Tag: Microsoft 365

Microsoft 365 is a complete, intelligent solution for our commercial customers to empower everyone to be creative and work together, securely.

Azure AD Conditional Access
The value of Multi-Factor Authentication – Get your story right!

The value of Multi-Factor Authentication – Get your story right!

By | | Comments 0 Comment

I’ve tried something different last night. To write the story of Multi-factor authentication and bring the relation in the eco-system of Microsoft. Everything is connected. I would love a comment, share or a reply to see if this content is valuable for you! Thanks, Jasper

Creating the modern workplace! – Vision

  • Increase mobility: People are working from home. From clients and during travel. In regard to collaboration, 98% of information workers collaborate or communicate with someone else at work on a weekly basis.
  • Improve security and compliance. Most of the time there is no control of data compliance in the current on-premise environment. Security systems are complex and static without growing or proven improvements. Start with a Zero Trust model. Start with protection of your people.
  • Find more topics I’ve written in my previous article.

What is Multi-Factor Authentication – To know

  • Something you know, typically a password or a pincode.
  • Something you have, such as a trusted device that is not easily duplicated, like a phone or hardware key/token.
  • Something you are – biometrics like a fingerprint or face scan.

Cybersecurity Reference Architecture – The Cybersecurity vision to integrate deeply in Microsoft tech

Whoooaww, that’s a extreme reflex for doing our MFA implementation!! IS IT? Dear customer, colleagues. is it? I don’t think so. We need to see and understand that the small parts (Micro) are connected to the big parts. (Macro) Identity & Access management in crucial. Identity is the first step, is the bases, the baseline. We need to invest in the whole Cybersecurity frame and we need to start with the basics.

Next to the macro view of this Cybersecurity Reference architecture we need to dare to question the identity providers we have integrated in our current environment.

Foundation Infrastructure – The not so interesting part

The only way is up. Starting with your foundation. 1. Networking
2. Identity is the first investment before you ‘grow‘ to workloads and scenario’s.

Identity is a fundamental part of the workplace – The attack surface

As you can see in this figure all security mechanisms are built on the fundamentals of Identity Management. What can you protect IF you’re not able to enable MFA? It has his reasons. There are numbers out there to make you aware of this. We will come to that, later in this article.

Cloud Architecture Identity – MFA is part of something

Understanding identity management in the eco-system of Microsoft’s Identity management system is crucial to find the place where Multi-factor authentication (MFA) belongs. User Accounts – Identity management – Azure Active Directory – Azure/Microsoft365

Self-Service Password Reset – To help the people

Give people in your organization the ability to get some good because they ‘need’ to do MFA. This will ask people of your organization to change their password when there is a threshold higher or above the risk level. It will decrease the IT workload and more import it will make your customers happy. By the way, it’s very easy to configure go to Azure ADPassword ResetAuthentication Methods.

Force a password change when assuming breach – To prevent breaches AND decrease IT tickets

Go to Identity Protection in Microsoft Azure. Select your assignment. All users. Conditions. Select your requirement. And select Require Passwords Change. This will ask people of this organization to change their password when the threshold is at or above the risk level.

Did you know that: IT administrators can enable sign-in risk as a condition in multiple conditional access policies outside identity protection.
In case you don’t have MFA enrolled before this ‘risk policy’ – your account will be locked.

Azure AD Conditional Access – To make it easier

Conditional Access is a solution used by Azure Active Directory to bring signals together, to make decisions, and enforce organizational policies. Conditional Access is at the heart of the new identity driven control plane.

  • Keep user accounts safe by requiring strong authentication based on location and risks.
  • Keep data safe by only allowing managed devices.
  • Meet compliance requirements.
  • Create simple policies for everyone – not for groups, departments – make it simple!
  • Your modular dreams

What if MFA fails like it did before? – Probably won’t

  • MFA failed 2 times? Less than 4 hours? Ever? Compared to your on-premise environment?
  • We like to kill MFA implementations because we don’t like it but we still want more security. DO IT. If security is a priority, you can fix this technically. What if that’s the real problem?
  • What if you did not have MFA and are breached? OR leave MFA enabled and still be in control of your data.
  • What if MFA failed and you had your devices and identities connected to your modern workplace because it was not a side-project and part of a strategic decision and were able to work when the service fails for some hours?
  • The reflex should to be prevent: Like a break glass account in case of a problematic situation.
  • Next to that write up a document that describes the action requires in case of MFA authentication problems. High risk user will get a unique passwords, low risk users may authenticate without password change. Risky users with medium risk and higher will get a password change.

The standard pitch doesn’t work – So stop telling this

  • 99,9% compromised accounts did not have MFA.
  • Next to this fact the 50 accounts on 10.000 people that will be breached according the numbers of Microsoft is more and more understandable.
  • Your Pa$$word doesn’t matter
  • You can do internal phishing attacks and see that people are entering their passwords. It’s a fact. What’s the point of knowing again if it’s already known? Any fool can know, the point is to understand. Albert E.

These stories are well-known but will not trigger changes. Do’s & don’ts are judging. Don’t work on the ‘facts’. Work on the value and support and simplicity of modern technology. GIVE to the people. Don’t take things away.

99,9% compromised accounts did not have MFA

MFA is included in all licenses – It has been changed since a long time

Basic MFA is included in all Office 365 and Microsoft 365 licenses. It does not mean conditional access or other related features are included. Reference.

Passwordless authentication – To give to the people

Enablement of Passwordless authentication will activate authentication without a password – isn’t this great? Enablement of password Authentication in Azure AD is easy. Go to Azure Active DirectorySecurityAuthentication methods | Authentication method policy (Preview) – Enable.

Passwordless authentication is a feature that let us rethink our current MFA solution IF it’s not running in the cloud or third-party. As you can see the integration is deeper and deeper here.

The MFA Experience – It isn’t bad at all

The mobile experience shows 3 sign-in code’s to validate the sign-in. Your code needs to be validated. and you don’t need to enter the password.

approve sign in passwordless
PasswordLess Authentication example

Combined MFA and password reset registration – To make the onboarding smooth

Microsoft has announced that the combined security information registration is now generally available (GA). This new experience makes it easy for users to register for Multi-Factor Authentication (MFA) and Self-Service Password Reset (SSPR) in a simple step-by-step process.

Adoption and change management – To make everyone happy except the sponsor 😉

Make standards that are understandable for everyone, not only of the IT organization. Communicate MFA announcement and changes before the change – not after. Keep track of the change record. Explain very well how you’re using ‘standards’ in your organization. Put the guidelines on a place where all procedures are located. Communicate over multiple platforms. Make it about the end-user. Help end-users. It’s all about experience! And you are in control!

Published on the #WorldPasswordDay – Stay Save!

What are your thoughts after reading this article? Comment below! In case you were inspired by this article please share!

Microsoft 365 Business Premium
When and why should you start with Microsoft 365 business Premium

When and why should you start with Microsoft 365 business Premium

By | | Comments 0 Comment

Earlier I’ve brought the article: The value of Microsoft 365 E3 and E5. Due the request I’ve written this article about Business Premium. To respect the content of the previous article the creating the modern workplace is crucial to read before reading this one. Global value of the Microsoft 365 stack will be the same.

The value of Microsoft 365 Business Premium

1. High-level

  • Cloud strategy to become a modern organization that will tackle the on-premises complexity and grow to a modern cloud-first organization.
  • Some Microsoft 365 E3 or E5 features are included to enable and empower the people to reset their own password. Some are part of AD premium P1 features: Others are: Cloud App Discovery, Office 365 ATP, Application Proxy, Dynamic Groups, Passwordless authentication.
  • WHY? This product is made for companies under 300 people. And has more value because of this specific offering in the market. The price is lower. It has features of Microsoft 365 E3/E5, but there are constraints because the cloud-only focus. This will push the investment to consolidate on-premises workloads to M365 Business Premium. You will read the details below.

2. Defend against threats

  • Office 365 Advanced Threat protection to be protected with Safe Links, Safe Attachments, Anti-phishing intelligence.
  • Advanced multi-factor authentication. You can choose to bypass MFA from trusted locations.
  • You can enforce Microsoft Defender on your Windows 10 PCs with enhanced protection against ransomware and malware.

3. Protect business data

  • Data Loss Prevention: Microsoft 365 Business Premium can automatically detect when an email you’re about to send includes sensitive data like credit card info, social security numbers, and dozens of other confidential data types. If you’re just conducting normal business. But, if you’re about to do something dumb, it’s a welcome safety net. There are even templates that can conform to geographic or industry-specific regulatory requirements.
  • Encryption of email and documents: If you need to send sensitive data to a partner or customer outside your organization you can encrypt that email with just one click. This ensures that only the intended recipient with the right credentials can open the email.
  • Information protection: You can use this function to control who has access to company information. Whether it’s in an email or a document. By applying restriction that prevents people form forwarding, copying and printing.
  • Archiving: This is another function that’s been made simple for when you need to preserve email and documents for legal reasons, or if you need to access an employee’s email/files after they leave the company

4. Easily secure and manage your devices

  • MAM: Mobile Application Mangement is typically used for devices that aren’t owned by your employees, like personal phones or laptops. This type of management gives you control of company-owned email and files—but personal “data,” like pictures and texts, are not controlled with MAM. With MAM, your workers can use their personal devices to do their job without worrying that IT is controlling it. If a MAM device is ever lost or stolen, it’s simple to wipe all the corporate data from it.
  • MDM: Mobile Device Management: is the best option if your organization issues company-owned devices to your employees for work use. With MDM, you can centrally manage everything on the device, install apps on it, restrict the functions or usage, block recreational usage (kind of a buzzkill, but ok), just to name a few options. As with MAM, if an MDM device is ever stolen, wiping the corporate data or doing a full factory reset is easy.
  • You are able to set a minimum of security requirements needed for a modern midsize organisation.

The Microsoft 365 Business Premium strategy

Microsoft 365 business Premium is created to help midsize organization with their challenging ambition to be more productive and secure. It’s a known fact that not all small business have the possibly to provide a M365 E5 license for everyone.

  • Office apps and services
  • Advanced security + management
  • for 1-300 employees! Hard requirement!
Microsoft 365 Business Premium

Which features of E5 are included in Microsoft 365 Business Premium

Don’t choose Microsoft 365 Business Premium if…

  • I’ve met a lot of people who don’t dare to advice Microsoft 365 Business Premium because for a long time there were less features than today. And they don’t follow the evolution.
  • It is still difficult to grow to cloud-only. so take a good look to the things below that are not included.
  • It is important to know that Microsoft 365 Business Premium is focusing on a cloud-strategy. When you have a mid-size organization who is willing to shift to modern cloud solutions they will be able to shift if they make the commitment to remove these integrations. This product is created to work for cloud scenario’s. Are you able to decommission all of these workloads?
  • It looks difficult but the most services are replaced in cloud variants today. So it’s outdated technology with a high TCO.
  • Exchange Server, SharePoint Server, and Skype for Business Server Client Access License (CAL) equivalency is not included/licensed.
  • Windows Server, RMS, and Microsoft Identity Management CAL equivalency is not included/licensed.
  • System Center Configuration Manager and System Center Endpoint Protection Management License (ML) equivalencyis is not included/licensed.
  • Full overview here.

Microsoft 365 Business will include Azure AD Premium P1

Brad Anderson, Microsoft 365 Vice-President is referring to this blog: aka.ms/aadp1smbblog

High-level decisions to be made

  • Are you ready and able to stop investing heavily in your on-premises infrastructure?
  • Do you want to stop using, Exchange, SharePoint, Skype for business on premises?
  • Are you willing to shift your System center infrastructure to EndPoint Manager?
  • And at least, most important: Are you able to stop thinking Hybrid AND on-premises? Than GO, DO IT! Good luck! I’ve helped almost 5 customers to grow to full cloud. with no footprint in their local-AD. they are super exited and happy! Simplicity = key to grow.

New product names

The new product names go into effect on April 21, 2020. This is a change to the product name only, and there are no pricing or feature changes at this time. Maybe later.

Enable Microsoft 365 Security – Example from Microsoft

Set up tenant:Recommend settings – normal scenarioRecommended settings – high risk scenario
Decide between hybrid & cloud-only identityHybrid, Azure AD ConnectHybrid, Azure AD Connect
Azure AD Connect – sign-in methodPassword Hash SyncPassword Hash Sync
Azure AD Connect – single sign-onEnabledEnabled
Azure AD Connect – On-premises attribute for Azure AD usernameuserPrincipalNameuserPrincipalName
Azure AD Connect – Password writebackEnabledEnabled
Decide on email migration strategyHybrid AgentHybrid Agent
Configure DNS domainsSituationalSituational

Configure identity protection – example from Microsoft

Configure identity protection:Recommend settings – normal scenarioRecommended settings – high risk scenario
Plan for administrative accessRequiredRequired
Configure dedicated admin accountsRecommendedRecommended
Multi-factor authentication (MFA) for adminsSecurity defaultsRequired, Conditional Access
Multi-factor authentication (MFA) for usersSecurity defaultsRequired, Conditional Access
Self-service password reset (SSPR)Enabled-AllEnabled-All
Combined security information registrationEnabled-AllEnabled-All

Practical guide to securing remote work using Microsoft 365 Business Premium

This guide summarizes Microsoft’s recommendations for enabling employees at small and medium-sized businesses to securely work from home, using the features included in Microsoft 365 Business Premium is written above. Read the Microsoft Guide: Here with deep insights and knowledge of medium-sized business. Guide

Creating a security culture

Use the Chief Security Officer (CSO)

Succes Stories Microsoft 365 Business Premium

Something missing? Please leave a reply!

Shift to M365 E5 the attack chain
The value of Microsoft 365 E3 or E5

The value of Microsoft 365 E3 or E5

By | | Comments 1 comment

Creating the modern workplace!

  • Digital business transformation. Every company has a digital transformation initiative. Microsoft 365 drives this digital transformation.
  • Increasing agility. The ability to respond to and drive market change quickly is the fundamental measure of business agility.
  • Empower information workers and firstline workers so they can collaborate and communicate better. Internally as with customers.
  • Support different working styles for millennial’s, Gen Z, Gen X, Baby boomers.
  • Generate better intelligence and analytics with a single view into your company information!
  • Increase mobility. people are working from home. From clients and during travel. In regard to collaboration, 98% of information workers collaborate or communicate with someone else at work on a weekly basis.
  • Improve security and compliance. Most of the time there is no control of data compliance in the current on-premise environment. Security systems are complex and static without growing or proven improvements. Start with a Zero Trust model.

Microsoft 365 E3 OR E5?

  • Decision making is crucial. Also simplicity. Make IT-system simple to move faster and support your business better. 2-3 Flavors of license scenario’s or strategies will be great. Don’t mess with addons id you will not use or active them..build trust, choose platform, choose Microsoft.
  • Start with activating basic security mechanisms. Start support of what you are using. grow. Don’t buy E5 when you are not mature enough, yet. Buy E5 and enable CASB to understand shadow IT or act when people extract crucial organization data… etc..
  • Don’t think it’s complex. Even when your company size is 50 people. You could start using Microsoft Business, full cloud. With real value and benefits as in Microsoft 365 E3. You could even use M365 E5 for small business when data control and cloud security is required.
Microsoft 365 E3 license overview
Micrososoft 365 E5 License overview
Micrososoft 365 E5 License overview

Office 365 – standard set

  • Every company is using e-mail, calendar, contacts move to exchange Online. it’s a proven standard.
  • Voice, Video, Meetings. Microsoft Teams. It’s used by 500.000 organization and became a standard. Shift to Microsoft Teams for better collaboration.
  • Office ProPlus: Everyone is using rich office clients: Word, Excel, PowerPoint. It’s there for decades and became a standard.
  • Planner, Yammer, OneDrive, SharePoint,.. it isn’t always a standard but we currently have tools to Plan tasks, Share thoughts, Share Documents and colleborate in our organization. Proven standard

Office 365 – advanced

  • ‘Built-in’ Analytics – did you know there are free/default/built-in dashboards for a lot of Microsoft 365 Services. I know. These are not organizational related. So they can give rich insights of usability of Office 365 tools.
  • Workplace Analytics for example: Measure progress toward transformation goals or Evaluate effectiveness of change efforts. Measure meeting hours, Discover inefficient processes, Identify hurdles to innovation, Gaps in learning, Identify Influencers,..
Workplace Analytics Microsoft
  • MyAnalytics: It’s not to control – it’s to to help to find out how work is done. People in your organization can find out their own habits because of their Analytic-insights.
MyAnalytics Workplace

The bigger picture – Why?

To bring value of Microsoft 365 E3 or E5 it’s important to understand the bigger picture. In the underlaying topics I’ve brought as much features in the eco-system of the E5 license. The main question is what are the benefits for a organization to shift to cloud solutions?

Why shift to Microsoft 365 E5

1. Protection across the attack kill chain

This slide shows the real value of Microsoft 365 E5. A lot of customers al laughing with MDATP because they think this is a isolated product. And are going deep in the license compare strategy of their current antivirus. Have a separated anti-spam solution, NO Azure AD Protection, NO cloud App Security..

2. Microsoft 365 E5 license includes

O365 ATP, Windows Defender ATP, Azure ATP + Cloud App Security. Detailed descriptions can be found on the website of Microsoft.

3. Cloud App Security

Cloud App Security shows you exactly whether data is passing on all endpoints. Document data, lateral movements, usage of applications, global traffic, count of applications in use in your organisation. Risk levels, GDPR proof applications. Bring network devices logging in CASB to have more insights.

Cloud App Security

4. Security & Compliance

I’ve seen that there a not enough organizations aware of the richness of the Security & Compliance possibilities in Microsoft 365. Because of shifting to Microsoft 365 the compliance will be in control of your organization. Even if you leave some file-servers and SharePoint services on-premise.

Unified data classification platform

5. Identity & Access management

Because of simplified Identity management organizations are able to work with Security perimeters to protect their users and organization. Because of these simplified configuration users will be able to reset their own password, control their own devices, or configure additional security components. (ZERO-IT)

Azure Active Directory

6. Self-Service Password Reset (SSPR)

The SSPR possibility Is an Azure Active Directory (AD) feature that enables users to reset their passwords without contacting IT staff for help. People can unblock themselves and continue working no matter where they are.

7. Managed Mobile Device

Cloud intelligence drives management. Use Autopilot to roll-out new devices and Increase productivity, reduce help-desk costs and Provide the best employee experience. Manage you Windows 10 devices and your mobile devices. Stop allowing personal devices without taking control of organization data. Use MAM and be diplomatic for end-users.

8. Microsoft Defender Security Center Security operations dashboard

The Security operations dashboard is where the endpoint detection and response capabilities are surfaced. It provides a high level overview of where detections were seen and highlights where response actions are needed. USE your built-in possibility for SECOPS reporting. You HAVE IT.

EndPoint manager admin center

9. Identity driven Security

Because of the use of a single identity in Azure. Or hybrid synced from your local Active Directory services organizations will be able to protect and automatically act when necessary. request for update your password if breached. Ask MFA when your device is not trusted. etc.. let your users update their password from home. Increase productivity.

Microsoft Secure Score

10. Risky Sign-ins

This great feature will bring based on cloud intelligence insights to understand the RISK of a user. for example unfamiliar location, anonymous IP addresses, leaked credentials.. (more info here)

Risky Sign ins Azure AD
risky users
Risky Sing ins overview
Risky Sing ins overview

11. Information Protection

To start with classification and labeling of document choose your battles. Define 1-2-3 labels for example: “High-Confidential Internal Only”, “Public” and “Internal Only”. It’s a good start without auto-labeling documents so people can learn how to protect their confidential data. In a later phase you can enable auto-labeling when a document is highly confidential because of there are credit-card numbers, personal information etc in this document. The activation of Information Protection could come from the fact that 1 million files are shared with external people. Or that you want to stop third-party applications so company data stays safe in the environment.

Microsoft 365 Compliance

12. Advanced Threat Protection

Work with Microsoft Defender Security Center (previous WDATP) it will give you insights for Applications, OS, Network, Accounts, Security Controls + Give insights for Software patching, Top vulnerable software, Top exposed machines. Most reports are built-in and seamless integration is done in the Eco-system of Microsoft 365 E5.

Threat & Vulnerability management dashboard
Detection sources

13. Windows 10 Enterprise with modern approach

Windows 10: My personal favorite. I really love customers which did their homework and started using Windows 10 without policies, governance, Intune (for example), management solutions and now they are stuck in the patching & management of these systems. This is wrong!

Microsoft Windows 10: Windows 10 has been released to insiders in 2015. version. 1507 afterwards 1511, 1607, 1703,1709, 1803,1809,1903,1909. Microsoft did understand the pain of shifting from Windows XP to Windows 7, Windows 8 to 8.1 and Windows 10. And now they want you to work on this NEW versions in a different way.

Microsoft’s Windows 10 Enterprise: comes in the flavor of continues improvement. And needs to be implemented in a service-model with automatic updates, roll-outs, deployment, patching, updating, software requests (self-service) and even more!

Set compliance policies: Because of deep integrations you will be able to work on the compliance of the devices and grow to a recurrent update-model.

Device Compliance

14. Desktop Analytics 

Thanks to desktop analytics you will be able to evaluate the changes during updates as software distribution and compatibility issues. You can bring your organization to a next level. In case you were afraid that automation took your job, think again. These things need huge attention!

Dekstop Analytics

15. Native PowerBI Integration

Because of the rich Eco-system within Microsoft 365 everything can be measured. This report is default/standard without any manipulation of Power-bi. I know it sounds stupid, but without insights that can grow fast. You have nothing. Features/services are changing every year. Be prepared. Start consolidation and start using standards to built on.

Native PowerBI Integrations

Action Plan

  • Create a STRATEGY to bring value for Microsoft 365 E3 or E5. Do you want to: increase agility, empower information workers create intelligence increase mobility short: Drive transformation. AND invest in your SECURITY MATURITY -> than you should start with a STRATEGY. Non of all these things are technical. Even if we think it’s technical. DECIDE.
  • PLAN: Everything starts with a plan. PLAN to start a Microsoft Teams pilot, to evaluate, to pick-up the finding. and plan to go further. Most important PLAN to write a ROADMAP which describes the road ahead.
  • READINESS CHECK: Are you technically READY to start with a Microsoft Teams Roll-out? Is your company READY to start? Are the people READY to start? Is everyone involved? Are you READY?
  • IMPLEMENTATION: This is the easy part. Implement Microsoft Teams. Enable the features, check the boxes. Activate the subscriptions, copy the templates. Start the Pilot. Ask experts to deliver the technical requirements.
  • NEW WAY OF WORK: Microsoft Teams as used in this example as ‘new tech’, think about the groups we had in the top of the article. millennial’s, Gen Z, Gen X, Baby boomers. Do you think you should make some scenario’s? training and standard adoption programs to help them work as they never did before? YES!
  • TRANSFORM(ATION): Real transformation is successful when you KNOW/MEASURE it went well. Wen you see the activation/usage ratio in numbers. When you know the people are confident and happy to use new technology. When nobody is complaining and the organization has grown to a higher level of collaboration. And even when it fails or needs more improvements start over with this S-P-R-I-N-T.

Thank you for reading!

Jasper

Cloud Discovery 30 days Demo
The top 10 security recommendations to consider while working from home!

The top 10 security recommendations to consider while working from home!

By | | Comments 0 Comment
  • Mobile working is a standard, today.
  • Companies are not longer protected by their infrastructure in their corp-environment.
  • Crucial document data is moving away from centralized systems because it’s easier to work on them on our own document systems.
  • The irrelevance of bombastic systems in corporate environment is holding collaboration down.
  • Does it sounds familiar?

the 10 security recommendations we should consider while working from home!

  1. Identity Security / MFA
  2. Install the latest patches and updates
  3. Passwords and management
  4. Build real-time reports of security risks 
  5. Create automated and intelligent alerts 
  6. Install antivirus on all endpoints 
  7. Secure devices and corporate devices (+ personal phones) 
  8. Evaluate regularly which users have access to data, devices and networks 
  9. Track, change and block access for temporary projects and when employees are leaving your company 
  10. Use information protection solutions to protect your data everywhere. 

1. Identity protection

  • Some facts: 1.2 million of all Office 365 or Microsoft 365 accounts (each month) are compromised. This represents 0.5% of all accounts in your environment. Source: theregister-co-uk

Multi-factor authentication prevents 99.9% of all attacks.

99,9% compromised accounts did not have MFA

2. Patching & updates

Device Compliance

3. Passwords and management of authentication

4. Create real-time reporting of security vulnerabilities

  • Identity risks are in every organisation. Don’t think that your changes are low. Check the facts.
  • It is very easy to use ‘risky users‘, ‘risky-sign’ ins and ‘risk detection’ to find out real risks.
  • Integrate with Microsoft Defender ATP and ATP Sensors to have all intelligence in the Microsoft cloud.
Risky Users
Risky Sign-ins

5. Create automated and intelligent alerts

  • There is only 1 answer. Microsoft Cloud App Security.
  • Create alerts when 100 files are deleted. Copied to Dropbox for example.
Cloud App Security Portal

6. Install antivirus on ALL endpoints + go beyond antivirus

  • Microsoft Defender ATP, sentinel-one, Norton, McAfee, it doesn’t really matter. As long as you are able to protect all endpoints.
  • The second factor is to make sure that your antivirus is enabled. Use a single console. OR use MDATP. Set security alerts so you know when you are at risk.
  • Use EDR monitors to detect and respond to advanced attacks in real time.
Antivirus Windows 10

7. Secure private(personal) devices and corporate devices

  • workstations and portables (With W10 for example) are in control in most of the companies. Mobile devices are left unmanaged because we don’t know the options.
  • With Intune (EndPoint Manager) you can isolate and segment applications without having to manage the device. The corp. applications is under control. The organization’s data is protected. The most important thing is done!
  • Choose a fingerprint, faceID worst-case pincode in app protection.
  • Below you may find an example of the Outlook application which is protected by Mobile Application Management. In case organisations are not the owner of these devices this is a great option. And simple to implement.
Mobile Application Management

8) Evaluate regularly which users have access to data, devices and physical network

  • Cloud App Security shows you exactly whether data is passing on all endpoints.
  • Document data, lateral movements, usage of applications, global traffic, count of applications in use in your organisation. Risk levels, GDPR proof applications..
  • Bring network devices logging in CASB to have more insights.
Cloud Discovery
Cloud Discovery

9. Track and block access for temporary projects or employees leave the company

  • governance without enforcement is just good advice.
  • Create simple written policies, enforce policies.
  • Create retention policies for example in a Microsoft Team that removes the team after 180 days.

10. Use information protection to protect your data everywhere

  • Use Information protection to protect document data. Even if you lose the document “physically”. There are still options to block this from opening and keep in secure from distribution, opening, editing,..
  • Create document data insights from on-premises and cloud solutions with Microsoft Information Protection Policies.
Unified data classification platform
Retention Label

Conclusions

Windows Secure Score
  • Security priorities are difficult. However, I would always start with MFA becasue this is fundamental identity security. Afterwards document and device security. Because companies are moving to Teams during Covid-19. And you don’t want data leakage during this time.
  • If your identity is not secure, and compromised, there is no point in doing information protection. Because a ‘hacker’ will use your accounts to access your corporate data.
  • Use Microsoft Securescore.microsoft.com as a guidance. Extract your priorities.
  • Let’s do it!
Information protection & governance
Secure your corporate information, not your devices!

Secure your corporate information, not your devices!

By | | Comments 0 Comment

Introduction

I’ve seen multiple customers struggling with their corporate information. Most of the time this data is secured in a traditional way without flexibility to collaborate.

Result: People find other way to collaborate: Dropbox, OneDrive, Box, Mails, Private-mails, whatsapp,..

You don’t want your personal data published on the web. Why do we allow organizations to be less secure with OUR information?

Goal: If you are curious about your data at this moment, setup a fast pilot traject. In 24 hours you will have real insights in your organization.

Environment: Office 365, Fileservers :-), Box, Dropbox. Connect!

What’s your strategy for protecting and governing sensitive and business critical data?

  • Please comment if you managed to protect your data with a control mechanism. You have great insights and known your possible leakage.

Why should you work to protect information within corporate environments

  • Users are accidentally sharing information
  • žUsers copying sensitive data for future use
  • Organizations not knowing what they have and what’s exposed at this moment
  • Users negligently sharing improperly with internal or external people
  • Sensitive data has being accessed or stolen by unauthorized persons

Use Microsoft native solution to discover your crucial data!

  • Start with labeling of your information cross-platform to get actual insights!
  • Labeling doesn’t mean it should be actionable – it’s just a state of reporting!
  • later: classify, protect and monitor your sensitive data everywhere – cross platform.
Unified data classification

See your actual data in compliance center

Retention Label Usage

Pilot project – High-level startup

  • Deploy AIP Scanner in discovery mode and start with analysing your data
  • Configure MCAS & AIP scanner
  • Define and publish some labels and policies
  • Create DLP and pop-up rules based on specific labels
  • And now start!

Pilot project – results

  • Discovery of sensitive info in endpoints and servers and services
  • Let people start with manual Labeling of documents and emails. (with default, simple, understandable labels!)

More information?

Modern Device Management
Modern Desktop implementation – Behind the scenes

Modern Desktop implementation – Behind the scenes

By | | Comments 0 Comment

Introduction & Vision

At Synergics we truly believe the mission of Microsoft to empower every person and every organization on the planet to achieve more. Every great implemented project start with a vision and with goals/milestones.

In the first project we delivered workshops to understand the transformation needs of the organization. we identified these digital outcomes below. (the description is basic, I know. But it’s another side-traject of this implementation)

  • Empower information workers and firstline workers so they can collaborate and communicate.
  • Simplified communication – Communicate through the full organization.
  • Increase agility for the IT-Organization – adaptability.
  • Futureproof design – Technical design, cloud first strategy.

You can read the reference-case in NL or FR! Microsoft Surface with Windows Autopilot ensure efficiency gains and easier IT management for the city of Lokeren. Reference Case.

Evolution to modern management – 100% CLOUD!

  • Less complexity
  • built-in automation
  • brand-new configuration & policies
  • higher security standards
  • self-service possibilities
  • 100% CLOUD!

To achieve more it’s important to give control to the people (empower), update your platform, easier roll-out’s of new devices etc.. (Scenario on the right, 100%…)

Traditional Co-Management Modern

New device setup experience with Autopilot

Imaging/cloning/etc of devices is taking a lot of crucial time – compared to Autopilot. This isn’t the easiest enabler because there are policies, GPO’s, in place. With Autopilot we deliver the roll-out of the Windows 10 Devices and sync back the Device-Object so on-premise resources can still be accessed in transition for future plans.

Autopilot Microsoft EndPoint Manager
  • – Old GPO’s can stay for some time.
  • – New possibilities of modern management becomes active.
Autopilot

Microsoft Windows update in waves & delivery optimization

It looks like a easy job but most of the time it’s a non-controlled mechanisms.

Windows 10 started in 2015 with builds as: 1511, 1607, 1703,1709, 1803,1809,1903,1909. As you see can in the screenshot, now we are transforming to 1903! and 1909 starting soon.

Compliance Policy
Device Compliance

Hybrid Identity – and password write-back

I was hoping to write cloud-identity but we still live in a world of on-premise infrastructure waiting to move to the cloud. For now we are creating and maintaining identities on-premise. We enable password-write-back so users are able to change their password.

Azure AD connect configuration

Intune mobile device management authority

Office 365 ProPlus distribution based on dynamic collections

It sounds very easy but I’ve seen a lot of customers fighting with licenses and automated processes.

  • When a user is in a M365 E3 dynamic collection because of the parameters Office ProPlus is automatically distributed.
  • When a user has no ProPlus acces, like a O365 F1 user, office 365 ProPlus will be removed.

Onedrive Known Folder Move (KFM)

There are two primary advantages of moving or redirecting Windows known folders (Desktop, Documents, Pictures, Screenshots, and Camera Roll) to OneDrive for Business for the users in your domain:

  • Your users can continue using the folders they’re familiar with. They don’t have to change their daily work habits to save files to OneDrive.
  •  Saving files to OneDrive backs up your users’ data in the cloud and gives them access to their files from any device.
  • This has value, value, value. Users can find their documents on their phones because of the automated move. When there workstations crashes, the data is still there..

Microsoft Defender Advanced threat protection

All devices are fully managed under the greatest MDATP. (also see the quadrant)

  • Multi-layered protection: Microsoft Defender ATP provides multi-layered protection (built into the endpoint and cloud-powered) from file-based malware, malicious scripts, memory-based attacks, and other advanced threats
  • Threat Analytics: Contextual threat reports provide SecOps with near real-time visibility on how threats impact their organizations
  • A new approach to Threat and Vulnerability Management: Real-time discovery, prioritization based-on business context and dynamic threat landscape, and built-in remediation process speed up mitigation of vulnerabilities and misconfiguration
  • Built-in, cloud-powered protections: Real-time threat detection and protection with built-in advanced capabilities protect against broad-scale and targeted attacks like phishing and malware campaigns
  • Automated security, SecureScore and +10 more features!
Microsoft Defender ATP

Enterprise state roaming (ESR)

With Windows 10, Azure AD users gain the ability to securely synchronize their user settings and application settings data to the cloud. Enterprise State Roaming provides users with a unified experience across their Windows devices and reduces the time needed for configuring a new device. Enterprise State Roaming operates similar to the standard consumer settings sync that was first introduced in Windows 8. Additionally, Enterprise State Roaming offers:

  • Separation of corporate and consumer data – Organizations are in control of their data, and there is no mixing of corporate data in a consumer cloud account or consumer data in an enterprise cloud account.
  • Enhanced security – Data is automatically encrypted before leaving the user’s Windows 10 device by using Azure Rights Management (Azure RMS), and data stays encrypted at rest in the cloud. All content stays encrypted at rest in the cloud, except for the namespaces, like settings names and Windows app names.
  • Better management and monitoring – Provides control and visibility over who syncs settings in your organization and on which devices through the Azure AD portal integration.
  • Even next to KFM! Even more great for data loss etc..

Future achievements..

  • Everything starts with the value of Microsoft 365 E3 of E5.
  • Analytics and data. My-analytics, Workplace Analytics?
  • Security Operations – Advanced hunting?
  • Proactive services – thousand scenario’s possible..
  • Automation in processes with Power Automate?
  • Deep integration with third-party applications?
Modern Device Management

Search

Categories