Published by Victor Richard. Modified over 9 years ago.
Slide 3
The threat landscape, familiar versus modern:

Familiar                                   | Modern
Script kiddies; cybercrime                 | Cyber-espionage; cyber-warfare
Cybercriminals                             | State-sponsored actions; unlimited resources
Attacks on Fortune 500 companies           | All sectors, and even suppliers, getting targeted
Software solutions                         | Hardware-rooted trust is the only way
Secure the perimeter                       | Assume breach; protect at all levels
Hoping I don't get hacked                  | You will be hacked. Did I successfully mitigate?
Company-owned, tightly managed devices     | Bring your own device, with varied management
Slide 4
Windows 10 security overview (this slide recurs as a section divider through the deck): Attestation; UEFI Secure Boot; TPM 2.0; only signed binaries; single-source updates; OS services; Trusted Boot; app platform; network security; Microsoft Passport; two-factor authentication; Windows Hello; mobile device management; Enterprise Data Protection; device encryption; IRM and S/MIME; browser security; Store apps; Business Store Portal; cloud services.
Slide 5
UEFI specifications: http://www.uefi.org/specs/
Slide 6
Boot chain, with the party that owns and signs each stage (SoC vendor, OEM, MSFT):
Power on -> firmware boot loaders (SoC vendor) -> OEM UEFI applications (OEM) -> Windows boot manager (MSFT) -> then one of: Windows OS boot, Windows Update OS boot, or boot to flashing mode.
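The chain above is the chain of trust that Secure Boot and attestation rest on: each stage verifies the signature on the next before handing over, and a TPM PCR is extended with a measurement of every stage so the boot can be attested afterwards. The Go program below is an added example written for this page, not Microsoft's or the UEFI Forum's code. The party names, image bytes and the owner-to-key database are constructed stand-ins, and P-256 ECDSA over a SHA-256 digest replaces the Authenticode (PKCS#7) signatures real UEFI binaries carry.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Stage is one link of the chain on the slide. Owner names the party whose
// key must have signed it: "SoC vendor", "OEM" or "MSFT" (model simplification).
type Stage struct {
	Name  string
	Owner string
	Image []byte // constructed stand-in for the real binary
	Sig   []byte // ASN.1 ECDSA P-256 signature over SHA-256(Image)
}

// Signer holds one party's signing key; generated fresh here, kept in HSMs in reality.
type Signer struct {
	Owner string
	Key   *ecdsa.PrivateKey
}

func NewSigner(owner string) *Signer {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Signer{Owner: owner, Key: k}
}

// Sign authenticates an image under this party's key.
func (s *Signer) Sign(name string, image []byte) Stage {
	h := sha256.Sum256(image)
	sig, err := ecdsa.SignASN1(rand.Reader, s.Key, h[:])
	if err != nil {
		panic(err)
	}
	return Stage{Name: name, Owner: s.Owner, Image: image, Sig: sig}
}

// PCRExtend models a TPM PCR extend: new = SHA-256(old || SHA-256(image)).
// The value depends on every image measured so far and on their order, which
// is what remote attestation later compares against a known-good value.
func PCRExtend(pcr [32]byte, image []byte) [32]byte {
	m := sha256.Sum256(image)
	return sha256.Sum256(append(pcr[:], m[:]...))
}

// VerifyChain plays each stage checking the next before handing over. db maps
// owner -> trusted public key, the role the UEFI "db" signature database plays.
// Boot halts at the first stage that fails; the returned PCR covers only the
// stages that actually ran, so a halted boot attests differently as well.
func VerifyChain(db map[string]*ecdsa.PublicKey, chain []Stage) ([32]byte, error) {
	var pcr [32]byte
	for _, st := range chain {
		pub, ok := db[st.Owner]
		if !ok {
			return pcr, fmt.Errorf("%s: no trusted key for owner %q", st.Name, st.Owner)
		}
		h := sha256.Sum256(st.Image)
		if !ecdsa.VerifyASN1(pub, h[:], st.Sig) {
			return pcr, fmt.Errorf("%s: signature does not verify under %s key; halting boot", st.Name, st.Owner)
		}
		pcr = PCRExtend(pcr, st.Image)
	}
	return pcr, nil
}

// BuildDemo sets up the three parties from the slide and a chain in which each
// stage is signed by the party that owns it. Image contents are made up.
func BuildDemo() (map[string]*ecdsa.PublicKey, []Stage) {
	soc, oem, msft := NewSigner("SoC vendor"), NewSigner("OEM"), NewSigner("MSFT")
	db := map[string]*ecdsa.PublicKey{
		soc.Owner:  &soc.Key.PublicKey,
		oem.Owner:  &oem.Key.PublicKey,
		msft.Owner: &msft.Key.PublicKey,
	}
	chain := []Stage{
		soc.Sign("firmware boot loader", []byte("FBL image (constructed)")),
		oem.Sign("OEM UEFI application", []byte("OEM diagnostics app (constructed)")),
		msft.Sign("Windows boot manager", []byte("bootmgfw.efi (constructed)")),
		msft.Sign("Windows OS loader", []byte("winload.efi (constructed)")),
	}
	return db, chain
}

func main() {
	db, chain := BuildDemo()
	pcr, err := VerifyChain(db, chain)
	fmt.Printf("clean boot: err=%v pcr=%s\n", err, hex.EncodeToString(pcr[:]))

	// Flip one byte in the boot manager: MSFT's signature no longer matches.
	tampered := append([]Stage(nil), chain...)
	img := append([]byte(nil), tampered[2].Image...)
	img[0] ^= 0x01
	tampered[2].Image = img
	_, err = VerifyChain(db, tampered)
	fmt.Printf("tampered boot manager: err=%v\n", err)
}
```

Two caveats when mapping this back to real firmware. First, a real UEFI db trusts every enrolled certificate for every binary; which images a given key may sign is a policy of the key holder, not something the firmware enforces, so the per-stage Owner field here is a modelling convenience. Second, Secure Boot and measured boot are independent: signature failure halts the boot, while the PCR value only records what ran, and it is the attestation service that decides whether a given PCR value is acceptable.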
Slide 10
App platform: the Least Privilege Chamber (LPC), with dynamic permissions, versus the Trusted Computing Base (TCB), with fixed permissions. A chamber boundary is a security boundary; it defines the app's security boundary on the device. Chambers are defined by policy rules held in a central repository, each rule a 3-tuple {Principal, Right, Resource}. An app's rules are expressed in its application manifest and disclosed in the Windows Store.
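To make the chamber model concrete, here is an added Go example of a rule repository keyed on the {Principal, Right, Resource} tuple. It is written for this page and is not the Windows chamber implementation; the chamber names, rights and resources are made up, and Windows' real capability identifiers are not used. It shows the two behaviours the slide contrasts: a fixed-permission (TCB) chamber refuses runtime grants, while an LPC chamber starts from its manifest and can be granted more, with every decision a default-deny lookup in the central store.

```go
package main

import (
	"errors"
	"fmt"
)

// Rule is the 3-tuple from the slide: a principal holds a right on a resource.
type Rule struct{ Principal, Right, Resource string }

// Chamber is one app's security boundary. Fixed chambers (the TCB) keep the
// rights they were created with; LPC chambers can be granted more at runtime.
type Chamber struct {
	Name  string
	Fixed bool
}

// Repository is the central rule store: every access decision is a lookup here.
type Repository struct {
	chambers map[string]*Chamber
	rules    map[Rule]bool
}

func NewRepository() *Repository {
	return &Repository{chambers: map[string]*Chamber{}, rules: map[Rule]bool{}}
}

// Declare creates a chamber from the rights its manifest lists, keyed by
// resource. For an LPC app this is what the Store discloses to the user.
func (r *Repository) Declare(name string, fixed bool, manifest map[string][]string) *Chamber {
	c := &Chamber{Name: name, Fixed: fixed}
	r.chambers[name] = c
	for resource, rights := range manifest {
		for _, right := range rights {
			r.rules[Rule{name, right, resource}] = true
		}
	}
	return c
}

// Grant adds a dynamic permission (for example after a consent prompt). It is
// refused for fixed-permission chambers, whose rights are not negotiable at runtime.
func (r *Repository) Grant(name, right, resource string) error {
	c, ok := r.chambers[name]
	if !ok {
		return fmt.Errorf("unknown chamber %q", name)
	}
	if c.Fixed {
		return errors.New("fixed-permission chamber: dynamic grant refused")
	}
	r.rules[Rule{name, right, resource}] = true
	return nil
}

// Check is the access decision: default deny unless this exact tuple exists.
func (r *Repository) Check(name, right, resource string) bool {
	return r.rules[Rule{name, right, resource}]
}

func main() {
	repo := NewRepository()
	repo.Declare("PhoneService", true, map[string][]string{"cellular": {"call", "sms"}})
	repo.Declare("ContosoMaps", false, map[string][]string{"location": {"read"}})
	fmt.Println(repo.Check("ContosoMaps", "read", "location"))  // true: declared in manifest
	fmt.Println(repo.Check("ContosoMaps", "read", "contacts"))  // false: never granted
	fmt.Println(repo.Grant("ContosoMaps", "read", "contacts"))  // <nil>: dynamic grant
	fmt.Println(repo.Grant("PhoneService", "read", "contacts")) // error: fixed chamber
}
```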
Slide 16
Microsoft Passport sign-in flow. Identity providers (IDPs): Active Directory, Azure Active Directory, Microsoft Account, other IDPs.
1. The user creates an account or proves identity to the IDP; the device creates a unique key and the IDP trusts it.
2. The user unlocks the Windows identity container with a PIN or Windows Hello and signs the authentication request.
3. The IDP authenticates by validating the signed request and issues an authentication token (token binding).
4. The access token is presented to the relying party (the resource), which trusts tokens from the IDP.
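The four steps above, carried through as an exchange between the device, the IDP and a relying party. This is an added Go example written for this page, not Microsoft's Passport or Hello code, and it simplifies: the device key is an in-memory P-256 key released by a PIN string rather than a TPM-resident key released by the PIN or biometric, the IDP tags tokens with an HMAC under a caller-supplied secret rather than signing them asymmetrically, and the "user|audience|tag" token format, the user name and the audience names are all constructed. What it preserves is the security shape of the slide: the private key never leaves the device, each sign-in signs a fresh nonce bound to the intended audience, the IDP consumes the nonce so a captured signature cannot be replayed, and the relying party only ever checks the token's origin and audience.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// requestDigest binds a sign-in to user, nonce and audience: no replay, no redirection.
func requestDigest(user, nonce, audience string) []byte {
	h := sha256.Sum256([]byte(user + "\x00" + nonce + "\x00" + audience))
	return h[:]
}

// mint builds the IDP token "user|audience|hmac". A real IDP signs asymmetrically.
func mint(secret []byte, user, audience string) string {
	body := user + "|" + audience
	m := hmac.New(sha256.New, secret)
	m.Write([]byte(body))
	return body + "|" + hex.EncodeToString(m.Sum(nil))
}

// Device stands in for the identity container: a PIN string gates an in-memory
// key where Passport has the TPM release a key after the PIN or Hello gesture.
type Device struct {
	Key *ecdsa.PrivateKey
	pin string
}

func NewDevice(pin string) *Device {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Device{Key: k, pin: pin}
}

// SignRequest is step 2: unlock the container with the PIN, then sign.
func (d *Device) SignRequest(pin, user, nonce, audience string) ([]byte, error) {
	if subtle.ConstantTimeCompare([]byte(pin), []byte(d.pin)) != 1 {
		return nil, errors.New("identity container locked: wrong PIN")
	}
	return ecdsa.SignASN1(rand.Reader, d.Key, requestDigest(user, nonce, audience))
}

// IDP models the identity provider (AD, Azure AD, Microsoft Account, ...).
type IDP struct {
	keys   map[string]*ecdsa.PublicKey // user -> device public key (step 1)
	nonces map[string]bool             // outstanding challenges, single use
	Secret []byte                      // token tagging key shared with relying parties
}

func NewIDP(secret []byte) *IDP {
	return &IDP{keys: map[string]*ecdsa.PublicKey{}, nonces: map[string]bool{}, Secret: secret}
}

// Register is step 1: the user proved identity, so the IDP trusts this device key.
func (i *IDP) Register(user string, pub *ecdsa.PublicKey) { i.keys[user] = pub }

// Challenge issues a fresh nonce so each sign-in signs something new.
func (i *IDP) Challenge() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	n := hex.EncodeToString(b)
	i.nonces[n] = true
	return n
}

// Authenticate is step 3: consume the nonce, verify the signature, issue a token.
func (i *IDP) Authenticate(user, nonce, audience string, sig []byte) (string, error) {
	pub := i.keys[user]
	if pub == nil || !i.nonces[nonce] {
		return "", fmt.Errorf("unknown user %q or unknown/used nonce", user)
	}
	delete(i.nonces, nonce)
	if !ecdsa.VerifyASN1(pub, requestDigest(user, nonce, audience), sig) {
		return "", errors.New("signature does not verify under registered key")
	}
	return mint(i.Secret, user, audience), nil
}

// AcceptToken is step 4 at the relying party: it never sees the PIN or device
// key, only a token it checks came from the IDP and was issued for it.
func AcceptToken(idpSecret []byte, audience, token string) (string, error) {
	parts := strings.Split(token, "|")
	if len(parts) != 3 || subtle.ConstantTimeCompare([]byte(token), []byte(mint(idpSecret, parts[0], parts[1]))) != 1 {
		return "", errors.New("malformed token or not from trusted IDP")
	}
	if parts[1] != audience {
		return "", fmt.Errorf("token issued for %s, not %s", parts[1], audience)
	}
	return parts[0], nil
}
```

The audience inside the signed digest is what makes the second-factor property hold across services: a signature obtained for one relying party does not authenticate the user to another, and a token minted for one audience is rejected by every other, even though all of them trust the same IDP.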
Slide 25
The same flow with mobile device management (MDM) attached. Identity providers (IDPs): Active Directory, Azure Active Directory, Microsoft Account, other IDPs.
1. The user creates an account or proves identity; the device creates a unique key and the IDP trusts it.
2. The user unlocks the Windows identity container with a PIN or Hello.
MDM enrollment takes place alongside these steps, and (4) the authentication token is issued as before.
Through enrollment, MDM delivers the Enterprise Data Protection (EDP) policies: key management; enterprise-allowed apps; network and storage; app data-flow management; block or allow/audit controls; selective wipe on un-enrollment.
Slide 26
Personal apps and data (unmanaged) sit alongside business apps and data (managed); data exchange between the two is controlled.
Slide 29
Example prompt shown on the slide: "Pasting content from a Fabrikam file to a personal file is discouraged, and if you choose 'paste anyway' your action and the content will be logged for IT review."
Slide 30
One consistent set of MDM capabilities across mobile, desktop and IoT:

Enrollment: provisioning; bulk enrollment; simple bootstrap; converged protocol; Azure AD integration.
Inventory: enhanced inventory for compliance decisions; app inventory (MDM/Store).
Application management: curated Windows Store; Volume Purchase Program and app distribution; license reclaim and re-use; enterprise app management; LOB app management; app allow/deny list.
Device configuration and security: extended set of policies; context-based policies; client certificates with direct install (PFX); enterprise Wi-Fi profiles; VPN profiles; email provisioning; MDM push when no user is logged in; kiosk mode; Start screen configuration and control; enterprise data protection.
Remote assistance: remote lock, PIN reset, ring and find; full device wipe.
Unenrollment: un-enrollment with alerts; removal of configuration and EDP-protected data.
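Slides 26, 29 and 30 together describe one decision: what happens when enterprise-tagged data is about to leave the set of enterprise-allowed apps, under the mode MDM has pushed (off, audit, override with "paste anyway", or block), plus what selective wipe removes at un-enrollment. The Go example below is added for this page and is not Windows' EDP implementation; the enterprise identity "fabrikam.com", the app names and the four-mode vocabulary are constructed for illustration, and any data whose owner tag matches the enterprise identity is treated as managed.

```go
package main

import "fmt"

// Mode is the enforcement level MDM pushes for enterprise data leaving managed
// apps; the slide's "Block or Allow/Audit controls". Names are this example's own.
type Mode int

const (
	Off      Mode = iota // no enforcement, no logging
	Audit                // allow silently, log for IT review
	Override             // prompt; "paste anyway" allows and logs
	Block                // refuse outright
)

// App is identified by name. Data carries its owner tag: "" for personal data,
// the enterprise identity (for example "fabrikam.com") for data created in or
// received by a managed app.
type App struct{ Name string }
type Data struct{ Owner string }

type Policy struct {
	EnterpriseID string
	Allowed      map[string]bool // enterprise-allowed apps, delivered by MDM
	Mode         Mode
}

type Decision struct {
	Allow  bool
	Log    bool
	Reason string
}

// Managed reports whether an app is on the enterprise allowed list.
func (p Policy) Managed(a App) bool { return p.Allowed[a.Name] }

// Evaluate decides whether data d may be pasted, shared or saved into dst.
// userOverride is true once the user has chosen "paste anyway".
func (p Policy) Evaluate(d Data, dst App, userOverride bool) Decision {
	if d.Owner != p.EnterpriseID {
		return Decision{Allow: true, Reason: "not this enterprise's data; unmanaged"}
	}
	if p.Managed(dst) {
		return Decision{Allow: true, Reason: "destination is an enterprise-allowed app"}
	}
	// Enterprise data heading for a personal app: the mode decides.
	switch p.Mode {
	case Off:
		return Decision{Allow: true, Reason: "enterprise data protection off"}
	case Audit:
		return Decision{Allow: true, Log: true, Reason: "allowed; logged for IT review"}
	case Override:
		if userOverride {
			return Decision{Allow: true, Log: true, Reason: "user chose paste anyway; action and content logged"}
		}
		return Decision{Allow: false, Reason: "discouraged: user must confirm paste anyway"}
	default:
		return Decision{Allow: false, Reason: "blocked by policy"}
	}
}

// SelectiveWipe is what un-enrollment does on the device: enterprise-tagged
// data is removed, personal data is left alone.
func SelectiveWipe(p Policy, items []Data) []Data {
	var kept []Data
	for _, d := range items {
		if d.Owner != p.EnterpriseID {
			kept = append(kept, d)
		}
	}
	return kept
}

func main() {
	p := Policy{
		EnterpriseID: "fabrikam.com",
		Allowed:      map[string]bool{"Word": true, "Outlook": true},
		Mode:         Override,
	}
	ent, personal := Data{Owner: "fabrikam.com"}, Data{}
	fmt.Printf("%+v\n", p.Evaluate(ent, App{"Outlook"}, false))
	fmt.Printf("%+v\n", p.Evaluate(ent, App{"Notepad"}, false))
	fmt.Printf("%+v\n", p.Evaluate(ent, App{"Notepad"}, true))
	fmt.Printf("%+v\n", p.Evaluate(personal, App{"Notepad"}, false))
	fmt.Printf("%+v\n", SelectiveWipe(p, []Data{ent, personal}))
}
```

Two details worth keeping when building or auditing such a policy: the decision keys on the data's owner tag, not on which app the user happens to be in, so enterprise content opened in a personal app stays protected, and Block wins over a user override, which is the difference between "discouraged" on slide 29 and a hard boundary.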
Slide 35
Online with mobile device management.
Slide 39
Windows security (solid identities, data protection, secured devices, application controls) enabled by the Microsoft cloud: Enterprise Mobility Suite, Office 365 and Azure AD, simplified and integrated, with flexible options and reduced complexity.