
I1 - Securing Office 365 and Microsoft Azure like a rockstar (or like a groupie) - Jussi Roine

Securing and maintaining a trustworthy Office 365 and Microsoft Azure deployment is not an easy task. In this session we'll take a look into how you can secure and control your cloud-based servers and services, data and users using Azure Active Directory, Azure Security Center, Privileged Identity Management and Advanced Security Management. In addition we’ll also take a look at how Operations Management Suite and Microsoft Advanced Threat Analytics can be used to provide better overall security for on-premises and hybrid deployments.


  1. Securing Office 365 and Microsoft Azure like a rockstar (or like a groupie). Jussi Roine, 14 October 2017, #SPSParis, @JussiRoine
  2. Thank you for your support
  3. France / Finland
  4. Agenda and takeaways
     - Security building blocks
     - External threats
     - Internal threats
     - Licenses
     - The big picture: how to protect Azure and Office 365, and how to protect on-premises services
     - Super-exciting!
  5. Security building blocks: it's like LEGO, but not really at all
  6. Office 365: core services (built on Azure AD)
  7. Office 365: all major services (built on Azure AD)
  8. Office 365: all major services with extensibility (built on Azure AD)
  9. Office 365: with the major Azure-related services (MFA, Stream, OMS, Azure AD)
  10. Wait, what? Hold on! Do I have to learn and manage ALL this?
  11. A traditional approach to embracing the cloud. This is the common, kind-of hybrid architecture model: Microsoft Azure and Office 365 on one side, on-premises on the other, connected through a site-to-site VPN, Azure AD Connect and an ADFS proxy.
  12. The heart of security: Azure Active Directory (identities, management and security)
     - The core of every Azure subscription: each subscription trusts exactly one Azure AD tenant, and one tenant can be associated with many subscriptions
     - Users, groups, licenses, permissions, apps, app proxies, domains... all live here
     - Managed through the Azure Portal; a few small things are still only available in the Classic Portal
     - It is important to understand the difference between Azure AD, on-premises AD, Azure AD Connect (and Azure AD Domain Services)
  13. Your mission: protect the identities in the cloud. Identity is the new perimeter!
  14. Azure Active Directory: Free, Basic, Premium. A few highlighted features of Azure AD and a comparison between licenses:

     Feature            AAD Free       AAD Basic           AAD Premium P1      AAD Premium P2
     SSO support        10 apps/user   10 apps/user        No limit            No limit
     Security reports   3 (basic)      3 (basic)           Advanced            Advanced
     Price              Free!          0.84 €/user/month   5.06 €/user/month   7.59 €/user/month

     Also compared on the slide: self-service password reset (cloud users), Application Proxy, Multi-Factor Authentication, Connect Health, Cloud App Discovery, Privileged Identity Management, Identity Protection.
  15. Security building blocks in Azure
     - Security: Role-Based Access Control, Key Vault, Microsoft anti-malware, Rights Management / Information Protection, Cloud App Discovery, Security Center
     - Infrastructure: Network Security Groups (NSG), site-to-site VPN, point-to-site VPN, ExpressRoute, network security appliances, host-based and next-gen firewalls
     - Azure Active Directory: Connect Health, Identity Protection, Privileged Identity Management, OMS Security & Audit, Multi-Factor Authentication
  16. Analogy to cloud security: a Rancilio Silvia (best espresso ever), a customized Rancilio Silvia, and a Rancilio Silvia with the Rocky grinder and steel base
  17. Protecting against external threats ("authentication with social security numbers")
  18. Securing authentication for users with Multi-Factor Authentication: strong and secure authentication for on-premises, hybrid and the cloud
     - Enforces security beyond username and password
     - The user must possess something, typically a mobile device
     - Strong authentication occurs over text message, PIN, fingerprint, mobile app approval or voice call
     - Users must enroll first
     - Available as Office 365 MFA, Azure MFA for Admins and Azure MFA
     - Certain non-browser (legacy) apps do not support MFA; users have to provision one or more separate App Passwords through the MyApps portal, which tends to be challenging for non-technical users
     Multi-Factor Authentication for on-premises with Azure MFA Server:
     - Enables easy securing of VPNs, IIS web apps and Remote Desktop
     - Maybe not the most logical thing to set up..
     - Supports RADIUS, so fairly easy to integrate with legacy systems ;-)
  19. Baseline your security in Office 365 with Secure Score: an automated scan of your Office 365 subscription settings and general security
     - Free service
     - After the initial scoring you can select a new baseline
     - Provides a list of actions to fix in order to reach the new baseline
     - Max score is 432..452
     - Office 365 average is 29
     - I have 71!
     - You get to >100 just by enabling MFA for global admins
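The MFA slide and the Secure Score slide above both come down to one concrete action: make sure every global admin has MFA. The script below is an added example written for this page, not code from the talk or from Microsoft. It assumes the MSOnline PowerShell module of the time (`Connect-MsolService` already run) and an account allowed to change user MFA settings; `Set-UserMfaState` and `Get-AdminsWithoutMfa` are helper names chosen here.

```powershell
# Added example (not from the talk). Assumes the MSOnline module and an
# authenticated session (Connect-MsolService). Function names are this
# example's own.

function Set-UserMfaState {
    <#
      Sets the per-user MFA state. 'Enabled' makes the user register a second
      factor at next sign-in; 'Enforced' additionally forces legacy (non-MFA-aware)
      clients onto App Passwords; 'Disabled' removes the requirement.
    #>
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [ValidateSet('Enabled', 'Enforced', 'Disabled')][string]$State = 'Enabled'
    )
    if ($State -eq 'Disabled') {
        Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @()
        return
    }
    $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $req.RelyingParty = '*'        # apply to every relying party, not just one app
    $req.State = $State
    Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @($req)
}

function Get-AdminsWithoutMfa {
    # Global Administrator is called 'Company Administrator' in MSOnline.
    # Returns the user members of that role with no MFA requirement at all.
    $role = Get-MsolRole -RoleName 'Company Administrator'
    Get-MsolRoleMember -RoleObjectId $role.ObjectId -All |
        Where-Object { $_.RoleMemberType -eq 'User' } |
        ForEach-Object { Get-MsolUser -UserPrincipalName $_.EmailAddress } |
        Where-Object { -not $_.StrongAuthenticationRequirements }
}

# Report first, then close the gap: enable MFA for every global admin lacking it.
$unprotected = Get-AdminsWithoutMfa
$unprotected | Select-Object UserPrincipalName, DisplayName | Format-Table -AutoSize
foreach ($admin in $unprotected) {
    Set-UserMfaState -UserPrincipalName $admin.UserPrincipalName -State 'Enabled'
}
```

Two practical caveats: 'Enabled' only prompts for registration at the next interactive sign-in, so a service-style admin account that never signs in interactively stays unprotected until you move it to 'Enforced' or retire it; and a dedicated emergency-access ("break glass") account is usually kept out of this loop and protected another way so that an MFA provider outage cannot lock every admin out.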
  20. A dashboard for Azure security with Security Center: provides an overview of security for cloud resources
     - A simple way to view what is secured and what is not in Azure
     - Includes behavioral analytics and incident reporting
     - The Standard tier adds advanced threat detection and threat intelligence
  21. Securing and monitoring Azure AD Connect, AD FS and on-premises AD configuration with Azure AD Connect Health: an agent-based service to monitor your AD domain controllers and AD FS infrastructure
     - Monitors your AD FS, AD FS Proxy, on-premises AD DS and Azure AD Connect status
     - Can alert you when things break down; useful for many directory-related services, and especially for Azure AD Connect sync issues
     - Deploying is easy: install the agents on the AD FS, Azure AD Connect and AD DS servers, then verify the configuration on the Azure AD Connect Health blade in the Azure Portal
     - Somewhat sadly this feature requires an Azure AD Premium license; all users in the scope of Connect Health must be licensed
  22. Safeguarding users who log in from weird countries with Azure AD Identity Protection: monitoring for risk events and vulnerabilities, with automatic policy actions
     - Watchdog for user sign-ins; can associate individual logins with risk factors
     - Automatically flags suspicious events, such as impossible travel between sign-ins (often caused by VPN connectivity)
     - Enforces additional policies based on low/high risk
     - Enforce MFA for the duration of the login
     - Enforce self-service password reset (which in turn enforces MFA)
     - Weekly email digest of findings and things to lose your sleep over
  23. Getting rid of static admin roles with Azure AD Privileged Identity Management (PIM): "just-in-time" administration privileges for users on request
     - Instead of granting permanent admin privileges, PIM allows ad-hoc, just-in-time admin roles
     - Users can request privileges for a predefined duration
     - Scans for permanent admin roles and converts them to eligible (temporary) roles
     - Admin roles become non-permanent; activation duration can be set from 1 hour to 72 hours
     - Can enforce MFA at activation time
     - In preview: approval workflows for new privilege requests
     - Central view and management of all admin roles throughout Azure and Office 365
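Before you let PIM convert roles, it helps to know what standing admin access you have. The script below is an added example for this page, not from the talk; it uses the MSOnline module (`Connect-MsolService` already run), which only reports active, permanent assignments, which is exactly the inventory PIM is meant to shrink. `Get-PermanentAdminAssignments` is a helper name chosen here.

```powershell
# Added example (not from the talk). Assumes the MSOnline module and an
# authenticated session (Connect-MsolService).

function Get-PermanentAdminAssignments {
    # One row per (role, member) for every directory role that has members.
    foreach ($role in Get-MsolRole) {
        foreach ($member in (Get-MsolRoleMember -RoleObjectId $role.ObjectId -All)) {
            [pscustomobject]@{
                Role       = $role.Name
                Member     = $member.EmailAddress
                MemberName = $member.DisplayName
                MemberType = $member.RoleMemberType   # User, Group or ServicePrincipal
            }
        }
    }
}

$permanent = Get-PermanentAdminAssignments

# Roles with the most standing members are the first candidates for PIM eligibility.
$permanent | Group-Object Role |
    Sort-Object Count -Descending |
    Select-Object @{ n = 'Role'; e = { $_.Name } }, Count |
    Format-Table -AutoSize

# PIM's just-in-time activation targets users; non-user members (groups, service
# principals) need a manual decision, so list them separately.
$permanent | Where-Object { $_.MemberType -ne 'User' } | Format-Table -AutoSize
```

Run it again after PIM has been rolled out: any user that still shows up here holds a permanent assignment that was either deliberately excluded or slipped through.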
  24. Tracking botnet and brute-force attacks: Operations Management Suite (OMS) is the Swiss Army knife you need
     - OMS provides System Center-like capabilities in the cloud
     - Capable of tracking hybrid deployments, including Office 365 and Azure
     - Gathers logs (including custom ones), configuration data, update status, availability, backup info and even Surface Hub data
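The slide says OMS can track brute-force attacks but does not show what the detection looks like. The script below is an added example for this page, not from the talk or from OMS itself: it runs the detection logic offline over a constructed sample of failed-logon records (Windows Security event 4625) shaped like the `SecurityEvent` rows OMS Security & Audit collects, and then shows the equivalent Log Analytics query (assumed schema) that you would run in the OMS portal. `Find-BruteForce` is a helper name chosen here.

```powershell
# Added example (not from the talk). Constructed sample data, no OMS connection.
# Column names follow the SecurityEvent table as collected by OMS Security & Audit
# (TimeGenerated, EventID, Account, IpAddress); that schema is assumed here.

$t0 = [datetime]'2017-10-14T08:00:00Z'
$events = @()
# Password spray: one source IP tries 20 different accounts, 12 seconds apart
foreach ($i in 0..19) {
    $events += [pscustomobject]@{
        TimeGenerated = $t0.AddSeconds(12 * $i); EventID = 4625
        Account = "CORP\user$i"; IpAddress = '203.0.113.45'
    }
}
# A real user mistyping a password twice: must not be flagged
$events += [pscustomobject]@{ TimeGenerated = $t0.AddMinutes(1); EventID = 4625; Account = 'CORP\jussi'; IpAddress = '198.51.100.7' }
$events += [pscustomobject]@{ TimeGenerated = $t0.AddMinutes(2); EventID = 4625; Account = 'CORP\jussi'; IpAddress = '198.51.100.7' }
# A successful logon (4624) from the spraying IP afterwards: the part you really care about
$events += [pscustomobject]@{ TimeGenerated = $t0.AddMinutes(5); EventID = 4624; Account = 'CORP\user7'; IpAddress = '203.0.113.45' }

function Find-BruteForce {
    param([object[]]$Events, [int]$Threshold = 10, [int]$WindowMinutes = 5)
    $failures = $Events | Where-Object { $_.EventID -eq 4625 }
    foreach ($group in ($failures | Group-Object IpAddress)) {
        $sorted = @($group.Group | Sort-Object TimeGenerated)
        # Sliding window anchored at each failure; alert on the first window that fills up
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $end = $sorted[$i].TimeGenerated.AddMinutes($WindowMinutes)
            $inWindow = @($sorted[$i..($sorted.Count - 1)] | Where-Object { $_.TimeGenerated -le $end })
            if ($inWindow.Count -ge $Threshold) {
                $ip = $group.Name
                $success = @($Events | Where-Object {
                    $_.EventID -eq 4624 -and $_.IpAddress -eq $ip -and $_.TimeGenerated -ge $sorted[$i].TimeGenerated
                })
                [pscustomobject]@{
                    IpAddress        = $ip
                    WindowStart      = $sorted[$i].TimeGenerated
                    Failures         = $inWindow.Count
                    DistinctAccounts = @($inWindow.Account | Sort-Object -Unique).Count
                    SucceededAfter   = $success.Count -gt 0   # spray followed by a success = likely compromise
                }
                break
            }
        }
    }
}

Find-BruteForce -Events $events | Format-Table -AutoSize

# The same idea as an OMS Log Analytics query (schema assumed, not executed here):
$omsQuery = @'
SecurityEvent
| where EventID == 4625
| summarize Failures = count(), DistinctAccounts = dcount(Account) by IpAddress, bin(TimeGenerated, 5m)
| where Failures >= 10
'@
```

On the constructed data the spraying address is reported with many distinct accounts and a success after the window, while the two-failure user stays below the threshold. The `DistinctAccounts` column is what separates a password spray (many accounts, few attempts each) from a classic brute force against one account; per-account lockout policies catch the latter but not the former, which is why you need the per-source view.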
  25. Protecting from external threats with Office 365 Threat Intelligence, which uses evidence-based knowledge about threats
     - Provides a 360° view of external threats against users
     - Insights and analysis based on evidence; act accordingly
     - Allows custom policies and reactions
  26. Publishing internal services securely: Azure AD Application Proxy provides a one-way HTTPS tunnel to on-premises
     - Enforces authentication at Azure AD before allowing access to internal resources
     - Configuration is simple and supports highly available deployments
     - Internal services do not require changes
     - Dual authentication is also supported: first at Azure AD, then on-premises against the local AD/service
  27. Demo
  28. Protecting against internal threats: trust no one
  29. Securing edge network and cloud app usage with Cloud App Security (formerly Advanced Security Management): discover activity and incidents in Office 365
     - Similar to OMS, but aimed directly at Office 365 workloads
     - Records all activities of users, including external users
     - Supports analysis of on-premises edge router logs
  30. Monitoring what admins and developers are doing with Azure resources: Azure Monitor provides monitoring throughout tenants and resource groups
     - Query the Azure backends to see operations performed against services
     - Connect with Log Analytics (for further analysis), Power BI (for reports) and Application Insights (for wisdom)
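The Azure Activity Log is what Azure Monitor exposes for control-plane operations, and it is queryable from PowerShell. The script below is an added example for this page, not from the talk; it assumes the AzureRM modules of 2017 (`Login-AzureRmAccount` already run) and Reader access on the resource group, and `prod-rg` is a placeholder name. `Get-RecentChanges` is a helper name chosen here.

```powershell
# Added example (not from the talk). Assumes AzureRM modules (Login-AzureRmAccount
# already run); 'prod-rg' is a placeholder resource group.

function Get-RecentChanges {
    param([string]$ResourceGroup, [int]$Hours = 24)
    # The activity log records control-plane operations only (no data-plane reads),
    # so filter to state-changing ones: write, delete and POST-style actions such as
    # listKeys or restart.
    Get-AzureRmLog -ResourceGroup $ResourceGroup -StartTime (Get-Date).AddHours(-$Hours) |
        Where-Object { $_.OperationName.Value -match '/(write|delete|action)$' } |
        Select-Object EventTimestamp, Caller,
            @{ n = 'Operation'; e = { $_.OperationName.Value } },
            @{ n = 'Status';    e = { $_.Status.Value } },
            ResourceId
}

$changes = Get-RecentChanges -ResourceGroup 'prod-rg' -Hours 24
$changes | Sort-Object EventTimestamp | Format-Table -AutoSize

# Who changed the most? Unexpected callers (an unknown service principal, a user who
# should have lost access) stand out in this summary.
$changes | Group-Object Caller | Sort-Object Count -Descending | Select-Object Name, Count
```

For anything beyond an ad-hoc look, route the activity log into Log Analytics (as the slide suggests) so the same query runs across subscriptions and the data outlives the activity log's own retention.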
  31. Finding shadow IT within the organization with Cloud App Discovery: discover unmanaged (and managed) cloud apps in use
     - Works by dropping an agent on workstations
     - Consent can be requested; or just install silently..
     - Discovers apps, the amount of data transferred and who uses what
     - Based on the reports, act accordingly
  32. Active Directory surveillance and analysis with Advanced Threat Analytics (ATA): aggressive auditing and analytics for on-premises Active Directory requests
     - Captures all authentication traffic to and from domain controllers
     - Uses machine learning to identify issues and unauthorized usage
     - Fully automatic, install and forget! Almost like SharePoint ;-)
     - Can connect with OMS to provide hybrid reporting in the cloud
  33. Compliance Manager
     - A new service in Office 365, coming in November
     - Centralized compliance view for GDPR, ISO 27001 and other frameworks
     - Sign up for the preview (the link on the slide ends in manager-preview)
  34. Customer Key
     - Announced at Ignite 2017 last week
     - Use customer-managed encryption keys for Office 365 data
     - Includes protection if you lose your keys (Microsoft keeps an availability key as a recovery path)
     - Uses Azure Key Vault to hold the keys; the vault can be HSM (Hardware Security Module) backed
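The Key Vault side of Customer Key is a short sequence of AzureRM commands. The script below is an added example for this page, not from the talk or from Microsoft's Customer Key setup guide; it assumes the AzureRM modules of 2017 (`Login-AzureRmAccount` already run) and Contributor rights on the subscription. All resource names are placeholders, and so is the service principal id: the id that Office 365 uses to reach your vault is the one documented for Customer Key in your cloud, not the zero GUID used here.

```powershell
# Added example (not from the talk). Assumes AzureRM modules (Login-AzureRmAccount
# already run). Every name below is a placeholder; $o365Spn in particular must be
# replaced with the documented Office 365 service principal id.

$rg       = 'contoso-keys-rg'
$vault    = 'contoso-o365-kv'       # Key Vault names are globally unique
$location = 'westeurope'
$o365Spn  = '00000000-0000-0000-0000-000000000000'   # placeholder, NOT a real id

New-AzureRmResourceGroup -Name $rg -Location $location

# Premium SKU is required for HSM-backed keys; soft delete keeps a deleted key
# recoverable, which matters when that key protects mailboxes.
New-AzureRmKeyVault -VaultName $vault -ResourceGroupName $rg -Location $location `
    -Sku Premium -EnableSoftDelete

# Generate the RSA key inside the HSM: the private material never leaves it
# and cannot be exported later.
$key = Add-AzureKeyVaultKey -VaultName $vault -Name 'o365-dep-key-1' -Destination HSM

# Least privilege for the Office 365 service: it wraps and unwraps data
# encryption keys and reads key metadata, nothing else (no create/delete/backup).
Set-AzureRmKeyVaultAccessPolicy -VaultName $vault -ServicePrincipalName $o365Spn `
    -PermissionsToKeys get, wrapKey, unwrapKey

# The versioned key identifier is what goes into the Office 365 data encryption policy.
$key.Id

# Verify what was actually granted before handing the key URI over.
(Get-AzureRmKeyVault -VaultName $vault).AccessPolicies |
    Select-Object ObjectId, PermissionsToKeys
```

This covers only the vault and key; the full Customer Key onboarding has further prerequisites on the Office 365 side that are documented by Microsoft and are not reproduced here. The point to take from the example is the access policy: the tenant that owns the vault controls who may unwrap, and Office 365 gets exactly the two key operations it needs.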
  35. Don't worry, security will keep you busy
  36. Demo
  37. I'm lost: too many services and options
     - On-premises: Active Directory, Advanced Threat Analytics, firewall/proxy/VLANs etc., Microsoft Identity Manager
     - Office 365: Data Loss Prevention, Threat Intelligence, Secure Score, Compliance Manager
     - Microsoft Azure: Connect Health, Cloud App Discovery, Network Security Groups, Cloud App Security, Identity Protection, Privileged Identity Management, Azure Active Directory, Conditional Access, Operations Management Suite, Security Center, Azure MFA, Azure Information Protection, Intune
  38. Licenses: it depends.
  39. Enterprise Mobility + Security (EMS), formerly known as Enterprise Mobility Suite; available as E3 and E5
  40. What about Microsoft 365?
     - Microsoft 365 Enterprise (E3/E5) = Office 365 Enterprise + Windows 10 Enterprise + Enterprise Mobility + Security
     - Microsoft 365 Business (up to 300 users) = Office 365 for Business + Windows 10 Pro + Intune
  41. Security-related services and licenses. Services: Advanced Threat Analytics, Active Directory, Azure MFA Server, Advanced Security Management, Threat Intelligence, Secure Score, Intune, Azure MFA for Admins, Azure AD, Azure AD Premium, Security Center, Cloud App Discovery, Privileged Identity Management, Identity Protection, Azure MFA, Connect Health, Network Security Groups, next-gen firewalls, Information Protection, Operations Management Suite. License buckets: no extra license needed; EMS E3 / Microsoft 365 E3; EMS E5 / Microsoft 365 E5; additional licensing.
  42. Recommendations & recap
     - Follow current practices and patterns: get the book! Get the guidance!
     - Deploy the free services: Azure Security Center, Office 365 Secure Score, Azure MFA for Admins, OMS Security (AAD + O365)
     - Go for Azure AD Premium, either with EM+S or separately
     - Deploy ATA
     - Enable PIM and Identity Protection
  43. Thank you! #SPSParis @JussiRoine