I’ve seen multiple customers struggling with their corporate information. Most of the time this data is secured in a traditional way without flexibility to collaborate.
Result: People find other way to collaborate: Dropbox, OneDrive, Box, Mails, Private-mails, whatsapp,..
You don’t want your personal data published on the web. Why do we allow organizations to be less secure with OUR information?
Goal: If you are curious about your data at this moment, setup a fast pilot traject. In 24 hours you will have real insights in your organization.
At Synergics we truly believe the mission of Microsoft to empower every person and every organization on the planet to achieve more. Every great implemented project start with a vision and with goals/milestones.
In the first project we delivered workshops to understand the transformation needs of the organization. we identified these digital outcomes below. (the description is basic, I know. But it’s another side-traject of this implementation)
Empower information workers and firstline workers so they can collaborate and communicate.
Simplified communication – Communicate through the full organization.
Increase agility for the IT-Organization – adaptability.
Futureproof design – Technical design, cloud first strategy.
You can read the reference-case in NL or FR! Microsoft Surface with Windows Autopilot ensure efficiency gains and easier IT management for the city of Lokeren. Reference Case.
Evolution to modern management – 100% CLOUD!
Less complexity
built-in automation
brand-new configuration & policies
higher security standards
self-service possibilities
100% CLOUD!
To achieve more it’s important to give control to the people (empower), update your platform, easier roll-out’s of new devices etc.. (Scenario on the right, 100%…)
New device setup experience with Autopilot
Imaging/cloning/etc of devices is taking a lot of crucial time – compared to Autopilot. This isn’t the easiest enabler because there are policies, GPO’s, in place. With Autopilot we deliver the roll-out of the Windows 10 Devices and sync back the Device-Object so on-premise resources can still be accessed in transition for future plans.
– Old GPO’s can stay for some time.
– New possibilities of modern management becomes active.
Microsoft Windows update in waves & delivery optimization
It looks like a easy job but most of the time it’s a non-controlled mechanisms.
Windows 10 started in 2015 with builds as: 1511, 1607, 1703,1709, 1803,1809,1903,1909. As you see can in the screenshot, now we are transforming to 1903! and 1909 starting soon.
I was hoping to write cloud-identity but we still live in a world of on-premise infrastructure waiting to move to the cloud. For now we are creating and maintaining identities on-premise. We enable password-write-back so users are able to change their password.
Office 365 ProPlus distribution based on dynamic collections
It sounds very easy but I’ve seen a lot of customers fighting with licenses and automated processes.
When a user is in a M365 E3 dynamic collection because of the parameters Office ProPlus is automatically distributed.
When a user has no ProPlus acces, like a O365 F1 user, office 365 ProPlus will be removed.
Onedrive Known Folder Move (KFM)
There are two primary advantages of moving or redirecting Windows known folders (Desktop, Documents, Pictures, Screenshots, and Camera Roll) to OneDrive for Business for the users in your domain:
Your users can continue using the folders they’re familiar with. They don’t have to change their daily work habits to save files to OneDrive.
Saving files to OneDrive backs up your users’ data in the cloud and gives them access to their files from any device.
This has value, value, value. Users can find their documents on their phones because of the automated move. When there workstations crashes, the data is still there..
Microsoft Defender Advanced threat protection
All devices are fully managed under the greatest MDATP. (also see the quadrant)
Multi-layered protection: Microsoft Defender ATP provides multi-layered protection (built into the endpoint and cloud-powered) from file-based malware, malicious scripts, memory-based attacks, and other advanced threats
Threat Analytics: Contextual threat reports provide SecOps with near real-time visibility on how threats impact their organizations
A new approach to Threat and Vulnerability Management: Real-time discovery, prioritization based-on business context and dynamic threat landscape, and built-in remediation process speed up mitigation of vulnerabilities and misconfiguration
Built-in, cloud-powered protections: Real-time threat detection and protection with built-in advanced capabilities protect against broad-scale and targeted attacks like phishing and malware campaigns
With Windows 10, Azure AD users gain the ability to securely synchronize their user settings and application settings data to the cloud. Enterprise State Roaming provides users with a unified experience across their Windows devices and reduces the time needed for configuring a new device. Enterprise State Roaming operates similar to the standard consumer settings sync that was first introduced in Windows 8. Additionally, Enterprise State Roaming offers:
Separation of corporate and consumer data – Organizations are in control of their data, and there is no mixing of corporate data in a consumer cloud account or consumer data in an enterprise cloud account.
Enhanced security – Data is automatically encrypted before leaving the user’s Windows 10 device by using Azure Rights Management (Azure RMS), and data stays encrypted at rest in the cloud. All content stays encrypted at rest in the cloud, except for the namespaces, like settings names and Windows app names.
Better management and monitoring – Provides control and visibility over who syncs settings in your organization and on which devices through the Azure AD portal integration.
Even next to KFM! Even more great for data loss etc..
Office 365 Advanced Threat Protection is growing and evolving over time. Writing documentation takes time – automation doesn’t. Automatically export your O365 ATP settings in one HTML file to see the scores and recommendations.
Solution: ORCA! Orca is a report that you can run in your environment which can highlight known configuration issues and improvements which can impact your experience with Office 365 Advanced Threat Protection (ATP).
Start from Exchange Online Powershell
Start up your Exchange Online Powershell Module from:
At MS Ignite session’s Microsoft announced a new best-practice portal in Office 365’s admin console. This session can be found here: 79719(BRK2104)
Bring it all together
Export and compare multiple customer-scenario’s. This will help you determine the differences.
Modern Security mechanisms as Office 365 ATP are continues improving and need continues attention and recurrent validations. (each month!)
In 2018, the percentage of inbound emails that were Phishing messages grew 250%. That trend has continued to grow with increased level of targeting and sophistication! Still super important!
Focus on user education and training. In addition to advanced security tools for detection, investigation and response still 40% is user-related.
More and more control an reporting will come to the Office 365 portal!
AND NOW since you have the report in a easy way. ACT and enable best-practices!
Protect apps with Microsoft Cloud App Security Conditional Access App Control
A lot of companies are struggling with data leakage when it comes to their exchange online environment. Easy fix! Enable: Microsoft Cloud App Security Conditional Access App Control! First, check the 7 seconds demo. It explains the unnecessary words!
Scenario:
You have all your devices enabled in Microsoft’s endpoint manager aka Intune
You are able to have an inventory and control of your hardware assets (CIS Control 1)
You don’t want users to download their e-mail attachments on a non-company owned device. (other scenario’s possible!)
Protect apps with Microsoft Cloud App Security Conditional Access App Control
It sounds so complex and i strongly believe this is making the implementations way to complex. So now the 2 Practical steps for the configuration.
Step 1: Choose the cloud application – select the condition!
Select cloud apps or actions: Microsoft Exchange
Select a condition – IF your device is marked as compliant. Based on a intune policy that is able to CHECK if the device is compliant. Users are able to just go their way on Exchange Online.
Step 2: select the Access Controls
IF not they are not able to download attachments to their environment. Block downloads. That’s it!
By natively integrating with Azure AD, any app that is configured with SAML or Open ID Connect can be self-onboarded.
In addition, the following apps are featured by Cloud App Security and are already onboarded and ready to use in any tenant: More apps: Here
Exchange Online
OneDrive for Business
Power BI
SharePoint Online
Microsoft Teams
Conclusions
It’s not because you block attachment downloads in Exchange or OneDrive from non-company owned devices that your organization is good to go! This practical example shows the flexibility to get conditions in your organizations which can prevent leakage of data in e-mail systems.
Blocking exchange download could shift that your organization will become aware they are still sending crucial information by mail which should be found in Microsoft Teams or SharePoint Online.
Microsoft Information protection could play a big role in this configuration but this enablement can be a first step in security maturity growth.
More options? YES: Notification when someone is downloading +10 documents, leaked credentials, impossible travel, File shared with unauthorized domain, New risky app, …
