Move Securely to the Microsoft Cloud (slide deck by Mike Brannon)
How I learned to love the cloud
Our Cloud Journey –
Making a SECURE Transition!
Journey of Three Essential Steps -- #1
Why do this? Who gets involved / when?
“Business Drivers”
Aging Tech – Not Forward Capable
Company Wide ERP Integration
Modern Tools & Software
$ Savings From Less Old Content/Data
(Less Risk / Less Processing)
Which Workload/Process – Risk? Issues?
Iterative Approach!
Step -- #2 Workload Planning/Details
Repeat for Each Workload!
SaaS is a Preference For Our Business
Office 365 – Email, OneDrive, SharePoint files
Client Software Deployment (Windows 10)
Office Applications / Configuration
Mobile Access? (Intune, Applications)
ADFS and Azure AD – Rich Policies and Tools
MFA tools, Conditional Access Rules
Step -- #3 Deployment & Adoption
Repeat for Each Workload!
Buy ONLY licenses / instances consumed - Deploy round one
Take Adoption Seriously – Use Learning / Change Management
Iterate! Sprints w/ Checkpoints – Adjust Course Often
Generational Tech Change: Leave IBM Mainframe
• Mainframe Deployed in 1985 – Decommission in 2018
• SAP HANA (Hosted) Taking Over as System of Record
• IBM Z-OS Mainframe Retired Entirely (on premise)
• Shift: MF On Premise to Hosted SAP to Azure Cloud
Keeping Pace: Updated Digital Workplace
• Before: Windows 7 / Office 2010 on older Windows Servers, protected mainly by perimeter security and firewalls
• After: Windows 10 + EMS (mobile) + Office 365 on Azure servers, more secure both by design and by how it is deployed
• Evolution: from on premise, to hosted, to Azure cloud
• Shifting to SaaS solutions integrated via SSO and other modern approaches
Make Our New Cloud MORE Secure!
» Less Data And Content Means Less “Attack Surface”
• Far Easier To Defend LESS Data – Also Well Defined (Labeled)
• Data Classification and Access Tracking FAR Easier
» Retire OLD Servers / PCs – New OSes Far MORE Secure
• Azure/Server 2016 and Windows 10 Better Built/Better Defended
• Microsoft Delivers Updates, Enhancements Regularly (ready or not!)
» Lots of Tools – Microsoft 365 / O365-EMS-Windows 10E
• Licensed All 3 Tools For Improved / Interlocked Security
• Data / Endpoint / Server-Services Tightly Managed “in Cloud”
The mistakes of the past
[Timeline figure, 2009 through 2014 to Present Day: stored content accumulates year over year and its cost ($) grows with it. Content categories shown: Records; Business/User Valuable; ROT (Risky, Outdated, Trivial).]
© Copyright 2014-2017 Integro, Inc.
Why is Over-Retention a Problem?
eDiscovery cost per GB, with the totals the slide derives from them (the data volumes behind each total are not stated on the slide; the three stage totals add up to the overall range):
Stage        Cost per GB            Total for the example case
Collection   $125 to $6,700         $26,250 to $1.4 million
Processing   $600 to $6,000         $6,000 to $60,000
Review       $1,800 to $210,000     $4,140 to $483,000
Overall                             From $36,390 up to $1.9 million
© Copyright 2017 Integro, Inc.
Delete by Default
How do we get to our desired state?
• All documents and email have a lifecycle, no matter where they live.
• The system auto-deletes items that are not designated as a Record or otherwise retained.
Default lifecycle/retention periods:
Email - 90 days (from the sent/received date)
Documents - 3 years (from the last modified date)
Office 365 tools: Retention Policies, set as defaults and assigned by Labels
© Copyright 2017 Integro, Inc.
A better way forward.
[Timeline figure, 2013 through 2018 to Present Day: the same year-by-year view redrawn for the delete-by-default approach.]
[Diagram: Microsoft Cybersecurity Reference Architecture, https://aka.ms/MCRA. Labels visible: Securing Privileged Access; Office 365 Security; Rapid Cyberattacks (WannaCrypt/Petya); Video Recording; Strategies; SQL Encryption & Data Masking; Office 365; Dynamics 365; +Monitor; Data Loss Protection; Data Governance; eDiscovery.]
Microsoft Tools We Use
» Office 365 E3 with Advanced Data Governance
• Retention rules and Labels preserve/delete and classify
» EMS - Intune, Azure AD and MFA
• Secure devices and authentication methods
» Windows 10 Enterprise - GPO, BitLocker, AppLocker
• Hardened OS – Credential Guard, More Security Included
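How the Windows 10 Enterprise hardening listed above can be verified on an endpoint. This is an added example, not code from the deck or from Microsoft: it reads the built-in BitLocker, Device Guard (Credential Guard) and AppLocker state on the local machine and lists the gaps. The bar it applies (every volume fully encrypted, Credential Guard actually running, the Exe rule collection in Enforce mode) is an assumption chosen for the example.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the deck): audit the Windows 10 Enterprise hardening the
# slide relies on (BitLocker, Credential Guard, AppLocker) on the local endpoint.
# Run in an elevated PowerShell session on the device being checked.
function Test-EndpointHardening {
    $findings = @()

    # BitLocker: each volume should be fully encrypted with protection turned on.
    # (Removable drives returned here are flagged too; narrow the scope if needed.)
    foreach ($vol in Get-BitLockerVolume) {
        if ($vol.ProtectionStatus -ne 'On' -or $vol.VolumeStatus -ne 'FullyEncrypted') {
            $findings += "BitLocker: $($vol.MountPoint) ($($vol.VolumeType)) is $($vol.VolumeStatus), protection $($vol.ProtectionStatus)"
        }
    }

    # Credential Guard: Win32_DeviceGuard.SecurityServicesRunning lists the VBS
    # services actually running (1 = Credential Guard, 2 = HVCI). "Configured but
    # not running" (e.g. virtualization disabled in firmware) is the common gap.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    if ($dg.SecurityServicesRunning -notcontains 1) {
        $findings += "Credential Guard not running (configured: $($dg.SecurityServicesConfigured -join ','); VBS status $($dg.VirtualizationBasedSecurityStatus))"
    }

    # AppLocker: the effective policy (local + GPO merged) must have the Exe
    # collection in Enforce mode; AuditOnly or NotConfigured blocks nothing.
    $exe = (Get-AppLockerPolicy -Effective).RuleCollections |
           Where-Object { $_.RuleCollectionType -eq 'Exe' }
    if (-not $exe -or $exe.EnforcementMode -ne 'Enabled') {
        $findings += 'AppLocker: Exe rule collection is not enforced'
    }

    return $findings
}

$gaps = Test-EndpointHardening
if ($gaps.Count -eq 0) { 'Endpoint hardening checks passed' } else { $gaps }
```

Run it on a sample of machines before and after the GPO/Intune rollout; a device that passes the AppLocker and BitLocker checks but fails Credential Guard is usually a hardware or firmware issue (VBS not enabled) rather than a policy one.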
EMS is a BIG Basket of tools and features!
• Intune – Devices and Apps
• Config, Certs, Data Protection
• Azure AD – Conditional Access Rules
• MFA, Password Resets
• Identity Manager – IAM and Sync
Microsoft Tools For Data Classification and Protection
» Retention Rules & Labels in O365
• Labels classify content
• Delete by default: retention rules per Office 365 app
» Azure Information Protection (a separate product from O365 labels at present)
Intune for Mobile / Azure AD Conditional Access
» Register Devices
• Configure / Compliance
» Data / App Protection
• Containerize Our Data
• Conditional Access – AAD
• Powerful Policies!
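What the Conditional Access part of that slide looks like when written down. This is an added example, not code from the deck: it creates two Azure AD Conditional Access policies through the Microsoft Graph PowerShell SDK, one requiring MFA plus a compliant (Intune-managed) device for Office 365, the other blocking legacy authentication. The policy names and the break-glass group ID are placeholders (assumptions) for this example.

```powershell
# Added example (not from the deck): two Azure AD Conditional Access policies
# via the Microsoft Graph PowerShell SDK. Placeholder names and IDs below.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

$breakGlassGroupId = '00000000-0000-0000-0000-000000000000'   # placeholder: emergency-access accounts group

# Policy 1: Office 365 only from a compliant (Intune-managed) device, with MFA.
# "compliantDevice" only means something once an Intune compliance policy is
# assigned; before that every device is non-compliant and this would lock everyone out.
$requireCompliantMfa = @{
    displayName = 'CA01 - O365: require MFA and compliant device'
    state       = 'enabledForReportingButNotEnforced'   # report-only first; set 'enabled' after reviewing sign-in logs
    conditions  = @{
        users          = @{ includeUsers = @('All'); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @('Office365') }   # the Office 365 app group
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'AND'; builtInControls = @('mfa', 'compliantDevice') }
}

# Policy 2: block legacy authentication (Basic auth: EAS, POP/IMAP/SMTP clients).
# Those protocols cannot prompt for MFA, so without this a stolen password
# bypasses Policy 1 entirely.
$blockLegacy = @{
    displayName = 'CA02 - Block legacy authentication'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeUsers = @('All'); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('exchangeActiveSync', 'other')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

foreach ($p in @($requireCompliantMfa, $blockLegacy)) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $p | Select-Object DisplayName, State, Id
}

# Check: what is enforced versus report-only across the tenant.
Get-MgIdentityConditionalAccessPolicy | Select-Object DisplayName, State | Sort-Object State
```

Both policies start in report-only mode on purpose: the Azure AD sign-in log then shows which users and devices would have been blocked, which is the checkpoint the deck's "iterate with sprints" step needs before enforcement. Always exclude a break-glass group; a policy that requires a compliant device with no exclusions can lock out the admins who would fix it.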
Cloud App Security
» Discovery
• Survey Usage
» Threat Detection
• Logs user, content actions
» Data Protection
• API to integrate tools
» O365 Only or Azure AD
Additional Microsoft Tools We Use
» Office 365 E5 Licenses
• Many more capabilities than E3: manage content, analyze Office 365 usage
• eDiscovery tools for searches, supervision, legal holds
• Power BI tools and delivered analysis packages
• Insights into user behavior and content management
• More tools beyond content management too
» Office 365 Secure Score – guidance linked to settings
Questions?
» Any Additional Info Needed?
» Links to topics in Notes for Slides
» Presentation Shared!!
Labels and ADG
» Create Label
• Settings, Retention
» Deploy / Publish
• Site, Doc Library
» O365 Only or Azure AD
O365 Retention Policies
» Admin Managed
• Others Unaware
» Settings Per Policy
• Action? Timing?
» Choose Locations
• Applied to O365 ‘Containers’
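The "Delete by Default" defaults (email 90 days, documents 3 years) and the label and retention-policy slides above, implemented as one script. This is an added example, not code from the deck: it uses Security & Compliance PowerShell to create the two default retention policies, a "Record" label that keeps content indefinitely, and a policy that publishes that label so users can apply it. Policy and label names, and the 365-day year, are assumptions for this example.

```powershell
# Added example (not from the deck): delete-by-default retention policies plus a
# Record label, using Security & Compliance PowerShell (ExchangeOnlineManagement
# module, Compliance admin role). Names below are placeholders.
Connect-IPPSSession   # interactive sign-in (MFA prompt) to Security & Compliance PowerShell

# 1. Email: delete 90 days after the message was sent/received (creation age).
New-RetentionCompliancePolicy -Name 'Default-Email-90d' -ExchangeLocation All -Enabled $true
New-RetentionComplianceRule -Name 'Default-Email-90d-Rule' -Policy 'Default-Email-90d' `
    -RetentionDuration 90 -RetentionComplianceAction Delete `
    -ExpirationDateOption CreationAgeInDays

# 2. Documents: delete 3 years (3 x 365 days, an assumption) after last modification.
#    Scope is SharePoint and OneDrive; Teams chats/channels are separate locations.
New-RetentionCompliancePolicy -Name 'Default-Docs-3y' -SharePointLocation All -OneDriveLocation All -Enabled $true
New-RetentionComplianceRule -Name 'Default-Docs-3y-Rule' -Policy 'Default-Docs-3y' `
    -RetentionDuration 1095 -RetentionComplianceAction Delete `
    -ExpirationDateOption ModificationAgeInDays

# 3. A "Record" label: keep indefinitely; as a record label it also blocks edits and deletes.
New-ComplianceTag -Name 'Record' -IsRecordLabel $true -RetentionAction Keep -RetentionDuration Unlimited

# 4. Publish the label to mail, sites and OneDrive so users (or auto-apply rules) can assign it.
New-RetentionCompliancePolicy -Name 'Publish-Record-Label' -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -Enabled $true
New-RetentionComplianceRule -Name 'Publish-Record-Label-Rule' -Policy 'Publish-Record-Label' -PublishComplianceTag 'Record'

# Check: distribution can take hours; a policy in Pending/Error state is not yet enforcing.
Get-RetentionCompliancePolicy -DistributionDetail | Select-Object Name, Enabled, DistributionStatus
```

Two things worth knowing before enabling this. First, retention precedence: an explicit retain (the Record label, or an eDiscovery hold) always wins over a delete rule, so labelled records and held content survive the 90-day and 3-year defaults; that is what makes "delete by default" safe to run tenant-wide. Second, the "Others Unaware" point on the retention-policy slide cuts both ways: users get no notice when a policy is assigned, so the default periods need to be part of the adoption communication or the first 90-day purge will look like an outage.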

Scanning the Internet for External Cloud Exposures via SSL Certs
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 

Move Securely to the Microsoft Cloud

  • 2. How I learned to love the cloud Our Cloud Journey – Making a SECURE Transition!
  • 3. Journey of Three Essential Steps -- #1
      Why do this? Who gets involved / when? “Business Drivers”
      Aging Tech – Not Forward Capable
      Company Wide ERP Integration
      Modern Tools & Software
      $ Savings From Less Old Content/Data (Less Risk / Less Processing)
      Which Workload/Process – Risk? Issues?
      Iterative Approach!
  • 4. Step -- #2 Workload Planning/Details – Repeat for Each Workload!
      SaaS is a Preference For Our Business
      Office 365 – Email, OneDrive, SharePoint files
      Client Software Deployment (Windows 10)
      Office Applications / Configuration
      Mobile Access? (Intune, Applications)
      ADFS and Azure AD – Rich Policies and Tools
      MFA tools, Conditional Access Rules
  • 5. Step -- #3 Deployment & Adoption – Repeat for Each Workload!
      Buy ONLY licenses / instances consumed - Deploy round one
      Take Adoption Seriously – Use Learning / Change Management
      Iterate! Sprints w/ Checkpoints – Adjust Course Often
  • 6. Generational Tech Change: Leave IBM Mainframe
      • Mainframe Deployed in 1985 – Decommission in 2018
      • SAP HANA (Hosted) Taking Over as System of Record
      • IBM Z-OS Mainframe Retired Entirely (on premise)
      • Shift: MF On Premise to Hosted SAP to Azure Cloud
  • 7. Keeping Pace: Updated Digital Workplace
      • Windows7/Office2010 – OLDER Windows Servers – Perimeter Security, Firewall Protections
      • Win10-EMS/Mobile-Office 365 – Azure Servers – MUCH MORE SECURE By Design and Deployment
      • Evolution: From On Premise to Hosted to Azure Cloud
      • Shifting to SaaS Solutions Integrated Via SSO and more modern approaches
  • 8. Make Our New Cloud MORE Secure!
      » Less Data And Content Means Less “Attack Surface”
        • Far Easier To Defend LESS Data – Also Well Defined (Labeled)
        • Data Classification and Access Tracking FAR Easier
      » Retire OLD Servers / PCs – New OSes Far MORE Secure
        • Azure/Server 2016 and Windows 10 Better Built/Better Defended
        • Microsoft Delivers Updates, Enhancements Regularly (ready or not!)
      » Lots of Tools – Microsoft 365 / O365-EMS-Windows 10E
        • Licensed All 3 Tools For Improved / Interlocked Security
        • Data / Endpoint / Server-Services Tightly Managed “in Cloud”
  • 9. The mistakes of the past (timeline figure, Present Day) © Copyright 2014-2017 Integro, Inc.
  • 10–15. Timeline figure: content accumulates year by year, 2009 through 2014, up to Present Day. Categories shown: Records; Business/User Valuable; ROT: Risky, Outdated, Trivial.
  • 16. Why is Over-Retention a Problem? d at the Direction of Counsel
  • 17. Why is Over-Retention a Problem? Per-GB costs and totals (figures from the article cited in the notes):
      Phase        Per GB cost          Total
      Collection   $125 to $6,700       $26,250 to $1.4 Million
      Processing   $600 to $6,000       $6,000 to $60,000
      Review       $1,800 to $210,000   $4,140 to $483,000
      Overall: From $36,390 UP to $1.9 Million!
  • 18. Delete by Default – How do we get to our desired state?
  • 19. Delete by Default
      • All documents and email have a lifecycle, no matter where they live.
      • System will auto-delete items not designated as a Record or otherwise.
      Default lifecycle/retention periods:
        Email - 90 days (sent/received)
        Documents - 3 years (last modified)
      Office 365 tools: Retention Policies – set as defaults and assigned by Labels
  • 20. Delete by default (figure)
  • 21. A better way forward. (timeline figure, Present Day)
  • 22–26. Timeline figure: 2013 through 2018, up to Present Day.
  • 27. Microsoft Cybersecurity Reference Architecture diagram (https://aka.ms/MCRA). Labels visible on the slide: Securing Privileged Access; Office 365 Security; Rapid Cyberattacks (Wannacrypt/Petya); Video Recording; Strategies; SQL Encryption & Data Masking; Office 365; Dynamics 365; Monitor; Data Loss Protection; Data Governance; eDiscovery.
  • 38. Microsoft Tools We Use
      » Office 365 E3 with Advanced Data Governance
        • Retention rules and Labels preserve/delete and classify
      » EMS - Intune, Azure AD and MFA
        • Secure devices and authentication methods
      » Windows 10 Enterprise - GPO, BitLocker, AppLocker
        • Hardened OS – Credential Guard, More Security Included
  • 39. EMS is a BIG Basket of tools and features!
      • Intune – Devices and Apps
        • Config, Certs, Data Protection
      • Azure AD – Conditional Access Rules
        • MFA, Password Resets
      • Identity Manager – IAM and Sync
  • 41. Microsoft Tools For Data Classification and Protection (diagram). Labels visible on the slide: Retention Rules & Labels in O365; Azure Info Protection (separate now); LABELS classify content; Use Labels; Delete by Default via Retention Rules, by Office 365 app.
  • 42. Intune for Mobile
      » Register Devices
        • Configure / Compliance
      » Data / App Protection
        • Containerize Our Data
        • Conditional Access – AAD
        • Powerful Policies!
  • 43. Intune / Azure AD Conditional Access (same bullets as slide 42)
  • 44. Cloud App Security
      » Discovery
        • Survey Usage
      » Threat Detection
        • Logs user, content actions
      » Data Protection
        • API to integrate tools
      » O365 Only or Azure AD
  • 45. Additional Microsoft Tools We Use
      » Office 365 E5 Licenses
        • Many more extensive capabilities than E3 - manage content, Analyze O-365 usage
        • eDiscovery Tools for Searches, Supervision, Legal Holds
        • PowerBI Tools and delivered Analysis Packages
        • Insights into user behavior, content / management
        • More tools beyond content management too
      » Office 365 Secure Score – Guidance Linked to Settings
  • 54. Questions? » Any Additional Info Needed? » Links to topics in Notes for Slides » Presentation Shared!!
  • 56. Labels and ADG
      » Create Label
        • Settings, Retention
      » Deploy / Publish
        • Site, Doc Library
      » O365 Only or Azure AD
  • 57. O365 Retention Policies
      » Admin Managed
        • Others Unaware
      » Settings Per Policy
        • Action? Timing?
      » Choose Locations
        • Applied to O365 ‘Containers’
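The delete-by-default lifecycle from slide 19 (email 90 days after sent/received, documents 3 years after last modified, Records exempt), combined with the label actions the notes describe (retain, delete, or retain then delete), worked through as an added Python example. This is not code from the presentation or from Microsoft: the Label/Item data model, the rule that an expired retain-only label falls back to the default lifecycle, and the sample items are all assumptions constructed for the example.

```python
"""Delete-by-default lifecycle check (added example, not the presentation's code).

Models the defaults on the "Delete by Default" slide (email: 90 days after
sent/received; documents: 3 years after last modified; Records are never
auto-deleted) plus the label actions from the notes: retain, delete, or
retain-then-delete.  The data model and the sample items are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Default lifecycle in days, per the slide (3 years approximated as 3 * 365).
DEFAULT_RETENTION_DAYS = {"email": 90, "document": 3 * 365}


@dataclass(frozen=True)
class Label:
    name: str
    retention_days: int
    action: str               # "retain", "delete" or "retain_then_delete"
    is_record: bool = False   # Record: label locked, content can't be edited/deleted


@dataclass(frozen=True)
class Item:
    item_id: str
    kind: str                 # "email" or "document"
    basis_date: date          # email: sent/received; document: last modified
    label: Optional[Label] = None


def decide(item: Item, today: date) -> str:
    """Return 'record', 'retain', 'delete' or 'keep' for one item."""
    if item.kind not in DEFAULT_RETENTION_DAYS:
        raise ValueError(f"unknown item kind {item.kind!r}")
    age_days = (today - item.basis_date).days
    label = item.label
    if label is not None:
        if label.is_record:
            return "record"                      # immutable, never swept
        inside = age_days < label.retention_days
        if label.action == "delete":
            return "keep" if inside else "delete"
        if label.action == "retain_then_delete":
            return "retain" if inside else "delete"
        if label.action != "retain":
            raise ValueError(f"unknown label action {label.action!r}")
        if inside:
            return "retain"                      # protected from deletion
        # Assumption: an expired retain-only label falls back to the default
        # lifecycle below rather than keeping the item forever.
    return "delete" if age_days >= DEFAULT_RETENTION_DAYS[item.kind] else "keep"


def sweep(items: List[Item], today: date) -> Dict[str, str]:
    """Decision for every item, keyed by item id."""
    return {it.item_id: decide(it, today) for it in items}


def delete_candidates(items: List[Item], today: date) -> List[str]:
    """Ids the system would auto-delete on this sweep."""
    return sorted(i for i, d in sweep(items, today).items() if d == "delete")


# Constructed sample labels and items (not taken from any tenant).
RECORD = Label("Record", 0, "retain", is_record=True)
CONTRACT = Label("Contract", 7 * 365, "retain_then_delete")
PROJECT = Label("Project", 365, "retain")
TODAY = date(2018, 6, 1)
SAMPLE_ITEMS = [
    Item("email-jan", "email", date(2018, 1, 15)),             # 137 days old
    Item("email-may", "email", date(2018, 5, 1)),              # 31 days old
    Item("email-contract", "email", date(2017, 1, 1), CONTRACT),
    Item("doc-2014", "document", date(2014, 3, 1)),
    Item("doc-2016", "document", date(2016, 6, 1)),
    Item("doc-record", "document", date(2010, 1, 1), RECORD),
    Item("doc-contract-2011", "document", date(2011, 1, 1), CONTRACT),
    Item("doc-project", "document", date(2017, 1, 1), PROJECT),
]

if __name__ == "__main__":
    for item_id, decision in sweep(SAMPLE_ITEMS, TODAY).items():
        print(f"{item_id:20} {decision}")
    print("auto-delete:", delete_candidates(SAMPLE_ITEMS, TODAY))
```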

Editor's Notes

  1. SHIFT from on prem toward SaaS as a business imperative! Office 365 as a chosen landing spot! https://blogs.msdn.microsoft.com/azuresecurity/2016/04/18/what-does-shared-responsibility-in-the-cloud-mean/ See the slides for our “Collaboration Workload” – Email – OneDrive for Business – Skype for Business -- THEN SharePoint and Teams
  2. CLOUD Advantage – buy what you need – no giant commitment to start. Enterprise type agreements usually mean you “overbuy”: you buy seats for ALL, then you deploy what you can – as you can. For us – only buying the seats we can deploy has postponed a LOT of costs!
     Choosing the correct VERSION of Office 365 has large cost implications – just as does selecting the right Azure service options! With Azure you can pay as you go. However, after you ramp things up you may need to buy “reserved instances”, and you can get some discounts by doing some amount of “pre-purchase”.
     Famous quote: “No battle plan survives with any certainty beyond first contact with the enemy’s main force” – Prussian general Moltke. Simpler version – from boxer Mike Tyson – “Everyone has a plan until they get punched in the mouth!” In any case – plan – iterate – learn – adjust!!
  3. Link to a great resource for explaining ALL the components of Office 365 - http://icansharepoint.com/an-everyday-intro-to-office-365/
     Interactive full size version: https://app.jumpto365.com/
     GUIDANCE MONEY LINK: https://docs.microsoft.com/en-us/office365/securitycompliance/security-and-compliance – This is a KEY Resource that your admins need to leverage!
     Link to the Office e-Discovery slide and info - https://www.microsoft.com/itshowcase/Article/Content/843/Office-365-meets-evolving-eDiscovery-challenges-in-a-cloudfirst-world
  4. Data Classification (all company data marked based on risk / security) has been an elusive goal for us – With this new approach we expect to achieve it! By moving to a ‘delete by default’ approach we will be completely RID of a lot of data that was never well managed – and then people can focus on only the business relevant data!
     Properly labeling our data – getting it classified – will make it far easier to secure and we will have far less “attack surface area” – i.e. lots of poorly managed info – for someone to find, phishing or otherwise!
     Retiring OLD servers and PCs and moving to newer secured services, servers and PCs – designed, built and managed with modern tooling and process to be MORE secure – Makes us much more secure – Microsoft delivers LOTS of updates and improvements to the new setup and we are following a path to stay as “mainstream” as we can – (But updates come FAST). Our older systems are edging toward receiving NO more new updates so we need to get them retired! (Happening during 2018 – 2019)
     Overall – very high level – explanation of Microsoft’s approach to helping us secure and protect our data, devices and interests is HERE – https://www.microsoft.com/en-us/TrustCenter/CloudServices/office365/default.aspx (Go take a peek at this and at least hit the “SECURITY” tab – show how there are a great many linked resources here!!)
  5. Example is email specific but really works for any documents.
  6. Proactively control E-Discovery cost and manage risk http://www.naylornetwork.com/ngc-nwl/articles/index-v2.asp?aid=190762&issueID=28729
  7. http://www.naylornetwork.com/ngc-nwl/articles/index-v2.asp?aid=190762&issueID=28729
  8. Microsoft Retention Policy – https://support.office.com/en-us/article/overview-of-retention-policies-5e377752-700d-4870-9b6d-12bfc12d2423
     With a retention policy, you can:
       • Decide proactively whether to retain content, delete content, or both – retain and then delete the content.
       • Apply a single policy to the entire organization or just specific locations or users.
       • Apply a policy to all content or just content meeting certain conditions, such as content containing specific keywords or specific types of sensitive information.
     Microsoft Labels Overview – https://support.office.com/en-us/article/overview-of-labels-af398293-c69d-465e-a249-d74561552d30
       • Enable people in your organization to apply a label manually to content in Outlook on the web, Outlook 2010 and later, OneDrive, SharePoint, and Office 365 groups. Users often know best what type of content they’re working with, so they can classify it and have the appropriate policy applied.
       • Apply labels to content automatically if it matches specific conditions, such as when the content contains: specific types of sensitive information; specific keywords that match a query you create. The ability to apply labels to content automatically is important because: you don’t need to train your users on all of your classifications; you don’t need to rely on users to classify all content correctly; users no longer need to know about data governance policies – they can instead focus on their work. Note that auto-apply labels require an Office 365 Enterprise E5 subscription.
       • Apply a default label to a document library in SharePoint and Office 365 group sites, so that all documents in that library get the default label.
       • Implement records management across Office 365, including both email and documents. You can use a label to classify content as a record. When this happens, the label can’t be changed or removed, and the content can’t be edited or deleted.
  9. Proactively control E-Discovery cost and manage risk http://www.naylornetwork.com/ngc-nwl/articles/index-v2.asp?aid=190762&issueID=28729
  10. https://www.linkedin.com/pulse/marks-list-mark-simos/ Great Microsoft References from one of their creators! STATIC SLIDE VERSION (No Animations)
     The Microsoft Cybersecurity Reference Architecture (https://aka.ms/MCRA) describes Microsoft’s cybersecurity capabilities and how they integrate with existing security architectures and capabilities. We recently updated this diagram and wanted to share a little bit about the changes and the document itself to help you better utilize it.
     Class: https://mva.microsoft.com/en-US/training-courses/cybersecurity-reference-architecture-17632?l=sa3b33xtD_404300474
     How to use it
     We have seen this document used for several purposes by our customers and internal teams (beyond a geeky wall decoration to shock and impress your cubicle neighbors :-)
       • Starting template for a security architecture - The most common use case we see is that organizations use the document to help define a target state for cybersecurity capabilities. Organizations find this architecture useful because it covers capabilities across the modern enterprise estate that now spans on-premise, mobile devices, many clouds, and IoT / Operational Technology.
       • Comparison reference for security capabilities - We know of several organizations that have marked up a printed copy with what capabilities they already own from various Microsoft license suites (many customers don't know they own quite a bit of this technology), which ones they already have in place (from Microsoft or partner/3rd party), and which ones are new and could fill a need.
       • Learn about Microsoft capabilities - In presentation mode, each capability has a "ScreenTip" with a short description of each capability + a link to documentation on that capability to learn more.
       • Learn about Microsoft's integration investments - The architecture includes visuals of key integration points with partner capabilities (e.g. SIEM/Log integration, Security Appliances in Azure, DLP integration, and more) and within our own product capabilities (e.g. Advanced Threat Protection, Conditional Access, and more).
       • Learn about Cybersecurity - We have also heard reports of folks new to cybersecurity using this as a learning tool as they prepare for their first career or a career change.
     As you can see, Microsoft has been investing heavily in security for many years to secure our products and services as well as provide the capabilities our customers need to secure their assets. In many ways, this diagram reflects Microsoft's massive ongoing investment into cyber security research and development, currently over $1 billion annually (not including acquisitions).
     What has changed and why
     We made quite a few changes in v2 and wanted to share a few highlights on what's changed as well as the underlying philosophy of how this document was built.
       • New visual style - The most obvious change for those familiar with the first version is the simplified visual style. While some may miss the "visual assault on the senses" effect from the bold colors in v1, we think this format works better for most people.
       • Interactivity instructions - Many people did not notice that each capability on the architecture has a quick description and link to more information, so we added instructions to call that out (and updated the descriptions themselves).
       • Complementary Content - Microsoft has invested in creating cybersecurity reference strategies (success criteria, recommended approaches, how our technology maps to them) as well as prescriptive guidance for addressing top customer challenges like Petya/WannaCrypt, Securing Privileged Access, and Securing Office 365. This content is now easier to find with links at the top of the document.
       • Added Section headers for each grouping of technology areas to make it easier to navigate, understand, and discuss as a focus area.
       • Added Foundational Elements - We added descriptions of some core foundational capabilities that are deeply integrated into how we secure our cloud services and build our cybersecurity capabilities that have been added to the bottom. These include:
         - Trust Center - This is where we describe how we secure our cloud and includes links to various compliance documents such as 3rd party auditor reports.
         - Compliance Manager is a powerful (new) capability to help you report on your compliance status for Azure, Office 365, and Dynamics 365 for General Data Protection Regulation (GDPR), NIST 800-53 and 800-171, ISO 27001 and 27018, and others.
         - Intelligent Security Graph is Microsoft's threat intelligence system that we use to protect our cloud, our IT environment, and our customers. The graph is composed of trillions of signals, advanced analytics, and teams of experts hunting for malicious activities and is integrated into our threat detection and response capabilities.
         - Security Development Lifecycle (SDL) is foundational to how we develop software at Microsoft and has been published to help you secure your applications. Because of our early and deep commitment to secure development, we were able to quickly conform to ISO 27034 after it was released.
       • Moved Devices/Clients together - As device form factors and operating systems continue to expand and evolve, we are seeing security organizations view devices through the lens of trustworthiness/integrity vs. any other attribute. We also re-organized the Windows 10 and Windows Defender ATP capabilities around outcomes vs. feature names for clarity. We also reorganized windows security icons and text to reflect that Windows Defender ATP describes all the platform capabilities working together to prevent, detect, and (automatically) respond to and recover from attacks. We also added icons to show the cross-platform support for Endpoint Detection and Response (EDR) capabilities that now extend across Windows 10, Windows 7/8.1, Windows Server, Mac OS, Linux, iOS, and Android platforms. We also faded the intranet border around these devices because of the ongoing success of phishing, watering hole, and other techniques that have weakened the network boundary.
       • Updated SOC section - We moved several capabilities from their previous locations around the architecture into the Security Operations Center (SOC) as this is where they are primarily used. This move enabled us to show a clearer vision of a modern SOC that can monitor and protect the hybrid of everything estate. We also added the Graph Security API (in public preview) as this API is designed to help you integrate existing SOC components and Microsoft capabilities.
       • Simplified server/datacenter view - We simplified the datacenter section to recover the space being taken up by duplicate server icons. We retained the visual of extranets and intranets spanning on-premises datacenters and multiple cloud provider(s). Organizations see Infrastructure as a Service (IaaS) cloud providers as another datacenter for the intranet generation of applications, though they find Azure is much easier to manage and secure than physical datacenters. We also added Azure Stack capability that allows customers to securely operate Azure services in their datacenter.
       • New IoT/OT section - IoT is on the rise in many enterprises due to digital transformation initiatives. While the attacks and defenses for this area are still evolving quickly, Microsoft continues to invest deeply to provide security for existing and new deployments of Internet of Things (IoT) and Operational Technology (OT). Microsoft has announced $5 billion of investment over the next four years for IoT and has also recently announced an end to end certification for a secure IoT platform from MCU to the cloud called Azure Sphere.
       • Updated Azure Security Center - Azure Security Center grew to protect Windows and Linux operating systems across Azure, on-premises datacenters, and other IaaS providers. Security Center has also added powerful new features like Just in Time access to VMs and applied machine learning to creating application whitelisting rules and North-South Network Security Group (NSG) network rules.
       • Added Azure capabilities including Azure Policy, Confidential Computing, and the new DDoS protection options.
       • Added Azure AD B2B and B2C - Many Security departments have found these capabilities useful in reducing risk by moving partner and customer accounts out of enterprise identity systems to leverage existing enterprise and consumer identity providers.
       • Added information protection capabilities for Office 365 as well as SQL Information Protection (preview).
       • Updated integration points - Microsoft invests heavily to integrate our capabilities together as well as to ensure you can use our technology with your existing security capabilities. This is a quick summary of some key integration points depicted in the reference architecture:
         - Conditional Access connecting info protection and threat protection with identity to ensure that authentications are coming from a secure/compliant device before accessing sensitive data.
         - Advanced Threat Protection integration across our SOC capabilities to streamline detection and response processes across Devices, Office 365, Azure, SaaS applications, and on Premises Active Directory.
         - Azure Information Protection discovering and protecting data on SaaS applications via Cloud App Security.
         - Data Loss Protection (DLP) integration with Cloud App Security to leverage existing DLP engines and with Azure Information Protection to consume labels on sensitive data.
         - Alert and Log Integration across Microsoft capabilities to help integrate with existing Security Information and Event Management (SIEM) solution investments.
     Feedback
     We are always trying to improve everything we do at Microsoft and we need your feedback to do it! You can contact the primary author (Mark Simos) directly on LinkedIn (https://aka.ms/markslist) with any feedback on how to improve it or how you use it, how it helps you, or any other thoughts you have.
  11. When talking about security in the public cloud, people often ask “what are the main differences between security on-premises and security in the public cloud?” Two BIG Differences – Shift in Shared Responsibilities and Isolation CHANGE.
     Shared responsibility in public cloud is related to the fact that you have a partner when you host resources on a public cloud service provider’s infrastructure. Who is responsible for what (in terms of security) depends on the cloud service model you use (IaaS/PaaS/SaaS). With IaaS, the cloud service provider is responsible for the core infrastructure security, which includes storage, networking and compute (at least at the fabric level – the physical level). As you move from IaaS, to PaaS and then to SaaS, you’ll find that you’re responsible for less and the cloud service provider is responsible for more. https://blogs.msdn.microsoft.com/azuresecurity/2016/04/18/what-does-shared-responsibility-in-the-cloud-mean/
     Ignite presentation from Oct 2017 - Secure Office 365 like a cybersecurity pro: Top priorities https://www.youtube.com/watch?v=luignzNyR-o
  12. What does Microsoft do for us now (in an operational sense)? https://www.youtube.com/watch?v=luignzNyR-o
  13. What do you depend on Microsoft for in an “Attack Scenario”? What does MS protect you from (that you used to deal with on your own)? https://www.youtube.com/watch?v=luignzNyR-o
     Highlight the difference! On-prem – if you have even ONE unpatched and therefore vulnerable system on premise it may be found and exploited! Microsoft takes this on in this Brave New World and you are now completely counting on them to do this FOR you (behind the scenes).
     WannaCry/Petya/NotPetya – Org gets compromised but NOT the Microsoft cloud setup! (Could be issues with ADFS/Hybrid Authentication!)
  14. SaaS – THERE IS NO FIREWALL NOW – where there was one before!
     User Services and Interfaces – Need to be exposed to be accessed at all!
     Admin Interfaces – Used to be VERY controlled – “Inside the perimeter” – ANY host can access this in the SaaS cloud model – BIG Change!!
     AUTHENTICATION IS ABSOLUTELY CRITICAL. Strong authentication is VERY important and MFA (strong MFA) is essential as a baseline! MFA Increases Attacker Cost a whole lot!!! Makes you a harder target.
     UEBA and Common Sense Rules can also increase attacker cost and make the attacker more clearly “anomalous” – See conditional access rules later as part of AAD.
     See SecureScore later – but correct config is another essential thing!
  15. We experienced password compromise issues BIG TIME – End user password (NGC email and password) was used for a compromised service – then used in a probe, then an attack on one user’s account. Four other accounts were then harvested by phishing (Docusign / attachment malware).
     We have disabled EWS / Outlook Web Access and we now REQUIRE everyone to use the “Outlook” client on their mobile devices – with proper Intune registration for the devices – This keeps us SECURE but it does limit options!
     Link to the attacks stuff - https://channel9.msdn.com/Events/Ignite/Microsoft-Ignite-Orlando-2017/BRK2150
     Next IGNITE (coming up):
       BRK4022 - Troubleshooting OpenID Connect and OAuth2.0 protocols on Azure Active Directory
       BRK3234 - An IT pros guide to Open ID Connect, OAuth 2.0 with the V1 and V2 Azure Active Directory endpoints
       BRK4027 - Azure Active Directory security insights with Conditional Access, Identity Protection, and reporting
       THR3036 - Azure Active Directory hybrid identity and banned password detection
  16. Big time change for admins and support!!
  17. 450 billion authentications in a month now – this delays the arrival of items to the LOGS All UEBA can be driven from the Logs
  18. Microsoft 365 - https://www.zdnet.com/article/what-is-microsoft-365-microsofts-most-important-subscription-bundle-explained/
     Microsoft 365 is an integrated bundle of Windows 10, Office 365 and Enterprise Mobility + Security (aka EMS, which includes Intune device management, analytics and some Azure Active Directory capabilities), sold on a subscription basis. Corporate Vice President Brad Anderson now has overall responsibility for Microsoft 365, all-up.
     Can customers still buy the piece-parts of Microsoft 365 as standalone products? And for how long? Microsoft is continuing to sell Windows 10 E3/E5, Windows 10 Pro, Office 365 and EMS separately and has not said it has plans to only offer these components as part of a bundle.
     What is "Windows 10 Business"? Windows 10 Business is a custom variant of Windows 10 that is only available as part of the Microsoft 365 Business plan. It includes everything in Win 10 Pro plus Windows Defender Security Controls, Windows AutoPilot, as well as hooks for Automatic Office apps deployment.
     What is a "Microsoft 365-powered device"? Shortly after announcing Microsoft 365, Microsoft officials began talking about Microsoft 365-powered devices. This was a new marketing term, and not actually a way that customers or organizations could buy or license a piece of hardware. It was simply meant to encourage customers to run one of the Microsoft 365 bundles on a Windows 10 machine.
  19. https://www.microsoft.com/en-us/cloud-platform/enterprise-mobility-security
     Setting up Single Sign On experiences that leverage SAML apps and your AD / Azure-AD: https://docs.microsoft.com/en-us/azure/active-directory/user-help/active-directory-saas-access-panel-introduction
     Interactive Infographics about various facets of Access and IAM – https://discover.office.com/simplify-application-access
     Crash course in Azure AD – online access: https://discover.office.com/crash-course-azure-active-directory
     Youtube video channel – Microsoft Mechanics on EMS topics: https://www.youtube.com/playlist?list=PLXtHYVsvn_b-0X3R9QCJ4T-Y27DK376NR
  20. Key Point – Set of interlocking puzzle pieces you need to license and configure properly!
     Core – Protect your business data!
       • O365 Advanced Data Governance (DLP if you need it – we do not presently have that setup) https://www.slideshare.net/appie1701/advanced-data-governance-in-office-365-82267851/8
       • Only allow your data to rest on registered DEVICES – in a protected way, via encryption
       • Windows 10 PC – Enterprise licenses for data protection and device configuration / security
       • Intune for Mobile Devices (iPhone, etc) to provide similar effective device registration, application, configuration controls
       • Microsoft Azure and Office 365 settings in servers and services to protect data – Add on Cloud App Security to further protect data and manage solutions (Whole Sidebar presentation at the end from the RecordPoint and Joanne Klein items)
     Enterprise Windows 10 Licenses
       • Registered Devices (AD joined) with Group Policy applied
       • Bitlocker Encryption, USB Storage Blocked on Devices
       • AppLocker with BeyondTrust extensions – no Admins!
       • Certificates tied to devices / user login
       • “Always On” VPN / Direct Access to NGC resources
       • Windows Defender / ATP and 3rd Party endpoint defenses
     Enterprise Mobility & Security (EMS)
       • We only permit O-365 Access From Registered Devices
       • “Secure bubble” around our data on devices
       • ‘Conditional Access Rules’ for MultiFactor Authentication
       • Azure Active Directory extends AD into Microsoft Cloud
  21. Microsoft Retention Policy and Labels – the same references and text as note 8 above (retention policies: https://support.office.com/en-us/article/overview-of-retention-policies-5e377752-700d-4870-9b6d-12bfc12d2423; labels: https://support.office.com/en-us/article/overview-of-labels-af398293-c69d-465e-a249-d74561552d30).
     Demo of AIP – Azure Information Protection – https://www.youtube.com/watch?v=6hneqjL4qjI&index=6&list=PLXtHYVsvn_b-0X3R9QCJ4T-Y27DK376NR&t=26s
  22. Microsoft introduction to Intune https://docs.microsoft.com/en-us/intune/introduction-intune
  23. Azure AD Conditional Access https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-azure-portal
24. Overview https://docs.microsoft.com/en-us/cloud-app-security/what-is-cloud-app-security
• Manage the permissions you allow for apps https://docs.microsoft.com/en-us/cloud-app-security/manage-app-permissions
• Compare O365 and Azure AD P1 versions https://docs.microsoft.com/en-us/cloud-app-security/editions-cloud-app-security-o365
Note that these items – Windows AD, Intune and App Security – all have feeds connected to “Secure Score”, mentioned later!!
25. Office 365 E5
• Many more extensive capabilities than E3 – manage content, analyze O-365 usage
• eDiscovery tools for searches, supervision, legal holds
• PowerBI tools and delivered analysis packages
• Insights into user behavior, content / management
• More tools beyond content management too
Link to Secure Score – https://docs.microsoft.com/en-us/office365/securitycompliance/office-365-secure-score
Anyone who has admin permissions (global admin or a custom admin role) for an Office 365 Business Premium or Enterprise subscription can access the Secure Score at https://securescore.office.com. Users who aren't assigned an admin role won't be able to access Secure Score. However, admins can use the tool to share their results with other people in their organization.
NOTE – this is being transitioned to your “Microsoft Secure Score” – https://techcommunity.microsoft.com/t5/Security-Privacy-and-Compliance/Office-365-Secure-Score-is-now-Microsoft-Secure-Score/ba-p/182358 Great mechanics demo at this link!
Threat Intelligence licensing provides for attack simulation and testing scenarios.
26. NOTE: E-Discovery roles are very powerful and attackers are using them against folks! They have great visibility across your tenant – so with great power comes great responsibility! Send As activity is recorded in a log – MCAS or another SIEM can detect it and help alert / respond!!
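The audit-log angle from the slide above, as an added PowerShell example (not from the deck): it pulls a week of unified audit log records for role-group membership changes and Send As events, then surfaces anything outside a known allow-list. It assumes the ExchangeOnlineManagement module and unified audit logging turned on; the account names, allow-list and audit operation names are assumptions to confirm against your own tenant's records.

```powershell
# Added example, not from the deck. Assumes the ExchangeOnlineManagement
# module and that unified audit logging is enabled in the tenant.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName "secops@example.com"  # placeholder

$since = (Get-Date).AddDays(-7)
$now   = Get-Date

# Watch-list: operations that grant or exercise the powerful roles slide 26
# warns about. "Add-RoleGroupMember" is the Security & Compliance role-group
# change, "Add member to role." the Azure AD one, "SendAs" the mailbox event.
# These names are assumptions; confirm them in your own audit records.
$watched = @("Add-RoleGroupMember", "Add member to role.", "SendAs")

$records = Search-UnifiedAuditLog -StartDate $since -EndDate $now `
    -Operations $watched -ResultSize 5000

$findings = foreach ($r in $records) {
    $d = $r.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        When      = $r.CreationDate
        Operation = $r.Operations
        Actor     = $r.UserIds
        # ObjectId is the target user/group for role changes and the mailbox
        # sent from for SendAs (assumption, verify against your records).
        Target    = $d.ObjectId
        ClientIP  = if ($d.ClientIP) { $d.ClientIP } else { $d.ClientIPAddress }
    }
}

# Any new member of an eDiscovery-capable role group is worth a ticket.
# SendAs is noisy, so only surface it outside a known allow-list.
$allowSendAs = @("shared-mailbox@example.com")  # constructed placeholder

$findings |
    Where-Object { $_.Operation -ne "SendAs" -or $_.Target -notin $allowSendAs } |
    Sort-Object When |
    Format-Table When, Operation, Actor, Target, ClientIP -AutoSize
```

The same filter can be exported with Export-Csv and shipped to MCAS or the SIEM as a scheduled feed rather than read interactively.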
27. Recommendations for adopting Office 365 tools to replace your existing systems and services
• New license – Threat Intelligence and ‘attack simulator’ – good way to perform a REAL assessment!
• Replace your shared-folder based file servers – http://www.interlink.com/blog/entry/i-hate-file-servers-eliminate-your-file-server-with-office-365-file-sharing-tools (Which tool to use?)
28. https://www.slideshare.net/appie1701/advanced-data-governance-in-office-365-82267851/8
Joanne Klein approach and definitions https://joannecklein.com/2018/06/24/a-modern-retention-approach-for-office-365-workloads/
29. Using Advanced Data Governance Labels https://www.recordpoint.com/advanced-data-governance-labels/
• Link to Label Settings GIF https://www.recordpoint.com/site/2018/06/Label-Retention.gif
• Link to Publish a Label GIF https://www.recordpoint.com/site/2018/06/Office-365-Label-Policy-Location.gif
• Link to some limitations of Labels ‘Out of the Box’ – https://www.recordpoint.com/data-governance-labels/
• Joanne Klein approach and definitions https://joannecklein.com/2018/06/24/a-modern-retention-approach-for-office-365-workloads/
NOTES
The options for retention applied using a label are a bit different from the settings when you create a retention policy without using a label. Here are your options:
• You can decide either to retain the content for a specific period or to delete content if it is older than a certain amount of time. You can also choose to retain content forever.
• You can specify time periods in days, months, or years.
• You can retain or delete the content based on the following date fields: when it was created, when it was last modified, when it was labeled, or based on an event. You cannot use other date fields, such as those created in a SharePoint column.
• The label can be designated as a “record,” which means that users cannot modify or delete the content, or change or remove the label. However, they can still edit the content’s metadata.
• Once the content has reached the end of its retention period, the content can be deleted automatically, trigger a disposition review, or nothing can happen.
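The label options in the notes above and the manual / auto-apply split from slide 21, as one added PowerShell example (not from the deck, RecordPoint or Joanne Klein): it creates a record label that keeps content seven years from last modification and then triggers a disposition review, publishes it for manual use, and adds a keyword auto-apply rule (the auto-apply part needs E5, as slide 21 notes). It assumes the ExchangeOnlineManagement module; the label, policy, reviewer and query values are constructed placeholders.

```powershell
# Added example, not from the deck. Assumes the ExchangeOnlineManagement
# module and an account holding a compliance admin role. Every name and
# query below is a constructed placeholder.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName "compliance-admin@example.com"

# 1. The label: keep 7 years (2555 days) from last modification, then route
#    to a disposition review rather than deleting silently. IsRecordLabel
#    makes content immutable and the label non-removable, as slide 29 says.
$labelName = "Finance Record 7y"
New-ComplianceTag -Name $labelName `
    -Comment "Constructed example: finance records, 7 year retention" `
    -RetentionAction KeepAndDelete `
    -RetentionDuration 2555 `
    -RetentionType ModificationAgeInDays `
    -ReviewerEmail "records-manager@example.com" `
    -IsRecordLabel $true

# 2. Publish the label so users can apply it manually (E3 is enough here).
New-RetentionCompliancePolicy -Name "Publish $labelName" `
    -SharePointLocation All -OneDriveLocation All -ExchangeLocation All
New-RetentionComplianceRule -Name "Publish $labelName rule" `
    -Policy "Publish $labelName" `
    -PublishComplianceTag $labelName

# 3. Auto-apply the same label when content matches a keyword query.
#    Requires E5 (slide 21); the KQL query is a constructed placeholder.
New-RetentionCompliancePolicy -Name "Auto-apply $labelName" `
    -SharePointLocation All -OneDriveLocation All
New-RetentionComplianceRule -Name "Auto-apply $labelName rule" `
    -Policy "Auto-apply $labelName" `
    -ApplyComplianceTag $labelName `
    -ContentMatchQuery '"purchase order" OR "invoice"'

# 4. Read the label back before anyone applies it: a record label locks
#    content, so the settings are worth checking while they are still cheap
#    to change.
Get-ComplianceTag -Identity $labelName |
    Select-Object Name, RetentionAction, RetentionDuration, RetentionType, IsRecordLabel
```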
30. Office 365 Retention Policy Details https://www.recordpoint.com/office-365-retention-policy/
• Link to GIF (also in the “Settings Per Policy” part of the slide) https://www.recordpoint.com/site/2018/07/Retention-Policy-Options.gif
• Limits on the number of retention policies that you can define!