Securing data in a Cloud environment.

In this article I describe the five levels of security for BYOD (with Level 0 it is really six, but I'm not counting that one). Together these levels let users work openly and safely with data in an enterprise environment.

Level 0 - Lock

Don't leave phones, tablets or laptops unlocked on your desk. This is a no-brainer.

Level 1 - Password

The password! I'm not talking about the pattern you draw on your Android phone or the swipe that unlocks it. No, real passwords. A password gives the user a feeling of security, but it is also the most vulnerable factor. We all have our tricks for making passwords: the camel-case method, or the leetspeak that used to be called "Breezer language", swapping letters for digits and symbols. Passwords like P@Ssw0rd123 are not uncommon, and neither are the Welcome01 introduction passwords or something like @ppForApplication01; every one of these patterns is in the cracking dictionaries, so the substitutions add almost nothing. Do you want to check whether your password has been pwned? You can check at https://haveibeenpwned.com/passwords, which looks the password up by a hash prefix so the password itself never leaves your browser. My two cents on creating a password is in the picture below; it's the best example I can give.
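The way that check avoids sending your password (or even its full hash) to anyone is the k-anonymity range API: the client hashes the password with SHA-1, sends only the first five hex characters, and compares the returned list of suffixes locally. The Python below is an added example for this post, not code from the article or from Have I Been Pwned. The `fetch` argument is injectable so the check runs offline against a constructed sample response: the suffix for "password" is its real SHA-1 suffix, the other suffixes and all the counts are made up.

```python
import hashlib
import urllib.request

RANGE_API = "https://api.pwnedpasswords.com/range/"  # real HIBP range endpoint

# Constructed stand-in for what the API returns for prefix 5BAA6 (offline use).
# Each line is <35-hex-char SHA-1 suffix>:<count>. The middle suffix is the
# real one for SHA-1("password"); the other suffixes and all counts are made up.
SAMPLE_RANGE_5BAA6 = """\
1D2B5D7A3F6DA0B0A7C1E2A1E5BBA9D9E9C:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1F0B8C1A5D3E9F7A2B4C6D8E0F1A2B3C4D5:1
"""


def split_hash(password: str):
    """SHA-1 the password and split it into the 5-char prefix that is sent to
    the service and the 35-char suffix that never leaves this machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix: str) -> str:
    """Live lookup: only the 5-character hash prefix goes over the wire."""
    req = urllib.request.Request(RANGE_API + prefix,
                                 headers={"User-Agent": "pwned-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def offline_fetch(prefix: str) -> str:
    """Stand-in for fetch_range that serves the constructed sample above."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


def pwned_count(password: str, fetch=fetch_range) -> int:
    """Number of times the password appears in the corpus (0 = not found).
    `fetch` is injectable so the same logic runs offline against sample data."""
    prefix, suffix = split_hash(password)
    return parse_range(fetch(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        n = pwned_count(pw, offline_fetch)
        verdict = f"seen {n} times, do not use" if n else "not in sample"
        print(f"{pw!r}: {verdict}")
```

Swap `offline_fetch` for the default `fetch_range` to query the live service; either way the only thing that leaves the machine is the five-character prefix, which matches roughly a million different passwords.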



Level 2 - MFA

Multi-Factor Authentication (MFA). Luckily, MFA is something I see in a lot of organizations. Many websites advise it too, for e-mail, insurance, bitcoin wallets or your bank, so for the user it is nothing unusual. There are multiple ways of implementing it.
  1. SMS - The site sends a text message with a code in it. - This can be hazardous: the SMS ties the login to your phone number, not to your phone. Anyone who can receive or intercept the text (for example after a SIM swap at your carrier) has your second factor, and together with a stolen password that is enough to get in.
  2. Call - The site calls you on a registered number. - Again, if your phone number is compromised you have no extra check on which phone is actually receiving the call.
  3. App - Microsoft and Google both have an Authenticator app that receives a prompt or generates a one-time code you enter on the website. This works well: you have to unlock your phone to approve, so you get extra protection, and the device is linked to the site when you enrol the app; once that link is broken you can no longer verify with the app. These authenticator apps work in two ways:
    1. You receive a notification in the authenticator app to approve or reject a sign-in to your e-mail or insurance portal. Don't approve out of habit: an attacker who already has your password can keep sending prompts until one gets approved, which is why number matching (typing the number shown on the login screen into the app) is the safer variant.
    2. You enter the code the app generates (a new one every 30 seconds) on the website. The code is derived from a secret shared at enrolment and the current time, so the phone needs no network connection to produce it.

Level 3 - Data encryption

Sure, the device is "secure". But what about the data? What if your device falls into the hands of someone who is not trusted? What happens with that presentation you shared through Twitter or Facebook? Loss of corporate data is a big problem with BYOD.
Encryption comes in different sizes:
  1. BitLocker - Encrypts the disk of the laptop or mobile device. - This only protects data at rest: it is effective when the laptop is stolen or the disk is seized, not while the device is powered on and unlocked, and it does nothing once the data has been copied off the disk.
  2. DLP - Not really encryption but a set of rules that trigger an action (which can be to encrypt). Rules categorize the data and take action when matching data is found. The downside of DLP is that the more rules you have, the more false positives you get. Another downside is that it has to be implemented broadly to be effective: securing the e-mail channel but not the file share or the document storage does not fix the problem.
  3. AIP (IRM) - Works at item level, so it covers all channels from e-mail to file storage, and the protection travels with the document or file. - The downside is that it only works with compatible apps; in a non-compatible app the document is not readable.
  4. WIP - Windows Information Protection lets users use personal Windows 10 devices in an enterprise environment. With WIP enabled, enterprise data is automatically encrypted on the device and kept separate from personal data, so when the employee leaves the company all enterprise data can be removed from the personal device while the personal data stays untouched. WIP works side by side with AIP to give full protection of corporate data. See the image below for a clear overview.

Level 4 - Device management, Intune

With Intune you keep control over which apps may be used to access company data such as e-mail or files, and if something happens you can wipe the company data from the device. BYOD without device management is a disaster waiting to happen, with data disappearing to all sorts of places. Conditional access is also part of the equation; that is discussed in Level 5.

Level 5 - Conditional access

Conditional access is a really nice one because it ties all the levels together. To give users access to company resources you define policies that require, for example, a compliant device, a specific location, or a managed device. Maybe you want MFA to be required before users can access the data, or you want them to come from a certain network (not Tor). All the policies that match a sign-in are evaluated together: a matching block policy wins, and otherwise every grant control of every matching policy has to be satisfied. That makes conditional access the umbrella covering all the levels of security.
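To make the "umbrella" concrete, here is a simplified model of how a set of conditional access policies is evaluated against one sign-in. It is an added illustration for this post, not Microsoft's implementation: the policy names, group names, app names and the `SignIn`/`Policy` shapes are made up for the example, and it keeps only the rules that matter here (every matching policy applies, a block wins, and the grant controls of each matching policy must be met, either all of them or one of them).

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass
class SignIn:
    user: str
    groups: Set[str]          # directory groups the user belongs to
    app: str                  # cloud app being accessed
    location: str             # "trusted", "anonymous" (Tor / anonymising VPN) or "other"
    device_compliant: bool    # Intune reports the device as compliant
    device_managed: bool      # device is enrolled or joined
    mfa_done: bool            # MFA already satisfied in this session


@dataclass
class Policy:
    name: str
    groups: Set[str]                 # scope: {"All"} or group names
    apps: Set[str]                   # scope: {"All"} or app names
    locations: Optional[Set[str]]    # scope: None = any location
    action: str                      # "block" or "grant"
    controls: Tuple[str, ...] = ()   # "mfa", "compliantDevice", "managedDevice"
    require_all: bool = True         # True: all controls; False: one of them


# How each grant control is satisfied by a sign-in.
CONTROL_CHECKS = {
    "mfa": lambda s: s.mfa_done,
    "compliantDevice": lambda s: s.device_compliant,
    "managedDevice": lambda s: s.device_managed,
}


def in_scope(p: Policy, s: SignIn) -> bool:
    """A policy applies only when its user, app and location conditions all match."""
    if "All" not in p.groups and not (p.groups & s.groups):
        return False
    if "All" not in p.apps and s.app not in p.apps:
        return False
    if p.locations is not None and s.location not in p.locations:
        return False
    return True


def evaluate(policies: List[Policy], s: SignIn) -> Tuple[str, List[str]]:
    """Return ("block", [blocking policy names]), ("challenge", [controls still
    missing]) or ("allow", []). A matching block policy always wins; otherwise
    every matching grant policy has to be satisfied."""
    matched = [p for p in policies if in_scope(p, s)]
    blockers = [p.name for p in matched if p.action == "block"]
    if blockers:
        return "block", blockers
    missing: Set[str] = set()
    for p in matched:
        results = {c: CONTROL_CHECKS[c](s) for c in p.controls}
        ok = all(results.values()) if p.require_all else any(results.values())
        if not ok:
            missing.update(c for c, passed in results.items() if not passed)
    return ("allow", []) if not missing else ("challenge", sorted(missing))


# Constructed policy set mirroring the post's examples; names are made up.
POLICIES = [
    Policy("Block anonymous networks", {"All"}, {"All"}, {"anonymous"}, "block"),
    Policy("Require MFA for all cloud apps", {"All"}, {"All"}, None, "grant", ("mfa",)),
    Policy("Require compliant or managed device for Exchange Online", {"All"},
           {"Exchange Online"}, None, "grant", ("compliantDevice", "managedDevice"),
           require_all=False),
]


def decide(s: SignIn) -> Tuple[str, List[str]]:
    return evaluate(POLICIES, s)


if __name__ == "__main__":
    cases = {
        "from Tor": SignIn("alice", {"Sales"}, "Exchange Online", "anonymous", True, True, True),
        "personal laptop, MFA done": SignIn("alice", {"Sales"}, "Exchange Online", "other", False, False, True),
        "compliant device, no MFA yet": SignIn("alice", {"Sales"}, "Exchange Online", "trusted", True, True, False),
        "compliant device, MFA done": SignIn("alice", {"Sales"}, "Exchange Online", "trusted", True, True, True),
    }
    for label, s in cases.items():
        print(f"{label}: {decide(s)}")
```

Two things the model makes visible that are easy to miss in the portal: the block policy for anonymous networks fires before any grant control is even looked at, and the personal laptop is stopped not by Level 4 or Level 2 on their own but by the combination, since the MFA policy is satisfied and the device policy is not.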