Page 1

Camilo Lotero, Senior Technical Marketing Manager

Adarsh Kesari, Senior Systems Engineer

SAAM2291BE

#VMworld #SAAM2291BE

Securing Access and Protecting Information in Office 365 with Workspace ONE

VMworld 2017 Content: Not for publication or distribution

Page 2

Disclaimer

• This presentation may contain product features that are currently under development.

• This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.

• Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.

• Technical feasibility and market demand will affect final delivery.

• Pricing and packaging for any new technologies or features discussed or presented have not been determined.

Page 3

Securing Access and Protecting Information in Office 365 with Workspace ONE

1. Data Loss Prevention

2. Simplified Authentication

3. Conditional Access

4. Securing Productivity Apps

Page 4

340M downloads of Office Mobile Applications (Source: Microsoft, 2016)

Page 5

Four Pillars of Office 365 Security (Workspace ONE + Office 365)

Data Loss Prevention

• At rest

• In use

• In transit

• On any device

Simplified Authentication

• No passwords (SSO)

• Control Modern and Legacy Auth

• Consumer-simple MFA

Conditional Access

• Block Unapproved Access

• Email compliance

Securing Productivity Apps

• Email

• Content

• Browsing

Page 6

Data Loss Prevention

Page 7

A New Level of Data Security

At Rest

• Passcode protection

• Device encryption

• Enterprise wipe

In Use

• Containerization

• DLP policies

• MAM co-existence

In Transit

• SSL encryption

• App-level VPN

Page 8

Prevent Data Loss Using Native Platform Controls

Windows

• Windows Information Protection

• Passport for Work and Windows Hello

iOS

• Managed App container

• Open-in controls

• Device passcode and Touch ID

Android

• Android for Work container

• Copy/Paste controls

• Device passcode

Page 9

Available Data Loss Prevention Policies

• Prevent Backup

• Allow Apps to Transfer Data to Other Apps

• Allow Apps to Receive Data from Other Apps

• Prevent “Save As”

• Restrict Cut Copy Paste with Other Apps

• Restrict Web Content to Display in Managed Browser

• Encrypt App Data

• Disable Contacts Sync

• Disable Printing

• Allow Specific Data Storage Locations – OneDrive for Business, SharePoint, Box, Dropbox, Google Drive, Local Storage

• Require PIN for Access

• Number of Attempts before PIN Reset

• Allow Simple PIN

• PIN Length

• Allowed PIN Characters

• Allow Fingerprint Instead of PIN

• Require Corporate Credentials For Access

• Block Managed Apps from Running on Jailbroken or Rooted Devices

• Recheck The Access Requirements after Timeout

• Offline Grace Period

• Offline Interval before App Data is Wiped

• Block Android Screen Capture and Android Assistant

Page 10

Current Integration: Office 365 & Azure Cloud

• AirWatch calls Graph API to configure and assign DLP for native Office apps

• Microsoft cloud services enforce policies on all Office apps – managed or unmanaged

• Device enrolls to manage apps and wipe corporate data

Page 11

Integration

Components: Office 365, Graph API Layer, Azure APIs, Azure Active Directory, AirWatch (AW)

Permission chain: Azure admin user permissions → AW Azure app permissions → permission scope of token

1. Add Azure admin into AW & save

2. Search Azure groups by name

3. Return matching Azure groups

4. Select Azure groups to add in AW

5. Configure DLP rules in AW & save

6. Create iOS & Android DLP policy (AW)

7. Set specific DLP rules for policies (AW)

Legend: arrows are Graph API requests or responses; AW = AirWatch
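As an added example (not from the deck and not AirWatch code), the script below turns the DLP choices of step 5, which mirror the page 9 policy list, into the request body that steps 6 and 7 would send to Graph, and checks the page 11 point about the token's permission scope. The Graph field names follow the `iosManagedAppProtection` resource and the `DeviceManagementApps.ReadWrite.All` permission as I know them; the setting keys and sample values are constructed for this example.

```python
# Graph enum values for the page 9 storage locations (assumed from managedAppDataStorageLocation).
STORAGE_LOCATIONS = {
    "OneDrive for Business": "oneDriveForBusiness", "SharePoint": "sharePoint", "Box": "box",
    "Dropbox": "dropbox", "Google Drive": "googleDrive", "Local Storage": "localStorage",
}
GRAPH_PERMISSION = "DeviceManagementApps.ReadWrite.All"  # assumed permission for these policies

# Constructed sample: the page 9 choices for a locked-down profile (key names are this example's own).
SAMPLE_SETTINGS = {
    "allow_backup": False, "allow_data_to_other_apps": False, "allow_cut_copy_paste": False,
    "allow_save_as": False, "storage_locations": ["OneDrive for Business", "SharePoint"],
    "pin_length": 6, "pin_attempts_before_reset": 5, "allow_simple_pin": False, "pin_numeric_only": True,
    "allow_fingerprint": True, "require_corporate_credentials": True, "block_jailbroken_or_rooted": True,
    "recheck_minutes": 30, "offline_grace_minutes": 720, "offline_wipe_minutes": 90 * 1440, "encrypt_app_data": True,
}

def iso_duration(minutes):
    """Graph timeout fields take ISO 8601 durations; render whole minutes as P#D, PT#H or PT#M."""
    if minutes <= 0:
        raise ValueError("interval must be a positive number of minutes")
    if minutes % 1440 == 0:
        return f"P{minutes // 1440}D"
    if minutes % 60 == 0:
        return f"PT{minutes // 60}H"
    return f"PT{minutes}M"

def build_ios_app_protection(name, s):
    """Step 5 -> steps 6/7: turn the DLP choices into an iosManagedAppProtection body,
    rejecting combinations that would defeat the policy's purpose."""
    if s["pin_length"] < 4:
        raise ValueError("PIN length below 4 is too weak to accept")
    if s["offline_wipe_minutes"] <= s["offline_grace_minutes"]:
        raise ValueError("offline wipe interval must exceed the offline grace period")
    unknown = set(s["storage_locations"]) - STORAGE_LOCATIONS.keys()
    if unknown:
        raise ValueError(f"unknown storage location(s): {sorted(unknown)}")
    return {
        "@odata.type": "#microsoft.graph.iosManagedAppProtection",
        "displayName": name,
        "dataBackupBlocked": not s["allow_backup"],
        "allowedOutboundDataTransferDestinations": "allApps" if s["allow_data_to_other_apps"] else "managedApps",
        "allowedOutboundClipboardSharingLevel": "allApps" if s["allow_cut_copy_paste"] else "managedApps",
        "saveAsBlocked": not s["allow_save_as"],
        "allowedDataStorageLocations": [STORAGE_LOCATIONS[loc] for loc in s["storage_locations"]],
        "pinRequired": True,
        "minimumPinLength": s["pin_length"],
        "maximumPinRetries": s["pin_attempts_before_reset"],
        "simplePinBlocked": not s["allow_simple_pin"],
        "pinCharacterSet": "numeric" if s["pin_numeric_only"] else "alphanumericAndSymbol",
        "fingerprintBlocked": not s["allow_fingerprint"],
        "organizationalCredentialsRequired": s["require_corporate_credentials"],
        "deviceComplianceRequired": s["block_jailbroken_or_rooted"],  # the jailbroken/rooted block
        "periodOnlineBeforeAccessCheck": iso_duration(s["recheck_minutes"]),
        "periodOfflineBeforeAccessCheck": iso_duration(s["offline_grace_minutes"]),
        "periodOfflineBeforeWipeIsEnforced": iso_duration(s["offline_wipe_minutes"]),
        "appDataEncryptionType": "whenDeviceLocked" if s["encrypt_app_data"] else "useDeviceSettings",
    }

def token_has_permission(claims, needed=GRAPH_PERMISSION):
    """Page 11's 'permission scope of token': delegated scopes are space separated in `scp`,
    app-only permissions are a list in `roles`. `claims` is an already verified JWT payload."""
    granted = set(claims.get("scp", "").split()) | set(claims.get("roles", []))
    return needed in granted
```

The body is what an AirWatch-style integration would POST to `deviceAppManagement/iosManagedAppProtections`; the permission check belongs before the call, because a token without that scope is the usual reason step 6 fails.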

Page 17

Demo: Office 365 Integration

Page 19

Simplified Authentication

Page 20

Office 365 is Complex: Many Clients (Modern, Legacy, & 3rd Party) Can Access Data and Emails. IT Must Close All the Holes

Clients shown: Outlook, Android Native, iOS Native, Boxer, Thunderbird, Legacy Outlook, OneDrive, SharePoint App, Word, PowerPoint, OneNote, Excel

Page 21

Office 365 is Complex: Some Clients Use Modern Auth, and Some Use Legacy. IT Must Protect Both

Users can get to Office 365 using legacy or modern auth. Workspace ONE protects both.

Modern auth: Outlook, OneDrive, Word

Legacy auth: Android Native, iOS Native, Legacy Outlook

Page 22

Office 365 Requires Protection For Two Kinds of Authentication: Modern Auth and Legacy Auth

• What is Modern Auth? MSFT’s official definition: authentication that uses the Active Directory Authentication Library (ADAL) and OAuth 2.0

– ADAL and OAuth work together to provide users/apps access to protected resources through security tokens

1. User authenticates to the IDP to get a token

2. App uses the token from step 1 to get the protected resource

Diagram: User/app obtains a token from the IDP (step 1), then presents it to the Resource (step 2)

Page 23

O365 Modern Authentication Flow: Passive Federation (WS-Fed Passive Profiles)

1. Client connects to O365

2. Client is redirected to IdP for authentication

3. SAML assertion is sent via redirect to O365

4. Access and Refresh OAuth2 tokens are generated and passed to client

5. Access Token is now used for accessing O365

Tokens in the diagram: SAML assertion, OAuth2 Access Token, OAuth2 Refresh Token

Access Token TTL = 1h; Refresh Token TTL = 15 - 90 days

Page 24

What is Modern Auth: Simple Definition

• Modern Auth is when the user authenticates to an IDP in a browser, rather than putting credentials into the app itself

This is Modern Auth

– The app redirects the user to an IDP in a browser

– The user sees an IDP screen and authenticates (configurable at the IDP)

– The IDP sends the user back to the app with an auth token

Page 25

What is Not Modern Auth: Simple Definition

• If the user has to enter credentials directly into the app, it’s not Modern Auth

This is not Modern Auth

– The user enters credentials into app UI

– The app sends credentials to IDP

Page 26

Bottom line: O365 Solutions Must Protect a Complex, Powerful Suite of Apps Used Across Your Organization

• Your solution must

– Handle all ways to authenticate into Office 365

– Protect all the clients that users use to access Office 365 email and data

– Ensure corporate data doesn’t leak from user’s devices

Page 27

Federate Existing AD Credentials with Identity Manager

VMware Identity Manager

Existing Identity Solution(s)

Active Directory

Page 28

Federate Existing AD Credentials with Identity Manager

• Federates identity for single version of truth

• Works across Office 365 and all other app investments

• Integrates with existing identity solutions

• Automatic SSO based on native OS APIs

• SSO based on certificates and Kerberos authentication

VMware Identity Manager

Existing Identity Solution(s)

Active Directory

Page 29

Conditional Access

Page 30

Restrict Office 365 Access to Managed and Compliant Devices

VMware Identity Manager validates the user identity, then checks the device:

• Management Profile Installed → ACCESS GRANTED

• No Management → ACCESS DENIED

Page 31

Compliance Policies for Comprehensive Access Control

VMware Identity Manager validates the user identity, then checks the device:

• Managed by VMware AirWatch → ACCESS GRANTED

• Not Managed → ACCESS DENIED

• Integrate with on-premises AD

• Validate user identity, groups, MFA policies

• Allow access to specific users, devices, OS versions

• Check device compromised status

• Ensure device is managed by EMM

• App-agnostic identity framework across all apps (non-Microsoft apps)

Page 32

Conditional Access Model for Office 365

Policy Framework inputs:

• USER & GROUP: User, Group, Risk Score

• DEVICE: Management Status, Compliance, Device Type, Compromise, Domain Joined, Azure AD Joined

• APP: Web, Mobile, Virtual (rated from Low Security to High Security)

• LOCATION: External / Internal, In Network / Out of Network, Corp Wifi / 3G / 4G, Geo

Page 33

Leverage Your Existing Investments in the Conditional Access Workflow

AirWatch Compliant?

Domain Joined?

Azure AD Domain Joined?

Passed an MFA check?

Has a valid certificate?
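As an added example (not Identity Manager's own logic), here is a policy evaluator over the four page 32 axes that applies the checks from pages 31 and 33 and returns the reasons behind each decision so they can be logged. The field names, risk threshold and minimum OS versions are assumptions constructed for this example.

```python
from dataclasses import dataclass

# Outcomes shown on the page 30/31 diagrams, plus the step-up outcome an MFA provider (page 34) enables.
GRANTED, DENIED, STEP_UP = "ACCESS GRANTED", "ACCESS DENIED", "MFA REQUIRED"

# Constructed policy values for this example (page 31: "allow access to specific ... OS versions").
MIN_OS_VERSION = {"ios": (11, 0), "android": (7, 0), "windows": (10, 0)}

@dataclass
class AccessContext:
    """One access attempt along the four page 32 axes (user, device, app, location).
    Field names are assumptions for this example, not Identity Manager attributes."""
    identity_validated: bool
    groups: frozenset
    mfa_passed: bool = False
    risk_score: int = 0                 # 0 (clean) .. 100, e.g. fed in by a UEBA provider
    managed_by_emm: bool = False        # AirWatch management profile installed?
    compliant: bool = False             # AirWatch compliance status
    compromised: bool = False           # jailbroken / rooted
    domain_joined: bool = False
    azure_ad_joined: bool = False
    valid_certificate: bool = False
    platform: str = "ios"
    os_version: tuple = (0, 0)
    app_security: str = "low"           # "low" or "high", the page 32 APP axis
    in_network: bool = False            # corporate network vs external

def evaluate(ctx, allowed_groups, risk_threshold=70):
    """Return (decision, reasons). Every deny or step-up carries the checks that drove it,
    so the result can be logged and alerted on, not only enforced."""
    reasons = []
    if not ctx.identity_validated:
        return DENIED, ["user identity not validated"]
    if not ctx.groups & allowed_groups:
        reasons.append("user not in an allowed group")
    if ctx.compromised:
        reasons.append("device compromised (jailbroken/rooted)")
    if ctx.os_version < MIN_OS_VERSION.get(ctx.platform, (0, 0)):
        reasons.append(f"{ctx.platform} {'.'.join(map(str, ctx.os_version))} below minimum OS version")
    if ctx.risk_score >= risk_threshold:
        reasons.append(f"risk score {ctx.risk_score} at or above threshold {risk_threshold}")
    # Page 33: any existing trust investment satisfies the device-trust check for ordinary apps.
    device_trusted = ((ctx.managed_by_emm and ctx.compliant) or ctx.domain_joined
                      or ctx.azure_ad_joined or ctx.valid_certificate)
    if ctx.app_security == "high":
        if not (ctx.managed_by_emm and ctx.compliant):
            reasons.append("high-security app requires an EMM-managed, compliant device")
    elif not device_trusted:
        reasons.append("no device trust signal (EMM compliance, domain/Azure AD join or certificate)")
    if reasons:
        return DENIED, reasons
    # Trusted device outside the network: ask for MFA once rather than deny outright.
    if not ctx.in_network and not ctx.mfa_passed:
        return STEP_UP, ["out-of-network access without a completed MFA check"]
    return GRANTED, []

if __name__ == "__main__":
    # Constructed sample: a compliant AirWatch-managed iPhone opening a high-security app from home.
    ctx = AccessContext(identity_validated=True, groups=frozenset({"Finance"}), managed_by_emm=True,
                        compliant=True, os_version=(11, 2), app_security="high")
    print(evaluate(ctx, allowed_groups=frozenset({"Finance"})))  # MFA REQUIRED: out of network, no MFA yet
```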

Page 34

Workspace ONE Integrates with Best of Breed MFA, CASB, UEBA and Security Providers

Best of breed MFA

– Duo, RSA SecurID, and VMware Verify at no cost

Best of breed CASB

– Netskope, SkyHigh

Best of breed UEBA

– Gurucul

Other security ecosystems

– Mobile Security Alliance (MSA)

– AppConfig

Page 35

Demo: Adaptive Management, Mobile SSO and Conditional Access

Page 37

Securing Productivity Apps

Page 38

Office 365 Supports Many Legacy and 3rd Party Clients – Workspace ONE Keeps All Clients Secure

Clients shown: Boxer, Outlook, Android Native, iOS Native, Thunderbird, Legacy Outlook, Content Locker (Extra security), OneNote, SharePoint App, OneDrive, Word, Excel

(Extra security)

Page 39

Accelerate your Knowledge of Workspace ONE

Date | Title | Session # | Speaker

Tuesday, 11:00am | Transformation of the Digital Workspace | SAAM3157SU | Tony Kueh

Tuesday, 12:30pm | Introduction to Access Management in Workspace ONE | SAAM2288BU | Josue Fontanez, Prab Kalra

Tuesday, 3:30pm | Enable Simple, Secure Access to your Horizon and Citrix Virtual Desktops and Apps with Workspace ONE | SAAM1150BU | Greg Armanini, Matt Coppinger

Tuesday, 5:00pm | Securing Access and Protecting Information in Office 365 with Workspace ONE | SAAM2291BU | Camilo Lotero, Adarsh Kesari

Wednesday, 2:00pm | Deployment Deep Dive: Best Practices and Troubleshooting of Workspace ONE | SAAM2197BU | Kevin Sheehan, Adarsh Kesari

Wednesday, 3:30pm | Secure and Seamless Access to all of your Applications with Conditional Access and Mobile SSO in Workspace ONE | SAAM2204BU | Vikas Jain, Prab Kalra

Thursday, 10:30am | VMware on VMware: Winning a Single Sign-On Solution with VMware Workspace ONE | SAAM1321BU | Robert Coggins, Josue Fontanez

Thursday, 1:30pm | Simplify Management and Security of your Mobile Apps with Workspace ONE | SAAM2294BU | Vikas Jain, Vinay Jain

Also join us for Quick Talks, Expert Discussions, and Hands-on Labs!
