Company confidential data travels with employees on the tram and trolleybus, on a beach holiday in Turkey, and into a competitor's office. We want the data to be available at the moment it is needed, yet still protected against misuse. New methods for managing devices, encrypting data and granting usage rights make data available to employees while at the same time protecting it against misuse.
Windows with Apple and/or Android is the norm
Sources: Forrester, Mary Meeker Internet Trends 2014
• 80% Windows PC + Android iPhone
• 20% Windows PC + iPhone
Mobility is the new normal
• 66% of employees use personal devices for work purposes.*
• 25% of employees that typically work on employer premises also frequently work away from their desks.***
• 33% of all software will be available on a SaaS delivery by 2020.**
*CEB The Future of Corporate ITL: 203-2017. 2013.
**Forrester Application Adoption Trends: The Rise Of SaaS
***CEB IT Impact Report: Five Key Findings on Driving Employee Productivity Q1 2014.
Introducing the Enterprise Mobility Suite
Windows Intune
• Mobile device settings management
• Mobile application management
• Selective wipe
Microsoft Azure Active Directory Premium
• Security reports and audit reports, multi-factor authentication
• Self-service password reset and group management
• Connection between Active Directory and Azure Active Directory
Microsoft Azure Rights Management service
• Information protection
• Connection to on-premises assets
• Bring your own key
Advanced Threat Analytics (ATA)
• Helps you identify threats using behavioral analysis and provides an actionable report on an attack timeline.
Enroll
• Provide a self-service Company Portal for users to enroll devices
• Deliver custom terms and conditions at enrollment
• Bulk enroll devices using Apple Configurator or service account
• Restrict access to Exchange email if a device is not enrolled
Provision
• Deploy certificates, email, VPN, and WiFi profiles
• Deploy device security policy settings
• Install mandatory apps
• Deploy app restriction policies
• Deploy data protection policies
Manage and Protect
• Restrict access to corporate resources if policies are violated (e.g., jailbroken device)
• Protect corporate data by restricting actions such as copy/cut/paste/save outside of the managed app ecosystem
• Report on device and app compliance
Retire
• Revoke access to corporate resources
• Perform selective wipe
• Audit lost and stolen devices
Maximize mobile productivity and protect corporate resources with Office mobile apps
• Extend these capabilities to existing line-of-business apps using the Intune app wrapper
• Enable secure viewing of content using the Managed Browser, PDF Viewer, AV Player, and Image Viewer apps
Managed apps vs. personal apps
Maximize productivity while preventing leakage of company data by restricting actions such as copy/cut/paste/save in your managed app ecosystem.
Selective wipe
Perform selective wipe via the self-service Company Portal or the admin console (confirmation prompt: "Are you sure you want to wipe corporate data and applications from the user's device?")
• Remove managed apps and data
• Keep personal apps and data intact
Key features
• Mobility support: witnesses all authentication and authorization to the organizational resources within the corporate perimeter or on mobile devices
• Integration to SIEM: works seamlessly with SIEM; provides options to forward security alerts to your SIEM or to send emails to specific people
• Seamless deployment: functions as an appliance, hardware or virtual; utilizes port mirroring to allow seamless deployment alongside AD; does not affect existing network topology
Digitization of data, products, and processes is driving incredible economic growth while giving us new ways to work. But it also increases risk from cybersecurity challenges and vulnerabilities.
• Greater multichannel integration adds significantly to the customer experience but introduces many more interfaces.
• Closer collaboration with business partners, customers, advisers, and other third parties can enrich everything from product development to recruiting, but can also result in more complex intertwined supply chains and flows of information.
Digitization also increases the value of an organization’s data assets. Within the banking sector, for instance, the use of big data and analytics may greatly increase a bank’s ability to target and serve high-value clients with specific cross-selling offers. The value of the data rises as customer information is aggregated and cross-referenced—allowing companies to track names, demographics, and purchase histories (with due regard for customer privacy)—but so does the attendant risk. A breach can expose the bank and its clients to severe financial and reputational harm.
The first step toward a happy and productive user is a single set of credentials that can be used across an existing on-premises directory and Azure Active Directory (WAAD).
Windows Server Active Directory can be easily connected to Windows Azure with the available identity sync engines and the optional use of Active Directory Federation Services (ADFS). One of the available tools for synchronization is DirSync, a downloadable component from Windows Azure. You can install it on a domain-joined Windows Server and quickly populate your existing users and groups into your Azure AD and keep it updated.
Besides synchronization, you have two options when it comes to authentication. You can either use ADFS or an option offered through DirSync: password hash sync (http://blogs.msdn.com/b/active_directory_team_blog/archive/2013/06/13/10423168.aspx). With password hash sync you don't have all the capabilities of actual federation, but it is easier to set up. (See the next slide for details.)
As already mentioned, FIM rights are granted with Azure AD Premium, and you can use FIM to sync other directories (OpenLDAP, databases, etc.) either to your on-premises AD and then up to Azure AD, or directly to Azure AD with the FIM Azure Connector.
In the next few months a new sync engine for Azure AD will be introduced: "Azure AD Sync". With this engine you won't need any other tool to synchronize any kind of on-premises identity repository to Azure AD.
From this point on, every application that is or will be connected to Azure AD can be accessed with a single set of credentials: the ones a user already uses today to log in to the on-premises Active Directory.
There are two methods with which we can accomplish synchronization between Windows Server Active Directory and Azure Active Directory.
The first method is the fastest one when it comes to deployment.
DirSync + Password Hash Sync. http://blogs.msdn.com/b/active_directory_team_blog/archive/2013/06/13/10423168.aspx
In this case you choose password hash sync as an option in DirSync (and in the future identity sync engines), and then a hash (of the original hash) of the user password is stored in Azure AD. From this point on, authentication takes place against Azure AD. Let's be clear that no plain text password is stored, just a double-hashed one.
The second method is to use identity sync engines to synchronize user and group attributes to the cloud, but to use ADFS for authentication, so that user authentication takes place against the on-premises Active Directory.
This method can be the only solution for those organizations with compliance issues when it comes to storing passwords in the cloud.
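To make the "hash of the original hash" idea concrete, here is an added illustrative model of password hash sync (not Microsoft's DirSync code, and not its real hashing parameters). It assumes the on-premises store keeps a one-way hash (modelled here as SHA-256 of the UTF-16LE password), that the sync engine only ever sees that hash, and that the cloud stores a per-user salted PBKDF2 digest of it.

```python
import hashlib
import hmac
import os

# Constructed parameters for the illustration; the real service uses its own.
ITERATIONS = 1000
SALT_LEN = 10


def onprem_hash(password: str) -> bytes:
    """Stand-in for the one-way hash the on-premises directory already stores.
    Assumption: SHA-256 over the UTF-16LE password; the real store differs."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def sync_record(stored_hash: bytes) -> dict:
    """What the sync engine uploads: a salted hash OF the stored hash.
    The plaintext password is never available to the sync engine."""
    salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac(
        "sha256", stored_hash.hex().encode("ascii"), salt, ITERATIONS
    )
    return {"salt": salt, "iterations": ITERATIONS, "digest": digest}


def cloud_verify(record: dict, password_attempt: str) -> bool:
    """Cloud-side sign-in: recompute both stages from the submitted password
    and compare in constant time. The cloud knows the on-prem hash function
    but holds neither the plaintext nor the first-stage hash."""
    first_stage = onprem_hash(password_attempt).hex().encode("ascii")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", first_stage, record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["digest"])
```

Two syncs of the same user yield different cloud records because the salt is fresh each time, so a leaked cloud digest cannot be compared across tenants or replayed as the on-premises hash.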
1200 SaaS apps are already in the application gallery and counting …
For the most up-to-date content of the application gallery see http://www.windowsazure.com/en-us/gallery/active-directory
Now that we have gathered identities and applications into one identity store, the next step is to find an efficient way to handle them and their interconnections. And there is one. The Azure Management portal contains a section specifically for Azure Active Directory administration. From there you can:
• create new users and groups and delete them, and sync users and groups from on-premises AD;
• manage user access to the service;
• view business-related attributes for every user;
• use the "device" tab to see which devices, platforms, browsers and IPs they are using (premium feature);
• configure directory synchronization parameters;
• add domains; and, most important,
• assign access to the applications that you have already added and connected in Azure Active Directory (using groups to assign access to SaaS apps is a feature of Azure AD Premium).
Those apps can be of any kind.
Whether custom LoB cloud-hosted apps or apps purchased from a vendor, these apps can be added from the portal (application gallery) and enabled for single sign-on. Single sign-on can be a challenging task for some applications. Azure Active Directory can make the life of an administrator easier by providing a number of popular preintegrated SaaS applications. In the previous slide we mentioned that we have chosen the most popular cloud applications, regardless of the public cloud they are hosted on, and we have preconfigured all the parameters needed to federate with them. Your cloud apps are ready when you are. Administrators simply open the Azure Management Console, navigate to Windows Azure AD, click the Applications link, choose to add a new application, pick from the application gallery the SaaS app their enterprise is using, and configure the level of interaction with it.
This level of interaction can differ mainly because SaaS apps use different standards for authentication and identity management. With a few SaaS applications, federated SSO can be configured, while with others only password SSO is possible (password vaulting).
However, the greatest level of interaction can be achieved with the most popular SaaS apps like Box, Salesforce, Concur and of course Office 365. These are the application gallery "Featured" apps. With those apps, single sign-on through federation or password sync is one thing, but you can also create (provision) users and groups in them directly from identities already in Azure Active Directory. The deletion (deprovisioning) of users and groups is possible too, with the same simple steps. In addition, if an application has different access levels, predefined roles can be assigned to users. (Group provisioning is a Premium feature.)
When a user is hired, administrators often need many steps to assign access to the right applications, and even more steps are needed when a user is decommissioned, to revoke all of their rights. This can be even more difficult for cloud-based applications and for users accessing them from everywhere with many different sets of credentials.
The user and group provisioning and deprovisioning to SaaS apps that Azure Active Directory offers can secure business processes by making sure, with a few simple steps, that a user can access only those applications needed to do their job and nothing more. When a new identity is created, after synchronization with the on-premises AD, the administrator can grant access, single sign-on and provisioning of the new user to a preintegrated SaaS app in a single procedure. And when a user or a whole group is decommissioned, the removal of that identity from Azure AD makes the enterprise cloud apps inaccessible from everywhere.
The rest of the SaaS apps in the application gallery, which do not have this high level of integration, can be configured for single sign-on once their internal user identities are manually created using the appropriate tools provided by the application owner.
As you have probably noticed, Azure Active Directory offers capabilities that do not exactly match those of the on-premises Active Directory. But we shouldn't expect those two versions of Active Directory to be exactly the same, since they have to face different challenges in different environments.
Group-based access assignment and provisioning is a feature of Azure Active Directory Premium
Multi-Factor Authentication offers the additional security you demand using the phones your users already carry. Multiple phone-based authentication methods are available, allowing users to choose the one that works best for them. And, support for multiple methods ensures additional authentication is always available.
Multi-Factor Authentication apps are available for Windows Phone, iOS phones and tablets, and Android devices. Users download the free app from the device store and activate it using a code provided during setup. When the user signs in, a notification is pushed to the app on their mobile device. The user taps to approve or deny the authentication request. Cell or Wi-Fi access is required. For offline authentication, the app works like a software token to generate a one-time passcode that is entered during sign-in. The one-time-passcode method is comparable to the software or soft token solutions offered by vendors like RSA and Gemalto.
Automated phone calls are placed by the Multi-Factor Authentication service to any phone, landline or mobile. The user simply answers the call and presses # on the phone keypad to complete their sign-in.
Text messages are sent by the Multi-Factor Authentication service to any mobile phone. The text message contains a one-time passcode. The user is prompted to either reply to the text message with the passcode or enter the passcode into the sign-in screen.