Enterprise Mobility + Security

Karolina Maslać / Span

[email protected]


[email protected] tel. +385 1 6690 200

Do you keep pace with change? Are your users, data, applications and devices protected?

Companies whose employees work only in the office, from 9 a.m. to 5 p.m., and cannot access business data unless connected to their local server no longer exist. Today everything happens in the cloud and on mobile devices. IT professionals have to keep pace with that change rather than fall behind.

Efficient operation of a digitally transformed company requires IT professionals who can let employees work from any place at any time while protecting business data and applications.

THE IT WORLD IS CHANGING AGAIN

[Figure: users, data, apps and devices at the centre; the threats around them: lost device, compromised identity, stolen credentials, data leaks; the parties involved: customers, employees, business partners]

HOW TO BE SECURE AND MOBILE, EVEN IN THE CLOUD?

Do you know of any company that stores all its data locally on servers, whose employees don't use cell phones and work solely in the office? We believe you can't think of a single one. That kind of company is a thing of the past.

Nowadays, the majority of companies are digitally transformed – everything is located in the cloud and everything is mobile. Employees can access business data from any device, whenever they want to and from wherever they are. Information of importance to the company's business is located in the cloud and to access it all we need is an Internet connection.

Digital transformation brings new challenges for IT experts. Smart phones, tablets and laptops are becoming parts of the IT environment. Users access business mail, apps and files from various mobile devices that are not controlled by IT professionals. How can a company's data be protected while allowing its employees to remain mobile?

For the purpose of managing and protecting users, devices, applications and data in today's cloud-first, mobile-first world, Microsoft created a comprehensive solution: Enterprise Mobility + Security (EMS). EMS is a package of tools that lets organizations manage and control their IT environment efficiently, from protecting a single digital identity, through managing and controlling mobile devices, to encrypting documents and e-mail messages in the cloud.


NEW CHALLENGES FOR IT EXPERTS

Managing identities, devices and information protection has for some time no longer been tied exclusively to an organization's on-premises environment. IT staff look after not only users and servers, but also mobile devices, cloud platforms and online apps.

According to Gartner forecasts [1], mobile smart devices and wireless Internet are creating a new digital world. IT experts face new security threats arising from many technology sources: not only from smart phones and tablets, but from all portable devices.

The diversity of mobile devices is compounded by the problem of digital identity management. Business data now lives in numerous cloud applications rather than on local servers alone. At the same time, cyber-attacks are becoming more advanced and demand sophisticated security tools and strategies. Microsoft nevertheless maintains that security and mobility can be achieved together for users, applications, data and devices.

HUMAN ERROR – A SOURCE OF DANGER

There is something that has not been changed by digital transformation. Data on mobile devices can be lost in only two ways – either by an employee losing a device, or by misusing applications. However, the consequences have changed! Employees today keep and handle significantly more sensitive and important data in their smart phones, laptops and tablets.

Any unmonitored mobile device holding important information represents a potential risk to a company’s operations.

Furthermore, most losses of business data are caused by compromised credentials (access rights). Since most users are protected by nothing more than a password, attackers obtain standard credentials with ease.


Over 80 % of employees admit to using unauthorised Internet apps at work. [2]

33 % of security threats occur due to user error. [3]

Attackers stay in a company or organization network for an average of 146 days before being found. [4]

63 % of all attacks against a network occur due to compromised user credentials. [5]

References:
[1] Gartner, "Predicts 2016: Mobile and Wireless"
[2] http://www.computing.co.uk/ctg/news/2321750/more-than-80-per-cent-of-employees-use-non-approved-saas-apps-report
[3] Vanson Bourne, February 2014
[4] https://www.microsoft.com/en-sa/cloud-platform/advanced-threat-analytics
[5] https://www.microsoft.com/en-sa/cloud-platform/advanced-threat-analytics


PROTECTING USERS, DEVICES, DATA AND APPLICATIONS

When creating the Enterprise Mobility + Security Suite, Microsoft had one question in mind: how to protect users, devices, data and applications in a world where everything is in the cloud and everyone is on the move (on smartphones, laptops and tablets)? Its answer is Enterprise Mobility + Security.

EMS contains tools that provide for:
- managing digital identities and secure access to all business resources
- monitoring user behaviour, predicting and preventing advanced cyber-attacks
- managing mobile devices and applications
- data protection using advanced security technologies
- protecting applications in the cloud


The five components of EMS:
1. Azure Active Directory
2. Azure Information Protection
3. Microsoft Cloud App Security
4. Microsoft Intune
5. Microsoft Advanced Threat Analytics

EMS plans and components (E3 and E5):

Pillar                         | EMS E3                              | EMS E5 (adds)
-------------------------------+-------------------------------------+-----------------------------------
Identity and access management | Azure Active Directory Premium P1   | Azure Active Directory Premium P2
Managed mobile productivity    | Microsoft Intune                    | -
Information protection         | Azure Information Protection P1     | Azure Information Protection P2
Identity-driven security       | Microsoft Advanced Threat Analytics | Microsoft Cloud App Security

Azure Active Directory Premium P1: single sign-on for all applications in the cloud or on-premises, Multi-factor Authentication and advanced reporting.

Azure Active Directory Premium P2: identity and access management with advanced protection of users and privileged identities.

Microsoft Intune: managing mobile devices and applications; protection of business data and applications across all devices.

Azure Information Protection Premium P1: encryption of all files and mails in the cloud or on-premises; cloud-based data monitoring.

Azure Information Protection Premium P2: intelligent classification and encryption of files and mails shared inside and outside an organization.

Microsoft Cloud App Security: monitoring and control of applications in the cloud.

Microsoft Advanced Threat Analytics: monitoring user behaviour and protection from cyber-attacks, as well as detecting advanced threats.


Organizations that use these tools meet several important criteria for successful operations:

1. users – mobile and secure
2. devices – mobile and secure
3. business data – available from anywhere and secure
4. applications – available from anywhere and secure

Why is it important to provide employees with mobility and security?

→ You want to allow them to work from any device, any place and at any time, whether in the field, on a business trip or at the office.
→ You want business data and applications to be secure! You do not want to lose business information because someone's privately-owned computer was infected by malware, or because one of your employees left his smartphone behind in a restaurant.

Microsoft Enterprise Mobility + Security lets employees work when, where and from the devices they want. Employee efficiency is promoted while business data and applications are protected.


IDENTITY AND ACCESS MANAGEMENT (AZURE ACTIVE DIRECTORY)

An increasing number of employees use applications delivered over the Internet (Software-as-a-Service). Synchronising the on-premises Active Directory with Azure Active Directory gives each user a single identity and single sign-on for all applications, on-premises or in the cloud (including Office 365).

IT administrators thus retain control over user identities and passwords, and gain a higher level of control over access to company resources.

Azure Active Directory also offers stronger protection at authentication: in addition to the username and password, an additional factor is required (Multi-factor Authentication, MFA). The additional factor can be an SMS message with a single-use code, an automated phone call, or a mobile app that generates single-use codes or receives a push notification. Of these, codes and calls delivered over the phone network are the weakest, since they can be intercepted or redirected by a SIM swap; the app-based factor should be preferred.


Problems:

- It's George's first day at work in sales; IT administrators create his digital identities manually
- George can't begin work until accounts have been created in all applications
- It takes George half an hour each morning to log into all the programs and applications he needs
- George wrote his username and password on a post-it and stuck it on his monitor; anyone can get access to his computer and confidential data

Advantages:

- IT administrators need not create George's digital identities manually; they are created automatically
- IT administrators have control over user identities and passwords
- George doesn't need to memorize passwords for various applications
- Thanks to Multi-factor Authentication, a username and password alone are no longer enough to access business data and applications, so it is far more likely that only George can


MANAGED MOBILE PRODUCTIVITY (INTUNE)

Unprotected and uncontrolled applications pose a serious threat to IT security. Mobile Device Management (MDM) lets organizations manage mobile devices, the identities and passwords employees use on them, and their access to company resources. Almost everyone now carries a smartphone, and smartphones are used to reach business data and applications. Moreover, mobile apps such as PowerPoint, OneDrive for Business, Word, Excel and Power BI connect directly to Office 365 services in the cloud and thus to company resources.

An employee can share company data with third parties intentionally or accidentally, causing material (financial) or intangible (reputational) damage. A company can protect itself from such "leaks" with a solution like Microsoft Intune. Intune supports all major mobile platforms (Windows Phone, iOS, Android) and enforces policies on the device, such as requiring an unlock PIN or device encryption, and can automatically configure e-mail profiles, Wi-Fi networks, authentication certificates and similar settings.

A Mobile Application Management (MAM) policy isolates business applications in managed containers from which data cannot be copied or saved into unmanaged, non-business applications. If a device holding business data is lost, an administrator can wipe the entire device remotely; when a user leaves the company, the administrator can instead perform a selective wipe, removing only business data and leaving private data intact.


Problems:

- George uses his privately owned, unprotected smartphone to reply to business e-mail
- George lost his laptop; what happens to the business data on it?
- IT administrators have no control over the user identities, passwords and privately-owned devices George uses
- George was laid off; how will IT administrators delete business data stored on his privately-owned devices?

Advantages:

- IT administrators have control over the user identities, passwords and privately-owned devices George uses
- IT administrators spend less time configuring mobile devices
- Should George lose a device containing business data, administrators can wipe the entire device remotely
- Applications and data can be selectively wiped from written-off or lost devices
- George can securely access company resources from various mobile devices


INFORMATION PROTECTION (Azure Information Protection)

Document protection is often tied to the protection of the media holding the document, and the document is deemed secure for as long as it sits on a particular server or disk. Yet what happens when someone opens a folder on that server or disk, opens the document, copies it and moves it to his or her laptop? From that moment on the document is no longer secure. The document owner does not know that someone has "stolen" the data, what he or she is doing with them, or where they will eventually end up.

Do you still believe that your data are secure?

Azure Information Protection protects a document rather than the location at which it is stored. Employees can encrypt specific data, limit access to a document and monitor document usage from the moment of creation to the moment they decide to delete or destroy it.

Thanks to Azure Information Protection, document owners can encapsulate a specific protection level directly into the document which thereafter “travels” together with the document. Moreover, they can set who can edit, read, print, or copy a document.

Hence, you can provide your employees with safer information sharing both inside and outside the organization.

Documents are not only shared within a single organization. More than ever before, data travel between users, devices, applications and services. How do you protect a document once it leaves your organization?
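As an added example, and not Azure Information Protection's own format (Azure RMS wraps a per-document content key to the tenant's RMS key and issues use licences to authenticated users; this toy envelope instead hands the caller a document key directly), here is a Python sketch of the principle that protection travels with the document: the usage policy is stored in the envelope and bound to the encrypted body by a single MAC, so a recipient cannot widen their own rights or swap in another body without breaking the seal. The cipher is HMAC-SHA256 run in counter mode with a separate HMAC tag (encrypt-then-MAC); the users, rights names and document key are constructed for the example.

```python
import base64
import copy
import hashlib
import hmac
import json
import os
from typing import Optional

RIGHTS = ("view", "edit", "print", "copy")  # assumed right names for the example


def _b64(b: bytes) -> str:
    return base64.b64encode(b).decode()


def _unb64(s: str) -> bytes:
    return base64.b64decode(s)


def _subkey(master: bytes, label: bytes) -> bytes:
    """Derive separate encryption and MAC keys from one per-document key."""
    return hmac.new(master, label, hashlib.sha256).digest()


def _ctr_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Keystream = HMAC-SHA256(key, nonce || block index); XOR is its own inverse, so this
    both encrypts and decrypts. Never reuse a nonce under the same key."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def _canonical(policy: dict) -> bytes:
    """Deterministic serialisation so the MAC covers the policy exactly as it will be read."""
    return json.dumps(policy, sort_keys=True, separators=(",", ":")).encode()


def protect(content: bytes, policy: dict, doc_key: bytes, nonce: Optional[bytes] = None) -> dict:
    """Build the envelope: policy in the clear (the opener must know what it is allowed to do),
    content encrypted, and one tag over policy || nonce || ciphertext so neither can be edited alone."""
    nonce = nonce or os.urandom(16)
    body = _ctr_xor(_subkey(doc_key, b"enc"), nonce, content)
    tag = hmac.new(_subkey(doc_key, b"mac"), _canonical(policy) + nonce + body, hashlib.sha256).digest()
    return {"policy": policy, "nonce": _b64(nonce), "body": _b64(body), "tag": _b64(tag)}


def open_protected(envelope: dict, doc_key: bytes, user: str, action: str) -> bytes:
    """Verify the seal first, then enforce the embedded rights, and only then decrypt."""
    nonce, body, tag = (_unb64(envelope[k]) for k in ("nonce", "body", "tag"))
    expected = hmac.new(_subkey(doc_key, b"mac"),
                        _canonical(envelope["policy"]) + nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("envelope failed integrity check")
    if action not in RIGHTS:
        raise ValueError(f"unknown action {action!r}")
    if action not in envelope["policy"].get("rights", {}).get(user, []):
        raise PermissionError(f"{user} has no {action!r} right")
    return _ctr_xor(_subkey(doc_key, b"enc"), nonce, body)


def attempt(envelope: dict, doc_key: bytes, user: str, action: str) -> str:
    """Outcome of an open attempt as a short status: granted / denied / unverified."""
    try:
        open_protected(envelope, doc_key, user, action)
        return "granted"
    except PermissionError:
        return "denied"
    except ValueError:
        return "unverified"


def demo() -> dict:
    """The brochure's scenario: George owns the document, a partner may only view it."""
    doc_key = bytes(range(32))  # constructed per-document key; a real service issues and guards it
    policy = {"owner": "george@example.com",
              "rights": {"george@example.com": list(RIGHTS), "partner@example.com": ["view"]}}
    env = protect(b"Q3 forecast: confidential", policy, doc_key)
    forged = copy.deepcopy(env)
    forged["policy"]["rights"]["partner@example.com"].append("edit")  # partner grants themselves edit
    return {
        "partner_view": attempt(env, doc_key, "partner@example.com", "view"),
        "partner_print": attempt(env, doc_key, "partner@example.com", "print"),
        "stranger_view": attempt(env, doc_key, "stranger@example.net", "view"),
        "forged_edit": attempt(forged, doc_key, "partner@example.com", "edit"),
        "wrong_key": attempt(env, b"\x00" * 32, "george@example.com", "view"),
        "body_is_ciphertext": _unb64(env["body"]) != b"Q3 forecast: confidential",
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:20} {outcome}")
```

The enforcement point in a real deployment is key release: the opener only receives the document key after authenticating to the rights service, which is why the policy can be public while the body stays unreadable. What this sketch does show is why the policy must be authenticated together with the body: with an unauthenticated policy, a viewer could simply edit the rights list and the client would honour it.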

Problems:

- George forwarded a message containing confidential business data
- George was laid off, but beforehand downloaded important information from the server to a USB stick
- George created documents. Does George know who is using them and where they are (in which departments, which companies)?
- George copied or moved data out of a secure location and can now do whatever he pleases with them

Advantages:

- What is protected is the document, rather than the place (media) where it is stored
- George follows the life cycle of the document from the moment of its creation to the moment he decides to delete it
- George knows at any given moment where his data are and who is using them
- Document sharing, and collaboration inside or outside the organization, is safer


IDENTITY-DRIVEN SECURITY (Microsoft Cloud App Security & Microsoft Advanced Threat Analytics)

Cyber-attacks are becoming more sophisticated and more frequent. Threats used to be a “simple” piece of code, software designed in a specific form. Initially they were made for fun, or for hackers to prove their mettle. However, things have changed. Today, it’s no longer fun and games, but rather a criminal enterprise – individuals make a living from it and make huge amounts of money.

What are advanced threats? These are threats that are no longer a “simple” piece of code, rather they contain several components. Attackers first search for a way to enter the system – most often via e-mail. Once inside a system, they spend months researching and gathering data on the network – where the data on users are stored, where the confidential and classified data are located… Only then do they attack and extract data from the system.

With the emergence of bitcoin and ransomware-as-a-service, the number of ransomware attacks increased. Namely, bitcoin is a cryptocurrency that is hard to track, while ransomware-as-a-service enables anyone with basic computer literacy to become a hacker. All it takes is going to the dark web, buying a specifically coded cryptolocker for $100-200, going to another web site, creating an e-mail campaign and placing a cryptolocker on a target group of e-mail addresses.

Who can become a target? Everyone, from private individuals to financial institutions. How can one protect oneself?

Advanced Threat Analytics (ATA) discovers and identifies advanced threats before they cause damage. ATA collects log and event data from several sources within an organization's network and, using machine learning, builds a profile of normal behaviour for each user and device. It alerts IT staff to unusual behaviour or activity that deviates from that profile. Alongside behavioural analysis, Advanced Threat Analytics also detects known attack techniques and security problems, and provides the forensic detail needed to investigate them.
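An added illustration, not ATA's own detection logic, of the behavioural-baseline idea in Python: constructed logon events (below, not real telemetry) from a learning period build a per-user profile of source hosts, target resources and working hours; later events are scored against that profile, and a success that follows a burst of failures from the same host is flagged as a guessed or sprayed password. The field layout, host names and thresholds are assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed logon events, not real telemetry: time, user, source host, target host, outcome.
SAMPLE_EVENTS = """\
2021-01-04T08:55:00 alice WS-ALICE FS01 success
2021-01-04T09:10:00 alice WS-ALICE MAIL01 success
2021-01-04T14:02:00 bob WS-BOB SQL01 success
2021-01-05T08:50:00 alice WS-ALICE FS01 success
2021-01-05T11:20:00 bob WS-BOB FS01 success
2021-01-06T09:05:00 alice WS-ALICE MAIL01 success
2021-01-06T15:40:00 bob WS-BOB SQL01 success
2021-01-07T03:12:00 alice WS-ALICE SQL01 success
2021-01-07T11:00:00 bob WS-BOB FS01 success
2021-01-07T11:30:00 bob WS-TEMP7 SQL01 failure
2021-01-07T11:30:05 bob WS-TEMP7 SQL01 failure
2021-01-07T11:30:10 bob WS-TEMP7 SQL01 failure
2021-01-07T11:30:15 bob WS-TEMP7 SQL01 failure
2021-01-07T11:30:20 bob WS-TEMP7 SQL01 failure
2021-01-07T11:30:25 bob WS-TEMP7 SQL01 success
"""

BASELINE_END = datetime(2021, 1, 7)  # events before this date teach the baseline; later ones are scored

Alert = Tuple[str, str, str]  # (user, kind, detail)


def parse_events(text: str) -> List[dict]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, dst, outcome = line.split()
        events.append({"time": datetime.fromisoformat(ts), "user": user,
                       "src": src, "dst": dst, "ok": outcome == "success"})
    return sorted(events, key=lambda e: e["time"])


def build_baseline(events: List[dict]) -> Dict[str, dict]:
    """Per user: hosts they log on from, resources they reach and hours they work,
    learned only from successful logons inside the learning period."""
    baseline: Dict[str, dict] = {}
    for e in events:
        if e["ok"] and e["time"] < BASELINE_END:
            b = baseline.setdefault(e["user"], {"src": set(), "dst": set(), "hours": set()})
            b["src"].add(e["src"])
            b["dst"].add(e["dst"])
            b["hours"].add(e["time"].hour)
    return baseline


def detect(events: List[dict], baseline: Dict[str, dict],
           fail_threshold: int = 5, fail_window: timedelta = timedelta(minutes=5)) -> List[Alert]:
    """Score post-baseline events: a success preceded by a burst of failures from the same host,
    and successful logons that break the learned profile."""
    alerts: List[Alert] = []
    failures: Dict[Tuple[str, str], deque] = defaultdict(deque)  # (user, src) -> recent failure times
    for e in events:
        if e["time"] < BASELINE_END:
            continue
        recent = failures[(e["user"], e["src"])]
        while recent and e["time"] - recent[0] > fail_window:
            recent.popleft()  # forget failures that fell out of the window
        if not e["ok"]:
            recent.append(e["time"])
            continue
        if len(recent) >= fail_threshold:
            alerts.append((e["user"], "success_after_failure_burst",
                           f"{len(recent)} failures from {e['src']} then success on {e['dst']}"))
        recent.clear()
        profile = baseline.get(e["user"])
        if profile is None:
            alerts.append((e["user"], "no_baseline", "user never seen in the learning period"))
            continue
        if e["src"] not in profile["src"]:
            alerts.append((e["user"], "new_source_host", e["src"]))
        if e["dst"] not in profile["dst"]:
            alerts.append((e["user"], "new_resource", e["dst"]))
        if e["time"].hour not in profile["hours"]:
            alerts.append((e["user"], "off_hours", e["time"].strftime("%H:%M")))
    return alerts


def run(text: str = SAMPLE_EVENTS) -> List[Alert]:
    events = parse_events(text)
    return detect(events, build_baseline(events))


if __name__ == "__main__":
    for user, kind, detail in run():
        print(f"{user:6} {kind:28} {detail}")
```

On the sample, alice's 03:12 logon to a server she has never used raises two alerts (new resource, off hours), and bob's success from WS-TEMP7 after five failures raises the burst alert plus a new-source-host alert. A real baseline needs far more than three days of data and a threshold tuned to the environment; with a threshold of six the burst would go unreported, which is the trade-off every such detector makes.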

To reduce costs and improve collaboration, organizations increasingly use applications in the cloud, such as Dynamics, SharePoint and Office 365. Control and protection of critical business data is just one of the issues that cloud applications raise.

Problems:

- George received an e-mail with code that turns malicious only after a certain period. Will your protection system recognize it?
- George uses certain cloud applications daily. Do you know which ones? Do you know which data he shares with them?
- George browses the Internet and picks up malware that "sits" in your system for months. Will you know it is there right away, or only after it causes damage?


Microsoft Cloud App Security gives visibility into data while controlling and protecting applications on the Internet. It all begins with discovery. Cloud App Security recognizes over 13,000 cloud applications and identifies which of them are in use on your network, from any device. It then assesses the risk of each application. Discovery is automatic, based on information gathered from firewall and proxy logs, and requires no agents on the devices.

Once you know which cloud applications are in use, you can decide the level of control and set policies for sharing specific data. Cloud App Security also protects applications on the Internet from threats: it identifies risky behaviour and security incidents, detects anomalous activity and blocks threats.
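Added example, not Cloud App Security's catalogue or engine: the discovery step in Python over constructed proxy log lines, with a tiny constructed application catalogue standing in for the vendor's. It aggregates users and upload volume per application from the logs alone, then derives an action from each application's risk score and whether it is sanctioned. Host names, risk scores and thresholds are assumptions.

```python
from typing import Dict, Tuple

# Constructed proxy log lines, not real traffic: time, user, method, host, bytes sent, bytes received.
SAMPLE_PROXY_LOG = """\
2021-01-07T09:01:12 alice POST drive.example-share.net 5242880 512
2021-01-07T09:03:40 alice GET outlook.office365.com 800 20480
2021-01-07T09:15:09 bob POST drive.example-share.net 1048576 300
2021-01-07T09:20:33 carol GET pastesite.example 400 9000
2021-01-07T09:22:01 carol POST pastesite.example 20000 300
2021-01-07T10:05:45 bob GET contoso.sharepoint.com 600 40960
"""

# Constructed catalogue (the real one is the vendor's): host suffix -> (app, risk 0-10, sanctioned?)
CATALOG: Dict[str, Tuple[str, int, bool]] = {
    "office365.com": ("Office 365", 1, True),
    "sharepoint.com": ("SharePoint Online", 1, True),
    "example-share.net": ("ExampleShare (consumer file sync)", 6, False),
    "pastesite.example": ("PasteSite", 9, False),
}


def lookup_app(host: str) -> Tuple[str, int, bool]:
    """Match the host against catalogue suffixes; unknown hosts get a middling risk and count as unsanctioned."""
    for suffix, info in CATALOG.items():
        if host == suffix or host.endswith("." + suffix):
            return info
    return ("unknown:" + host, 5, False)


def discover(log_text: str) -> Dict[str, dict]:
    """Aggregate per application: who uses it and how much data is uploaded to it."""
    apps: Dict[str, dict] = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, user, method, host, sent, _recv = line.split()
        name, risk, sanctioned = lookup_app(host)
        entry = apps.setdefault(name, {"users": set(), "uploaded": 0, "risk": risk, "sanctioned": sanctioned})
        entry["users"].add(user)
        if method in ("POST", "PUT"):  # only count traffic that carries data out
            entry["uploaded"] += int(sent)
    return apps


def recommend(apps: Dict[str, dict], risk_threshold: int = 8, upload_threshold: int = 1_000_000) -> Dict[str, str]:
    """Turn the inventory into actions: block risky unsanctioned apps, alert on bulk uploads to the
    remaining unsanctioned ones, and simply monitor sanctioned ones."""
    actions: Dict[str, str] = {}
    for name, a in apps.items():
        if not a["sanctioned"] and a["risk"] >= risk_threshold:
            actions[name] = "block"
        elif not a["sanctioned"] and a["uploaded"] >= upload_threshold:
            actions[name] = "alert:bulk-upload"
        else:
            actions[name] = "monitor"
    return actions


if __name__ == "__main__":
    inventory = discover(SAMPLE_PROXY_LOG)
    for name, action in recommend(inventory).items():
        users = ", ".join(sorted(inventory[name]["users"]))
        print(f"{action:18} {name:36} users={users} uploaded={inventory[name]['uploaded']}")
```

The point of the example is that nothing is installed on the endpoints: a day of proxy logs is enough to show that two users pushed about 6 MB into a consumer file-sync service nobody approved, which is exactly the "unauthorised Internet apps" figure quoted earlier made concrete.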

Advantages:

- IT staff know exactly which cloud applications are in use
- Threats are detected before they cause damage
- IT staff control and monitor how George uses applications; what can and can't be done is well defined
- Business data are secure in cloud applications
- Thanks to machine learning, patterns of normal behaviour are learned, abnormal ones are recognized and threats are prevented


HOW DOES EMS FUNCTION IN PRACTICE (#O365)

Identity is the starting point of all activity. Azure AD currently offers single sign-on (SSO) for over 2,000 Internet applications, such as Office 365, Dynamics and SharePoint. Multi-factor Authentication adds further control over user identities and passwords, that is, it increases the security of access to company resources.

How does EMS function in practice? Let's look at the example of Office 365, specifically Exchange Online. Mary has bought a smartphone and wants to access her business e-mail from this new, privately-owned device.

How to add Mary’s new smartphone to the company’s network

step 1 - Mary signs in to Azure AD.

step 2 - Mary tries to reach an application on the Internet, specifically Exchange Online as part of Office 365. She cannot access her business mail, because her new smartphone is not among the managed devices, so her request for access to business mail is redirected to Intune.

step 3 - Intune establishes a link with Mary's smartphone (with her permission, of course), adds it to the managed devices and applies the policy defined for smartphones. Administrators can, for example, require that smartphones be protected by a password, encrypt data at rest and use a managed e-mail profile.

step 4 - once Mary's new smartphone has been added to the managed devices and meets the policy, Mary can access business e-mail from her privately-owned phone.
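The four steps above as an added Python model of the decision, not Azure AD's or Intune's code: a conditional-access rule that Exchange Online requires MFA and a compliant, Intune-managed device, and a walkthrough of Mary's phone from unknown device to granted access. It also covers the case the steps skip, a phone that is enrolled but does not yet meet the policy, and a device registered to a different user. Verdict strings, app names and policy fields are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Device:
    device_id: str
    owner: str
    enrolled: bool = False
    has_pin: bool = False
    encrypted: bool = False

    def is_compliant(self, policy: Dict[str, bool]) -> bool:
        """Compliance as Intune would evaluate it against the smartphone policy."""
        if not self.enrolled:
            return False
        if policy.get("require_pin") and not self.has_pin:
            return False
        if policy.get("require_encryption") and not self.encrypted:
            return False
        return True


@dataclass
class Tenant:
    compliance_policy: Dict[str, bool]
    protected_apps: Set[str] = field(default_factory=lambda: {"Exchange Online"})  # apps behind the rule
    devices: Dict[str, Device] = field(default_factory=dict)

    def request_access(self, user: str, device_id: str, app: str, mfa_passed: bool) -> str:
        """Azure AD's verdict for one sign-in: grant, MFA challenge, redirect to enrolment, or deny."""
        if app not in self.protected_apps:
            return "grant"
        if not mfa_passed:
            return "challenge:mfa"
        device = self.devices.get(device_id)
        if device is None or not device.enrolled:
            return "redirect:intune-enrolment"  # step 2: an unknown device is sent to Intune
        if device.owner != user:
            return "deny:device-registered-to-another-user"
        if not device.is_compliant(self.compliance_policy):
            return "deny:noncompliant"
        return "grant"

    def enrol(self, device_id: str, owner: str, consent: bool,
              has_pin: bool, encrypted: bool) -> Optional[Device]:
        """Step 3: Intune registers the device, only with the user's consent, and records its state."""
        if not consent:
            return None
        device = Device(device_id, owner, enrolled=True, has_pin=has_pin, encrypted=encrypted)
        self.devices[device_id] = device
        return device


def mary_walkthrough() -> List[str]:
    """The brochure's four steps, plus the case it skips: enrolled but not yet compliant."""
    tenant = Tenant({"require_pin": True, "require_encryption": True})
    verdicts = []
    # steps 1-2: Mary signs in with MFA and asks for Exchange Online; the phone is unknown to Intune
    verdicts.append(tenant.request_access("mary", "phone-1", "Exchange Online", mfa_passed=True))
    # step 3: Mary consents to enrolment; the phone is encrypted but she has not set a PIN yet
    tenant.enrol("phone-1", "mary", consent=True, has_pin=False, encrypted=True)
    verdicts.append(tenant.request_access("mary", "phone-1", "Exchange Online", mfa_passed=True))
    # Mary sets the PIN Intune demanded; the next check passes (step 4)
    tenant.devices["phone-1"].has_pin = True
    verdicts.append(tenant.request_access("mary", "phone-1", "Exchange Online", mfa_passed=True))
    return verdicts


if __name__ == "__main__":
    for step, verdict in enumerate(mary_walkthrough(), start=1):
        print(f"attempt {step}: {verdict}")
```

The order of checks matters: MFA is evaluated before the device is even looked up, so an attacker with Mary's password and no second factor never learns whether the device is enrolled, and enrolment alone buys nothing until the device actually satisfies the policy.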

[Figure: Mary, the apps, and the four numbered steps routed through Azure Active Directory, Microsoft Intune and Azure Information Protection within Microsoft Enterprise Mobility + Security]

ADVANTAGES OF EM + S FOR OFFICE 365 USERS

Identity and access management:
- single sign-on
- multi-factor authentication
- advanced security reports

Managed mobile productivity:
- managing PCs
- managing mobile apps
- selective wipe

Information protection:
- protection of files stored in Office (on-premises or O365)
- classification and monitoring of documents

Identity-driven security:
- visibility and control
- identification of suspicious activities
- detection of advanced threats


A COMPREHENSIVE SOLUTION FOR CLOUD-FIRST, MOBILE-FIRST CHALLENGES

Each component of the Enterprise Mobility + Security Suite individually offers a solution for managing identities, managing devices or protecting information, but together they are even more powerful, as they offer an integrated approach to the challenges of today's world, where everything is mobile and everything is in the cloud. Furthermore, the technologies are closely integrated with the tools employees use every day, such as Office and Office 365. With EMS you get a higher level of control and security without changing the way your employees work.

Are you interested in how to protect company data and enable employees to work at any time, any place, and from any device?

Contact Span's experts today and gain security for your employees, data, applications and devices!


Span d.o.o.
Koturaška 47, 10 000 Zagreb, Croatia

www.span.eu

[email protected]

ph. +385 1 6690 200
fax. +385 1 6690 299

Nino Veronek / Span, Solution Architect

[email protected]

Ivan Ivković / Span, Senior Solution Engineer

[email protected]