O365Con19 - O365 Identity Management and The Golden Config - Chris Goosen

•

0 gostou•115 visualizações

NCCOMMS

Office 365 & SharePoint Connect 2019 Session

Tecnologia

Office 365 Identity
Management and
"The Golden Config"
Chris Goosen – Office Apps and Services MVP

Who? Me?
• Senior Architect at Insight
• Host of The Cloud Architects Podcast
• Based in Dallas, TX
• Office Apps and Services MVP
• Microsoft Certified Master – Exchange
• Blog: cgoosen.com
• Twitter: @chrisgoosen
• Podcast: thearchitects.cloud

In this session
• Azure AD Identity 101
• Why do I need more?
• What is “The Golden Config”?
• 5 steps to securing your identities
• Deployment best practices

Azure AD Identity 101
Cloud-only Identities
Pass-through
Authentication (PTA)
Federated Identities
Password hash Sync
(PHS)

Azure AD Identity 101
• All except cloud-only can provide “SSO”
• Cloud-only doesn’t scale well
• Federation/PTA relies on on-prem infra
• What about 3rd party IdPs? (Okta, etc?)
• Apply the KISS principle when designing
• Consider PHS unless you have specific requirements
• PHS is not less secure – HMAC-SHA256

Why do I need more?
• Over 6.5 trillion security signals per day
• Phishing attacks are on the increase
• Leaked/Stolen credentials
• Breaches are becoming very common
• 328 Breaches reported in 2019 (US)
• Passwords are the weakest form of auth
• haveibeenpwned.com = 8.5 billion accounts

What is “The Golden Config”?
• A prescribed set of policies and guidance to protect access to
services integrated with Azure AD
• Recommendations have been provided
for three different tiers of security and
protection that can be applied based
on the granularity of your needs
• Baseline Protection, Sensitive Protection,
Highly Regulated Protection
Most Customers
Some Customers
Few Customers

What is “The Golden Config”?
• Available at aka.ms/m365goldenconfig
• Includes data protection recommendations
• Will probably require additional licenses
• Protection Mechanisms:
• Enforce MFA
• Enforce password change
• Enforce Intune application protection
• Enforce Intune enrollment (COD)

5 - Enable
complete end-
user security
with self-help
4 - Increase your
awareness
5 steps to securing your identities
3 - Automate
threat response
2 - Reduce your
attack surface
area
1 - Strengthen your
credentials
• Strong passwords
!= Strong credentials
• Banning commonly
passwords and turn
off traditional
complexity, and
expiration rules
• Protect against
leaked credentials
• Block legacy
authentication
methods
• Block invalid
authentication entry
points
• Block end-user
consent
• Implement Azure AD
Privileged Identity
Management
• Implement user risk
security policy using
Azure AD Identity
Protection
• Implement sign-in
risk policy using
Azure AD Identity
Protection
• Monitor Azure AD –
Health, Audit logs
etc.
• Monitor Azure AD
Identity Protection
events
• Audit apps and
consented
permissions
• Enable Single Sign-
On (SSO)
• Implement self-
service password
reset
• Implement Azure AD
access reviews

Deployment best practices
• Treat identity as the primary security perimeter
• Object health is important - GIGO
• Carefully plan your sync scope
• MFA, MFA, MFA – No… really!
• Plan your network ranges carefully
• Lower exposure of privileged accounts
• Always have at least one “break glass” account

Mais conteúdo relacionado

Mais procurados

Azure Active Directory (AD) is a directory as a service on Microsoft Azure. More than the cloud identity Azure AD provides a platform to build cloud applications with multi tenancy support. A flexible authentication systems which enables developers to leverage the cloud identity model and develop applications at ease. The session will walk you through on the basics of Azure AD and how to develop .NET applications using Azure AD.

Azure Active Directory

Thurupathan Vijayakumar

Windows Azure Active Directory - from Atidan

David J Rosenthal

The IDaaS (identity as a service) market segment continues to grow in popularity, and the scope of its vendor's capabilities continue to grow as well. It's still not a match for everyone, however. Join identity architect Sean Deuby for an overview of the most popular IDaaS deployment scenarios, scenarios where IDaaS has a tougher time meeting customer requirements, and whether your company is likely to find its perfect IDaaS mate.

CIS 2015 The IDaaS Dating Game - Sean Deuby

CloudIDSummit

O365Con19 - Keep Control of Your Data with AIP and CA - Bram de Jager

NCCOMMS

Azure Active Directory

SharePoint Saturday New Jersey

O365Con18 - Compliance Manager - Tomislav Lulic

NCCOMMS

CSF18 - External Collaboration with Azure B2B - Sjoukje Zaal

NCCOMMS

O365Con18 - A Lap Around Monitoring, Auditing and Securing Microsoft Azure - ...

NCCOMMS

[Dux Raymond Sy] So you’ve made the decision to move to Office 365 – now how do you ensure your critical business information is secure in the cloud? In this interactive session, you will learn how to reduce risk and ensure your users do the right thing by employing industry best practices for information governance, risk, and compliance. We’ll also explain how recent enhancements from Microsoft – including Office 365 Security & Compliance Center and Azure Information Protection – as well as other related technologies can help. This session will empower you to implement proven tactics to ensure your Microsoft Cloud investment meets business needs while protecting your most sensitive data.

[Sy] How to Develop Your Office 365 Information Governance Strategy in 4 Steps

European Collaboration Summit

O365Con18 - Exploring Conditional Access to content stored in Office 365 - Pa...

NCCOMMS

ECS19 - Bram De Jager - Design a secure collaboration solution with Azure In...

European Collaboration Summit

Azure AD with Office 365 and Beyond!

Ravikumar Sathyamurthy

Active Directory Federation Services (AD FS) is the Microsoft technology to bridge your on-premises Identity systems towards cloud Identity providers like Azure Active Directory. Colleagues depend on a reliable, yet cost effective deployment of AD FS and it’s our jobs as IT Pros to make it happen. This session covers the 10 most common mistakes we see in the field In organizations that have deployed AD FS and performed a hybrid identity deployment. Learn from their mistakes, so you don’t have to make them.

ITPROCEED_TransformTheDatacenter_ten most common mistakes when deploying adfs...

ITProceed

Get your Hybrid Identity in 4 steps with Azure AD Connect

Ronny de Jong

Dell EMC Spanning

Novosco

Azure Saturday: External Collaboration With Azure AD B2B

Sjoukje Zaal

CIS 2016 Content Highlights

CloudIDSummit

Azure AD and Office 365 - Deja Vu All Over Again

Sean Deuby

In this modern age of collaboration, it is important for content to be secure. Moving content to the cloud opens it up for easier access, but also allows sophisticated authentication and auditing to be used to secure the content more robustly. This session explores a real-life scenario that focuses on using Azure B2B, conditional access and SharePoint Online to allow external parties to access collaboration sites with appropriate permissions, replacing the traditional extranet solution. We will go through multi-factor authentication and access reviews to demonstrate the governance and control of the external users as well.

Security in an age of collaboration 201903 - tvaug

Alan Eardley

1. Day 1 - Office 365 Trainning

Huy Pham

Mais procurados (20)

Azure Active Directory

Windows Azure Active Directory - from Atidan

CIS 2015 The IDaaS Dating Game - Sean Deuby

O365Con19 - Keep Control of Your Data with AIP and CA - Bram de Jager

Azure Active Directory

O365Con18 - Compliance Manager - Tomislav Lulic

CSF18 - External Collaboration with Azure B2B - Sjoukje Zaal

O365Con18 - A Lap Around Monitoring, Auditing and Securing Microsoft Azure - ...

[Sy] How to Develop Your Office 365 Information Governance Strategy in 4 Steps

O365Con18 - Exploring Conditional Access to content stored in Office 365 - Pa...

ECS19 - Bram De Jager - Design a secure collaboration solution with Azure In...

Azure AD with Office 365 and Beyond!

ITPROCEED_TransformTheDatacenter_ten most common mistakes when deploying adfs...

Get your Hybrid Identity in 4 steps with Azure AD Connect

Dell EMC Spanning

Azure Saturday: External Collaboration With Azure AD B2B

CIS 2016 Content Highlights

Azure AD and Office 365 - Deja Vu All Over Again

Security in an age of collaboration 201903 - tvaug

1. Day 1 - Office 365 Trainning

Semelhante a O365Con19 - O365 Identity Management and The Golden Config - Chris Goosen

Fundamentals of Microsoft 365 Security , Identity and Compliance

Vignesh Ganesan I Microsoft MVP

Best Practices in Cloud Security

Alert Logic

Microsoft Security Advice ISSA Slides.pptx

Mike Brannon

Encryption is widely used by companies to secure sensitive data. It comes in different varieties and purposes. There's symmetric vs asymmetric encryption, there's encryption at rest, in transit and in use, there's TDE vs record-level encryption vs column/field level encryption, and then there's key-encryption (wrapping). All of these varieties serve different purposes and use-cases that we review - from the point of view of an infosec person, a sysadmin, a developer and an architect.

Encryption in the enterprise

Bozhidar Bozhanov

Kabelo Sekele- Government in Transformation: Cloud Powered Security, Identity...

itnewsafrica

Identity and Security in the Cloud

Richard Diver

IglooConf 2019 Secure your Azure applications like a pro

Karl Ots

Securing your Azure Identity Infrastructure

Vignesh Ganesan I Microsoft MVP

Securing Sensitive Data with Azure Key Vault (Tom Kerkhove @ ITProceed)

Codit

Security has become more and more important as we move to the cloud and countries & companies are being hacked – remember the Sony hack? But how do we securely store sensitive data such as connection strings to our databases? Where do we store our encryption keys? Can I share them with my customers? How do I prevent abuse of my secrets and block them from doing so? That’s what this session is all about – I will introduce you to the concepts of Microsoft Azure Key Vault where you can use this as it allows you to securely store keys, credentials and other secrets in the cloud. We will also have a look at how it enables us to store encryption keys for SQL Server TDE and how it can help you safeguard your cloud solutions even more.

ITProceed 2015 - Securing Sensitive Data with Azure Key Vault

Tom Kerkhove

Webcast Recording: https://www.youtube.com/watch?v=fCbVMWvncuw Increasingly, more organizations are migrating resources to being hosted in the cloud. With this comes a greater potential for misconfiguration if there isn’t a solid understanding of the attack surface. While there are many similarities between traditional on-premises pentesting and cloud-based pentesting, the latter is an animal of its own. This webcast will attempt to clear up some of the fogginess around cloud-based pentesting, specific to Microsoft Azure environments, including Microsoft 365. In order to adequately determine the attack surface, the appropriate coverage areas will be highlighted. Differences between Azure resources and Microsoft 365 can oftentimes be confusing but knowing these differences is key to helping you pivot and escalate privileges. Conditional access policies are great for defining different scenarios for how users can authenticate securely but can also be misconfigured. There are security protections for stopping certain password attacks but some of these can be bypassed. Ultimately, a methodology for testing Azure environments along with tools and techniques will be presented in this talk.

Getting Started in Pentesting the Cloud: Azure

Beau Bullock

Cloud Computing & Privacy Protection

Igor Zboran

The cloud is not an 'All or Nothing' approach with regards to replacing workloads inside your datacenter. Enterprises with existing datacenters can easily extend their Infrastructure into the cloud to seamlessly leverage the benefits of cloud while using the same set of controls familiar to their business. However availability and security still remain among the top two concerns for CIOs when deciding on cloud adoption for their organization. Amazon Web Services has infrastructure across multiple geographical Regions spanning five continents, with multiple Availability Zones in each Region along with a set of global edge locations. Building a similar infrastructure for high availability with your traditional datacenter would be non-trivial and cost prohibitive. Join this session to understand how you can achieve high availability across geographies, deploy your applications close to your users, control where your data is located, achieve low latency, and migrate your applications around the world in a cost-effective and easy manner using AWS services. You will also learn how AWS builds services in accordance with security best practices, provides appropriate security features in those services, has achieved industry standard certifications, and other third-party attestations. In addition, in line with the shared security model on the cloud, AWS customers must leverage on security features and best practices to architect an appropriately secure application environment. Enabling customers to ensure the confidentiality, integrity, and availability of their data is of the utmost importance to AWS, as is maintaining trust and confidence.

AWS Summit 2013 | India - Extend your Datacenter in the Cloud and achieve Hig...

Amazon Web Services

2019-06-04 aOS Strasbourg - Technique 3 - MS Threat Protection - Seyfallah Ta...

aOS Community

Azure Lighthouse provides capabilities to perform cross-tenant management at scale. We do this by providing you the ability to view and manage multiple customers from a single context. Building a scalable business model in the cloud is a real challenge that is of uncomparable complexity compared to project-based solutions. If you want to offer a solution in the cloud and onboard multiple customers, the next step would be to consider how would you deploy, maintain and monitor such environment. What is Azure Lighthouse and how to make your first steps following good practices is the response to that question and the main topic of our session.

Global azure virtual 2021 - Azure Lighthouse

Ivo Andreev

Top Azure security fails and how to avoid them

Karl Ots

As presented at the (ISC)2 EMEA Secure Summit. Karl Ots has assessed the security of over 100 solutions built on the Microsoft Azure cloud. He has found that there are 6 key security pitfalls that are common across all industry verticals and company sizes. In this session, he will share what these security pitfalls are, why do they matter and how to mitigate them. 1. Upon completion, participant will know the most common threat vectors in real-life Microsoft Azure applications across all industries and company sizes.2. Upon completion, participant will be able to effectively articulate the presented risks to both software developers and technical decision makers.3. Upon completion, participant will be able to remediate the presented risks and focus their security investments in the most effective controls

ISC2 Secure Summit EMEA - Top Microsoft Azure security fails and how to avoid...

Karl Ots

As organizations shift control of their infrastructure and data to the cloud, it is critical that they rethink their application security efforts. This can be accomplished by ensuring applications are designed to take advantage of built-in cloud security controls and configured properly in deployment. Attend this webcast to gain insight into the security nuances of the cloud platform and risk mitigation techniques. Topics include: • Common cloud threats and vulnerabilities • Exposing data with insufficient Authorization and Authentication • The danger of relying on untrusted components • Distributed Denial of Service (DDoS) and other application attacks • Securing APIs and other defensive measures

Securing Applications in the Cloud

Security Innovation

Security Considerations for Microservices and Multi cloud

Neelkamal Gaharwar

Shifting security left simplifying security for k8s open shift environments

LibbySchulze

Semelhante a O365Con19 - O365 Identity Management and The Golden Config - Chris Goosen (20)

Fundamentals of Microsoft 365 Security , Identity and Compliance

Best Practices in Cloud Security

Microsoft Security Advice ISSA Slides.pptx

Encryption in the enterprise

Kabelo Sekele- Government in Transformation: Cloud Powered Security, Identity...

Identity and Security in the Cloud

IglooConf 2019 Secure your Azure applications like a pro

Securing your Azure Identity Infrastructure

Securing Sensitive Data with Azure Key Vault (Tom Kerkhove @ ITProceed)

ITProceed 2015 - Securing Sensitive Data with Azure Key Vault

Getting Started in Pentesting the Cloud: Azure

Cloud Computing & Privacy Protection

AWS Summit 2013 | India - Extend your Datacenter in the Cloud and achieve Hig...

2019-06-04 aOS Strasbourg - Technique 3 - MS Threat Protection - Seyfallah Ta...

Global azure virtual 2021 - Azure Lighthouse

Top Azure security fails and how to avoid them

ISC2 Secure Summit EMEA - Top Microsoft Azure security fails and how to avoid...

Securing Applications in the Cloud

Security Considerations for Microservices and Multi cloud

Shifting security left simplifying security for k8s open shift environments

Mais de NCCOMMS

O365Con19 - UI:UX 101 Learn How to Design Custom Experiences for SharePoint -...

NCCOMMS

O365Con19 - Model-driven Apps or Canvas Apps? - Rick Bakker

NCCOMMS

O365Con19 - Office 365 Groups Surviving the Real World - Jasper Oosterveld

NCCOMMS

O365Con19 - Developing Timerjob and Eventhandler Equivalents - Adis Jugo

NCCOMMS

O365Con19 - Sharepoint with (Artificial) Intelligence - Adis Jugo

NCCOMMS

O365Con19 - What Do You Mean 90 days Isn't Enough - Paul Hunt

NCCOMMS

O365Con19 - Start Developing Teams Tabs and SharePoint Webparts with SPFX - O...

NCCOMMS

O365Con19 - Start Your Journey from Skype for Business to Teams - Sasja Beere...

NCCOMMS

O365Con19 - Lets Get Started with Azure Container Instances - Jussi Roine

NCCOMMS

O365Con19 - Customise the UI in Modern SharePoint Workspaces - Corinna Lins

NCCOMMS

O365Con19 - Be The Protagonist of Your Modern Workplace - Corinna Lins

NCCOMMS

O365Con19 - How to Really Manage all your Tasks Across Microsoft 365 - Luise ...

NCCOMMS

O365Con19 - Sharing Code Efficiently in your Organisation - Elio Struyf

NCCOMMS

O365Con19 - Things I've Learned While Building a Product on SharePoint Modern...

NCCOMMS

O365Con19 - Kaizala a Dive Into the Unknown - Rick van Rousselt

NCCOMMS

O365Con19 - How to Inspire Users to Unstick from Email - Luise Freese

NCCOMMS

O365Con19 - Exposing Multi-Geo Capabilities in Office 365 - Paul Hunt

NCCOMMS

O365Con19 - Customizing Microsoft Teams Provisioning and Governance - Olli Jä...

NCCOMMS

O365Con19 - Automate All The Things - Chris Goosen

NCCOMMS

O365Con19 - 7 Key Steps to Help Your Teams to Love Office 365 - Gerard Duijts

NCCOMMS

Mais de NCCOMMS (20)