SAAM2291BE Securing Access and Protecting Information in Office 365 with Workspace ONE
Camilo Lotero, Senior Technical Marketing Manager
Adarsh Kesari, Senior Systems Engineer
#VMworld #SAAM2291BE
Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitment from VMware to deliver these features in any generally available product. Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind. Technical feasibility and market demand will affect final delivery. Pricing and packaging for any new technologies or features discussed or presented have not been determined. #SAAM2291BU CONFIDENTIAL 2
Securing Access and Protecting Information in Office 365 with Workspace ONE
1. Data Loss Prevention
2. Simplified Authentication
3. Conditional Access
4. Securing Productivity Apps
340M Downloads of Office Mobile Applications (Source: Microsoft, 2016)
Four Pillars of Office 365 Security (Workspace ONE + Office 365)
Data Loss Prevention: at rest, in use, in transit, on any device
Simplified Authentication: no passwords (SSO); control modern and legacy auth; consumer-simple MFA
Conditional Access: block unapproved access; email compliance
Securing Productivity Apps: email, content, browsing
Data Loss Prevention
A New Level of Data Security
At rest: passcode protection, device encryption
In use: containerization, DLP policies, enterprise wipe, MAM co-existence
In transit: SSL encryption, app-level VPN
Prevent Data Loss Using Native Platform Controls
Managed App container; Open-in controls; Device passcode and Touch ID
Android for Work container; Copy/Paste controls; Device passcode
Windows Information Protection; Passport for Work and Windows Hello
Available Data Loss Prevention Policies
Prevent Backup
Allow Apps to Transfer Data to Other Apps
Allow Apps to Receive Data from Other Apps
Prevent Save As
Restrict Cut/Copy/Paste with Other Apps
Restrict Web Content to Display in Managed Browser
Encrypt App Data
Disable Contacts Sync
Disable Printing
Allow Specific Data Storage Locations (OneDrive for Business, SharePoint, Box, Dropbox, Google Drive, Local Storage)
Require PIN for Access
Number of Attempts before PIN Reset
Allow Simple PIN
PIN Length
Allowed PIN Characters
Allow Fingerprint Instead of PIN
Require Corporate Credentials for Access
Block Managed Apps from Running on Jailbroken or Rooted Devices
Recheck the Access Requirements after Timeout
Offline Grace Period
Offline Interval before App Data is Wiped
Block Android Screen Capture and Android Assistant
Current Integration: Office 365 & Azure Cloud
Microsoft cloud services enforce policies on all Office apps, managed or unmanaged
AirWatch calls the Graph API to configure and assign DLP for native Office apps
Device enrolls to manage apps and wipe corporate data
Integration: Office 365 Azure APIs (Azure Active Directory Graph API layer)
1. Add Azure admin into AW & save
2. Search Azure groups by name
3. Return matching Azure groups
4. Select Azure groups to add in AW
5. Configure DLP rules in AW & save
6. Create iOS & Android DLP policy
7. Set specific DLP rules for policies
Diagram legend: permission scope of token; AW Azure admin user permissions; AW Azure app permissions; Graph API request or response
Demo Office 365 Integration
Simplified Authentication
Office 365 is Complex: Many Clients (Modern, Legacy, & 3rd Party) Can Access Data and Emails. IT Must Close All the Holes
Clients: Outlook, Android Native, iOS Native, Thunderbird, Boxer, Legacy Outlook, Excel, OneNote, SharePoint App, OneDrive, Word, PowerPoint
Office 365 is Complex: Some Clients Use Modern Auth, and Some Use Legacy. IT Must Protect Both
Users can get to Office 365 using legacy or modern auth. Workspace ONE protects both.
Modern auth: Outlook, OneDrive, Android Native, Word
Legacy auth: iOS Native, Legacy Outlook
Office 365 Requires Protection For Two Kinds of Authentication: Modern Auth and Legacy Auth
What is Modern Auth? MSFT's official definition: authentication that uses the Active Directory Authentication Library (ADAL) and OAuth 2.0. ADAL and OAuth work together to provide users/apps access to protected resources through security tokens.
1. User/app authenticates to the IDP to get a token
2. App uses the token from step 1 to get the protected resource
O365 Modern Authentication Flow
Passive federation (WS-Fed passive profiles / SAML) between O365 and the IdP; OAuth2 between O365 and the client
1. Client connects to O365
2. Client is redirected to the IdP for authentication
3. SAML assertion is sent via redirect to O365
4. Access and refresh OAuth2 tokens are generated and passed to the client
5. Access token is now used for accessing O365
Access token TTL = 1h; refresh token TTL = 15-90 days
What is Modern Auth: Simple Definition
Modern Auth is when the user authenticates to an IDP in a browser, rather than putting credentials into the app itself.
This is Modern Auth:
The app redirects the user to an IDP in a browser
The user sees an IDP screen and authenticates (configurable at the IDP)
The IDP sends the user back to the app with an auth token
What is Not Modern Auth: Simple Definition
If the user has to enter credentials directly into the app, it's not Modern Auth.
This is not Modern Auth:
The user enters credentials into the app UI
The app sends the credentials to the IDP
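The two definitions above translate directly into something a defender can check: a client that sends credentials in a Basic Authorization header is on legacy auth, a client that presents a bearer token obtained from the IdP is on modern auth, and a bearer token should not be accepted past the 1h access-token TTL quoted on the flow slide. The following script is an added example, not code from the presentation or from VMware; the log format, client names, user names and tokens are constructed here, and the tokens are unsigned JWT-shaped strings built only so the sample can run offline.

```python
"""Sort Office 365 client requests into legacy auth (credentials handed to the
app/service) and modern auth (bearer token obtained from the IdP), and measure
the remaining life of an access token against the 1h TTL quoted on the slide.
Log format, client names, users and tokens are constructed for this example."""
import base64
import json
from collections import Counter
from typing import Optional

ACCESS_TOKEN_TTL_SECONDS = 60 * 60  # slide: access token TTL = 1h
NOW = 1504000000                    # fixed "current time" so results are reproducible


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def build_sample_token(issued_at: int, upn: str = "alice@example.com") -> str:
    """Constructed, UNSIGNED JWT-shaped token (alg=none) for the sample log only."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    claims = {"iat": issued_at, "exp": issued_at + ACCESS_TOKEN_TTL_SECONDS, "upn": upn}
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def read_unverified_claims(token: str) -> dict:
    """Read a JWT payload without checking its signature. Used here only to
    inspect our constructed tokens; the resource server must verify signatures."""
    parts = token.split(".")
    if len(parts) != 3:
        return {}
    try:
        return json.loads(_b64url_decode(parts[1]))
    except (ValueError, UnicodeDecodeError):
        return {}


def token_seconds_remaining(token: str, now: int = NOW) -> Optional[int]:
    """Seconds until the token's exp claim; negative means the 1h TTL has passed."""
    exp = read_unverified_claims(token).get("exp")
    return None if not isinstance(exp, int) else exp - now


def classify_auth(authorization: str):
    """Map an Authorization header value to (kind, principal).
    Basic  -> legacy: the user typed credentials into the app.
    Bearer -> modern: the app holds a token issued by the IdP."""
    scheme, _, credential = authorization.partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        try:
            principal = base64.b64decode(credential).decode().split(":", 1)[0]
        except (ValueError, UnicodeDecodeError):
            principal = "?"
        return "legacy", principal
    if scheme == "bearer":
        return "modern", read_unverified_claims(credential).get("upn", "?")
    return "unknown", "?"


# Constructed request log, one line per request: "<client> <Authorization value>"
SAMPLE_LOG = [
    f"Outlook-iOS Bearer {build_sample_token(NOW - 600)}",
    f"Word-Android Bearer {build_sample_token(NOW - 5000)}",  # issued over 1h ago
    "Thunderbird Basic " + base64.b64encode(b"bob@example.com:Pa55word").decode(),
    "Legacy-Outlook Basic " + base64.b64encode(b"carol@example.com:secret").decode(),
    "Unknown-Client Digest abc123",
]


def summarize(log_lines, now: int = NOW) -> dict:
    """Count auth kinds, list who still uses legacy auth, and flag expired tokens."""
    counts = Counter()
    legacy, expired = [], []
    for line in log_lines:
        client, _, authorization = line.partition(" ")
        kind, principal = classify_auth(authorization)
        counts[kind] += 1
        if kind == "legacy":
            legacy.append((client, principal))
        elif kind == "modern":
            remaining = token_seconds_remaining(authorization.split(" ", 1)[1], now)
            if remaining is not None and remaining <= 0:
                expired.append((client, principal))
    return {"counts": dict(counts), "legacy": legacy, "expired_tokens": expired}


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_LOG), indent=2))
```

Running it reports two modern and two legacy requests, names the two users (Thunderbird and Legacy Outlook) who are still handing credentials to the app, and flags the Word client whose token is past the 1h TTL. The legacy list is the inventory you need before turning legacy auth off, and the unverified claim read is deliberately confined to inspection of the constructed sample.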
Bottom line: O365 Solutions Must Protect a Complex, Powerful Suite of Apps Used Across Your Organization
Your solution must:
Handle all ways to authenticate into Office 365
Protect all the clients that users use to access Office 365 email and data
Ensure corporate data doesn't leak from users' devices
Federate Existing AD Credentials with Identity Manager
VMware Identity Manager sits between Active Directory / existing identity solution(s) and the apps:
Federates identity for a single version of truth
Works across Office 365 and all other app investments
Integrates with existing identity solutions
Automatic SSO based on native OS APIs
SSO based on certificates and Kerberos authentication
Conditional Access
Restrict Office 365 Access to Managed and Compliant Devices
No management: ACCESS DENIED
Management profile installed (distribution), user identity validated by VMware Identity Manager: ACCESS GRANTED
Compliance Policies for Comprehensive Access Control
Not managed: ACCESS DENIED. Managed by VMware AirWatch, user identity validated by VMware Identity Manager: ACCESS GRANTED.
Integrate with on-premises AD
Validate user identity, groups, MFA policies
Allow access to specific users, devices, OS versions
Check device compromised status
Ensure device is managed by EMM
App-agnostic identity framework across all apps (non-Microsoft apps)
Conditional Access Model for Office 365
Policy framework (compliance, risk score, low security / high security) evaluated over four inputs:
USER & GROUP: user, group
DEVICE: management status, device type, compromise, domain joined, Azure AD joined
APP: web, mobile, virtual
LOCATION: in network / out network, corp Wi-Fi / 3G-4G, internal / external, geo
Leverage Your Existing Investments in the Conditional Access Workflow
AirWatch compliant? Passed an MFA check? Domain joined? Azure AD domain joined? Has a valid certificate?
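The three preceding slides describe a decision, so here is the same model expressed as an ordered policy evaluator: user and group, device state (managed, compliant, compromised, OS version), the existing trust investments (AirWatch compliance, domain join, Azure AD join, a valid certificate), app type and network location go in; ACCESS GRANTED, ACCESS DENIED or a step-up to MFA comes out with its reason. This is an added example, not VMware Identity Manager or AirWatch code; the field names, the policy values and the sample requests are assumptions made for the illustration.

```python
"""Policy evaluator for the conditional access model on the slides. Inputs are
user/group, device, app and location; output is ACCESS GRANTED, ACCESS DENIED
or STEP-UP MFA plus a reason. Field names, policy values and sample requests
are assumptions for this example, not product behaviour."""
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class Device:
    managed: bool                  # enrolled in AirWatch (EMM)
    compliant: bool                # passes AirWatch compliance policies
    compromised: bool              # jailbroken / rooted
    os_version: Tuple[int, ...]    # e.g. (10, 3)
    domain_joined: bool = False
    azure_ad_joined: bool = False
    valid_certificate: bool = False


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    mfa_passed: bool
    app_type: str       # "web", "mobile" or "virtual"
    in_network: bool    # corp network vs. external (3G/4G, home)
    device: Device


@dataclass(frozen=True)
class Policy:
    allowed_groups: frozenset
    min_os_version: Tuple[int, ...]
    require_mfa_off_network: bool = True
    require_emm_for_mobile: bool = True


def device_trust_signals(d: Device):
    """The existing investments the slide lists, each usable as proof of device trust."""
    signals = []
    if d.managed and d.compliant:
        signals.append("airwatch-compliant")
    if d.domain_joined:
        signals.append("domain-joined")
    if d.azure_ad_joined:
        signals.append("azure-ad-joined")
    if d.valid_certificate:
        signals.append("valid-certificate")
    return signals


def evaluate(req: Request, policy: Policy) -> Tuple[str, str]:
    """Ordered checks: the first failing check denies, and every decision carries its reason."""
    if req.groups.isdisjoint(policy.allowed_groups):
        return "ACCESS DENIED", "user is not in an allowed group"
    if req.device.compromised:
        return "ACCESS DENIED", "device is compromised (jailbroken or rooted)"
    if req.device.os_version < policy.min_os_version:
        return "ACCESS DENIED", "OS version below minimum"
    if req.device.managed and not req.device.compliant:
        return "ACCESS DENIED", "device is managed but not compliant"
    signals = device_trust_signals(req.device)
    if req.app_type == "mobile" and policy.require_emm_for_mobile and "airwatch-compliant" not in signals:
        return "ACCESS DENIED", "mobile app requires an EMM-managed, compliant device"
    if not signals:
        return "ACCESS DENIED", "no device trust signal (not managed, joined or certified)"
    if not req.in_network and policy.require_mfa_off_network and not req.mfa_passed:
        return "STEP-UP MFA", "off-network access requires a passed MFA check"
    return "ACCESS GRANTED", "trusted via " + ", ".join(signals)


POLICY = Policy(allowed_groups=frozenset({"o365-users"}), min_os_version=(10, 0))

# Constructed sample requests covering the cases on the slides
SAMPLES = {
    "managed iOS, in network": Request("alice", frozenset({"o365-users"}), False, "mobile", True,
                                       Device(True, True, False, (10, 3))),
    "unmanaged phone": Request("bob", frozenset({"o365-users"}), True, "mobile", True,
                               Device(False, False, False, (11, 0))),
    "domain-joined laptop, off network, no MFA": Request("carol", frozenset({"o365-users"}), False, "web", False,
                                                         Device(False, False, False, (10, 0), domain_joined=True)),
    "domain-joined laptop, off network, MFA passed": Request("carol", frozenset({"o365-users"}), True, "web", False,
                                                             Device(False, False, False, (10, 0), domain_joined=True)),
    "rooted Android": Request("dave", frozenset({"o365-users"}), True, "mobile", True,
                              Device(True, True, True, (7, 1))),
}


def decide_all(samples=SAMPLES, policy=POLICY) -> dict:
    """Decision per named sample, without the reason text."""
    return {name: evaluate(req, policy)[0] for name, req in samples.items()}


if __name__ == "__main__":
    for name, req in SAMPLES.items():
        decision, reason = evaluate(req, POLICY)
        print(f"{name:48} -> {decision} ({reason})")
```

The check order matters: group membership and compromise status are evaluated before any trust signal is counted, so a rooted device that happens to be enrolled is still denied, and the MFA step-up is only reached by a request that has already proved device trust. Mobile apps are held to the stricter "EMM-managed and compliant" bar from the compliance slide, while web and virtual apps may satisfy trust through any of the existing investments listed on the workflow slide.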
Workspace ONE Integrates with Best of Breed MFA, CASB, UEBA and Security Providers
Best of breed MFA: Duo, RSA SecurID, and VMware Verify at no cost
Best of breed CASB: Netskope, SkyHigh
Best of breed UEBA: Gurucul
Other security ecosystems: Mobile Security Alliance (MSA), AppConfig
Demo Adaptive Management, Mobile SSO and Conditional Access
Securing Productivity Apps
Office 365 Supports Many Legacy and 3rd Party Clients. Workspace ONE Keeps All Clients Secure
Boxer (extra security), Content Locker (extra security), Outlook, Android Native, iOS Native, Thunderbird, Legacy Outlook, OneNote, SharePoint App, OneDrive, Word, Excel
Accelerate your Knowledge of Workspace ONE
Date | Session # | Title | Speaker
Tuesday, 11:00am | SAAM3157SU | Transformation of the Digital Workspace | Tony Kueh
Tuesday, 12:30pm | SAAM2288BU | Introduction to Access Management in Workspace ONE | Josue Fontanez, Prab Kalra
Tuesday, 3:30pm | SAAM1150BU | Enable Simple, Secure Access to your Horizon and Citrix Virtual Desktops and Apps with Workspace ONE | Greg Armanini, Matt Coppinger
Tuesday, 5:00pm | SAAM2291BU | Securing Access and Protecting Information in Office 365 with Workspace ONE | Camilo Lotero, Adarsh Kesari
Wednesday, 2:00pm | SAAM2197BU | Deployment Deep Dive: Best Practices and Troubleshooting of Workspace ONE | Kevin Sheehan, Adarsh Kesari
Wednesday, 3:30pm | SAAM2204BU | Secure and Seamless Access to all of your Applications with Conditional Access and Mobile SSO in Workspace ONE | Vikas Jain, Prab Kalra
Thursday, 10:30am | SAAM1321BU | VMware on VMware: Winning a Single Sign-On Solution with VMware Workspace ONE | Robert Coggins, Josue Fontanez
Thursday, 1:30pm | SAAM2294BU | Simplify Management and Security of your Mobile Apps with Workspace ONE | Vikas Jain, Vinay Jain
Also join us for Quick Talks, Expert Discussions, and Hands-on Labs!