Microsoft Enterprise Mobility + Security (EMS)

Slide 1

Microsoft Enterprise Mobility + Security (EMS)

Microsoft Enterprise Mobility + Security (EMS)

As companies strive to keep up in a world where cloud and mobility are prioritized, security and compliance take on a vital position.

Therefore, as mobile work becomes an integral part of the business, employee devices and applications become the first line of defense against a host of increasingly advanced threats. In fact, these malicious attacks are an unacceptable risk for companies both for security and legality reasons, since, in addition to the serious problems associated with the leakage of confidential data, after the arrival of the GDPR, companies face considerable economic sanctions and the inherent penalty on the part of its clients and the market.

To address these security challenges, Microsoft offers us Enterprise Mobility + Security (hereinafter EMS), an identity-based security platform designed to help companies manage and protect their corporate devices, applications and data.

Specifically, EMS offers companies security capabilities through different lines of defense (the so-called ” defense in depth ” principle), so that all lines complement each other (and if for any reason one is overcome by a threat, the next line may be the one that avoids disaster for us).

EMS is made up of 4 protection areas that will help you to continue with the digital transformation of your organization, safely:

Identity and access management

With the growing popularity of cloud applications, social networks and web portals, which we use in our day to day accessing with different credentials (user) but often, reusing the same password (avoiding having to remember so many). This way of acting of the users in their personal life carries a huge risk. Why? To begin with, the number of (known) leaks of data from users of large social networks and consumer services in the last 12 months are extremely high (“Facebook”, “Movistar”, “IESE”, “Adidas” , “Job Talent”, “Ticketmaster” among many others), so the security threat For companies it is enormous since cybercriminals, once they have a personal username and password, easily find out where that person works and then try with the same password to access the sensitive information of the companies where they work, succeeding in many cases. At the same time, cybercriminals also use massive campaigns to send fake emails asking our users (to their corporate or personal email) to enter any site in order to steal a password. And every time they do it better.

To avoid the risk that all this entails, it is necessary to protect the identity of our corporate users and for this EMS includes Azure Active Directory Premium (AAD Premium), which helps guarantee access to applications and data only to people who really are who they claim to be.

In addition, it offers us the ability to apply smarter restrictions through three key features:

” Conditional access “: Before, companies could only ask for things like: “That users can only access from within the company!”, But now … they can ask us: “That users can access from outside the company, but establishing conditions as needed “(only from authorized corporate or personal devices, only from known locations, forcing the use of multi-factor and / or preventing the extraction of information, among other requirements). Doing a simile, you can think of Azure AD conditional access as the security doorman of a building Well, he welcomes good neighbors while challenging others to confirm his identity and deny entry to completely strangers, or … perhaps he will let them pass, telling us that he is coming up and accompanying him.

” Identity Protection “: Criminals try almost 100 million fraudulent logins a day and we should know if any of them impact us. For this, the “Identity Protection” reports offer us intelligence to detect and inform IT of suspicious logins such as those that would imply a trip to a strange place to date or impossible due to the time between a login and another (detecting the intrusion by the probability that they may actually be different people) or locating user passwords for sale online. Also, next to ” Conditional Access“, offers us the power to allow users to connect as long as there is no risk in their session (for example, if they did it from a computer with viruses or malware) or only letting them connect if they change their password when the system know that it has been stolen. Making a simile, this feature would be like a lookout who observes and provides relevant information about what is happening in the environment, so that you can act accordingly.

” Managing privileged identities “: Compromising an account is always a possibility and the best way to reduce risk is to assume that there has been or will be a breach. But, if a compromised user account is a problem, if the user has administrative privileges the situation becomes catastrophic., so it is critical to minimize the possibility that a compromised account will end up with uncontrolled administrative permissions. This tool precisely offers us to ensure that we have the minimum number of administrator users, being able to offer administrative permissions from time to time, when required, only temporarily and even automatically (under certain circumstances). Making a simile, it would be like when a smart card is given to enter the hotel’s Spa, but once our stay is over, the card stops working.

Features Summary:

· Two-step authentication.	· Conditional access: Real-time, risk-based control
· Validation without password (using mobile).	· Identity protection (alerts of anomalous behavior, compromised credentials and vulnerabilities).
· Single sign-on for all apps (even non-Microsoft apps).	· Privileged identity management (Enable temporary administrator permissions on demand for specific tasks).

Information protection

Although we are able to ensure that the person accessing our data is who they say they are and also that they do so from a secure device, the risk continues because the user may share a document with someone external who may not be so well protected (or potentially may make inappropriate use of the information provided).

For this, EMS includes Azure Information Protection, a Microsoft cloud service that allows companies to protect their confidential data through encryption (whether local or in the cloud), ensuring that, even if the document leaves the organization to a non-environment secure, only authorized users will be able to access it. In addition, we will be able to define the actions that authorized persons may carry out and continue to have the document (and its copies), always under our control, wherever it is, even if we do not physically have access to it.

Features Summary:

· Data protection through encryption, authentication and rights of use.	· Intelligent classification and automated labeling of data.
· View where documents are being opened from and by whom (wherever the document is).	· Helps to comply with the GDPR by facilitating the detection and protection of personal data.
· Revoke access to all copies of a document (even if they are physically outside the organization).

Smart security

EMS offers visibility into everything that happens with our data in the cloud (wherever it is), threat detection and attack prevention through solutions: Microsoft Cloud App Security , Advanced Threat Analytics (ATA) and Azure Advanced Threat Protection ( Azure ATP).

Microsoft Cloud App Security (MCAS)

What happens if an employee, correctly identified and authenticated, does something wrong with your data? What’s more … What if that employee is no longer loyal or acts under duress? or .. What if your computer was not properly protected and a malware was reading data on your behalf? This is where Cloud App Security would step in.

Specifically, Cloud App Security provides IT departments with visibility and control over the applications in the cloud used by the users of your organization (those allowed and … those not allowed). In this way, on the one hand, you can restrict access to those that you do not authorize and, on the other, you can observe the activity carried out by users with the data of the allowed applications, identifying suspicious activities and possible threats before they become reality. For example, Microsoft Cloud App Security may indicate that there is a certain user who is downloading a large amount of information outside the company (even if the situation is too abnormal, it may close the session), or you can limit that it is not possible to access depending on which applications from outside your organization or from unknown computers.

MCAS, apart from Office 365 and Azure, provides activity visibility for popular cloud applications such as Dropbox, G Suite, AWS, Salesforce, and many more.

Microsoft Cloud App Security includes:

· Cloud application discovery for ShadowIT control	· Information protection through data loss prevention (DLP) policies
· Visibility of user activity in cloud applications.	· Application risk assessment.

Mobility protection

Although we are sure that an identity has not been compromised and that the person accessing our data is who they claim to be, there is always the possibility that a user will download information on an insecure device (without encryption and / or without a pin) or worse. still, already engaged.

For example, if a user is syncing corporate email on their personal phone and it doesn’t have a PIN, anyone who picks up that phone will have full access to the company’s mailbox. Or, if the user has downloaded a document with very sensitive content (contracts, payroll excel, …) on their personal device and laptop (or phone), it is lost or stolen, those documents will fall into the wrong hands. What’s more, currently many devices are used as a security validation factor, so having them unprotected and with malware that is capable of intercepting the user’s credentials every time they connect to a service is a great threat.

For all these reasons, as one of the access points to corporate resources is through both company and employee devices (mobile phones, tablets or laptops), the management of said devices to ensure compliance with certain parameters ( as they have a pin, are encrypted or do not have viruses or malware), maintaining control in case of loss or theft together with the ability to decide the applications that can be used from them (and how and from where), is an essential part of the company’s security strategy to prevent information leaks. All of this is what EMS offers us within Microsoft Intune.

Microsoft Intune includes among other features:

· Administration of which applications and how they can be used on mobile devices.	· Isolation of corporate data and personal data within the same application (Both in the same application and in other non-company applications)
· Selective erasure of corporate data on lost or stolen mobile devices.	· Management of mobile devices (iOS, Android, MacOS and W10).

Using another analogy, you might think that Intune guarantees the integrity of our briefcase and its lock, helping to protect the security of what is inside.

How is EMS licensed?

This product has two versions:

EMS E3:Includes Azure Active Directory Premium P1, Intune, Azure Information Protection P1, Advanced Threat Analytics, and entitlements for Windows Server CAL.
EMS E5: Includes Azure Active Directory Premium P2, Intune, Azure Information Protection P2, Microsoft Cloud App Security, Azure Advanced Threat Protection, and entitlements for Windows Server CAL.

Likewise, EMS is included in the following suites:

MICROSOFT 365 E3:Includes EMS E3, Office 365 E3 and Windows 10 E3.
MICROSOFT 365 E5:Includes EMS E5, Office 365 E5 and Windows 10 E5.

Conclusions

The harsh truth is that the speed and sophistication of attacks is increasing and together with the risks derived from human errors (in passwords or sharing information), it provides the enemy with multiple ways to access our data. Yes, the enemy is out there or … maybe already inside, so our recommendation is to follow a strategy that assumes that we have a breach and think that no defense will suffice.