
Ed Baker – Are YOU Intune with your Enterprise Devices

Jan 23, 2018

Andrew J. Price
Page 1: Ed Baker – Are YOU Intune with your Enterprise Devices

Classified as Microsoft General

ARE YOU INTUNE WITH YOUR ENTERPRISE DEVICES?

Ed Baker
Microsoft UK Technical Evangelist
@edbaker1965
ed-baker.com

Page 2: Ed Baker – Are YOU Intune with your Enterprise Devices

Who Am I?

I am Ed Baker – Technical Evangelist @ Microsoft UK

I tweet from @edbaker1965

I blog at ed-baker.com

Email me [email protected]

When not tweeting/blogging/presenting, I like to bake and ride motorbikes, not normally at the same time though.

Page 3: Ed Baker – Are YOU Intune with your Enterprise Devices

AGENDA

Security Landscape

Identity is the new control plane

Enterprise Mobility & Security

Mobile Application Management – Intune

Cloud App Security

Demonstrations

Page 4: Ed Baker – Are YOU Intune with your Enterprise Devices

SECURITY LANDSCAPE

Page 5: Ed Baker – Are YOU Intune with your Enterprise Devices

Mobile-first, cloud-first reality

Data breaches: 63%
63% of confirmed data breaches involve weak, default, or stolen passwords.

IT budget growth: 0.6%
Gartner predicts global IT spend will grow only 0.6% in 2016.

Shadow IT: 80%
More than 80 percent of employees admit to using non-approved software as a service (SaaS) applications in their jobs.

Page 6: Ed Baker – Are YOU Intune with your Enterprise Devices

Enterprise Mobility + Security: The Microsoft vision

• Identity Driven Security
• Managed Mobile Productivity
• Comprehensive Solution

Apps, Devices, Data, Users

Page 7: Ed Baker – Are YOU Intune with your Enterprise Devices
Page 8: Ed Baker – Are YOU Intune with your Enterprise Devices

IDENTITY IS THE NEW CONTROL PLANE

Page 9: Ed Baker – Are YOU Intune with your Enterprise Devices

Identity as the control plane

On-premises

Windows Server Active Directory

Page 10: Ed Baker – Are YOU Intune with your Enterprise Devices

Identity as the control plane

On-premises

Windows Server Active Directory

VPN

BYO

SaaS

Azure

Cloud

Public cloud

Customers

Partners

Page 11: Ed Baker – Are YOU Intune with your Enterprise Devices

Identity as the control plane

On-premises

Windows Server Active Directory

VPN

BYO

Microsoft Azure Active Directory

Azure

Cloud

Public cloud

Customers

Partners

Page 12: Ed Baker – Are YOU Intune with your Enterprise Devices

Customers

Azure AD as the control plane

On-premises

Partners

Azure

Cloud

Public cloud

Microsoft Azure Active Directory

BYO

Windows Server Active Directory

Page 13: Ed Baker – Are YOU Intune with your Enterprise Devices

• 33,000 Enterprise Mobility + Security | Azure AD Premium enterprise customers
• >110k third-party applications used with Azure AD each month
• >1.3 billion authentications every day on Azure AD
• More than 750 M user accounts on Azure AD
• >10 M Azure AD directories
• 85% of Fortune 500 companies use Microsoft Cloud (Azure, O365, CRM Online, and PowerBI)

Every Office 365 and Microsoft Azure customer uses Azure Active Directory

• Microsoft “Identity Management as a Service (IDaaS)” for organizations.
• Millions of independent identity systems controlled by enterprise and government “tenants.”
• Information is owned and used by the controlling organization—not by Microsoft.
• Born-as-a-cloud directory for Office 365. Extended to manage across many clouds.
• Evolved to manage an organization’s relationships with its customers/citizens and partners (B2C and B2B).

Page 14: Ed Baker – Are YOU Intune with your Enterprise Devices

Azure Active Directory. Identity at the core of your business

1000s of apps, 1 identity
Provide one persona to the workforce for SSO to 1000s of cloud and on-premises apps

Manage access at scale
Manage identities and access at scale in the cloud and on-premises

Cloud-powered protection
Ensure user and admin accountability with better security and governance

Enable business without borders
Stay productive with universal access to every app and collaboration capability

Page 15: Ed Baker – Are YOU Intune with your Enterprise Devices

ENTERPRISE MOBILITY & SECURITY

Page 16: Ed Baker – Are YOU Intune with your Enterprise Devices

With mobility come new security challenges

• The network perimeter has vanished
• Attacks have become organized, targeted, and persistent
• More than 1,000 businesses affected by cyber attacks
• Another major retailer hacked
• You want to have visibility and control in the cloud

Page 17: Ed Baker – Are YOU Intune with your Enterprise Devices

Life before cloud
• Only sanctioned apps are installed
• Resources accessed via managed devices/networks
• IT had layers of defense protecting internal apps
• IT has a known security perimeter

Life with cloud
• User chooses apps (unsanctioned, shadow IT)
• User can access resources from anywhere
• Data is shared by user and cloud apps
• IT has limited visibility and protection

On-premises
Storage, corp data
Users

Page 18: Ed Baker – Are YOU Intune with your Enterprise Devices

Is it possible to keep up?

Employees Business partners Customers

Microsoft’s vision

Apps, Devices, Users, Data

Page 20: Ed Baker – Are YOU Intune with your Enterprise Devices

The problem is complex
This is why the solution needs to be comprehensive

75% Exploited credentials

“I can log in with Matt’s credentials and lay low in the network.” Hacker

60% Mobility

“I would like to send this customer file to one of our vendors so they can take a look.” Matt

“I’ll save the file to my cloud storage app so I can work on it from home.” Matt

“I would work on this file on my tablet while I am waiting for my flight at the airport.” Matt

88% Losing control of data

80% Non-approved SaaS app use

Page 21: Ed Baker – Are YOU Intune with your Enterprise Devices

Customer’s needs
• Access to everything from everything
• Secure devices, apps, and data
• Preserve existing investments

Microsoft’s Solution
• Integrated, secure identity
• It protects Office better
• It just works

Empower Enterprise Mobility
• Identity-driven security
• Comprehensive solution
• Managed mobile productivity

Page 22: Ed Baker – Are YOU Intune with your Enterprise Devices

• Intune: Protect your users, devices, and apps
• Azure Rights Management and Secure Islands: Protect your data, everywhere
• Advanced Threat Analytics: Detect problems early with visibility and threat analytics
• Microsoft Cloud App Security: Extend enterprise-grade security to your cloud and SaaS apps
• Azure Active Directory Identity Protection: Manage identity with hybrid integration to protect application access from identity attacks

Page 23: Ed Baker – Are YOU Intune with your Enterprise Devices

Enterprise Mobility Suite

• Identity and access management: Azure Active Directory
• Mobile device and app management: Intune
• Information protection: Azure Rights Management
• User and entity behavioral analytics: Advanced Threat Analytics
• Cloud and SaaS app security: Cloud App Security

Bring enterprise-grade visibility, control, and protection to your cloud applications.

Page 24: Ed Baker – Are YOU Intune with your Enterprise Devices

MOBILE APPLICATION MANAGEMENT – INTUNE

Page 25: Ed Baker – Are YOU Intune with your Enterprise Devices

Help organizations enable their users to be productive on the devices they love while keeping corporate assets secure.

• Enable your users
• Protect your data
• Unify your environment

Devices, Apps, Data
User, IT

Page 26: Ed Baker – Are YOU Intune with your Enterprise Devices

Traditional access control to corporate data

Network zones: Corporate network, DMZ, Internet

Components: Active Directory, PCs, SharePoint Server, Exchange Server, Mobile devices, Browsers

Policies
• Filter EAS
• Filter web access
• Filter or block mobile app access
• Block unmanaged devices
• Prevent downloads
• Force multifactor authentication
• Require domain joined
• Force traffic via proxy/VPN

Page 27: Ed Baker – Are YOU Intune with your Enterprise Devices

The current reality…

Page 28: Ed Baker – Are YOU Intune with your Enterprise Devices

Conditional access with EMS
Controlling access to data

User
• Group memberships
• Auth strength (MFA)
• Risky behavior

Device
• Managed (Intune or CM)
• Compliant
• Risky behavior

App
• Mobile app is managed
• Mobile app reputation
• SaaS app sensitivity

Other
• Network location
• Breach detected

On-premise data

Page 29: Ed Baker – Are YOU Intune with your Enterprise Devices

Containing data after it has been accessed

Managed apps
Personal apps
Corporate data
Personal data

• Protect corp data
• Control sharing and downloading

IT
Monitor and restrict activity

Page 30: Ed Baker – Are YOU Intune with your Enterprise Devices

Mobile Device Management
• Enrolling corporate devices for management
• Enrolling personal devices for management
• Provisioning settings, certs, profiles
• Reporting device inventory
• Measuring device compliance
• Removing corporate data from devices
• All of the above using OS standards

Mobile App Management
• Publishing mobile apps to users
• Configuring mobile apps
• Securing corporate data in mobile apps
• Removing corporate data from mobile apps
• Updating mobile apps
• Reporting app inventory and usage
• All of the above with or without MDM

Page 31: Ed Baker – Are YOU Intune with your Enterprise Devices

IT managed

• Information worker

• Shared

Employee managed

• Companion

• Primary

Foreign managed

• Contractor

• Public kiosk

Page 32: Ed Baker – Are YOU Intune with your Enterprise Devices

CLOUD APP SECURITY

Page 33: Ed Baker – Are YOU Intune with your Enterprise Devices

SaaS adoption challenge

73% of enterprises indicated security as a top challenge holding back SaaS adoption*

>80% of employees admit to using non-approved SaaS apps in their jobs**

* Cloud Security Alliance (CSA) survey, Cloud Adoption, Practices and Priorities Survey Report 2015
** http://www.computing.co.uk/ctg/news/2321750/more-than-80-per-cent-of-employees-use-non-approved-saas-apps-report

Page 34: Ed Baker – Are YOU Intune with your Enterprise Devices

• Shadow IT: How do I know what apps are used in my environment?
• Access control: How do I ensure appropriate access to my cloud apps?
• Visibility/reporting: How do I gain visibility into cloud apps and usage?
• Data protection: How do I prevent data leakage?
• Threat prevention: How do I know if my users have been breached?
• Compliance: How do I address regulatory mandates?

Page 35: Ed Baker – Are YOU Intune with your Enterprise Devices

• Based on Adallom acquisition
• Cloud-delivered service bringing visibility and control to cloud apps
• Comprehensive and proven protection
• Committed to supporting third-party cloud applications

Page 36: Ed Baker – Are YOU Intune with your Enterprise Devices

• No agents required on user devices for discovery
• Comprehensive controls for your sanctioned apps
• Enterprise-grade: simple to deploy and manage
• Builds on broader Microsoft security platform
• Deeply integrated with Office 365
• Threat detection draws from Microsoft’s security intelligence

Page 37: Ed Baker – Are YOU Intune with your Enterprise Devices

Discovery
Gain complete visibility and context for cloud usage and shadow IT—no agents required

Data control
Shape your cloud environment with granular controls and policy setting for access, data sharing, and DLP

Threat protection
Identify high-risk usage and security incidents, detect abnormal user behavior, and prevent threats

Integrate with existing security, mobility, and encryption solutions

Page 38: Ed Baker – Are YOU Intune with your Enterprise Devices

Discovery

Shadow IT discovery
• Discover 13,000+ cloud apps in use—no agents required
• Identify all users, IP addresses, top apps, top users

Risk scoring
• Get an automated risk score driven by 60+ parameters
• See each app’s risk assessment based on its security mechanisms and compliance regulations

Ongoing analytics
• Ongoing risk detection, powerful reporting, and analytics on users, usage patterns, upload/download traffic, and transactions
• Ongoing anomaly detection for discovered apps

Integrate with existing security, mobility, and encryption solutions

Page 39: Ed Baker – Are YOU Intune with your Enterprise Devices

Data control

Policy definition
• Set granular-control security policies for your approved apps
• Use out-of-the-box policies or customize your own

DLP and data sharing
• Prevent data loss both inline and at rest
• Govern data in the cloud, such as files stored in cloud drives, attachments, or within cloud apps
• Use pre-defined templates or extend existing DLP policies

Policy enforcement
• Identify policy violations, investigate on a user, file, activity level
• Enforce actions such as quarantine and permissions removal
• Block sensitive transactions, limit sessions for unmanaged devices

Page 40: Ed Baker – Are YOU Intune with your Enterprise Devices

Threat prevention

Behavioral analytics
• Identify anomalies in your cloud environment which may be indicative of a breach
• Leverage behavioral analytics (each user’s interaction with SaaS apps) to assess risk in each transaction

Attack detection
• Identify and stop known attack pattern activities originating from risky sources with threat prevention enhanced with vast Microsoft threat intelligence
• Coming soon: send any file through real-time behavioral malware analysis

Page 41: Ed Baker – Are YOU Intune with your Enterprise Devices

Shadow IT

Sanctioned

App Security

Visibility and control

Compliance and regulations

Integration with existing systems and workflows

Cloud security expertise

Cloud Discovery

Page 42: Ed Baker – Are YOU Intune with your Enterprise Devices

Discover

Investigate

Alerts

Control

Page 44: Ed Baker – Are YOU Intune with your Enterprise Devices

Alerts

Discover

Investigate

Control

Page 46: Ed Baker – Are YOU Intune with your Enterprise Devices

Cloud App Security portal demo

Mechanics video

Page 47: Ed Baker – Are YOU Intune with your Enterprise Devices

Discovery

• Use traffic logs to discover and analyze which cloud apps are in use

• Manually or automatically upload log files for analysis from your firewalls and proxies

Sanctioning and un-sanctioning

• Sanction or block apps in your organization using the cloud app catalog

App connectors

• Leverage APIs provided by various cloud app providers

• Connect an app and extend protection by authorizing access to the app. Cloud App Security queries the app for activity logs and scans data, accounts, and cloud content

App connectors

Cloud discovery

Protected

Cloud apps

Cloud traffic

Cloud traffic logs

Firewalls

Proxies

Your organization from any location

API

Cloud App Security
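
The log-based discovery flow on this slide (traffic logs from proxies or firewalls matched against an app catalog, then split into sanctioned and unsanctioned use), as an added example that is not part of the original deck and is not Cloud App Security's own code. The log format, catalog entries, host names and function names are all constructed for illustration.

```python
# Constructed catalog (hypothetical): domain suffix -> (app name, sanctioned?)
CATALOG = {
    "mail.example-corp.test": ("CorpMail", True),
    "example-share.test": ("ExampleShare", False),
    "example-notes.test": ("ExampleNotes", False),
}
# Constructed proxy log lines: time user src_ip host bytes_up bytes_down
SAMPLE_LOG = """\
2018-01-23T09:00:01 alice 10.0.0.5 mail.example-corp.test 1200 54000
2018-01-23T09:02:10 bob 10.0.0.9 files.example-share.test 7340032 900
2018-01-23T09:05:44 alice 10.0.0.5 example-share.test 1048576 300
2018-01-23T09:06:02 carol 10.0.0.7 notexample-share.test 500 500
2018-01-23T09:07:30 bob 10.0.0.9 app.example-notes.test 2048 8192
truncated-record 10.0.0.1
"""

def match_app(host):
    """Match on a DNS label boundary so 'notexample-share.test' is not a hit."""
    host = host.lower().rstrip(".")
    for suffix, app in CATALOG.items():
        if host == suffix or host.endswith("." + suffix):
            return app
    return None

def discover(log_text):
    """Return (per-app usage, set of hosts that are not in the catalog)."""
    apps, unknown = {}, set()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6 or not (parts[4].isdigit() and parts[5].isdigit()):
            continue  # skip malformed records instead of aborting the run
        _, user, ip, host, up, down = parts
        app = match_app(host)
        if app is None:
            unknown.add(host.lower())  # candidates for catalog review
            continue
        name, sanctioned = app
        rec = apps.setdefault(name, {"sanctioned": sanctioned, "users": set(), "ips": set(), "up": 0, "down": 0})
        rec["users"].add(user)
        rec["ips"].add(ip)
        rec["up"] += int(up)
        rec["down"] += int(down)
    return apps, unknown

def unsanctioned_by_upload(apps):  # largest upload volume first
    rows = [(n, r["up"], sorted(r["users"])) for n, r in apps.items() if not r["sanctioned"]]
    return sorted(rows, key=lambda row: row[1], reverse=True)

print(unsanctioned_by_upload(discover(SAMPLE_LOG)[0]))
```

Hosts returned in the second value of `discover` are the ones a reviewer would look at next, since they match nothing in the catalog.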