SAAM2291BE Securing Access and Protecting Information in Office 365 with Workspace ONE

Peter Björk, @thepeb, Principal Systems Engineer
Adarsh Kesari, @adarshkesari, Senior Systems Engineer
#VMworld #SAAM2291BE
VMworld 2017 Content: Not for publication or distribution

Page 1: Securing Access and Protecting Information in Office 365 with Workspace ONE

Page 2: Disclaimer

• This presentation may contain product features that are currently under development.
• This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.
• Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.
• Technical feasibility and market demand will affect final delivery.
• Pricing and packaging for any new technologies or features discussed or presented have not been determined.

Page 3: Securing Access and Protecting Information in Office 365 with Workspace ONE

1. Data Loss Prevention
2. Simplified Authentication
3. Conditional Access
4. Securing Productivity Apps

Page 4: 340M downloads of Office mobile applications (Source: Microsoft, 2016)

Page 5: Four Pillars of Office 365 Security (Workspace ONE + Office 365)

Data Loss Prevention
• At rest
• In use
• In transit
• On any device

Simplified Authentication
• No passwords (SSO)
• Control Modern and Legacy Auth
• Consumer-simple MFA

Conditional Access
• Block Unapproved Access
• Email compliance

Securing Productivity Apps
• Email
• Content
• Browsing

Page 6: Data Loss Prevention

Page 7: A New Level of Data Security

At Rest
• Passcode protection
• Device encryption
• Enterprise wipe

In Use
• Containerization
• DLP policies
• MAM co-existence

In Transit
• SSL encryption
• App-level VPN

Page 8: Prevent Data Loss Using Native Platform Controls

Windows
• Windows Information Protection
• Passport for Work and Windows Hello

iOS
• Managed App container
• Open-in controls
• Device passcode and Touch ID

Android
• Android for Work container
• Copy/Paste controls
• Device passcode

Page 9: Available Data Loss Prevention Policies

• Prevent Backup
• Allow Apps to Transfer Data to Other Apps
• Allow Apps to Receive Data from Other Apps
• Prevent “Save As”
• Restrict Cut Copy Paste with Other Apps
• Restrict Web Content to Display in Managed Browser
• Encrypt App Data
• Disable Contacts Sync
• Disable Printing
• Allow Specific Data Storage Locations - OneDrive for Business, SharePoint, Box, Dropbox, Google Drive, Local Storage
• Require PIN for Access
• Number of Attempts before PIN Reset
• Allow Simple PIN
• PIN Length
• Allowed PIN Characters
• Allow Fingerprint Instead of PIN
• Require Corporate Credentials for Access
• Block Managed Apps from Running on Jailbroken or Rooted Devices
• Recheck the Access Requirements after Timeout
• Offline Grace Period
• Offline Interval before App Data is Wiped
• Block Android Screen Capture and Android Assistant

Page 10: Current Integration

Office 365 & Azure Cloud

AirWatch calls the Graph API to configure and assign DLP for native Office apps
Microsoft cloud services enforce policies on all Office apps – managed or unmanaged
Device enrolls to manage apps and wipe corporate data

Page 11: Integration

Components in the diagram: Office 365, Graph API Layer, Azure APIs, Azure Active Directory, AW (AirWatch).
Legend: Azure Admin user permissions; AW Azure app permissions; Permission scope of token; Graph API request or response.

1. Add Azure admin into AW & save
2. Search Azure groups by name
3. Return matching Azure groups
4. Select Azure groups to add in AW
5. Configure DLP rules in AW & save
6. Create iOS & Android DLP policy (AW)
7. Set specific DLP rules for policies (AW)


Page 17: Demo (Office 365 Graph APIs)

Page 19: Simplified Authentication

Page 20: Office 365 is complex: many clients (modern, legacy, & 3rd party) can access data and emails. IT must close all the holes.

Clients shown: Outlook, Android Native, iOS Native, Boxer, Thunderbird, Legacy Outlook, OneDrive, SharePoint App, Word, PowerPoint, OneNote, Excel.

Page 21: Office 365 supports different authentication methods

Users can get to Office 365 using legacy or modern auth. Workspace ONE protects both.

Modern auth: Outlook, OneDrive, Word
Legacy auth: Android Native, iOS Native, Legacy Outlook

Page 22: Office 365 Modern Authentication - overview

• What is Modern Auth? MSFT’s official definition: authentication that uses the Active Directory Authentication Library (ADAL) and OAuth 2.0
– ADAL and OAuth work together to provide users/apps access to protected resources through security tokens

Token flow between User/app, IDP and Resource:
1. User authenticates to the IDP to get a token
2. App uses the token from step 1 to get the protected resource

Page 23: O365 Modern Authentication flow (Passive Federation, WS-Fed Passive Profiles)

Tokens in the diagram: SAML assertion, OAuth2 Access Token, OAuth2 Refresh Token.

1. Client connects to O365
2. Client is redirected to the IdP for authentication
3. SAML assertion is sent via redirect to O365
4. Access and Refresh OAuth2 tokens are generated and passed to the client
5. Access token is now used for accessing O365

Access Token TTL = 1h
Refresh Token TTL = 15 - 90 days

Page 24: O365 Legacy Authentication flow (Basic Authentication in Office 365)

1. Client connects to O365 and passes username and password
2. O365 connects to the IdP and passes username/password for validation
3. Username and password are validated
4. User is granted access
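As an added example that is not part of the deck, the five-step modern flow on page 23 and the basic-auth flow on page 24 modelled in plain Python with the stated TTLs; the credential store, the SAML and token formats and the 90-day refresh lifetime are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
import secrets

# TTLs as stated on the slide: access token 1 h, refresh token 15-90 days.
# The refresh lifetime is set to the 90-day upper bound here (assumption).
ACCESS_TTL = timedelta(hours=1)
REFRESH_TTL = timedelta(days=90)

USERS = {"alice": "correct horse battery"}  # constructed IdP credential store
idp_validations = []  # records every time the IdP is asked to check a password


@dataclass
class Token:
    value: str
    expires: datetime


@dataclass
class Session:
    """OAuth2 token pair the client holds after steps 1-4 of the modern flow."""
    access: Token
    refresh: Token


def idp_validate(user: str, password: str) -> bool:
    """Only the IdP ever sees the password; every check is logged."""
    idp_validations.append(user)
    return USERS.get(user) == password


def modern_auth_login(user: str, password: str, now: datetime):
    """Steps 1-4: redirect to the IdP, SAML assertion back to O365, tokens minted.
    Returns a Session, or None when the IdP rejects the credentials."""
    if not idp_validate(user, password):              # step 2: IdP login screen
        return None
    assertion = f"saml:{user}:{secrets.token_hex(4)}"  # step 3 (constructed format)
    if not assertion.startswith("saml:"):             # O365 accepts the assertion
        return None
    return Session(                                   # step 4: token pair to client
        access=Token(secrets.token_hex(8), now + ACCESS_TTL),
        refresh=Token(secrets.token_hex(8), now + REFRESH_TTL),
    )


def o365_request(session: Session, now: datetime) -> str:
    """Step 5 at time `now`. Returns which path granted (or blocked) access:
    'access_token', 'refreshed' (new access token via the refresh token, IdP
    not consulted) or 'reauth_required' (both expired, back to step 2)."""
    if now < session.access.expires:
        return "access_token"
    if now < session.refresh.expires:
        session.access = Token(secrets.token_hex(8), now + ACCESS_TTL)
        return "refreshed"
    return "reauth_required"


def legacy_basic_auth_request(user: str, password: str) -> bool:
    """Page 24 flow: the app holds the password and O365 forwards it to the
    IdP on every request; no token is issued, so nothing ever expires."""
    return idp_validate(user, password)
```

The IdP log makes the security-relevant difference visible: the modern client only returns to the IdP once both tokens have expired, while the basic-auth client hands the password over on every request.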

Page 25: What is Modern Auth: simple definition

• Modern Auth is when the user authenticates to an IDP in a browser, rather than putting credentials into the app itself

This is Modern Auth
– The app redirects the user to an IDP in a browser
– The user sees an IDP screen and authenticates (configurable at the IDP)
– The IDP sends the user back to the app with an auth token

Page 26: What is not Modern Auth: simple definition

• If the user has to enter credentials directly into the app, it’s not Modern Auth

This is not Modern Auth
– The user enters credentials into the app UI
– The app sends credentials to the IDP

Page 27: Conditional Access

Page 28: Restrict Office 365 Access to Managed and Compliant Devices

VMware Identity Manager: user identity validated
• Management profile installed: ACCESS GRANTED
• No management: ACCESS DENIED

Page 29: Compliance Policies for Comprehensive Access Control

VMware Identity Manager: user identity validated
• Managed by VMware AirWatch: ACCESS GRANTED
• Not managed: ACCESS DENIED

• Integrate with on-premises AD
• Validate user identity, groups, MFA policies
• Allow access to specific users, devices, OS versions
• Check device compromised status
• Ensure device is managed by EMM
• App-agnostic identity framework across all apps (non-Microsoft apps)

Page 30: Conditional Access model for Office 365

Policy Framework inputs:

USER & GROUP
• User
• Group
• Risk Score

DEVICE
• Management Status
• Compliance
• Device Type
• Compromise
• Domain Joined
• Azure AD Joined

APP
• Web, Mobile, Virtual
• Low Security to High Security

LOCATION
• External / Internal
• In Network / Out Network
• Corp Wifi / 3G / 4G
• Geo
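An added example, not from the deck, that turns the four policy dimensions above and the managed/compliant gates on pages 28 and 29 into a small fail-closed evaluator; the group name, minimum OS versions and the step-up MFA rule are constructed assumptions.

```python
from dataclasses import dataclass, replace

# Constructed policy settings: the deck names the factors (user/group, device
# management and compliance, compromise status, OS version, app security level,
# network location, MFA) but shows no concrete values.
ENTITLED_GROUPS = {"O365-Users"}
MIN_OS_VERSION = {"ios": (10, 0), "android": (7, 0), "windows": (10, 0)}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: frozenset            # USER & GROUP
    platform: str                # DEVICE
    os_version: tuple
    managed: bool                # enrolled in EMM (AirWatch)
    compliant: bool              # passes compliance policies
    compromised: bool            # jailbroken / rooted
    app_security: str            # APP: "low" or "high"
    network: str                 # LOCATION: "internal" or "external"
    mfa_done: bool


def evaluate(req: AccessRequest) -> tuple:
    """Return (decision, reason) with decision in {'deny', 'step_up_mfa', 'allow'}.
    Checks run user -> device -> app/location and fail closed on the first miss."""
    if not (req.groups & ENTITLED_GROUPS):
        return ("deny", "user not in an entitled group")
    if req.compromised:
        return ("deny", "device compromised (jailbroken/rooted)")
    if not req.managed:
        return ("deny", "device not managed by EMM")
    if not req.compliant:
        return ("deny", "device fails compliance policy")
    if req.platform not in MIN_OS_VERSION:
        return ("deny", f"unknown platform {req.platform!r}")
    if req.os_version < MIN_OS_VERSION[req.platform]:
        return ("deny", "OS version below minimum")
    if req.app_security == "high" and req.network == "external" and not req.mfa_done:
        return ("step_up_mfa", "high-security app reached from outside the network")
    return ("allow", "all conditions met")


def baseline(**overrides) -> AccessRequest:
    """A fully compliant constructed request; override fields to test one factor."""
    req = AccessRequest(
        user="alice", groups=frozenset({"O365-Users"}), platform="ios",
        os_version=(10, 3), managed=True, compliant=True, compromised=False,
        app_security="low", network="internal", mfa_done=False,
    )
    return replace(req, **overrides)
```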

Pages 31-33: Conditional Access – Admin interface (three screenshot slides, no extracted text)

Page 34: Workspace ONE integrates with best of breed MFA, CASB, UEBA and security providers

Best of breed Multi-Factor Authentication (MFA)
• Duo, RSA SecurID, and VMware Verify at no cost

Best of breed Cloud Access Security Broker (CASB)
• Netskope, SkyHigh

Best of breed User and Entity Behavior Analytics (UEBA)
• Gurucul

Other Identity Solutions
• Microsoft ADFS
• Ping Identity
• Okta

Other security ecosystems
• Mobile Security Alliance (MSA)
• AppConfig

…and many, many more.

Page 35: Demo (Adaptive Management, Mobile SSO and Conditional Access)

Page 37: Securing Productivity Apps

Page 38: Office 365 supports many legacy and 3rd party clients—Workspace ONE keeps all clients secure

Clients shown: Boxer, Outlook, Android Native, iOS Native, Thunderbird, Legacy Outlook, Content Locker (Extra security), OneNote, SharePoint App, OneDrive, Word, Excel (Extra security).