As companies strive to stay current in a world that prioritizes cloud and mobility, security and compliance take on a critical role.
Thus, as mobile work becomes an integral part of the business, employee devices and applications become the first line of defense against a host of increasingly advanced threats. These malicious attacks are a risk companies cannot afford, for both security and legal reasons: in addition to the serious problems associated with the leakage of confidential data, since the arrival of the GDPR companies face significant economic sanctions, as well as the inherent penalty imposed by their clients and the market.
To address these security challenges, Microsoft offers Enterprise Mobility + Security (hereafter EMS), an identity-based security platform designed to help companies manage and protect their corporate devices, applications, and data.
Specifically, EMS provides security capabilities through several lines of defense (the so-called "defense in depth" principle), so that the lines complement each other: if for any reason one is overcome by a threat, the next line may be the one that saves us from disaster.
EMS is made up of four protection areas that help you continue the digital transformation of your organization safely:
Identity and access management
Cloud applications, social networks and web portals are increasingly popular, and in our day-to-day we access them with different credentials (usernames) but often reuse the same password (to avoid having to remember so many). This habit in users' personal lives carries enormous risk. Why? First, the number of (known) data leaks from users of large social networks and consumer services in the last 12 months is extremely high ("Google Plus", "Facebook", "Movistar", "IESE", "Adidas", "Job Talent", "Ticketmaster", "myHeritage", among many others), so the security threat for companies is enormous: once cybercriminals have a personal username and password, they easily find out where that person works and then try the same password to access the sensitive information of the company, and in many cases they succeed. At the same time, cybercriminals also run massive campaigns of fake emails, asking our users (at their corporate or personal address) to sign in to some site in order to steal a password. And they get better at it every time.
To avoid the risk all this entails, it is necessary to protect the identity of our corporate users, and for this EMS includes Azure Active Directory Premium (AAD Premium), which helps guarantee that access to applications and data is granted only to people who really are who they say they are.
Additionally, it offers the ability to enforce smarter constraints through three key features:
"Conditional access": Before, companies could only ask for things like "users may only access from within the company!". Now they can ask "users may access from outside the company, but under conditions set as needed" (only from authorized corporate or personal devices, only from known locations, forcing the use of multi-factor authentication and/or preventing the extraction of information, among other requirements). By analogy, you can think of Azure AD conditional access as the security doorman of a building: he welcomes the good neighbors, challenges others to confirm their identity, denies entry to complete strangers, or perhaps lets them pass while letting us know they are going up and accompanying them.
"Identity Protection": Criminals attempt nearly 100 million fraudulent logins per day and we should know whether any of them affect us. To this end, the "Identity Protection" reports provide intelligence to detect and inform IT of suspicious logins, such as those that would imply a trip to a location that is unusual for the user or impossible given the time elapsed between one login and the next (detecting the intrusion by the probability that they are actually different people), or finding users' passwords for sale online. In addition, together with "Conditional Access", it gives us the power to allow users to connect only as long as there is no risk in their session (for example, if they connected from a computer with viruses or malware), or to let them connect only after changing their password when the system knows it has been stolen. By analogy, this benefit would be like a lookout that observes and reports relevant information about what is happening in the environment, so that you can act accordingly.
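The "impossible travel" check mentioned above, as an added example written for this article (it is not Azure AD Identity Protection's own logic): two consecutive sign-ins by the same user are compared, and if covering the great-circle distance between them in the elapsed time would require an implausible speed, the pair is flagged as probably two different people. The speed threshold, the field names and the sample sign-in records are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt
from typing import Dict, Iterable, List, Tuple

# Fastest plausible legitimate travel speed in km/h (commercial flight). Assumed value.
MAX_PLAUSIBLE_KMH = 900.0
EARTH_RADIUS_KM = 6371.0


@dataclass(frozen=True)
class SignIn:
    user: str
    when: datetime
    city: str
    lat: float
    lon: float


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two latitude/longitude points."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(sign_ins: Iterable[SignIn],
                      max_kmh: float = MAX_PLAUSIBLE_KMH) -> List[Tuple[str, str, str, float]]:
    """Compare each sign-in with the same user's previous one (in time order) and
    return (user, from_city, to_city, implied_kmh) whenever the implied speed
    exceeds max_kmh, i.e. the two sign-ins are unlikely to be the same person."""
    alerts: List[Tuple[str, str, str, float]] = []
    last: Dict[str, SignIn] = {}
    for s in sorted(sign_ins, key=lambda x: (x.user, x.when)):
        prev = last.get(s.user)
        if prev is not None:
            km = haversine_km(prev.lat, prev.lon, s.lat, s.lon)
            hours = (s.when - prev.when).total_seconds() / 3600.0
            if km > 0:
                # Same instant, different place: treat as infinitely fast.
                speed = km / hours if hours > 0 else float("inf")
                if speed > max_kmh:
                    alerts.append((s.user, prev.city, s.city, round(speed, 1)))
        last[s.user] = s
    return alerts


def _t(hhmm: str) -> datetime:
    return datetime.strptime(f"2019-03-04 {hhmm}", "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)


# Constructed sample sign-in records (not real telemetry).
SAMPLE_SIGN_INS = [
    SignIn("alice", _t("08:00"), "Madrid", 40.4168, -3.7038),
    SignIn("alice", _t("09:30"), "Tokyo", 35.6762, 139.6503),   # ~10,700 km in 90 minutes
    SignIn("bob", _t("08:00"), "Madrid", 40.4168, -3.7038),
    SignIn("bob", _t("13:00"), "Barcelona", 41.3874, 2.1686),   # ~500 km in 5 hours: plausible
]


def run_sample() -> List[Tuple[str, str, str, float]]:
    return impossible_travel(SAMPLE_SIGN_INS)


if __name__ == "__main__":
    for user, src, dst, kmh in run_sample():
        print(f"ALERT {user}: {src} -> {dst} would require {kmh} km/h")
```

Only alice's Madrid-to-Tokyo pair is reported; a real service would also feed the result into the sign-in risk level that conditional access consumes.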
"Privileged Identity Management": A compromised account is always a possibility, and the best way to reduce risk is to assume that a breach has happened or will happen. But if a compromised user account is a problem, when that user has administrative privileges the situation becomes catastrophic, so it is critical to minimize the chance that a compromised account ends up with uncontrolled administrative permissions. This tool lets us ensure that we have the minimum number of administrator users, granting administrative permissions just in time, when required, only temporarily and even automatically (under certain circumstances). By analogy, it would be like the smart card we are given to enter the hotel spa: once our stay is over, the card stops working.
Azure Active Directory Premium includes, among other features:
- Two-step authentication.
- Conditional access: real-time, risk-based control.
- Validation without a password (using the mobile phone).
- Identity protection (alerts on anomalous behavior, compromised credentials and vulnerabilities).
- Single sign-on for all applications (including non-Microsoft apps).
- Management of privileged identities (temporary administrator permissions enabled on demand for specific tasks).
If you want, see all the details of Azure Active Directory Premium.
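To make the conditional access decision described in this section concrete, here is an added example (written for this article, not Azure AD's implementation): a sign-in context carrying device compliance, network location, the sign-in risk level from identity protection and a leaked-credentials flag is matched against an ordered set of policies, and the strictest grant control among the matching policies wins. The policy names, the risk levels and the rule that payroll requires a compliant device are assumptions made for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, List, Tuple


class Risk(Enum):
    NONE = 0
    LOW = 1
    MEDIUM = 2
    HIGH = 3


class Grant(Enum):
    # Ordered from least to most restrictive; the strictest matching control wins.
    ALLOW = 0
    REQUIRE_MFA = 1
    REQUIRE_PASSWORD_CHANGE = 2
    BLOCK = 3


@dataclass(frozen=True)
class SignInContext:
    user: str
    app: str
    device_compliant: bool      # as reported by device management
    trusted_location: bool      # request came from a known corporate network
    sign_in_risk: Risk          # as computed by identity protection
    leaked_credentials: bool    # password known to be leaked or for sale
    mfa_completed: bool = False


@dataclass(frozen=True)
class Policy:
    name: str
    condition: Callable[[SignInContext], bool]
    grant: Grant


# Assumed policy set, modelled on the requirements listed in the text.
POLICIES: List[Policy] = [
    Policy("block-high-risk-sign-ins", lambda c: c.sign_in_risk == Risk.HIGH, Grant.BLOCK),
    Policy("reset-leaked-password", lambda c: c.leaked_credentials, Grant.REQUIRE_PASSWORD_CHANGE),
    Policy("mfa-outside-corporate-network", lambda c: not c.trusted_location, Grant.REQUIRE_MFA),
    Policy("mfa-on-medium-risk", lambda c: c.sign_in_risk == Risk.MEDIUM, Grant.REQUIRE_MFA),
    Policy("payroll-needs-compliant-device",
           lambda c: c.app == "payroll" and not c.device_compliant, Grant.BLOCK),
]


def evaluate(ctx: SignInContext, policies: List[Policy] = POLICIES) -> Tuple[Grant, List[str]]:
    """Return the final decision and the names of the policies that applied.
    Every applicable policy must be satisfied, so the strictest grant wins; an
    MFA requirement already satisfied in this session no longer restricts."""
    matched = [p for p in policies if p.condition(ctx)]
    decision = Grant.ALLOW
    for p in matched:
        grant = p.grant
        if grant is Grant.REQUIRE_MFA and ctx.mfa_completed:
            grant = Grant.ALLOW
        if grant.value > decision.value:
            decision = grant
    return decision, [p.name for p in matched]


if __name__ == "__main__":
    # Constructed sign-in contexts, one per interesting case.
    for ctx in [
        SignInContext("alice", "mail", True, True, Risk.NONE, False),
        SignInContext("bob", "mail", True, False, Risk.LOW, False),
        SignInContext("carol", "payroll", False, True, Risk.NONE, False),
        SignInContext("dave", "mail", True, True, Risk.NONE, True),
        SignInContext("eve", "mail", True, False, Risk.HIGH, True),
    ]:
        decision, names = evaluate(ctx)
        print(f"{ctx.user:6} {ctx.app:8} -> {decision.name:24} via {names}")
```

The "strictest wins" rule is what makes the policies composable: adding a block policy for a new risk signal can never loosen an existing decision.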
Information protection
Although we can ensure that the person who accesses our data is who they say they are, and that they do so from a secure device, the risk continues, because the user can share a document with an external person who may not be as well protected (or who may make inappropriate use of the information provided).
For this, EMS includes Azure Information Protection, a Microsoft cloud service that allows companies to protect their confidential data through encryption (whether on-premises or in the cloud), ensuring that, even if a document leaves the organization for an insecure environment, only authorized users can access it. In addition, we can define the actions that authorized persons may carry out, and the document (and its copies) remains under our control wherever it is, even if we no longer physically have access to it.
- Protection of data through encryption, authentication and use rights.
- Smart classification and automated labeling of data.
- See where documents are being opened from and by whom (wherever the document is).
- Helps comply with the GDPR by facilitating the detection and protection of personal data.
- Revoke access to all copies of a document (even if they are physically outside the organization).
Following the analogies, you can think of Azure Information Protection as the system that ensures that our briefcase, which contains highly sensitive documentation, turns to dust if it falls into the wrong hands.
See all the details of Azure Information Protection
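Why revoking access works on copies that have already left the organization is easier to see in code. The following is an added example written for this article, not Azure Information Protection's own implementation: the file carries only an identifier and ciphertext, while the content key, the per-user use rights, the audit trail and the revocation flag live in a central service that every open must go through. The stream cipher is a toy (SHA-256 in counter mode) standing in for a real authenticated cipher, and the document id, users and rights are constructed.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


def _keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: SHA-256(key || counter) blocks XORed with the data.
    Stand-in for the AEAD a production service would use; it is symmetric,
    so the same call encrypts and decrypts."""
    out = bytearray()
    for block_no, start in enumerate(range(0, len(data), 32)):
        ks = hashlib.sha256(key + block_no.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[start:start + 32], ks))
    return bytes(out)


@dataclass(frozen=True)
class ProtectedDocument:
    """What travels with the file: an identifier and ciphertext, never the key."""
    doc_id: str
    ciphertext: bytes


class ProtectionService:
    """Holds content keys and use rights; every open (of any copy) goes through it."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}
        self._rights: Dict[str, Dict[str, Set[str]]] = {}
        self._revoked: Set[str] = set()
        self.audit: List[Tuple[str, str, str, str]] = []   # (doc_id, user, right, outcome)

    def protect(self, doc_id: str, plaintext: bytes,
                rights: Dict[str, Set[str]]) -> ProtectedDocument:
        key = secrets.token_bytes(32)          # fresh per-document content key
        self._keys[doc_id] = key
        self._rights[doc_id] = {user: set(r) for user, r in rights.items()}
        return ProtectedDocument(doc_id, _keystream_xor(key, plaintext))

    def open(self, doc: ProtectedDocument, user: str, right: str) -> bytes:
        """Release the plaintext only if the document is not revoked and the user
        holds the requested right (e.g. VIEW, PRINT); log every attempt."""
        outcome = "denied"
        try:
            if doc.doc_id in self._revoked:
                raise PermissionError(f"{doc.doc_id}: access revoked for all copies")
            granted = self._rights.get(doc.doc_id, {}).get(user, set())
            if right not in granted:
                raise PermissionError(f"{user} lacks '{right}' on {doc.doc_id}")
            plaintext = _keystream_xor(self._keys[doc.doc_id], doc.ciphertext)
            outcome = "opened"
            return plaintext
        finally:
            self.audit.append((doc.doc_id, user, right, outcome))

    def revoke(self, doc_id: str) -> None:
        """The key is never handed out again, so every copy anywhere becomes unreadable."""
        self._revoked.add(doc_id)


def open_or_deny(service: ProtectionService, doc: ProtectedDocument,
                 user: str, right: str) -> Optional[bytes]:
    """Convenience wrapper: plaintext on success, None when the service denies."""
    try:
        return service.open(doc, user, right)
    except PermissionError:
        return None


if __name__ == "__main__":
    svc = ProtectionService()
    doc = svc.protect("contract-42", b"Confidential contract terms",
                      {"alice": {"VIEW"}, "bob": {"VIEW", "PRINT"}})
    leaked_copy = ProtectedDocument(doc.doc_id, doc.ciphertext)   # forwarded outside
    print(open_or_deny(svc, leaked_copy, "bob", "VIEW"))           # readable by bob
    svc.revoke("contract-42")
    print(open_or_deny(svc, leaked_copy, "bob", "VIEW"))           # None after revocation
    print(svc.audit)
```

Because the copy never contained the key, revocation and the "who opened what" view both come for free from the central service; a real deployment additionally caches licenses offline for a bounded time, which is the trade-off between usability and how quickly a revocation takes effect.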
Threat detection and prevention
EMS offers visibility into everything that happens to our data in the cloud (wherever it is), threat detection and attack prevention through three solutions: Microsoft Cloud App Security, Advanced Threat Analytics (ATA) and Azure Advanced Threat Protection (Azure ATP).
Microsoft Cloud App Security (MCAS)
What happens if an employee, correctly identified and authenticated, does something wrong with your data? What if that employee is no longer loyal, or is acting under duress? Or what if their computer is not properly protected and malware is reading data on their behalf? This is where Cloud App Security steps in.
Specifically, Cloud App Security gives IT departments visibility and control over the cloud applications used by users in your organization (both those allowed and those not allowed). On the one hand, you can restrict access to the applications you do not authorize; on the other, you can observe the activity users carry out with the data in the allowed applications, identifying suspicious activities and possible threats before they materialize. For example, Microsoft Cloud App Security may indicate that a certain user is downloading a large amount of information outside the company (and, if the situation is anomalous enough, it may sign them out), or you can prevent certain applications from being accessed from outside your organization or from unknown computers.
Apart from Office 365 and Azure, MCAS provides activity visibility for popular cloud applications such as Dropbox, G Suite, AWS, Salesforce and many more.
Microsoft Cloud App Security includes:
- Discovery of cloud applications for shadow IT control.
- Protection of information through data loss prevention (DLP) policies.
- Visibility of user activity in cloud applications.
- Application risk assessment.
Following the similes, Microsoft Cloud App Security is like the bodyguard that always accompanies a person so that they neither do nor suffer any harm.
Check here all the details of Microsoft Cloud App Security
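The "user downloading a large amount of information" alert described above, as an added example written for this article (not Microsoft Cloud App Security's own detection): a constructed CSV activity log is aggregated into per-user daily download volume, each user's own earlier days form the baseline, and a day that exceeds the baseline by a factor is reported. The log format, the factor and the minimum history length are assumptions.

```python
import csv
from collections import defaultdict
from io import StringIO
from statistics import mean
from typing import Dict, List, Tuple

MB = 1_000_000
# Assumed tuning: alert when a day's download volume exceeds FACTOR times the
# user's own baseline, evaluated once at least MIN_HISTORY_DAYS of history exist.
FACTOR = 5.0
MIN_HISTORY_DAYS = 3

# Constructed activity log (timestamp,user,action,app,object,bytes); not real data.
SAMPLE_LOG = """\
2019-03-04T09:12:00Z,alice,Download,SharePoint,q1-forecast.xlsx,40000000
2019-03-04T11:40:00Z,alice,View,SharePoint,minutes.docx,0
2019-03-05T10:02:00Z,alice,Download,SharePoint,customers.csv,60000000
2019-03-06T08:55:00Z,alice,Download,OneDrive,deck.pptx,50000000
2019-03-07T16:20:00Z,alice,Download,SharePoint,contract.pdf,45000000
2019-03-08T09:48:00Z,alice,Download,OneDrive,notes.docx,55000000
2019-03-09T02:13:00Z,alice,Download,SharePoint,all-customers.zip,1200000000
2019-03-09T02:31:00Z,alice,Download,OneDrive,finance-archive.zip,800000000
2019-03-04T09:00:00Z,bob,Download,SharePoint,a.xlsx,30000000
2019-03-05T09:00:00Z,bob,Download,SharePoint,b.xlsx,30000000
2019-03-06T09:00:00Z,bob,Download,SharePoint,c.xlsx,30000000
2019-03-07T09:00:00Z,bob,Download,SharePoint,d.xlsx,30000000
2019-03-08T09:00:00Z,bob,Download,SharePoint,e.xlsx,30000000
2019-03-09T09:00:00Z,bob,Download,SharePoint,f.xlsx,35000000
"""


def daily_download_mb(log_text: str) -> Dict[str, List[Tuple[str, float]]]:
    """Aggregate Download events into {user: [(day, megabytes), ...]} in date order."""
    totals: Dict[Tuple[str, str], int] = defaultdict(int)
    for row in csv.reader(StringIO(log_text)):
        if not row:
            continue
        timestamp, user, action, _app, _obj, size = row
        if action == "Download":
            totals[(user, timestamp[:10])] += int(size)
    per_user: Dict[str, List[Tuple[str, float]]] = defaultdict(list)
    for (user, day), total in sorted(totals.items()):
        per_user[user].append((day, total / MB))
    return dict(per_user)


def bulk_download_alerts(log_text: str, factor: float = FACTOR,
                         min_history: int = MIN_HISTORY_DAYS) -> List[Tuple[str, str, float, float]]:
    """Return (user, day, volume_mb, baseline_mb) for days that exceed the user's baseline."""
    alerts: List[Tuple[str, str, float, float]] = []
    for user, days in daily_download_mb(log_text).items():
        history: List[float] = []
        for day, volume in days:
            if len(history) >= min_history:
                baseline = mean(history)
                if volume > factor * baseline:
                    alerts.append((user, day, volume, baseline))
                    continue   # an anomalous day must not inflate the baseline
            history.append(volume)
    return alerts


if __name__ == "__main__":
    for user, day, volume, baseline in bulk_download_alerts(SAMPLE_LOG):
        print(f"ALERT {user} on {day}: {volume:.0f} MB downloaded, baseline {baseline:.0f} MB")
```

The per-user baseline is what keeps the rule useful: a data analyst who legitimately pulls gigabytes every day will not trip it, while a 40x jump at 2 a.m. for an ordinary user will.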
Advanced Threat Analytics and Azure Advanced Threat Protection
All the lines of defense described in this article provide very effective protection for your organization. However, user behavior (for example, falling for a phishing attack or reusing passwords on insecure websites), possible vulnerabilities in VPNs and server infrastructure (especially domain controllers, with their on-premises Active Directory) and other creative attacks by cybercriminals give them alternative ways into the "kitchen".
In those cases attackers move fast: once they obtain the credentials of any user (often through vulnerable VPNs or authentication not protected by multi-factor), they manage to grant themselves administrator privileges (with the help of log files, data residing in memory, unencrypted files and other mechanisms), and then they are inside and we cannot do anything (for a period of more than 140 days, on average, until they are discovered). What's more, because many companies still have on-premises infrastructure, when it comes to on-premises attacks the "network barriers / firewalls" that companies keep to stay theoretically safe actually prevent, for technical reasons, the smart cloud products (such as AAD Identity Protection, Azure AD Conditional Access and Cloud App Security) from being used to help keep the data physically hosted in your organization safe.
Your on-premises infrastructure represents the highest risk, so a quick response to these intrusions is the best strategy. Fortunately, Advanced Threat Analytics (ATA) and its cloud version, Azure Advanced Threat Protection (Azure ATP), help companies quickly detect an attempt to penetrate an on-premises infrastructure by analyzing advanced attacks, mainly on our domain controllers. The difference between the two products is that ATA (included in EMS E3) needs to be installed in the local infrastructure, requiring a server and enough storage for a lot of data, while Azure ATP (included in EMS E5) stores the data and operates entirely from the cloud, with no need for local infrastructure.
ATA and Azure ATP offer among other features:
- Detection of suspicious user and device activity based on company history, machine learning and threat intelligence.
- Monitoring of multiple company entry points through integration with Microsoft Defender ATP (Azure ATP only).
- Detection of lateral movement paths to accounts with administrator permissions.
- Future integration with AAD (Azure ATP only).
- Alerts with clear, real-time information about attacks on the company, to respond quickly.
In the end, ATA / Azure ATP is like the watchman hidden in our house, able to quickly alert us if an attacker has broken through a security barrier.
If you want to know more, you can check here the details of Azure Advanced Threat Protection
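The "lateral movement paths to accounts with administrator permissions" feature rests on a graph idea that is worth seeing in code. This is an added example written for this article, not ATA's or Azure ATP's own analysis: an account that administers a machine can reach every other account that has a logon session (credentials in memory, as the text puts it) on that machine, so a breadth-first search from an ordinary user over account -> machine -> account edges shows whether a sensitive account is exposed, and which machines create the exposure so it can be removed. The machine names, accounts, admin rights and sessions are a constructed snapshot.

```python
from collections import deque
from typing import Dict, List, Optional, Set, Tuple

# Constructed snapshot (not real directory data).
# Accounts holding local administrator rights on each machine.
ADMINS_ON: Dict[str, Set[str]] = {
    "WS-01": {"alice"},
    "WS-02": {"bob"},
    "SRV-FILE": {"helpdesk"},
    "DC-01": {"da-admin"},
}
# Accounts that currently have a logon session on each machine.
SESSIONS_ON: Dict[str, Set[str]] = {
    "WS-01": {"alice", "helpdesk"},
    "WS-02": {"bob"},
    "SRV-FILE": {"helpdesk", "da-admin"},
    "DC-01": {"da-admin"},
}


def reachable_accounts(account: str, admins_on: Dict[str, Set[str]],
                       sessions_on: Dict[str, Set[str]]) -> Dict[str, str]:
    """Accounts exposed to `account`: on every machine it administers, every other
    account with a session there. Returns {exposed_account: via_machine}."""
    exposed: Dict[str, str] = {}
    for machine, admins in admins_on.items():
        if account in admins:
            for other in sessions_on.get(machine, set()):
                if other != account and other not in exposed:
                    exposed[other] = machine
    return exposed


def lateral_movement_path(start: str, sensitive: Set[str],
                          admins_on: Dict[str, Set[str]] = ADMINS_ON,
                          sessions_on: Dict[str, Set[str]] = SESSIONS_ON) -> Optional[List[str]]:
    """Breadth-first search from `start`; returns the shortest path, alternating
    accounts and machines, to any sensitive account, or None if none is reachable."""
    if start in sensitive:
        return [start]
    parent: Dict[str, Optional[Tuple[str, str]]] = {start: None}   # account -> (previous account, machine)
    queue = deque([start])
    while queue:
        acct = queue.popleft()
        for nxt, via in reachable_accounts(acct, admins_on, sessions_on).items():
            if nxt in parent:
                continue
            parent[nxt] = (acct, via)
            if nxt in sensitive:
                path = [nxt]
                cur = nxt
                while parent[cur] is not None:
                    prev, machine = parent[cur]
                    path.extend([machine, prev])
                    cur = prev
                return list(reversed(path))
            queue.append(nxt)
    return None


def exposing_machines(sensitive: Set[str],
                      admins_on: Dict[str, Set[str]] = ADMINS_ON,
                      sessions_on: Dict[str, Set[str]] = SESSIONS_ON) -> Set[str]:
    """Machines where a sensitive account has a session while a non-sensitive account is
    an admin: clearing those sessions (or admin rights) cuts every path found above."""
    return {m for m, sessions in sessions_on.items()
            if (sessions & sensitive) and (admins_on.get(m, set()) - sensitive)}


if __name__ == "__main__":
    domain_admins = {"da-admin"}
    print(lateral_movement_path("alice", domain_admins))   # alice -> WS-01 -> helpdesk -> SRV-FILE -> da-admin
    print(lateral_movement_path("bob", domain_admins))     # None
    print(exposing_machines(domain_admins))                # {'SRV-FILE'}
```

The useful output for a defender is the last function: one privileged session on a file server is what turns an ordinary workstation compromise into a domain compromise, and it is far cheaper to remove that session than to chase the attacker after the fact.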
Protection in mobility
Although we may be sure that an identity has not been compromised and that the person accessing our data is who they say they are, there is always the possibility that a user downloads information to an insecure device (without encryption and/or without a PIN) or, worse still, to one that is already compromised.
For example, if a user synchronizes corporate email on a personal phone that has no PIN, anyone who picks up that phone has full access to the company mailbox. Or, if the user has downloaded a document with very sensitive content (contracts, a payroll spreadsheet, ...) to a personal device (laptop or phone) and it is lost or stolen, those documents fall into the wrong hands. What's more, many devices are currently used as an authentication factor, so leaving them unprotected, with malware capable of intercepting the user's credentials every time they connect to a service, is a great threat.
For all these reasons, since company and employee devices (mobile, tablet or laptop) are one of the points of access to corporate resources, managing these devices to ensure compliance with certain parameters (such as having a PIN, being encrypted, or being free of viruses or malware), keeping control in case of loss or theft, and deciding which applications can be used from them (and how and from where), is an essential part of the company's security strategy to avoid information leaks. All this is what EMS offers within Microsoft Intune.
Microsoft Intune includes among other features:
- Management of which applications can be used on mobile devices and how.
- Isolation of corporate data from personal data within the same application (and from other, non-company applications).
- Selective deletion of corporate data on lost or stolen mobile devices.
- Management of mobile devices (iOS, Android, macOS and Windows 10).
Using another analogy, you can think of Intune as guaranteeing the integrity of our briefcase and its lock, helping to protect what is inside.
Check here more details of Microsoft Intune
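The compliance parameters named in this section (PIN, encryption, no malware) and the selective wipe that keeps personal data untouched, as an added example written for this article and not Intune's own code: a device record is checked against a small rule set, producing the compliant/non-compliant verdict that a conditional access policy would consume, and a selective wipe removes only the data held in managed corporate apps. The minimum OS versions, the device records and the split between corporate and personal data are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Assumed minimum OS version per platform (illustrative policy values).
MIN_OS_VERSION = {"iOS": "12.0", "Android": "9.0", "macOS": "10.14", "Windows": "10.0"}


def _version(v: str) -> Tuple[int, ...]:
    """'10.14.3' -> (10, 14, 3) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))


@dataclass
class Device:
    name: str
    owner: str
    platform: str
    os_version: str
    pin_set: bool
    encrypted: bool
    malware_found: bool
    corporate_data: Dict[str, List[str]] = field(default_factory=dict)   # managed app -> files
    personal_data: Dict[str, List[str]] = field(default_factory=dict)    # user's own apps -> files


def evaluate_compliance(device: Device) -> Tuple[bool, List[str]]:
    """Apply the rules from the text (PIN, encryption, no malware) plus a minimum
    OS version; return (compliant, names of the rules that failed)."""
    failed: List[str] = []
    if not device.pin_set:
        failed.append("pin_required")
    if not device.encrypted:
        failed.append("encryption_required")
    if device.malware_found:
        failed.append("malware_free_required")
    minimum = MIN_OS_VERSION.get(device.platform)
    if minimum is None or _version(device.os_version) < _version(minimum):
        failed.append("min_os_version")
    return (not failed, failed)


def selective_wipe(device: Device) -> List[str]:
    """Remove corporate data only (lost, stolen or non-compliant device) and
    return what was removed; the user's personal data is left untouched."""
    removed = [f"{app}/{name}" for app, files in device.corporate_data.items() for name in files]
    device.corporate_data.clear()
    return removed


def sample_devices() -> List[Device]:
    """Constructed device records, not real inventory."""
    return [
        Device("iphone-alice", "alice", "iOS", "12.1", True, True, False,
               {"Outlook": ["mailbox.ost"]}, {"Photos": ["holiday.jpg"]}),
        Device("android-bob", "bob", "Android", "8.1", False, True, False,
               {"Outlook": ["mailbox"], "OneDrive": ["payroll.xlsx"]}, {"Photos": ["vacation.jpg"]}),
    ]


if __name__ == "__main__":
    for dev in sample_devices():
        compliant, failed = evaluate_compliance(dev)
        print(f"{dev.name}: {'compliant' if compliant else 'NON-compliant ' + str(failed)}")
        if not compliant:
            print("  wiped:", selective_wipe(dev), "| personal data kept:", dev.personal_data)
```

Returning the failed rule names, rather than a bare boolean, is what lets the user be told exactly what to fix (set a PIN, update the OS) before access is restored.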
How is EMS licensed?
This product has two versions:
- EMS E3: Includes Azure Active Directory Premium P1, Intune, Azure Information Protection P1, Advanced Threat Analytics and rights for Windows Server CAL.
- EMS E5: Includes Azure Active Directory Premium P2, Intune, Azure Information Protection P2, Microsoft Cloud App Security, Azure Advanced Threat Protection, and rights for Windows Server CAL.
Likewise, EMS is included in the following suites:
- MICROSOFT 365 E3: Includes EMS E3, Office 365 E3 and Windows 10 E3.
- MICROSOFT 365 E5: Includes EMS E5, Office 365 E5 and Windows 10 E5.
The stark truth is that the speed and sophistication of attacks keep increasing, and together with the risks derived from human error (in passwords or when sharing information), this gives the enemy multiple ways to access our data. Yes, the enemy is out there, or maybe already inside, so our recommendation is to follow a strategy that assumes we have been breached and that no single defense will be enough.
Do you want to know more about Enterprise Mobility + Security? Contact us!