Enterprise Mobility and Security Blog


This is Part 3 of a 3-part blog series based on the new eBook, “Protect Identities, Devices, and Your Company Information in Today’s Device-Centric World.” Check out Part 1 and Part 2.

A lot of cloud and enterprise mobility vendors are going to end a discussion about planning for your future by explaining why a wholesale rip and replace of your existing infrastructure is critical. I think that is a bit drastic.

Instead, in this post, I’m going to look at what you can do to build upon what you already have in order to ensure you can meet the future needs of your growing workforce, as well as be ready to deliver what they need right now.

To put all of this in perspective, let’s look at 3 scenarios and see what a cloud-based control plane built on EMS can do for you:

  • Managed Mobile Productivity
  • End-to-end Information Protection
  • Identity-driven Security

I think it’s important to consider these three elements together, rather than things to be tackled individually. In the examples below, I’ll make the case for why I think they are best addressed as a converged part of your IT processes – especially when approached as cloud-based services.

Managed Mobile Productivity

We all use mobile devices for the very simple reason that they make us so much more productive. But, if these devices can’t be effectively managed, then the risks become far too great – and that tradeoff simply isn’t worth it. With this in mind, it is valuable to think about productivity and effective management as the same goal. What every organization really needs, then, is managed mobile productivity.

This is a topic that is especially near and dear to me – in fact, I begin nearly every meeting (whether internal or external) with this statement about the vision of the EMS team:


To see how EMS makes this possible, let’s first look at how a user (Anna) adds a new iPad (but the same process applies to Windows or Android devices) to the corporate network:


Figure 10: EMS can automatically install management software on a device, then enforce policies for accessing applications.

As I’ve noted on many previous occasions, identity is the foundation for everything else. That’s why this process begins with Anna logging in with Azure AD (step 1). The iPad she’s using might be her own, or it might be one that her organization has provided. In either case, the first thing she does after logging in is try to access a SaaS app. In the example seen in Figure 10, that application is Exchange Online (a part of Office 365) and she wants to access her corporate e-mail. Because her new iPad is currently unmanaged, this request is re-directed to Intune (step 2).

Once directed to Intune, the software is then installed on Anna’s iPad (with her permission, of course) to allow this device to be managed and receive all the policies that have been defined for iPads (as seen in step 3). These policies may specify (based on the discretion of the admins) that in order to be a part of your corporate environment, an iPad must have an unlock password set up, it must encrypt the corporate data it stores, and it will require the user’s email account to be managed. To set up these policies, the admin will rely on both Azure AD and Intune.

Now that Anna’s device is managed, she can successfully access her corporate e-mail (step 4). The final step before the e-mail starts flowing includes Azure AD and Intune working together to ensure that she is 100% compliant with a policy defined for this specific app. For example, an Exchange Online policy might require requests to come from Intune-managed devices that have also applied all the available updates. This is an example of conditional access, where a user is allowed to do something only if several conditions are met: e.g., the right identity, the right kind of device with the right characteristics, and more at the discretion of network admins.

Conditional access is an incredibly powerful feature, and it’s only possible when multiple services work together.

End-to-end Information Protection

Once Anna has access to Exchange Online, she immediately starts receiving her corporate e-mail. Now that she’s up and running, the corporate data on it needs to be protected – no matter where that iPad travels (different offices, airports, Starbucks), – and IT needs a way to stop her from (accidentally or intentionally) sending this information to outsiders. To do this, you need end-to-end information protection.

This kind of end-to-end protection is best provided by EMS through the combined feature sets of Azure AD, Intune, and Azure RMS:


Figure 11: EMS protects corporate information by letting it be used and copied only within a managed environment and by embedding access controls directly into encrypted files.

As seen in Figure 11, if Anna receives a corporate e-mail with an attached Excel spreadsheet (step 1), and she opens this attachment using the Excel mobile app on her iPad, and then tries to copy and paste data from the spreadsheet to the iPad’s built-in Notes app – with EMS in place, this attempt will fail (step 2).

The reason this fails is that Intune effectively separates managed apps on Anna’s iPad from her personal apps. As the Figure 11 shows, Anna’s Office mobile apps are all marked as “Managed,” which means that data from these apps cannot be copied to non-managed apps. In this example, the “Paste” option will not appear when she tries to move data from the Excel spreadsheet to the Notes app. Anna is, of course, free to move information between the managed apps (e.g. from an Excel spreadsheet to a Word document) – but that is all.

Only Microsoft can provide this kind of information protection for the Office mobile apps on iPads and Android devices – absolutely no other MAM vendor can do this. If Anna wants to use the Office mobile apps for both business and personal work, she’s free to do this – all she needs to do is log in with a different identity. Intune will make sure that she can access only her personal data when she’s logged in with a non-corporate identity.

To learn more about how to bring your internal applications into this solution, and to learn more about how Box, Adobe, SAP, Citrix, and others have updated their apps to include the Intune MAM capabilities, check out this recent post about the Intune Application Ecosystem.

Also, although unrelated to security, in this scenario consider that the Excel spreadsheet renders perfectly when it opens. Surprisingly often the Office apps will not properly render on other EMM solutions, and you end up with spreadsheets that look like this. This is actually one of the most common complaints I hear from customers using other EMM solutions – far too often their Office documents wont render and are unusable. You want to use the real Office!

The information protection provided by Intune is essential for mobile devices – but, by itself, it is not enough. Suppose, for example, that Anna receives an e-mail with another attachment containing confidential corporate data (step 3). She may never open this doc on her iPad, but she may accidentally forward it to someone outside the company. In this scenario, even more expansive end-to-end information protection is necessary. Azure RMS was created to solve problems like this.

In the event that the attachment Anna received is protected by Azure RMS, it is encrypted. The document has embedded into it the identities of the users that can access the documents and the rights they have for editing or reading it. If the user attempting to open the document is not one of those users, they simply cannot open the file (step 4). Azure RMS uses Anna’s identity (which is provided via Azure AD), along with information in the protected document itself, to determine what access rights she has to that doc. Even if the doc is in her inbox, the settings on that doc might allow her to only read the document. In the event that doc is forwarded, the external recipient would have absolutely no rights to it and it would be un-openable.

Azure RMS protects information wherever that information might travel. This is a matter of protecting data wherever it goes and wherever it is accessed. We believe you should always be able to control your data – even when it is accessed by devices you don’t control. This is another example of the evaporating “perimeter” that was historically used to protect data. Some data must be mobile to truly be valuable; and when that data is mobile and being shared it is typically outside perimeter. These files must be self-protecting.

When operated together, these two EMS components provide truly end-to-end information protection.

Identity-driven Security

As noted near the beginning of this post, all of the capabilities we’ve seen thus far rely upon identity. Intune uses Anna’s identity to decide what policies to apply to her device, and Azure RMS decides what level of access she should have to as sensitive document. Identity is central to everything a cloud-based platform provides.

The logical next question is this: What happens if an attacker is able to compromise Anna’s identity?

There are countless ways for this to happen: For example, perhaps she is using a password that is easy to guess, or perhaps her credentials are captured through social engineering or a phishing attack. Both of these circumstances are very common – and, once breached, you need tools that can identify compromised accounts and help you block their access. A major source of protection against this is Azure AD’s multi-factor authentication feature.

Detecting and neutralizing this kind of attack requires identity-based security. To put that terminology in context, consider that an attacker using a stolen identity usually behaves differently than the actual owner of that identity. Microsoft’s ability to detect that difference in behavior is how we keep your organization safe. Microsoft Advanced Threat Analytics (ATA) can detect these differences and then alert your security staff to the problem:

Figure 12: Azure AD can warn about several kinds of spurious logins.

Here’s how this scenario plays out: Anna logs into Azure Active Directory (step 1), then works her typical daytime schedule. Because Anna works for the human resources department, she primarily accesses the organization’s HR app and the data associated with it (step 2). But now an attacker logs in as Anna using her stolen credentials (step 3). This attacker immediately acts differently – instead of spending most of her time accessing HR data, she’s going through financial documents and technical research. Also, the service can see that this hacker has logged in during the middle of the night in Anna’s timezone (step 4).

This variation in behavior can be detected by Microsoft ATA. By monitoring traffic in and out of your on-premises Active Directory, then using machine learning technology to analyze this traffic, ATA can quickly learn the usual access patterns of your users and spot a user deviating from those patterns by alerting your security staff to the possible breach (step 5).

Also, with Azure Active Directory Premium, you can require an MFA or a change of password when these abnormalities are detected.

Once an attacker has penetrated an organization, she commonly lurks for months looking for opportunities, and she’s often not discovered until she’s already exploited what she’s fond. The average time before a breached user account is discovered is over 200 days (in many cases far more than 200). It is really scary to consider the damage that can be done and what can be stolen over that massive period of time. Using an identity-driven security approach with ATA, together with the reporting services provided by Azure AD, can help you detect and stop these attacks before they damage your business.

The sophistication of the security offered by Machine Learning simply cannot be overstated. Take a moment to look at the post New Levels of Security via Machine Learning & Combined Data Sets where I go into detail on the strength of our Machine Learning-based security solution. I’ve also recorded two separate podcasts on this topic (here and here), as well as written about how your network’s architecture can be made rock solid with a Machine Learning-based approach to security.

To learn more about Azure Machine Learning, check out these resources:

Next Steps: