Wait, Microsoft is in the Security Game?
By: Eric Raff
Quick introduction

Joined JourneyTEAM in April 2015. In the IT industry for 20+ years:
- Cloud Solutions Architect
- Identity & Access Management Architect
- SharePoint Architect
- Exchange Server Engineer
- OCS/Lync Engineer
- GroupWise Guy
- Published Author
- Teacher
Some Fun Trivia

- How much a year does Microsoft spend on Security R&D? 1 Billion
- How many AuthN events does Microsoft perform each month? 450 Billion
- How many s does Microsoft scan each month? 400 Billion
Microsoft Cloud Security Solutions (built around Microsoft's Security Graph API; grouped on the slide under Protect, Detect, Respond and Monitor)

- Azure Information Protection: classify, label & protect files – beyond Office 365, including on-prem & hybrid
- Microsoft Cloud App Security: visibility into 15k+ cloud apps, data access & usage, potential abuse
- Office 365 DLP: prevent data loss across Exchange Online, SharePoint Online, OneDrive for Business
- Office 365 Advanced Security Management: visibility into Office 365 app usage and potential data abuse – little brother to Cloud App Security
- Azure Privileged Identity Management: non-standing admin rights; request, approve, audit, time-based access. Flows over into the Azure RBAC framework
- Azure Identity Protection: MFA enrollment, user risk, sign-in risk. Integrates with Conditional Access
- Advanced Threat Analytics: on-prem Active Directory monitoring, alerting and protection
- Advanced Threat Protection: URL re-writing, attachment scanning and detonation, Office 2016 link integration
- Windows Defender Advanced Threat Protection: Windows 10 OS security integrated with the power of the Microsoft Cloud Security Graph API
- Conditional Access: control access to files based on policy, such as identity, machine configuration, geo-location
- Intune / Device Enrollment: manage mobile and desktop devices. Integrates with Conditional Access
A Note on Licensing

Security is the differentiating technology between SKUs:
- E3 bundles: Office 365 E3, EM+S E3, Microsoft 365 E3
- E5 bundles: Office 365 E5, EM+S E5, Microsoft 365 E5
AAD AuthN Methods

First some fun – let's see what method ____ uses for AuthN?
- Password # Sync (P#S) *
- Active Directory Federation Service (ADFS)
- 3rd party Federation Service
- Pass Through Authentication (PTA) *

* Optional: Seamless SSO – Kerberos to AAD from AD (very cool for on-prem desktop SSO from classic domain-joined machines)

Passwordless AuthN is here for MSA, coming in 2018 for AAD accounts – DEMO

Password # Sync (P#S): With this option, password hashes (actually a derivative with 'salt') are synced to Azure AD, allowing users to sign in with the same password as they used with their on-premises Active Directory. Do note that the hashes stored in Active Directory cannot be used to log in to your on-premises environment. This is the simplest option with the least infrastructure footprint. You can learn more about password hash synchronization here.

Active Directory Federation Service (ADFS): Federating your sign-in with ADFS allows the sign-in to be delegated to an on-premises server that validates your credential and sends a security assertion back to Azure AD. In this model, Azure AD never sees any credential associated with the on-premises Active Directory. Additionally, ADFS provides desktop SSO for your corporate domain-joined devices. You can learn more about ADFS here and integration with Azure AD Connect here. For those of you concerned with on-premises data center outages, we recommend that you keep a site available in Azure that you can swap your DNS to, or also run password # sync at the same time and use that if your on-premises data center goes down. ADFS is the #1 federation provider for Azure AD and accounts for nearly 45% of all Azure AD logins (as of May '17).

3rd party Federation Service: This is similar to the model for ADFS, where a customer uses 3rd party federation products or services to perform the sign-in. Examples of 3rd party federation services are Ping Federate and Shibboleth. If the 3rd party federation uses WS-* (recommended) to perform the sign-in, the product and the version must be certified to be used. The certified list is available here. Protocol requirements for SAML protocol vendors connecting to Azure AD are listed here.

Pass Through Authentication (PTA): PTA allows you to enter your credentials on the Azure AD sign-in page, which are then tunneled securely to an on-premises connector to validate against your Active Directory. While the credential is entered on an Azure AD page, it is never stored or saved in any form. You can learn more about PTA here.
Conditional Access Policy: Conditions, Policy Controls, Applications

9/6/2018 3:24 AM

Conditions
- User: identity, group membership
- Session risk: Azure AD Identity Protection Service
- Device: OS platform, is compliant / domain joined, is lost or stolen, device risk (Windows Defender)
- App: mobile or cloud app, per-app policy
- Location: IP range, country / region

Policy Controls
- Access control: allow sign-in, block sign-in, enforce MFA, terms of use
- Session restrictions: restrict download, disable print, prevent data leak

Applications
- Microsoft Cloud, 3rd party SaaS apps, on-premises apps, Microsoft Azure, Partners
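To make the conditions-to-controls model on this slide concrete, here is an added example (not from the presentation, and a simplified model rather than Azure AD's real policy engine) that scopes policies by user group, app, platform, location and Identity Protection sign-in risk, then combines the grant controls of every policy that applies: a block from any policy wins, and a "require compliant device" control that the device cannot satisfy also ends in a block. Policy and group names used in comments and tests are constructed placeholders.

```python
from dataclasses import dataclass, field

RISK_LEVELS = ["none", "low", "medium", "high"]  # Identity Protection sign-in risk scale

@dataclass
class SignIn:
    # One sign-in attempt: the "Conditions" column of the slide.
    user: str
    groups: set
    app: str
    platform: str
    country: str
    device_compliant: bool
    sign_in_risk: str = "none"

@dataclass
class Policy:
    # One policy: the conditions that scope it and the controls it enforces.
    name: str
    groups: set = field(default_factory=set)      # empty = all users
    apps: set = field(default_factory=set)        # empty = all cloud apps
    platforms: set = field(default_factory=set)   # empty = any OS platform
    countries: set = field(default_factory=set)   # empty = any location
    min_risk: str = ""                            # in scope only at this sign-in risk or above
    block: bool = False                           # "Block sign-in"
    require_mfa: bool = False                     # "Enforce MFA"
    require_compliant_device: bool = False        # "Is Compliant / Domain joined"

def policy_applies(p: Policy, s: SignIn) -> bool:
    """A policy is in scope when every condition it configures matches the sign-in."""
    if p.groups and not (p.groups & s.groups):
        return False
    if p.apps and s.app not in p.apps:
        return False
    if p.platforms and s.platform not in p.platforms:
        return False
    if p.countries and s.country not in p.countries:
        return False
    if p.min_risk and RISK_LEVELS.index(s.sign_in_risk) < RISK_LEVELS.index(p.min_risk):
        return False
    return True

def evaluate(policies: list, s: SignIn) -> dict:
    """Block wins; otherwise the grant controls of all matched policies must all be met."""
    matched = [p for p in policies if policy_applies(p, s)]
    if any(p.block for p in matched):
        return {"decision": "block", "by": [p.name for p in matched if p.block]}
    controls = set()
    for p in matched:
        controls |= {c for c, on in (("mfa", p.require_mfa),
                                     ("compliant_device", p.require_compliant_device)) if on}
    if "compliant_device" in controls and not s.device_compliant:  # control cannot be satisfied
        return {"decision": "block", "by": ["unsatisfied control: compliant_device"]}
    return {"decision": "allow", "required": sorted(controls), "by": [p.name for p in matched]}
```

Because controls accumulate across every matched policy, a broad "MFA for everyone" policy and a narrow "compliant device for Finance in the ERP app" policy both apply to a Finance user, which is the behaviour to expect when stacking policies in a tenant.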
Conditional Access DEMO
AAD App Proxy: Secure on-prem Apps
1. The user accesses the application through the Application Proxy service and is directed to the Azure AD sign-in page to authenticate.
2. After a successful sign-in, a token is generated and sent to the client device.
3. The client sends the token to the Application Proxy service, which retrieves the user principal name (UPN) and security principal name (SPN) from the token, then directs the request to the Application Proxy connector.
4. If you have configured single sign-on, the connector performs any additional authentication required on behalf of the user.
5. The connector sends the request to the on-premises application.
6. The response is sent through the Application Proxy service and connector to the user.
Azure AD Privileged Identity Management
- Discover, restrict, and monitor privileged identities
- Enforce on-demand, just-in-time access
- Optionally leverage per-role approval workflows
- Attest admin role membership with access reviews
- Visibility through alerts and audit reports

Diagram: ordinary user is elevated to Global administrator; role privileges expire after a specified interval and the account returns to ordinary user.
PIM DEMO
Leaked Credentials = High Risk User
Cloud App Security: Microsoft Cloud Access Security Broker (CASB)

Today's supported apps: Box, G Suite, Office 365, AWS, Dropbox, Okta, Exchange, ServiceNow, Salesforce. See the feature support matrix here.
Cloud App Security DEMO
Azure Advanced Threat Protection
Attachment is removed but message is delivered with note about the attachment scanning process in place.
Azure Information Protection
- Data labeling and classification
- Integrated into Office 2016 via the AIP client install (AIP client install here)
- Allows you to secure the data: more secure than behind your firewall
- See Hector Perez's session
Summary

- Security services in the Microsoft Cloud are maturing
- Services are enabling advanced security for everyone
- Continually evolving and improving
Other Sessions

- Send Secure to Anyone with Office 365 and Enterprise Mobility + Security Suite – 1:50 – 2:50 – Hector Perez
- Identity & Access Management Showdown: Microsoft EMS vs Okta – 3:10 – 4:10 – Eric Raff & Joe Crandall
THANK YOU