chris martin - indiana.bank · drive encryption remote wipe business data separation file...


Post on 19-May-2020


TRANSCRIPT

Page 1:
Page 2:

Chris Martin
Solutions Architect

Matrix [email protected]

Page 3:

Windows 7 – The Long Goodbye

• Extended Support Ends January 14, 2020
• Extended Security Updates (ESU) January 2023
• Additional fee
• Requires volume license with SA or subscription
• Hardware Compatibility Issues (Drivers)
• Software Compatibility Issues (Office 2019)

Page 4:

Windows 10 Hardening

• Secure Boot
• BitLocker
• Security Baseline Policy

Page 5:
Page 6:

The current reality…

Page 7:

Identity as the control plane

[Diagram labels: Self-service, Single sign-on, Simple connection, Cloud, SaaS, Azure, Office 365, Public cloud, Other directories, Windows Server Active Directory, On-premises, Microsoft Azure Active Directory]

Page 8:

What is Azure Active Directory?

A comprehensive identity and access management cloud solution

It combines directory services, advanced identity governance, application access management and a rich standards-based platform for developers

Page 9:

Centrally managed identities and access

IT professional

Page 10:

PROTECT PRIVILEGED IDENTITIES
Discover, restrict, and monitor privileged identities

Enforce on-demand, just-in-time administrative access when needed

Use Alert, Audit Reports and Access Review

[Diagram labels: Domain User, Global Admin., Domain User]

Admin. privileges expire after a specified interval

Page 11:

What is Azure Multi-Factor Authentication?

A stand-alone Azure Identity and Access management service also included in Azure Active Directory Premium

Prevents unauthorized access to both on-premises and cloud applications by providing an additional level of authentication

Trusted by thousands of enterprises to authenticate employee, customer, and partner access

Page 12:

WHY IDENTITY IS IMPORTANT

80% of employees use non-approved apps for work

81% of breaches are caused by credential theft

73% of passwords are duplicates

Page 13:

Do your users struggle to remember complex passwords?

Do they have to juggle multiple credentials?

Can you extend user identity for Office 365 or Windows to other apps?

Do you MFA every time you want to ensure secure access?

Page 14:

IDENTITY & ACCESS MANAGEMENT
Prove users are authorized and secure before granting access to apps and data

Simplify access to devices and apps

Protect at the front door

Safeguard your credentials

Page 15:

Intelligent security with Windows 10

Security management

Threat protection

Identity protection

Information protection

Page 16:

Threat protection
Prevent attacks, isolate threats and control malicious code execution with Windows Defender

Windows Defender Antivirus
Detect fast-changing malware variations using behavior monitoring and cloud-powered protection

Windows Defender System Guard
Maintain system integrity during boot time, runtime, and remote access to avoid compromised devices

Windows Defender Advanced Threat Protection
Protect endpoints from cyber threats, detect advanced attacks and automate security incidents to improve security posture

Page 17:

Identity protection
Protect identities with more than just a password

Windows Hello¹
Get better protection when you unlock your device with a look or a touch
Remotely sign in to your PC and services with companion devices²

Credential Guard
Isolate and protect credentials from a full system compromise
Configure easily with existing management tools

¹ To use Windows Hello with biometrics, specialized hardware, including fingerprint reader, illuminated IR sensor, or other biometric sensors, is required. Hardware-based protection of the Windows Hello credential/keys requires TPM 1.2 or greater; if no TPM exists or is configured, credentials/keys protection will be software-based.

² Companion devices must be paired with Windows 10 PCs via Bluetooth. To use a Windows Hello companion device that enables the user to roam with their Windows Hello credentials requires Pro or Enterprise edition on the Windows 10 PC being signed into.

Page 18:

WINDOWS HELLO FOR BUSINESS

Passwordless strong authentication via multiple factors

PC + PIN or Biometrics

PC + Companion Device

PC supported Biometrics: fingerprint & facial

Companion Device can support other biometrics options (e.g.: EKG)

Supported on any Windows 10 device

>100 devices supporting biometrics

Page 19:

HOW HELLO PROTECTS CREDENTIALS

Strong authentication via multiple factors
• Uses two factors for authentication (e.g.: PC + PIN or Biometric)
• Asymmetrical Keys (i.e.: Private/Public)

User credentials protected by hardware
• Hardware generated credential (keys)
• Credential isolated and protected by hardware

Secure biometrics
• Hardened biometric implementation in Windows & hardware
• Anti-spoofing and brute-force protection

Page 20:

Information protection
Easily protect data at rest and in use

Windows Information Protection
Prevent accidental or intentional data leaks by separating personal and professional data¹

BitLocker
Encrypt sensitive information and protect against unauthorized access²

Microsoft BitLocker Administration & Monitoring
Use tools to provision, enforce, report compliance and recover BitLocker-protected data

¹ WIP requires either Mobile Device Management (MDM) or System Center Configuration Manager to manage settings. These products are sold separately. Active Directory makes management easier, but is not required.

² Requires TPM 1.2 or greater for TPM-based key protection.

Page 21:

Security management
Includes comprehensive security lifecycle management for security operations and configuration management

Windows Defender Security Center
Centrally manage the end-to-end security management lifecycle with a single console
Search up to six months of historical data

Windows Security Analytics
Better understand your overall security health score
Get recommendations to help reduce future attacks

Page 22:

Intelligent security with Windows 10

Security management
• Windows Defender Security Center
• Windows Security Analytics

Threat protection
• Windows Defender Antivirus
• Windows Defender System Guard
• Windows Defender Advanced Threat Protection

Identity protection
• Windows Hello
• Credential Guard

Information protection
• Windows Information Protection
• BitLocker
• Microsoft BitLocker Administration and Monitoring (MBAM)

Page 23:
Page 24:

SECURITY MANAGEMENT IMPERATIVES

VISIBILITY
Understand the security state and risks across resources

CONTROL
Define consistent security policies and enable controls

GUIDANCE
Elevate security through built-in intelligence and recommendations

INFRASTRUCTURE · APPS / DATA · DEVICES · IDENTITY

Page 25:

Understand the security state and risks across resources

Page 26:

IDENTITY

UNDERSTAND SECURITY STATE OF USERS

Page 27:

DEVICES

UNDERSTAND SECURITY STATE OF DEVICES

COMPLETE VISIBILITY INTO THE ENDPOINT SECURITY

QUICKLY ASSESS THE SCOPE OF INCIDENTS AND ROOT CAUSES

RICH TOOLSET FOR INVESTIGATION AND REMEDIATION ACTIONS

Page 28:

APPS / DATA

UNDERSTAND SECURITY STATE OF APPS & DATA

GAIN VISIBILITY INTO CLOUD APPS USED IN YOUR ENVIRONMENT & GET A RISK ASSESSMENT

AUDIT LOGS AND REPORTS TO HELP DETECT ACTIVITY WITHIN PRODUCTIVITY APPS

ALERTS TO HELP YOU SEE ANOMALOUS ACTIVITY

Page 29:

Define consistent security policies and enable controls

Page 30:

IDENTITY

DEFINE CONSISTENT SECURITY POLICIES AND ENABLE CONTROLS FOR USERS

Page 31:

DEVICES

DEFINE CONSISTENT SECURITY POLICIES AND ENABLE CONTROLS FOR DEVICES

ONE PLACE TO CONFIGURE THE FULL WINDOWS SECURITY STACK

CONTROL DEVICE SECURITY POLICIES AND SEE THE DEPLOYMENT STATUS IN A CENTRAL PLACE

Page 32:

APPS / DATA

DEFINE CONSISTENT SECURITY POLICIES AND ENABLE CONTROLS FOR APPS & DATA

CUSTOMIZABLE PORTAL FOR MOST IMPORTANT SECURITY FEATURES FOR PRODUCTIVITY APPS

CONTROL DATA IN CLOUD APPS WITH GRANULAR POLICIES FOR DLP AND DATA SHARING

SEE SECURITY CONTROLS AND THEIR STATUS FROM DIFFERENT WORKLOADS

Page 33:

Enhance security through built-in intelligence and recommendations

Page 34:

IDENTITY

BUILT-IN INTELLIGENCE AND RECOMMENDATIONS FOR USERS

Page 35:

DEVICES

BUILT-IN INTELLIGENCE AND RECOMMENDATIONS FOR DEVICES

ASSESS ORGANIZATIONAL SECURITY SCORE INCLUDING TRENDS OVER TIME

RECOMMENDATIONS DRIVEN BY YOUR ENDPOINTS FOR ENHANCED SECURITY

EVERY ALERT COMES WITH RECOMMENDATION FOR REMEDIATION FOR THREATS AND FUTURE RISKS

Page 36:

APPS / DATA

BUILT-IN INTELLIGENCE AND RECOMMENDATIONS FOR APPS & DATA

MACHINE LEARNING BASED RECOMMENDATIONS DRIVEN BY SIGNALS SPECIFIC TO YOUR ORGANIZATION

LEVERAGE THE MOST EFFECTIVE CONTROLS BASED ON BEST PRACTICES AND YOUR GOALS

Page 37:

• Information Rights Management
• Mobile Device & Application Management
• Cloud Access Security Broker
• SIEM
• Data Loss Prevention
• User & Entity Behavioral Analytics
• Mobile Data Loss Prevention
• Threat Detection
• Identity governance
• Single-sign on
• Cloud Data Loss Prevention
• Conditional access
• Discovery
• Cloud visibility
• Secure collaboration
• Cloud anomaly detection
• Identity & Access Management

Page 38:

Microsoft 365 is a fully-integrated security solution

AZURE ACTIVE DIRECTORY
CONDITIONAL ACCESS
WINDOWS HELLO
WINDOWS CREDENTIAL GUARD
AZURE ADVANCED THREAT ANALYTICS
WINDOWS DEFENDER ADVANCED THREAT PROTECTION
OFFICE 365 ADVANCED THREAT PROTECTION
OFFICE 365 THREAT INTELLIGENCE
AZURE INFORMATION PROTECTION
OFFICE 365 DATA LOSS PREVENTION
WINDOWS INFORMATION PROTECTION
MICROSOFT CLOUD APP SECURITY
OFFICE 365 ADVANCED SECURITY MGMT
MICROSOFT INTUNE
AZURE SECURITY CENTER
OFFICE 365 SECURITY & COMPLIANCE CENTER
WINDOWS DEFENDER ADVANCED SECURITY CENTER

Page 39:

Advanced Threat Protection
• Protect against unknown malware and viruses
• Provide real-time, time-of-click protection against malicious URLs
• Deliver rich reporting and URL trace capabilities with Click Tracing

Advanced Security Management
• Identify high-risk and abnormal usage, security incidents, and threats
• Gain enhanced visibility and context into Office 365 usage and shadow IT
• Reduce the possibility of attacks with granular controls that monitor access

Customer Lockbox
• Explicitly control all access to data; Microsoft must be granted permission
• Grant just-in-time access to limit data access
• Maximize data security and privacy by logging access control activities

Advanced eDiscovery
• Focus on what is unique and relevant by training the system to identify emails and documents through predictive coding
• Reduce document volume with Near Duplicates and Email Threading

Page 40:
Page 41:

HOW DO I PROTECT SENSITIVE INFORMATION?

INFORMATION PROTECTION LIFECYCLE

Detect
Scan & detect sensitive data based on policy

Classify
Classify data and apply labels based on sensitivity

Protect
Apply protection actions, including encryption, access restrictions

Monitor
Reporting, alerts, remediation

Page 42:

THE LIFECYCLE OF A SENSITIVE FILE

Data is created, imported, & modified across various locations

Data is detected
Across devices, cloud services, on-prem environments

Sensitive data is classified & labeled
Based on sensitivity; used for either protection policies or retention policies

Data is protected based on policy
Protection may be in the form of encryption, permissions, visual markings, retention, deletion, or a DLP action such as blocking sharing

Data travels across various locations, shared
Protection is persistent, travels with the data

Data is monitored
Reporting on data sharing, usage, potential abuse; take action & remediate

Retain, expire, delete data
Via data governance policies

Page 43:

Detect: Scan & detect sensitive data based on policy

Classify: Classify data and apply labels based on sensitivity

Protect: Apply protection actions, including encryption, access restrictions

Monitor: Reporting, alerts, remediation

Page 44:

DETECT SENSITIVE INFORMATION

CLOUD & SaaS APPS

Page 45:

Detect: Scan & detect sensitive data based on policy

Classify: Classify data and apply labels based on sensitivity

Protect: Apply protection actions, including encryption, access restrictions

Monitor: Reporting, alerts, remediation

Page 46:

CLASSIFY INFORMATION BASED ON SENSITIVITY

HIGHLY CONFIDENTIAL
CONFIDENTIAL
GENERAL
PUBLIC
PERSONAL

Business-led policies & rules; configured by IT

Automatic classification
Policies can be set by IT Admins for automatically applying classification and protection to data

Recommended classification
Based on the content you’re working on, you can be prompted with suggested classification

Manual reclassification
You can override a classification and optionally be required to provide a justification

User-specified classification
Users can choose to apply a sensitivity label to the email or file they are working on with a single click

Page 47:

SENSITIVITY LABELS PERSIST WITH THE DOCUMENT

FINANCE
CONFIDENTIAL

Document labeling – what is it?
• Metadata written into document files
• Travels with the document as it moves
• In clear text so that other systems such as a DLP engine can read it
• Used for the purpose of applying a protection action or data governance action – determined by policy
• Can be customized per the organization’s needs

Page 48:

DEFINE AND CUSTOMIZE POLICIES

Policies for specific groups or departments
Can be viewed and applied only by members of that group

Policies targeting specific locations
Determine which locations are subject to policy, such as Exchange Online and SharePoint Online

Configure label schema and settings
Customize labels, sub-labels and settings like mandatory labeling, default label and justifications

Page 49:

CLASSIFICATION & LABELING EXAMPLE – SENSITIVE DATA
Discover personal data and apply persistent labels

Labels are persistent and readable by other systems e.g. DLP engine

Label is metadata written to data

Sensitive data is automatically detected

Page 50:

Detect: Scan & detect sensitive data based on policy

Classify: Classify data and apply labels based on sensitivity

Protect: Apply protection actions, including encryption, access restrictions

Monitor: Reporting, alerts, remediation

Page 51:

PROTECT SENSITIVE DATA ACROSS YOUR ENVIRONMENT

• Drive encryption
• Remote wipe
• Business data separation
• File encryption
• Permissions and rights-based restrictions
• DLP actions to prevent sharing
• Policy tips & notifications for end-users
• Visual markings in documents
• Control and protect data in cloud apps with granular policies and anomaly detection
• Data retention, expiration, deletion

Devices

Cloud & on-premises

Page 52:

PROTECT BUSINESS INFORMATION ON WINDOWS 10 DEVICES

Separation and containment of business information
Prevents accidental leaks by automatically separating and containing business information

Business-led policies & IT stays in control
Policies enable IT to define which apps and users are authorized to access business information as well as the rights users have when using it (e.g.: copy and paste)

Easy for end users
Built directly into Windows and works behind the scenes – only notifying users when they’re attempting to take unauthorized actions

Page 53:

PROTECT SENSITIVE INFORMATION ACROSS CLOUD SERVICES & ON PREMISES

• Data encryption built into Azure & Office 365
• Revoke app access
• File-level encryption and permissions
• Policy tips to notify and educate end users
• DLP actions to block sharing
• Visual markings to indicate sensitive documents
• Control cloud app access & usage
• Retain, expire or delete documents

Page 54:

AUTOMATICALLY RETAIN AND DELETE DOCUMENTS IN OFFICE 365 WITH DATA GOVERNANCE

Retention
Retain content in sites, mailboxes, and public folders indefinitely or for a specific duration

In-place
Data remains in its original location in Office 365 and users can continue to work with their documents or mail, but a copy of the content as it existed when you initiated the policy is preserved

Delete data
A retention policy can both retain and then delete data, or simply delete old data without retaining it

Page 55:

Detect: Scan & detect sensitive data based on policy

Classify: Classify data and apply labels based on sensitivity

Protect: Apply protection actions, including encryption, access restrictions

Monitor: Reporting, alerts, remediation

Page 56:

MONITOR INFORMATION PROTECTION EVENTS FOR GREATER CONTROL

Visibility
• Policy violations
• Document access & sharing
• App usage
• Anomalous activity
• End-user overrides
• False positives

Take Action
• Tune & revise policies
• Revoke access
• Quarantine file
• Quarantine user
• Integrate into workflows & SIEM

Page 57:

MONITOR DLP AND DATA GOVERNANCE EVENTS

Know when policy is violated
Incident report emails alert you in real time when content violates policy

See the effectiveness of your policies
Built-in reports help you see historical information and tune policies

Integrates with other systems
Leverage the Activity Management API to pull information into SIEM and workflow tools

Page 58:

MONITOR DOCUMENT SHARING & ACCESS

Distribution visibility
Analyze the flow of personal and sensitive data and detect risky behaviors.

Access logging
Track who is accessing documents and from where.

Access revocation
Prevent data leakage or misuse by changing or revoking document access remotely.

Page 59:

MONITOR CLOUD APP USAGE

Advanced incident investigation tools
Investigate on users, file, activities, locations and managed apps, quantify exposure and risk

Cloud data visibility
Identify how data – both classified and not classified – is shared across cloud apps and identify risk

Cloud app risk assessment
Assess risk of cloud apps based on ~60 security and compliance risk factors.

On-going analytics & anomaly detection
Get anomalous usage alerts, new app and trending apps alerts

Page 60:

MICROSOFT’S INFORMATION PROTECTION SOLUTIONS

Detect · Classify · Protect · Monitor

CLOUD · DEVICES · ON PREMISES

Comprehensive protection of sensitive data throughout the lifecycle – inside and outside the organization

Page 61:

GETTING STARTED:

• Active Directory Modernization
• Windows 10 Deployment with Cloud Services
• Use Office 365 DLP to protect your Office 365 email and documents
• Use Azure Information Protection to protect beyond Office 365 – on the supported versions of Office, Windows and mobile devices

Page 62:

Thank You

Page 63: