How to Balance Productivity and Security in Microsoft 365 – A Crucial Read for Architects

balance Security and productivity in Microsoft 365

In legacy security models, the primary objective was to protect corporate applications and data by creating a security perimeter that could only be traversed via a corporate device with a VPN. As consumer technology has progressed, users are keen to work from personal tablets and mobile devices. Also, the evolution of the corporate workplace is seeing more organizations focus heavily on remote working. These use cases put a strain on legacy security models as they either can’t support a good user experience or cause a bottleneck due to the inability to scale. 

Many organizations are adopting SaaS-based platforms such as Microsoft 365 to meet the demands of the business. Unfortunately, some organizations do not fully consider the security configurations of the platform and either try to apply a perimeter model like they would with a datacenter or leave the organization open to potential data loss through security misconfigurations. The US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) even published an alert to this effect (https://www.us-cert.gov/ncas/alerts/aa20-120a

Providing users’, the flexibility to be productive on any device, whilst balancing the security of company data and applications is a challenge. Your strategy should focus on protecting the data itself at the file level, and to do so requires a multi-layered approach. 

Microsoft Enterprise Mobility + Security (EMS) is designed to protect company data stored in the Microsoft 365 cloud, as well as data stored locally on employee laptops and mobile devices. It is a multi-layered solution that combines several integrated security tools in a convenient package. 

Since our focus is on protecting the data, this is the core of our architecture. Azure Information Protection (AIP) enables users to set classification levels on the documents and files they are creating, we can’t protect the data unless we know if it is confidential or not. AIP also allows us to create autoclassification rules to ensure documents are not classified incorrectly. 

What about the device accessing the data? That is where Intune comes in to play. Company-owned devices can be fully managed at the device level regardless of where they are located. The user can sign in with corporate credentials and even take advantage of biometric technologies such as Windows Hello. Worried about viruses and malware? You also have Windows Defender Advanced Threat Protection (ATP) to take care of that. 

BYOD (Bring Your Own Device) use, such as a personal phone or tablet can be managed at the application level. Company data is stored in a secure, encrypted container away from personal files and photos. If the device is ever lost, stolen, or the user leaves the company. That data can be wiped remotely without impacting personal data on the device. You can even block copy and paste of sensitive data to apps outside of the container.  

What happens if the users’ password is stolen or compromised? That is where the advanced capabilities within Azure Active Directory (AD) come into play. A password is never enough, Multi-Factor Authentication with Microsoft Authenticator is a must. A password-less authentication is even an option now. Conditional access enables us to create granular access rules based on several factors such as: What is the user’s role? Where are they physically located (IP, country)? Is the device reported as ’healthy’ within Intune? Is the application or document they are trying to access permitted on the type of device they are using? 

If your reading this and think;” This won’t work for us, we use XYZ third-party cloud service”. This is where our last component, Cloud App Security comes into play. With most major cloud providers supporting 3rd party API access into their cloud environments, you can now have a single pane of glass to monitor, report, and protect your data across multiple cloud vendors.  

 EMS enables a modern, multi-layer security architecture that allows your company to be productive and secure on any device. We can work with you to find the best approach to balancing productivity with security in your organization. Ask us how! 

%d bloggers like this: