Before making the migration to Office 365, your corporate information was in all likelihood firmly housed in your corporate networks, inaccessible to anyone without (potentially) your VPN details (i.e. a set of URLs, certificates and profile files). This, coupled with multi-factor authentication (MFA), gave you some confidence your data was being accessed only by the appropriate users. But your information is now in Office 365 where—in theory—anyone can get to it, given the right credentials. This obviously represents a challenge to the integrity of corporate data.
For the purposes of this article, we’ll assume your information is already protected by multi-factor authentication (MFA)—the base functionality that comes with Office 365 or Azure AD Premium. Beyond this initial security measure is the question of how much you like having your data distributed to devices you don’t control. MFA simply controls who can access data, not where the data can be accessed and saved.
So, without utterly inconveniencing your users to the extent they do nothing outside of working hours and on corporate devices, how should you go about implementing a policy to keep a hold on your data?
The Solution: Conditional Access
Conditional Access is a fairly recent addition to the security lineup, and new capabilities are being added all the time. If your users have an Office 365 E3 license, an EMS +E3 license may be added to it—the key component that enables two valuable features. First, the license grants access to Microsoft Intune so you can manage mobile devices (this will be the subject of a future post). Second, licensees get an Azure Active Directory Premium P1 license, which unlocks Conditional Access, among other things. For the sake of completeness, even more features can be leveraged by adding the EMS +E5 to your E3 or E5 license. As with all things licensing, check with a Microsoft partner so your company isn’t buying too much or paying for individual components when a cheaper package is available—especially since Intune and Azure AD Premium P1 and P2 licenses are available as standalone licenses.
Implementing Rules for Conditional Access on O365
Okay. Let’s say you’re licensed for EMS +E3. What do you do now? Take a look at your MFA capabilities. The Office 365 ‘version’ includes a number of capabilities; take a look here for the differences between the Office 365 capabilities and the Azure Active Directory additions. You can enhance security and the user experience by establishing a list of Trusted IP Addresses. But if you know certain devices on your corporate campus are legitimate, is there a need to enforce MFA? Perhaps you have a Wi-Fi profile deployed and the only way you issue them is through a device enrollment mechanism. In this case, adding yet another authentication step may be unnecessary. But of course, once the device leaves the work campus, you want to ensure people trying to gain access are indeed who they say they are.
It is possible to block access to applications such as Teams and Outlook on home PCs. But you should carefully review whether such a step is necessary or in-line with your business security requirements. If you want to allow access to data from home devices but don’t want the inevitable data leak an OST file causes, then be sure to implement a policy that encompasses those services but only grants access from approved devices. In this example, granting access to devices is the appropriate mindset. Microsoft’s best practices for Conditional Access, suggest avoiding a blocking policy. This type of policy requires that end users on unmanaged devices access the Office 365 resources using only the web interface. But in the case of Outlook on the Web (OWA), the policy also forbids file downloads, letting users open attachments only in the browser window, rather than in Word or Excel, say. Naturally, the use of Digital Rights Management to prevent unauthorized printing or forwarding etc. of content is another very important step in the overall management and security of information within Office 365.
The best approach is to incorporate a capability of Conditional Access—the ability to take a device joined to the on-premises Active Directory—and ensure only Windows 10 devices tagged as “Hybrid Azure AD Joined” get access to services using native applications. For example, a domain-joined Windows 10 laptop will grant access to Outlook, Teams etc. without calling for MFA when in the corporate offices. At home, this user would be challenged for MFA and all access will be granted. But when the same user tries to use the family Windows 10 PC he will find that although he can authenticate with MFA, he cannot connect to Outlook. The only way he can access his email is by clicking the Outlook link in the Office 365 browser window.
The two measures described above are basic, but nonetheless important, steps in restricting which devices can access Office 365 resources, thereby providing an increased level of confidence to the information security team that data is not being synchronized and saved on devices that aren’t under corporate control.
Office 365 is new frontier for many companies; Anexinet specializes in helping companies transition to 365. For more information on O365, you may want to check out these blog posts. And if you’re feeling overwhelmed by the complexity of Office 365 migration, please reach out to us. We’d love to help you out.