The Impact of Introducing Microsoft Enterprise Mobility + Security in the Organization

In my work as an advisor and consultant I see organizations adapting to the emerging IT landscape, where user behavior is changing and security risks are increasing. In the midst of this change, I encounter frustrated IT professionals trying to keep up with everything and not having enough time to do so. I encourage my customers to get on top of these changes and to stay there. That message goes beyond IT pros and extends to business owners and managers, who can no longer afford to let IT drive change by itself. To understand the changes, first look at what is driving them, and then at how they will affect your environment and how they can help drive the business.

Change Agents

There is no single new technology or trend driving the change. Rather, it comes from a variety of factors, such as changes in user behavior, adoption of personal devices in the workplace, demand for greater business agility, and compounding security threats from multiple sources. We have to make decisions faster than ever before. To understand the change, it is important to realize that specific devices like desktop and laptop PCs no longer play the leading role. Change is being driven by external demands from the business ecosystem, including customers, and by new business activities.

In the context of this changing landscape, organizations must focus on data first. While attention must still be paid to devices and applications, organizations need to ask themselves important questions, like how is data made available and to whom? How can they track the use of data? And how do they secure it? Think a moment about Uber and Airbnb. What is the one thing they have? That’s right, data.

If data is the key, then the role of IT professionals goes beyond deploying software and assisting users with forgotten passwords. For IT professionals, these changes require more in-depth knowledge of and expertise in identity and data protection.

Let me break down some of the changes and see how they will impact the way your organization works with IT.  

Users: People no longer work solely in the office. Many workers spend a great deal of time on the road, accessing data and services from airports, hotel rooms and client sites. Likewise, telecommuting and telework programs allow employees to work from anywhere, improving productivity and reducing time spent commuting. Many companies don’t even have a dedicated cube for each employee. My local Microsoft office, for example, provides cubes for 50 percent of the employees.

Devices: The number and types of devices connecting to corporate networks has exploded over the past decade. The uptick in smartphone, tablet and portable device usage has moved IT departments to support Bring Your Own Device (BYOD) programs, which aim to enable secure access to data, applications and services from personally owned devices. Some organizations are opting for a more restrictive Choose Your Own Device (CYOD) approach, where employees may only connect to corporate networks using devices on an approved list. Alas, many organizations lack a robust device plan. This can have catastrophic consequences, as a lost or stolen device can result in data leakage if controls are not in place.

Applications: Each year, about 20 percent of small businesses fall victim to cybercrime, and over half of those go out of business within six months of an attack, according to a report by the National Cyber Security Alliance. Security gaps and vulnerabilities created by poorly managed or unpatched applications pose a significant risk. That risk grows when application upgrades are put off because they won’t play well with an old internal CRM system or other software.

Applications are a portal to organizational data. As such, I encourage my customers to migrate to applications that support the business philosophy. If data must be available from everywhere, so must the application. Stop worrying about specific application versions and start focusing on identity management and Software-as-a-Service (SaaS).

Security threats: Gartner estimates that one-quarter to one-half of all calls to service desks are related to password activity. I have heard of IT managers using this statistic as an excuse for not implementing a strong password policy. They simply don’t want to increase the cost of running the service desk, a position that invites disaster. Look at the facts: 65 percent of all users use the same password for multiple websites, and 33 percent will happily share their password with others, according to a 2015 survey by OnePoll. The consequences can be devastating for an organization.

I know of examples where marketing users in charge of the company Twitter and Facebook accounts use the same password for those as they do for their private social media accounts. Another example: Recently I was on site at a customer concerned that its internal sales people were copying and sharing price lists with competitors, something the company had encountered in the past.

The Microsoft Enterprise Mobility Suite

There is no single piece of software that can make all the changes and threats facing enterprise IT shops magically disappear. The answer is a mix of changing internal business processes and implementing solutions that enable both managed access to data and protection of it. Microsoft Enterprise Mobility Suite is not a single application but a suite of three cloud services and one on-premises application. All four share one thing in common: they make data available in a secure manner.

  • Microsoft Intune: The modern mobile device management (MDM) platform that enables application management, device configuration and security.
  • Microsoft Azure Active Directory: Provides identity in the cloud, along with security features such as multi-factor authentication and enhanced reporting.
  • Microsoft Azure Rights Management: Offers document security, tracking and control.
  • Advanced Threat Analytics: An on-premises security solution that analyzes network traffic to identify normal and abnormal behavior.

Azure Active Directory Premium

Azure Active Directory (AAD) Premium provides organizations with a cloud identity, which is required for organizations to utilize cloud services like Microsoft Intune. The business value of implementing AAD can be tremendous, with features like multi-factor authentication, self-service password reset, single sign-on to Software-as-a-Service applications and detailed reporting of abnormal user behavior.

One highly recommended task for organizations adopting AAD Premium is implementing a self-service password reset service. Doing so can significantly reduce service desk calls and support IT efforts to implement more restrictive password policies that mandate use of complex passwords and other security-enhancing policies.

To ensure adoption, it’s a good idea to craft a program for educating and training end users in the new system. Inform them about why changes are being made and show them how easy it is to reset passwords. The effort will help ensure that users opt into the change. The password reset experience is very similar to that used by many consumer password reset services. The reset can be requested from any platform that is used to access data, and it employs multi-factor authentication to increase security, as shown in Figure 1.


Figure 1 The Password Self-Service Experience

Software-as-a-Service is another element in the Enterprise Mobility Suite that impacts security and agility. The main benefit of implementing SaaS is granting users easy and secure access to data. With single sign-on the workforce can access data stored in Salesforce and thousands of other applications. At the same time, social media passwords, like those used for Twitter access, can be hidden from the users in Marketing: the credential is stored in Azure AD and filled in on their behalf, so they never know it, cannot reuse it on a private account and cannot share it. Replacing existing on-premises applications doesn’t happen overnight, so look for low-hanging fruit, such as the company Facebook, Twitter and other social media accounts. Configure these assets as SaaS applications, as shown in Figure 2, and in less than 20 minutes you have removed the risk that a password reused on a personal site gives an attacker access to your company accounts.


Figure 2 Configuring Facebook as a SaaS Application

The built-in reports are a very powerful resource when tracking how users are utilizing the different Azure services, such as accessing SaaS applications, using the password self-service or detecting suspicious behavior in user activity. In the example in Figure 3 the report lists sign-ins by the same account from different locations, showing the time between the sign-ins and the estimated hours of travel between the listed locations. When the travel time exceeds the time between the sign-ins, at least one of them deserves a closer look.


Figure 3 One of the Many Built-In Reports
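The logic behind a report like the one in Figure 3, as an added example that is not code from the article or from Azure Active Directory: for each user, consecutive sign-ins are compared, and a pair is flagged when the great-circle distance between the two locations could not have been covered in the time between them. The sample sign-in log, the coordinates and the assumed maximum travel speed (900 km/h, roughly an airliner) are all constructed here.

```python
"""Impossible-travel check over sign-in records (added example, not Azure AD code)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List

ASSUMED_SPEED_KMH = 900.0  # assumption: fastest plausible legitimate travel
EARTH_RADIUS_KM = 6371.0

# Constructed sample, not real sign-in data: time,user,city,lat,lon,source_ip
SAMPLE_LOG = """\
2015-09-01T08:00:00Z,alice,Copenhagen,55.6761,12.5683,203.0.113.10
2015-09-01T10:30:00Z,alice,Seattle,47.6062,-122.3321,198.51.100.7
2015-09-01T09:00:00Z,bob,London,51.5074,-0.1278,192.0.2.44
2015-09-01T12:00:00Z,bob,Paris,48.8566,2.3522,192.0.2.45
2015-09-01T07:15:00Z,carol,Oslo,59.9139,10.7522,203.0.113.99
2015-09-01T07:20:00Z,carol,Oslo,59.9139,10.7522,203.0.113.100
"""


@dataclass(frozen=True)
class SignIn:
    user: str
    when: datetime
    city: str
    lat: float
    lon: float
    ip: str


@dataclass(frozen=True)
class Finding:
    user: str
    from_city: str
    to_city: str
    distance_km: float
    elapsed_hours: float
    required_hours: float


def parse_log(text: str) -> List[SignIn]:
    """Parse the comma-separated sample format; timestamps are UTC ('Z')."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, city, lat, lon, ip = line.split(",")
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(SignIn(user, when, city, float(lat), float(lon), ip))
    return events


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in kilometres."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(events: List[SignIn], speed_kmh: float = ASSUMED_SPEED_KMH) -> List[Finding]:
    """Flag consecutive sign-ins whose minimum travel time exceeds the time between them."""
    by_user: Dict[str, List[SignIn]] = {}
    for e in events:
        by_user.setdefault(e.user, []).append(e)
    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.when)
        for prev, cur in zip(evs, evs[1:]):
            dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            elapsed = (cur.when - prev.when).total_seconds() / 3600.0
            required = dist / speed_kmh
            # Two sign-ins from the same city (dist == 0) never trip the check,
            # even from different IPs; a pair that would need more travel time
            # than actually elapsed does.
            if dist > 0 and required > elapsed:
                findings.append(Finding(user, prev.city, cur.city, dist, elapsed, required))
    return findings


def analyze_sample() -> List[Finding]:
    """Run the check over the constructed sample log."""
    return impossible_travel(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for f in analyze_sample():
        print(f"{f.user}: {f.from_city} -> {f.to_city}, {f.distance_km:.0f} km in "
              f"{f.elapsed_hours:.1f} h (needs at least {f.required_hours:.1f} h)")
```

On the sample, only alice is flagged: Copenhagen to Seattle in 2.5 hours is not possible at 900 km/h, while bob's London-to-Paris pair three hours apart and carol's two Oslo sign-ins from different addresses are left alone. In production the speed threshold and a tolerance for VPN exit nodes and coarse IP geolocation are the parameters to tune, since both produce legitimate pairs that look like this.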

Microsoft Intune

Microsoft Intune is a modern mobile device management platform that enables management of Windows, Apple iOS and Android devices. The scope of features in the tool is overwhelming and keeps growing every month. My advice: Take the time to understand why Intune is being implemented and the business case it supports. From there, consider breaking the project into easy-to-manage stages, starting first with data protection.

The initial phase of an Intune project must address conditional access, compliance policies and the use of managed applications. With conditional access and compliance policies, I can define rules that must be enforced for any device before it is allowed to access company data or resources. For instance, I will not allow company email access unless the device is enrolled into Microsoft Intune. Furthermore, I can also enforce password and encryption policies on the device.

The key to success is motivating end users to enroll their devices, and blocking access to corporate mail will do just that. Figure 4 shows the email users receive when they try to access corporate email using a device that has not been enrolled with Intune. Once the device is enrolled, users can access corporate data through mail or other online services like SharePoint.


Figure 4 Devices Must Be Enrolled to Access Corporate Email
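The rule described above (no company mail unless the device is enrolled and compliant, with a passcode and storage encryption enforced) expressed as the two policy objects behind it, as an added example that is not code from the article or from Microsoft. The article configured this through the Intune and Azure consoles of the time; this example instead builds the request bodies for the Microsoft Graph REST API and posts them. Assumptions made here: the Android platform and the concrete passcode and encryption settings, a pilot group ID and a bearer token read from environment variables, and rolling the conditional access policy out in report-only mode before enforcing it.

```python
"""Intune compliance policy plus conditional access through Microsoft Graph.

Added example, not the article's or Microsoft's own code.
"""
import json
import os
import urllib.request
from typing import Any, Dict, List

GRAPH = "https://graph.microsoft.com/v1.0"
# Well-known application ID of Office 365 Exchange Online in Azure AD.
EXCHANGE_ONLINE_APP_ID = "00000002-0000-0ff1-ce00-000000000000"


def android_compliance_policy(name: str, min_passcode_len: int = 6,
                              grace_hours: int = 0) -> Dict[str, Any]:
    """Device compliance policy: passcode, storage encryption, no rooted devices.

    The scheduled action marks a non-compliant device as blocked once the grace
    period expires; conditional access then denies it. Grace period 0 (immediate)
    and the settings below are assumptions for this example.
    """
    return {
        "@odata.type": "#microsoft.graph.androidCompliancePolicy",
        "displayName": name,
        "description": "Passcode and encryption required for access to company data",
        "passwordRequired": True,
        "passwordMinimumLength": min_passcode_len,
        "passwordRequiredType": "numeric",
        "passwordMinutesOfInactivityBeforeLock": 5,
        "storageRequireEncryption": True,
        "securityBlockJailbrokenDevices": True,
        "scheduledActionsForRule": [{
            "ruleName": "PasswordRequired",
            "scheduledActionConfigurations": [{
                "actionType": "block",
                "gracePeriodHours": grace_hours,
                "notificationTemplateId": "",
                "notificationMessageCCList": [],
            }],
        }],
    }


def mail_requires_compliant_device(name: str, group_ids: List[str],
                                   enforce: bool = False) -> Dict[str, Any]:
    """Conditional access policy: Exchange Online from mobile platforms is
    granted only to devices that Intune reports as compliant."""
    return {
        "displayName": name,
        # Report-only first: sign-in logs then show who would have been blocked.
        "state": "enabled" if enforce else "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeGroups": list(group_ids)},
            "applications": {"includeApplications": [EXCHANGE_ONLINE_APP_ID]},
            "platforms": {"includePlatforms": ["android", "iOS"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]},
    }


def graph_post(path: str, body: Dict[str, Any], token: str) -> Dict[str, Any]:
    """POST a JSON body to Graph and return the created object."""
    req = urllib.request.Request(
        GRAPH + path, data=json.dumps(body).encode("utf-8"), method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Assumptions: GRAPH_TOKEN carries DeviceManagementConfiguration.ReadWrite.All
    # and Policy.ReadWrite.ConditionalAccess; PILOT_GROUP_ID is the pilot group's object ID.
    token = os.environ["GRAPH_TOKEN"]
    pilot_group = os.environ["PILOT_GROUP_ID"]
    created = graph_post("/deviceManagement/deviceCompliancePolicies",
                         android_compliance_policy("Android baseline"), token)
    print("compliance policy:", created["id"])
    created = graph_post("/identity/conditionalAccess/policies",
                         mail_requires_compliant_device("Mail requires compliant device",
                                                        [pilot_group]), token)
    print("conditional access policy:", created["id"], created["state"])
```

The order matters: create and assign the compliance policy first, give the pilot group time to enroll, and only then switch the conditional access policy to enforced. An enforced policy with no compliance policy assigned would lock out every device, including the administrators' own.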

Intune can also be used to deploy managed applications, making it possible to prevent data from leaving the managed application. These controls shut down one of the main culprits in application data leaks: users copying data and pasting it into unapproved targets.

The Intune feature list is long and keeps expanding on a monthly basis. Intune today supports hardware and software inventory and the ability to deploy and manage applications, certificates, Wi-Fi profiles, VPN profiles and email profiles. Remote actions include remote passcode reset, remote lock, full device wipe and a selective wipe that removes only company data and access from the device, leaving personal data intact.

Azure Rights Management

Data protection goes beyond device-level encryption and strong password policies. It’s critically important to consider where data lives. What happens to a secure Excel file after it’s mailed to a business partner? Who is accessing the file, how long is the file supposed to exist “out there,” and is the data being manipulated?

With Azure Rights Management data is protected using predefined templates created and published in Azure. Protecting data using rights management will be a new experience to many, so a measured approach may be best. Start by defining a few simple templates, rather than creating 50 templates that will end up confusing users. Define some rules for what data must be protected and find a group within the organization to test the solution and provide feedback to the project. Figure 5 shows a template that provides view-only access to files.


Figure 5 Assigning Custom Rights to the Azure Rights Management Template

Final configuration before publishing the template involves configuring data expiration and rules for offline access. Once configured, the template is ready to be published.  

At this point users can start protecting files from File Explorer and Microsoft Office. In the example in Figure 6, the document is being shared with a number of colleagues using a template that only allows read-only access to the document.


Figure 6 Protecting a Word Document Using Azure Rights Management

Users have the ability to track documents by right clicking the file in File Explorer or from within Microsoft Office. Azure lists the document information in a dashboard, from which users can drill into more detailed views on who accessed the document and from where, as shown in Figure 7. Geolocation tracking is a particularly useful feature when protecting data, as it can help flag data and documents being accessed from unexpected locations.


Figure 7 Document Tracking

Microsoft Advanced Threat Analytics

Microsoft Advanced Threat Analytics (ATA) is an on-premises solution that helps IT professionals protect their enterprises from advanced attacks by automatically analyzing, learning and identifying normal and abnormal entity (user, device and resource) behavior. ATA uses behavioral analysis to build a profile of what is normal for each entity and reduces false positives by applying that context to the traffic the entity produces.

A key benefit of ATA is the ability to detect advanced attacks. Real-time detection, combined with awareness of existing security risks and behavioral analysis using machine learning algorithms, helps flag and foil sophisticated attacks.

ATA features a comprehensive console that enables IT admins to quickly view a timeline of attacks and the details of each affected entity, as shown in Figure 8 below:


Figure 8 The ATA Timeline View

The example above shows an identity-theft attack (Pass-the-Hash) in which the Client2 hash was stolen and used from Client1. Click on each of these entities and you’ll see more details that help you understand the role, if any, each entity had in the attack. ATA also provides recommendations for the IT administrator based on the type of attack or suspicious activity.

ATA deployment is non-intrusive, and the ATA Gateway can be installed on a workgroup machine. The only infrastructure requirement is port mirroring from the domain controllers to the gateway, since ATA needs to listen to the Active Directory traffic.

Wrapping Up

What is the business impact of implementing Microsoft Enterprise Mobility Suite? Or put another way, what is the impact of not implementing the service? Protecting data is the key. Agile applications, data tracking and access to skilled workers are all vital assets that businesses rely on to preserve the integrity of data and applications.

With Microsoft Intune and managed applications, IT organizations can protect data from being shared outside approved applications. With Azure Active Directory, they can implement strong password policies and enforce multi-factor authentication while keeping service desk costs at a minimum. With Azure Rights Management, organizations can enable granular file protection and access tracking. And with Microsoft Advanced Threat Analytics, companies can detect identity-theft attacks such as Pass-the-Hash on their Active Directory before they spread.

Be a leader, drive the change and create your own business case, where you start by defining the impact of not implementing the Microsoft Enterprise Mobility Suite.

For more information about Microsoft Enterprise Mobility + Security