Mate Barany, VMware; Manuel Mazzolin, VMware; Peter Schmitt, Deutsche Bahn Systel
SIE3197BE
#VMworld #SIE3197BE
Secure Your Windows 10 and Office 365 Deployment with VMware Security Solutions
VMworld 2017 Content: Not for publication or distribution
Speaker Introduction
• Mate Barany, VMware
• Manuel Mazzolin, VMware
• Peter Schmitt, Deutsche Bahn Systel
Understanding the modern security architecture for today’s workforce
Who
Why
• This presentation may contain product features that are currently under development.
• This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.
• Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.
• Technical feasibility and market demand will affect final delivery.
• Pricing and packaging for any new technologies or features discussed or presented have not been determined.
Disclaimer
Session Agenda
1 Modern Security Requirements
2 Securing your Windows 10 Deployments
3 Securing your Office 365 Apps and Data
4 Customer Spotlight
Modern Security Requirements
The Old World
The New World
Private Clouds
Hybrid Clouds
Public Clouds
Virtualized Compute, Storage, Networking, Security
Infrastructure
Devices
Apps
Traditional Apps | Cloud-Native Apps | SaaS Apps
Typical App Connects to 7 Cloud Services
Securing Interactions is Increasingly Complex
We have a large and growing surface area that needs to be secured
Why Your Security Team is Concerned
250% INCREASE
34% REPORTED
56% INCREASE
RANSOMWARE ATTACKS increase in 2017
INTELLECTUAL PROPERTY theft in 2015
EMPLOYEES cited as source of compromise in 2015
VMware’s Approach to Security
TRANSFORM SECURITY
New apps and delivery models can’t be easily protected with perimeter-centric network security.
Proliferating and diverse endpoints access a range of apps and IT services.
Increasingly complex threat ecosystem and slow to identify non-compliance.
Secure Applications and Data
Protect Identity and Endpoints
Streamline Compliance
Intrinsic Security from Device to Data Center
The whole IT Security journey
• Federated Identity, Biometric, Two-Factor Authentication
• Endpoint Security, DLP, App Scanning, Malware Detection
• Per App VPN, Intelligent Networking, Network Scanning and Security
• Conditional Access, Secure App Token SSO, Threat Analytics
• Secure OS, Secure Hypervisor, Secure Data at Rest/Transit
• Same Security and Policies work for Public, Private, Hybrid Clouds
• Self-Encrypt Drives, Analyze Environment for Anomalies
• Audit Logs for All Infrastructure Components
• Secure micro VPN, Limited Cyber Attack Footprint, Threat Analytics
• Audit Network and Data Center Traffic
• Sandbox Data Center Application, Limit Cyber Attack Vector
Securing your Windows 10 Deployments
Traditional PC Management
Falls short for your modern security demands
© 2017 VMware Inc. All rights reserved. Confidential – Not for Distribution
• Compromised Security: Slow to identify non-compliance
• Data Proliferation: New ownership models; cloud apps / services
• Modern Workforce: Increasingly mobile and off-network
• Limited Visibility: Policies and updates pending
Traditional Systems Management
OS Update Servers (WSUS)
Software Distribution Servers
GPO Policy Servers (AD)
Unified Endpoint Management
Enables a modern approach to Windows security
• Security Across Networks: Backed by a powerful compliance engine
• Data Loss Prevention: Protect data at rest, in use, in transit
• Modern IT: Instant, cloud-based management
• Real-time Visibility: Policy and updates in seconds, not months
Unified Endpoint Management
Store B
Configuration, Apps, Updates, Security
Protect Identity and Endpoints
Safeguard user identities and endpoints
Across any user, application and device
• Ensure desired OS state with over the air configuration of hardware and OS
• Harden OS with real-time device and OS health data; block access for compromised endpoints
• Establish user trust with new identity features; multifactor authentication based on context
Secure Apps and Data
Gain transformative insights into application infrastructure
Across any app, app type, and location
• Secure access to any app with context of identity, endpoint and app interactions
• Lock down access to unapproved and untrusted apps and malware
• Protect data with encryption, native DLP, per-app tunneling, and traffic filtering
• Remote wipe company data from admin console or self-service portal
Office 365
Managing and Securing Office 365
TRANSFORM SECURITY
Traditional access control methods based on network and perimeter security are no longer useful.
Today’s evolving workforce requires a new identity and user trust model.
Mobile and BYOD adoption present new data security challenges.
Conditional Access
Simplified Authentication
Data Loss Prevention
Providing Holistic Support for Office 365
Federated Identity and SSO
Ensure Single Version of Truth
• Works across Office 365 and all other app investments
• Integrates with existing identity solutions
• Automatic SSO based on native OS APIs, certificates and Kerberos authentication
• Password-less authentication for Modern Authentication clients
Workspace ONE Conditional Access
AUTHENTICATION MODULE
DEVICE POSTURE
USER AUTH
APP SERVICE
Workspace ONE
Managed | Jail Broken
DEVICE COMPLIANCE
OS
3rd Party: MSA | Malware | Trust
Location
Blacklist Apps
IDENTITY CONTEXT
Authentication Provider
Network Scope
Authentication Strength
Session Time
Per Application
Remote Apps | Web Apps | Native Apps
Conditional Access For Office 365
OWA
Modern Auth. Clients
Browser
Client App
Active Sync & Legacy Clients
Client App
Conditional Access Policy
Conditional Access Example: Restrict Office 365 Access to Managed and Compliant Devices Only
X Access Denied
✔ Access Granted
SSO to Apps
✔
Unmanaged
VMware Identity Manager Validates User Identity
Managed by AirWatch
Data Loss Prevention Controls for Office 365
Intune MAM
Intune MDM
Office 365 App Settings
Copy / Paste Blocking
Workspace ONE
App-level PIN / Passcode
DLP Settings (save data in personal OneDrive)
OS MAM Settings
Open-with controls
SSO, remote wipe
Graph API
Configure Intune DLP policies from Workspace ONE console
DB Systel: Deutsche Bahn's digitalisation partner
DB Systel takes an integrative and value-enhancing approach to its work for the Group.
• 3,600 employees
• Revenues: 838 Million (2016)
• It offers a range of solutions and consulting services that are holistic and customer-specific.
• They meet the highest IT standards and make use of innovative developments in the sector.
• DB Systel combines this expertise with its outstanding knowledge of the rail sector and IT industry.
• It is a business partner that always takes the long view of a project and follows supplier-neutral strategies as it works towards the collective goals that everyone at DB AG shares.
DB Systel services all kinds of workspaces
Office worker (Mobile Mail)
Train driver (Rail in Motion)
Maintenance worker (e.g. Puma)
What we have achieved so far
Transform Security
• implemented SSO for mobile
• 2 factor authentication of device during roll-in
• per app VPN
Empower Digital Workspaces
• moved from MDM to AirWatch EMM in 2015
• migration of 30,000 devices, up to 700 per day
• currently serving 75,000 throughout Europe (iOS, Android)
DB Systel current challenges
Modernize Data Centers
Integrate Public Clouds
Empower Digital Workspaces
Transform Security
• DB Systel is moving all kinds of workloads into cloud services like AWS or SaaS
• Our own datacenter will be sold
• O365 is being implemented as a hybrid cloud service, replacing the Lotus Notes email infrastructure as well as other products, e.g. storage
• move from EMM to UEM (Unified Endpoint Management)
• gain market share within the imaged desktop environment, currently 90k desktops with our basic Workplace (Win10, Mac)
• SSO
• 2 factor authentication of device during roll-in
• per app VPN
Ways to Learn More
Sessions
• UEM1359BE - Best Practices in Migrating Windows 7 to Windows 10 – 13/09 5.00 PM
• SAAM2291BE - Securing Access and Protecting Information in Office 365 with Workspace ONE 13/09 12 PM
Content
• www.vmware.com/it-priorities/transform-security
• www.airwatch.com/solutions/windows
Hands-on Labs
• Stop by our hands-on labs at VMworld
• https://www.vmware.com/try-vmware/try-hands-on-labs.html
ASK THE EXPERTS
Questions?