Transcript of SAAM2291BE: Securing Access and Protecting Information in Office 365 with Workspace ONE
Peter Björk, @thepeb, Principal Systems Engineer
Adarsh Kesari, @adarshkesari, Senior Systems Engineer
SAAM2291BE
#VMworld #SAAM2291BE
Securing Access and Protecting Information in Office 365 with Workspace ONE
VMworld 2017 Content: Not for publication or distribution
Disclaimer
• This presentation may contain product features that are currently under development.
• This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.
• Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.
• Technical feasibility and market demand will affect final delivery.
• Pricing and packaging for any new technologies or features discussed or presented have not been determined.
Securing Access and Protecting Information in Office 365 with Workspace ONE
1 Data Loss Prevention
2 Simplified Authentication
3 Conditional Access
4 Securing Productivity Apps
340M downloads of Office mobile applications (Source: Microsoft, 2016)
Four Pillars of Office 365 Security (Workspace ONE + Office 365)
Data Loss Prevention
• At rest
• In use
• In transit
• On any device
Simplified Authentication
• No passwords (SSO)
• Control Modern and Legacy Auth
• Consumer-simple MFA
Conditional Access
• Block Unapproved Access
Securing Productivity Apps
• Email compliance
• Content
• Browsing
Data Loss Prevention
A New Level of Data Security
At Rest
• Passcode protection
• Device encryption
• Enterprise wipe
In Use
• Containerization
• DLP policies
• MAM co-existence
In Transit
• SSL encryption
• App-level VPN
Prevent Data Loss Using Native Platform Controls
Windows
• Windows Information Protection
• Passport for Work and Windows Hello
iOS
• Managed App container
• Open-in controls
• Device passcode and Touch ID
Android
• Android for Work container
• Copy/Paste controls
• Device passcode
Available Data Loss Prevention Policies
• Prevent Backup
• Allow Apps to Transfer Data to Other Apps
• Allow Apps to Receive Data from Other Apps
• Prevent “Save As”
• Restrict Cut/Copy/Paste with Other Apps
• Restrict Web Content to Display in Managed Browser
• Encrypt App Data
• Disable Contacts Sync
• Disable Printing
• Allow Specific Data Storage Locations - OneDrive for Business, SharePoint, Box, Dropbox, Google Drive, Local Storage
• Require PIN for Access
• Number of Attempts before PIN Reset
• Allow Simple PIN
• PIN Length
• Allowed PIN Characters
• Allow Fingerprint Instead of PIN
• Require Corporate Credentials For Access
• Block Managed Apps from Running on Jailbroken or Rooted Devices
• Recheck The Access Requirements after Timeout
• Offline Grace Period
• Offline Interval before App Data is Wiped
• Block Android Screen Capture and Android Assistant
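The settings listed above are enforced inside the app, not by the server, so the interesting part is how an SDK-enabled app interprets them. The following is an added example, not code from the deck or from VMware: a small policy object carrying a subset of these settings and the checks an app would run before letting data leave, before accepting a PIN, and when it has been offline for a while. Field names, the "simple PIN" definition and the thresholds are this example's own.

```python
"""Evaluating app-level DLP policy settings of the kind listed above (offline model)."""
from dataclasses import dataclass
from typing import FrozenSet, Tuple


@dataclass(frozen=True)
class DlpPolicy:
    # Constructed defaults; names loosely follow the slide's policy list.
    prevent_save_as: bool = True
    allow_transfer_to_other_apps: bool = False
    allowed_storage_locations: FrozenSet[str] = frozenset({"OneDrive for Business", "SharePoint"})
    restrict_cut_copy_paste: bool = True
    require_pin: bool = True
    pin_length: int = 6
    allow_simple_pin: bool = False
    block_on_compromised: bool = True
    offline_grace_minutes: int = 60   # "Offline Grace Period"
    offline_wipe_days: int = 7        # "Offline Interval before App Data is Wiped"


def is_simple_pin(pin: str) -> bool:
    """A 'simple' PIN here is one repeated digit or a straight ascending/descending run."""
    if len(set(pin)) == 1:
        return True
    digits = [int(c) for c in pin]
    steps = {b - a for a, b in zip(digits, digits[1:])}
    return steps == {1} or steps == {-1}


def check_pin(policy: DlpPolicy, pin: str) -> Tuple[bool, str]:
    """Apply 'Require PIN', 'PIN Length' and 'Allow Simple PIN'."""
    if not policy.require_pin:
        return True, "pin not required"
    if not pin.isdigit() or len(pin) < policy.pin_length:
        return False, f"pin must be at least {policy.pin_length} digits"
    if not policy.allow_simple_pin and is_simple_pin(pin):
        return False, "simple pins are not allowed"
    return True, "ok"


def check_action(policy: DlpPolicy, action: str, target: str, compromised: bool) -> Tuple[bool, str]:
    """Decide whether the app may move data out.

    action: "save_as" | "open_in" | "paste_out" | "save_to"
    target: destination app or storage location
    """
    if compromised and policy.block_on_compromised:
        return False, "device is jailbroken/rooted"
    if action == "save_as" and policy.prevent_save_as:
        return False, "Save As is disabled"
    if action == "open_in" and not policy.allow_transfer_to_other_apps:
        return False, f"transfer to {target} blocked"
    if action == "paste_out" and policy.restrict_cut_copy_paste:
        return False, "cut/copy/paste to other apps restricted"
    if action == "save_to" and target not in policy.allowed_storage_locations:
        return False, f"{target} is not an allowed storage location"
    return True, "allowed"


def offline_state(policy: DlpPolicy, minutes_offline: int) -> str:
    """'ok' inside the grace period, 'recheck' once access requirements must be
    re-validated, 'wipe' once the offline interval before wipe is exhausted."""
    if minutes_offline >= policy.offline_wipe_days * 24 * 60:
        return "wipe"
    if minutes_offline > policy.offline_grace_minutes:
        return "recheck"
    return "ok"
```

The ordering in check_action matters: the compromised-device check runs before any per-action setting, so a rooted device never gets an "allowed" answer for an action the policy happens to permit.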
Current Integration: Office 365 & Azure Cloud
• AirWatch calls Graph API to configure and assign DLP for native Office apps
• Microsoft cloud services enforce policies on all Office apps – managed or unmanaged
• Device enrolls to manage apps and wipe corporate data
Integration
Layers involved: Office 365 → Graph API Layer → Azure APIs → Azure Active Directory
Permission chain: Azure admin user permissions → AW (AirWatch) Azure app permissions → permission scope of the token
1. Add Azure admin into AW & save
2. Search Azure groups by name (AW → Graph API request)
3. Return matching Azure groups (Graph API response → AW)
4. Select Azure groups to add in AW
5. Configure DLP rules in AW & save
6. Create iOS & Android DLP policy (AW → Graph API request)
7. Set specific DLP rules for policies (AW → Graph API request)
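The permission chain is the security-relevant part of this diagram: the token AirWatch ends up with is bounded by both the admin user's rights and the permissions consented to the AW Azure app. The following added example (not VMware's or Microsoft's code) builds steps 2, 6 and 7 as request objects without sending anything, and refuses each step unless the effective scope covers it. The Graph permission names are real; the endpoint paths and policy property names are the Microsoft Graph Intune app-protection ones as far as I know and are stated here as assumptions; the group name, policy id and group id are constructed placeholders.

```python
"""Dry-run builder for the Graph API calls behind the AirWatch DLP integration."""
from typing import Dict, Iterable, List

GRAPH = "https://graph.microsoft.com/v1.0"

# Least privilege: each step needs exactly one Graph permission (real permission names).
REQUIRED_PERMISSION = {
    "search_groups": "Group.Read.All",
    "create_policy": "DeviceManagementApps.ReadWrite.All",
    "assign_policy": "DeviceManagementApps.ReadWrite.All",
}


def effective_scope(admin_permissions: Iterable[str], app_permissions: Iterable[str]) -> set:
    """A delegated token is bounded by both the user's rights and the app's consent."""
    return set(admin_permissions) & set(app_permissions)


def _require(scope: set, step: str) -> None:
    needed = REQUIRED_PERMISSION[step]
    if needed not in scope:
        raise PermissionError(f"{step} needs {needed}; token scope is {sorted(scope)}")


def _odata_literal(value: str) -> str:
    # OData string literals escape a single quote by doubling it, so a group name
    # taken from admin input cannot break out of the $filter expression.
    return "'" + value.replace("'", "''") + "'"


def search_groups_request(scope: set, name_prefix: str) -> Dict:
    """Step 2: look up Azure AD groups by display-name prefix."""
    _require(scope, "search_groups")
    return {
        "method": "GET",
        "url": f"{GRAPH}/groups?$filter=startswith(displayName,{_odata_literal(name_prefix)})",
    }


def create_ios_policy_request(scope: set, display_name: str, rules: Dict) -> Dict:
    """Steps 6-7: create the iOS app-protection (DLP) policy with its rules.
    Property names are assumed Intune managedAppProtection properties."""
    _require(scope, "create_policy")
    body = {
        "displayName": display_name,
        "saveAsBlocked": rules.get("prevent_save_as", True),
        "dataBackupBlocked": rules.get("prevent_backup", True),
        "printBlocked": rules.get("disable_printing", True),
        "pinRequired": rules.get("require_pin", True),
        "minimumPinLength": rules.get("pin_length", 6),
        "allowedDataStorageLocations": rules.get("storage_locations", ["oneDrive", "sharePoint"]),
        "periodOfflineBeforeWipeIsEnforced": rules.get("offline_wipe", "P7D"),   # ISO 8601 duration
        "periodOfflineBeforeAccessCheck": rules.get("offline_grace", "PT1H"),
        "deviceComplianceRequired": True,
    }
    return {"method": "POST", "url": f"{GRAPH}/deviceAppManagement/iosManagedAppProtections", "body": body}


def assign_policy_request(scope: set, policy_id: str, group_ids: List[str]) -> Dict:
    """Target the policy at the groups chosen in step 4 (assumed 'assign' action shape)."""
    _require(scope, "assign_policy")
    return {
        "method": "POST",
        "url": f"{GRAPH}/deviceAppManagement/iosManagedAppProtections/{policy_id}/assign",
        "body": {"assignments": [
            {"target": {"@odata.type": "#microsoft.graph.groupAssignmentTarget", "groupId": gid}}
            for gid in group_ids]},
    }


def plan_rollout(admin_permissions, app_permissions, group_prefix, rules, policy_id, group_ids) -> List[Dict]:
    """Dry-run the whole sequence; fails fast if the token would be under-scoped."""
    scope = effective_scope(admin_permissions, app_permissions)
    return [
        search_groups_request(scope, group_prefix),
        create_ios_policy_request(scope, "Office DLP (constructed)", rules),
        assign_policy_request(scope, policy_id, group_ids),
    ]
```

Because the scope check runs before any request is built, an under-consented app (say, one granted only Group.Read.All) fails at planning time rather than half-way through a rollout with groups already selected but no policy created.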
Demo: Office 365 Graph APIs
Simplified Authentication
Office 365 is complex: many clients (modern, legacy, and 3rd party) can access data and email. IT must close all the holes.
Clients shown: Outlook, Android Native, iOS Native, Boxer, Thunderbird, Legacy Outlook, OneDrive, SharePoint App, Word, PowerPoint, OneNote, Excel
Office 365 supports different authentication methods
Users can get to Office 365 using legacy or modern auth. Workspace ONE protects both.
Modern auth: Outlook, OneDrive, Word
Legacy auth: Android Native, iOS Native, Legacy Outlook
Office 365 Modern Authentication - overview
• What is Modern Auth? MSFT’s official definition: authentication that uses the Active Directory Authentication Library (ADAL) and OAuth 2.0
– ADAL and OAuth work together to provide users/apps access to protected resources through security tokens
Flow between user/app, IDP and resource:
1. User authenticates to the IDP to get a token
2. App uses the token from step 1 to get the protected resource
O365 Modern Authentication flow (Passive Federation, WS-Fed Passive Profiles)
1. Client connects to O365
2. Client is redirected to the IdP for authentication
3. SAML assertion is sent via redirect to O365
4. OAuth2 access and refresh tokens are generated and passed to the client
5. Access token is now used for accessing O365
Access Token TTL = 1h
Refresh Token TTL = 15 - 90 days
O365 Legacy Authentication flow (Basic Authentication in Office 365)
1. Client connects to O365 and passes username and password
2. O365 connects to the IdP and passes username/password for validation
3. Username and password are validated
4. User is granted access
What is Modern Auth: simple definition
• Modern Auth is when the user authenticates to an IDP in a browser, rather than putting credentials into the app itself
This is Modern Auth
– The app redirects the user to an IDP in a browser
– The user sees an IDP screen and authenticates (configurable at the IDP)
– The IDP sends the user back to the app with an auth token
What is not Modern Auth: simple definition
• If the user has to enter credentials directly into the app, it’s not Modern Auth
This is not Modern Auth
– The user enters credentials into app UI
– The app sends credentials to IDP
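The difference between the two flows above is easiest to see when both are run side by side: in the modern flow the app and O365 only ever handle tokens, and the token lifetimes (1h access, 15-90 day refresh) decide how long a session survives; in the legacy flow the password crosses O365 on every request. The following is an added example, not code from the deck: a toy IdP, a toy O365 front end and both client behaviours, with constructed users, passwords and token formats, and the refresh TTL fixed at 15 days.

```python
"""Modern (SAML + OAuth2 tokens) vs legacy (Basic auth) Office 365 sign-in, modelled offline."""
import hmac
import secrets
from datetime import datetime, timedelta
from typing import Dict, Optional, Tuple

ACCESS_TOKEN_TTL = timedelta(hours=1)    # from the slide: access token TTL = 1h
REFRESH_TOKEN_TTL = timedelta(days=15)   # slide gives 15-90 days; lower bound used here


class IdP:
    def __init__(self, users: Dict[str, str]):
        self._users = users                   # constructed: username -> password
        self.pending: Dict[str, str] = {}     # SAML assertion id -> username
        self.password_checks = 0              # how often a raw password reached the IdP

    def _check(self, username: str, password: str) -> bool:
        self.password_checks += 1
        return hmac.compare_digest(self._users.get(username, ""), password)

    def browser_login(self, username: str, password: str) -> Optional[str]:
        """Modern step 2: the user types credentials on the IdP's own page, not in the app."""
        if not self._check(username, password):
            return None
        assertion = "saml-" + secrets.token_hex(8)
        self.pending[assertion] = username
        return assertion

    def validate_basic(self, username: str, password: str) -> bool:
        """Legacy step 2: O365 forwards the credentials it was handed."""
        return self._check(username, password)


class O365:
    def __init__(self, idp: IdP):
        self.idp = idp
        self.access: Dict[str, Tuple[str, datetime]] = {}    # token -> (user, expiry)
        self.refresh: Dict[str, Tuple[str, datetime]] = {}
        self.passwords_seen = 0               # passwords that crossed the resource server

    def redeem_assertion(self, assertion: str, now: datetime) -> Optional[Tuple[str, str]]:
        """Modern steps 3-4: SAML assertion in, OAuth2 access + refresh token out."""
        user = self.idp.pending.pop(assertion, None)
        if user is None:
            return None
        at, rt = "at-" + secrets.token_hex(8), "rt-" + secrets.token_hex(8)
        self.access[at] = (user, now + ACCESS_TOKEN_TTL)
        self.refresh[rt] = (user, now + REFRESH_TOKEN_TTL)
        return at, rt

    def refresh_access(self, rt: str, now: datetime) -> Optional[str]:
        entry = self.refresh.get(rt)
        if entry is None or now >= entry[1]:
            return None
        at = "at-" + secrets.token_hex(8)
        self.access[at] = (entry[0], now + ACCESS_TOKEN_TTL)
        return at

    def revoke_refresh_tokens(self, user: str) -> None:
        """Offboarding/conditional access must do this explicitly: the 1h access
        token dies on its own, but the refresh token would keep the session alive."""
        self.refresh = {k: v for k, v in self.refresh.items() if v[0] != user}

    def mailbox(self, at: Optional[str], now: datetime) -> Optional[str]:
        """Modern step 5: bearer access token."""
        entry = self.access.get(at or "")
        if entry is None or now >= entry[1]:
            return None
        return f"mailbox:{entry[0]}"

    def mailbox_basic(self, username: str, password: str) -> Optional[str]:
        """Legacy: Basic Authentication on every single request."""
        self.passwords_seen += 1
        return f"mailbox:{username}" if self.idp.validate_basic(username, password) else None


def run_modern_flow(start: datetime) -> Dict[str, object]:
    idp, o365 = IdP({"alice": "correct horse"}), None
    o365 = O365(idp)
    at, rt = o365.redeem_assertion(idp.browser_login("alice", "correct horse"), start)
    two_hours = start + timedelta(hours=2)
    result: Dict[str, object] = {
        "first": o365.mailbox(at, start),
        "stale": o365.mailbox(at, two_hours),                 # 1h access TTL has passed
        "renewed": o365.mailbox(o365.refresh_access(rt, two_hours), two_hours),
        "expired_refresh": o365.refresh_access(rt, start + REFRESH_TOKEN_TTL),
        "passwords_seen_by_o365": o365.passwords_seen,
        "idp_password_checks": idp.password_checks,
    }
    o365.revoke_refresh_tokens("alice")
    result["after_revoke"] = o365.refresh_access(rt, two_hours)
    return result


def run_legacy_flow() -> Dict[str, object]:
    idp = IdP({"bob": "hunter2"})
    o365 = O365(idp)
    ok = [o365.mailbox_basic("bob", "hunter2") for _ in range(3)]
    bad = o365.mailbox_basic("bob", "wrong")
    return {"ok": ok, "bad": bad, "passwords_seen_by_o365": o365.passwords_seen,
            "idp_password_checks": idp.password_checks}
```

Two things the counters make visible: in the modern flow the password is checked exactly once and O365 never sees it, and a session outlives the 1h access token only as long as the refresh token is both unexpired and unrevoked, which is why revoking refresh tokens is part of any conditional-access or offboarding response.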
Conditional Access
Restrict Office 365 Access to Managed and Compliant Devices
VMware Identity Manager validates the user identity and then checks the device:
• Management Profile Installed → ACCESS GRANTED
• No Management → ACCESS DENIED
Compliance Policies for Comprehensive Access Control
VMware Identity Manager validates the user identity and then checks the device:
• Managed by VMware AirWatch → ACCESS GRANTED
• Not Managed → ACCESS DENIED
• Integrate with on-premises AD
• Validate user identity, groups, MFA policies
• Allow access to specific users, devices, OS versions
• Check device compromised status
• Ensure device is managed by EMM
• App-agnostic identity framework across all apps (non-Microsoft apps)
Conditional Access model for Office 365
Policy Framework inputs:
USER & GROUP: User, Group, Risk Score
DEVICE: Management Status, Compliance, Device Type, Compromise, Domain Joined, Azure AD Joined
APP: Web, Mobile, Virtual (ranging from Low Security to High Security)
LOCATION: External / Internal, In Network / Out Network, Corp Wifi / 3G / 4G, Geo
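The framework above lists the inputs but not how they combine, and the order of evaluation is where access-control bugs live. The following added example (not VMware Identity Manager code) carries the user, device, app and location inputs in one context object and evaluates an ordered rule list in which denies come before step-up MFA, so a compromised or unmanaged device is never offered MFA as a way in. The rules, thresholds, group names and sample contexts are all constructed for the example; it generalises the managed/compliant checks on the two preceding slides to the full framework.

```python
"""Conditional access decisions over user / device / app / location inputs (offline model)."""
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class AccessContext:
    user: str
    groups: FrozenSet[str]
    risk_score: int            # 0 (clean) .. 100, e.g. from a UEBA provider
    managed: bool              # enrolled in EMM (management status)
    compliant: bool            # passes compliance policy
    compromised: bool          # jailbroken / rooted
    device_joined: str         # "domain" | "azure_ad" | "none"
    app: str
    app_security: str          # "low" | "high"
    network: str               # "corp_wifi" | "cellular" | "external"
    geo: str                   # country code
    mfa_completed: bool = False


Decision = Tuple[str, str]                        # ("allow" | "deny" | "mfa", reason)
Rule = Callable[[AccessContext], Optional[Decision]]


def compromised_device(c: AccessContext) -> Optional[Decision]:
    return ("deny", "device compromised") if c.compromised else None


def high_security_needs_managed_compliant(c: AccessContext) -> Optional[Decision]:
    if c.app_security == "high" and not (c.managed and c.compliant):
        return ("deny", f"{c.app} requires a managed, compliant device")
    return None


def finance_geo_fence(c: AccessContext) -> Optional[Decision]:
    # Group-scoped rule with a constructed allow-list of countries.
    if "finance" in c.groups and c.geo not in {"SE", "US"}:
        return ("deny", f"finance access not allowed from {c.geo}")
    return None


def risky_or_external_needs_mfa(c: AccessContext) -> Optional[Decision]:
    if c.mfa_completed:
        return None
    if c.risk_score >= 50 or c.network == "external":
        return ("mfa", "step-up required: elevated risk score or off-network")
    return None


# Denies first, then step-ups; order is part of the policy.
RULES: List[Rule] = [
    compromised_device,
    high_security_needs_managed_compliant,
    finance_geo_fence,
    risky_or_external_needs_mfa,
]


def evaluate(c: AccessContext, rules: Optional[List[Rule]] = None) -> Decision:
    """First rule that fires decides; no rule firing means allow."""
    for rule in rules if rules is not None else RULES:
        verdict = rule(c)
        if verdict is not None:
            return verdict
    return ("allow", "all checks passed")


def sample_decisions() -> dict:
    """Constructed contexts covering each branch of the rule set."""
    base = dict(user="alice", groups=frozenset({"sales"}), risk_score=10, managed=True,
                compliant=True, compromised=False, device_joined="azure_ad", app="Outlook",
                app_security="high", network="corp_wifi", geo="SE")
    variants = {
        "clean": {},
        "rooted": {"compromised": True},
        "unmanaged_high": {"managed": False},
        "unmanaged_low": {"managed": False, "app_security": "low"},
        "external": {"network": "external"},
        "external_mfa_done": {"network": "external", "mfa_completed": True},
        "risky_internal": {"risk_score": 70},
        "finance_abroad": {"groups": frozenset({"finance"}), "geo": "BR"},
        "rooted_external": {"compromised": True, "network": "external"},
    }
    return {name: evaluate(AccessContext(**{**base, **delta}))[0] for name, delta in variants.items()}
```

The "rooted_external" case is the one worth checking in any real policy engine: both a deny rule and an MFA rule match, and the result must be deny.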
Conditional Access – Admin interface (screenshots)
Workspace ONE integrates with best of breed MFA, CASB, UEBA and security providers
Best of breed Multi-Factor Authentication (MFA)
• Duo, RSA SecurID, and VMware Verify at no cost
Best of breed Cloud Access Security Broker (CASB)
• Netskope, SkyHigh
Best of breed User and Entity Behavior Analytics (UEBA)
• Gurucul
Other Identity Solutions
• Microsoft ADFS
• Ping Identity
• Okta
Other security ecosystems
• Mobile Security Alliance (MSA)
• AppConfig
…and many more.
Demo: Adaptive Management, Mobile SSO and Conditional Access
Securing Productivity Apps
Office 365 supports many legacy and 3rd party clients—Workspace ONE keeps all clients secure
Clients shown: Boxer (Extra security), Outlook, Android Native, iOS Native, Thunderbird, Legacy Outlook, Content Locker (Extra security), OneNote, SharePoint App, OneDrive, Word, Excel