Security and Compliance

As you embark on a digital transformation journey, you need to tackle the challenge of managing security, privacy, and regulatory compliance effectively.

Securing your data and information is critical to your business success

The collaboration landscape has changed. Connectivity is ubiquitous and the ability to work remotely has become an ingrained part of the work practice. People have come to expect to be able to access email and documents from anywhere on any device – and for that experience to be seamless.

While this has been an enormous boost to productivity, it also presents huge challenges for security. Previously, businesses only needed to concern themselves with a firewall that ended at the corporate boundary. Now that boundary has shifted to the end user. Businesses need to ensure that corporate data is safe while enabling users to stay productive in today’s mobile-first world, where the threat landscape is increasingly complex and sophisticated.

Users

Identity Management

Stealing credentials and identities is the number one objective of phishing and malware attacks. As identities are managed across more and more SaaS applications, it is not only a hassle for users, but also impossible for IT administrators and security managers to control.

Traditional identity and access management solutions, which provide single sign-on to on-premises applications and directory services such as Active Directory, are used by the vast majority of organizations, and huge investments have been made to deploy and maintain them. These solutions are perfect for the on-premises world.

Now, IT can provide the same sign-on and management experience for cloud applications hosted in the public cloud. Azure Active Directory addresses this challenge by extending the reach of on-premises identities to the cloud in a secure and efficient way. Only one simple connection is needed from the on-premises directory to Azure AD; everything else is handled by Azure AD. Users get secure single sign-on to thousands of SaaS applications hosted in any cloud using the same credentials that exist on-premises. In addition, Azure AD provides self-service capabilities and easy access to all the applications, consumer or business, that users need, both in the cloud and on-premises.

Compliance

Microsoft Office 365 holds many independently verified industry certifications and has passed several third-party security audits. Note that holding a certification does not make an individual tenant compliant: organizations must activate the relevant capabilities in the Compliance Center and elsewhere.

  • SAS 70 / SSAE16 Assessments
  • ISO 27001 certified
  • EU Model Clauses
  • EU Safe Harbor
  • HIPAA-Business Associate Agreement
  • FISMA/FedRAMP Authority to Operate
  • Microsoft Data Processing Agreement
  • PCI DSS Level One

The compliance policies configured in the Compliance Center apply not only to email, but also to documents shared through SharePoint and OneDrive.

Organizations can also set email retention rules, legal holds, and archiving. When subpoenaed, organizations can use the Advanced eDiscovery capabilities to minimize the time needed to comply with an inquiry.
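As an added example (not from the original page, and not Microsoft's own documentation), the following Security & Compliance PowerShell and Exchange Online PowerShell commands show what "retention rules" and a "legal hold" look like when actually configured. It assumes an admin has already connected with Connect-IPPSSession and Connect-ExchangeOnline; the policy names, the 7-year (2555-day) duration and the contoso.example addresses are constructed placeholders.

```powershell
# Added example, not from the page. Assumes existing Connect-IPPSSession and
# Connect-ExchangeOnline sessions; names, durations and addresses are placeholders.

# 1. Organization-wide retention: keep mail and documents for 7 years (2555 days)
#    counted from creation, then delete. One policy covers Exchange, SharePoint
#    and OneDrive, which is the "email and shared docs" scope the page describes.
New-RetentionCompliancePolicy -Name "Org-7yr-Retain" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
    -Enabled $true

New-RetentionComplianceRule -Name "Org-7yr-Retain-Rule" `
    -Policy "Org-7yr-Retain" `
    -RetentionDuration 2555 `
    -RetentionComplianceAction KeepAndDelete `
    -ExpirationDateOption CreationAgeInDays

# 2. Legal hold on a custodian's mailbox once an inquiry arrives. Litigation hold
#    preserves items even if the user deletes or edits them; duration is in days.
Set-Mailbox -Identity "custodian@contoso.example" `
    -LitigationHoldEnabled $true `
    -LitigationHoldDuration 2555 `
    -LitigationHoldOwner "legal@contoso.example"

# 3. Verify the hold really took effect before reporting to counsel that it is in
#    place. LitigationHoldDate is stamped only when the hold is applied.
Get-Mailbox -Identity "custodian@contoso.example" |
    Select-Object DisplayName, LitigationHoldEnabled, LitigationHoldDate, LitigationHoldDuration
```

The verification step matters: a hold that was requested but never stamped on the mailbox gives no protection, and the eDiscovery search described later in this page only returns what was preserved.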

Data Loss Prevention

Data Loss Prevention is the catch-all term for preventing the loss of company data, whether to malicious actors, through inadvertent user error (e.g. sending a file to the wrong person cached in the Outlook To: field), or through a mistaken reply-all.

Microsoft doesn’t offer one specific DLP product, per se, but instead protects against data loss at multiple layers:

  • Locking down files with Azure Information Protection to keep users from sharing Personally Identifiable Information contained in documents
  • Enforcing access controls on critical data (e.g. SharePoint files) and systems (role-based access control)
  • Monitoring for and alerting on anomalous behavior (e.g. mass download from OneDrive), especially for users with access to monetizable data (financial account information, personally identifiable information (PII), payment cards, medical records)
  • Full disk encryption with BitLocker, which is on by default after Windows 8.1
  • Protecting against malware, the entry point for many command-and-control or keylogger attacks, using Advanced Threat Protection in Office 365
  • Protecting user devices from being the entry point via remote application wipe/control using Office 365 MDM or Intune MAM
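The first layer in the list above, keeping PII from leaving the organization, can also be enforced with a Compliance Center DLP policy. The following is an added example written for this page, not Microsoft's own sample and not the Azure Information Protection labelling the bullet names. It assumes a Connect-IPPSSession session and uses the built-in "U.S. Social Security Number (SSN)" sensitive information type; the policy and rule names are constructed placeholders.

```powershell
# Added example, not from the page. Assumes an existing Connect-IPPSSession
# session; policy/rule names are placeholders. Starts in test mode so the
# organization can see what would be blocked before enforcing.

# 1. Create the policy across email, SharePoint and OneDrive in test mode.
#    TestWithNotifications shows users the policy tip without blocking anything.
New-DlpCompliancePolicy -Name "PII-External-Sharing" `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
    -Mode TestWithNotifications

# 2. Rule: if content shared outside the organization contains at least one
#    SSN, block access, notify the owner and last editor, and raise a
#    high-severity incident report for the site admin.
New-DlpComplianceRule -Name "Block-SSN-External" `
    -Policy "PII-External-Sharing" `
    -ContentContainsSensitiveInformation @{Name="U.S. Social Security Number (SSN)"; minCount="1"} `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner, LastModifier `
    -GenerateIncidentReport SiteAdmin `
    -ReportSeverityLevel High

# 3. After reviewing test-mode reports for false positives, switch to enforcement.
Set-DlpCompliancePolicy -Identity "PII-External-Sharing" -Mode Enable

# 4. Confirm the policy and rule are in the expected state.
Get-DlpCompliancePolicy -Identity "PII-External-Sharing" | Select-Object Name, Mode, Enabled
Get-DlpComplianceRule -Policy "PII-External-Sharing" | Select-Object Name, BlockAccess, AccessScope
```

Starting in TestWithNotifications rather than Enable is the practitioner's safeguard against a rule that silently breaks legitimate business sharing on day one; the incident reports it produces are the evidence for tuning minCount or the sensitive information type before enforcing.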

In their unique interactive infographic about the anatomy of a breach, Microsoft outlines an intruder’s approach to infiltrating and extracting data, as well as some of the other Microsoft capabilities that protect, detect, and respond.

Are data breaches completely preventable?  No, but the impact can be minimized by employing all possible prevention techniques, along with monitoring and response tools.

Servers and Applications

Cloud App Security

37 minutes. That’s the average time it takes to decommission an employee’s access to corporate and SaaS applications after they resign or are terminated. What can a disgruntled employee do in 37 minutes? While IT is busy shutting down access to AD and a myriad of SaaS applications, the organization is at risk.

Using Azure Active Directory and its integration with 3300+ SaaS apps in the marketplace, organizations can immediately mitigate that risk. Once an ex-employee is decommissioned in AD, their credentials become invalid for both on-premises and SaaS applications. As a productivity bonus, users enjoy SSO to those SaaS apps instead of managing separate logins.

To understand which SaaS apps are in use, Cloud App Security is enabled to identify logins to SaaS portals. With the inventory of cloud apps in hand, IT can then configure Azure AD to pass credentials through to sanctioned SaaS apps and bring them under organizational control.

Once a user is configured for single sign-on to specific cloud apps, instead of logging in individually to several web portals, they log in once with their Active Directory account. Then, instead of going to the main homepage of the SaaS application, they go to a unique URL that takes them to the same app, already logged in. When the user leaves, the administrator simply decommissions the Active Directory account. When the user next attempts to log into that application, they are blocked, just as they are blocked from corporate data on-premises.
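The offboarding step described above, written out as an added example for this page (not Microsoft's own runbook), shows how to shrink the "37 minutes" when identity is federated through Azure AD. It assumes the on-premises ActiveDirectory RSAT module, the AzureAD PowerShell module with an existing Connect-AzureAD session, and Azure AD Connect directory synchronization; the user identifiers are constructed placeholders.

```powershell
# Added example, not from the page. Assumes ActiveDirectory and AzureAD modules
# and a Connect-AzureAD session; identifiers below are placeholders.
$Upn = "leaver@contoso.example"   # cloud user principal name (placeholder)
$Sam = "leaver"                   # on-premises sAMAccountName (placeholder)

# 1. On-premises: disable the account. This is the authoritative change for a
#    synced user; Azure AD Connect will carry it to the cloud on the next cycle.
Disable-ADAccount -Identity $Sam

# 2. Cloud: don't wait for the sync cycle. Disable sign-in on the cloud object
#    and revoke all refresh tokens, so SSO sessions to SaaS apps stop renewing.
$user = Get-AzureADUser -ObjectId $Upn
Set-AzureADUser -ObjectId $user.ObjectId -AccountEnabled $false
Revoke-AzureADUserAllRefreshToken -ObjectId $user.ObjectId

# 3. On the Azure AD Connect server, push a delta sync so the on-premises
#    disable arrives in the cloud now rather than at the scheduled interval.
#    Start-ADSyncSyncCycle -PolicyType Delta

# 4. Verify the cloud object is disabled before closing the ticket.
Get-AzureADUser -ObjectId $Upn | Select-Object UserPrincipalName, AccountEnabled
```

Two caveats a practitioner will want: revoking refresh tokens does not invalidate access tokens that were already issued, so a SaaS app session can survive until that token expires (typically up to an hour), and for a synced user the on-premises disable in step 1 is what must be correct, because directory sync will reconcile the cloud attribute to whatever the on-premises account says.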

Advanced Threat Protection

Successful attacks are not always due to user cluelessness. The main perpetrators are organized crime syndicates and state-affiliated actors, who put a lot of time into creating clever, legitimate-looking content.

To keep users’ PCs, laptops, smartphones, or bank accounts from being owned by ransomware or phishing attacks, consider turning on Office 365 Advanced Threat Protection. To date, it’s been the most widely deployed feature of Office 365’s E5 bundle, because it solves a real issue facing organizations. It’s also available for only $2/user/month a la carte.

Advanced Threat Protection uses Safe Attachments and Safe Links capabilities to provide another layer of security for users.

End users aren’t aware of threats and may unknowingly allow viruses or malware to attack their machines. An example of a well-meaning employee eagerly clicking their way into the hurt locker is a salesperson who is sent an email with an attached Word document. The email vaguely mentions an attached purchase order.

Programmed to process POs, the sales rep opens the attached file only to realize that they’ve installed a virus. Or maybe they don’t, and the virus silently installed a keylogger which captures their bank account data next time they enter it. Either way, they’re owned.
Exchange Online Protection does a good job quarantining and cleaning known viruses and malware from email. But if users are sent new, undetected malware that looks legitimate enough to open, how can the organization stay protected? Advanced Threat Protection (ATP) protects the user and organization at the time of the click, not just at the time of delivery.

Advanced Threat Protection uses machine learning and an advanced analysis and cleansing service to protect against unknown malware and viruses, providing better zero-day protection for email. All inbound email is sent through multiple filters. Messages showing characteristics of known exploits are blocked; messages showing characteristics of known-safe mail are delivered. If a message falls somewhere in the middle, it is subjected to the additional filtering of Advanced Threat Protection.

There are three common ways malware gets installed: emails with malicious attachments, websites serving drive-by downloads with each visit, and a hybrid of the two, emails with links to pages that perform drive-by installs.
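Since the page explains Safe Attachments and Safe Links conceptually but never shows them switched on, here is an added example for this page (not from the page or from Microsoft's documentation) of the Exchange Online PowerShell policy and rule pair for each. It assumes a Connect-ExchangeOnline session and a tenant domain of contoso.example (a placeholder). Parameter names for these cmdlets have changed across module versions (for instance -IsEnabled and -DoNotAllowClickThrough on Safe Links were later renamed), so check Get-Help New-SafeLinksPolicy against the installed module before running.

```powershell
# Added example, not from the page. Assumes a Connect-ExchangeOnline session;
# the domain and addresses are placeholders. Parameter names vary by module
# version; verify with Get-Help before use.

# Safe Attachments: unknown attachments are detonated in a sandbox before
# delivery. Block holds the whole message if the attachment turns out malicious,
# and a copy is redirected to the security team for analysis.
New-SafeAttachmentPolicy -Name "Default-SafeAttachments" `
    -Enable $true `
    -Action Block `
    -Redirect $true -RedirectAddress "secops@contoso.example"

New-SafeAttachmentRule -Name "Default-SafeAttachments-Rule" `
    -SafeAttachmentPolicy "Default-SafeAttachments" `
    -RecipientDomainIs "contoso.example"

# Safe Links: URLs are rewritten so the destination is checked at click time,
# which is what closes the "hybrid" case of a link that goes bad after delivery.
# TrackClicks keeps a record for incident response; blocking click-through stops
# users overriding a verdict.
New-SafeLinksPolicy -Name "Default-SafeLinks" `
    -IsEnabled $true `
    -ScanUrls $true `
    -TrackClicks $true `
    -DoNotAllowClickThrough $true

New-SafeLinksRule -Name "Default-SafeLinks-Rule" `
    -SafeLinksPolicy "Default-SafeLinks" `
    -RecipientDomainIs "contoso.example"

# Confirm both rules are enabled and scoped to the intended domain.
Get-SafeAttachmentRule | Select-Object Name, State, RecipientDomainIs
Get-SafeLinksRule      | Select-Object Name, State, RecipientDomainIs
```

The rule, not the policy, is what scopes protection to recipients: a policy with no rule attached protects nobody, which is the first thing to check when a "protected" user still receives a malicious attachment.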

Mobile Application Management

Typical Mobile Device Management systems have two main shortcomings, both of which are resolved by Mobile Application Management solutions. First, there are too many users (contractors, field workers, techs, BYOD users) for whom device enrollment isn’t feasible; MAM enables control without enrolling devices. Second, mobile device management lacks the granular control needed for governance at the app level.

MAM solutions address both issues and more by providing granular, application-level security. Applications can be secured without enforcing enrollment, and MAM solutions can properly manage devices that are more loosely controlled, such as those belonging to partners and agents.

Mobile Application Management (MAM) allows a business to:

  • Deliver and manage apps across a broad range of devices, including iOS, Android, Windows and Windows Phone all from a single management console
  • Simplify administration by deploying required apps automatically during enrollment and allowing users to easily install corporate apps from the self-service Company Portal
  • Help maximize productivity with the Office mobile apps your employees know and love while preventing the leakage of company data by restricting actions such as copy/cut/paste/save in your managed app ecosystem, and extend these capabilities to existing line-of-business apps
  • Deploy certificates, WiFi, VPN, and email profiles automatically once a device is enrolled, enabling users to seamlessly access corporate resources with the appropriate security configurations
  • Provide comprehensive settings management for mobile devices, including remote actions such as passcode reset, device lock, and data encryption
  • Remove corporate data and applications when a device is unenrolled, noncompliant, lost, stolen, or retired from use
  • Extend System Center Configuration Manager infrastructure through integration with Microsoft Intune to provide a consistent management experience across devices located on-premises and in the cloud

Advanced eDiscovery

Microsoft Advanced eDiscovery offers attorneys and IT pros better algorithms to pore through troves of data that usually come back in an electronic search.  For instance, an attorney might get 10,000 hits on a certain query, and manually try to pare that down with better keywords.  With Advanced eDiscovery, they can select a type of message that is similar to what they’re looking for, and then rerun the query and return a more accurate set of documents/messages to manually review.  This iterative process is more accurate and cost effective than keyword searches and manual review of vast quantities of documents.

This capability comes from Microsoft’s acquisition of Equivio, which applies machine learning to enable users to explore large, unstructured sets of data and quickly find what is relevant. It uses advanced text analytics to perform multi-dimensional analyses of data collections, intelligently sorting documents into themes, grouping near-duplicates, isolating unique data, and helping users quickly identify the documents they need. As part of this process, users train the system to identify documents relevant to a particular subject, such as a legal case or investigation.

Network and Devices

Enforce Enrollment, Access, and Application Controls Using Office 365 MDM or Intune

The benefits of employees accessing company information while mobile are undeniable. So too is the risk of insecure remote access. ActiveSync Remote Device Wipe has been adequate for many organizations, but as data beyond email is accessed, Microsoft offers methods that solve the problem in layers.

Microsoft provides MDM solutions in Office 365 and/or Intune. With Office 365, the essentials are included with any E3 or E5 plan. Intune steps up the granularity of control and enables devices to be managed without actually enrolling them.

With Office 365 MDM, administrators can completely wipe a device (back to factory defaults) or selectively wipe only the data and apps that have been published by the organization. With Intune, the latter can be done without even enrolling the device.
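The full-versus-selective wipe distinction above also exists at the ActiveSync layer the page mentioned earlier, and that layer is scriptable from Exchange Online PowerShell. The following is an added example for this page, not Microsoft's own sample; it assumes a Connect-ExchangeOnline session, and the mailbox address and DeviceId are constructed placeholders.

```powershell
# Added example, not from the page. Assumes a Connect-ExchangeOnline session;
# mailbox and DeviceId values are placeholders.
$Mailbox  = "user@contoso.example"
$DeviceId = "DEVICEID-PLACEHOLDER"

# 1. Inventory the devices that have an ActiveSync partnership with the mailbox,
#    so the right one is wiped and not a colleague's or the user's new phone.
Get-MobileDevice -Mailbox $Mailbox |
    Select-Object FriendlyName, DeviceType, DeviceOS, DeviceId, FirstSyncTime

$device = Get-MobileDevice -Mailbox $Mailbox |
    Where-Object { $_.DeviceId -eq $DeviceId }

# 2. Selective wipe: -AccountOnly removes only the organization's mailbox data
#    and leaves personal photos, apps and other accounts on a BYOD device intact.
Clear-MobileDevice -Identity $device.Identity -AccountOnly `
    -NotificationEmailAddresses "servicedesk@contoso.example"

# 3. Full wipe (factory reset): the same cmdlet without -AccountOnly erases the
#    entire device. Reserve it for corporate-owned hardware.
#    Clear-MobileDevice -Identity $device.Identity

# 4. The wipe executes on the device's next sync. Confirm it was requested, sent
#    and acknowledged; an unacknowledged wipe means the device has not checked in.
Get-MobileDeviceStatistics -Mailbox $Mailbox |
    Where-Object { $_.DeviceId -eq $DeviceId } |
    Select-Object DeviceFriendlyName, DeviceWipeRequestTime, DeviceWipeSentTime, DeviceWipeAckTime
```

The acknowledgement check in step 4 is the part incident responders care about: until DeviceWipeAckTime is populated, the lost device still holds the data, and that gap is the argument for the MDM and MAM layers described in this section rather than ActiveSync wipe alone.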

Below are the main differences between MDM for Office 365 and Microsoft Intune:

1. Cost

For MDM for Office 365, the cost is included in Office 365 commercial subscriptions (Business, Enterprise, EDU and Government), while Microsoft Intune is a paid subscription (single $6 per user per month, or with the Enterprise Mobility Suite $7 to $12 per month).

2. Device Management

MDM for Office 365 manages devices through the Office 365 admin center while Microsoft Intune manages devices through the Microsoft Intune Cloud console or the System Center Configuration Manager console.

3. Supported devices

MDM for Office 365 supports iOS, Android and Windows Phone, while Microsoft Intune supports iOS, Android, Windows Phone and Windows.

4. Capabilities

MDM for Office 365 is limited to the following: conditional access, device management, and selective wipe. Microsoft Intune includes all of the MDM for Office 365 capabilities, plus the following: advanced mobile device management, mobile application management, and PC management.

Windows Defender Antivirus

Keep your PC safe with trusted antivirus protection built into Windows 10. Windows Defender Antivirus delivers comprehensive, ongoing, real-time protection against software threats like viruses, malware and spyware across email, apps, the cloud and the web.

Nothing to install

Complete, built-in and ongoing protection. Standard, nothing to buy. There’s nothing to install. No configuration, no subscriptions, and no nagware.

Why you should choose Velvot for Digital Transformation

Trusted adviser

Engagement with your customers and customer experience team to transform your business by guiding strategy, enhancing your value chain, and driving innovation

Custom solutions

Certified to develop bespoke solutions in Microsoft, Amazon and Google to fulfill your unique and specific business requirements

Digital partners

We have the expertise and proven experience in digital transformation, application integration and development capabilities that stretch across the leading global enterprise application vendors: Microsoft, Amazon and Google.

Industry leader

Technology-attached services coupled with full management support of your environment, under a single contract from a single service provider.