SharePoint.

Page 24:

What is your use case? Let’s discuss and see if we can find a solution to your problem/challenge.

Page 25:

Windows Information Protection (formerly known as Enterprise Data Protection)

Page 26: What is Windows Information Protection?

01 Protect Data at Rest: Corporate data is automatically encrypted using EFS on the device.

02 Segregation of data: Policies define which data is automatically categorized as corporate. Categorization can be based on location, type, etc...

03 Prevent data leakage: Policies define which applications can consume protected data. These are so-called enlightened applications. Blocked applications are not allowed to access/consume protected (corporate) data.

Page 27:

DEMO: Setting up a Windows Information Protection policy

Page 28: Caveats!

01 Not (yet?) cross-platform: Today, only the Windows platform can leverage the WIP framework. This means that people using mobile devices such as iPhones and iPads must seek alternatives to achieve the same.

02 First version: As with a lot of new features that Microsoft releases, there are a lot of (unexpected) caveats. I suspect subsequent versions will become a lot better. Until then, this version is great to explore its capabilities.

03 Client support: A lot of the effectiveness of Windows Information Protection depends on the client that is used to access corporate data. For example, Office (still) is not supported, which seriously hampers the usability/effectiveness of WIP. Applications that do not adhere to certain rules might be able to “bypass” protection.

Page 29:

THANK YOU