Microsoft Security - New Capabilities In Microsoft 365 E5 Plans
Enterprise Mobility+Security Overview
1. Go mobile.
Stay in control.
Chris Genazzio
Director of Business Development
Enterprise Mobility + Security
2. Mobile-first, cloud-first reality
Data breaches
63% of confirmed data breaches
involve weak, default, or stolen
passwords.
63% 0.6%
IT Budget growth
Gartner predicts global IT spend
will grow only 0.6% in 2016.
Shadow IT
More than 80 percent of employees
admit to using non-approved
software as a service (SaaS)
applications in their jobs.
80%
3. Is it possible to keep up?
Employees
Business partners
Customers
Is it possible to stay secure?
Apps
Devices
Data
Users
Data leaks
Lost device
Compromised identity
Stolen credentials
4. Is it possible to keep up?
Employees Business partners Customers
The Microsoft vision
Secure and protect against new threats
Maximum productivity experience
Comprehensive and integrated
Apps
Devices
Data
Users
5. User freedomSecure against new threats Do more with less
Customers need
Identity – driven security Productivity without
compromise
Comprehensive
solutions
Microsoft solution
ENTERPRISE MOBILITY + SECURITY
Identity-driven
security
Comprehensive
solution
Managed mobile
productivity
8. Identity is the foundation for enterprise mobility
IDENTITY – DRIVEN SECURITY
Single sign-onSelf-service
Simple connection
On-premises
Other
directories
Windows Server
Active Directory
SaaS
Azure
Public
cloud
CloudMicrosoft Azure Active Directory
9. 1000s of apps,
1 identity
Provide one persona to the
workforce for SSO to 1000s of
cloud and on-premises apps with
multifactor authentication.
Manage access
at scale
Manage identities and
access at scale in the cloud
and on-premises
Enable business
without borders
Stay productive with universal
access to every app and
collaboration capability and self
service capabilities to save money
Identity at the core of your business
IDENTITY – DRIVEN SECURITY
10. Shadow
IT
Data breach
IDENTITY – DRIVEN SECURITY
Employees
Partners
Customers
Cloud apps
Identity Devices Apps & Data
Transition to
cloud & mobility
New attack
landscape
Current defenses
not sufficient
Identity breach On-premises apps
SaaS
Azure
11. IntelligentInnovativeHolistic Identity-driven
Addresses security
challenges across users
(identities), devices, data,
apps, and
platforms―on-premises
and in the cloud
Offers one protected
common identity for
secure access to all
corporate resources, on-
premises and in the
cloud, with risk-based
conditional access
Protects your data from
new and changing
cybersecurity attacks
Enhances threat and
anomaly detection with
the Microsoft Intelligent
Security Graph driven by
a vast amount of
datasets and machine
learning in the cloud.
IDENTITY – DRIVEN SECURITY
12. IDENTITY – DRIVEN SECURITY
1. Protect at the front door
Safeguard your resources at the front door with innovative
and advanced risk-based conditional accesses
2. Protect your data against user mistakes
Gain deep visibility into user, device, and data activity on-
premises and in the cloud.
3. Detect attacks before they cause damage
Uncover suspicious activity and pinpoint threats with deep
visibility and ongoing behavioral analytics.
14. IDENTITY – DRIVEN SECURITY
Azure Information Protection
Classify & Label
Protect
How do I control data
on-premises and in
the cloud
Monitor and Respond
Microsoft Intune
How do I prevent data
leakage from my
mobile apps?
LOB app protection
DLP for Office 365 mobile apps
Optional device management
Cloud App Security
Risk scoring
Shadow IT Discovery
Policies for data control
How do I gain visibility
and control of my
cloud apps?
15. IDENTITY – DRIVEN SECURITY
Microsoft Advanced Threat Analytics (ATA)
Behavioral Analytics
Detection of known malicious attacks
Detection of known security issues
On-premises detection
Cloud App Security
Behavioral analytics
Detection in the cloud
Anomaly detection
Azure Active Directory Premium
Security reporting and monitoring (access & usage)
16. Enterprise Mobility +Security
IDENTITY - DRIVEN SECURITY
Microsoft
Intune
Azure Information
Protection
Protect your users,
devices, and apps
Detect threats early
with visibility and
threat analytics
Protect your data,
everywhere
Extend enterprise-grade security
to your cloud and SaaS apps
Manage identity with hybrid
integration to protect application
access from identity attacks
Microsoft
Advanced Threat Analytics
Microsoft Cloud App Security
Azure Active Directory
Premium
24. MANAGED MOBILE PRODUCTIVITY
STRICTLY CONFIDENTIAL
CONFIDENTIAL
INTERNAL
NOT RESTRICTED
IT admin sets policies,
templates, and rules
FINANCE
CONFIDENTIAL
Add persistent labels defining sensitivity to filesClassify data according to policies – automatically or by user
25. Manage your account, apps and
groups
Company branded, personalized
application Access Panel:
http://myapps.microsoft.com
+ iOS and Android Mobile Apps
MANAGED MOBILE PRODUCTIVITY
Self-service password reset
Application access requests
Integrated Office 365 app launching
30. COMPREHENSIVE SOLUTION
Employees Business partners Customers
Secure and protect against new threats
Maximum productivity experience
Comprehensive and integrated
Apps DevicesDataUsers
31. Always
up to date
• Real-time updates
• Keep up with new
apps and devices
Works with
what you have
• Support multiple platforms
• Use existing investments
Simple to set
up and connect
• Easy, secure connections
• Simplified management
COMPREHENSIVE SOLUTION
32. Simple set up with FastTrack
FastTrack will:
Retain control of sensitive documents locally and
over email
Automatically protect mail containing privileged
information
Ensure files stored in SharePoint are rights
protected
Envision
Azure Rights Management
FastTrack will:
Setup and deploy mobile app management
policies to help prevent Office 365 data leakage
Setup and deploy device security policies like pin
or device encryption
Integrate on-premises System Center
Configuration Manager with Intune
Enable conditional access and compliance
policies to control access to data
FastTrack will:
Get organizational identities to the cloud
Set up single sign-on for test apps (including
Azure Active Directory Application Proxy apps)
Configure self-service options like password
reset and Azure Multi-Factor Authentication in
the MyApps site
Azure Active Directory
Premium
Microsoft Intune
Onboard Drive Value
FastTrack is included with EMS to accelerate your deployments
COMPREHENSIVE SOLUTION
34. ENTERPRISE MOBILITY + SECURITY
Holistic, intelligent,
innovative security to keep
up with new threats.
Identity-driven
security
Secure your enterprise fast –
while keeping what you have
and saving money.
Comprehensive
solution
Encourage secure work habits
by providing the best apps
with built-in security.
Managed mobile
productivity
35. Information
protection
Identity-driven
security
Managed mobile
productivity
Identity and access
management
Azure Information
Protection Premium P2
Intelligent classification and
encryption for files shared
inside and outside your
organization
(includes all capabilities in P1)
Azure Information
Protection Premium P1
Encryption for all files and
storage locations
Cloud-based file tracking
Microsoft Cloud
App Security
Enterprise-grade visibility,
control, and protection for
your cloud applications
Microsoft Advanced
Threat Analytics
Protection from advanced
targeted attacks leveraging
user and entity behavioral
analytics
Microsoft Intune
Mobile device and app
management to protect
corporate apps and data on
any device
Azure Active Directory
Premium P2
Identity and access
management with advanced
protection for users and
privileged identities
(includes all capabilities in P1)
Azure Active Directory
Premium P1
Secure single sign-on to
cloud and on-premises apps
MFA, conditional access, and
advanced security reporting
EMS
E3
EMS
E5
38. Enterprise
Mobility
+ Security
Basic identity mgmt.
via Azure AD for O365:
• Single sign-on for O365
• Basic multi-factor
authentication (MFA) for O365
Basic mobile device
management
via MDM for O365
• Device settings management
• Selective wipe
• Built into O365 management
console
RMS protection
via RMS for O365
• Protection for content stored in
Office (on-premises or O365)
• Access to RMS SDK
• Bring your own key
Azure AD for O365+
• Advanced security reports
• Single sign-on for all apps
• Advanced MFA
• Self-service group management
& password reset & write back
to on-premises,
• Dynamic Groups, Group based
licensing assignment
MDM for O365+
• PC management
• Mobile app management
(prevent cut/copy/paste/save as
from corporate apps to
personal apps)
• Secure content viewers
• Certificate provisioning
• System Center integration
RMS for O365+
• Automated intelligent
classification and labeling of
data
• Tracking and notifications for
shared documents
• Protection for on-premises
Windows Server file shares
Advanced Security
Management
• Insights into suspicious activity in
Office 365
Cloud App Security
• Visibility and control for all cloud
apps
Advanced Threat Analytics
• Identify advanced threats in on
premises identities
Azure AD Premium P2
• Risk based conditional access
Information
protection
Identity-driven
security
Managed mobile
productivity
Identity and access
management
39. Windows
10
Enterprise
Mobility
+Security
• Single sign-on for business
cloud apps
• Device setup and registration
for Windows devices
• Windows Store for Business
• Traditional domain join
manageability
• Manageability via MDM and
MAM
• Encryption for data at rest and
generated on device
• Encryption for data included in
roaming settings
• Conditional access policies for
secure single sign-on
• MDM auto-enrollment
• Self-Service Bitlocker recovery
• Password reset with write back
to on-premises
• Cloud-based advanced security
reports and monitoring
• Enterprise State-Roaming
• Mobile device management
• Mobile app management
• Secure content viewer
• Certificate, Wi-Fi, VPN, email
profile provisioning
• Agent-based management of
Windows devices (domain-
joined via ConfigMgr and
internet-based via Intune)
• Automated intelligent
classification and labeling of
data
• Tracking and notifications for
shared documents
• Protection for content stored in
Office and Office 365 &
Windows Server on premises
Windows Defender Advanced
Threat Protection
• Identify advanced threats focused
on Windows 10 behavioral sensors
Cloud App Security
• Visibility and control for all cloud
apps
Advanced Threat Analytics
• Behavioral analytics for advanced
threat detection
Azure AD Premium
• Risk based conditional access
Information
protection
Identity-driven
security
Managed mobile
productivity
Identity and access
management
Editor's Notes
63% of confirmed data breaches involve weak, default, or stolen passwords (Verizon 2016 Data Breach Report)
70% of the 10 most commonly used devices have serious vulnerabilities (HP 2014)
More than 80% of employees admit using non-approved SaaS apps for work purposes (Stratecast, December 2013)
33% of user breaches come from user error (VansonBourne February 2014)
88% organizations who are no longer confident in their ability to detect and prevent threats to their sensitive files and emails
0.6% http://www.gartner.com/newsroom/id/3186517
IT cannot afford to live in the past. Successful businesses of today (and tomorrow) realize the power of mobility to support employee productivity and collaboration. You need to prepare to mitigate the risks of providing freedom and space to your employees. You need to meet compliance and regulatory standards, maintain company security policies and requirements, and detect threats — all the while giving workers a better and more productive experience, so that they’re motivated to follow protocol. You need an enterprise mobility partner that can help you achieve all of this, so that everyone is a winner, and your business stays out of the headlines.
Microsoft’s vision includes management and protection across four key layers: users, device, app, and data – for both your employees, business partners, and customers.
Our strategy is to ensure management across these layers while ensuring your employees, business partners, and customers by providing access to everything they need from everything; protecting corporate data across email and collaboration apps all while integrating these new capabilities with what customers already have like Active Directory and System Center.
Mobility tools are often point solutions that address specific security needs, but even multiple point solutions are still disconnected from one another, leaving cracks. Microsoft believes you should have an integrated mobility solution that provides security across multiple layers. You should have a comprehensive set of tolls that use identity as a control plane, provide the visibility and insights required to quickly pinpoint and resolve issues or threats, and simplify mobile device and application management.
Identity-driven security. Microsoft simplifies identity management by creating a single set of credentials for each worker, making it easier for IT to apply identity-based security measures, including conditional access policies and multi-factor authentication. Identity based security reporting, auditing, and alerting offer greater visibility so you can spot potential issues. 200+ days. That’s the average amount of time that attackers reside within your network until they are detected, gathering classified data and information, waiting to strike at just the right moment. Microsoft helps you identify breaches and threats using behavioral analysis and provides a clear, actionable report on a simple attack timeline.
Managed mobile productivity. Encourage your workers to use secure applications for work — even on personal devices — by providing the Office tools they know and love. Management capabilities built into Office make it easier for IT to protect company information. Conditional access policies restrict actions such as copy, paste, edit, and save —ensuring that workers only access corporate files through approved, managed apps and not personal workarounds where information can be corrupted or leaked. Nobody manages Office better than Microsoft. Sharing is a mainstay of collaboration for the mobile workforce, but poses a serious challenge to security. Microsoft gives you another integrated approach to information protection with a layer of security at the file level. Encryption, rights management, and authorization policies can be applied to any file type and remain with the data, wherever it goes and even in motion. Only authorized users can access protected files, and only on the sender’s terms.
Comprehensive Solution: Meet new business challenges with the flexibility of a cloud-first mobility solution. Microsoft cloud services are designed to work seamlessly with your on-premises infrastructure and existing investments. Stay ahead of your BYOD workers with rapid release cycles to support the latest devices and apps. Scale quickly to onboard new hires, devices, apps, and more. It’s fast, it’s cost-effective, and it’s always up-to-date. Manage across multiple OS types (iOS, Android, Windows) and thousands of cloud apps.
Identity-driven security. Identity is the new control plane for security and management in the mobile-first, cloud-first world. Microsoft simplifies identity management by creating a single set of credentials for each worker, making it easier for IT to apply identity-based security measures, including conditional access policies and multi-factor authentication. Identity based security reporting, auditing, and alerting offer greater visibility so you can spot potential issues.
63% of confirmed data breaches involve weak, default, or stolen passwords (Verizon 2016 Data Breach Report)
200+ days. That’s the average amount of time that attackers reside within your network until they are detected, gathering classified data and information, waiting to strike at just the right moment. Microsoft helps you identify breaches and threats using behavioral analysis and provides a clear, actionable report on a simple attack timeline.
Microsoft has a solution for this
[Click] Traditional identity and access management solutions providing sing-sign on to on-premises applications and directory services such as Active Directory and others are used from the vast majority of organizations and huge investments were made to deploy and maintain them. These solutions are perfect for the on-premises world.
[Click] Now, as we have discussed, there are new pressing requirements to provide the same experience to cloud applications hosted in any public cloud.
[Click] Azure Active Directory can be the solution to this new challenge by extending the reach of on-premises identities to the cloud in a secure and efficient way.
[Click] In order to do that, one simple connection is needed from on-premises directories to Azure AD.
[Click] and everything else will be handled by Azure AD. Secure single sign-on to thousands of SaaS applications hosted in any cloud by using the same credentials that exist on-premises
[Click] And we don’t forget the users. Azure AD provides Self-service capabilities and easy access to all the application, consumer or business, they need.
in the cloud but on-premises too (Application Proxy)
Safeguard your resources at the front door. Our solution calculates risk severity for every user and sign-in attempt, so risk-based conditional access rules can be applied to protect against suspicious logins.
Protect your data against users mistakes: Gain deeper visibility into user, device, and data activity on-premises and in the cloud to create more effective, granular-level policies. Classify and label files at creation, track their usage, and change permissions when necessary.
Detect attacks before they cause damage: Identify attackers in your organization using innovative behavioral analytics and anomaly detection technologies – all driven by vast amounts of Microsoft threat intelligence and security research data.
Microsoft’s enterprise & security solutions provide a holistic framework to protect your corporate assets across, on prem, cloud and mobile devices
Advanced Threat Analytics helps IT detect threats early and provide forensic investigation to keep cybercriminals out
Azure Active Directory Premium security reports help identify risky log ins. That paired with Azure Active Directory Identity Protection gives IT the ability to automatically block access to apps based on real time risk scoring of identities and log ins.
Microsoft Cloud App Security provides deep visibility and control of data inside cloud applications
Microsoft Intune manages and secures corporate data on mobile devices and collaborated within corporate apps.
Azure Information Protection helps keep data secure and encrypted throughout a customers environment and extends security when data is shared outside the organization.
Enterprise Mobility Suite (EMS) helps to provide employees with secure and seamless access to corporate email and documents as well as familiar email and productivity experiences with Office mobile apps such, as Outlook, Word, Excel, and PowerPoint. EMS helps protect corporate data on the device itself and beyond with four layers of protection—all without affecting the personal data on the device. IT can even manage these apps without requiring the device to be enrolled for management.
Unsecured apps pose a serious risk for IT. EMS can ensure that you provide your end users great apps that are secure and manageable.
More than 80% of employees admit to using non-approved software as a service (SaaS) applications in their jobs.
http://www.computing.co.uk/ctg/news/2321750/more-than-80-per-cent-of-employees-use-non-approved-saas-apps-report
Protect your Office Mobile apps without compromising your Office experience: EMS is the only solution built with and for Microsoft Office. This means that email and other Office files can be secured without compromising the Office experience – the gold standard of productivity.
Enable easy access to resources: Sign in once for secure access to all corporate resources, on-premises and in the cloud, from any device. This includes pre-integrated support for Salesforce, Concur, Workday, and thousands more popular SaaS apps.
Enable users to protect and control data: Employees can encrypt virtually any type of file, set granular permissions, and track usage. With Office files, encryption can be applied with just one click. The encryption stays with the file where it goes, enabling more secure file sharing, internally and externally.
Empower users with self-service capabilities: Users can update passwords and join and manage groups via a single portal to help save your IT helpdesk time and money. This applies across all iOS, Android, and Windows devices in your mobile ecosystem.
If we take a closer look at our user’s newly enrolled device which is now compliant and ready to go, we can see that she is still able to maintain a personal experience on her device. She has organized her applications the way she wants, with all of her apps available on one screen.
She has her managed corporate apps—the Office mobile apps she knows and loves and personal apps that she uses outside of work and may even consider using these personal apps to try to boost her productivity at work. Even though our user has all of her apps at hand on her personal device, IT is able to enjoy unparalleled management of the Office mobile apps, so that with Microsoft Intune, our IT pro has a different perspective on the organization of our user’s personal device. With the new multi-identity management feature, you an enable users to access both their personal and work accounts using the same Office mobile apps while only applying the MAM policies to their work account – providing a seamless experience while employees are on-the-go.
For our IT pro, there is still a clear separation of the managed corporate apps and our user’s personal apps. But, this doesn’t affect the user’s access to apps. By applying policy at the app level, our IT pro can support mobile productivity while maintaining user preferences, and still have the ability to protect corporate data and resources with the Intune-managed Office mobile apps.
The Intune App Wrapping Tool also allows IT to apply similar policies to your existing line-of-business applications so that these resources are equally protected through the organization’s proprietary apps. You can enable users to securely view content on devices within your managed app ecosystem using the Managed Browser, PDF Viewer, AV Player, and Image Viewer apps for Intune as well.
Let’s now take a closer look at how app-level policies can help keep company data and information secure. Our user receives a work email through her managed Outlook account with an attached Excel spreadsheet containing information she needs for a report. Our user opens the attachment in her Excel mobile application to find the information she needs. She then wants to copy the info to add to her report.
But when she tries to paste it into her personal notepad, it doesn’t work—the personal notepad is not a managed app and our IT pro has applied policies that restrict copy, paste, and cut functions to only apps that are part of the managed app ecosystem (for Intune enrolled devices). So our user opens her Microsoft Word mobile app which is managed by Intune and she is successfully able to paste her information. Now our user wants to save the working copy of her report to her personal OneDrive account so that she can access it from her home computer.
Because her personal OneDrive account is not one of the managed applications, she’s unable to save it here. IT has applied policies restricting the ability to save to only apps that are part of the managed app ecosystem.
So our user must save her working copy to her managed OneDrive for Business account, which means when she does want to work on this report from another device, this device will have to be an enrolled for management . By using the mobile application management capabilities of Intune, the IT pro can help prevent leakage of important company data and make sure that this information doesn’t get into the wrong hands.
With Microsoft Azure Information Protection, you can:
Provide persistent protection
Data itself carries the protection. This ensures data is always protected – regardless of where its stored or with whom its shared
Enable safe sharing
Access to shared data is identity driven. This enables safe sharing with internal employees as well as customers and partners.
Empower users
Deep integration with Office 365 enables users to apply protection easily without interrupting your employees normal course of work.
In product notifications empower users to make right decisions and tools such as document tracking help them gain visibility into use of shared data
Maintain control
Different key management and deployment options are available to fit your requirements. IT can use powerful logging and reporting to monitor, analyze and reason over data.
Classify your data based on sensitivity
Policies classify and label data at time of creation or modification based on source, context, and content. Classification can be fully automatic, driven by users, or based on recommendation.
Protect your data at all times
Embed classification and protection information for persistent protection that follows your data—ensuring it remains protected regardless of where it’s stored or who it’s shared with.
Add visibility and control
Users can track activities on shared files and revoke access if they encounter unexpected activities. Your IT team can use powerful logging and reporting to monitor, analyze, and reason over data.
0.6% http://www.gartner.com/newsroom/id/3186517
IT is continually being asked to do “more with less”. As business embraces a mobile first cloud first world IT budgets aren’t increasing. Finding a vendor that offers a comprehensive, cost effective, integrated solution is key to maximizing limited budgets.
Microsoft’s vision for Enterprise Mobility expands the boundaries of current thinking. Managing devices with MDM or Identities with IAM is not enough. Microsoft EMS protects holistically across users, devices, apps, and data with a comprehensive solution that no other vendor provides.
