Last week, at a customer event, a customer challenged me with a question that was difficult to answer.
I had presented on the security tools within Microsoft 365 licensing that enable security enhancements for customers when looking at the world through the current lens of working from home, and how in a lot of cases the traditional approach is to extend out traditional perimeter security, which poses some issues. The main body of my presentation was how to counter these flaws with a layered security approach using features customers are already licensed for in their Microsoft 365 E3 or E5 packages.
The customer asked how this delivered Defense in Depth.
Defense in Depth is the principle of layering independent defences and controls around your IT environment so that the failure or bypass of any single control does not, on its own, expose the assets behind it. Typically the layers are categorised as physical controls, which prevent or limit actual access to IT systems (locks, badge readers, secured server rooms); technical controls, which prevent or limit logical access (authentication, encryption, endpoint protection, network filtering); and administrative controls, the policies, procedures, training and access governance that decide who may do what and how the physical and technical controls are configured, reviewed and enforced. Ultimately, this is exactly what the presentation covered, and that was the root of the dilemma in answering the question:
Either the person asking the question hadn't been paying attention, and calling that out would make them look bad, which is not something I like doing to anyone; or they had a point to make - perhaps they were a staunch advocate of another technology stack. I am not a security architect, so it wouldn't be right or sensible to debate anyone who is a security architect on this complex subject. Finally, Defense in Depth, like "cloud", is one of those terms that has multiple definitions to different people, but asking the person to explain their definition is also slightly hostile.
The day's agenda was already a little behind and no one would have welcomed a drawn-out discussion which put us further behind. So, I came away from this meeting with the view that I could cover the dilemmas above with a quick blog post. There are Microsoft white papers on Defense in Depth; they are long and detailed, so this blog will cover a quick 30,000-foot view of the key highlights - and for those that want more information there are links at the end.
I am going to break this down by device and user type rather than by product, which is how the white papers are constructed, as I hope this will give a better overview of the layers of security that you can deploy with your M365 licensing.
Corporate managed devices
The vast majority of enterprise users will be conducting their work using a corporate-issued and managed device. M365 contains features and services that allow you to add several layers of security from the outside in:
Windows Hello for Business – Biometric or PIN sign-in to the device. The biometric or PIN never leaves the device and is not itself the credential: it unlocks a private key held in the device's TPM (where one is present), so the credential is bound to that particular machine and a PIN that is phished or shoulder-surfed cannot be replayed from anywhere else. It replaces the password for device sign-in rather than sitting in front of it.
Secure Boot – UEFI Secure Boot checks the digital signature of each firmware component and boot loader before it is allowed to run, so a tampered boot chain (a bootkit or rootkit that tries to load before Windows 10) is refused rather than executed. Trusted Boot carries the same verification on into the Windows kernel, drivers and early-launch anti-malware, so the OS and its critical security processes start unmodified. Note that it protects the boot path, not the running OS; malware that arrives after boot is the job of the layers below.
Remote Management – Via SCCM (Configuration Manager) or Intune you can exercise control over the device, its configuration and its ability to access corporate services. If a device is lost or compromised it can be marked non-compliant (which cuts it off from corporate services), locked, and remotely wiped. Device control policies also govern how it treats things physically plugged into it, such as USB storage, to add a further layer of protection.
Conditional Access Policies – evaluated at every sign-in to Azure AD, these check signals about the user, device, application and session before access is granted: for example that the device is Intune-enrolled and compliant (minimum OS version and patch level, encryption on, antivirus running), that the sign-in comes from a trusted location or region, and which client application is in use. The policy then grants access, requires additional controls such as MFA, or blocks, and it can limit what the session is able to reach in the main IT environment.
Multi Factor Authentication – we can require MFA as standard for accessing key systems, or conditionally based on the risk of the sign-in (risk-based policies need Azure AD Identity Protection, which is part of the Azure AD Premium P2 included in M365 E5). One caveat a practitioner should know: MFA is only enforced for clients that use modern authentication, so legacy protocols such as basic-authentication IMAP, POP and SMTP must be blocked separately (typically with a Conditional Access policy) or they bypass it.
Always-On VPN – for customers that require users to reach on-premises or other remote services over a VPN, Windows 10 Always On VPN establishes the tunnel automatically at OS start-up (device tunnel) or at user sign-in (user tunnel), so the user never has to remember to connect and all activity to those services goes over a sanctioned, authenticated connection. It is a Windows 10 Enterprise feature deployed through Intune or SCCM rather than a separate M365 service.
Office 365 Advanced Threat Protection (now Microsoft Defender for Office 365) – This service contains two key tools to protect users from phishing and malware. Safe Attachments opens every incoming attachment in a sandbox (a "detonation chamber") within Microsoft's environment and observes what it does before releasing it to the user, so previously unseen malware is caught rather than only signature-known malware; attachments judged malicious are quarantined. Safe Links rewrites URLs in mail and Office documents so that each click is checked against Microsoft's threat intelligence at the time of the click, not just at delivery; known bad destinations are blocked and the user is warned, which matters because phishing sites are often armed only after the mail has landed.
Azure Information Protection and Cloud App Security – Microsoft 365 lets you apply persistent encryption and usage rights to sensitive data stored in your Office 365 tenancy AND, through Cloud App Security, in connected third-party cloud platforms. Depending on the level of licensing, you can either have users apply sensitivity labels manually, or automatically classify content that matches sensitive information types such as credit card numbers or passport numbers (automatic labelling is an E5 feature). The protection travels with the file: anyone opening it, including an external party it has been sent to, must first authenticate to your tenant to obtain a key, and that access can be revoked after the fact. This makes it a powerful post-breach mitigation, because exfiltrated files stay encrypted.
Microsoft Defender Antivirus – anti-malware baked into the OS, running with the system privileges needed to inspect every process, file and script (including memory-only and script-based attacks surfaced through AMSI). In M365 E5, Microsoft Defender Advanced Threat Protection adds endpoint detection and response on top, so a compromise that gets past prevention is still detected and can be investigated.
BitLocker encryption – Full-volume encryption of the device's drives, with the key sealed in the TPM so that it is only released when the boot chain verified by Secure Boot is intact. Its job is to protect data at rest: if the device is lost or stolen, pulling the disk or booting another OS yields only ciphertext. It does not protect a device that is powered on and unlocked, so it is the backstop for the case where all other features fail, and recovery keys should be escrowed in Azure AD (which Intune can enforce) rather than left with the user.
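Because each of these layers is only a layer if it is actually switched on, the following is an added example (not from the original post) of how to audit them on a single Windows 10 device. It uses only cmdlets from modules that ship with Windows 10 (SecureBoot, TrustedPlatformModule, BitLocker, Defender) and the built-in dsregcmd tool; the signature-age threshold of three days is my own choice, not a Microsoft default. Run it in an elevated PowerShell session.

```powershell
# Added example: audit the endpoint layers on this Windows 10 device. Elevated session required.
$checks = [ordered]@{}

# Secure Boot: $true means UEFI is verifying signatures on the boot chain.
try {
    $checks['SecureBoot'] = Confirm-SecureBootUEFI
} catch {
    # Legacy BIOS or unsupported firmware: Secure Boot cannot be on here.
    $checks['SecureBoot'] = $false
}

# TPM: Windows Hello for Business keys and the BitLocker protector are sealed in it.
$tpm = Get-Tpm
$checks['TpmReady'] = [bool]($tpm.TpmPresent -and $tpm.TpmReady)

# BitLocker on the OS volume: fully encrypted, protection on, TPM protector and an escrowable recovery key.
$os = Get-BitLockerVolume | Where-Object { $_.VolumeType -eq 'OperatingSystem' } | Select-Object -First 1
$checks['BitLockerOsVolume']   = [bool]($os -and $os.ProtectionStatus -eq 'On' -and $os.VolumeStatus -eq 'FullyEncrypted')
$checks['BitLockerTpmProtector'] = [bool]($os -and ($os.KeyProtector.KeyProtectorType -contains 'Tpm'))
$checks['BitLockerRecoveryKey']  = [bool]($os -and ($os.KeyProtector.KeyProtectorType -contains 'RecoveryPassword'))

# Defender: real-time protection on and signatures not stale (3 days is this script's own threshold).
$mp = Get-MpComputerStatus
$checks['DefenderRealTime']        = [bool]$mp.RealTimeProtectionEnabled
$checks['DefenderSignaturesFresh'] = ($mp.AntivirusSignatureAge -le 3)

# Azure AD join, MDM (Intune/SCCM co-management) enrolment and a Windows Hello for Business key,
# all read from the dsregcmd /status report.
$dsreg = dsregcmd /status
$checks['AzureAdJoined']       = [bool]($dsreg -match 'AzureAdJoined\s*:\s*YES')
$checks['MdmEnrolled']         = [bool]($dsreg -match 'MdmUrl\s*:\s*https')
$checks['HelloForBusinessKey'] = [bool]($dsreg -match 'NgcSet\s*:\s*YES')

# OS build: the value an Intune compliance policy (and so Conditional Access) compares against.
$checks['OsVersion'] = (Get-CimInstance Win32_OperatingSystem).Version

# Print a PASS/FAIL/INFO line per layer.
$checks.GetEnumerator() | ForEach-Object {
    $state = if ($_.Value -eq $true) { 'PASS' } elseif ($_.Value -eq $false) { 'FAIL' } else { 'INFO' }
    '{0,-26} {1,-5} {2}' -f $_.Key, $state, $_.Value
}
```

A FAIL on any single line is not by itself a breach, but it is one layer fewer than the licence is paying for; the point of the exercise is that the layers are independent, so a device should pass all of them rather than most of them.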
Non-managed devices/BYOD
Mobile Application Management – Intune app protection policies let us publish corporate applications (Outlook, Teams, OneDrive and the other Office apps) to users' own devices and manage the corporate data inside those apps without managing the device itself. We can require data to be encrypted at rest inside the app, or not stored locally at all, disable copy and paste out of managed apps into unmanaged ones, block screenshots (on Android), and selectively wipe the corporate data, or deny access outright, if the device is lost or stolen or the user leaves.
App-level PIN or biometric – The same app protection policies can require a PIN or a biometric (Face ID or Touch ID on iOS, the device's biometrics on Android) before an Office app opens and allows access, protecting corporate data even when the user's phone is already unlocked and in someone else's hands. This is an Intune app protection setting rather than Windows Hello, which is a Windows device sign-in feature.
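As an added example (not from the original post), this is what the BYOD controls described above look like as one Intune app protection policy for Android, created through the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module is installed and the caller has the DeviceManagementApps.ReadWrite.All permission; the property names follow the androidManagedAppProtection resource in Graph v1.0, and the timeouts and PIN length are illustrative values, not Microsoft recommendations.

```powershell
# Added example: Intune app protection (MAM) policy for unmanaged Android devices.
Connect-MgGraph -Scopes 'DeviceManagementApps.ReadWrite.All'

$policy = @{
    '@odata.type' = '#microsoft.graph.androidManagedAppProtection'
    displayName   = 'BYOD Android - Office apps'
    description   = 'Corporate data stays inside managed apps on unmanaged Android devices'

    # Data at rest inside the app is encrypted even though the device itself is unmanaged.
    encryptAppData = $true

    # Keep corporate data inside the managed apps: no Save As, device backup or printing,
    # and data/clipboard movement only between other managed apps.
    saveAsBlocked                           = $true
    dataBackupBlocked                       = $true
    printBlocked                            = $true
    allowedOutboundDataTransferDestinations = 'managedApps'
    allowedInboundDataTransferSources       = 'managedApps'
    allowedOutboundClipboardSharingLevel    = 'managedApps'
    screenCaptureBlocked                    = $true
    managedBrowserToOpenLinksRequired       = $true

    # App-level PIN or biometric: an unlocked phone still does not expose Outlook/Teams/OneDrive.
    pinRequired                   = $true
    minimumPinLength              = 6
    pinCharacterSet               = 'numeric'
    simplePinBlocked              = $true
    maximumPinRetries             = 5
    fingerprintBlocked            = $false   # allow biometrics in place of the PIN
    disableAppPinIfDevicePinIsSet = $false   # the device PIN is not a substitute

    # Access is re-validated against Intune periodically; after 90 days offline the data is wiped.
    periodOnlineBeforeAccessCheck     = 'PT30M'
    periodOfflineBeforeAccessCheck    = 'PT12H'
    periodOfflineBeforeWipeIsEnforced = 'P90D'
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/deviceAppManagement/androidManagedAppProtections' `
    -Body ($policy | ConvertTo-Json -Depth 5) -ContentType 'application/json'

# The policy does nothing until it is scoped to apps and assigned to a group; those are separate
# calls (the targetApps and assign actions on the created policy).
"Created app protection policy $($created.id); now target the Office apps and assign the BYOD group."
```

The equivalent iOS policy uses the iosManagedAppProtection type and drops the Android-only encryptAppData and screenCaptureBlocked settings, since iOS encrypts app data by default and does not expose screenshot blocking to MAM.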
Cloud and connected platforms
Role Based Access Control – Azure AD and Office 365 administrative roles let you grant privileges according to a person's role within the organisation rather than handing out Global Administrator. This is a key part of the least-privilege model, with any additional access requirement dealt with as a documented exception; in E5, Privileged Identity Management takes it further by making elevated roles just-in-time and time-limited rather than standing.
Connectors (Azure AD enterprise applications) – Azure AD has a large gallery of pre-integrated cloud applications, plus Application Proxy for on-premises web apps, so you can put your other cloud and on-premises services behind the same Azure AD sign-in. The main advantage is that the access control and authentication features of Azure AD, Conditional Access and MFA included, then cover those systems too. Onward authentication is handled by single sign-on (SAML or OpenID Connect federation, or seamless SSO for domain-joined devices), so users never hold a separate set of credentials for those platforms: there is nothing for them to reuse, nothing for a phishing page to harvest, insider misuse is logged against one identity, and the user experience is better.
Azure AD B2B collaboration – for customers that need to give external parties secure access to systems within their environment, Azure AD B2B is a secure and low-administration option. Guests sign in with their own organisation's Azure AD (or a Microsoft account), so you don't have to create and manage passwords for them in your environment, while RBAC limits what these external users can access and the actions they can take. Conditional Access and MFA apply to guests as well, so the same layers can be enforced on partners and suppliers as on staff.
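The layers above only interlock if Conditional Access is the thing that enforces them, so here is an added example (not from the original post) of three policies that do that: one requiring a compliant Windows device and MFA for Office 365, one blocking legacy authentication (which cannot perform MFA), and one requiring MFA for B2B guests. It uses the Microsoft Graph PowerShell SDK and assumes the Microsoft.Graph module is installed, that the caller holds Policy.ReadWrite.ConditionalAccess and Application.Read.All, and that the break-glass group ID is a placeholder you replace with your own. The policies are created in report-only mode on purpose.

```powershell
# Added example: Conditional Access policies created via Microsoft Graph, in report-only state.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All'

# Placeholder: the group holding the emergency-access (break-glass) accounts, always excluded.
$breakGlassGroupId = '00000000-0000-0000-0000-000000000001'

$policies = @(
    # 1. Office 365 from Windows: device must be Intune-compliant AND the user must pass MFA.
    #    'AND' means both grant controls are required; a compliant device alone is not enough.
    @{
        displayName   = 'CA01 - Office 365: require compliant device and MFA'
        state         = 'enabledForReportingButNotEnforced'
        conditions    = @{
            clientAppTypes = @('browser', 'mobileAppsAndDesktopClients')
            applications   = @{ includeApplications = @('Office365') }
            users          = @{ includeUsers = @('All'); excludeGroups = @($breakGlassGroupId) }
            platforms      = @{ includePlatforms = @('windows') }
        }
        grantControls = @{ operator = 'AND'; builtInControls = @('mfa', 'compliantDevice') }
    },
    # 2. Legacy authentication (basic-auth IMAP/POP/SMTP, ActiveSync) cannot satisfy MFA: block it.
    @{
        displayName   = 'CA02 - Block legacy authentication'
        state         = 'enabledForReportingButNotEnforced'
        conditions    = @{
            clientAppTypes = @('exchangeActiveSync', 'other')
            applications   = @{ includeApplications = @('All') }
            users          = @{ includeUsers = @('All'); excludeGroups = @($breakGlassGroupId) }
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('block') }
    },
    # 3. B2B guests get the same MFA requirement as staff, whatever they have been invited to.
    @{
        displayName   = 'CA03 - Guests: require MFA'
        state         = 'enabledForReportingButNotEnforced'
        conditions    = @{
            clientAppTypes = @('all')
            applications   = @{ includeApplications = @('All') }
            users          = @{ includeUsers = @('GuestsOrExternalUsers') }
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
    }
)

foreach ($p in $policies) {
    $result = Invoke-MgGraphRequest -Method POST `
        -Uri 'https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies' `
        -Body ($p | ConvertTo-Json -Depth 6) -ContentType 'application/json'
    'Created {0} ({1}) in state {2}' -f $result.displayName, $result.id, $result.state
}
```

Leave the policies in report-only mode until the Azure AD sign-in log shows no unexpected failures under the report-only results, then switch each one's state to enabled with a PATCH on the same URI. Never remove the break-glass exclusion: a policy that requires a compliant device for everyone, including the accounts used to fix a broken compliance policy, is a lock-out waiting to happen.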
Overall, the services included in your M365 subscription will enable you to add multiple layers of security to your devices, whether corporate owned and managed or unmanaged. You can extend those layers to permanent employees, contractors, suppliers, partners and anyone else you need to work with closely. Not only is this manageable from a single set of admin consoles, it also presents opportunities to make structural cost savings by deprecating 3rd party tools such as email hygiene or MDM solutions, as comparable versions are included in your M365 subscription.
I think the point that my customer may have been trying to make was that the Defense in Depth was shallow due to all of the layers being provided by one software vendor. That is a fair point, but it should be noted that a lot of Microsoft’s growth over the years has been by acquisition and I suspect that a lot of the technologies have been acquired as much as home grown. Even so, the overall picture is compelling, and coupled with the traditional perimeter security solutions that a customer will already have invested in, the fortification that can be provided here is not to be sniffed at.
If you would like help reviewing what you can do to improve your IT security using tools that you are already paying for in M365 licensing, please contact the team at Core. We can help you assess what you can use and what you can save by removing 3rd party duplicates.
For more information on Microsoft – Defense in Depth, click here: