Enterprise Mobility and Security Blog


This is Part 2 of a 3-part blog series based on the new eBook, “Protect Identities, Devices, and Your Company Information in Today’s Device-Centric World.” Check out Part 1 and Part 3.

When your job is to manage identities and devices and to protect information, you don't have any "simple" tasks. Just staying up to date on the latest technology, ongoing trends, and emerging threats is a full-time job, to say nothing of having to implement all of this while keeping up with the day-to-day demands of your organization.

We created the Enterprise Mobility Suite (EMS) to address the enormous challenges associated with identity management, device management, and information protection. In this post, I'm going to dive into what EMS can do for you in each of these areas.

Identity Management

Single sign-on to multiple apps would be a welcome time-saver for any worker, and eliminating the need to remember multiple passwords and logins is even better. In the past, many of these problems were solved with on-prem identity management such as Active Directory (AD).

As the workforce's workstreams, responsibilities, and data consumption move to the cloud, the management of their identities has to move there, too. Asking an on-prem solution to keep up with the sheer number of cloud-based apps invites chaos: a direct connection between your identity management solution and every SaaS app your workforce uses quickly becomes too complex to manage, and each of those connections is one more place where credentials and trust have to be maintained. Unsurprisingly, this is exactly the situation many organizations find themselves in today:


Figure 4: Creating a direct connection between every organization’s identity management solution and every SaaS application would quickly become too complex to manage.

Rather than spend your days untangling that sort of mess, a much more productive approach is a cloud-based identity management solution that interoperates with the directory you're already running on-prem: Azure Active Directory Premium (AADP).

With AADP, the AD you've been using (AD has a 90% share of the market, so I assume you're using it!) remains an essential part of your operation. Your on-prem directory is synchronized to Azure AD, and Azure AD then brokers all the connections your workforce makes to SaaS apps.

Rather than that train wreck shown above in Figure 4, see how much simpler AADP makes things in Figure 5:


Figure 5: Cloud-based identity management with Azure Active Directory greatly simplifies managing single sign-on to SaaS applications.

AADP addresses several otherwise intractable problems: SSO is made simple, you retain control of identities through the AD console you already know, and because access decisions run through a single cloud-based control plane, one login governs access to both on-prem and SaaS apps. Life immediately becomes easier for both users and admins.

Azure AD currently provides SSO to more than 2,000 cloud apps, including Office 365, Salesforce.com, Dropbox, Workday, and ServiceNow. To see what it can do in action, I really recommend checking out my recap of the Cloud App Discovery demo I did at Ignite.

It’s not all about SSO, however; this service offers a ton of other features, such as:

  • Support for multi-factor authentication (MFA).
    This builds on the same technology we built to detect suspicious logins in Outlook.com: when the machine learning flags a sign-in as suspicious, the person requesting access is automatically challenged for their password plus an additional factor (for example, a code sent to their mobile phone). A stolen password alone is then not enough to get in. This makes you more secure.
  • The Cloud App Discovery tool.
    As noted above, this is how you learn which SaaS applications your employees are actually using. For nearly every organization, this tool is the first time they see all the SaaS in use inside the company, including apps that IT never sanctioned. This makes you better informed.
  • Detailed reporting that tracks users and warns about suspect behavior.
    For example, Azure AD flags sign-ins from identities that may be compromised, such as successive sign-ins from locations too far apart for the user to have travelled between them. When I show this to people they are blown away by how we can identify compromised identities and stop attacks. This makes you more secure.
  • Integration with the most popular SaaS applications.
    For Salesforce, Workday, and others, the integration goes beyond SSO. For example, a user can be automatically provisioned in those applications when they are added to Azure AD, and removed again when they are deprovisioned there. This makes you more efficient.
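The reporting bullet above describes the kind of anomaly such a service looks for without saying how. The following is an added example, not code from the original post and not Azure AD's own (unpublished) detection logic: it runs two common heuristics, impossible travel between successive successful sign-ins and a success following a burst of failures, over a constructed set of sign-in records. The user names, IPs, coordinates, the 900 km/h speed ceiling and the 5-failures-in-10-minutes threshold are all assumptions chosen for illustration.

```python
"""Two heuristics for spotting possibly compromised sign-ins, run over
constructed sample records. Added illustration only: Azure AD's own
reports use Microsoft's models, not this code."""
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Constructed sample sign-in records (not real log data). Fields mirror what
# a sign-in report typically carries: who, when, from where, and the outcome.
SIGN_INS = [
    {"user": "alice@contoso.example", "time": "2015-06-01T08:00:00", "ip": "203.0.113.10",
     "city": "Seattle", "lat": 47.61, "lon": -122.33, "success": True},
    {"user": "alice@contoso.example", "time": "2015-06-01T08:40:00", "ip": "198.51.100.7",
     "city": "Kyiv", "lat": 50.45, "lon": 30.52, "success": True},
    {"user": "carol@contoso.example", "time": "2015-06-01T10:00:00", "ip": "192.0.2.9",
     "city": "Redmond", "lat": 47.67, "lon": -122.12, "success": True},
    {"user": "carol@contoso.example", "time": "2015-06-01T12:00:00", "ip": "203.0.113.10",
     "city": "Seattle", "lat": 47.61, "lon": -122.33, "success": True},
]
# Five failed attempts for bob within five minutes, then a success from the same IP.
SIGN_INS += [
    {"user": "bob@contoso.example", "time": f"2015-06-01T09:0{i}:00", "ip": "192.0.2.5",
     "city": "Redmond", "lat": 47.67, "lon": -122.12, "success": i == 5}
    for i in range(6)
]


def _t(event):
    return datetime.strptime(event["time"], "%Y-%m-%dT%H:%M:%S")


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two points."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def _by_user(events):
    """Group events per user, oldest first."""
    grouped = defaultdict(list)
    for e in sorted(events, key=_t):
        grouped[e["user"]].append(e)
    return grouped


def impossible_travel(events, max_kmh=900.0):
    """Flag consecutive successful sign-ins for one user whose implied speed
    exceeds max_kmh (roughly an airliner). Two different cities at the same
    timestamp count as well."""
    alerts = []
    for user, evs in _by_user(events).items():
        successes = [e for e in evs if e["success"]]
        for prev, cur in zip(successes, successes[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            hours = (_t(cur) - _t(prev)).total_seconds() / 3600
            if km > 0 and (hours == 0 or km / hours > max_kmh):
                alerts.append({"user": user, "rule": "impossible_travel",
                               "detail": f"{prev['city']} -> {cur['city']}, "
                                         f"~{km:.0f} km in {hours * 60:.0f} min"})
    return alerts


def success_after_failures(events, threshold=5, window=timedelta(minutes=10)):
    """Flag a successful sign-in preceded by at least `threshold` failures for
    the same user inside `window` (the shape of a guessed or sprayed password)."""
    alerts = []
    for user, evs in _by_user(events).items():
        for i, e in enumerate(evs):
            if not e["success"]:
                continue
            recent = [p for p in evs[:i] if not p["success"] and _t(e) - _t(p) <= window]
            if len(recent) >= threshold:
                alerts.append({"user": user, "rule": "success_after_failures",
                               "detail": f"{len(recent)} failures in the {window} "
                                         f"before a success from {e['ip']}"})
    return alerts


def detect(events):
    """Run every rule and return the combined alert list."""
    return impossible_travel(events) + success_after_failures(events)


if __name__ == "__main__":
    for a in detect(SIGN_INS):
        print(f"{a['rule']:24} {a['user']:24} {a['detail']}")
```

Alice trips the travel rule (Seattle to Kyiv in 40 minutes), Bob trips the failure-burst rule, and Carol's Redmond-to-Seattle hop two hours later is left alone. In a real pipeline the geolocation would come from an IP database and both thresholds would be tuned against your own sign-in history; the value of a hosted service is that this tuning is done for you across a much larger population of sign-ins.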

Device Management

The need to manage devices of every shape, size, and platform has long since become the new normal for IT. Managing the devices themselves (Mobile Device Management, or MDM) is a must-have first step, but, in order to be proactive, scalable, and secure, managing the apps on those devices (Mobile Application Management, or MAM) is critical.

Mobile devices consume most of their content from the cloud and SaaS apps, so, just as with identity management, the management of those devices needs to be cloud-based. Running MDM on-prem requires routing communications between devices and apps through your on-prem setup:


Figure 6: Traditional solutions for MDM and MAM often require communication between mobile devices and cloud applications to go through an on-premises bottleneck.

There are legitimate concerns with this setup. The ceiling on its performance and scalability is low. Worse, when one of your users buys a new mobile device and sets it up at home, its traffic to the cloud app goes straight to the app and never passes through your organization, so the on-prem MDM never sees the device and cannot enforce policy on it. Big problems all around.

Using an on-prem solution for MDM means accepting that you're limiting the speed of interaction between devices and cloud apps, and that your own IT organization has to worry about scaling to keep up. Save yourself the years this will take off your life by doing both your MDM and MAM from the cloud. Do it the modern way:


Figure 7: By providing MDM and MAM as a cloud service, Microsoft Intune provides a simpler, more sensible approach for the modern world.

This is the exact approach we have developed with Microsoft Intune. With Intune, devices can use both on-prem and SaaS apps via a common, cloud-based control plane. As noted in Figure 7, what was once a huge bottleneck with on-prem is now a scalable, cloud-based service. Intune can manage all the cloud-based traffic, and your infrastructure can manage on-prem traffic the same as before (in most cases with SCCM).

The benefits of using a cloud-based solution for MDM and MAM are vast.

Consider, for example, the challenge of keeping up with the constant stream of OS and app updates: iOS, Android, and now Windows 10 are updated frequently, and often in ways that affect how those devices are managed. The volume of new material is immense. These updates require corresponding updates to the MDM software so that 1) those devices continue to operate as expected, and 2) users can take advantage of the new capabilities.

Here’s what this process looks like using an on-prem setup:

  1. The MDM/MAM vendor will need to ship out the new patches to each customer (which takes time).
  2. Then you have to install these patches (which takes time).
  3. Next, your team will have to test these patches (even more time).
  4. Now, multiply this by all the different types of devices and each platform (an insane amount of time).

Considering how often these updates roll out, the odds of you ever being 100% current are very small.

A problem like this seems almost too big to solve, but with cloud-based MDM/MAM, every time a new version of (for example) iOS is released, we update Intune at the same time, so every one of your devices stays manageable as it upgrades. Automatically. You never see or feel it happen. It just works.

A quick overview of the additional benefits of Intune include:

  • The unique ability to effectively manage Office mobile applications on your users’ iOS, Android, and Windows devices. (We’ll look more closely at what this means later.)
  • The ability to effectively manage your internal applications – and have them fully participate with the Office mobile apps.
  • The ability to effectively manage the key apps from partners like Box, SAP, Adobe and Citrix.
  • The ability to remotely delete all corporate information from a user's device while leaving their personal data intact (a selective wipe). You might do this when an employee leaves your organization, or when their device falls out of compliance.
  • A unified endpoint management solution that lets you manage your organization’s mobile devices and desktop PC’s from the same administrative environment. This relies on the tight integration Microsoft has built between Intune and System Center Configuration Manager.

Information Protection

Any IT organization is going to sleep a lot easier if they can consistently answer questions like: Who is allowed to access a particular document? and What kind of access is permitted (reading, writing, etc.)?

Being able to get this granular with data protection is worth its weight in gold, if you can do it. Even in the on-prem era, before documents were flying between devices and living in the cloud, this type of control was more aspirational than real, but now, with the need for it greater than ever, a solution is finally in place.

For the last several years, we have offered Active Directory Rights Management Services (AD RMS), but it came with its own limitations:


Figure 8: Relying on an on-premises technology for information protection requires manually configuring point-to-point connections for identity management between individual organizations.

In Figure 8 we see two organizations that want to share a protected document, and they want only certain people within each org to see it. To do this, each attempt to open the document has to be verified by a data protection service. An on-prem solution can meet this need if you go to the trouble of setting up a point-to-point federation between the identity management solutions the two orgs are using. That's a lot of trouble for a handful of people to view one document. So much trouble, in fact, that it was very rarely done, which left the boundaries around sensitive documents very porous.

A cloud-based data protection setup, however, looks a lot simpler:


Figure 9: Using a shared cloud solution for identity management and information protection greatly simplifies controlling access to documents.

What you see in Figure 9 is a way for the two orgs to work securely without the giant time commitment of setting up direct connections to each other. Instead, they both securely connect to a shared cloud service, in this case Azure AD and Azure Rights Management Service (RMS). Each org trusts the service once, rather than trusting every partner individually, so with this cloud-based model in place you can work securely with a limitless number of organizations, and the model moves with you. Working securely means operating simply.

For reference, Azure RMS also delivers:

  • Support for policy templates, which let you define policies for sharing protected documents. For example, an organization might define a template that restricts access to a particular document to people in the R&D organization only.
  • Document tracking that records successful and unsuccessful access attempts by recipients of a protected document, plus the ability to revoke access to a document after it has been shared.
  • The option to encrypt documents using your own key (bring your own key, or BYOK) rather than one generated by Azure RMS.
  • Cloud identity plus AADP: the same identity service protects both your cloud identities and your on-prem identities.
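To make the Figure 9 arrangement and the bullets above concrete, here is an added example that is not code from the original post and not Azure RMS's protocol, file format, or cryptography. It models one shared rights service that both organizations trust: the content key never travels with the document, every open goes back to the service for a policy check that is logged, a template names the groups and rights, and revocation closes the document even for people who could open it before. The organization names, group claims, template name, and the HMAC-based stream cipher standing in for real encryption are all assumptions made for illustration; the user's group claims are taken as already issued by the shared identity service.

```python
"""Minimal model of the shared-service arrangement in Figure 9: two
organizations protect and open documents through one rights service with
no federation between their directories. Added illustration only."""
import hmac
import os
from dataclasses import dataclass


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: HMAC-SHA256 keystream in counter mode XORed with the
    data, so one call both encrypts and decrypts. A real service uses AES;
    this only keeps the example on the standard library."""
    out = bytearray()
    for block, start in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, nonce + block.to_bytes(4, "big"), "sha256").digest()
        out.extend(b ^ k for b, k in zip(data[start:start + 32], ks))
    return bytes(out)


@dataclass(frozen=True)
class Template:
    """Policy template: which groups may open the document, with which rights."""
    name: str
    allowed_groups: frozenset
    rights: frozenset


@dataclass(frozen=True)
class ProtectedDoc:
    """What travels between organizations. The content key is not in it."""
    doc_id: str
    template: str
    nonce: bytes
    ciphertext: bytes


class RightsService:
    """The shared cloud service both organizations trust (assumed role)."""

    def __init__(self, templates):
        self.templates = {t.name: t for t in templates}
        self._keys = {}      # doc_id -> content key, released only after a policy check
        self.revoked = set()
        self.log = []        # (doc_id, user, right, outcome): document tracking

    def protect(self, doc_id: str, plaintext: bytes, template_name: str) -> ProtectedDoc:
        template = self.templates[template_name]   # KeyError if no such template
        key, nonce = os.urandom(32), os.urandom(16)
        self._keys[doc_id] = key
        return ProtectedDoc(doc_id, template.name, nonce, keystream_xor(key, nonce, plaintext))

    def open(self, user: dict, doc: ProtectedDoc, right: str) -> bytes:
        """Every access attempt is decided and logged here, granted or not."""
        outcome = self._decide(user, doc, right)
        self.log.append((doc.doc_id, user["upn"], right, outcome))
        if outcome != "granted":
            raise PermissionError(outcome)
        return keystream_xor(self._keys[doc.doc_id], doc.nonce, doc.ciphertext)

    def _decide(self, user: dict, doc: ProtectedDoc, right: str) -> str:
        if doc.doc_id in self.revoked:
            return "denied: document revoked"
        template = self.templates[doc.template]
        if not (user["groups"] & template.allowed_groups):
            return "denied: user not in an allowed group"
        if right not in template.rights:
            return f"denied: right '{right}' not granted by template"
        return "granted"

    def revoke(self, doc_id: str) -> None:
        """Later opens fail even for users who could open the document before."""
        self.revoked.add(doc_id)


def run_scenario():
    """Contoso protects a document for R&D in both orgs; Fabrikam users open it
    through the same service. Identities are constructed claims (upn, groups) as
    the shared identity service would present them after authentication."""
    service = RightsService([Template("RnD-ReadOnly",
                                      frozenset({"contoso:rnd", "fabrikam:rnd"}),
                                      frozenset({"read"}))])
    contoso_rnd = {"upn": "alice@contoso.example", "groups": frozenset({"contoso:rnd"})}
    fabrikam_rnd = {"upn": "dave@fabrikam.example", "groups": frozenset({"fabrikam:rnd"})}
    fabrikam_sales = {"upn": "erin@fabrikam.example", "groups": frozenset({"fabrikam:sales"})}
    doc = service.protect("spec-001", b"Q3 prototype specs: do not forward outside R&D", "RnD-ReadOnly")

    results = {}
    attempts = [("contoso_read", contoso_rnd, "read"), ("fabrikam_read", fabrikam_rnd, "read"),
                ("sales_read", fabrikam_sales, "read"), ("fabrikam_write", fabrikam_rnd, "write")]
    service_calls = attempts + [("after_revoke", contoso_rnd, "read")]
    for label, user, right in service_calls:
        if label == "after_revoke":
            service.revoke(doc.doc_id)
        try:
            results[label] = service.open(user, doc, right)
        except PermissionError as e:
            results[label] = str(e)
    return service, doc, results


if __name__ == "__main__":
    service, doc, results = run_scenario()
    for label, value in results.items():
        print(f"{label:15} {value!r}")
    print("tracking log:", *service.log, sep="\n  ")
```

The point to notice is where the decision happens: the ciphertext can be mailed anywhere, but it is useless without the key, and the key is only released by a service that checks group membership and rights and writes a log entry for every attempt, including the denied ones. That is what makes tracking and revocation possible after the document has left the building, and it is why both organizations only need a trust relationship with the service, not with each other.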

Next Steps:
