Companies of all types and sizes are becoming targets for all types of bad actors from the mischievous to the criminal. Solutions exist to offer protections of various sorts against damage from bad actors.
A financial services client recently approached Sikich for assistance to increase their security posture and provide additional protection for company data, specifically targeting mobile devices.
The Microsoft Enterprise Mobility & Security (EMS) solution offers all the capability to control and protect both users and the data they access. The added benefit is that EMS complements and integrates with the existing Office 365 services already present.
The objective for this client was user identity and mobile device protection. The solution selected and implemented was Microsoft Enterprise Mobility and Security. What is involved in this solution?
Enterprise Mobility & Security Components Include:
- Azure Active Directory Premium
- Microsoft Intune
- Azure Information Protection
- Microsoft Advanced Threat Analytics
While the EMS solution offers huge value to nearly any company wanting this type and level of protection, not all of its services were deployed in this engagement. Here is a quick run-down of the elements that were deployed and why.
- Azure Active Directory Premium: Enhanced reporting.
- Intune: Mobile device protection, mobile application protection, PC management.
- Conditional Access: Restricting access.
- Azure Information Protection: Email Encryption.
- Multi-Factor Authentication: Identity protection.
Now let’s take a deeper dive into the components that were used and discuss how each one plays a role in the successful solution.
- Azure Active Directory Premium
Azure Active Directory Premium was leveraged for its enhanced reporting services covering user identity threats (impossible logins, high volumes of login failures, etc.).
- Microsoft Intune
Intune allowed Sikich to deliver and manage apps across a broad range of devices, including iOS, Android, Windows, and Windows Phone, all from a single management console. It also gave the client the ability to remove corporate data and applications when a device is not enrolled, non-compliant, lost, stolen, or retired from use.
Both mobile application management (MAM) and mobile device management (MDM) capabilities were leveraged from Intune to give users maximum flexibility in using any of their personal devices (or changing their personal devices) when accessing corporate data.
For those unfamiliar with MDM/MAM, a brief outline:
MDM is all about locking down the whole device. The theory is that a device configured to enterprise specifications will be as secure and manageable as one that is enterprise-owned. Managing configuration and enforcing policies (such as virus scanning) are the hallmarks of MDM. The drawback is that MDM can affect the personal information on a device. For example, if IT wipes a lost or stolen device, the user will lose everything—not just corporate data.
MAM operates under the theory that IT can maintain security and infrastructure integrity through application blacklisting and whitelisting. It’s about managing applications instead of devices, with IT controlling which users can access which applications on which devices.
The PC management capability was leveraged to collect asset information and to ensure that basic security policies were audited, enforced and reported on.
Conditional Access was implemented after the enrollment stages to enforce the MDM/MAM policies: only devices that were enrolled and approved for access could connect to the services and reach the data.
- Azure Information Protection
While Azure Information Protection (AIP), formerly known as Azure Rights Management, offers many powerful features for document-level protection, most of these were slated to be deployed later. The feature leveraged from this component was the Message Encryption service, which gives users the ability to send secure, encrypted emails containing sensitive or privileged information to their clients.
- Multi-Factor Authentication
Multi-Factor Authentication (MFA) was the final deployed service, ensuring user identity protection. This service offered the strongest protection against credential theft, ensuring that corporate data was accessed only by company personnel. This was backed by the client's existing best-practice policy of regular password rotation.
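The Conditional Access and MFA controls described above can be expressed as two Azure AD Conditional Access policies. The following is an added illustration, not configuration from the original post or from the client's deployment; it assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph module), an administrator who can consent to the listed scopes, and a placeholder object ID for an emergency-access group. The "compliantDevice" grant corresponds to the Intune MDM path and "approvedApplication" to the Intune MAM path, joined with OR so a personal device can satisfy either one, which is what lets users keep their own devices.

```powershell
# Added example (not from the original post): two Conditional Access policies
# for the Microsoft Graph PowerShell SDK. Conditional Access requires Azure AD
# Premium P1, which is included in EMS.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Application.Read.All"

# Placeholder (assumption): object ID of an emergency-access ("break-glass")
# group excluded from both policies, so an MDM or MFA outage cannot lock every
# administrator out of the tenant.
$breakGlassGroupId = "<break-glass-group-object-id>"

# Policy 1: on iOS and Android, Office 365 may only be reached from a device that
# is Intune-enrolled and compliant (MDM) OR from an approved client app under an
# app protection policy (MAM).
$devicePolicy = @{
    displayName = "CA01 - Require compliant device or approved app for Office 365"
    state       = "enabledForReportingButNotEnforced"   # report-only first; change to "enabled" after reviewing sign-in logs
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @("Office365") }
        platforms      = @{ includePlatforms = @("iOS", "android") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("compliantDevice", "approvedApplication")
    }
}

# Policy 2: MFA for every user on every cloud app, regardless of device.
$mfaPolicy = @{
    displayName = "CA02 - Require MFA for all users"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

# Create both policies and show what was created.
$created = foreach ($p in @($devicePolicy, $mfaPolicy)) {
    New-MgIdentityConditionalAccessPolicy -BodyParameter $p
}
$created | Select-Object DisplayName, State, Id

# Sanity check: flag any enforced policy that does not exclude the break-glass group.
Get-MgIdentityConditionalAccessPolicy |
    Where-Object { $_.State -eq "enabled" -and $_.Conditions.Users.ExcludeGroups -notcontains $breakGlassGroupId } |
    Select-Object DisplayName, Id
```

Both policies are created in report-only mode so their effect can be checked against real sign-ins before enforcement; the final query is the check a practitioner would run before flipping either policy to "enabled".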
This is one example of how Enterprise Mobility Protection can benefit an organization. Is your business facing a similar challenge? Do you want to discuss your unique needs with a strategic IT adviser? Contact us today!