In the traditional world of an on-premises network it is common practice to implement defense in depth: multiple layers of networks isolated from one another so that the critical organizational data resides in a secure core. To access that critical data, an intruder has to breach each layer individually, which slows them down and increases, with each layer, the chance that the attack either fails or is abandoned in favor of a softer target.
But what do you do in a world where an organization’s key knowledge workers want to operate with full productivity, and with full access to their data, outside of the layered perimeter that IT has spent decades creating and refining? Solutions up to this point have focused on dropping a single perimeter, typically in the form of either an application container or managed applications on mobile devices. VDX took a close look at the Microsoft Enterprise Mobility Suite (“EMS”) when it was first released, and saw something that was lacking in the other solutions on the market: defense in depth targeted specifically at devices that cannot be protected by the hardened network shell.
The Enterprise Mobility Suite consists of three existing cloud products bundled together as an integrated solution: Azure Active Directory Premium, Intune, and Azure Rights Management. While a casual look at this bundle may fail to connect the dots, a closer examination reveals how these tools can be used together to form a complete layered solution. EMS provides layered defense through the concept of:
- Protect who they are: the user identity
- Protect what they use: their device and applications
- Protect what they know: their data
Protect who they are. Azure Active Directory Premium (AADP) gives the organization a way of establishing a secure cloud identity for its users. This identity is typically synchronized with the on-premises Active Directory identity, which provides centralized management for the organization and spares users from having to maintain multiple identities. AADP then provides additional services tailored to the security needs of the public cloud and Internet. These services include single sign-on, cloud identity security reporting and alerts, and Multifactor Authentication (MFA). Extending the user’s existing identity to the cloud and wrapping it with additional security features gives organizational IT the ability to protect the user identity as it roams outside of the perimeter.
Protect what they use. Intune is a mobile device and application management platform for Android, iOS, Windows Mobile, and Windows 10. While Intune is similar to other MDM and MAM market leaders, it has specific differentiators that are critical to large or complex organizations:
- Application Management. Many of the market leaders in the MAM space use the concept of a “managed application” for Personal Information Management (PIM) and other core business applications. These are traditionally applications custom to the MAM product that a user must learn to use. With Intune, the managed applications are Outlook, Word, Excel, PowerPoint, and other applications users are accustomed to from daily PC use. This is critical to users accepting the managed applications, and as a result the managed platform.
- Integrated Management. System Center Configuration Manager (SCCM) is far and away the most popular endpoint management solution for complex organizations. Intune offers the option to integrate its management console with SCCM, bringing all organizational devices into a single console with centralized reporting.
- Integrated cloud directory services. Intune uses Azure Active Directory for user identity management and device enrollment – there is no need for an additional repository.
Protect what they know. In the end, it’s all about the data. In an increasingly cloud-centric environment, the emphasis is on securely sharing data between organizations. But in order to share, you have to be able to authenticate the other organization’s user identities. In many traditional solutions, this means federation. However, federation is point-to-point, so as organizational partnerships expand, so too does the complexity of the solution. Azure Rights Management uses Azure Active Directory as a common federation point: federate once to Azure Active Directory, and your organization can now begin to securely assign rights to data to users of other Azure Active Directory-federated organizations. Sharing with Azure Rights Management means the capability to send documents outside of the organization’s user base and still define granular permissions such as printing and copying. Rights Management-aware applications (known as “RMS-enlightened”) include the Microsoft Office Suite as well as a small set of third-party applications.
In summary, the layers of Microsoft’s EMS, when used together, provide an integrated defense in depth for your organization’s data as it is consumed and shared outside of your traditional network boundaries, all with end-user ease of use, and the acceptance and full usage that come with it, as the priority.
Rich Gondek, CISSP, PMP, is the Director of Delivery Services at VDX.