Published by Ophelia Curtis. Modified over 6 years ago.
1
Securing Office 365 and Microsoft Azure like a rockstar (or like a groupie)
Jussi Roine, Chief Research Sulava @JussiRoine
4
Agenda and takeaways
The Big Picture
Security building blocks
External threats
Internal threats
How to protect Azure and Office 365
How to protect On-Premises services
Licenses
Super-exciting!
5
Jussi lives here
6
WTF!
7
Security Building blocks
It’s like LEGO but not really at all
8
Office 365: Core services
Azure AD
9
Office 365: All major services
Azure AD
10
Office 365: All major services with extensibility
Azure AD
11
Office 365: With major Azure-related services
Stream, Azure AD, MFA, OMS
13
Wait, what? Hold on! Do I have to learn and manage ALL this?
14
A traditional approach to embracing the cloud
This is the common, kind-of hybrid architecture model.
Diagram components: Office 365, On-premises, Microsoft Azure, Proxy, Site-to-Site VPN, ADFS, Azure AD Connect
15
The heart of security: Azure Active Directory
Identities, management and security
The core of each Azure subscription
You can have multiple AAD tenants within the same Azure subscription
Users, groups, licenses, permissions, apps, app proxies, domains.. all here!
Managed through Azure Portal, some tiny things are still only available in the Classic Portal
It’s important to understand the difference between AAD, AD and AAD Connect (and AAD DS)
16
Your mission
Protect the identities in the cloud – it is the new perimeter!
17
Azure Active Directory: Free, Basic, Premium
A few highlighted features of AAD and a comparison between licenses
Columns: Feature, AAD Free, AAD Basic, AAD Premium P1, AAD Premium P2
SSO support: 10 apps/user, No limit
Security reports: 3 (basic), Advanced
Self-Service password reset
Application Proxy
Multi-Factor Authentication
Connect Health
Cloud App Discovery
Privileged Identity Management
Identity Protection
Price: Free!, 0.84 €/user/month, 5.06 €/user/month, 7.59 €/user/month (cloud users) (cloud users)
18
Security building blocks in Azure
Infrastructure
  Network Security Groups (NSG)
  Site-to-Site VPN
  Point-to-Site VPN
  ExpressRoute
  Network Security Appliances
  Host-based & NextGen firewalls
Security
  Azure Active Directory
  Connect Health
  Identity Protection
  Privileged Identity Management
  OMS Security & Audit
  Multi-Factor Authentication
  Role-Based Access Control
  Key Vault
  Microsoft anti-malware
  Rights Management/Information Protection
  Cloud App Discovery
  Security Center
19
Analogy to cloud security
Rancilio Silvia
Best. Espresso. Ever.
(This is what I got)
Rancilio Silvia with the Rocky grinder and steel base
(This is what you should end up with)
Customized Rancilio Silvia
(This is what you think you need)
20
Protecting against external threats
Authentication with social security numbers
21
Securing authentication for users with Multi-Factor Authentication
Strong and secure authentication for on-premises, hybrid & the cloud
Enforces security beyond username and password
User must possess something – typically a mobile device
Strong authentication occurs over text message, pin, fingerprint, mobile app approval or voice call
Users must enroll through
Available as Office 365 MFA, Azure MFA for Admins and Azure MFA
Certain non-browser apps do not support MFA -- users have to provision separate App Passwords (one or more) through the MyApps portal
This tends to be challenging for non-technical users
Multi-Factor Authentication for on-premises with Azure MFA Server
Enables easy securing of VPNs, IIS web apps & Remote Desktop
Maybe not the most logical to set up..
Supports RADIUS so fairly easy to integrate with legacy systems ;-)
22
Baseline your security in Office 365 with Secure Score
Automated scan of your Office 365 subscription settings and general security
A free service at
After initial scoring you can select a new baseline
Provides a list of actions for things to fix, in order to achieve a new baseline
Max score is 432
Office 365 average is 29
I have 71!
You get to 111 just by enabling MFA for global admins
23
A dashboard for Azure security with Security Center
Provides an overview on security for cloud resources
A simple way to view what’s secured and what’s not in Azure
Includes behavioral analytics and incident reporting
Standard license gives advanced threat detection & intelligence
24
Securing and monitoring Azure AD Connect, ADFS and on-premises AD configuration with Azure AD Connect Health
Agent-based service to monitor your AD domain controllers and ADFS infrastructure
Monitors your AD FS, AD FS Proxy, AAD Domain Services and AAD Connect status
Can alert you when things break down – useful for many directory-related services, and especially for Azure AD Connect issues
Deploying is easy:
  Install agents for AD FS, AAD Connect and AD DS servers
  Verify configuration on AAD CH blade in Azure Portal
Somewhat sadly this feature requires AAD Premium license – all users must be licensed in the scope of AAD CH
25
Safeguarding for users who log in from weird countries with Azure AD Identity Protection
Monitoring for risk events, vulnerabilities and automatic policy changes
Watchdog for user sign-ins, can associate individual logins with risk factors
Automatically flags suspicious events, such as users who perform impossible travel times (typically with VPN connectivity)
Enforces additional policies based on low/high risk factors
  Enforce MFA for the duration of the login
  Enforce self-service password reset (which subsequently enforces MFA)
Weekly digest of findings and things to lose your sleep over
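An added illustration, not from the slides and not Microsoft's detection logic: a minimal impossible-travel check over sign-in records, with flagged events mapped to the two policy actions named above. The record layout, the 900 km/h threshold, the 50 km same-area cutoff and the low/high-to-action mapping are assumptions, and the sign-in records are constructed.

```python
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

MAX_PLAUSIBLE_KMH = 900.0  # assumption: roughly airliner cruise speed

# Constructed sign-in records (user, UTC time, latitude, longitude); not real data.
SIGNINS = [
    ("alice", "2017-10-02T08:00:00", 60.17, 24.94),   # Helsinki
    ("alice", "2017-10-02T09:00:00", 1.35, 103.82),   # Singapore, 1 h later
    ("bob",   "2017-10-02T08:00:00", 60.17, 24.94),   # Helsinki
    ("bob",   "2017-10-02T12:00:00", 59.33, 18.07),   # Stockholm, 4 h later
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def classify(prev, cur):
    """Return (risk, action) for a sign-in given the user's previous one."""
    hours = (cur[1] - prev[1]).total_seconds() / 3600
    dist = haversine_km(prev[2], prev[3], cur[2], cur[3])
    if dist < 50:  # assumption: same metro area, nothing to flag
        return "none", "allow"
    if hours <= 0 or dist / hours > 2 * MAX_PLAUSIBLE_KMH:
        return "high", "require_password_reset"
    if dist / hours > MAX_PLAUSIBLE_KMH:
        return "low", "require_mfa"
    return "none", "allow"

def evaluate(signins):
    """Walk sign-ins in time order per user; return flagged events."""
    last, findings = {}, []
    rows = sorted((u, datetime.fromisoformat(t), la, lo) for u, t, la, lo in signins)
    for row in rows:
        prev = last.get(row[0])
        if prev is not None:
            risk, action = classify(prev, row)
            if risk != "none":
                findings.append((row[0], risk, action))
        last[row[0]] = row
    return findings

if __name__ == "__main__":
    for finding in evaluate(SIGNINS):
        print(finding)
```

A sign-in pair flagged this way is often a user switching VPN exit points, which is why the response here is a step-up challenge rather than a block.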
26
Getting rid of static admin roles with Azure AD Privileged Identity Management (PIM)
“Just-in-time” administration privileges for users on request
Instead of granting permanent admin privileges, PIM allows ad-hoc & just-in-time admin roles
Users can request new privileges for a predefined duration
Scans for fixed admin roles and changes them to temporary roles
  Admin roles become non-permanent
  Duration can be set from 1 hour to 72 hours
  Can enforce MFA during role grant
In preview: Approval workflows for new privilege requests
Central view & management for all admin roles throughout Azure and Office 365
27
Tracking botnet and brute force attacks
Operations Management Suite (OMS) is the Swiss Army knife you need
OMS provides System Center-like capabilities in the cloud
Capable of tracking hybrid deployments, including Office 365 and Azure
Gathers logs (also custom ones), configuration data, update status, availability, backup info and even Surface Hub data
28
Protecting from external threats with Office 365
Threat Intelligence uses evidence-based knowledge on threats
Provides a 360° view on external threats against users
Insights and analysis based on evidence, act accordingly
Allows for custom policies and reactions
29
Publishing internal services securely
Azure AD Application Proxy provides a one-way HTTPS tunnel to on-premises
Enforce authentication at Azure AD, before allowing access to internal resources
Configuration is simple, and supports high availability deployments
Internal services do not require changes
Dual authentication is also supported: first on Azure AD, then on-premises against local AD/service
31
Protecting against internal threats
Trust no one
32
Discover activity and incidents in Office 365
Securing Edge network & cloud app usage with Cloud App Security (used to be Advanced Security Management)
Similar to OMS, but directly aimed at Office 365 workloads
Records all activities of users, including external users
Supports on-premises edge router log analysis
33
Monitoring what admins and developers are doing with Azure resources
Azure Monitor provides monitoring throughout tenants and resource groups
Query against Azure backends to see operations against services
Connect with
  Log Analytics (for further analysis)
  Power BI (for reports)
  Application Insights (for wisdom)
34
Finding Shadow IT within the organization with Cloud App Discovery
Discover unmanaged (and managed) cloud apps in use
Works by dropping an agent on workstations
Consent can be requested; or just install silently..
Discover apps, amount of data transferred and who uses what
Based on reports, act accordingly
35
Active Directory surveillance & analysis with Advanced Threat Analytics (ATA)
Aggressive auditing and analytics for on-premises Active Directory requests
Captures all authentication traffic to-and-from Domain Controllers
Uses Machine Learning to identify issues and unauthorized usage
Fully automatic, install & forget! Almost like SharePoint ;-)
Can connect with OMS to provide hybrid reporting in the cloud
36
Compliance Manager
A new service in Office 365
Coming in November
Centralized compliance view to GDPR, ISO certifications and other frameworks
Sign up for preview
37
Customer Key
Announced at Ignite 2017 last week
Use customer-managed encryption keys
Includes protection if you lose your keys
Uses Azure Key Vault to hold keys – can be HSM (Hardware Security Module) backed
38
Don’t worry, security will keep you busy
43
Licenses
It depends.
44
Enterprise Mobility + Security (EMS)
Used to be known as Enterprise Mobility Suite
A bundled collection of licenses for Azure-based services
Available as E3 and E5
(Source: Microsoft)
45
Security-related services and licenses
No extra license needed Active Directory Advanced Threat Analytics Azure MFA Server EMS E3 EMS E5 Additional licensing Advanced Security Management Threat Intelligence Secure Score Intune Azure MFA for Admins Azure AD Security Center Identity Protection Privileged Identity Management Information Protection Next-Gen Firewalls Azure AD Premium Operations Management Suite Connect Health Cloud App Discovery Azure MFA Network Security Groups
46
Enterprise Mobility + Security
What about Microsoft 365?
Microsoft 365 Enterprise Office 365 Enterprise Windows 10 Enterprise Enterprise Mobility + Security E5 E3 Windows 10 Pro Microsoft 365 Business Intune Office 365 for Business 1 300
47
Recommendations & recap
Follow current practices and patterns:
Deploy the free services
Go for AAD Premium
Azure Security Center
Office 365 Secure Score
Azure MFA for Admins
OMS Security (AAD+O365)
Either with EM+S or separately
Deploy ATA
Enable PIM and Identity Protection
Get the book!
Get the guidance!
48
@JussiRoine