Tailor Security to Business Needs
While the fear of moving to the cloud has largely subsided, I still get the question of whether my data is safe in the cloud. That can be a lengthy conversation but to me the most interesting result of that conversation is that how secure your data is in the cloud is really up to you. Microsoft has been making strides in providing companies with cloud security features to enhance security across the enterprise. In Azure you can configure Multi-Factor Authentication (MFA), Advanced Threat Analytics (ATA) and take more control over your documents with Azure Information Protection (AIP). Microsoft provides an a la carte approach to security with all of their various offerings, although the trouble is that it can be challenging to determine which features are right for you and what licensing model makes the most sense.
The answer is different for each company, but I’ve taken the liberty to point out a couple features that I think are worth noting, as well as a quick licensing overview (that will almost surely change the minute I hit publish).
SSO + MFA = Extended Security
Configure federated Single Sign On (SSO) with your third-party applications and implement MFA policies. Doing so extends your MFA policies to your third-party applications. Now when a user logs into that payroll application from home they are forced to confirm their identity with MFA.
If you are dealing with sensitive data you may want to consider setting up conditional MFA based on the user’s location. If they are logging in from within your network then you may not want to worry about enforcing MFA but when offsite – be it at home or a café – you likely want MFA required.
These features will require Azure Active Directory (AAD).
Speed Up Security with Azure Advanced Threat Analytics
Microsoft does a nice job on their website explaining why Advanced Threat Analytics (ATA) can make a difference for your cloud security experience. One statistic worth noting: “Over half of all network intrusions are due to compromised user credentials.”
ATA tracks user’s behaviors and creates profiles for each user. When a user strays from their normal activities, ATA flags the suspicious activity and notifies administrators. ATA also tracks suspicious log in attempts and can either block or automatically force MFA for that login. If users are logging in from strange places it’s possible their credentials have been compromised. Forcing MFA or outright blocking that log in can prevent any damage from that attacker.
Licensing
The various licenses in Azure can be difficult to navigate as well so below is an outline of the licensing options available from Microsoft as of the date of this post. You can use the links provided to view more details regarding the features available within each product and license tier. My general rule of thumb is if you are interested in 2 or more of the options below - you may want to consider just going with Enterprise Mobility & Security (EMS) and getting some extra features that may be "nice to have."
- AAD Free - Included in E3
- AAD Basic - $2/user/mo.
- AAD P1 - $6/user/mo.
- AAD P2 - $14.50/user/mo.
Azure Information Protection (AIP)
- AIP for Office 365 – Included in E3
- AIP P1 - $2/user/mo.
- AIP P2 - $5/user/mo.
Azure Advanced Threat Protection (ATP)
- ATP - $5.50/user/mo. when added to E3
- InTune - $6/user/mo. when purchased solo
Azure Enterprise Mobility & Security (EMS)
- EMS E3 - $8.75/user/mo.
- Azure AD P1
- Azure Information Protection (AIP) P1
- Azure Advanced Threat Protection (ATP)
- Intune (Mobile Device Management)
- EMS E5 - $14.80/user/mo.
- Azure AD P2
- Azure Information Protection (AIP) P2
- Azure Advanced Threat Protection (ATP)
- Intune (Mobile Device Management)
