chris martin - indiana.bank · drive encryption remote wipe business data separation file...
TRANSCRIPT
Chris Martin, Solutions Architect
Matrix [email protected]
Windows 7 – The Long Goodbye
• Extended Support ends January 14, 2020
• Extended Security Updates (ESU) through January 2023
• Additional fee
• Requires volume license with SA or subscription
• Hardware compatibility issues (drivers)
• Software compatibility issues (Office 2019)
Windows 10 Hardening
• Secure Boot
• BitLocker
• Security Baseline Policy
The current reality…
[Figure: sign-in prompt with a Username field and a masked password, labelled "Self-service" and "Single sign on"]
Identity as the control plane
[Diagram: on-premises Windows Server Active Directory joined by a simple connection to Microsoft Azure Active Directory in the cloud, which fronts SaaS, Azure, Office 365, public cloud and other directories]
What is Azure Active Directory?
A comprehensive identity and access management cloud solution.
It combines directory services, advanced identity governance, application access management and a rich standards-based platform for developers.
PROTECT PRIVILEGED IDENTITIES
Discover, restrict, and monitor privileged identities
• Centrally managed identities and access
• Enforce on-demand, just-in-time administrative access when needed
• Use Alert, Audit Reports and Access Review
[Diagram: an IT professional's Domain User account is elevated to Global Admin; the admin privileges expire after a specified interval and the account returns to Domain User]
What is Azure Multi-Factor Authentication?
A stand-alone Azure identity and access management service, also included in Azure Active Directory Premium
Prevents unauthorized access to both on-premises and cloud applications by providing an additional level of authentication
Trusted by thousands of enterprises to authenticate employee, customer, and partner access
WHY IDENTITY IS IMPORTANT
• 80% of employees use non-approved apps for work
• 81% of breaches are caused by credential theft
• 73% of passwords are duplicates
IDENTITY & ACCESS MANAGEMENT
Prove users are authorized and secure before granting access to apps and data
Do your users struggle to remember complex passwords?
Do they have to juggle multiple credentials?
Can you extend user identity for Office 365 or Windows to other apps?
Do you MFA every time you want to ensure secure access?
• Simplify access to devices and apps
• Protect at the front door
• Safeguard your credentials
Intelligent security with Windows 10
• Security management
• Threat protection
• Identity protection
• Information protection
Threat protection
Prevent attacks, isolate threats and control malicious code execution with Windows Defender
Windows Defender Antivirus
Detect fast-changing malware variations using behavior monitoring and cloud-powered protection
Windows Defender System Guard
Maintain system integrity during boot time, runtime, and remote access to avoid compromised devices
Windows Defender Advanced Threat Protection
Protect endpoints from cyber threats, detect advanced attacks and automate security incident handling to improve security posture
Identity protection
Protect identities with more than just a password
Windows Hello (1)
Get better protection when you unlock your device with a look or a touch
Remotely sign in to your PC and services with companion devices (2)
Credential Guard
Isolate and protect credentials from a full system compromise
Configure easily with existing management tools
(1) To use Windows Hello with biometrics, specialized hardware, including a fingerprint reader, illuminated IR sensor, or other biometric sensor, is required. Hardware-based protection of the Windows Hello credential/keys requires TPM 1.2 or greater; if no TPM exists or is configured, credential/key protection will be software-based.
(2) Companion devices must be paired with Windows 10 PCs via Bluetooth. To use a Windows Hello companion device that enables the user to roam with their Windows Hello credentials requires Pro or Enterprise edition on the Windows 10 PC being signed into.
WINDOWS HELLO FOR BUSINESS
Passwordless strong authentication via multiple factors
• PC + PIN or Biometrics
• PC + Companion Device
PC supported biometrics: fingerprint & facial
Companion device can support other biometric options (e.g.: EKG)
Supported on any Windows 10 device
>100 devices supporting biometrics
HOW HELLO PROTECTS CREDENTIALS
Strong authentication via multiple factors
• Uses two factors for authentication (e.g.: PC + PIN or Biometric)
User credentials protected by hardware
• Asymmetrical keys (i.e.: private/public)
• Hardware generated credential (keys)
• Credential isolated and protected by hardware
Secure biometrics
• Hardened biometric implementation in Windows & hardware
• Anti-spoofing and brute-force protection
Information protection
Easily protect data at rest and in use
Windows Information Protection
Prevent accidental or intentional data leaks by separating personal and professional data (1)
BitLocker
Encrypt sensitive information and protect against unauthorized access (2)
Microsoft BitLocker Administration & Monitoring
Use tools to provision, enforce, report compliance and recover BitLocker-protected data
(1) WIP requires either Mobile Device Management (MDM) or System Center Configuration Manager to manage settings. These products are sold separately. Active Directory makes management easier, but is not required.
(2) Requires TPM 1.2 or greater for TPM-based key protection.
Security management
Includes comprehensive security lifecycle management for security operations and configuration management
Windows Defender Security Center
Centrally manage the end-to-end security management lifecycle with a single console
Search up to six months of historical data
Windows Security Analytics
Better understand your overall security health score
Get recommendations to help reduce future attacks
Intelligent security with Windows 10
• Security management: Windows Defender Security Center, Windows Security Analytics
• Threat protection: Windows Defender Antivirus, Windows Defender System Guard, Windows Defender Advanced Threat Protection
• Identity protection: Windows Hello, Credential Guard
• Information protection: Windows Information Protection, BitLocker, Microsoft BitLocker Administration and Monitoring (MBAM)
SECURITY MANAGEMENT IMPERATIVES
VISIBILITY
Understand the security state and risks across resources
CONTROL
Define consistent security policies and enable controls
GUIDANCE
Elevate security through built-in intelligence and recommendations
Applied across: INFRASTRUCTURE, APPS / DATA, DEVICES, IDENTITY
Understand the security state and risks across resources
IDENTITY
UNDERSTAND SECURITY STATE OF USERS
DEVICES
UNDERSTAND SECURITY STATE OF DEVICES
• Complete visibility into the endpoint security
• Quickly assess the scope of incidents and root causes
• Rich toolset for investigation and remediation actions
APPS / DATA
UNDERSTAND SECURITY STATE OF APPS & DATA
• Gain visibility into cloud apps used in your environment & get a risk assessment
• Audit logs and reports to help detect activity within productivity apps
• Alerts to help you see anomalous activity
Define consistent security policies and enable controls
IDENTITY
DEFINE CONSISTENT SECURITY POLICIES AND ENABLE CONTROLS FOR USERS
DEVICES
DEFINE CONSISTENT SECURITY POLICIES AND ENABLE CONTROLS FOR DEVICES
• One place to configure the full Windows security stack
• Control device security policies and see the deployment status in a central place
APPS / DATA
DEFINE CONSISTENT SECURITY POLICIES AND ENABLE CONTROLS FOR APPS & DATA
• Customizable portal for the most important security features for productivity apps
• Control data in cloud apps with granular policies for DLP and data sharing
• See security controls and their status from different workloads
Enhance security through built-in intelligence and recommendations
IDENTITY
BUILT-IN INTELLIGENCE AND RECOMMENDATIONS FOR USERS
DEVICES
BUILT-IN INTELLIGENCE AND RECOMMENDATIONS FOR DEVICES
• Assess organizational security score including trends over time
• Recommendations driven by your endpoints for enhanced security
• Every alert comes with a recommendation for remediation of threats and future risks
APPS / DATA
BUILT-IN INTELLIGENCE AND RECOMMENDATIONS FOR APPS & DATA
• Machine learning based recommendations driven by signals specific to your organization
• Leverage the most effective controls based on best practices and your goals
Microsoft 365 is a fully-integrated security solution
[Diagram of integrated capabilities: Information Rights Management; Mobile Device & Application Management; Cloud Access Security Broker; SIEM; Data Loss Prevention; User & Entity Behavioral Analytics; Mobile Data Loss Prevention; Threat Detection; Identity governance; Single sign-on; Cloud Data Loss Prevention; Conditional access; Discovery; Cloud visibility; Secure collaboration; Cloud anomaly detection; Identity & Access Management]
AZURE ACTIVE DIRECTORY
CONDITIONAL ACCESS
WINDOWS HELLO
WINDOWS CREDENTIAL GUARD
AZURE ADVANCED THREAT ANALYTICS
WINDOWS DEFENDER ADVANCED THREAT PROTECTION
OFFICE 365 ADVANCED THREAT PROTECTION
OFFICE 365 THREAT INTELLIGENCE
AZURE INFORMATION PROTECTION
OFFICE 365 DATA LOSS PREVENTION
WINDOWS INFORMATION PROTECTION
MICROSOFT CLOUD APP SECURITY
OFFICE 365 ADVANCED SECURITY MGMT
MICROSOFT INTUNE
AZURE SECURITY CENTER
OFFICE 365 SECURITY & COMPLIANCE CENTER
WINDOWS DEFENDER ADVANCED SECURITY CENTER
Advanced Threat Protection
• Protect against unknown malware and viruses
• Provide real-time, time-of-click protection against malicious URLs
• Deliver rich reporting and URL trace capabilities with Click Tracing
Advanced Security Management
• Identify high-risk and abnormal usage, security incidents, and threats
• Gain enhanced visibility and context into Office 365 usage and shadow IT
• Reduce the possibility of attacks with granular controls that monitor access
Customer Lockbox
• Explicitly control all access to data; Microsoft must be granted permission
• Grant just-in-time access to limit data access
• Maximize data security and privacy by logging access control activities
Advanced eDiscovery
• Focus on what is unique and relevant by training the system to identify emails and documents through predictive coding
• Reduce document volume with Near Duplicates and Email Threading
HOW DO I PROTECT SENSITIVE INFORMATION?
INFORMATION PROTECTION LIFECYCLE
Detect: Scan & detect sensitive data based on policy
Classify: Classify data and apply labels based on sensitivity
Protect: Apply protection actions, including encryption, access restrictions
Monitor: Reporting, alerts, remediation
THE LIFECYCLE OF A SENSITIVE FILE
• Data is created, imported, & modified across various locations
• Data is detected across devices, cloud services and on-prem environments
• Sensitive data is classified & labeled based on sensitivity; used for either protection policies or retention policies
• Data is protected based on policy. Protection may be in the form of encryption, permissions, visual markings, retention, deletion, or a DLP action such as blocking sharing
• Data travels across various locations and is shared. Protection is persistent and travels with the data
• Data is monitored: reporting on data sharing, usage and potential abuse; take action & remediate
• Retain, expire or delete data via data governance policies
DETECT SENSITIVE INFORMATION
CLOUD & SaaS APPS
CLASSIFY INFORMATION BASED ON SENSITIVITY
Label taxonomy: HIGHLY CONFIDENTIAL, CONFIDENTIAL, GENERAL, PUBLIC, PERSONAL
Business-led policies & rules; configured by IT
Automatic classification
Policies can be set by IT Admins for automatically applying classification and protection to data
Recommended classification
Based on the content you’re working on, you can be prompted with suggested classification
Manual reclassification
You can override a classification and optionally be required to provide a justification
User-specified classification
Users can choose to apply a sensitivity label to the email or file they are working on with a single click
SENSITIVITY LABELS PERSIST WITH THE DOCUMENT
[Figure: a document stamped with the labels FINANCE and CONFIDENTIAL]
Document labeling – what is it?
• Metadata written into document files
• Travels with the document as it moves
• In clear text so that other systems such as a DLP engine can read it
• Used for the purpose of applying a protection action or data governance action – determined by policy
• Can be customized per the organization’s needs
DEFINE AND CUSTOMIZE POLICIES
Policies for specific groups or departments
Can be viewed and applied only by members of that group
Policies targeting specific locations
Determine which locations are subject to policy, such as Exchange Online and SharePoint Online
Configure label schema and settings
Customize labels, sub-labels and settings like mandatory labeling, default label and justifications
CLASSIFICATION & LABELING EXAMPLE – SENSITIVE DATA
Discover personal data and apply persistent labels
• Sensitive data is automatically detected
• Label is metadata written to data
• Labels are persistent and readable by other systems, e.g. a DLP engine
PROTECT SENSITIVE DATA ACROSS YOUR ENVIRONMENT
Across devices, cloud & on-premises:
• Drive encryption
• Remote wipe
• Business data separation
• File encryption
• Permissions and rights-based restrictions
• DLP actions to prevent sharing
• Policy tips & notifications for end-users
• Visual markings in documents
• Control and protect data in cloud apps with granular policies and anomaly detection
• Data retention, expiration, deletion
PROTECT BUSINESS INFORMATION ON WINDOWS 10 DEVICES
Separation and containment of business information
Prevents accidental leaks by automatically separating and containing business information
Business-led policies & IT stays in control
Policies enable IT to define which apps and users are authorized to access business information as well as the rights users have when using it (e.g.: copy and paste)
Easy for end users
Built directly into Windows and works behind the scenes – only notifying users when they’re attempting to take unauthorized actions
PROTECT SENSITIVE INFORMATION ACROSS CLOUD SERVICES & ON PREMISES
• Data encryption built into Azure & Office 365
• Revoke app access
• File-level encryption and permissions
• Policy tips to notify and educate end users
• DLP actions to block sharing
• Visual markings to indicate sensitive documents
• Control cloud app access & usage
• Retain, expire or delete documents
AUTOMATICALLY RETAIN AND DELETE DOCUMENTS IN OFFICE 365 WITH DATA GOVERNANCE
Retention
Retain content in sites, mailboxes, and public folders indefinitely or for a specific duration
In-place
Data remains in its original location in Office 365 and users can continue to work with their documents or mail, but a copy of the content as it existed when you initiated the policy is preserved
Delete data
A retention policy can both retain and then delete data, or simply delete old data without retaining it
MONITOR INFORMATION PROTECTION EVENTS FOR GREATER CONTROL
Visibility
• Policy violations
• Document access & sharing
• App usage
• Anomalous activity
• End-user overrides
• False positives
Take Action
• Tune & revise policies
• Revoke access
• Quarantine file
• Quarantine user
• Integrate into workflows & SIEM
MONITOR DLP AND DATA GOVERNANCE EVENTS
Know when policy is violated
Incident report emails alert you in real time when content violates policy
See the effectiveness of your policies
Built-in reports help you see historical information and tune policies
Integrates with other systems
Leverage the Activity Management API to pull information into SIEM and workflow tools
MONITOR DOCUMENT SHARING & ACCESS
Distribution visibility
Analyze the flow of personal and sensitive data and detect risky behaviors.
Access logging
Track who is accessing documents and from where.
Access revocation
Prevent data leakage or misuse by changing or revoking document access remotely.
MONITOR CLOUD APP USAGE
Advanced incident investigation tools
Investigate users, files, activities, locations and managed apps; quantify exposure and risk
Cloud data visibility
Identify how data – both classified and not classified – is shared across cloud apps and identify risk
Cloud app risk assessment
Assess the risk of cloud apps based on ~60 security and compliance risk factors.
On-going analytics & anomaly detection
Get anomalous usage alerts, new app and trending app alerts
MICROSOFT’S INFORMATION PROTECTION SOLUTIONS
Detect, Classify, Protect, Monitor – across cloud, devices and on-premises
Comprehensive protection of sensitive data throughout the lifecycle – inside and outside the organization
GETTING STARTED:
• Active Directory Modernization
• Windows 10 Deployment with Cloud Services
• Use Office 365 DLP to protect your Office 365 email and documents
• Use Azure Information Protection to protect beyond Office 365 – on the supported versions of Office, Windows and mobile devices
Thank You