As a customer moving to cloud services such as Microsoft 365 and Microsoft Azure, one of the foremost items on your list is the question “how do we secure cloud services the way we secure on-premises computing services?” Some of the first conversations or thoughts are about how to secure the clients and their access to Office 365/Microsoft 365/Azure.
Moving the Security Boundary
The initial thinking for most customers is “secure the perimeter”. This is the older school of thought. The old way of using the corporate network perimeter as your security boundary does not hold up in today’s world of anywhere, anytime, any-device access. The value and power of cloud services such as Microsoft 365 and Azure is the ability to enable and empower your users by letting them work when and where best suits their productivity. Today’s biggest challenge is providing this capability to your end users while protecting the security and integrity of corporate data.
Securing new cloud services cannot be done using old network security boundary tools such as proxies and firewalls. Having worked with many customers in the recent past, their first inclination is to have remote users connect over VPN and to force all user-based cloud connections through the corporate network, so they can control and inspect the traffic with their current on-premises network security stack. This hair-pinning negates the advantage of letting remote users connect directly to cloud services and relieving network traffic on the corporate infrastructure. This solution does not scale well and almost always results in a poor user experience.
Today’s focus should be identity, device, and service security. Microsoft has been building and acquiring various solutions in the security space for numerous years, and they now have solutions that will secure cloud services focusing on these areas of identity, device, and service security.
What Does Microsoft Have to Offer?
Microsoft has various security solutions. These solutions are well integrated, provide a better “single pane of glass” view, and integrate better with cloud services than on-premises/3rd party solutions. Microsoft is arguably providing some of the best-in-breed security services. These services cover all aspects of identity, device, and service security. The following is a list of Microsoft security services for which Perficient can provide assessment, guidance, and deployment assistance:
- Microsoft Cloud App Security (MCAS) – shadow IT assessment and policy enforcement service. This service provides the ability to understand and control where data may be leaking in cloud service applications.
- Microsoft Defender Advanced Threat Protection (ATP) – provides enhanced endpoint protection for Windows devices. Includes integration with MCAS to provide assessment, control, and access policies for authorized/unauthorized applications.
- Microsoft Intune – a cloud-based enterprise mobility management tool that helps organizations manage their mobile devices and the business information and applications on them. This includes Windows 10, Android, and iOS devices.
- Microsoft Information Protection (formerly Azure Information Protection) – discover, classify, label, and protect your sensitive data. Track and manage access wherever documents travel.
- Office 365 Data Loss Prevention (DLP) – protect your organization from data leakage. Tools provide auditing and restriction of data access based on the organization’s needs for sensitive data types. DLP is integrated with all areas of Microsoft 365 including Exchange Online, SharePoint Online, OneDrive for Business, and Microsoft Teams.
- Azure Conditional Access – security policies that determine how users can access the Microsoft cloud services. These policies can take into account where the user is, what device they are on, and which application they are accessing.
- Azure Application Access – provides single sign-on (SSO) to SaaS and custom applications using Azure Active Directory.
- Azure App Proxy – provides single sign-on (SSO) and access to legacy on-premises applications without using VPN.
- Azure Advanced Threat Protection (ATP) – provides monitoring and management of abnormal and suspicious user activity, alerting your security team to investigate. This includes hybrid identity services integrated with on-premises Active Directory.
- Azure Privileged Identity Management (PIM) – provides the capability to limit static administrator accounts, discover privileged access, and review access. This includes Azure AD, Azure resources, and other Microsoft Online Services.
This is a pretty exhaustive list of the security and access tools that Microsoft provides at various license levels. As you can see, Microsoft has been working hard to provide tools that protect your corporate data. If you have questions or need help deploying any of the services mentioned in this article, please connect with us to learn how Perficient can help you or your organization maximize these tools and solutions.