Microsoft Cloud Security Approach & Architecture

During your plan to implement the modern workplace (a.k.a Digital Workplace), it is so important to have a solid vision and road-map about how to think of mobility and security. Having a clear cloud security approach from the beginning is a key thing and should be communicated internally within the IT, security and key stakeholders inside your company.

While Microsoft can provide you with top productivity solution as a SaaS offering (which is Office 365), you need to think about how to deliver productivity across devices, and at the same time, maintain security measures. Microsoft has a great offering named (Enterprise Security and Mobility) that can help here.

As a consultant, I saw many companies trying to move to the cloud and adopt a SaaS approach when possible. During this transformation, companies might choose to go to Office 365 to elevate their productivity inside the company, empowering people to work from anywhere, and allow employees to use personal devices. What is missing her is how IT can keep up with all these continuously changing and complex requirements, while maintaining control and security measures.

Take a pause, and envision the future

It all starts from my perspective, by a small pause, where you can look at the big picture, understand what is happening in your company, embrace change, and come up with a road-map and clear vision. A road-map is usually envisioning where you want to be in 3-5 years in terms of security, manageability and mobility, taking into consideration, your business direction to move to the cloud and use more SaaS applications.

Make sure your IT security, information security, CTO, CDO CIO and all relevant stakeholders, are in sync when it comes to the big picture and the road-map. They do not need to know the details, but you should communicate with them your vision of security and mobility in a cloud first world.

Design Factors

During the design for your road-map, i would suggest you put couple of design factors, so that you can have a criteria when you choose a technology or a solution. I usually use the below design factors.

This helps a lot indeed, so if you want to implement an email security solution, and you have two proposed technologies, one requires a hardware box to be implemented on-premises, and one is offered completely as a SaaS, then by looking at the below design factors, we can see that (simplify Infrastructure) and (SaaS First) design factors will help us decide on the cloud solution.

Another key design factor that will help you during your vision and architecture exercise is the principle of (integration over preference). A good example would be to use Microsoft Office 365 Advance Threat Protection ATP to protect your emails from zero day attacks, instead of purchasing this service from a third party, in case your mailboxes are hosted in Office 365. The reason behind this, is that you will get a lot of integration and capabilities that otherwise would be hard to get from any third party.

Recently, I was evaluating Microsoft Cloud App Security (CAS), and I was so impressed by the integration it provides when it comes to Office 365 services. Microsoft CAS is deeply integrated with Azure Information Protection, your Office 365 tenant, and with Azure AD. Not only you can detect anomalies and have a full investigation dashboard for all your office 365 workloads, you can actually trigger an action from within CAS portal, like disabling an external share link, label the document with Azure AIP, or even suspend the user who is doing suspicious activities. It is hard for any other vendor to provide such deep integration from the same angel.

Another design factor that I would like to discuss is the concept of SaaS first, then PaaS then IaaS. SaaS will give you the lowest administrative work, and you just focus on configuring the service and getting values so quickly. Whenever you have two solutions and one of them is SaaS, just give that a higher ranking in your mind before deciding which technology to go for if they both are similar in functionalities and expected added value.

Solution Areas

Whenever I think of the modern workplace, I always think of five main solution areas:

• Productivity and Voice.
• Devices.
• Identity.
• Security.
• Culture and adoption

For each solution area, you need to spend some time creating your own road-map and vision. For example, in the productivity areas, what are the business scenarios and behavioral changes you are looking for, and what technologies you might need in place for that. This will give you more clear idea about what technologies to onboard and projects to initiative.

For identity, devices and security, I think they are all related somehow. More about this to be discussed later.

 

Simple way to think about security and mobility

It is hard in one blog post to talk about drafting a vision for security and mobility, so I will just give a simple example here. Contoso are using Microsoft Office 365 productivity tools, and they are now they are thinking about how to provide security and mobility support for Office 365 data. When they planned for an anti-malware solution for their email, they went for Microsoft Advanced Threat Protection, as one of the design patterned is (Integration over preference), and it would make sense to go with Microsoft solution for better integration.

Contoso are also planning to adopt a SaaS model for their business applications, and they have a big need to provide single sign on capabilities and MFA for couple of workloads.  They recognized that they need to provide a solid identity services using Azure Active Directory Premium tier. They immediately start investing in positioning Azure AD as the source of SSO connections for all current and future services. They also made it clear that any MFA requirement should be handled by Azure AD as the unified solution for MFA inside the company. Any application that requires an MFA shall integrate with Azure AD first.

For mobility, Contoso is heavily investing in Microsoft Intune, as it helped them enroll devices that the company own, and personal devices using MAM policies. Intune also helped in enrolling Windows 10 devices for remote workers with the Azure domain join functionality.

For data protection and DLP, Contoso is heavily investing in Office 365 DLP and Azure Information Protection, to prevent leakage and protect documents at the data level.

Contoso is trying to provide a defense in depth approach for their cloud workloads at the following levels:

• Identity
• Device
• Applications (SaaS) | Shadow IT
• Data

The new firewall concept in the cloud is well known as (Identity Driven Security) and it is implemented inside Microsoft Azure using Azure Active Directory (Conditional Access, Identity Protection “Risk Based Score”). The below diagram summarize the full defense in depth mechanism.

 

 

Final Thoughts

Microsoft also provides an advanced security features in their EMS E5 tier like :

• Azure AD Premium P2 ( Identity Protection).
• Cloud App Security ( Shadow IT, CAS-B , Office 365 Advance Security).
• Azure Information Protection AIP  : Automatic Data Classification.

On the device side, Windows 10 E5 also provides a high end security EDR solution called Windows 10 Advance Threat Protection that deeply integrates with Office 365 ATP solution. More on that can be found here.

The whole picture from Infrastructure and solution perspective can be imagined in the below diagram:

 

Download the Poster

You can download the high definition poster from here.

 

MICROSOFT 365 ADVANCED THREAT PROTECTION VIDEO

Here is a video I published on my YouTube channel. It is about “How to secure your modern workplace with Microsoft Advanced Threat Protection”. Please subscribe to the channel to get updates on my new videos.

“I will introduce you to Microsoft 365’s threat protection services and demonstrate how Microsoft 365’s threat protection leverages strength of signal, integration, machine learning and AI to help secure the modern workplace from a advanced persistent threats or APT.”