This blog is part of a series that responds to common questions we receive from customers about deployment of Microsoft 365 Security solutions. In this series you’ll find context, answers, and guidance for deployment and driving adoption within your organization. Here is the first installment of an 8 part series on deploying intelligent security scenarios. Check out our last blog, Assessing Microsoft 365 Security solutions using the NIST Cybersecurity Framework.
Your users expect technology to help them be productive, yet you need to keep your organization’s data safe. This blog will show you how Microsoft 365 Security solutions can help you achieve this fine balance between productivity and security. We recommend an integrated solution that incorporates managing identities, managing devices, then securing applications, email, and data.
First, we’ll start with the question that we often hear from customers: “How can I make sure my employees are working securely when they are working remotely?” With digital technology changing how people work, users need to be productive on a variety of devices, regardless if they are company-provided or bring your own device (BYOD). The vital foundation to your in-depth security strategy is strong, integrated identity protection.
Securing identities to protect at the front door
Identity management in Azure Active Directory (Azure AD) is your first step. Once user identities are managed in Azure AD, you can enable Azure AD single sign-on (SSO) to manage authentication across devices, cloud apps, and on-premises apps. Then layer Multi-factor Authentication (MFA) with Azure AD Conditional Access (see Figure 1). These security tools work together to reauthenticate high-risk users and to take automated action to secure your network.
Figure 1. Set user policies using Azure AD Conditional Access.
Security across devices
From identity, we move to devices. Microsoft Intune lets you manage both company-owned and BYOD from the cloud. Once you set up your Intune subscription, you can add users and groups, assign licenses, deploy and protect apps, and set up device enrollment.
Through Azure AD, you can then create conditional access policies according to user, device, application, and risk.
To strengthen employee sign-in on Windows 10 PCs, Windows Hello for Business replaces passwords with strong MFA consisting of a user credential and biometric or PIN.
Security across apps
Microsoft Cloud App Security gives you visibility and control over the cloud apps that your employees are using. You can see the overall picture of cloud apps across your network, including any unsanctioned apps your employees may be using. Discovering shadow IT apps can help you prevent unmonitored avenues into or out of your network.
Security across email
Once you have secured your organization’s devices and applications, it’s equally important to safeguard your organization’s flow of information. Sending and receiving email is one of the weakest spots for IT security. Azure Information Protection allows you to configure policies to classify, label, and protect data based on sensitivity. Then you can track activities on shared data and revoke user access if necessary.
For security against malicious emails, Office 365 Advanced Threat Protection (ATP) lets you set up anti-phishing protections to protect your employees from increasingly sophisticated phishing attacks.
Security across data
Once you have secured how employees access data, it’s equally important to safeguard the data itself. Microsoft BitLocker Drive Encryption technology prevents others from accessing your disk drives and flash drives without authorization, even if they’re lost or stolen. Windows Information Protection helps protect against accidental data leaks, with protection and policies that travel with the data wherever it goes.
Deployment tips from our experts
Now that you know more about how Microsoft 365 security solutions can protect your people and data in a mobile world, here are three proven tips to put it all into action:
- Be proactive, not reactive. Proactively provision identities through Azure AD, enroll devices through Microsoft Intune, and set up Intune App Protection. Enrolling devices can help keep your company’s data safe by preventing threats or data breaches before they happen.
- Keep your company data safe. Managing employee identities is a fundamental part of information security. Enable SSO and MFA, set up conditional access policies, and then deploy Azure Information Protection for classification and protection of sensitive data.
- Plan for success with Microsoft FastTrack. This valuable service comes with your subscription at no additional charge. Whether you’re planning your initial rollout, needing to onboard your product, or driving user adoption, FastTrack is your benefit service that is ready to assist you. Get started at FastTrack for Microsoft 365.
Want to learn more?
For more information and guidance on this topic, check out the “Enable your users to work securely from anywhere, anytime, across devices” white paper. You can find additional security resources on Microsoft.com.
More blog posts from this series: