Thank you so much for reading my blog about: Cybersecurityfor local governments.
In this article I’ve written an high-level approach for implementation and shift from a more a more classic or less secure environment towards future proof.
People: Awareness is the fundamental step for each security implementation. If you want to improve with ‘security’ the general thoughts and awareness. It’s a responsibility of each individual to carry out the importance of ‘doing it right’, ‘be aware’, ‘understand the risk’, ‘know what to do before opening a strange e-mail’,…
Example: If people don’t understand the risks they will not improve the organisation or themselves.
Technology: Technology can help to met the challenges of today. The main things to implement are easy and could be implemented without big efforts — but still these challenges are not implemented on 100 customers i’ve seen over the last year.
Example: Multi-factor Authentication, Enablement of conditions to get rid of pop-ups AND integrate the workstation in the Microsoft 365 stack.
Microsoft and Office 365
If your government has Windows 10 on their local machines, Office 365 for collaboration the Microsoft (only) choices already has been made.
To keep it simple: in the early days, all infrastructure was on-premises. In the modern days some things are on-premises, some are in the Cloud. If is Google or Office 365 — it doesn’t really matter. Is not on-premise anymore, documents have been shifted to cloud.
We need to think beyond the on-premise OR cloud. It’s hybrid, or full-cloud.
I didn’t see any government in Belgium yet that has their full infrastructure in the Microsoft or Amazon or different cloud.
Connecting the dots
To get a simple context of improvements their is only one most important aspect. And this is: the identity. ‘The username and the password’ that lays in the heart of authenticating with your ‘account’ on your computer, office 365, Google, fileserver, laptop, computer, application,..
Next to the identity you have a device with Windows 10. That can be integrated in Office 365 for additional security. Why? To bring these 2 pieces together and connect them to understand the risks better — from a technical point of view.
In these 10 steps pointed out an actionplan to work and increase the security in each organization — which is a big need in governments at this moment.
1. Identity protection
1.2 million of all Office 365 or Microsoft 365 accounts (each month) are compromised. This represents 0.5% of all accounts in your environment. Source: theregister-co-uk
Multi-factor authentication prevents 99.9% of all attacks.
Activate MFA, for Office 365 or Google or .. This will decrease the risk of account breach.
Take control of Mobile Devices, or at least use Mobile Aplication Management and protect your corporate data. (iOS, Android, W10, MacOSX,..)
3. Passwords and management of authentication
Create a password policy. Check if 100% is during renewals. Enable MFA for everyone. In case you don’t do it create policy for example: IF not with MFA than set password +100 characters. (for applications, not users) etc..
Microsoft has advised to disable password renewals in this article. I think it’s possible IF you are doing multiple other steps of this article.
4. Create real-time reporting of security vulnerabilities
Identity risks are in every organisation. Don’t think that your changes are low. Check the facts. It is very easy to use ‘risky users‘, ‘risky-sign’ ins and ‘risk detection’ to find out real risks.
Integrate with Microsoft Defender ATP and ATP Sensors to have all intelligence in the Microsoft cloud.
5. Create automated and intelligent alerts
There is only 1 answer to the ‘control’ question.. Microsoft Cloud App Security. Create alerts when 100 files are deleted. Copied to Dropbox for example.
6. Install antivirus on ALL endpoints + go beyond antivirus
Microsoft Defender ATP, sentinel-one, Norton, McAfee, it doesn’t really matter. As long as you are able to protect all endpoints.
The second factor is to make sure that your antivirus is enabled. Use a single console. OR use MDATP. Set security alerts so you know when you are at risk.
Use EDR monitors to detect and respond to advanced attacks in real time.
7. Secure private(personal) devices and corporate devices
workstations and portables (With W10 for example) are in control in most of the companies. Mobile devices are left unmanaged because we don’t know the options.
With Intune (EndPoint Manager) you can isolate and segment applications without having to manage the device. The corp. applications is under control. The organization’s data is protected. The most important thing is done!
Choose a fingerprint, faceID worst-case pincode in app protection.
Below you may find an example of the Outlook application which is protected by Mobile Application Management. In case organisations are not the owner of these devices this is a great option. And simple to implement.
8) Evaluate regularly which users have access to data, devices and physical network
Cloud App Security shows you exactly whether data is passing on all endpoints.
Document data, lateral movements, usage of applications, global traffic, count of applications in use in your organisation. Risk levels, GDPR proof applications..
Bring network devices logging in CASB to have more insights.
9. Track and block access for temporary projects or employees that left the company
governance without enforcement is just good advice.
Create simple written policies, enforce policies. Do monthly or weekly monitoring.
Create retention policies for example in a Microsoft Team that removes the team after 180 days.
Use Information protection to protect document data. Even if you lose the document “physically”. There are still options to block this from opening and keep in secure from distribution, opening, editing,..
Create document data insights from on-premises and cloud solutions with Microsoft Information Protection Policies.
Conclusions
Security priorities are difficult. However, I would always start with MFA because this is fundamental improvement for any organisation. It creates awareness + prevents risks on account breaches.
Keep control of all assets. Implement Endpoint manager to increase the maturity of the workplace.
Thank for reading my blog about: the technical implementation for a Microsoft 365 workplace. In this article I’ve written an high-level approach of an implementation and shift from a more traditional organisation towards a cloud focused organization. If you not totally ‘fan’ of the cloud idea please read this article: The value of Microsoft 365 E3 and E5. andHow to build your Zero Trust modern workplace with Microsoft 365 – which totally bring the why cloud and why modern technology.
This blog is describing the high-level tech actions to grow to a Microsoft 365 modern organization. I would love to receive feedback in in the comment, Linkedin, Twitter.
1. Start with Identity Management and extending Active Directory to Azure AD
Install Azure AD Connect and sync your users and groups to Azure AD.
You could use Directory and password Synchronization to bring all identities from your current environment towards Azure AD. I prefer the hybrid scenario and later full cloud scenario. Worst-case ADDS in Azure. To have the ‘control’s shifted and the primary Directory in Azure AD.
Why? Microsoft Azure AD is beyond the current ‘legacy’ integration and is a next-gen identity platform. Make it simple. If you don’t need third-party solutions (which always limits new capabilities) don’t go for it. Use native Azure AD. Also it’s a big opportunity to leave things behind and smoothly shift to ADDS or Azure AD.
2. Migrate your exchange workload with Exchange Hybrid Wizard
It’s very easy to shift Exchange workloads as first load to Office 365.
Setup Azure AD connect – Sync all identities.
Change the UPN’s if required, same as e-mail preferred. Easier for users.
Pre-sync all mailboxes to a state of 95. Throttled, change the maximum in your virtual webservices.
Cut-over migration is best-practice under 2000-5000 best one shift, if more phased approach. Approach and instructions here.
After the migration over hybrid Exchange the next steps is shifting the relay to O365 direct. Or alternative solutions. Make it simple. Not over-think, don’t create complexity for hybrid mailflow. You could keep hybrid-Exchange for the first phase with management to AD en Exchange Online.
3. Migrate personal data to OneDrive
Document data is one of the post important things running in any workplace. Personal data is crucial for taking into account for migration. It will help support the shift to M365 when you help to achieve a better collaboration space for the people.
Use OneDrive Known Folder move so you can automatically discover your favorites, desktop document and place them on OneDrive’s. People love this feature. It’s easy to implement, and has additional value without changing the core.
Migrate your homedrives, to OneDrive with the SharePoint migration tool or different tools when you need more control. Document shift is important to get away from the current system(s).
4. Migrate departments to Teams or SharePoint Online
I’m not going super deep into details for document migration. But I will provide the high-levels of migrations of workloads.
Assess your current environment and understand the needs.
Migration of team data could result in Microsoft Teams Libraries.
Migration of organization data could result in SharePoint Online.
Still personal data could (only touched by 1 person) can land in OneDrive.
There are great tools on the marked to to the assessment. Phased approach is necessary. Standards & building blocks will help with speed of implementation.
5. Voice shift from on-premises to Microsoft 365 or any other cloud integration solution
There are 4 options of Microsoft Teams voice solution:
Phone system with Microsoft’s calling plan
Phone system with your own carrier. (direct-routing)
Phone system with own carrier via Skype For Business or cloud connector Edition.
Enterprise voice in Skype for Business with own carrier.
Don’t go for less. Use Microsoft Teams. And if you will choose other platforms think about trust – compliance – think about the adoption. Inclusion, security, segmentation and most important: Think about the speed of implementation comparted to the easiness of one platform.
If there are complex need for voice, callcenter. There are solutions in the marked to help shift to cloud voice with Teams. And keep in mind that Microsoft shifted it’s full organization to Team. I mean, they have a complex organization and multiple flavors of requirements and needs.
6. Microsoft EndPoint Manager
Implement Microsoft EndPoint manager for Windows 10 + all mobile devices as described above. The minimum set is written in this article.
Onboard all current devices with Hybrid Join or full cloud join / Azure AD join.
Onboard all new devices with Windows Autopilot.
Implement MAM for mobile at least. Manage all your company owned devices at least.
7. Increase basic identity Security
Multi-Factor Authentication or Azure Security Defaults.
Conditional Access for easier login’s – and more security.
Connect your devices to Azure AD with EndPoint Manager. Hybrid Join – Full Cloud. Connect it.
Risky User Sign-in policies. Define some security policies as written here.
Create control on lifecycle management of identities. Expiration, onboarding, offboarding etc..
Automatic password reset or disablement of account when breached.
Shift to primary Azure AD, later.
8. Windows Autopilot for enrollment of Windows devices
Enroll new device with Windows Autopilot (staging Principe)
Onboard current domain joined devices with a Group Policy written here.
9. Software Deployment migration
Microsoft Office 365 ProPlus (now Microsoft 365 Apps) can be quickly deployed by Endpoint Manager.
Windows Updates can shift ASAP when using endpoint manager. Total control is build-in.
Microsoft Edge will deliver great value when it comes to browser support, can support old ‘sessions’ as well. Azure AD integrated, great new stuff, super modern.
Use third-party mechanisms as PatchMyPC or Chocolatey for ‘simple’ deployable software. Use own written scripts and create packages when necessary.
10. Group-Policy-Objects (GPO) Migration
Microsoft is currently working on policy analytics which will help the migration of GPO’s to MDM policies with controls. But keep in mind, a lot of policy are used for legacy. I don’t believe in migration of GPO. I believe in a basis workplace ‘greenfield’ were you build standards for everyone. Not for groups. And if you do. For 10 groups. and 90% same architecture and flavors. So: Don’t migrate non used GPO’s. Rethink GPO’s -> MDM.
ADMX backed baselines will help for smooth and faster configuration. Whenever it’s not possible use the OMA-URI’s.
Most important try to be prepared for 80% to shift the authority from GPO’s to MDM. And leave the GPO’s in your on-premise DC’s behind.
11. Windows updates and security improvements
Create a Windows 10 update ring with peer-to-peer caching to not kill the internet break out. VPN etc..
Create segmented of pre-test groups to validate the update version in production.
Use the standard Security Baselines to implement the W10 MDM Baseline and MDATP configuration. Baselines are great. It’s so easy to use.
12. Shift infrastructure to Azure
Think about: Rehost, Refactor, Rearchitect, rebuild, replace! If you want to do infrastructure shift follow the next steps. Otherwise do the assessment and write down all infrastructure and start with rearchitecting were possible. When you’re hosting well known vendor applications try to get in touch and ask if they are planning for SaaS, Azure, others.
Create an Azure Migrate project and add the Server Assessment solution to the project. Tutorial
Set up the Azure Migrate appliance and start discovery of your server. To set up discovery, the server names or IP addresses are required. Each appliance supports discovery of 250 servers. You can set up more than one appliance if required. Prereq’s
Once you have successfully set up discovery, create assessments and review the assessment reports.
Use the application dependency analysis features to create and refine server groups to phase your migration.
13. Migration of legacy Active Directory Integration
Shift applications that use AD Groups or AD Authentication to authenticate applications towards Azure AD worst case ADDS.
Try to isolate all applications, monitor the active usage of AD and try to find and understand what you can transform easily.
Sometimes there is an application which is old for billing or accountants, mostly used by some people. Don’t integrate, isolate and shift with dedicated accounts to Azure IaaS. But write it in the long-term plan and push these vendor for integration of choose other platforms.
14. Build collaboration platforms with Microsoft Teams & SharePoint
I’ve probably missed some ‘crucial’ applications on-premises that are used for 20 years. I’m saying: We need to leave complex legacy behind. Choose SaaS solutions with future-benefits. Don’t wait for phasing these out to go cloud. Do cloud and leave legacy behind. OR migrate and isolate. And more important: Long term strategy.
We are always choosing short-term quick solutions for fixing a problem, integrating on solutions and after 5 years its bombastic. Choose long-term. Don’t choose non compliant solutions that are not ready for the compliance requirements of the future. Security complexity and needs are growing, GDPR, ISO27 is important.
Build your new Microsoft Teams Sites for collaboration.
Create a SharePoint Hub for all SharePoint sites – create a frame and design of the requirement and visual for your full organization.
Build out department and long-term SharePoint collaboration spaces.
Migrate the old ’20’ years ago applications to SharePoint list, with PowerApps and integrate with power Platform. I’ve seen simple apps in Lotus Notes that can easily shift their history to SharePoint lists and PowerApps. PowerBI can help with the transparent reporting.
15. Rethink on-premises
Rehost, Refactor, Rearchitect, rebuild, replace!
Rethink the new needs of on-premises. All collaborations spaces are shifted to Office 365. Your devices are managed with M365 EndPoint Manger. Documents are shifted to OneDrive, Teams and SharePoint. Authentication and integration with Azure AD is shifted. Printers with universal Print of different solutions as Printix. Core applications are moved to IaaS and are waiting to become SaaS overtime. What else is there?
16. Build security mechanisms than can be automated
Now, only now, when the shift is completed is the time to build your SEC-OPS landscape.
Why? It’s easier. Don’t you want to go fast? Don’t you want to have 1 platform. Don’t you want to integrate with modern technology in Azure AD, M365..
Security Operation and your incident responds can be done with MDATP. I know it’s working in hybrid – it’s the first phase. Not the end goal.
Build on the next level modern workplace with Information Protection – which automatic labels classified documents. Use the unified data classification platform.
Get grip on actionable risks on devices, users with MDATP in combination with Cloud App Security to identity and isolate risks. Sometimes automatic remediation.
Thank you so much for reading my blog about: How to build your modern workplace with Microsoft 365. In this article I’ve written an high-level approach of an implementation and shift from a more traditional organization towards a cloud focused organization. I would love to receive feedback in in the comment, on Linkedin or Twitter. Also read: The value of Microsoft 365 E3 and E5.
This blog is describing the strategic, high-level possibilities how Microsoft 365 can help you, as an organization to be ready for a modern future.
Strategy and vision
Welcome in 2021. The world has changed since Covid-19…
Organizations are struggling to anticipate better on their workforce to help and achieve their ultimate goals.
To collaborate better, to get in contact different than before a more modern approach is necessary – change is required. I don’t want to go to deep in the fact that it is becoming a huge challenge for CIO’s and IT Manager since the world has shifted into a new era. Working different has become a new standard. And the change driver is from the outside towards inside. It is happening — there is no way not to accept the signals and facts. There is no way, not to change.
When mapping these challenges on the technological needs of today I’ve summed up some topics that will come back in my article, later. The main challenges are:
To connect people to collaborate in a different way with new technical possibilities – Keeping in mind that the experience needs to be great. It should be simple. Transparent. Team driven, no individuality.
To use proven standards that do work – because they are used in multiple organizations. The slowness of not believing these standards and references and going the own way is killing organizations from within. This results in slow implementation speed – lack of confidence and trust which results in over thinking. And conclusion: failing.
To provide the right tools that do work for organizations – In a modern world – without the fence of physical locations and more important with the same security level as in the early on-premise days.
To be fast enough and accelerate your business goals. Timing = everything — Lack of speed = lack of relevance.
To get you security maturity in order, better, safer, to grow to a technical safer workplace – this is more important than ever. If you see the cyber Risk trends growing, somethings needs to change.
Companies are working different than before. And I trully believe that the one that is most adaptable to change do survive.
It is not the strongest of the species that survives, nor the most intelligent that survives. It is the one that is most adaptable to change.
The traditional corporate infrastructure is isolated of the outside world
As you can see in this picture that’s is brought by Microsoft in the zero-trust concept organization did build great solutions in their datacenters on their premises. In their decentralized redundant datacenters with everything in place to have their DRP and failover working great. I’m not bashing on smart people which did a great job fixing these massive complex integration to keep everything running 24/7, in their de-central service centers / data centers.
The problem is, the solution is… As I’ve mentioned in my last point. Organizations did a great job, on their premises to get everything working as it should.
Disruptive of cloud organizations as Microsoft, Amazon and Google came with scalable and relative quick-deployable solutions. Solutions that didn’t require the technical need of the on-premise or ‘self-owned’ of Infrastructure on premises. Software-as-a-Service (SaaS) solutions that were isolated from these corporate environments with plug and play capabilities to most important leverage solutions for these organizations – and this is the most important aspect of it all. Solutions for organizations, to achieve more. The get to the ultimate goals of these organizations. Non technical driven scenario’s, business case and business scenario’s. I think we are somewhat naïf not understanding why disruptive came. It is mainly because we were not able to adapt on changes required to make our organizations more modern. With high speed implementation. Image a new Office 365 customer in a cloud scenario. With: Exchange, Sharepoint, Teams, mobile device management. They can start after some hours of implementation. Image this setup on- premises. How long will it take? Perspective = everything.
A new concept of layered approach which kills the fish tank within corporate infrastructure
In the picture below you will see the corporate datacenter with all servers running in virtualized state, segmented with additional security solutions. Segmentation on networking storage and many more services. It’s so extreme complex. One mistake could impact everything. next to mistakes: Ransomware, targeted-attacks, phishing attacks,.. and all other bad-actors took this opportunity to infiltrate and bring this infrastructure down. Sell data. Bottom-line: it became so complex to react on all aspect of just only the core infrastructure where your servers and services are.
Microsoft didn’t invented the layered approach when it comes to: Identity, Devices, Services, Data and Network. It’s no new model nor real solution that fixes any problem. No, it’s a way of understanding and integration of your assets to bring them in a layered solution where it cannot touch the asset next to it. And isolation was always the biggest problem of own infrastructure. Even when your organization is huge it’s still extremely hard to take everything under control and secured. The right conclusion: Layered approach.
Building your foundation identity management solution
Almost every organization did start with Microsoft Active Directory Servers/services with Windows 2000 or Windows Server 2003. Upgraded to more future-proof versions to integrate better. More features, more integration capabilities, more security. Newer versions.
Cloud solutions came disruptive like BPOS, Office 365 and we did integrated our current infrastructure with Identity federation solutions as Microsoft FIM to provision our on-premise active-directory ‘accounts’ towards Azure Active Directory. Later the process was well optimized to bring all on-premises identities in sync with Azure AD connect. A modern tool that helps extending your current on-premise Active directory to Azure Active Directory. But we didn’t thought Office 365 was the most important part of our core organization.
Azure Active Directory is different than Active Directory On-premise. Is has more features and a more security baselines than a Active Directory server. I’m not saying that Azure AD is by design more secure. I’m saying the options are there to start with a better secure platform. Building blocks. Easier for activations as for example: Azure AD Security Defaults. Maximum value, less complexity faster implementation speed.
Enterprise hybrid cloud solution to extend to Office 365 and Azure
Before 2020 a lot of organizations shifted workloads from their on-premises systems infrastructure to Office 365. The most common workload was Exchange On-premise to Exchange Online. Later these workloads did shifted in the Office 365 landscape. For example:
Fileservers became -> OneDrive, SharePoint or Microsoft Teams
Voice/Skype tot hybrid Skype -> Skype Online -> now Microsoft Teams with PSTN, Direct routing and all voice capabilities.
As you see I’ve migrated the biggest workloads on paper and there is nothing left except application servers, other e-mail systems, voice solutions and other solutions. (See Apps & Scenario’s)
As you all know sometimes small infrastructures or some applications are slipping in the architectural designs – I don’t think we need to overvalue the fact that in every change some things needs to change! Old legacy, phase it out, migrate to different solutions. Focus long-term.
Endpoint devices and future-proof device management
Devices as Windows XP, Vista, 7, 8, 8,1, Windows 10 (since 2015) 1703, 1706, 1709, 1803, 1806, 1809, 1903, 1909. Were staged by System-Center Configuration Manager in a on-premise solution. And are now brought in a hybrid deployment with Microsoft EndPoint Manager.
Microsoft EndPoint manager is a combination of SCCM + Intune. To get the best of both worlds. Manage workloads from cloud and on-premises. Example: You could implement, during Covid-19 the change of update mechanisms from SCCM towards Endpoint Manager.
In this great overview you see on the left the integration of the current Active-Directory environment towards Azure Active Directory. In the right you see future state building blocks that needs to be active on your endpoint devices, to be prepared for the non-phish tank approach. Because most of the time: you already chose Microsoft, Windows 10 and Office 365. The possible scenario’s of managing your endpoint devices:
SCCM only or third-party solutions
SCCM CO-Management with EndPoint Manager
EndPoint manager only
How to choose what’s right for your organization? What is the right path for modern management? Which products would you need to choose to be ready for a future state workplace?
I’m total fan of going for EndPoint manager in the cloud only world. Because if your new to modern management you have the opportunity to use your hybrid Identity (from on-premises) and your cloud-only joined Azure AD Windows 10 workstation.
Why? Because different than before speed became a huge factor of implementation. And focusing on only the deployment and core Windows 10 enrollment has became less important compared to security implementations and improvements.
The first reason:The configuration and implementation is easy. Not because I’m lazy to implement more complex solutions but the create simplified standard solutions to manage your Windows 10 Devices is just so important. It’s great to have standard sets in Intune that are on or off. It helps the dialogue and the complex discussions and integration in high-speed.
Second reason is: Mobile devices, mobile device management with basis functionality is very easy and transparent with Endpoint Manager. And as we all know: You need to have some scenario’s for: BYOD, CYOD, COPE and COBE. BYOD is Bring Your Own Device; CYOD is Choose Your Own Device; COPE is Company Owned/Personally Enabled; and COBO is Company Owned/Business Only. Are you thinking this is the bla bla cool term discussion? Let’s get that sorted out: Are you able to securely work on your mobile applications and protection your companies IP. Do you know where your company data is located?
Third Reason: The security maturity and implementation effort has pro’s: Bitlocker activation, Windows Hello For Business working great full-cloud, easy activation. I believe segmentation of this device layer is important to not have lateral movement with domain joined devices connected on-premises. It’s not even technical possible if the device is not trusted. (zero-trust)
Fourth reason: No hybrid complexity, easier staging with Windows Autopilot. Staging from anywhere. Not possible in hybrid scenario’s, at the moment. It’s announced will be possible soon.
Fifth reason:Go Cloud. If you have no on-premises infrastructure left and are able to go without ‘traditional’ domain controllers to Azure AD or ADDS. The baseline is the most important real touchable factor. There are more capabilities easier to implement. Long-term is the real reason.
Why should you choose for CO-Management and what are decision points?
When you are not in a hurry moving to full-cloud. And for example defined you will shift in 2025. And still will keep your on-premises core-environment intact until then.
When you have big task-sequence and big deployment of software that is not possible to bring to Endpoint Manager. But more important is strategy. It will be strange if you keep SCCM without any other workload on-premise. Choose strategic, long term.
If strategy of full-cloud is defined. Don’t invest in co-management. For example: No business critical application service is running on-premises, shift to EndPoint Manager. Its better to make the invest in modern tools compared to well know configuration manager.
When you have 20 language packs and custom scripts. Sometimes hard decisions needs to be made to be more flexible in a later stadium. Again, Strategic decision.
Services, servers and infrastructure
It’s al about responsibility, complexity, standards, governance, way of stabilizing your businesses critical systems.
Responsibility and Security: As you can see in this matrix thanks to the shift of On-premise servers, appliances, services running Windows Server or different operations systems the ownership is in the organizations hands.
The downside in general is security. It’s difficult to segment, patch, upgrade, update and keep track of risks in the attack chain. Servers are integration with active-directory. Next to Security TCO is important. Did you know that we spend a lot of our time doing core-infrastructure task to keep everything running. It’s so critical infrastructure. Do we really want to keep on working and supporting this infrastructure when there are other options? It’s illusion to think organizations can keep up evolving and transforming when the focus is not shifted and the battle of cloud focus is not yet won.
The next diagram shows the responsibilities – import for knowing the opportunity for engineers, architects and the impact on these people. Next to the workload and impact the technology is probably more important.
“Rehost, Refractor, Rearchitect, rebuild, replace” – IF you want to shift to a modern approach redesign to Software as a service, wen possible is very important.
Example: Azure FileServer, Azure SQL. No Windows server 2016 running SQL instance(s). Just a SaaS solution. Easier for technical workers.
Data (documents)
Data maturity. automatic processing. Automation,. You get the point. (document)data is crucial and needs protection. Data is the core of every organization. And still we are sending documents over e-mail, sharing over third-party solutions that are not trusted etc.. We need a consolidated approach to fix document data ‘problem’ and discovery of security risks, compliance. We need to take back control of corporate data. It’s sometimes difficult to understand that companies are building data warehouses with high-end security and leave the door open of information documents / management. We are building super complex systems with machine learning, intelligent architectures for modern needs. With super smart people – but we leave the “core workplace behind” maybe because we are having less smart people really understanding what we are doing.
Trust / Platform / Decide -> Choose Microsoft. If you chose Office 365 to collaborate better and you don’t trust the environment you made the wrong choice. I mean, use the technology to make your environment more secure. Don’t use it if it’s just for mail. The tech goes beyond the tool itself.
Migrate personal documents to OneDrive, Organizational document to SharePoint of Teams and other application data to Azure Fileserver or different solutions.
The main reason is data control. When fileservers, and local copies are gone Microsoft 365 cloud can deliver automated labeling an classification or at least insights on confidential data. We lack data-control. Not even ‘understanding’ of document movement in our organizations.
Cloud App Security. Cloud App Security can help you remediate and take actions when necessary, discover document flows and help to set rules on document when the risk of data-leakage is valid. Cloud App Security will not fix the ‘complex’ solutions when we made them complex. There is nothing easier to manage than Office 365: Teams, SharePoint, Yammer, Exchange when this is the only platform used.
Security and governance in Microsoft 365 is hard. But it’s even harder if you also have on-premises resources and non-controlled instances. The pro’s of only O365 is you can deliver actionable insights.
Network
I’m not a network specialist. I don’t know a thing of networking. But what I do now is that because of this ‘gap’ of IT-Pro’s to opportunity of hackers will rise. Because of the unknown facts. If you are able to shift all workloads to Microsoft 365 the network part, and the network-security will become less important. When it comes to information breaches, and core-infrastructure is gone on the on-premises. Every organization needs stable network, shaping, priorities and all other things to regulate network infrastructure. It is super important. But, we need to stop trusting our own networks as much as we did, before. Because the silo walls are gone. The crucial organization data did shifted to somewhere else.
Why should we even make a more trusted inside network than outside over VPN or private connections?
Strategic modern workplace decisions
Strategic long-term definitions are important to set milestones to grow to a real modern workplace. Most of the time we are delivering workplace optimizations for 20% of the workplace – of the possibilities and the needs. Only modern management for example.
Shifting al or our traditional infrastructure to Azure, Microsoft 365 is crucial for the long-term. For future-proof architecture.
Modern Management is a part of a workplace. For just only managing your assets, devices, updates, applications and deployment. But we are making this the import part. It’s the easy part. maybe in the near future Microsoft will deliver end-to-end solutions for deployment and management of devices. I hope they will. Probably we will complain of Microsoft taking over. And we are not willing to see the opportunity of the broad workplace.
Security baselines became important to get easier packages with a big value, low-cost, maximum impact. Building blocks to implement to get your organization on a high(er) security level.
Consolidation and migration to Microsoft 365 gives control to start with Unified Classification of documents and rich integration with for example PowerPlatfrom. It’s a tremendous opportunity to see how data is moving thought your workplace. And it creates insights to get things in order.
Real communication and collaboration is possible from anywhere if you brought all services from on-premises to Microsoft 365. Example: Using Teams with an on-premise exchange? What’s the strategy for that? And this brings me to the start of the article.
Mindset. Things have changed in the last decade. In the early days we have build IT-systems that were not able to change fast and may ‘never break’ -> Time has changed with superspeed — mindset should change. To old ‘system’ lacks modern need. This topic is deeply written in the CISO workshop 1 of Microsoft.
There is no room for traditional workloads when your strategy is to work and invest in Security optimizations. There is no room for traditional Exchange, SharePoint and fileservers when you want to be a flexible and cloud company.
We have seen the world changing the last 3 months. Maybe we will turn back to where we were. The choice now is:
Would you be the company that is prepared for next trends of working from anywhere – with a future proof ready architecture. to build on. To grow security, data maturity and easiness of future integration and implementations?
Would you go back, and use the old-tech? Until your organization is irrelevant because someone will change faster someday.
It is not the strongest of the species that survives, nor the most intelligent that survives. It is the one that is most adaptable to change.
Thank you so much for reading! In my post of next week you will read 15 technical high-level implementations and the next steps of a modern secured workplace. If you have feedback please comment below or reach out on Linkedin or Twitter.
Jasper
The top 10 security recommendations to consider while working from home!
Some facts: 1.2 million of all Office 365 or Microsoft 365 accounts (each month) are compromised. This represents 0.5% of all accounts in your environment. Source: theregister-co-uk
Multi-factor authentication prevents 99.9% of all attacks.
Take control of Mobile Devices, or at least use Mobile Aplication Management and protect your corporate data. (iOS, Android, W10, MacOSX,..)
3. Passwords and management of authentication
Create a password policy. Check if 100% is during renewals. Enable MFA for everyone. In case you don’t do it create policy for example: IF not with MFA than set password +100 characters. (for applications, not users) etc..
Microsoft has advised to disable password renewals in this article. I think it’s possible IF you are doing multiple other steps of this article.
4. Create real-time reporting of security vulnerabilities
Identity risks are in every organisation. Don’t think that your changes are low. Check the facts.
It is very easy to use ‘risky users‘, ‘risky-sign’ ins and ‘risk detection’ to find out real risks.
Integrate with Microsoft Defender ATP and ATP Sensors to have all intelligence in the Microsoft cloud.
5. Create automated and intelligent alerts
There is only 1 answer. Microsoft Cloud App Security.
Create alerts when 100 files are deleted. Copied to Dropbox for example.
6. Install antivirus on ALL endpoints + go beyond antivirus
Microsoft Defender ATP, sentinel-one, Norton, McAfee, it doesn’t really matter. As long as you are able to protect all endpoints.
The second factor is to make sure that your antivirus is enabled. Use a single console. OR use MDATP. Set security alerts so you know when you are at risk.
Use EDR monitors to detect and respond to advanced attacks in real time.
7. Secure private(personal) devices and corporate devices
workstations and portables (With W10 for example) are in control in most of the companies. Mobile devices are left unmanaged because we don’t know the options.
With Intune (EndPoint Manager) you can isolate and segment applications without having to manage the device. The corp. applications is under control. The organization’s data is protected. The most important thing is done!
Choose a fingerprint, faceID worst-case pincode in app protection.
Below you may find an example of the Outlook application which is protected by Mobile Application Management. In case organisations are not the owner of these devices this is a great option. And simple to implement.
8) Evaluate regularly which users have access to data, devices and physical network
Cloud App Security shows you exactly whether data is passing on all endpoints.
Document data, lateral movements, usage of applications, global traffic, count of applications in use in your organisation. Risk levels, GDPR proof applications..
Bring network devices logging in CASB to have more insights.
9. Track and block access for temporary projects or employees leave the company
governance without enforcement is just good advice.
Create simple written policies, enforce policies.
Create retention policies for example in a Microsoft Team that removes the team after 180 days.
Use Information protection to protect document data. Even if you lose the document “physically”. There are still options to block this from opening and keep in secure from distribution, opening, editing,..
Create document data insights from on-premises and cloud solutions with Microsoft Information Protection Policies.
Conclusions
Security priorities are difficult. However, I would always start with MFA becasue this is fundamental identity security. Afterwards document and device security. Because companies are moving to Teams during Covid-19. And you don’t want data leakage during this time.
If your identity is not secure, and compromised, there is no point in doing information protection. Because a ‘hacker’ will use your accounts to access your corporate data.
I’ve seen multiple customers struggling with their corporate information. Most of the time this data is secured in a traditional way without flexibility to collaborate.
Result: People find other way to collaborate: Dropbox, OneDrive, Box, Mails, Private-mails, whatsapp,..
You don’t want your personal data published on the web. Why do we allow organizations to be less secure with OUR information?
Goal: If you are curious about your data at this moment, setup a fast pilot traject. In 24 hours you will have real insights in your organization.
The struggle for a Multi-factor authentication implementation is REAL and most of the time, really frustrating? Some frequently asked questions and answers below! Let’s change problem into a solution.
We don’t want to use Multi-factor authentication – it’s too complex!
Ask the people in your organization if they use the same password as their corporate account for: Dropbox, Yahoo, Gmail, Facebook. Do they?
I know, it’s really bad advice. But type your ‘old’ password in Haveibeenpwned.comIs it still ‘safe’?
Do you have MFA on your Facebook account? Your iCloud account, You’re private mail? Is it that bad?
How to tackle the resistance!
END-USER AWARENESS: There are a lot of organizations helping with a great case which can help your organization (including Microsoft) to communicate well. Communicate – make people understand WHY – support them – give them more!
MEASURE THE NEED FOR MFA: Measure the impact in your organization. And make people understand WHY. You could send out a ‘false Payroll update’ and measure how many people are entering their credentials. Make them aware that they did very good not entering their corporate credentials. Don’t punish people because they did. Help them to identify and understand phishing mails. https://protection.office.com/attacksimulator
SELF-SERVICE: Give people in the organization the ability to get some pro’s because they ‘need’ to do MFA. For example: self service reset password possibilities. It could also mean that the workload of IT-teams will decrease because of self-service mechanisms. It’s nearly impossible (insecure) to deliver self-service without a trusted-second factor.
MODERN MANAGEMENT: Bring all your devices in a Azure AD in a state where they are at least Azure AD Joined so users will have pro’s like Single-Sign-On in Microsoft Edge. Other browsers are possible, but requires a little bit more time.
CONDITIONAL ACCESS: It’s simple to define a basic set of conditions where there shouldn’t be an second factor required. For example your work-environment. It creates a huge way of possibilities to have a better roll-out. Better have MFA with one condition then having no MFA at all.
PASSWORDLESS AUTHENTICATION: Deliver passwordless authentication. It will help your users to not struggle with their password. Implementation guide here.
MEASURE THE RISK(S): Login to your Azure AD portal and export all sign-in logs of the last 3 month. Filter on SUCCESS and filter on a country which your company is not in. (or filter out all locations you are in and work with the left-overs) You have leaked credentials. Mostly it’s clear after this simple exercise.
MICROSOFT AUTHENTICATOR APP: You could just use SMS as a factor but don’t bother and use the Authenticator App
AZURE ADVANCED THREAT PROTECTION: Work with Azure Advanced Threat Protection in a ‘Pilot’. This setup will cost you 60 minutes. Order a trial license of Microsoft 365 E5, go through the wizard of Azure ATP and add your domain controllers as a sensor.
After 30 days go to the console and export: Passwords exposed in clear text, lateral movement paths to sensitive accounts. I’m sure you can find something happening without knowing! This will bring insights where you had none before.
THIRD PARTY ASSESSMENT: Work with third-party tools to measure the security or cyber-security maturity of your organization.
CLOUD APP SECURITY: Measure that data is extracted to machines to understand the needs in your environment. This will prioritize the need of identity-protection (later data-control)
Advice to IT Administrators
Maintain an 8-character minimum length requirement (and longer is not necessarily better)
Eliminate character-composition requirements.
Eliminate mandatory periodic password resets for user accounts.
Ban common passwords, to keep the most vulnerable passwords out of your system.
Educate your users not to re-use their password for non-work-related purposes.
Enforce registration for multi-factor authentication.
Enable risk based multi-factor authentication challenges.
Microsoft sees over 10 million username/password pair attacks every day. This gives them a unique vantage point to understand the role of passwords in account takeover. 99.9 percent of attacks on your accounts can be prevented. (and it is not)
