Jay Ferron. CEHi, CISSP, CHFIi, C)PTEi, CISM, CRISC, CVEi, MCITP, MCSE, MCT, MVP, NSA-IAM blog.mir.

Size: px

Start display at page:

Download "Jay Ferron. CEHi, CISSP, CHFIi, C)PTEi, CISM, CRISC, CVEi, MCITP, MCSE, MCT, MVP, NSA-IAM blog.mir."

Claire Lambert
5 years ago
Views:

1 Jay Ferron CEHi, CISSP, CHFIi, C)PTEi, CISM, CRISC, CVEi, MCITP, MCSE, MCT, MVP, NSA-IAM blog.mir.net

2 A comprehensive identity and access management cloud solution for your employees, partners, and customers. It combines directory services, advanced identity governance, application access management, and a rich standards-based platform for developers. B2E B2B B2C

3 Product Features Product Features Azure Active Directory Premium Self-service password reset to reduce helpdesk calls Multi-factor authentication options for greater security Group-based provisioning and single sign-on for thousands of SaaS apps Machine learning-driven security reports for visibility and threat management Robust sync capabilities across cloud and on-premises directories Microsoft Intune Mobile application management across devices Broad device support for ios, Android, Windows and Windows Phone devices Selective wipe of apps and data for greater security Use of System Center Configuration Manager and Endpoint Protection** Microsoft Intune Mobile application management across devices Broad device support for ios, Android, Windows and Windows Phone devices Selective wipe of apps and data for greater security Use of System Center Configuration Manager and Endpoint Protection** Azure Rights Management Information protection from the cloud or in a hybrid model with your existing on-premises infrastructure Integration into your native applications with an easy-to-use SDK Windows Server Active Directory Rights Management Server CAL use rights** Microsoft Advanced Threat Analytics*** Behavioural analytics for advanced threat detection Detection for known malicious attacks and security issues Simple, actionable feed for the suspicious activity alerts and the recommendations Integration with your existing Security Information and Event Management (SIEM) systems Windows Server CAL Windows Server CAL use rights**

4 Azure Active Directory Free Azure Active Directory Basic Azure Active Directory Premium Office 365 apps only Common features Directory objects 1 500,000 object limit No object limit No object limit No object limit for Office 365 user accounts User/group management (add/update/delete)/userbased provisioning, device registration Yes Yes Yes Yes Single Sign-On (SSO) 10 apps per user 2 (preintegrated SaaS and developer-integrated apps) 10 apps per user 2 (free tier + Application proxy apps) No limit (free, Basic tiers + Self-Service App Integration templates 4 ) 10 apps per user 2 (preintegrated SaaS and developer-integrated apps) Self-service password change for cloud users Yes Yes Yes Yes Connect (sync engine that extends on-premises directories to Azure Active Directory) Yes Yes Yes Yes Security/usage reports Basic reports Basic reports Advanced reports Basic reports

5 Azure Active Directory Free Azure Active Directory Basic Azure Active Directory Premium Office 365 apps only Premium + Basic features Group-based access management/provisioning Yes Yes Self-service password reset for cloud users Yes Yes Yes Company branding (logon pages/access panel customisation) Yes Yes Yes Application proxy Yes Yes SLA 99.9% Yes Yes Yes

6 Azure Active Directory Free Azure Active Directory Basic Azure Active Directory Premium Office 365 apps only Premium features Self-Service Group and app Management/Self-Service application additions/ Dynamic Groups Yes Self-service password reset/change/unlock with onpremises write-back Yes Multi-factor authentication (cloud and on-premises (MFA server)) Yes Limited cloud-only for Office 365 Apps MIM CAL + MIM Server 3 Yes Cloud app discovery Yes Connect Health Yes Conditional Access based on group and location (Preview) Yes Conditional Access based on device state (allow access from managed devices) Yes + Intune license

Azure Active Directory Free Azure Active Directory Basic Azure Active Directory Premium Office 365 apps only Windows 10 + Azure AD Join related features Windows 10 + Azure AD Join related features

7 Azure Active Directory Free Azure Active Directory Basic Azure Active Directory Premium Office 365 apps only Windows 10 + Azure AD Join related features Windows 10 + Azure AD Join related features Join a Windows 10 device to Azure AD, Desktop SSO, Microsoft Passport for Azure AD, Administrator Bitlocker recovery MDM autoenrollment, Selfservice Bitlocker recovery, additional local administrators to Windows 10 devices via Azure AD Join, Enterprise State Roaming Yes Yes Yes Yes Yes

8 The current reality

9 Identity as the core of enterprise mobility Windows Server Active Directory Simple connection Other directories Self-service Single sign-on Azure SaaS Public cloud On-premises Microsoft Azure Active Directory Cloud

10 Microsoft s Identity Management as a Service (IDaaS) for organizations. Millions of independent identity systems controlled by enterprise and government tenants. 86% of Fortune 500 companies use Microsoft Cloud (Azure, O365, CRM Online, and PowerBI) Azure AD Directories >9 M More than 600 M user accounts on Azure AD Information is owned and used by the controlling organization not by Microsoft. Born-as-a-cloud directory for Office 365. Extended to manage across many clouds. Evolved to manage an organization s relationships with its customers/citizens and partners (B2C and B2B). 1 trillion Azure AD authentications since the release of the service >80k third-party applications used with Azure AD each month >1.3 billion authentications every day on Azure AD Every Office 365 and Microsoft Azure customer uses Azure Active Directory

11 Azure Active Directory. Identity at the core of your business 1000s of apps, 1 identity Enable business without borders Manage access at scale Cloud-powered protection Provide one persona to the workforce for SSO to 1000s of cloud and on-premises apps Stay productive with universal access to every app and collaboration capability Manage identities and access at scale in the cloud and on-premises Ensure user and admin accountability with better security and governance

12 1000s OF APPS, 1 IDENTITY Connect and sync on-premises directories with Azure Active Directory HR apps * Azure Active Directory Connect and Connect Health MIM * PowerShell SQL (ODBC) LDAP v3 Web Services ( SOAP, JAVA, REST) Microsoft Azure Active Directory OTHER DIRECTORIES

13 1000s OF APPS, 1 IDENTITY OTHER DIRECTORIES Microsoft Azure Connect and sync on-premises directories with Azure pre-integrated popular SaaS apps and self-service integration via templates Easily publish on-premises web apps via Application Proxy + custom apps SaaS apps Web apps (Azure Active Directory Application Proxy) Integrated custom apps

15 Create a user on premises Force Sync Check logs eventviewer + Azure AD Sync Get-MSOLUser

1000s OF APPS, 1 IDENTITY A mobile authenticator

existing Azure Authenticator and all consumer

MFA for any account, enterprise or consumer and 3rd

(workplace join) SSO to native mobile apps -

16 1000s OF APPS, 1 IDENTITY A mobile authenticator application for all platforms Converges the existing Azure Authenticator and all consumer Authenticator applications. MFA for any account, enterprise or consumer and 3rd party : Push Notifications/OTP Device Registration (workplace join) SSO to native mobile apps - Certificate-based SSO Future: Sign in to a device (Windows Hello), app, or website without a password

17 1000s OF APPS, 1 IDENTITY Your domain controller as a service for lift-and-shift scenarios Azure Lift-and-shift on-premises apps to Azure IaaS Your virtual network Your Azure IaaS workloads/apps Azure AD Domain Services Kerberos NTLM LDAP Group Policy Azure Active Directory Azure AD Connect Windows Server Active Directory On-premises

18 ENABLE BUSINESS WITHOUT BORDERS Company-branded, personalized application Access Panel: + ios and Android Mobile Apps Integrated Office 365 app launching Manage your account, apps, and groups Self-service password reset Application access requests

19 Users Groups Applications Domains Directory Integration Configure Reports Licenses

20 ENABLE BUSINESS WITHOUT BORDERS Azure Active Directory Join makes it possible to connect work-owned Windows 10 devices to your company s Azure Active Directory Enterprise State Roaming Enterprise-compliant services SSO from the desktop to cloud and on-premises applications with no VPN MDM auto-enrollment Windows 10 Azure AD joined devices Intune/MDM auto-enrollment Support for hybrid environments

ENABLE BUSINESS WITHOUT BORDERS Consumer identity and access management in the cloud Cross-platform Identity management for consumers Superior economics Identity experience engine By using Azure

21 ENABLE BUSINESS WITHOUT BORDERS Consumer identity and access management in the cloud Cross-platform Identity management for consumers Superior economics Identity experience engine By using Azure Active Directory B2C we were able to build a fully customized login page without having to build custom code. Additionally, with a Microsoft solution in place, we alleviated all our concerns about security, data breaches, and scalability." - Rafael de los Santos, Head of Digital, Real Madrid

ENABLE BUSINESS WITHOUT BORDERS Share without complex configuration or duplicate users Partners use their own credentials to access your org Users lose access when leaving the partner org No external

22 ENABLE BUSINESS WITHOUT BORDERS Share without complex configuration or duplicate users Partners use their own credentials to access your org Users lose access when leaving the partner org No external directories No per partner federation You manage access You control partner access in your directory: app assignment group membership custom attributes Partners of all sizes Bulk invite 1000s at a time Partners with Azure Active Directory sign in to accept invite Other partners simply sign up to accept invite partners We needed to quickly and cost effectively stand up new IT infrastructure, including extranet applications for thousands of business partners. Azure Active Directory B2B collaboration provides a simple and secure way for partners, large and small, to use their own credentials to access Kodak Alaris systems.

23 ENABLE BUSINESS WITHOUT BORDERS Partner

24 ENABLE BUSINESS WITHOUT BORDERS Partners manage their own credentials Organizations manage access Partners of all sizes Partners use their own credentials to access your org Users lose access when they leave the partner org No external directories No per-partner federation You control partner access in your directory: app assignment group membership custom attributes Thousands of bulk invites at a time Partners with Azure Active Directory sign in to accept invite Other partners simply sign up to accept invite

MANAGE ACCESS AT SCALE Comprehensive identity and access management console Centralized access administration for pre-integrated SaaS apps and other cloud-based apps Dynamic groups, device

25 MANAGE ACCESS AT SCALE Comprehensive identity and access management console Centralized access administration for pre-integrated SaaS apps and other cloud-based apps Dynamic groups, device registration, secure business processes with advanced access management capabilities IT professional We want to ensure that we re keeping our operating costs as low as possible to help the business grow. With the help of Azure Active Directory Premium, I m managing double the number of SaaS applications with the same size team.

Monitor: The Azure AD Connect sync engine

26 MANAGE ACCESS AT SCALE Monitor and gain insights into the identity infrastructure used to extend on-premises identities to Azure Active Directory and Office 365. Monitor: The Azure AD Connect sync engine health ADFS infrastructure health On-premises AD Domain Services health

We benefit from its experience in securing millions of users across its cloud assets, from Outlook.

29 Cloud-powered protection Compliance reporting X R Ensure accountability with better security and governance Conditional access to resources "Microsoft is consistently and constantly looking out for us from a security perspective. We benefit from its experience in securing millions of users across its cloud assets, from Outlook.com to Xbox Live to Office 365 and Azure. Microsoft is a silent partner on our security team. - Will Lamb, Infrastructure Coordinator, Whole Foods Market Protect against advanced threats Mitigate administrative risks

CLOUD-POWERED PROTECTION Conditions Actions User User, App sensitivity Device state Location Risk Allow access or Enforce MFA per user/per app

30 CLOUD-POWERED PROTECTION Conditions Actions User User, App sensitivity Device state Location Risk Allow access or Enforce MFA per user/per app Block access MFA IDENTITY PROTECTION NOTIFICATIONS, ANALYSIS, REMEDIATION, RISK-BASED POLICIES CLOUD APP DISCOVERY PRIVILEGED IDENTITY MANAGEMENT

Suspicious signin activities Risk-based policies MFA Challenge Risky Logins Risk severity calculation Risk-based conditional

31 CLOUD-POWERED PROTECTION Identity Protection at its best Gain insights from a consolidated view of machine learning based threat detection Remediation recommendations Infected devices Brute force attacks Configuration vulnerabilities Leaked credentials Suspicious signin activities Risk-based policies MFA Challenge Risky Logins Risk severity calculation Risk-based conditional access automatically protects against suspicious logins and compromised credentials Machine-Learning Engine Change bad credentials Block attacks

32 CLOUD-POWERED PROTECTION Use the power of Identity Protection in PowerBI, SIEM and other monitoring tools Infected devices Brute force attacks Configuration vulnerabilities Leaked credentials Suspicious signin activities Notifications Security/Monitoring/Reporting Solutions Data Extracts/Downloads Reporting APIs Microsoft machine - learning engine Apply Microsoft learnings to your existing security tools

visibility through alerts, audit reports and access reviews Global Administrator

35 CLOUD-POWERED PROTECTION Discover, restrict, and monitor privileged identities Enforce on-demand, just-in-time administrative access when needed Provides more visibility through alerts, audit reports and access reviews Global Administrator Billing Administrator Exchange Administrator User Administrator Password Administrator

36 CLOUD-POWERED PROTECTION How time-limited activation of privileged roles works SECURITY ADMIN Users need to activate their privileges to perform a task ALERT MFA is enforced during the activation process Configure Privileged Identity Management Alerts inform administrators about out-of-band changes Users will retain their privileges for a preconfigured amount of time Security admins can discover all privileged identities, view audit reports and review everyone who has is eligible to activate via access reviews USER Identity verification MFA ADMIN PROFILES Billing Admin Global Admin Read only Service Admin Monitor Audit Access reports PRIVILEGED IDENTITY MANAGEMENT

37 CLOUD-POWERED PROTECTION Reduces exposure to attacks targeting admins Simplifies delegation Increases visibility and finer-grained control Removes unneeded permanent admin role assignments Limits the time a user has admin privileges Ensures MFA validation prior to admin role activation Separates role administration from other tasks Adds roles for read-only views of reports and history Asks users to review and justify continued need for admin role Enables least privilege role assignments Alerts on users who haven t used their role assignments Simplifies reporting on admin activity

DETECT ATTACKS BEFORE THEY CAUSE DAMAGE An on-premises platform to identify advanced security attacks and insider threats before they cause damage Behavioral Analytics

38 DETECT ATTACKS BEFORE THEY CAUSE DAMAGE An on-premises platform to identify advanced security attacks and insider threats before they cause damage Behavioral Analytics Detection of advanced attacks and security risks Advanced Threat Detection Microsoft Advanced Threat Analytics brings the behavioral analytics concept to IT and the organization s users.

39 Discovery Gain complete visibility and context for cloud usage and shadow IT no agents required Data control Shape your cloud environment with granular controls and policy setting for access, data sharing, and DLP Threat protection Identify high-risk usage and security incidents, detect abnormal user behavior, and prevent threats Integrate with existing security, mobility, and encryption solutions

40 Extend enterprise-grade security to your cloud and SaaS apps Microsoft Cloud App Security Intune Azure Active Directory Identity Protection Manage identity with hybrid integration to protect application access from identity attacks Protect your data, everywhere Azure Rights Management and Secure Islands Protect your users, devices, and apps Detect problems early with visibility and threat analytics Advanced Threat Analytics

41 FastTrack for EMS: Deploy it Right Now included with all EMS services Microsoft FastTrack for Enterprise Mobility Suite provides remote deployment assistance for Azure Active Directory Premium, Intune, and Azure Rights Management Premium. Azure Active Directory Premium Microsoft Intune Azure Rights Management Premium FastTrack will: Get organizational identities to the cloud Set up single sign-on for test apps (including Azure Active Directory Application Proxy apps) Configure self-service options like password reset and Azure Multi-Factor Authentication in the MyApps site FastTrack will: Set up users and groups Enable management of test devices Optionally connect on-premises Microsoft System Center Configuration Manager to Intune for a single pane management experience FastTrack will: Retain control of sensitive documents locally and over Automatically protect mail containing privileged information Ensure files stored in SharePoint are rights protected

42 1000s OF APPS, 1 IDENTITY Identity synchronization with password (hash) sync Microsoft Azure Active Directory User attributes are synchronized using identity synchronization services, including a password hash; authentication is completed against Azure Active Directory Identity synchronization Microsoft Azure Active Directory User attributes are synchronized using identity synchronization tools; authentication is passed back through federation and completed against Windows Server Active Directory ADFS

43 Corporate network DMZ 1000s OF APPS, 1 IDENTITY Microsoft Azure Active Directory A connector that auto-connects to the cloud service contoso.msappproxy.net/ Application Proxy Multiple connectors can be deployed for redundancy, scale, multiple sites, and different resources Connectors are deployed usually on corpnet next to resources Users connect to the cloud service that routes their traffic to resources via the connectors

44 1000s OF APPS, 1 IDENTITY

CLOUD-POWERED PROTECTION as many Cloud apps are in use than IT estimates Discover all SaaS apps in use within your organization Microsoft Azure

45 CLOUD-POWERED PROTECTION as many Cloud apps are in use than IT estimates Discover all SaaS apps in use within your organization Microsoft Azure Active Directory Cloud app discovery Comprehensive reporting SaaS app category Number of users Utilization volume Source: Help Net Security 2014

46 CLOUD-POWERED PROTECTION X X X X X Built-in security features XXXXX Security reporting that tracks inconsistent access patterns, analytics, and alerts Reporting API X X X X X Step up to Multi-Factor Authentication

CLOUD-POWERED PROTECTION A standalone Azure identity and access management service, also included in Azure Active Directory Premium Prevents unauthorized access to both

47 CLOUD-POWERED PROTECTION A standalone Azure identity and access management service, also included in Azure Active Directory Premium Prevents unauthorized access to both on-premises and cloud applications by providing an additional level of authentication Trusted by thousands of enterprises to authenticate employee, customer, and partner access

48 CLOUD-POWERED PROTECTION Mobile apps Phone calls Text messages

49 CLOUD-POWERED PROTECTION MFA for Office 365/Azure Administrators Azure Multi-Factor Authentication Administrators can enable/enforce MFA to end users Yes Yes Use mobile app (online and OTP) as second authentication factor Yes Yes Use phone call as second authentication factor Yes Yes Use SMS as second authentication factor Yes Yes Application passwords for non-browser clients (e.g., Outlook, Lync) Yes Yes Default Microsoft greetings during authentication phone calls Yes Yes Suspend MFA from known devices Yes Yes Custom greetings during authentication phone calls Fraud alert MFA SDK Security reports MFA for on-premises applications/ MFA server One-time bypass Block/Unblock users Customizable caller ID for authentication phone calls Event confirmation Trusted IPs Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes

50 DETECT ATTACKS BEFORE THEY CAUSE DAMAGE 1 Analyze Learn 2 Detect 3 ATA Analyzes all Active Directory-related traffic and collects relevant events from SIEM ATA automatically learns all entities behaviors ATA Builds the organizational security graph, detects abnormal behavior, protocol attacks and weaknesses and constructs an attack timeline

51 World of devices

52 EMPOWER USERS

53 HR system VS. Microsoft Azure Active Directory LDAP Windows Server Active Directory Finance User identities from multiple repositories LDAP v3 Hybrid identity Oracle DB Web apps Windows PowerShell Windows Server Active Directory Web services (SOAP, Java, REST) Generic SQL via ODBC

54 Cloud-ready identities Automatic preparation of Active Directory identities for synchronization with Azure Active Directory Powerful user self-service Password reset with Azure Multi- Factor Authentication Dynamic groups with approvals and redesigned certificate management Enhanced security Hybrid reporting and privileged access management to protect administrator accounts Support for new security protocols

55 Cloud-ready identities Powerful user self-service Enhanced security Standardized Active Directory attributes and values Partitioned identities for synchronization to the cloud Easier-to-deploy reporting connected to Azure Active Directory Preparation of user profiles for Microsoft Office 365 Self-service password reset with Multi- Factor Authentication New REST-based APIs for AuthN/AuthZ Self-service account unlock Certificate management support for multiforest and modern apps Privileged user and account discovery New Windows PowerShell support and REST-based API Workflow management: elevated just-intime administrator access Reporting and auditing specific to privileged access management

56 Jay Ferron CEHi, CISSP, CHFIi, C)PTEi, CISM, CRISC, CVEi, MCITP, MCSE, MCT, MVP, NSA-IAM blog.mir.net

News and Updates June 1, 2017

Microsoft Azure News and Updates June 1, 2017 Azure Backup for Windows Server System State Modern Backup Storage with Azure Backup Server v2 vcenter/esxi 6.5 support for Azure Backup Server Larger Disk