securing office 365 and microsoft azure like a rock star

Upload: jussi-roine

Post on 22-Jan-2018


TRANSCRIPT

Page 1

Page 2

SECURING OFFICE 365 AND MICROSOFT AZURE LIKE A ROCK STAR

Jussi Roine

Sulava, FINLAND

@JussiRoine

Page 3

JUSSI LIVES HERE

WTF!

Page 4

Agenda and takeaways

Security building blocks

External threats

Internal threats

Licenses

The Big Picture

How to protect Azure and Office 365

How to protect on-premises services

Super-exciting!

Page 5

SECURITY BUILDING BLOCKS

It’s like LEGO but not really at all

Page 6

Office 365: Core services

Azure AD

Page 7

Office 365: All major services

Azure AD

Page 8

Office 365: All major services with extensibility

Azure AD

Page 9

Office 365: With major Azure-related services

MFA

Stream

OMS

Azure AD

Page 10

Page 11

Wait, what? Hold on!

Do I have to learn and manage ALL this?

Page 12

A traditional approach to embracing the cloud

This is the common, kind-of hybrid architecture model.

Microsoft Azure

Office 365

Site-to-Site VPN

Azure AD Connect

ADFS

Proxy

On-premises

Page 13

The heart of security: Azure Active Directory

The core of each Azure subscription

You can have multiple AAD tenants within the same Azure subscription

Users, groups, licenses, permissions, apps, app proxies, domains.. all here!

Managed through Azure Portal, some tiny things are still only available in the Classic Portal

It’s important to understand the difference between AAD, AD and AAD Connect (and AAD DS)

Identities, management and security

Page 14

Your mission

Protect the identities in the cloud – it is the new perimeter!

Page 15

Azure Active Directory: Free, Basic, Premium

A few highlighted features of AAD and a comparison between licenses

Feature | AAD Free | AAD Basic | AAD Premium P1 | AAD Premium P2

SSO support | 10 apps/user | 10 apps/user | No limit | No limit

Security reports | 3 (basic) | 3 (basic) | Advanced | Advanced

Price | Free! | 0.84 €/user/month | 5.06 €/user/month | 7.59 €/user/month

Also compared on the slide, tier by tier:

Self-Service password reset

Application Proxy

Multi-Factor Authentication

Connect Health

Cloud App Discovery

Privileged Identity Management

Identity Protection

(cloud users) (cloud users)

Page 16

Security building blocks in Azure

Security

Role-Based Access Control

Key Vault

Microsoft anti-malware

Rights Management/Information Protection

Cloud App Discovery

Security Center

Infrastructure

Network Security Groups (NSG)

Site-to-Site VPN

Point-to-Site VPN

ExpressRoute

Network Security Appliances

Host-based & NextGen firewalls

Azure Active Directory

Connect Health

Identity Protection

Privileged Identity Management

OMS Security & Audit

Multi-Factor Authentication

Page 17

Analogy to cloud security

Rancilio Silvia

Best. Espresso. Ever.

Customized Rancilio Silvia

Rancilio Silvia with the Rocky grinder and steel base

Page 18

PROTECTING AGAINST EXTERNAL THREATS

Authentication with social security numbers

Page 19

Securing authentication for users with Multi-Factor Authentication

Enforces security beyond username and password

User must possess something – typically a mobile device

Strong authentication occurs over text message, PIN, fingerprint, mobile app approval or voice call

Users must enroll through https://aka.ms/mfauserhowto

Available as Office 365 MFA, Azure MFA for Admins and Azure MFA

Certain non-browser apps do not support MFA -- users have to provision separate App Passwords (one or more) through the MyApps portal

Multi-Factor Authentication for on-premises with Azure MFA Server

Enables easy securing of VPNs, IIS web apps & Remote Desktop

Maybe not the most logical to set up..

Supports RADIUS so fairly easy to integrate with legacy systems

Strong and secure authentication for on-premises, hybrid & the cloud

Page 20

Baseline your security in Office 365 with Secure Score

Free service at https://securescore.office.com

Security IQ for the organization

After initial scoring you can select a new baseline

Provides a list of actions for things to fix, in order, to achieve a new baseline

Max score is 452

Office 365 average is 55

You get to >100 just by enabling MFA for global admins

Automated scan of your Office 365 subscription settings and general security

Page 21

A dashboard for Azure security with Security Center

A simple way to view what’s secured and what’s not in Azure

Includes behavioral analytics and incident reporting

Standard license gives advanced threat detection & intelligence

Provides an overview on security for cloud resources

Page 22

Securing and monitoring Azure AD Connect, ADFS and on-premises AD configuration with Azure AD Connect Health

Monitors your AD FS, AD FS Proxy, AAD Domain Services and AAD Connect status

Can alert you when things break down – useful for many directory-related services, and especially for Azure AD Connect issues

Deploying is easy: install agents on the AD FS, AAD Connect and AD DS servers, then verify the configuration on the AAD CH blade in the Azure Portal

Somewhat sadly this feature requires AAD Premium license – all users must be licensed in the scope of AAD CH

Agent-based service to monitor your AD domain controllers and ADFS infrastructure

Page 23

Safeguarding for users who log in from weird countries with Azure AD Identity Protection

Watchdog for user sign-ins, can associate individual logins with risk factors

Automatically flags suspicious events, such as users who perform impossible travel times (typically with VPN connectivity)

Enforces additional policies based on low/high risk factors

Enforce MFA for the duration of the login

Enforce self-service password reset (which subsequently enforces MFA)

Weekly email digest of findings and things to lose your sleep over

Monitoring for risk events, vulnerabilities and automatic policy changes
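An added example, not from the slides, of the kind of check behind the impossible-travel risk event described above, written in Python over constructed sign-in records: consecutive sign-ins by one user are compared by great-circle distance and elapsed time, and a pair is flagged when the implied speed exceeds an assumed 900 km/h ceiling. The sign-in log, city coordinates and the threshold are all assumptions.

```python
# Added example (not from the slides): a minimal "impossible travel" check of the
# kind Azure AD Identity Protection applies to sign-ins. The sign-in records and
# city coordinates are constructed for the demo; the 900 km/h ceiling is an
# assumption (roughly airliner cruising speed).
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 900.0  # assumption: faster than this is not a real trip

# Constructed sign-in log: (user, UTC timestamp, city, latitude, longitude)
SIGN_INS = [
    ("alice", "2017-11-13T08:00:00", "Helsinki", 60.17, 24.94),
    ("alice", "2017-11-13T09:30:00", "Singapore", 1.35, 103.82),
    ("alice", "2017-11-13T22:00:00", "Stockholm", 59.33, 18.07),
    ("bob", "2017-11-13T11:00:00", "Tampere", 61.50, 23.76),
    ("bob", "2017-11-13T08:00:00", "Helsinki", 60.17, 24.94),  # out of order on purpose
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def impossible_travel(sign_ins, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (user, from_city, to_city, required_kmh) for every pair of
    consecutive sign-ins by the same user that would need travel faster
    than max_kmh; required_kmh is inf when the timestamps are identical."""
    by_user = {}
    for user, ts, city, lat, lon in sign_ins:
        by_user.setdefault(user, []).append((datetime.fromisoformat(ts), city, lat, lon))
    findings = []
    for user, events in by_user.items():
        events.sort()  # chronological order; a log feed is not guaranteed to be sorted
        for (t1, c1, la1, lo1), (t2, c2, la2, lo2) in zip(events, events[1:]):
            km = haversine_km(la1, lo1, la2, lo2)
            if km < 1.0:
                continue  # same place: nothing to explain
            hours = (t2 - t1).total_seconds() / 3600
            speed = float("inf") if hours == 0 else km / hours
            if speed > max_kmh:
                findings.append((user, c1, c2, speed))
    return findings

if __name__ == "__main__":
    for user, c1, c2, kmh in impossible_travel(SIGN_INS):
        print(f"risk: {user} signed in from {c1} then {c2}, would need {kmh:.0f} km/h")
```

A corporate VPN egress makes every sign-in appear to come from the VPN's location, which is why the slide ties these alerts to VPN connectivity; in practice the VPN's egress ranges are treated as a known location before this kind of rule is applied.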

Page 24

Getting rid of static admin roles with Azure AD Privileged Identity Management (PIM)

Instead of granting permanent admin privileges, PIM allows ad-hoc & just-in-time admin roles

Users can request new privileges for a predefined duration

Scans for fixed admin roles and changes them to temporary roles

Admin roles become non-permanent

Duration can be set from 1 hour to 72 hours

Can enforce MFA during role grant

In preview: Approval workflows for new privilege requests

Central view & management for all admin roles throughout Azure and Office 365

”Just-in-time” administration privileges for users on request

Page 25

Tracking botnet and brute force attacks

OMS provides System Center-like capabilities in the cloud

Capable of tracking hybrid deployments, including Office 365 and Azure

Gathers logs (also custom ones), configuration data, update status, availability, backup info and even Surface Hub data

Operations Management Suite (OMS) is the Swiss Army knife you need

Page 26

Protecting from external threats with Office 365

Provides a 360° view on external threats against users

Insights and analysis based on evidence, act accordingly

Allows for custom policies and reactions

Threat Intelligence uses evidence-based knowledge on threats

Page 27

Publishing internal services securely

Enforce authentication at Azure AD, before allowing access to internal resources

Configuration is simple, and supports high availability deployments

Internal services do not require changes

Dual authentication is also supported: first on Azure AD, then on-premises against the local AD/service

Azure AD Application Proxy provides a one-way HTTPS tunnel to on-premises

Page 28

DEMO

Page 29

PROTECTING AGAINST INTERNAL THREATS

Trust no one

Page 30

Securing Edge network & cloud app usage with Cloud App Security (used to be Advanced Security Management)

Similar to OMS, but directly aimed for Office 365 workloads

Records all activities of users, including external users

Supports on-premises edge router log analysis

Discover activity and incidents in Office 365

Page 31

Monitoring what admins and developers are doing with Azure resources

Query against Azure backends to see operations against services

Connect with Log Analytics (for further analysis)

Power BI (for reports)

Application Insights (for wisdom)

Azure Monitor provides monitoring throughout tenants and resource groups

Page 32

Finding Shadow IT within the organization with Cloud App Discovery

Works by dropping an agent on workstations

Consent can be requested; or just install silently..

Discover apps, amount of data transferred and who uses what

Based on reports, act accordingly

Discover unmanaged (and managed) cloud apps in use
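An added example, not from the slides, of what the discovery on this slide and the edge-log analysis on the Cloud App Security slide boil down to: parse proxy log lines, map destination hosts to a catalogue of cloud apps, aggregate who uses what and how much data leaves, and rank the unsanctioned apps. The log format, the app catalogue and the sanctioned list are constructed for the demo.

```python
# Added example (not from the slides): a minimal shadow-IT discovery pass over
# edge-proxy log lines, in the spirit of Cloud App Discovery / Cloud App Security.
# Log format, app catalogue and sanctioned list are all constructed for the demo.
import re

# Constructed proxy log: time user method host bytes_out bytes_in
PROXY_LOG = """\
2017-11-13T08:01:02 alice CONNECT outlook.office365.com 5120 98304
2017-11-13T08:05:41 alice CONNECT www.dropbox.com 734003200 2048
2017-11-13T08:07:10 bob   CONNECT contoso.sharepoint.com 40960 655360
2017-11-13T09:12:33 carol CONNECT api.dropbox.com 10485760 1024
2017-11-13T09:40:00 bob   CONNECT pastebin.com 204800 512
this line is malformed and must not abort the whole pass
"""

# Constructed catalogue (host suffix -> app) and constructed sanctioned-app list
APP_CATALOGUE = {"office365.com": "Office 365", "sharepoint.com": "SharePoint Online",
                 "dropbox.com": "Dropbox", "pastebin.com": "Pastebin"}
SANCTIONED = {"Office 365", "SharePoint Online"}

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)$")

def app_for_host(host):
    """Map a hostname to a catalogued app by exact name or parent-domain suffix."""
    for suffix, app in APP_CATALOGUE.items():
        if host == suffix or host.endswith("." + suffix):
            return app
    return None  # unknown host, or a lookalike such as evil-dropbox.com

def discover_apps(log_text):
    """Per app: the users seen, bytes uploaded, and whether it is sanctioned."""
    stats = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip it, keep processing the rest
        _, user, _, host, out_bytes, _ = m.groups()
        app = app_for_host(host)
        if app is None:
            continue
        s = stats.setdefault(app, {"users": set(), "up": 0, "sanctioned": app in SANCTIONED})
        s["users"].add(user)
        s["up"] += int(out_bytes)
    return stats

def shadow_it(stats, min_upload_mb=1):
    """Unsanctioned apps with at least min_upload_mb uploaded to them, largest first."""
    hits = [(app, s) for app, s in stats.items()
            if not s["sanctioned"] and s["up"] >= min_upload_mb * 1024 * 1024]
    return sorted(hits, key=lambda kv: kv[1]["up"], reverse=True)
```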

Page 33

Active Directory surveillance & analysis with Advanced Threat Analytics (ATA)

Captures all authentication traffic to-and-from Domain Controllers

Uses Machine Learning to identify issues and unauthorized usage

Fully automatic, install & forget! Almost like SharePoint ;-)

Can connect with OMS to provide hybrid reporting in the cloud

Aggressive auditing and analytics for on-premises Active Directory requests

Page 34

Compliance Manager

A new service in Office 365

Preview available November 16 (that’s Thursday!)

Centralized compliance view to GDPR, ISO 27001 certifications and other frameworks

Sign up for preview https://aka.ms/compliance-manager-preview

Page 35

Customer Key

Announced at Ignite

Encrypt data-at-rest with your own keys

Includes protection if you lose your keys

Uses Azure Key Vault to hold keys – can be HSM (Hardware Security Module) backed

Page 36

Don’t worry, security will keep you busy

Page 37

DEMO

Page 38

I’m lost – too many services and options

On-premises

Active Directory

Advanced Threat Analytics

Firewall, proxy, VLANs etc.

Microsoft Identity Manager

Office 365

Data Loss Prevention

Threat Intelligence

Secure Score

Compliance Manager

Microsoft Azure

Connect Health

Cloud App Discovery

Network Security Group

Cloud App Security

Identity Protection

Privileged Identity Management

Azure Active Directory

Conditional Access

Operations Management Suite

Security Center

Azure MFA

Azure Information Protection

Intune

Customer Key (through Key Vault)

Page 39

Licenses

It depends.

Page 40

Onsight

Enterprise Mobility + Security (EMS)

Used to be known as Enterprise Mobility Suite

E3

E5

Page 41

What about Microsoft 365?

Microsoft 365 Enterprise

Office 365 Enterprise

Windows 10 Enterprise

Enterprise Mobility + Security

E3

E5

Microsoft 365 Business

Office 365 for Business

Windows 10 Pro

Intune

3001

Page 42

Security-related services and licenses

License tiers on the slide:

No extra license needed

EMS E3/Microsoft 365 E3

EMS E5/Microsoft 365 E5

Additional licensing

Services placed across those tiers:

Advanced Threat Analytics

Active Directory

Azure MFA Server

Advanced Security Management

Threat Intelligence

Secure Score

Intune

Azure MFA for Admins

Azure AD

Azure AD Premium

Security Center

Cloud App Discovery

Privileged Identity Management

Identity Protection

Azure MFA

Connect Health

Network Security Groups

Next-Gen Firewalls

Information Protection

Operations Management Suite

Page 43

Recommendations & recap

Follow current practices and patterns: http://bit.ly/azuresecpnp

Get the book! http://bit.ly/azuresecbook

Get the guidance! http://bit.ly/perimeterbook

Deploy the free services:

Azure Security Center

Office 365 Secure Score

Azure MFA for Admins

OMS Security (AAD+O365)

Go for AAD Premium, either with EM+S or separately

Deploy ATA

Enable PIM and Identity Protection

Page 44

Thank you! @JussiRoine