In today’s modern workplace, it is essential for security and compliance teams to know the native capabilities of collaboration and communication platforms. This knowledge will enable them to define a coherent strategy that takes into account data protection needs as well as regulations, the urbanization of the information system and the unavoidable subject of user experience.

For companies  using the highest licensing plan, Microsoft 365 E5, there is no problem: all functionalities are available. For others, the subject is much more complex.

This article is oriented for companies with more than 300 employees. For other organizations (education, associations, small and medium enterprises) the license plans are slightly different, but the information below is still applicable for most of them.

Part 1 of this article is available here.

2/ Appropriating the licensing logic

For those unfamiliar with Microsoft licensing, there are three principles governing the allocation of licenses according to the population concerned:

• An internal user of a service or benefiting indirectly from the product (e.g. dynamic group, classification of a SharePoint site, sharing of Power BI dashboards) must have the required license;
• Most administration roles require the license of the managed service to access the administration portal or associated PowerShell commands;
• External users or guest users do not need a specific license to collaborate on Office 365 content. This is made possible by the free capabilities of Azure AD. However, if a guest user is subject to Azure AD Premium features (P1 or P2), a sufficient number of licenses must be available (1 license purchased for 5 guest users).

Licenses are nominative and are per user and per month.

Please note that the same product may be available with more or less advanced functionalities depending on the level of licenses chosen. A recurrent example concerns the unified audit logs: these logs are kept for 90 days with Office E1 or E3 licenses, whereas with Office E5 licenses the duration is 365 days.

3/ Unlocking the mystery of licensing plans

As a reminder, the Microsoft licensing model consists of the following elements:

• Licensing plan: A plan that defines the services available to the publisher in the tenant. Most of the time, a license plan will be a collaborative bundle (Office 365), a security bundle (EMS) or a package (Microsoft 365);
• License: To be considered as active, and thus be able to connect to the holder, a user must at least have a;
• Service: A service is a Microsoft 365 product, feature or capability that requires a license. This license can come from several different license plans: for example Office 365 E1 provides SharePoint Online Plan 1 while Ofice 365 E3 and E5 provide SharePoint Online Plan 2;
• SKU: In Microsoft language, this term from inventory management refers to the implementation of a license that can be assigned to a user.

Office 365 collaborative bundles: natively included data protection and compliance capabilities

Collaborative licensing plans, also known as Office 365 bundles, are the basis of Microsoft 365 licensing. These plans natively incorporate increasing compliance features. Security options, however, are quite limited and must be purchased independently.

The first plan is Office 365 E1. This plan integrates all office automation services in web mode only. The compliance and security products are the bare minimum of what can be expected from an enterprise SaaS service today: Security Defaults (basic MFA), Audit Logs, Content Search and Retention Tags.

Office 365 E3 adds the thick clients of the Office Suite (now called Microsoft 365 Apps), as well as data protection features (Information Protection for Office 365 and Office DLP), Core eDiscovery and default retention policies. This licensing plan is the preferred licensing plan for standard users in today’s enterprises.

Finally, Office 365 E5 is designed for special office populations with telephony, Power BI Pro and statistics on the use of the Office 365 suite. It also integrates automatic classification (outside machine learning), compliance options for populations subject to regulations (Records Management, Customer Key, Customer Lockbox, Information Barriers, Communications Compliance) and advanced investigation options (Advanced eDiscovery and Data Investigations), as well as Office ATP and Office CAS.

Two important points to note:

• Office DLP and AIP P1 can be purchased as additional licenses for Office E1 users, in order to have data protection features similar to Office E3;
• The Multi-Geo option is an additional license, regardless of the license plan chosen.

Security bundles: additional security features

Introduced in 2014, the EMS security bundle (Enterprise Mobility Suite, then Enterprise Mobility + Security) integrates various security products. These products are designed to control identities, mobile devices and applications accessing Office 365 data.

• EMS E3: Intune, Azure AD P1, AIP 1, Advanced Threat Analytics;
• EMS E5: Azure AD P2, AIP P2, Azure ATP and Microsoft Cloud App Security.

Today, EMS E3 is a must-have for organizations that choose to go with a “Full Microsoft” strategy. Intune and Azure AD P1 provide a consistent strategy for managing access to the Office 365 platform. On the other hand, few organizations have chosen to generalize EMS E5, a bundle rather oriented for sensitive populations or administrators, due to a lack of consistency between the different security products included.

Microsoft 365 packages: a complete but expensive offer

Announced in 2017, Microsoft 365 is now the flagship product of the Redmond-based publisher. This licensing plan combines the functionalities of Office 365, the EMS suite and Windows 10:

• Microsoft 365 E3 = Office 365 E3 + EMS E3 + Windows 10 E3;
• Microsoft 365 E5 = Office 365 E5 + EMS E5 + Windows 10 E5.

Contrary to popular belief, and despite the various name changes introduced in 2020 (Office 365 Groups to Microsoft 365 Groups, Office Pro Plus to Microsoft 365 Apps), the Office 365 brand has not disappeared.

We should note that Microsoft 365 E5 is the only office automation subscription that includes Trainable Classifiers (classification via Machine Learning), Insider Risk Management or Safe Documents (extension of Windows Defender ATP to scan open documents in protected mode).

Microsoft 365 E5 Compliance and Security: A Turning Point in Security and Compliance License Management

Microsoft 365 E5 Compliance and Microsoft 365 Security were introduced in early 2020 to simplify security and compliance licensing by grouping products under consistent licensing plans. This was good news, as the situation between EMS products and legacy compliance products (e.g. Advanced Data Governance and Advanced Data Compliance) had become increasingly complex

Microsoft 365 E5 Compliance combines the full range of information protection, governance and investigation capabilities. Depending on requirements, three sub-bundles can be considered:

• Microsoft 365 E5 Information Protection & Governance: AIP P2, Microsoft Cloud App Security, Advanced Retention Policies, Records Management, Advanced Office DLP and Advanced OME, Customer Key and Trainable Classifiers;
• Microsoft 365 E5 Insider Risk Management: Insider Risk Management, Communications Compliance, Information Barriers, Customer Lockbox and PAM;
• Microsoft 365 E5 eDiscovery & Audit: Advanced eDiscovery, Advanced Auditing and Data Investigations.

Officially presented as extensions to Microsoft 365 E3, the documentation suggests that the licensing requirements would be lower. The Information Protection & Governance extension would “only” require AIP P1 and Plans 2 for Exchange Online and SharePoint Online (i.e. Office 365 E3).

Microsoft 365 E5 Security combines Azure AD P2, the Advanced Threat Protection suite (Azure ATP, Office ATP, Windows Defender ATP) and Cloud App Security. This bundle will be interesting for organizations that are not large enough to manage many security tools (MFA, EDR, AD Monitoring, Mail Gateway, CASB).

Firstline Workers focus

The Office 365 F3 and Microsoft 365 F1 and F3 licensing plans are intended for Firstline Workers:

• Microsoft 365 F1 is a licensing plan that includes EMS E3, Teams and SharePoint (content sharing and consumption only);
• Microsoft 365 F3 combines EMS E3, Windows 10 E3 and Office 365 F3;
• Office 365 F3 is a lighter version of Office 365 E1, with similar functionality (mainly Exchange, SharePoint, OneDrive, Teams and Power Platform) but much more limited storage for OneDrive and Exchange.

Microsoft defines this population as “users without a dedicated terminal, with occasional use.” Concretely, a dedicated terminal is a computer equipment with a screen of more than 10.1 inches, used by an employee for more than 60% of his working time. Examples can be medical populations, salespeople in a store, or workers in a factory.

Therefore, Fx licenses cannot be used to optimize licensing costs for populations with no advanced needs.

4/ Getting the right tools to find relevant information

There is no official roadmap that makes it easy to find one’s way between products and license levels (E1, E3, E5, F1, F3, etc.), and it seems that everything is done to steer companies towards the most expensive licenses. Therefore, it is not surprising to see companies specializing in the very specific Microsoft licensing segment (optimization consulting or management solution publishers).

How to find out what exists (official sources)

For licenses related to compliance and security products, the most comprehensive reference is the documentation “Microsoft 365 Compliance & Security Licensing Guidance“. Unfortunately, this official documentation is not exhaustive. For example, it is missing:

• Products concerned by private or public pre-versions. For example, the new Endpoint DLP requires a Microsoft 365 E5 Compliance or Microsoft 365 E5 Information Protection & Governance license;
• Details about some compliance products. For example, Office DLP is available with an additional license;
• Information related to Azure Active Directory Premium P1 or P2 features and information related to Intune.

Note that a fairly complete table, available in .pdf and .xlsx, provides a cross-reference of use cases and compliance licenses. Beware, this table can be scary!

There is not yet an equivalent official summary for security licenses. Product documentation (e.g. Intune) and licensing information pages (e.g. Azure Active Directory) remain the best sources of information.

Important point: most official sources specify that they do not constitute a sufficient contractual commitment. Only an exchange with the Microsoft TAM will confirm the availability of a specific license and the associated price.

How to find out what exists (unofficial sources)

Apart from the official documentation, I use two rather interesting sources when talking about Microsoft 365 licensing:

• Unofficial mapping of Microsoft 365 products, by Aaron Dinnage (Microsoft): this is the most complete document available on the subject;
• Details and public pricing (in dollars) of the various Microsoft 365 licensing plans, by Dan Chemistruck (Infused Innovation).

How to find out what’s available in the holder

There are three possibilities to master the licenses (unit licenses, bundles, or packages) and products acquired in an Office 365 holder.

The first and simplest is simply to use the information available in the Office 365 or Azure administration portals. However, these portals only offer basic functionalities: no actions for a large number of users, a global dashboard (licenses acquired, used and non-compliant) without granularity by country or entity, etc.

The second option is to acquire a license management or optimization tool (e.g., ManageEngine, QuadroTech, CoreView). This type of solution is more suited to SMBs than large corporations, which prefer the third option because of economies of scale.

The last option is to develop a licensing tool (based on PowerShell scripts and Microsoft Graph APIs) and a dashboard (usually on Power BI). This choice will make it possible not only to overcome the limitations of native tools, but also to delegate the control of licenses to the various IT localities in a decentralized context.

Focus on development: how to find your way among the names

The development itself is not particularly complex. On the other hand, a common problem appears very quickly – the names of the services obtained by PowerShell and Graph API are simply incomprehensible. These names often come from buyouts or internal Microsoft project names (e.g. ADALLOM for MCAS, RIGHTSMANAGEMENT for AIP P1 or SPE_E3 for Microsoft 365 E3).

By experience, it is then essential to keep an up-to-date list of correspondences between the SKU names obtained by scripting and the official names:

–        The official Microsoft list is unfortunately far from being exhaustive and is not regularly updated;

–        Several unofficial lists are maintained and available on the Internet.

5/ Seven tips to define your security and compliance licensing strategy

1. Identify your needs in terms of security (identity, threats, terminals, etc.) and compliance (data protection, regulatory compliance, etc.) for Office 365;
2. Formalize an inventory of all the security and compliance tools related to the Digital Workplace available in the enterprise (including mail gateway, EDR, classification, DLP, etc.);
3. Formalize a roadmap for security and compliance tools, consistent with the modern workplace (rationalization, native security without agents, zero trust);
4. Define a licensing model with different user profiles, in conjunction with the architectural and workplace teams. It can be interesting to favor bundles by considering medium- and long-term needs. The acquisition of unit licenses (or add-on) without global negotiation would be expensive;
5. Anticipate product targeting capabilities. Some products (such as the functionalities of Azure Active Directory or MCAS) are difficult to adapt to a complicated licensing model in an international multi-entity context;
6. Activate what is available on opportunity in the acquired bundles, avoiding duplication with existing tools in order to not interfere with the signals;
7. Keep watch. The functionalities associated with a license may evolve as a result of a development or purchase of a third-party solution. In some instances, although very rare,Microsoft will embed premium features in basic plans. The message center of the administration portal and the Security and Compliance blogs are indispensable here.

To go further, find in this article the different subjects to be dealt with during the preparation of the Microsoft 365 adventure.

Cet article A “SHORT” GUIDE TO THE JUNGLE OF MICROSOFT 365 SECURITY AND COMPLIANCE LICENSING – PART 2 est apparu en premier sur RiskInsight.

Who hasn’t already felt lost looking for information on Office 365 licensing? In this article, I will help you decipher the existing plans, as well as provide a few tips and reminders on recent announcements from the publisher.

In today’s modern workplace, it is essential for security and compliance teams to know the native capabilities of collaboration and communication platforms. This knowledge will enable them to define a coherent strategy that takes into account data protection needs as well as regulations, the urbanization of the information system and the unavoidable subject of user experience.

For companies  using the highest licensing plan, Microsoft 365 E5, there is no problem: all functionalities are available. For others, the subject is much more complex.

This article is oriented for companies with more than 300 employees. For other organizations (education, associations, small and medium enterprises) the license plans are slightly different, but the information below is still applicable for most of them.

1/ Understand the security and compliance services available

Historically focused on office automation services (with Microsoft Office) and collaboration services (with Exchange and SharePoint on-premise), Microsoft’s offering has evolved strongly by integrating not only codeless application development services (with the Power Platform), but also security and compliance bricks.

These can be grouped into seven categories:

• Security: Identity and Access Management, Endpoint Management and Threat Management;
• Compliance: Information Protection, Governance, Service Control, and Cloud Control.

Identity and access management

Azure Active Directory is the fundamental building block of Microsoft Cloud Services (Office 365, but also Azure IaaS and PaaS). It is not just a simple domain controller of the on-premises identity source in the Cloud; it is also an IAM service in its own right. Several licensing plans are available for Microsoft 365 use, whose main features are listed below:

• Azure Active Directory Basic for Office 365: Single Sign On, Manual Management of Users, Groups and Applications, Endpoint Registration, Security Defaults (basic security policies for users and administrators);
• Azure Active Directory Premium Plan 1 (or AAD P1): Azure MFA, Conditional Access, Proxy Application (exposure of on-premise applications on the Internet), Group Lifecycle (expiration, dynamic groups, classification), Advanced Password Protection (Cloud and on-premise), Integration with a third-party MFA or Identity Governance Solution;
• Azure Active Directory Premium Plan 2 (or AAD P2): Azure AD Identity Protection (assessment of connections and accounts at risk), Risk-based Conditional Access, Azure PIM (Privileged Account Management with Just-in-Time Access), Access Review, Entitlement Management (assignment of predefined rights on collaboration spaces to internal or external users).

Experience has shown that the Azure AD Premium P1 license is now a must for a number of companies. At a minimum, these companies must have the following two features: conditional access and group classification. Azure AD Premium P2 is intended for administrative populations in the first instance.

As a reminder, the functionalities available for adding or modifying objects (groups, users or terminals) vary according to the implementation mode chosen: Identity Federation, Password Hash Sync (PHS) and Pass Through Authentication (PTA).

Terminal management

Intune is the Mobile Device Management (MDM) and Mobile Access Management (MAM) solution offered by Microsoft.

The Intune MDM part is historically a mobile device management solution: deployment of applications or certificates on enrolled devices, hardening of parameters, fleet management, etc.

The Intune MAM part represents the functionalities that control the data within applications via apps protection policies. MAM can be used even in a BYOD context. It is important to note that third-party MDM solutions can be integrated with Intune MAM to control Microsoft 365 Apps (such as Office for iOS or Android), but the license will still be required to use the SDK’s functionalities.

In the context of modern management, the Intune MDM part of Intune is positioned as an Enpoint Unified Management (or UEM) solution to manage all devices (mobile or not) in a unified way. The ultimate goal is to replace the SCCM tool, also known as Configuration Manager, by positioning itself in direct competition with other MDM solutions already in place within companies.

Threat Management

The Microsoft Threat Protection suite brings together all the advanced threat prevention, detection, investigation and response capabilities of the Microsoft 365 environment: messaging, collaboration spaces, endpoints and identities.

Although the various components of the suite have historically been considered less efficient than other “pure players” in their respective segments, they have the undeniable advantage of offering unified management and correlation of indicators. However, this gap has been narrowing over the past two years, with Gartner even recognizing several components of the ATP Advanced Threat Protection (ATP) suite as leaders in their segments by the end of 2019.

There are three components:

• Office ATP: Solution to fight threats related to documents, emails and malicious links. While it is possible to add a third-party email gateway, Office ATP is the only advanced protection option for collaborative spaces (SharePoint, OneDrive and Teams);
• Windows Defender ATP: Redmond publisher’s BDU solution;
• Azure ATP: Detection and investigation solution against identity compromise, through the analysis of signals from the local Active Directory. Microsoft announced in February that it will end support for the legacy solution, Microsoft Advanced Threat Analytics (ATA), by January 2021.

Protection of information

Microsoft has recently grouped all data discovery, classification and protection functionalities under the Microsoft Data Protection Framework: Microsoft Information Protection.

At the base is the engine for identifying sensitive data. Microsoft’s engine is based on two elements:

• Sensitive Information Type (SIT): Predefined regular expressions (e.g. social security number or credit card) combined with keywords, document fingerprints (e.g. patent or form) or keyword dictionaries;
• Information Classifiers: Machine learning algorithms, with predefined or constructed models. Introduced this year and still in pre-version, the classifiers can only be used with Microsoft E5 licenses..

The current trend is to classify Office 365 data (emails, documents and now Power BI) using Azure Information Protection (or AIP). The choice of classification level can be done manually or automatically with the engine presented above. AIP has been gradually integrated into the Office 365 service package, under the name Information Protection for Office 365 (or unified classification). Although less necessary today, AIP uses the new solution as well as the non-Office 365 document coverage and classification bar in office applications.

It is also possible to classify a shared space (SharePoint site, Teams or Groups Office 365), but the classification of data and space is still decorrelated.

The actual protection of information consists of data encryption and restriction of rights (DRM). Microsoft’s proprietary protocol is Azure RMS, or Rights Management. Keys can be managed by Microsoft, in BYOK or Double Key Encryption (DKE) (HYOK equivalent for Unified Labeling presented in July 2020).

Azure RMS can be applied to data manually or by inheriting the classification level. The implementation may have a different name depending on the use case involved, but the mechanisms are identical:

• AIP or RMS for documents;
• Information Rights Management (or IRM) for SharePoint: Data downloaded from a list or library inherits protection consistent with the user’s rights;
• Office Message Encryption (or OME) for electronic messaging.

In addition to the above protection, it is also possible to apply shared space protection to harden access according to the chosen classification level, e.g. restricting endpoints or guest users.

In addition to the mechanisms attached to the data (the protection remains even when sharing or copying), it is possible to control the distribution of data through the following tools:

• Office DLP: control of the distribution of e-mails and documents;
• Communications DLP: instant messaging control;
• Cloud App Security: Extension of Office DLP capabilities to integrated SaaS applications;
• Windows Information Protection: equivalent of Intune MAM for Windows 10, aimed at separating business data from personal data;
• Windows Endpoint DLP: new DLP solution for Windows 10 presented in July 2020.

Finally, a discovery of the information can be made afterwards to locate and correct the level of protection if necessary. Again, a different solution must be used depending on the use case:

• AIP Scanner: search and classification of data on on-premises directories;
• Cloud App Security: search and classification of data on Cloud spaces;
• Windows Defender ATP: search and classification of data on Windows 10;
• eDiscovery: Cloud data search (by hijacking the original functionality).

The SDK Microsoft Information Protection can be used by third-party applications to apply classification or protection to data, or simply consume protected data.

As you can see, there are a number of tools with different names to protect organizations’ data. The important thing to remember is that users will only be directly confronted with classification and protection.

Governance

The year 2020 may be selected as the year of compliance for Office 365. Microsoft has reorganized existing products and introduced new ones to address various HR and regulatory risks. All these products are grouped together in the new Compliance Center, which replaces the equivalent part in the Security & Compliance Center.

The first group of these products is related to information retention. Retention policies (retention, legal registration, deletion, etc.) are defined via retention labels applied to a piece of data or a shared space. Labeling can be done manually, by default on containers (e.g. user mailboxes or SharePoint sites), or automatically, in the same way as privacy labels.

The products related to traceability and audit of the holder are then found. By design, the Unified audit logs can trace the actions of users or administrators. These logs, although very complete, are not exhaustive and are regularly completed. In order to increase the 90-day retention period of the unified logs, last year Microsoft introduced Advanced auditing, which offers a retention period of up to one year and more complete logs (such as all accesses to a mailbox).

In addition to logging, four products offer investigation possibilities:

• Core eDiscovery allows to extract content according to a query (e.g.: messages sent by a user containing this or that information);
• Advanced eDiscovery is an advanced feature to filter the most relevant content and provide visualization possibilities on the results;
• Microsoft Data Investigations,still in pre-version, is a clone of Advanced eDiscovery allowing to trace the context that may have led to a data leak;
• Data Subject Requestwas introduced when the GDPR came into force, in order to identify and export data related to a natural person. Again, this is a clone of Core eDiscovery, which can be searched in this context.

Note that the eDiscovery functionalities of Exchange Online (Hold, search, etc.) will gradually be phased out in favor of those of the Compliance Center.

Finally, Microsoft recently presented a whole range of products to combat internal risks (insider trading, data leakage by users on departure, discrimination, illegitimate access to data, etc.). In concrete terms, these products are designed to implement and automate existing principles in organizations’ existing HR, legal and business policies:

• Insider Risk Management is a feature to raise alerts in case of suspicious actions performed by an internal user (e.g. massive downloads performed by a user on departure, breach of security policy). The product is centered around the following axes: alert, investigation, automatic or manual remediation;
• Information Barriers allows to regulate exchanges (OneDrive, SharePoint and Teams) between internal persons, in order to technically force bans on content exchanges between entities due to regulatory requirements;
• Communications Compliance extends Office DLP’s functionality by enabling alerts when inadequate communication is detected (Teams, Mail or Yammer), such as regulatory non-compliance, non-compliance with an internal policy (e.g. harassment) or exchanges around a specific project;
• Privileged Access Management (PAM) is Azure PIM’s counterpart for operational administrative tasks. In order to perform a task, a person will have to request a privilege elevation for a defined perimeter and time;
• Customer Lockbox : is the name of the internal Microsoft process that allows a support person to access data within an organization. Customer Lockbox adds a validation step by the customer in question. In practice, this product ensures that a Microsoft employee does not inadvertently modify data, but does not protect against government requests. On the latter subject, Microsoft regularly publishes statistics.

Most of these products are still in pre-version. There is still very little feedback from the field on these solutions, which are expected to become more mature.

Control of services

In addition to the products described in the previous chapter, Microsoft provides organizations with two additional tools to comply with local regulations.

First, Customer Key allows an organization to add an overlay of encryption at the application level (Exchange Online, OneDrive, SharePoint Online and Teams), that manages the lifecycle of the keys used. This overlay is in addition to the encryption applied by construction to data at rest on Microsoft servers. However, be careful not to lose the keys, which would lead to a total loss of data.

Secondly, Multi-geo‘s functionalities ensure that data is kept at rest in a given geographical area. The challenge with this functionality is to be able to differentiate between personal and shared spaces according to the target location.

Mastering the Cloud

With Cloud App Security, Microsoft has its Cloud Access Security Broker (CASB): fighting against Shadow IT (using the APIs of supervised solutions or SaaS applications not managed via proxy log analysis), Data Protection, Detection of abnormal behavior and Analysis of SaaS application compliance.

Again, three levels of functionality are available:

• Cloud App Discovery: Accessible with Azure AD P1, this level allows you to take advantage of Shadow IT;
• Office 365 Cloud App Security: Accessible with an Office E5 license, this is an intermediate level allowing you to benefit from degraded functionalities limited to Office 365;
• Microsoft Cloud App Security: Highest level of CASB functionality.

It is important to remember here that Azure AD P1 will be required if one wishes to implement conditional access policies for connected applications (including Office 365).

With the Governance features presented above, Cloud App Security is the least exploited brick today, mainly due to the excessively high level of licensing.

Find the rest of this writing in the article “A short guide to find your way through the jungle of Microsoft 365 security and compliance licenses – Part 2”.

Cet article A “SHORT” GUIDE TO THE JUNGLE OF MICROSOFT 365 SECURITY AND COMPLIANCE LICENSING – PART 1 est apparu en premier sur RiskInsight.