Windows and Devices Partners: Focus on Secure Productive Enterprise



This month, in addition to the regularly scheduled Windows and Devices Partner community call about Windows 10 Creators Update on April 18, we’re hosting a second, special edition call on April 26 for Windows and Devices partners, about your opportunity with Secure Productive Enterprise. Secure Productive Enterprise standardizes packaging offers across Office 365, Enterprise Mobility + Security, and Windows 10 Enterprise. These products work with each other and with partner solutions from across the security ecosystem to deliver a holistic, agile security platform.

Microsoft sales teams have found that starting customer discussions by acknowledging the challenges customers are facing, and explaining how Secure Productive Enterprise enables their digital transformation backed by security, expands what customers will consider. Partners that understand how to deliver multiple capabilities for digital transformation that include enterprise security, management, collaboration, and business analytics, on their own or through business relationships with other partners, will be well positioned.

On this April 26 call, my colleagues from the Office 365 & Voice and Enterprise Mobility + Security Partner communities will join me for the discussion.

Sign up for the April 26 partner call

The partner opportunity with Secure Productive Enterprise

In this post, I’ll cover security protection across the products that make up Secure Productive Enterprise: Windows 10 Enterprise, Enterprise Mobility + Security (EMS), and Office 365. It’s a great story for partners and customers about products that complement each other and are better together, empowering employees through uncompromising productivity, collaboration, mobility, business insights, and a secure experience. There are two plans for acquiring Secure Productive Enterprise, E3 and E5. Secure Productive Enterprise E5 provides the latest, most advanced enterprise security, management, collaboration, and business analytics.

Windows for Business – for every customer

Let’s start with my passion – Windows. Windows 10 is an amazing operating system, and if you’re using the latest version with the latest security patches and technologies, you have a very effective way to protect users and data.

In addition to security protection, Windows for Business offers customers:

More control

Windows 10 integrates into a customer’s existing infrastructure, with features such as Azure Active Directory Domain Join that allow the customer to create and enforce network, user, group, and device policies to align with business needs.

Stay connected

Windows 10 enables customers to connect with their customers, partners, and suppliers. Users can bring their desktops with them virtually anywhere, regardless of device. Simple, single sign-on to a business’s network gives users easier access to shared data and devices.

Stretch hardware investments

Business devices are designed for business, with security and features unmatched by consumer devices. Many come with more durable components, longer warranties, and better support options to help protect a customer’s financial investments.

Devices can grow along with a business

A customer may not need or use every Windows 10 feature today, but as a business grows, so will the complexity and the stakes. Getting devices with Windows 10 Pro now sets customers up with the right technology for successful business growth. These devices can be quickly networked, updates are more easily managed, and customers get the extra security and peace of mind that systems and data are protected.

Windows for Business

Learn more about the Windows 10 Pro, Enterprise, and Education editions

Windows 10 Enterprise security capabilities

Windows 10 is the safest, most secure Windows ever. It includes the latest security technology available, to address the tactics used in today’s attacks.

In the chart below, you’ll see how each of the features in Windows 10 Enterprise counters an attack, by attack vector. An attack vector is a path for a hacker to gain access to a computer or network server to deliver a payload or malicious outcome. Attack vectors let hackers exploit system vulnerabilities, including the human element.

Attack vector

Countermeasure

Description

Identity theft

Windows Hello for Business

Replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and a biometric or PIN.

Identity theft

Credential Guard

Aims to isolate and harden key system and user secrets against compromise, helping to minimize the impact and breadth of a pass-the-hash style attack if malicious code is already running via a local or network-based vector.

Malware

Windows Defender Advanced Threat Protection

A security service that enables enterprise customers to detect, investigate, and respond to advanced threats on their networks.

Malware

Device Guard

Lets organizations lock down devices in a way that provides advanced malware protection against new and unknown malware variants as well as advanced persistent threats. It provides better security against malware and zero-days for Windows 10 by blocking anything other than trusted apps. To help protect users from malware, when an app is executed, Windows decides whether that app is trustworthy based on IT's policy, and notifies the user if it is not. Device Guard can use hardware technology and virtualization to isolate that decision-making function from the rest of the Windows operating system, which helps provide protection from attackers or malware that have managed to gain full system privilege. This gives it a significant advantage over traditional anti-virus and app control technologies like AppLocker, Bit9, and others, which are subject to tampering by an administrator or malware.

Malware

Secure Boot

A security standard developed by members of the PC industry to help make sure that PCs boot using only software that is trusted by the PC manufacturer. Support for Secure Boot was introduced in Windows 8 and is a key point of security on devices with Windows 10. When the PC starts, the firmware checks the signature of each piece of boot software, including firmware drivers (Option ROMs), EFI applications, and the operating system. If the signatures are good, the PC boots, and the firmware gives control to the operating system.

Data loss

Windows BitLocker

BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers.

Data loss

Windows Information Protection (WIP)

Helps protect against potential data leakage without otherwise interfering with the employee experience. WIP helps to protect enterprise apps and data against accidental data leaks on enterprise-owned devices and on personal devices that employees bring to work, without requiring changes to your environment or other apps.
Azure Information Protection works alongside WIP to extend data protection to data that leaves the device, such as when email attachments are sent from an enterprise-aware version of a rights management mail client.
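The countermeasures in the table above only help if they are actually switched on, so a partner assessing a Windows 10 Enterprise device will want a quick posture check. The script below is an added example, not code from the original post; it assumes an elevated PowerShell session on the device being assessed and the SecureBoot, BitLocker and CIM cmdlets that ship with Windows 10.

```powershell
# Added example, not code from the original post: a read-only check of whether the
# Windows 10 Enterprise countermeasures listed in the table are actually active on a
# device. Assumes an elevated PowerShell session on the device being assessed and the
# SecureBoot, BitLocker and CIM cmdlets that ship with Windows 10.
function Get-Win10SecurityPosture {
    $posture = [ordered]@{}

    # Secure Boot: Confirm-SecureBootUEFI returns $true only when UEFI Secure Boot is on.
    # On legacy BIOS firmware it throws, which is treated as "not enabled".
    try   { $posture.SecureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) }
    catch { $posture.SecureBoot = $false }

    # Credential Guard and Device Guard (code integrity) are reported by Win32_DeviceGuard.
    # SecurityServicesRunning: 1 = Credential Guard, 2 = hypervisor-enforced code integrity.
    # CodeIntegrityPolicyEnforcementStatus: 0 = off, 1 = audit mode, 2 = enforced.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $running = @($dg.SecurityServicesRunning)
    $posture.VirtualizationBasedSecurity = ($dg.VirtualizationBasedSecurityStatus -eq 2)
    $posture.CredentialGuard             = ($running -contains 1)
    $posture.HypervisorCodeIntegrity     = ($running -contains 2)
    $posture.CodeIntegrityPolicy = switch ($dg.CodeIntegrityPolicyEnforcementStatus) {
        2       { 'Enforced' }
        1       { 'AuditOnly' }   # violations are logged but untrusted code still runs
        default { 'Off' }
    }

    # BitLocker: the operating-system volume must be fully encrypted with protection on;
    # "Off" here usually means a suspended protector or a drive left in plain text.
    $os = Get-BitLockerVolume -ErrorAction SilentlyContinue | Where-Object { $_.VolumeType -eq 'OperatingSystem' }
    $posture.BitLockerOsVolume = [bool]($os -and $os.ProtectionStatus -eq 'On' -and $os.VolumeStatus -eq 'FullyEncrypted')

    [pscustomobject]$posture
}

# Print the posture and flag every countermeasure that is not fully active.
$posture = Get-Win10SecurityPosture
$posture | Format-List
$gaps = $posture.PSObject.Properties | Where-Object {
    ($_.Value -is [bool] -and -not $_.Value) -or $_.Value -eq 'Off' -or $_.Value -eq 'AuditOnly'
} | Select-Object -ExpandProperty Name
if ($gaps) { Write-Warning ("Countermeasures not fully active: " + ($gaps -join ', ')) }
```

Windows Hello for Business is configured per user and tenant rather than per device, so it is deliberately not covered by this device-level check.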

Security protection in Enterprise Mobility + Security

Security should be at the forefront of every conversation partners have with customers. Enterprise Mobility + Security (EMS) lets customers keep pace with security challenges, offering holistic, identity-driven protection. EMS protects against, detects, and responds to common attack vectors, including phishing, spearphishing, spoofing, malware, credential theft, and ransomware.

Attack vector

Countermeasure

Description

Identity theft

Azure Active Directory Identity Protection

A feature of Azure AD Premium P2 edition that provides a consolidated view into risk events and potential vulnerabilities affecting an organization’s identities. More than just a monitoring and reporting tool, Azure AD Identity Protection uses risk events to calculate a user’s risk level, enabling configuration of risk-based policies to automatically protect the identities of an organization.

Identity theft

Azure Multi-Factor Authentication (MFA)

The Microsoft two-step verification solution that helps safeguard access to data and applications while meeting user demand for a simple sign-in process. It delivers strong authentication via a range of verification methods, including phone call, text message, or mobile app verification.

Identity theft

Microsoft Advanced Threat Analytics

Provides a simple and fast way to understand what is happening within a network by identifying suspicious user and device activity with built-in intelligence and providing clear and relevant threat information on a simple attack timeline.

Identity theft

Conditional access in Azure Active Directory

Conditional access control capabilities offer simple ways for companies to secure resources in the cloud and on-premises. Conditional access policies can protect against the risk of stolen and phished credentials with Multi-Factor Authentication. You can also enforce conditional access policies to keep company data safe. For example, only devices enrolled in a mobile device management system like Microsoft Intune are granted access to sensitive services.

Data loss

Azure Information Protection

Control and help secure email, documents, and sensitive data that is shared outside a company's walls. From easy classification to embedded labels and permissions, enhance data protection at all times with Azure Information Protection, no matter where the data is stored or with whom it is shared.

Data loss

Cloud App Security

A comprehensive solution that helps organizations as they move to take full advantage of the promise of cloud applications while providing improved visibility into activity. It helps increase the protection of critical data across cloud applications. With tools that help uncover shadow IT, assess risk, enforce policies, investigate activities, and stop threats, an organization can more safely move to the cloud while maintaining control of critical data.

Malware

Microsoft Intune

Ensures compliance of mobile and lightly managed devices, and lets you set device protection policies. Lookout integration adds malware protection for Android and iOS devices. Lookout provides visibility into app, network, and device-based risks, and through its deep integration with EMS, organizations can use that risk data to enforce conditional access on mobile devices.

Malware

Mobile application management

Use Microsoft Intune mobile application management policies to help protect a company's data. These policies can be used independently of any mobile device management solution, so you can protect data with or without enrolling devices in a device management solution. By implementing application-level policies, you can restrict access to company resources and keep data within the purview of the IT department.

Office 365 security features

Office 365 offers organizations control over data security and compliance with built-in security.

Read the blog post about Office 365 and SPE

Attack vector

Countermeasure

Description

Phishing

Exchange Online Protection

Cloud-based email filtering service that helps protect your organization against spam and malware, and includes features to safeguard your organization from messaging-policy violations. EOP can simplify the management of your messaging environment and alleviate many of the burdens that come with maintaining on-premises hardware and software.

Identity theft

Office 365 Advanced Security Management

With Advanced Security Management, you get alerts that you can set up by using policies to notify you about anomalous and suspicious activity. And you can also get productivity app discovery, which lets you use the information from an organization's log files to understand and act on users' app usage in Office 365 and other cloud apps.

Identity theft

Multi-Factor Authentication

All privileged Office 365 users (such as global administrators or billing administrators) should use Multi-Factor Authentication. Combined with dedicated user accounts and workstations, Multi-Factor Authentication provides the most important protection for privileged accounts. Multi-Factor Authentication delivers strong two-step authentication with a range of easy verification options—phone call, text message, or mobile app notification—allowing users to choose the method they prefer.

Identity theft

Secure privileged access

Securing privileged access is a critical first step to establishing security assurances for business assets in a modern organization. The security of most or all business assets in an organization depends on the integrity of the privileged accounts that administer and manage IT systems. Cyberattackers are targeting these accounts and other elements of privileged access to rapidly gain access to targeted data and systems using credential theft attacks like pass-the-hash and pass-the-ticket.

Identity theft

Azure AD Privileged Identity Management

Manage, control, and monitor access within the organization. This includes access to resources in Azure AD and other Microsoft online services like Office 365 or Microsoft Intune. Just-in-time administrative access allows privileges to be granted on demand for a predetermined amount of time, instead of having permanent administrators.

Identity theft

Azure Active Directory Password Management

Allow users to manage any password from any device, at any time, from any location, while remaining in compliance with defined security policies.

Data loss

Office Message Encryption

Deliver confidential business communications with enhanced security, allowing users to send and receive encrypted email as easily as regular email directly from their desktops. Customize the email viewing portal to enhance your organization's brand. Email can be encrypted without complex hardware and software to purchase, configure, or maintain, which helps to minimize capital investment, free up IT resources, and mitigate messaging risks.

Data loss

Azure Information Protection

Azure Information Protection (AIP) is a cloud-based solution that helps an organization to classify, label, and protect its documents and emails. This can be done automatically by administrators who define rules and conditions, manually by users, or a combination, where users are given recommendations.

Data loss

Data Loss Prevention (DLP)

To comply with business standards and industry regulations, organizations need to protect sensitive information and prevent its inadvertent disclosure. Examples of sensitive information that you might want to prevent from leaking outside your organization include financial data or personally identifiable information such as credit card numbers, social security numbers, or health records. With a Data Loss Prevention (DLP) policy in the Office 365 Security & Compliance Center, you can identify, monitor, and automatically protect sensitive information across Office 365.

Malware / Ransomware

Advanced Threat Protection (ATP)

Advanced Threat Protection in Office 365 is an email filtering service that provides additional protection on top of existing Exchange Online Protection. ATP helps protect against unknown malware and viruses, and provides better zero-day protection to safeguard messaging systems.

Security comparisons

Multi-Factor Authentication versions feature comparison

Azure Information Protection plans comparison

Resources

Sign in to the Drumbeat partner website for access to these partner- and customer-ready materials

Community call about Secure Productive Enterprise on Wednesday, April 26

Discover more about Secure Productive Enterprise and Windows 10 Enterprise on the April 26 community call for Windows and Devices Partners. The value of SPE goes beyond Windows 10, and my fellow community leads for Office 365 and Voice Partners and EMS Partners will join me to talk about this offering to give you an in-depth look at your opportunity to provide a comprehensive solution to customers.

Sign up for partner calls about Secure Productive Enterprise

Windows and Devices Partner Community

We look forward to continuing the conversation with you about the Windows 10 opportunity. We use our Windows and Devices Partner Community calls, blog posts, and Yammer group to share information and connect with you. If you’re serious about building and sustaining a profitable Windows practice, and want in-depth assistance, email WinRecruit@microsoft.com or post your question in the Yammer group.
