Suppose you went to your insurer and said you would like to extend your insurance. You’ve already insured your office building, your employees are insured for health and other things, but you’ve got no insurance to cover your data. You tell your insurer that you’d like to insure 20,000 Word files and 2,000 Excel spreadsheets. On top of that, you’d like to insure 12 of your employees’ user data and user identities, with cover against harm from malicious software thrown into the bargain.
You know the answer, don’t you?
No insurer would touch it with a bargepole. Fortunately, there are smart and secure solutions that can give you the security you need for both your data and your users. Microsoft’s Enterprise Mobility + Security, also known as EMS, is an IT security-related insurance you can’t buy from an insurance company.
In the past, IT security people had a very clear approach to tackling threats. You could say it was a case of “us versus them”. One solution was to protect your internal resources with multiple layers of security, with everything inside the secure zone guarded against outside threats. The firewall, the traditional solution, has been the monolith of the data security world.
However, the situation has changed, little by little, not least because employees, who are on the inside, are the vulnerable ones. The threat landscape has become so complex that you need manifold solutions to achieve adequate security.
It is not like your employees have become sloppy just like that. All IT managers are familiar with and still continue to grapple with the traditional challenge of adequate security quickly giving rise to poor user-friendliness. For example, users can become impatient after having to type in their passwords several times on various platforms in the course of a working day, which leaves them resorting to actions that jeopardize data security.
A further example was when the manager of the IT department of one of Norway’s biggest companies sent out an email to his employees asking them to click on the attached link, reportedly because he wanted them to enter the size of the item of clothing they were going to receive from the company as a Christmas present. The employees clicked on the link and registered using their usual usernames and passwords — only to receive an acknowledgement saying “Thanks, I now have access to all your data”.
It can be that easy.
Employees are not stupid
Users are so used to entering usernames and passwords in all manner of contexts that they no longer give it a second thought. Once companies and organizations realise that the security risk lies as much within their walls as it does outside, they won’t be able any more to slip back into the “us versus them” mode of thinking.
Naturally, the fact that employees can present a security challenge doesn’t mean that they’re stupid. Rather, it’s the old systems that are “stupid” as they encourage users to act carelessly.
Microsoft’s Enterprise Mobility + Security, also known as EMS, allows both security managers and employees a little space to relax: no longer will they be forced to lose sleep over reports such as that showing that up to 60 per cent of all organizations and companies were the target of ransomware attacks in 2016. Not only that, ransomware attacks doubled from 2017 to 2018.
So, what is it about Microsoft’s EMS that makes it so much smarter than previous security solutions?
EMS comes with a bundle of advantages
EMS protects your users against unauthorized login through multi-factor authentication, as it does against spam and malware. For example, user data and documents are encrypted using very specific criteria, which eliminates the need to protect your file server with a firewall.
To begin with, your employees can store their sensitive documents anywhere they like. Without protection, anyone can read such documents. If you have an EMS license, you can simply right-click on a document, designate it as company-sensitive, and your document will be protected! Naturally, you’ll still be able to decide who has access to which documents: this allows you, for example, to authorize an entire department to access the content of your documents, while keeping them out of the reach of anyone outside the secure zone.
In addition, if you use certain internal templates for Word, PowerPoint, and other applications, the EMS suite can adjust the security level for documents generated from such templates. Are your templates marked as confidential? Create rules in EMS to scan your file server before encrypting all documents whose template contains the word “confidential”.
EMS E3 versus E5
There are two versions of EMS and both are to be found in the Azure cloud universe. The older version is referred to as the E3, the new one as the E5. Essentially, the difference between the two is twofold: 1. how many rules and levels of security you, as an administrator, can automate, and 2. the E5 is slightly more expensive than the E3.
In other words, both the E3 and the E5 protect both units and users, but, whereas with the E3 you have to do some of the security work manually, the E5 sets no limits on what you can automate.
You can adjust the security level depending on the threat landscape you’ve identified for your users, and your IT manager can make all units used by your employees secure. If a user logs in from an entirely different place than they normally use, or if use patterns are detected other than those that are common for a particular user, you can take some action, such as requiring that the user confirm that they, rather than someone else, are logging on.
EMS learns from user behavior, including from any “mistakes” they may make.
This is CAS
The EMS E3 and E5 are premised on providing the best security possible without hassling your employees and without making them less aware or productive. You can use complex algorithms to ratchet up security to a level that is incredibly reliable, or you can encrypt content and protect important data without your users being bothered by the system.
One of the biggest advantages of the E5 comes under the three-letter acronym CAS, short for Cloud App Security. It is a particularly powerful and comprehensive tool. As already mentioned, CAS can scan all public areas and, within hours, protect documents according to rules set by the administrator him/herself.
The user will not notice anything and can use documents as before — even those that have been encrypted. In addition, CAS can monitor other cloud activities and sound the alert, for example, if a user suddenly begins to download all job files onto an external cloud service such as Dropbox or OneDrive. Whether one of your employees is planning to leave the company, or is just being careless about security, or whether the owner of an encrypted document falls ill or goes on holiday, EMS will remain flexible throughout. With the help of a master key, the administrator can open the document and allow other people in the company to work on it — without the owner having to be called back from holiday or forced to turn up in the office with a terrible flu bug.
FACT BOX - AZURE
Senior Consultant at Innofactor focuses on user experience and connections between people, computers and implementation of new technology. Alexander has been awarded the Microsoft MVP since 2014 and Windows Insider MVP since 2019. He has been an honorable speaker at various local seminars, TechDays Sweden, at the Nordic Infrastructure Conference (NIC) and Ignite.