What is Enterprise Mobility + Security?
Microsoft are leading the cloud market with their Office 365 solution. Office 365 is a powerful set of tools which has opened the possibility of mobile working. Employees are now able to access their data anywhere and at any time. From an operational perspective, this has allowed front line workers at Professional Services companies to access all the information they need for their day to day job, from locations such as building sites, facilities they are managing or from the comfort of their home office.
However, the fact that employees can now access data anywhere and at any time has opened Pandora’s box from a security perspective.
With data leakage and hacks becoming a daily occurrence for companies, the need to strike the balance between providing a great end user experience and ensuring that appropriate security measures are in place has never been more crucial. Professional Services organisations hold a lot of personal information on their customers such as salaries, home addresses and banking information. If this data was stolen, then the reputation of your organisation would be hugely affected. This is where Microsoft’s “Enterprise Mobility + Security” (EM+S) package provides a solution. EM+S is made up of four main components:
- Identity and Access Management
- Managed Mobile Productivity
- Information Protection
- Identity Driven Security
If managed and monitored correctly, EM+S should provide peace of mind for the security team that their estate is less vulnerable to attacks.
Key features of Enterprise Mobility + Security
EM+S is made up of a number of different tools designed to provide security for the four main components mentioned previously. This blog is going to focus on a few of the products included: Multi-Factor Authentication, Conditional Access, Intune and Azure Information Protection.
Conditional Access and Multi Factor Authentication
Employee priorities differ depending on the role. Whether you’re a lawyer, surveyor or recruiter (essentially an “end user”) you want a non-disruptive experience to access the data you need. Whereas the IT department wants to ensure that the correct security protocols are in place. It is the age-old challenge of balancing risk and business needs.
One of the great features in EM+S is Conditional Access. As the name suggests, Conditional Access lets you put parameters in place around how employees can access data. This can be locked down to factors such as an IP address, device or usual working hours. If a user’s login behaviour is unusual, for example, they normally login from the same device at their office but are trying to access their data at 3am from abroad, the user would be blocked from being able to login. Of course, there are instances where this is not an attack and the “true” user is attempting to access their data. This is where Multi Factor Authentication (MFA) would be activated.
MFA can be set up in different ways. When the user is set up, they provide a backup email address or phone number which will then be used to authenticate their identity during Multi-Factor Authentication. When the user tries to login, they will be sent a code to enter into the login page, to pass the security check. Microsoft also have an app which the user can use for the authentication process.
These two tools offer a solution which manages perceived risk whilst causing the least disruption to an end user.
Intune
Intune is the component of EM+S that manages mobile devices and the applications. Intune lets organisations have a record of what device is assigned to each employee and the applications which are running on the machine. The Azure Intune Portal is a great feature which presents a single source of truth on your device estate and makes it easier to measure device compliance to your corporate standards.
Different organisations have different requirements on what applications they want their employees to be able to use. For instance, you may not want your employees to be able to use Facebook on their corporate phones, and therefore this can be blocked. When considering corporate applications such as email, Intune has the ability to control how the data is being used and shared.
In Professional Services organisations, turnover of mobile workers can be quite high. Facilities Management companies may hire more staff when a new building is brought onto their books or construction workers are hired to complete specific projects. When considering a mobile workforce, you want to make sure that they feel part of the company and have access to email and company news. However, if these staff are hired on a temporary basis, then you need to manage the risk and ensure that all company data can be wiped from their devices when they leave. Intune allows you to remotely wipe corporate data from mobile devices so that when an employee leaves, your data does not leave with them.
The capability within Intune is huge as it provides management, reporting and tracking features. The key message to take away is that the IT team can rest easier at night knowing that security has been applied at device level.
Azure Information Protection
It is crucial to put security parameters in place at the device level, but EM+S also includes a feature which provides security at the document level. Azure Information Protection (AIP) allows you to classify data (documents and emails) which sets the boundaries on what you can do with that data. For instance, you might choose three different levels of classification: “Public”, “Confidential” or “Highly Confidential”. If you are working for an Estate Agency these classifications could be used as follows:
- Public: House Marketing Brochures
- This data does not have much security applied to it and actions such as it being able to be downloaded and shared to other emails (internal and external) are allowed
- Confidential: Email communication on pricing negotiations
- This data can be shared with a selected group of users (internal) but cannot be downloaded or screenshot
- Highly Confidential: Any personal or sensitive information about your customers which may breach GDPR regulations if leaked.
- This data cannot be forwarded, downloaded or screenshot
The product is intuitive and will pick up details (such as credit card numbers) and will automatically apply the appropriate level of security. Users can also manually apply these classifications.
Is your estate as secure as it can be?
The security features that Microsoft provide are extensive and can sometimes lead to more questions being asked then answered!
From licensing to implementation to ongoing support of your IT estate, Core can provide help and guidance to make sure your security is at the level it needs to be and meets all your requirements.
If you would like to learn more about EM+S, then please do contact me today for a chat; I’d be delighted to discuss EM+S and our security offering in more detail.
