Transcript of SAAM2291BE: Securing Access and Protecting Information in Office 365 with Workspace ONE
Camilo Lotero, Senior Technical Marketing Manager
Adarsh Kesari, Senior Systems Engineer
SAAM2291BE
#VMworld #SAAM2291BE
Securing Access and Protecting Information in Office 365 with Workspace ONE
VMworld 2017 Content: Not for publication or distribution
Disclaimer
• This presentation may contain product features that are currently under development.
• This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.
• Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.
• Technical feasibility and market demand will affect final delivery.
• Pricing and packaging for any new technologies or features discussed or presented have not been determined.
#SAAM2291BU CONFIDENTIAL 2
Securing Access and Protecting Information in Office 365 with Workspace ONE
1 Data Loss Prevention
2 Simplified Authentication
3 Conditional Access
4 Securing Productivity Apps
340M Downloads of Office Mobile Applications (Source: Microsoft, 2016)
Four Pillars of Office 365 Security
Workspace ONE + Office 365
Data Loss Prevention
• At rest
• In use
• In transit
• On any device
Simplified Authentication
• No passwords (SSO)
• Control Modern and Legacy Auth
• Consumer-simple MFA
Conditional Access
• Block Unapproved Access
Securing Productivity Apps
• Email compliance
• Content
• Browsing
Data Loss Prevention
A New Level of Data Security
At Rest
• Passcode protection
• Device encryption
• Enterprise wipe
In Use
• Containerization
• DLP policies
• MAM co-existence
In Transit
• SSL encryption
• App-level VPN
Prevent Data Loss Using Native Platform Controls
• Windows Information Protection
• Passport for Work and Windows Hello
• Managed App container
• Open-in controls
• Device passcode and Touch ID
• Android for Work container
• Copy/Paste controls
• Device passcode
Available Data Loss Prevention Policies
• Prevent Backup
• Allow Apps to Transfer Data to Other Apps
• Allow Apps to Receive Data from Other Apps
• Prevent “Save As”
• Restrict Cut Copy Paste with Other Apps
• Restrict Web Content to Display in Managed Browser
• Encrypt App Data
• Disable Contacts Sync
• Disable Printing
• Allow Specific Data Storage Locations – One Drive for Business, SharePoint, Box, Dropbox, Google Drive, Local Storage
• Require PIN for Access
• Number of Attempts before PIN Reset
• Allow Simple PIN
• PIN Length
• Allowed PIN Characters
• Allow Fingerprint Instead of PIN
• Require Corporate Credentials For Access
• Block Managed Apps from Running on Jailbroken or Rooted Devices
• Recheck The Access Requirements after Timeout
• Offline Grace Period
• Offline Interval before App Data is Wiped
• Block Android Screen Capture and Android Assistant
Current Integration
Office 365 & Azure Cloud
• AirWatch calls Graph API to configure and assign DLP for native Office apps
• Microsoft cloud services enforce policies on all Office apps – managed or unmanaged
• Device enrolls to manage apps and wipe corporate data
Integration
Components: Office 365, Graph API Layer, Azure APIs, Azure Active Directory, AirWatch (AW)
Diagram legend: Azure Admin user permissions; AW Azure app permissions; Permission scope of token; Graph API request or response
1. Add Azure admin into AW & save
2. Search Azure groups by name (AW, Graph API request)
3. Return matching Azure groups (Graph API response)
4. Select Azure groups to add in AW
5. Configure DLP rules in AW & save
6. Create iOS & Android DLP policy (AW, Graph API request)
7. Set specific DLP rules for policies (AW, Graph API request)
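The integration diagram calls out the "permission scope of token" that AirWatch obtains from Azure AD before it calls the Graph API. The following added example (not VMware or Microsoft code) shows the client-side check a practitioner would want before steps 2 and 6: decode the access token's claims and confirm it is for Graph, not expired, carries the scopes the group search and app-protection calls need, and carries nothing broader. The mapping of steps to the Graph permission names Group.Read.All and DeviceManagementApps.ReadWrite.All is an assumption for illustration, the token is a constructed unsigned sample, and the signature is deliberately not verified here because that is the resource server's job.

```python
import base64
import json
import time

GRAPH_AUDIENCE = "https://graph.microsoft.com"
# Assumed mapping of the diagram's steps to Graph delegated permissions:
#   steps 2-3 search/read Azure AD groups      -> Group.Read.All
#   steps 6-7 create/configure app protection  -> DeviceManagementApps.ReadWrite.All
REQUIRED_SCOPES = {"Group.Read.All", "DeviceManagementApps.ReadWrite.All"}
# Directory-wide write permissions are far more than this integration needs.
OVERBROAD_SCOPES = {"Directory.ReadWrite.All", "RoleManagement.ReadWrite.Directory"}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_jwt_claims(token: str) -> dict:
    """Return the JWT payload WITHOUT verifying the signature.

    The resource server (Graph) verifies the signature; the client only
    inspects the claims to decide whether the token fits the calls it is
    about to make."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def check_graph_token(token: str, now=None) -> dict:
    """Check audience, expiry and scope of a Graph access token.

    Returns {"ok": bool, "problems": [...], "scopes": set}."""
    now = time.time() if now is None else now
    claims = decode_jwt_claims(token)
    problems = []
    # Delegated tokens list scopes in "scp" (space separated); app-only
    # tokens list application roles in "roles".
    scopes = set(claims.get("scp", "").split()) | set(claims.get("roles", []))
    if claims.get("aud") != GRAPH_AUDIENCE:
        problems.append(f"audience is {claims.get('aud')!r}, not Graph")
    if claims.get("exp", 0) <= now:
        problems.append("token is expired")
    missing = REQUIRED_SCOPES - scopes
    if missing:
        problems.append("missing scopes: " + ", ".join(sorted(missing)))
    overbroad = OVERBROAD_SCOPES & scopes
    if overbroad:
        problems.append("over-broad scopes granted: " + ", ".join(sorted(overbroad)))
    return {"ok": not problems, "problems": problems, "scopes": scopes}


def make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT (alg none) for offline demonstration only."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


# Constructed sample claims; no real tenant data.
NOW = 1_500_000_000
GOOD_TOKEN = make_sample_token({
    "aud": GRAPH_AUDIENCE, "exp": NOW + 3600, "upn": "admin@example.invalid",
    "scp": "Group.Read.All DeviceManagementApps.ReadWrite.All",
})
OVERBROAD_TOKEN = make_sample_token({
    "aud": GRAPH_AUDIENCE, "exp": NOW + 3600, "upn": "admin@example.invalid",
    "scp": "Group.Read.All DeviceManagementApps.ReadWrite.All Directory.ReadWrite.All",
})
EXPIRED_TOKEN = make_sample_token({
    "aud": GRAPH_AUDIENCE, "exp": NOW - 60, "scp": "Group.Read.All",
})

if __name__ == "__main__":
    for name, tok in [("good", GOOD_TOKEN), ("overbroad", OVERBROAD_TOKEN), ("expired", EXPIRED_TOKEN)]:
        print(name, check_graph_token(tok, now=NOW))
```

The over-broad check is the one worth keeping in a real deployment: the Azure admin account that is "added into AW" in step 1 grants consent, and an admin who consents to Directory.ReadWrite.All hands the EMM far more than the DLP workflow needs.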
Demo: Office 365 Integration
Simplified Authentication
Office 365 is Complex: Many Clients (Modern, Legacy, & 3rd Party) Can Access Data and Emails. IT Must Close All the Holes
Email clients: Outlook, Android Native, iOS Native, Boxer, Thunderbird, Legacy Outlook
Apps for data: OneDrive, SharePoint App, Word, PowerPoint, OneNote, Excel
Office 365 is Complex: Some Clients Use Modern Auth, and Some Use Legacy. IT Must Protect Both
Users can get to Office 365 using legacy or modern auth. Workspace ONE protects both.
Modern auth: Outlook, OneDrive, Word
Legacy auth: Android Native, iOS Native, Legacy Outlook
Office 365 Requires Protection For Two Kinds of Authentication: Modern Auth and Legacy Auth
• What is Modern Auth? MSFT’s official definition: authentication that uses the Active Directory Authentication Library (ADAL) and OAuth 2.0
– ADAL and OAuth work together to provide users/apps access to protected resources through security tokens
1. User authenticates to the IDP to get a token
2. App uses the token from step 1 to get the protected resource
(Diagram: User/app, IDP, Resource)
O365 Modern Authentication Flow: Passive Federation (WS-Fed Passive Profiles)
1. Client connects to O365
2. Client is redirected to IdP for authentication
3. SAML assertion is sent via redirect to O365
4. Access and refresh OAuth2 tokens are generated and passed to client
5. Access token is now used for accessing O365
Access Token TTL = 1h; Refresh Token TTL = 15 - 90 days
What is Modern Auth: Simple Definition
• Modern Auth is when the user authenticates to an IDP in a browser, rather than putting credentials into the app itself
This is Modern Auth
– The app redirects the user to an IDP in a browser
– The user sees an IDP screen and authenticates (configurable at the IDP)
– The IDP sends the user back to the app with an auth token
What is Not Modern Auth: Simple Definition
• If the user has to enter credentials directly into the app, it’s not Modern Auth
This is not Modern Auth
– The user enters credentials into app UI
– The app sends credentials to IDP
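The five-step flow and the modern/legacy distinction above are easiest to see with all three parties in one place. The following added simulation (not VMware or Microsoft code) models the IdP, the Office 365 token service and a client app in-process: the user's password only ever reaches the IdP, the client receives an OAuth2 access token with the slide's 1-hour TTL plus a refresh token, and the client recovers from access-token expiry by refreshing. Signing is HMAC over JSON with constructed keys in place of real SAML/JWS signatures, the user and password are constructed, and the 5-minute assertion freshness window is an assumption.

```python
import hashlib
import hmac
import json
import secrets

ACCESS_TTL = 3600          # access token TTL = 1h, as on the slide
REFRESH_TTL = 90 * 86400   # refresh token TTL is 15-90 days on the slide; upper bound used


def _tag(key: bytes, body: dict) -> str:
    """HMAC-SHA256 over canonical JSON; stands in for the real SAML/JWS signature."""
    msg = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class IdP:
    """Step 2: the user authenticates here (in a browser), never inside the app."""

    def __init__(self, users: dict, key: bytes):
        self.users, self.key = users, key

    def authenticate(self, username: str, password: str, now: int):
        expected = self.users.get(username)
        if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
            return None
        body = {"sub": username, "aud": "o365", "iat": now}
        return {"body": body, "sig": _tag(self.key, body)}   # step 3: the assertion


class O365:
    """Steps 3-5: redeems the assertion for OAuth2 tokens and serves API calls."""

    def __init__(self, idp_key: bytes, token_key: bytes):
        self.idp_key, self.token_key = idp_key, token_key
        self.refresh_store = {}   # jti -> subject; removing an entry revokes it

    def _issue(self, sub: str, kind: str, now: int, ttl: int, jti: str) -> str:
        body = {"sub": sub, "kind": kind, "exp": now + ttl, "jti": jti}
        return json.dumps(body) + "." + _tag(self.token_key, body)

    def _parse(self, token: str, kind: str, now: int):
        raw, _, sig = token.rpartition(".")
        body = json.loads(raw)
        if not hmac.compare_digest(sig, _tag(self.token_key, body)):
            return None
        return body if body["kind"] == kind and body["exp"] > now else None

    def redeem_assertion(self, assertion: dict, now: int):
        body = assertion["body"]
        if not hmac.compare_digest(assertion["sig"], _tag(self.idp_key, body)):
            return None
        if body["aud"] != "o365" or now - body["iat"] > 300:   # 5-minute window (assumed)
            return None
        jti = secrets.token_hex(8)
        self.refresh_store[jti] = body["sub"]
        return {"access_token": self._issue(body["sub"], "access", now, ACCESS_TTL, jti),
                "refresh_token": self._issue(body["sub"], "refresh", now, REFRESH_TTL, jti)}

    def refresh(self, refresh_token: str, now: int):
        body = self._parse(refresh_token, "refresh", now)
        if body is None or body["jti"] not in self.refresh_store:
            return None
        return self._issue(body["sub"], "access", now, ACCESS_TTL, body["jti"])

    def revoke_user(self, sub: str):
        """Drop every refresh token for a user, e.g. when the device leaves compliance."""
        self.refresh_store = {j: s for j, s in self.refresh_store.items() if s != sub}

    def read_mailbox(self, access_token: str, now: int) -> str:
        body = self._parse(access_token, "access", now)
        return f"mailbox of {body['sub']}" if body else "401 Unauthorized"


def run_flow() -> dict:
    """Walk the five steps with constructed keys and a constructed user; return observations."""
    idp_key, token_key = secrets.token_bytes(32), secrets.token_bytes(32)
    idp = IdP({"alice@example.invalid": "correct-horse-battery"}, idp_key)
    o365 = O365(idp_key, token_key)
    t0 = 1_500_000_000
    later = t0 + ACCESS_TTL + 1
    out = {}
    out["bad_password"] = idp.authenticate("alice@example.invalid", "wrong", t0)
    assertion = idp.authenticate("alice@example.invalid", "correct-horse-battery", t0)  # steps 1-3
    tokens = o365.redeem_assertion(assertion, t0)                                     # step 4
    out["first_call"] = o365.read_mailbox(tokens["access_token"], t0)                # step 5
    out["after_access_ttl"] = o365.read_mailbox(tokens["access_token"], later)
    new_access = o365.refresh(tokens["refresh_token"], later)
    out["after_refresh"] = o365.read_mailbox(new_access, later)
    o365.revoke_user("alice@example.invalid")
    out["refresh_after_revoke"] = o365.refresh(tokens["refresh_token"], later)
    out["access_survives_revoke"] = o365.read_mailbox(new_access, later + 1)
    return out


if __name__ == "__main__":
    for key, value in run_flow().items():
        print(f"{key}: {value}")
```

Two things the run makes visible. First, the client object never touches the password, which is exactly the modern/legacy line drawn on the slide: in the legacy pattern the app would collect the credential itself and send it to the IdP on every connection. Second, revoking the refresh token does not invalidate an access token that has already been issued; it keeps working until its 1-hour TTL runs out, so the access-token lifetime bounds how long a device that has just fallen out of compliance can keep reading mail.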
Bottom line: O365 Solutions Must Protect a Complex, Powerful Suite of Apps Used Across Your Organization
• Your solution must
– Handle all ways to authenticate into Office 365
– Protect all the clients that users use to access Office 365 email and data
– Ensure corporate data doesn’t leak from users’ devices
Federate Existing AD Credentials with Identity Manager
• Federates identity for single version of truth
• Works across Office 365 and all other app investments
• Integrates with existing identity solutions
• Automatic SSO based on native OS APIs
• SSO based on certificates and Kerberos authentication
(Diagram: VMware Identity Manager federating Active Directory and existing identity solution(s))
Conditional Access
Restrict Office 365 Access to Managed and Compliant Devices
(Diagram: VMware Identity Manager validates the user identity; a device with the Management Profile Installed gets ACCESS GRANTED, a device with No Management gets ACCESS DENIED)
Compliance Policies for Comprehensive Access Control
(Diagram: VMware Identity Manager validates the user identity; a device Managed by VMware AirWatch gets ACCESS GRANTED, a device that is Not Managed gets ACCESS DENIED)
• Integrate with on-premises AD
• Validate user identity, groups, MFA policies
• Allow access to specific users, devices, OS versions
• Check device compromised status
• Ensure device is managed by EMM
• App-agnostic identity framework across all apps (non-Microsoft apps)
Conditional Access Model for Office 365
Policy Framework: USER, DEVICE, APP, LOCATION
USER & GROUP
• User
• Group
• Risk Score
DEVICE
• Management Status
• Compliance
• Device Type
• Compromise
• Domain Joined
• Azure AD Joined
APP
• Web
• Mobile
• Virtual
• Low Security to High Security
LOCATION
• External / Internal
• In Network / Out Network
• Corp Wifi / 3G / 4G
• Geo
Leverage Your Existing Investments in the Conditional Access Workflow
• AirWatch Compliant?
• Domain Joined?
• Azure AD Domain Joined?
• Passed an MFA check?
• Has a valid certificate?
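The compliance-policy bullets, the USER / DEVICE / APP / LOCATION model and the five workflow questions above describe a policy decision, and the order in which the checks are applied is what makes it safe. The following added example (not VMware's policy engine) evaluates those signals in a fixed order: hard denies (compromised, unknown device, non-compliant, unsupported OS, user not in an allowed group) come first, then step-up conditions that require a passed MFA check (high-security app, request from outside the network, high risk score, mobile SSO without a device certificate), and only then a grant. The signal names, the threshold values and the sample contexts are all constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class AccessContext:
    """Signals gathered for one access attempt (constructed for the example)."""
    user: str
    groups: frozenset
    risk_score: int            # 0-100, higher is riskier (UEBA-style score)
    managed_by_emm: bool       # enrolled in the EMM (AirWatch)
    compliant: bool            # passes the EMM compliance policy
    compromised: bool          # jailbroken / rooted
    domain_joined: bool
    azure_ad_joined: bool
    app: str                   # "web", "mobile" or "virtual"
    app_sensitivity: str       # "low" or "high"
    in_network: bool           # corporate Wi-Fi vs external (3G/4G, other)
    mfa_passed: bool
    has_valid_cert: bool       # device certificate used for mobile SSO
    os_version: tuple          # e.g. (10, 3)


@dataclass
class Decision:
    outcome: str               # "grant", "deny" or "step_up"
    reasons: list


def evaluate(ctx: AccessContext, allowed_groups=frozenset({"o365-users"}),
             min_os=(10, 3)) -> Decision:
    """Apply the policy in fixed order: hard denies, then step-up, then grant."""
    deny = []
    if ctx.compromised:
        deny.append("device is compromised (jailbroken/rooted)")
    if not (ctx.groups & allowed_groups):
        deny.append("user is not in an allowed group")
    # A device counts as managed if the EMM manages it or it is joined to
    # on-premises AD or Azure AD; anything else is an unknown device.
    if not (ctx.managed_by_emm or ctx.domain_joined or ctx.azure_ad_joined):
        deny.append("device is not managed")
    if ctx.managed_by_emm and not ctx.compliant:
        deny.append("device is managed but not compliant")
    if ctx.os_version < min_os:
        deny.append(f"OS version {ctx.os_version} is below minimum {min_os}")
    if deny:
        return Decision("deny", deny)

    # Step-up: a riskier context needs a second factor before a token is issued.
    needs_mfa = []
    if ctx.app_sensitivity == "high":
        needs_mfa.append("high-security app")
    if not ctx.in_network:
        needs_mfa.append("request from outside the corporate network")
    if ctx.risk_score >= 70:
        needs_mfa.append(f"risk score {ctx.risk_score} is high")
    if ctx.app == "mobile" and not ctx.has_valid_cert:
        needs_mfa.append("no device certificate for mobile SSO")
    if needs_mfa and not ctx.mfa_passed:
        return Decision("step_up", needs_mfa)
    return Decision("grant", ["managed, compliant device; identity validated"])


def _ctx(**overrides) -> AccessContext:
    """Constructed baseline: managed, compliant, in-network mobile user."""
    base = dict(user="alice@example.invalid", groups=frozenset({"o365-users"}),
                risk_score=10, managed_by_emm=True, compliant=True, compromised=False,
                domain_joined=False, azure_ad_joined=False, app="mobile",
                app_sensitivity="low", in_network=True, mfa_passed=False,
                has_valid_cert=True, os_version=(10, 3))
    base.update(overrides)
    return AccessContext(**base)


SAMPLES = {
    "managed_in_network": _ctx(),
    "unmanaged_byod": _ctx(managed_by_emm=False, has_valid_cert=False),
    "rooted_device": _ctx(compromised=True),
    "external_no_mfa": _ctx(in_network=False),
    "external_with_mfa": _ctx(in_network=False, mfa_passed=True),
    "domain_joined_pc_old_os": _ctx(managed_by_emm=False, domain_joined=True,
                                    app="web", os_version=(8, 1)),
}


def run_samples() -> dict:
    """Outcome per constructed sample context."""
    return {name: evaluate(ctx).outcome for name, ctx in SAMPLES.items()}


if __name__ == "__main__":
    for name, ctx in SAMPLES.items():
        d = evaluate(ctx)
        print(f"{name:26s} {d.outcome:8s} {'; '.join(d.reasons)}")
```

The ordering is the point: a compromised device is denied even if it has passed MFA, and a passed MFA check only ever lifts a step-up, never a deny. Keeping the reasons list on every decision is what makes the policy auditable when a user asks why they were blocked.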
Workspace ONE Integrates with Best of Breed MFA, CASB, UEBA and Security Providers
Best of breed MFA
– Duo, RSA SecurID, and VMware Verify at no cost
Best of breed CASB
– Netskope, SkyHigh
Best of breed UEBA
– Gurucul
Other security ecosystems
– Mobile Security Alliance (MSA)
– AppConfig
Demo: Adaptive Management, Mobile SSO and Conditional Access
Securing Productivity Apps
Office 365 Supports Many Legacy and 3rd Party Clients – Workspace ONE Keeps All Clients Secure
Email clients: Boxer (Extra security), Outlook, Android Native, iOS Native, Thunderbird, Legacy Outlook
Apps for data: Content Locker (Extra security), OneNote, SharePoint App, OneDrive, Word, Excel
Accelerate your Knowledge of Workspace ONE
Date | Title | Session # | Speaker
Tuesday, 11:00am | Transformation of the Digital Workspace | SAAM3157SU | Tony Kueh
Tuesday, 12:30pm | Introduction to Access Management in Workspace ONE | SAAM2288BU | Josue Fontanez, Prab Kalra
Tuesday, 3:30pm | Enable Simple, Secure Access to your Horizon and Citrix Virtual Desktops and Apps with Workspace ONE | SAAM1150BU | Greg Armanini, Matt Coppinger
Tuesday, 5:00pm | Securing Access and Protecting Information in Office 365 with Workspace ONE | SAAM2291BU | Camilo Lotero, Adarsh Kesari
Wednesday, 2:00pm | Deployment Deep Dive: Best Practices and Troubleshooting of Workspace ONE | SAAM2197BU | Kevin Sheehan, Adarsh Kesari
Wednesday, 3:30pm | Secure and Seamless Access to all of your Applications with Conditional Access and Mobile SSO in Workspace ONE | SAAM2204BU | Vikas Jain, Prab Kalra
Thursday, 10:30am | VMware on VMware: Winning a Single Sign-On Solution with VMware Workspace ONE | SAAM1321BU | Robert Coggins, Josue Fontanez
Thursday, 1:30pm | Simplify Management and Security of your Mobile Apps with Workspace ONE | SAAM2294BU | Vikas Jain, Vinay Jain
Also join us for Quick Talks, Expert Discussions, and Hands-on-Labs!!!