Securing and maintaining a trustworthy Office 365 and Microsoft Azure deployment is not an easy task. In this session we'll take a look into how you can secure and control your cloud-based servers and services, data and users using Azure Active Directory, Azure Security Center, Privileged Identity Management and Advanced Security Management. In addition we’ll also take a look at how Operations Management Suite and Microsoft Advanced Threat Analytics can be used to provide better overall security for on-premises and hybrid deployments.
5. Agenda and takeaways
Security building blocks
The Big Picture
Azure AD Premium
External threats
Internal threats
How to protect Azure and Office 365
How to protect On-Premises services
Licenses
Wait whattt?
12. Wait, what? Hold on!
Do I have to manage security on all these AND on-premises too?
13. A starting point: "We are in the cloud!"
This is the common, kind-of hybrid architecture model.
(Diagram: Microsoft Azure, Office 365, Site-to-Site VPN, Azure AD Connect, ADFS, Proxy, On-premises)
14. The heart of security: Azure Active Directory
The core of each Azure subscription
You can have multiple AAD tenants within the same Azure subscription
Users, groups, licenses, permissions, apps, app proxies, domains.. all here!
Managed through Azure Portal, some tiny things are still only available in the Classic Portal
It's important to understand the difference between AAD, AD and AAD Connect (and AAD DS)
Identities, management and security
16. Azure Active Directory: Free, Basic, Premium
Feature                                   | AAD Free     | AAD Basic         | AAD Premium P1    | AAD Premium P2
SSO support                               | 10 apps/user | 10 apps/user      | No limit          | No limit
Security reports                          | 3 (basic)    | 3 (basic)         | Advanced          | Advanced
Self-Service password reset (cloud users) |              |                   |                   |
Application Proxy                         |              |                   |                   |
Multi-Factor Authentication               |              |                   |                   |
Connect Health                            |              |                   |                   |
Cloud App Discovery                       |              |                   |                   |
Privileged Identity Management            |              |                   |                   |
Identity Protection                       |              |                   |                   |
Price                                     | Free!        | 0.84 €/user/month | 5.06 €/user/month | 7.59 €/user/month
(Per-tier availability marks for the feature rows are not shown in this transcript.)
A few highlighted features of AAD and a comparison between licenses
17. Security building blocks in Azure
Security: Role-Based Access Control, Key Vault, Microsoft anti-malware, Rights Management/Information Protection, Cloud App Discovery, Security Center
Infrastructure: Network Security Groups (NSG), Site-to-Site VPN, Point-to-Site VPN, ExpressRoute, Network Security Appliances, Host-based & NextGen firewalls
Azure Active Directory: Connect Health, Identity Protection, Privileged Identity Management, OMS Security & Audit, Multi-Factor Authentication
18. Analogy to cloud security
Rancilio Silvia. Best. Espresso. Ever. (This is what I got)
Customized Rancilio Silvia (This is what you think you need)
Rancilio Silvia with the Rocky grinder and steel base (This is what you should end up with)
20. Securing authentication for users with Multi-Factor Authentication
Enforces security beyond username and password
User must possess something – typically a mobile device
Strong authentication occurs over text message, PIN, fingerprint, mobile app approval or voice call
Users must enroll through https://aka.ms/mfauserhowto
Available as Office 365 MFA, Azure MFA for Admins and Azure MFA
Certain non-browser apps do not support MFA -- users have to provision separate App Passwords (one or more) through the MyApps portal
This tends to be challenging for non-technical users
Multi-Factor Authentication for on-premises with Azure MFA Server
Enables easy securing of VPNs, IIS web apps & Remote Desktop
Maybe not the most logical to set up..
Supports RADIUS, so fairly easy to integrate with legacy systems ;-)
Strong and secure authentication for on-premises, hybrid & the cloud
21. Baseline your security in Office 365 with Secure Score
A free service at https://securescore.office.com
After initial scoring you can select a new baseline
Provides a list of actions for things to fix, in order to achieve the new baseline
Max score is 432
Office 365 average is 29. I have 72!
You get to 111 just by enabling MFA for global admins
Automated scan of your Office 365 subscription settings and general security
22. A dashboard for Azure security with Security Center
A simple way to view what’s secured and what’s not in Azure
Includes behavioral analytics and incident reporting
Standard license gives advanced threat detection & intelligence
Provides an overview on security for cloud resources
23. Securing and monitoring Azure AD Connect, ADFS and on-premises AD configuration with Azure AD Connect Health
Monitors your AD FS, AD FS Proxy, AAD Domain Services and AAD Connect status
Can alert you when things break down – useful for many directory-related services, and especially for Azure AD Connect issues
Deploying is easy:
Install agents for AD FS, AAD Connect and AD DS servers
Verify configuration on the AAD CH blade in Azure Portal
Somewhat sadly this feature requires an AAD Premium license – all users must be licensed in the scope of AAD CH
Agent-based service to monitor your AD domain controllers and ADFS infrastructure
24. Safeguarding users who log in from weird countries with Azure AD Identity Protection
Watchdog for user sign-ins, can associate individual logins with risk factors
Automatically flags suspicious events, such as users who perform impossible travel times (typically with VPN connectivity)
Enforces additional policies based on low/high risk factors:
Enforce MFA for the duration of the login
Enforce self-service password reset (which subsequently enforces MFA)
Weekly email digest of findings and things to lose your sleep over
Monitoring for risk events, vulnerabilities and automatic policy changes
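As an added illustration (not code from the talk or from Microsoft), a simplified model of the "impossible travel" check described on this slide, with the deck's policy response of requiring MFA for a high-risk login; the sign-in records and the 1000 km/h plausibility ceiling are constructed assumptions.

```python
# Added example, not from the slides: a simplified model of Identity Protection's
# "impossible travel" risk check and the deck's policy response (MFA on high risk).
# Sign-in records below are constructed sample data; the speed limit is an assumption.
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt
MAX_PLAUSIBLE_KMH = 1000.0  # assumed ceiling: faster than this is not a real trip

@dataclass
class SignIn:
    user: str
    when: datetime
    lat: float
    lon: float
    city: str

def distance_km(a: SignIn, b: SignIn) -> float:
    """Great-circle (haversine) distance between two sign-in locations."""
    la1, lo1, la2, lo2 = map(radians, (a.lat, a.lon, b.lat, b.lon))
    h = sin((la2 - la1) / 2) ** 2 + cos(la1) * cos(la2) * sin((lo2 - lo1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def risk_level(prev: SignIn, cur: SignIn) -> str:
    """'high' when the speed implied by two consecutive sign-ins is impossible."""
    km = distance_km(prev, cur)
    hours = (cur.when - prev.when).total_seconds() / 3600.0
    if km < 50:  # same metro area (e.g. Helsinki -> Espoo): never impossible travel
        return "low"
    if hours <= 0:  # far-apart sign-ins at the same instant
        return "high"
    return "high" if km / hours > MAX_PLAUSIBLE_KMH else "low"

def evaluate(signins: list) -> list:
    """Per user, in time order, score each sign-in against the previous one and
    apply the policy from the deck: high risk -> require MFA, otherwise allow."""
    last = {}
    out = []
    for s in sorted(signins, key=lambda x: (x.user, x.when)):
        level = "low" if s.user not in last else risk_level(last[s.user], s)
        out.append((s.user, s.city, "require_mfa" if level == "high" else "allow"))
        last[s.user] = s
    return out

# Constructed sample: Helsinki, Espoo 40 minutes later (plausible), Sydney 80 minutes after that.
UTC = timezone.utc
SAMPLE = [
    SignIn("alice", datetime(2017, 5, 1, 8, 0, tzinfo=UTC), 60.17, 24.94, "Helsinki"),
    SignIn("alice", datetime(2017, 5, 1, 8, 40, tzinfo=UTC), 60.21, 24.66, "Espoo"),
    SignIn("alice", datetime(2017, 5, 1, 10, 0, tzinfo=UTC), -33.87, 151.21, "Sydney"),
]
```

Running evaluate(SAMPLE) allows the first two sign-ins and returns require_mfa for the Sydney one, which is the step-up the slide describes; a VPN exit node in another country triggers the same outcome, which is why the deck calls this out.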
25. Getting rid of static admin roles with Azure AD Privileged Identity Management (PIM)
Instead of granting permanent admin privileges, PIM allows ad-hoc & just-in-time admin roles
Users can request new privileges for a predefined duration
Scans for fixed admin roles and changes them to temporary roles
Admin roles become non-permanent
Duration can be set from 1 hour to 72 hours
Can enforce MFA during role grant
In preview: Approval workflows for new privilege requests
Central view & management for all admin roles throughout Azure and Office 365
"Just-in-time" administration privileges for users on request
26. Tracking botnet and brute force attacks
OMS provides System Center-like capabilities in the cloud
Capable of tracking hybrid deployments, including Office 365 and Azure
Gathers logs (also custom ones), configuration data, update status, availability, backup info and even Surface Hub data
Operations Management Suite (OMS) is the Swiss Army knife you need
27. Protecting from external threats with Office 365
Provides a 360° view on external threats against users
Insights and analysis based on evidence, act accordingly
Allows for custom policies and reactions
Threat Intelligence uses evidence-based knowledge on threats
28. Publishing internal services securely
Enforce authentication at Azure AD, before allowing access to internal resources
Configuration is simple, and supports high availability deployments
Internal services do not require changes
Dual authentication is also supported: first on Azure AD, then on-premises against the local AD/service
Azure AD Application Proxy provides a one-way HTTPS tunnel to on-premises
31. Securing Edge network & cloud app usage with Advanced Security Management
Similar to OMS, but directly aimed at Office 365 workloads
Records all activities of users, including external users
Supports on-premises edge router log analysis
Discover activity and incidents in Office 365
32. Monitoring what admins and developers are doing with Azure resources
Query against Azure backends to see operations against services
Connect with Log Analytics (for further analysis), Power BI (for reports) and Application Insights (for wisdom)
Azure Monitor provides monitoring throughout tenants and resource groups
33. Finding Shadow IT within the organization with Cloud App Discovery
Works by dropping an agent on workstations
Consent can be requested; or just install silently..
Discover apps, amount of data transferred and who uses what
Based on reports, act accordingly
Discover unmanaged (and managed) cloud apps in use
34. Active Directory surveillance & analysis with Advanced Threat Analytics (ATA)
Captures all authentication traffic to-and-from Domain Controllers
Uses Machine Learning to identify issues and unauthorized usage
Fully automatic, install & forget!
Almost like SharePoint ;-)
Can connect with OMS to provide hybrid reporting in the cloud
Aggressive auditing and analytics for on-premises Active Directory requests
41. Onsight
Enterprise Mobility + Security (EMS)
Used to be known as Enterprise Mobility Suite
A bundled collection of licenses for Azure-based services
Available as E3 and E5
(Source: Microsoft)
42. Security-related services and licenses
Services placed on the slide's license matrix: Advanced Threat Analytics, Active Directory, Azure MFA Server, Advanced Security Management, Threat Intelligence, Secure Score, Intune, Azure MFA for Admins, Azure AD, Azure AD Premium, Security Center, Cloud App Discovery, Privileged Identity Management, Identity Protection, Azure MFA, Connect Health, Network Security Groups, Next-Gen Firewalls, Information Protection, Operations Management Suite
License categories on the slide: No extra license needed; EMS E3/Office 365 E3; EMS E5/Office 365 E5; Additional licensing
43. Recommendations & recap
Follow current practices and patterns: http://bit.ly/azuresecpnp
Get the book! http://bit.ly/azuresecbook
Get the guidance! http://bit.ly/perimeterbook
Deploy the free services: Azure Security Center, Office 365 Secure Score, Azure MFA for Admins, OMS Security (AAD+O365)
Go for AAD Premium, either with EM+S or separately
Deploy ATA
Enable PIM and Identity Protection