Post on 03-Mar-2017
transcript
Enterprise Mobility + Security
Why should Office 365 customers consider EMS?
David J. Rosenthal, VP & GM, Digital Business Solutions
Razor Technology
Microsoft Briefing Center, NYC February 23, 2017
Secure access
Single sign-on experience augmented by self-service capabilities.
Mobile management
Control how data within Office Mobile apps (and other apps) is shared.
Advanced security
Protect against identity breaches that can result in data loss.
Extending Office 365 capabilities through EMS
Secure access
Conditions: user, user group, device state, location (IP range), MFA, risk
Actions:
• Allow
• Remediate
• Block access
• Wipe device
• Enforce MFA
Protected resources: Microsoft Azure, on-premises applications
Ensure the right people have access to apps and files under the right conditions.
Enable compliant users with easy access to all resources. Adjust access policies in real time with machine learning. Empower users with self-service options.
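As an added illustration (not code from EMS or Azure AD, and not the presenter's), the following Python evaluator shows how the conditions and actions above combine into one decision per sign-in: high risk is blocked, a non-compliant device is sent to remediation, and privileged users, unknown locations or medium risk trigger an MFA challenge before access is allowed. The trusted IP range, the "admins" group name, the three risk levels and the sample sign-ins are constructed assumptions.

```python
"""Toy conditional-access evaluator (added illustration, not EMS/Azure AD code).

Conditions modelled: user group, device state, location (IP range), MFA
status and sign-in risk.  Actions: allow, remediate, block, enforce MFA.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Tuple

# Constructed: corporate egress range (RFC 5737 documentation prefix).
TRUSTED_RANGES = [ip_network("203.0.113.0/24")]
PRIVILEGED_GROUP = "admins"   # hypothetical group name

ALLOW, ENFORCE_MFA, BLOCK, REMEDIATE = "allow", "enforce_mfa", "block", "remediate"


@dataclass(frozen=True)
class SignIn:
    """One sign-in attempt as a policy engine would see it (constructed)."""
    user: str
    groups: FrozenSet[str]
    device_compliant: bool     # device state reported by MDM/MAM
    mfa_satisfied: bool        # MFA already completed in this session
    source_ip: str             # location condition (IP range)
    risk: str                  # "low" | "medium" | "high" from a risk engine


def in_trusted_range(ip: str) -> bool:
    """Location condition: is the source address inside a trusted range?"""
    addr = ip_address(ip)
    return any(addr in net for net in TRUSTED_RANGES)


def evaluate(s: SignIn) -> Tuple[str, str]:
    """Map a sign-in to (action, reason), most restrictive rule first."""
    # Risk condition: a high-risk sign-in is blocked outright.
    if s.risk == "high":
        return BLOCK, "sign-in risk is high"
    # Device-state condition: a non-compliant device is sent to remediation
    # (enroll or fix the device) instead of being granted access.
    if not s.device_compliant:
        return REMEDIATE, "device is not compliant"
    # MFA is enforced for privileged users, untrusted locations, medium risk.
    needs_mfa = (
        PRIVILEGED_GROUP in s.groups
        or not in_trusted_range(s.source_ip)
        or s.risk == "medium"
    )
    if needs_mfa and not s.mfa_satisfied:
        return ENFORCE_MFA, "MFA required for this user, location or risk level"
    return ALLOW, "all conditions satisfied"


def run_samples() -> List[Tuple[str, str]]:
    """Evaluate a few constructed sign-ins; returns [(user, action), ...]."""
    samples = [
        SignIn("alice", frozenset({"staff"}), True, False, "203.0.113.10", "low"),
        SignIn("bob", frozenset({"staff"}), True, False, "198.51.100.7", "low"),
        SignIn("carol", frozenset({"admins"}), True, False, "203.0.113.11", "low"),
        SignIn("dave", frozenset({"staff"}), False, True, "203.0.113.12", "low"),
        SignIn("eve", frozenset({"staff"}), True, True, "198.51.100.9", "high"),
    ]
    return [(s.user, evaluate(s)[0]) for s in samples]


if __name__ == "__main__":
    for user, action in run_samples():
        print(f"{user:6} -> {action}")
```

The ordering matters: risk and device state are checked before the MFA rule, so a compromised or non-compliant session cannot satisfy the policy simply by completing MFA.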
EMS connects your workforce to thousands of cloud and on-premises applications using one unified identity.
Single sign-on to Office 365 and all other applications
Single sign-on to all apps, from one user identity:
• On-premises web apps (via Azure Active Directory Application Proxy)
• Integrated custom apps
• SaaS apps (2500+ popular SaaS apps)
• Cloud HR
• HR and other directories
Connect and sync on-premises directories with Azure.
Easily publish on-premises web apps via Application Proxy, and custom apps through a rich standards-based platform.
Microsoft Azure AD
Risk-based conditional access automatically protects against suspicious logins and compromised credentials.
Gain insights from a consolidated view of machine learning based threat detection.
Machine-learning engine detects:
• Leaked credentials
• Infected devices
• Configuration vulnerabilities
• Brute force attacks
• Suspicious sign-in activities
Risk severity calculation and remediation recommendations
Risk-based policies:
• MFA challenge for risky logins
• Block attacks
• Change bad credentials
Enforce on-demand, just-in-time administrative access when needed.
Gain more visibility through alerts, audit reports, and access reviews.
Privileged roles: Global Administrator, Billing Administrator, Exchange Administrator, User Administrator, Password Administrator.
Self-service capabilities in EMS include:
• Account, apps and group management
• Self-service password reset
• Application access requests
• Integrated Office 365 app launching
Mobile management
Protect Office Mobile app data with:
• App encryption at rest
• App access control – PIN or credentials
• Save as/copy/paste restrictions
• App-level selective wipe
Extend protection to line-of-business and third-party apps.
Personal apps and corporate apps on the same device: MDM policies (optional, via Intune or third party), MAM policies (Microsoft Intune), Azure Rights Management; a multi-identity policy keeps corporate data and personal data apart.
Intune gives you the option to manage the data, without the need to manage the device. A great option for BYOD scenarios where your end users may be reluctant to enroll their personal devices.
Protect with and without enrollment.
Classification labels: SECRET, CONFIDENTIAL, INTERNAL, NOT RESTRICTED
IT admin can set policies, templates, and rules. Classifications, labels and encryption can be applied automatically based on file source, context, and content.
EMS extends Office 365 manual protection of files with automatic protection to ensure policy compliance.
Users can build on policies. Users can track files and revoke access if needed.
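An added example, not Azure Information Protection code and not the presenter's: a small labeler that applies the four labels above automatically from file source and content, marks files at CONFIDENTIAL and above for encryption, and lets a user build on the policy by raising a label freely while lowering it only with a justification. The share names, content patterns and sample documents are constructed assumptions.

```python
"""Automatic classification and labeling (added illustration, not AIP code).

Labels come from the slide; the source and content rules are hypothetical.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Ascending sensitivity, as on the slide.
LABELS = ["NOT RESTRICTED", "INTERNAL", "CONFIDENTIAL", "SECRET"]
RANK = {name: i for i, name in enumerate(LABELS)}
ENCRYPT_FROM = "CONFIDENTIAL"   # labels at or above this get encryption


@dataclass(frozen=True)
class Document:
    name: str
    source: str   # share or library the file came from (constructed names)
    text: str


# Content rules: (label, pattern).  Constructed; a real policy differs.
CONTENT_RULES = [
    ("SECRET", re.compile(r"\bboard minutes\b", re.I)),
    ("CONFIDENTIAL", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),        # SSN-shaped
    ("CONFIDENTIAL", re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b")),   # card-shaped
    ("INTERNAL", re.compile(r"\binternal use only\b", re.I)),
]
# Source rules: where a file came from sets a floor on its label.
SOURCE_RULES: Dict[str, str] = {
    "hr-share": "CONFIDENTIAL",
    "public-site": "NOT RESTRICTED",
}


def classify(doc: Document) -> str:
    """Highest label triggered by source or content; NOT RESTRICTED otherwise."""
    label = SOURCE_RULES.get(doc.source, "NOT RESTRICTED")
    for rule_label, pattern in CONTENT_RULES:
        # Content can only raise the label set by the source rule.
        if pattern.search(doc.text) and RANK[rule_label] > RANK[label]:
            label = rule_label
    return label


def protect(doc: Document) -> Dict[str, object]:
    """Apply the automatic label and decide whether the file gets encrypted."""
    label = classify(doc)
    return {
        "name": doc.name,
        "label": label,
        "encrypt": RANK[label] >= RANK[ENCRYPT_FROM],
    }


def relabel(auto_label: str, requested: str,
            justification: Optional[str] = None) -> str:
    """User builds on the policy: raising is free, lowering needs a reason."""
    if RANK[requested] >= RANK[auto_label]:
        return requested
    if not justification:
        raise ValueError(
            f"lowering {auto_label} to {requested} requires a justification")
    return requested


if __name__ == "__main__":
    for d in [
        Document("memo.docx", "team-site", "Internal use only: cafeteria hours"),
        Document("payroll.xlsx", "hr-share", "salary bands"),
        Document("cust.csv", "team-site", "card 4111 1111 1111 1111"),
    ]:
        print(protect(d))
```

The source rule acts as a floor and content rules can only raise the label, which is the property an automatic policy needs: a file copied out of a sensitive location does not get downgraded just because its body looks harmless.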
Revoke access in the case of unexpected sharing. Track who accessed the data, when, and where.
Sharing diagram: Sue → Bob, Sue → Jane, Jane → Competitors; Jane's access is revoked.
Map view: Bob accessed from South America; Jane accessed from India; Joe blocked in North America; Jane blocked in Africa.
Advanced security
Transition to cloud & mobility; new attack landscape; current defenses not sufficient.
Threats: shadow IT, data breach, identity breach.
Exposed: employees, partners, customers; identity, devices, apps & data; cloud apps, on-premises apps, SaaS, Azure.
Microsoft Advanced Threat Analytics brings the behavioral analytics concept to IT and the organization's users: an on-premises platform to identify advanced security attacks and insider threats before they cause damage.
Behavioral analytics; detection of advanced attacks and security risks; advanced threat detection.
Cloud App Security
Shadow IT and sanctioned app security: visibility and control, compliance and regulations, integration with existing systems and workflows, cloud security expertise.
Cloud App Security (cross-SaaS solution):
• Shadow IT discovery (Cloud Discovery)
• Advanced visibility, data control, and protection
• Threat detection and prevention
Office 365 Advanced Security Management (enhanced visibility and control for Office 365):
• Discovery for apps with similar functionality to Office 365
• App permissions and control
• Advanced security alerts
Enterprise Mobility + Security
Included with Office 365:
Basic identity mgmt. via Azure AD for O365:
• Single sign-on for O365
• Basic multi-factor authentication (MFA) for O365
Basic mobile device management via MDM for O365:
• Device settings management
• Selective wipe
• Built into O365 management console
RMS protection via RMS for O365:
• Protection for content stored in Office (on-premises or O365)
• Access to RMS SDK
• Bring your own key
Advanced Security Management:
• Insights into suspicious activity in Office 365
Added by Enterprise Mobility + Security:
Identity and access management – Azure Active Directory:
• Risk based conditional access
• Advanced security reports
• Single sign-on for all apps
• Advanced MFA
• Dynamic Groups, Group based licensing assignment
• Privileged identity management
Identity-driven security – Cloud App Security:
• Visibility and control for all cloud apps
Identity-driven security – Advanced Threat Analytics:
• Identify advanced threats in on premises identities
Managed mobile productivity – Intune:
• Mobile app management
• Users self-service management
• Certificate provisioning
• PC management
Information protection – Azure Information Protection:
• Automated intelligent classification and labeling of data
• Tracking and notifications for shared documents
• Protection for on-premises Windows Server file shares
Capabilities and features - details
Azure Active Directory (● = included):
Directory as a service (no object limit) ● ●
User and group management ● ●
Single sign-on for pre-integrated SaaS and custom applications ● ●
Security/usage reports ● ●
Self-service password reset for cloud users ● ●
Company branding (logon pages/access panel customization) ● ●
Application proxy ● ●
SLA 99.9% ● ●
Self-Service Group and app Management/Self-Service application additions/Dynamic Groups ● ●
Self-service password reset/change/unlock with write-back to on-premises directories ● ●
Multi-Factor Authentication (cloud and on-premises (MFA server)) ● (limited cloud-only for Office 365 apps) ●
MDM auto-enrollment, Self-service BitLocker recovery, additional local administrators to Windows 10 devices via Azure AD Join, Enterprise State Roaming ● ●
Group-based access management/provisioning ●
MIM CAL + MIM Server*** ●
Cloud app discovery ●
Connect Health ●
Conditional Access based on group/location/device state ●
Identity Protection ●
Privileged Identity Management ●
Join a Windows 10 device to Azure AD, Desktop SSO, Microsoft Passport for Azure AD, Administrator BitLocker recovery ●
* Default usage quota is 150,000 objects. An object is an entry in the directory service, represented by its unique distinguished name. An example of an object is a user entry used for authentication purposes. If you need to exceed this default quota, please contact support. The 500K object limit does not apply for Office 365, Microsoft Intune, or any other Microsoft paid online service that relies on Azure Active Directory for directory services.
** With Azure AD Free and Azure AD Basic, end-users are entitled to get single sign-on access for up to 10 applications.
*** Microsoft Identity Manager Server software rights are granted with Windows Server licenses (any edition). Since Microsoft Identity Manager runs on Windows Server OS, as long as the server is running a valid, licensed copy of Windows Server, then Microsoft Identity Manager can be installed and used on that server. No other separate license is required for Microsoft Identity Manager Server.
Rights Management: RMS for O365* compared with Azure RMS (EMS)
Included in both RMS for O365 and Azure RMS (EMS):
• Protection for Microsoft Exchange Online, Microsoft SharePoint Online, and Microsoft OneDrive for Business content
• Bring Your Own Key (BYOK) for customer-managed key provisioning life cycle²
• Custom templates, including departmental templates
• Protection for on-premises Exchange and SharePoint content via Rights Management Services (RMS) connector
• RMS software developer kit for all platforms: Windows, Windows Mobile, iOS, Mac OSX, and Android
• Protection for non-Microsoft Office file formats, including PTXT, PJPG, and PFILE (generic protection) (RMS for O365**)
• RMS content consumption by using work or school accounts from RMS policy-aware apps and services
• RMS content creation by using work or school accounts (RMS for O365***)
• Manual document classification and consumption of classified documents
Azure RMS (EMS) only:
• Automated data classification and administrative support for automated rule sets
• Hold Your Own Key (HYOK) that spans Azure RMS and Active Directory RMS for highly regulated scenarios
• RMS connector with on-premises Windows Server file shares by using the File Classification Infrastructure (FCI) connector
• Document tracking and revocation
* Some Office 365 subscriptions also include data protection using Microsoft Azure RMS. For information on those Office 365 subscriptions and the data protection capabilities they include, refer to the Azure Information Protection licensing datasheet.
** Azure subscription required to use configured key for Bring Your Own Key (BYOK).
*** Currently, you can also use this free subscription to help protect documents and create new email messages with enhanced protection. However, the ability to author new protected content is intended for trial use only and might be removed in the future.
Intune capabilities and features (● = included):
Device configuration
Cloud-based management for iOS, Android, and Windows Phone ● ● ●
Inventory mobile devices that access corporate applications ● ● ●
Remote factory reset (full device wipe) ● ● ●
Mobile device configuration settings (PIN length, PIN required, lock time, etc.) ● ● ●
Self-service password reset (Office 365 cloud only users) ● ● ●
Office 365
Provides reporting on devices that do not meet IT policy ● ●
Group-based policies and reporting (ability to use groups for targeted device configuration) ● ●
Root cert and jailbreak detection ● ●
Remove Office 365 app data from mobile devices while leaving personal data and apps intact (Selective wipe) ● ●
Prevent access to corporate email and documents based upon device enrollment and compliance policies ● ●
Premium mobile device & app management
Self-service Company Portal for users to enroll their own devices and install corporate apps ●
Deploy certificates, VPN profiles (including app-specific profiles), and Wi-Fi profiles ●
Prevent cut/copy/paste/save as of data from corporate apps to personal apps (Mobile application management) ●
Secure content viewing via Managed browser, PDF viewer, Image viewer, and AV player apps for Intune ●
Remote device lock via self-service Company Portal and via admin console ●
Enroll and manage collections of corporate-owned devices, simplifying policy and app deployment ●
Deploy your internal line-of-business apps and apps in stores to users ●
Enable more secure web browsing using the Intune Managed Browser app ●
PC management
Cloud-based management for Mac OS X and Windows PCs ●
PC management (e.g. inventory, antimalware, patch, policies, etc.) ●
OS deployment (via System Center ConfigMgr) ●
PC software management ●
Single management console for PCs and mobile devices (through integration with System Center ConfigMgr) ●
Contact us for additional information & deployment offers
David.Rosenthal@razor-tech.com