EMS

As we discussed in the last entry, Microsoft has recently enhanced the EMS offering by adding more services into the bundle and adding an additional tier.  This post will focus on the Azure Active Directory Premium P2 (AADP P2) portion of the suite.

What is in the Azure AD Premium P2 tier?

Let’s start with the Microsoft definition of these features:

  • Azure AD Identity Protection – provides you:
    • A consolidated view into risk events and potential vulnerabilities affecting your organization’s identities
    • An ability to automatically block or offer adaptive remediation actions
  • Azure AD Privileged Identity Management – enables you to know:
    • Which users are Azure AD administrators
    • Enable “just-in-time” administrative access to Office 365 & Intune
    • Get reports about administrator access history & changes to administrator assignments
    • Get alerts about access to a privileged role

Why would you use it?

With the transition of businesses to cloud- and mobile-based applications, traditional defenses will not be sufficient to thwart determined attackers.  Firewalls and Intrusion Detection Systems are not of much use when there is no traditional edge to your network.  Today’s user works in an environment that allows her:

  • To access data on any device and from any network
  • She decides how to share data and with whom to share it
  • She does her job with scores of cloud-based applications (each with their own authentication and authorization systems)
  • IT doesn’t have a lot of visibility or control into how the user does her job

When you add in how the typical IT administrator does her job, it gets even scarier:

  • Users are assigned privileged access based on a job title – instead of what they need to do
  • Audits of who has what access become increasingly difficult with the rise of SaaS-based systems
  • Users keep access to sensitive systems – even after job changes

How do these services help protect your organization?

Microsoft has access to so many different data sources (authentications, web indexes/crawls, emails, etc.), that they’ve applied a name to it – the Intelligent Security Graph.

Azure Identity Protection

Identity Protection uses this graph to:

  • Gain insights – which means that they see and gather so much data from the internet, that they can spot trends before anyone else
  • Make remediation recommendations – by learning what’s ‘normal’ for your users, they can help you fix what’s wrong before something happens
  • Assign risk severity calculations – by spotting:
    • Use of leaked credentials
    • Impossible travel situations
    • Sign-ins from infected devices, anonymous IP addresses, IP addresses with suspicious behavior, or from unfamiliar locations
    • User lock-out events
  • Risk-based conditional access – Detect suspicious logins and compromised credentials and then apply your risk-based policies:
    • MFA Challenges to risky logins
    • Change bad credentials
    • Block attacks

Identity Protection isn’t just another place for you to perform monitoring – the service can give notifications, data extractions, and access reporting APIs to feed into your existing Security Information and Event Management (SIEM) systems, monitoring tools, even Microsoft’s PowerBI.

Privileged Identity Management adds additional protections for your most important users – those with access to your most important and sensitive systems / data.  One of the ways that this service accomplishes this is through “just-in-time” or “time-limited” activation of privileged roles.

Azure Privileged Identity Management

As seen in the graphic, Privileged Identity Management builds in an automated workflow whereby a user requests elevated access to perform a specific task, the privilege is granted after MFA-enabled authentication, and then the privilege “times-out” after a pre-determined amount of time.  This is the method by which Microsoft grants itself access to its customers’ Office 365 subscriptions – only gaining access after being authenticated and then having the access expire after a set period.

This example of how Microsoft runs its own systems (Outlook.com, Xbox, Office 365, Azure, etc.) show how these services came to be – Microsoft needed them to safely operate their own businesses and now can offer those same capabilities to all its customers – even for non-Microsoft services and software.

I hope this post has got you interested in this portion of the EMS E5 suite.  Future posts will cover Azure Information Protection, Cloud App Security, and then will wrap up with how all of these services work together to protect your business!