In the latest blog post I’ve just shared my view on the real Cloud Security and Compliance model, and I made it in a totally vendor-agnostic way.
Let’s decline it in the Microsoft world of solutions, and specifically starting from the first realm that we call “Modern Workplace”, the IT environment where the digital transformation journey of an organization typically starts.
These solutions help employees to use the best collaboration tools that enable them to securely access applications (inside and outside the company) and to process data (with colleagues and external partners) without sacrificing the mandatory need of the Security and Compliance teams to have this productivity environment, without any tangible perimeter, still under total control of the company.
In this Microsoft realm, the Cloud Security and Compliance model can be declined with the following diagram:
When the Microsoft Office 365 suite is at the center of your risk assessment evaluations, you should understand how the several security and compliance controls are layered over the stack from the endpoint to the cloud applications inside Office 365.
The key infrastructure security solutions in the middle of this stack at layer 3 are represented by the Microsoft Enterprise Mobility and Security (EMS) solutions: a fundamental note is these are able to secure even non-Microsoft applications (3rd party web applications in the cloud and on-premises) and to protect data processed by non-Microsoft devices (iOS and Android devices as well), as I’ll show you better in a future blog post of this series where I’ll go deep in the several solutions layers (Identity, Information and Threat Protection).
Where we consider the Windows PC as the main device to enable this secure productivity environment, you may note from the green square box in the picture how Microsoft has been able to build a commercial bundle to help customers to acquire the full set of licenses and related security and compliance features to secure the full end-to-end stack from the device to the cloud productivity suite: Microsoft 365 !
The following picture adds just a bit of licensing detail: every product suite inside Microsoft 365 Enterprise is offered in two flavors, the Enterprise E3 or E5, and the size of the relative boxes is there to suggest how they broaden the spectrum of coverage over the main Identity, Information and Threat Protection solutions areas.
Hoping these diagrams are quite clear, I can now use them to make an example to demonstrate the Microsoft strategy behind the Microsoft 365 Security platform to offer a layered incremental feature set depending on the component and the licensing level of choice.
Example: Multi-Factor Authentication (MFA) capabilities.
Just to catch even the interest of novice readers not so expert about security, let me remind that MFA is the technology solution that adds a second authentication factor to prove the real identity of the user after the less secure first one (the password), as maybe everyone experiments when making disposition actions in their internet banking web application.
As you can see from the light green boxes from the Office 365 E3, to the EMS E3 layer and ending on the EMS E5 layer, there are 3 incremental solutions that offer MFA capabilities over the platform:
- The MFA features inside Office 365 E3 are not so granular: think about them as a big power supply handle to switch on/off MFA for all Office 365 applications (and only for them!) and for all user/group without any ability to selectively choose which application/user/group should benefit from it.
- Azure MFA inside Azure AD Premium P1 plan is the complete MFA feature set to gain granularity to specify which application (even a not Microsoft one!) and which user/group should benefit from it. The only “limitation” with regards to the following solution is related to the static setting nature of these capabilities.
- The best of breed MFA capabilities offered in the Microsoft 365 security platform are represented by the ability of Azure AD Identity Protection to offer MFA as one of the dynamic and automatic remediation actions where the Azure AD solution, powered by machine learning and artificial intelligence analysis of the authentication logs at sign-in, may rate at high risk a specific user/session combination. This is the most powerful and with the best user experience way to harden the access to Azure AD protected applications (Microsoft and not).
This incremental progression I’ve just shared represents the Microsoft strategy behind the different types of security and compliance solution in the platform: the more you need security feature richness, 3rd party application protection, automation of protection, and the empowering by machine learning and artificial intelligence, the more you need to move towards EMS and specifically to the best M365 E5 plan.
Now at this point I hope you may be eager to know which are the specific security and compliance solutions included in this Microsoft 365 Security platform…
…I’ll be glad to give you this view in the next blog post, stay tuned!