Classified as Microsoft General
ARE YOU INTUNE WITH YOUR ENTERPRISE DEVICES?
Ed Baker
Microsoft UK
Technical Evangelist
@edbaker1965
ed-baker.com
Jan 23, 2018
Who Am I?
I am Ed Baker – Technical Evangelist @ Microsoft UK
I tweet from @edbaker1965
I blog at ed-baker.com
Email me [email protected]
When not tweeting/blogging/presenting
I like to bake and ride motorbikes, not normally at the same time though.
AGENDA
Security Landscape
Identity is the new control plane
Enterprise Mobility & Security
Mobile Application Management – Intune
Cloud App Security
Demonstrations
SECURITY LANDSCAPE
Mobile-first, cloud-first reality
Data breaches: 63%
63% of confirmed data breaches involve weak, default, or stolen passwords.
IT budget growth: 0.6%
Gartner predicts global IT spend will grow only 0.6% in 2016.
Shadow IT: 80%
More than 80 percent of employees admit to using non-approved software as a service (SaaS) applications in their jobs.
Enterprise Mobility + Security: The Microsoft vision
Identity Driven Security
Managed Mobile Productivity
Comprehensive Solution
Apps, Devices, Data, Users
IDENTITY IS THE NEW CONTROL PLANE
Identity as the control plane (diagram, built up over four slides)
On-premises: Windows Server Active Directory, VPN, BYO
Cloud: Microsoft Azure Active Directory, Azure, SaaS, Public cloud
Customers and Partners
Azure AD as the control plane
33,000 Enterprise Mobility + Security | Azure AD Premium enterprise customers
>110k third-party applications used with Azure AD each month
>1.3 billion authentications every day on Azure AD
More than 750 M user accounts on Azure AD
>10 M Azure AD directories
85% of Fortune 500 companies use Microsoft Cloud (Azure, O365, CRM Online, and PowerBI)
Every Office 365 and Microsoft Azure customer uses Azure Active Directory
• Microsoft “Identity Management as a Service (IDaaS)” for organizations.
• Millions of independent identity systems controlled by enterprise and government “tenants.”
• Information is owned and used by the controlling organization—not by Microsoft.
• Born-as-a-cloud directory for Office 365. Extended to manage across many clouds.
• Evolved to manage an organization’s relationships with its customers/citizens and partners (B2C and B2B).
Azure Active Directory. Identity at the core of your business
1000s of apps, 1 identity: Provide one persona to the workforce for SSO to 1000s of cloud and on-premises apps
Manage access at scale: Manage identities and access at scale in the cloud and on-premises
Cloud-powered protection: Ensure user and admin accountability with better security and governance
Enable business without borders: Stay productive with universal access to every app and collaboration capability
ENTERPRISE MOBILITY & SECURITY
With mobility come new security challenges
The network perimeter has vanished
Attacks have become organized, targeted, and persistent
More than 1,000 businesses affected by cyber attacks
Another major retailer hacked
You want to have visibility and control in the cloud
Life before cloud
• Only sanctioned apps are installed
• Resources accessed via managed devices/networks
• IT had layers of defense protecting internal apps
• IT has a known security perimeter
Life with cloud
• User chooses apps (unsanctioned, shadow IT)
• User can access resources from anywhere
• Data is shared by user and cloud apps
• IT has limited visibility and protection
On-premises: storage, corp data; Users
Is it possible to keep up?
Employees, Business partners, Customers
Microsoft’s vision: Apps, Devices, Users, Data
This is why the solution needs to be comprehensive
The problem is complex
75%: Exploited credentials
“I can log in with Matt’s credentials and lay low in the network.” – Hacker
60%: Mobility
“I would like to send this customer file to one of our vendors so they can take a look.” – Matt
“I’ll save the file to my cloud storage app so I can work on it from home.” – Matt
“I would work on this file on my tablet while I am waiting for my flight at the airport.” – Matt
88%: Losing control of data
80%: Non-approved SaaS app use
Customer’s needs
Access to everything from everything
Secure devices, apps, and data
Preserve existing investments
Integrated, secure identity
It protects Office better
It just works
Microsoft’s Solution: Empower Enterprise Mobility
Identity-driven security
Comprehensive solution
Managed mobile productivity
Protect your users, devices, and apps: Intune
Protect your data, everywhere: Azure Rights Management and Secure Islands
Detect problems early with visibility and threat analytics: Advanced Threat Analytics
Extend enterprise-grade security to your cloud and SaaS apps: Microsoft Cloud App Security
Manage identity with hybrid integration to protect application access from identity attacks: Azure Active Directory Identity Protection
Enterprise Mobility Suite
Identity and access management: Azure Active Directory
Mobile device and app management: Intune
Information protection: Azure Rights Management
User and entity behavioral analytics: Advanced Threat Analytics
Cloud and SaaS app security: Cloud App Security
Bring enterprise-grade visibility, control, and protection to your cloud applications.
MOBILE APPLICATION MANAGEMENT – INTUNE
Protect your data / Enable your users / Unify your environment
Devices, Data, Apps
Help organizations enable their users to be productive on the devices they love while keeping corporate assets secure.
Traditional access control to corporate data
Corporate network: Active Directory, PCs, SharePoint Server, Exchange Server
DMZ / Internet: Mobile devices, Browsers
Policies:
• Filter EAS
• Filter web access
• Filter or block mobile app access
• Block unmanaged devices
• Prevent downloads
• Force multifactor authentication
• Require domain joined
• Force traffic via proxy/VPN
The current reality…
On-premise data
Conditional access with EMS: Controlling access to data
App signals:
• Mobile app is managed
• Mobile app reputation
• SaaS app sensitivity
Other signals:
• Network location
• Breach detected
Device signals:
• Managed (Intune or CM)
• Compliant
• Risky behavior
User signals:
• Group memberships
• Auth strength (MFA)
• Risky behavior
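The slides list the signal groups (app, device, user, network, breach state) and, on the traditional access control slide, the policy outcomes (block unmanaged devices, force multifactor authentication, and so on) without showing how they combine. The following is an added example, not Microsoft's or Intune's policy engine: a single evaluation function that takes those signals and returns block, require MFA, or allow. The field names, the "admins" group, the "good/unknown/bad" reputation scale and the order of checks are assumptions made for this illustration.

```python
"""Conditional access evaluation over the signal groups on the slide.

Added illustration, not Azure AD's or Intune's policy engine. Signal names,
the privileged group name and the ordering of checks are assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class AccessContext:
    # App signals
    app_managed: bool                 # mobile app is Intune-managed
    app_reputation: str               # "good", "unknown" or "bad" (assumed scale)
    saas_sensitivity: str             # "low" or "high"
    # Other signals
    network_location: str             # "corporate" or "external"
    breach_detected: bool
    # Device signals
    device_managed: bool              # enrolled in Intune or ConfigMgr
    device_compliant: bool            # meets compliance policy
    device_risky: bool                # risky device behaviour flagged
    # User signals
    groups: set[str] = field(default_factory=set)
    mfa_done: bool = False            # auth strength already includes MFA
    user_risky: bool = False          # risky user behaviour flagged


PRIVILEGED_GROUP = "admins"           # assumed group name for this example


def evaluate(ctx: AccessContext) -> tuple[str, list[str]]:
    """Return (decision, reasons); decision is 'block', 'require_mfa' or 'allow'.

    Hard blocks are checked first so an MFA prompt is never offered for a
    request that would be refused anyway."""
    if ctx.breach_detected:
        return "block", ["breach detected"]
    if ctx.app_reputation == "bad":
        return "block", ["app reputation is bad"]
    if ctx.device_risky:
        return "block", ["device shows risky behaviour"]
    # Sensitive SaaS data only via a managed app on a managed, compliant device.
    if ctx.saas_sensitivity == "high":
        if not ctx.app_managed:
            return "block", ["sensitive app requires a managed app"]
        if not (ctx.device_managed and ctx.device_compliant):
            return "block", ["sensitive app requires a managed, compliant device"]
    # Step-up conditions: acceptable only once MFA has been satisfied.
    reasons = []
    if ctx.user_risky:
        reasons.append("risky user behaviour")
    if ctx.network_location != "corporate":
        reasons.append("request from outside the corporate network")
    if ctx.app_reputation == "unknown":
        reasons.append("app reputation unknown")
    if PRIVILEGED_GROUP in ctx.groups:
        reasons.append("member of privileged group")
    if reasons and not ctx.mfa_done:
        return "require_mfa", reasons
    return "allow", reasons or ["no step-up conditions triggered"]


def scenarios() -> dict[str, str]:
    """Constructed sample requests and the decision each receives."""
    base = dict(app_managed=True, app_reputation="good", saas_sensitivity="low",
                network_location="corporate", breach_detected=False,
                device_managed=True, device_compliant=True, device_risky=False)
    byod = {"network_location": "external", "device_managed": False,
            "device_compliant": False}
    cases = {
        "corp_pc_sensitive": AccessContext(**{**base, "saas_sensitivity": "high"}),
        "byod_external": AccessContext(**{**base, **byod}),
        "byod_external_sensitive": AccessContext(**{**base, **byod, "saas_sensitivity": "high"}),
        "admin_with_mfa": AccessContext(**{**base, "groups": {"admins"}, "mfa_done": True}),
        "breach": AccessContext(**{**base, "breach_detected": True}),
    }
    return {name: evaluate(ctx)[0] for name, ctx in cases.items()}


if __name__ == "__main__":
    for name, decision in scenarios().items():
        print(f"{name:26s} -> {decision}")
```

The ordering matters for the user experience as much as for security: evaluating hard blocks before step-up conditions means a BYO device asking for a high-sensitivity app is refused outright rather than being prompted for MFA and then refused.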
Containing data after it has been accessed
Managed apps: Corporate data
Personal apps: Personal data
Protect corp data
Control sharing and downloading
IT: Monitor and restrict activity
Mobile Device Management
• Enrolling corporate devices for management
• Enrolling personal devices for management
• Provisioning settings, certs, profiles
• Reporting device inventory
• Measuring device compliance
• Removing corporate data from devices
• All of the above using OS standards
Mobile App Management
• Publishing mobile apps to users
• Configuring mobile apps
• Securing corporate data in mobile apps
• Removing corporate data from mobile apps
• Updating mobile apps
• Reporting app inventory and usage
• All of the above with or without MDM
IT managed
• Information worker
• Shared
Employee managed
• Companion
• Primary
Foreign managed
• Contractor
• Public kiosk
CLOUD APP SECURITY
SaaS adoption challenge
73% of enterprises indicated security as a top challenge holding back SaaS adoption*
>80% of employees admit to using non-approved SaaS apps in their jobs**
* Cloud Security Alliance (CSA) survey, Cloud Adoption, Practices and Priorities Survey Report 2015
** http://www.computing.co.uk/ctg/news/2321750/more-than-80-per-cent-of-employees-use-non-approved-saas-apps-report
Shadow IT: How do I know what apps are used in my environment?
Access control: How do I ensure appropriate access to my cloud apps?
Visibility/reporting: How do I gain visibility into cloud apps and usage?
Data protection: How do I prevent data leakage?
Threat prevention: How do I know if my users have been breached?
Compliance: How do I address regulatory mandates?
Based on Adallom acquisition
Cloud-delivered service bringing visibility and control to cloud apps
Comprehensive and proven protection
Committed to supporting third-party cloud applications
No agents required on user devices for discovery
Comprehensive controls for your sanctioned apps
Enterprise-grade: simple to deploy and manage
Builds on broader Microsoft security platform
Deeply integrated with Office 365
Threat detection draws from Microsoft’s security intelligence
Discovery: Gain complete visibility and context for cloud usage and shadow IT—no agents required
Data control: Shape your cloud environment with granular controls and policy setting for access, data sharing, and DLP
Threat protection: Identify high-risk usage and security incidents, detect abnormal user behavior, and prevent threats
Integrate with existing security, mobility, and encryption solutions
Discovery
Shadow IT discovery
• Discover 13,000+ cloud apps in use—no agents required
• Identify all users, IP addresses, top apps, top users
Risk scoring
• Get an automated risk score driven by 60+ parameters
• See each app’s risk assessment based on its security mechanisms and compliance regulations
Ongoing analytics
• Ongoing risk detection, powerful reporting, and analytics on users, usage patterns, upload/download traffic, and transactions
• Ongoing anomaly detection for discovered apps
Data control
Policy definition
• Set granular-control security policies for your approved apps
• Use out-of-the-box policies or customize your own
DLP and data sharing
• Prevent data loss both inline and at rest
• Govern data in the cloud, such as files stored in cloud drives, attachments, or within cloud apps
• Use pre-defined templates or extend existing DLP policies
Policy enforcement
• Identify policy violations, investigate on a user, file, activity level
• Enforce actions such as quarantine and permissions removal
• Block sensitive transactions, limit sessions for unmanaged devices
Threat prevention
Behavioral analytics
• Identify anomalies in your cloud environment which may be indicative of a breach
• Leverage behavioral analytics (each user’s interaction with SaaS apps) to assess risk in each transaction
Attack detection
• Identify and stop known attack pattern activities originating from risky sources with threat prevention enhanced with vast Microsoft threat intelligence
• Coming soon: send any file through real-time behavioral malware analysis
Shadow IT
Sanctioned App Security
Visibility and control
Compliance and regulations
Integration with existing systems and workflows
Cloud security expertise
Cloud Discovery: Discover, Investigate, Alerts, Control
Cloud App Security portal demo / Mechanics video
Discovery
• Use traffic logs to discover and analyze which cloud apps are in use
• Manually or automatically upload log files for analysis from your firewalls and proxies
Sanctioning and un-sanctioning
• Sanction or block apps in your organization using the cloud app catalog
App connectors
• Leverage APIs provided by various cloud app providers
• Connect an app and extend protection by authorizing access to the app. Cloud App Security queries the app for activity logs and scans data, accounts, and cloud content
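To make the discovery mechanics concrete, here is an added example (not Cloud App Security's own parser or catalog) of what happens to an uploaded proxy log: each line is parsed, the destination host is matched against an app catalog, and usage is aggregated into the figures the Discovery slide lists (users, IP addresses, top apps, top users, upload/download traffic, transactions), with unsanctioned apps ranked by upload volume. The log format, the four-entry catalog, its risk scores and sanctioned flags, and the sample log lines are all constructed for this illustration.

```python
"""Shadow IT discovery from proxy traffic logs.

Added illustration of the discovery flow: parse proxy log lines, map hosts to
cloud apps via a catalog, aggregate usage. Log format, catalog, risk scores
and sample lines are constructed and are not Cloud App Security's own data.
"""
from collections import defaultdict
import re

# Constructed catalog: host suffix -> (app name, risk score 1-10, sanctioned)
APP_CATALOG = {
    "sharepoint.com": ("SharePoint Online", 9, True),
    "dropbox.com": ("Dropbox", 6, False),
    "wetransfer.com": ("WeTransfer", 4, False),
    "slack.com": ("Slack", 7, False),
}

# Constructed sample lines: timestamp user src_ip host bytes_sent bytes_received
SAMPLE_LOG = """\
2018-01-23T09:01:12Z alice 10.1.2.3 contoso.sharepoint.com 1200 540000
2018-01-23T09:02:40Z bob 10.1.2.7 www.dropbox.com 8200000 1500
2018-01-23T09:03:05Z alice 10.1.2.3 wetransfer.com 3100000 900
2018-01-23T09:04:19Z carol 10.1.2.9 app.slack.com 2400 16000
2018-01-23T09:05:33Z bob 10.1.2.7 www.dropbox.com 4100000 1200
2018-01-23T09:06:01Z dave 10.1.2.11 www.example.org 300 2000
this line is malformed and must be skipped
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\d+\.\d+\.\d+\.\d+) (\S+) (\d+) (\d+)$")


def lookup_app(host):
    """Match a host against the catalog by domain suffix; None if unknown."""
    for suffix, entry in APP_CATALOG.items():
        if host == suffix or host.endswith("." + suffix):
            return entry
    return None


def discover(log_text):
    """Aggregate per-app and per-user usage from proxy log text.

    Returns (apps, users, unknown_hosts). Lines that do not parse are
    skipped; hosts not in the catalog are collected in unknown_hosts."""
    apps = defaultdict(lambda: {"users": set(), "ips": set(), "upload": 0,
                                "download": 0, "transactions": 0})
    users = defaultdict(int)          # user -> total bytes to catalogued apps
    unknown_hosts = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _ts, user, ip, host, sent, recv = m.groups()
        entry = lookup_app(host)
        if entry is None:
            unknown_hosts.add(host)
            continue
        name, risk, sanctioned = entry
        rec = apps[name]
        rec["users"].add(user)
        rec["ips"].add(ip)
        rec["upload"] += int(sent)
        rec["download"] += int(recv)
        rec["transactions"] += 1
        rec["risk"], rec["sanctioned"] = risk, sanctioned
        users[user] += int(sent) + int(recv)
    return apps, users, unknown_hosts


def shadow_it_report(log_text):
    """Unsanctioned apps as (name, upload bytes, risk, users), largest upload first."""
    apps, _, _ = discover(log_text)
    rows = [(name, rec["upload"], rec["risk"], sorted(rec["users"]))
            for name, rec in apps.items() if not rec["sanctioned"]]
    rows.sort(key=lambda r: r[1], reverse=True)
    return rows


def top_users(log_text, n=3):
    """Users ranked by total bytes exchanged with catalogued cloud apps."""
    _, users, _ = discover(log_text)
    return sorted(users.items(), key=lambda kv: kv[1], reverse=True)[:n]


if __name__ == "__main__":
    for name, upload, risk, who in shadow_it_report(SAMPLE_LOG):
        print(f"{name:18s} risk={risk} upload={upload:>10} users={who}")
    print("top users:", top_users(SAMPLE_LOG))
```

Ranking unsanctioned apps by upload rather than by hit count is a deliberate choice: a single large upload to a file-sharing app is the shape of data loss, while many small requests to a chat app are routine. Hosts that match nothing in the catalog are kept separately so the list of unknowns can be reviewed rather than silently dropped.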
Diagram: cloud traffic from your organization (from any location) passes through firewalls and proxies; their cloud traffic logs feed Cloud discovery, while app connectors use the providers’ APIs to reach protected cloud apps, both within Cloud App Security.