Microsoft’s Enterprise Mobility and Security offerings are additional sets of security services that can be purchased to help control, audit and protect the data and users of Microsoft’s Azure and Office 365 products.
If you’re an enterprise that is concerned about data breaches, ransomware or insider threats, you will almost certainly want to upgrade your base (E3) Azure license to the slightly more expensive but worthwhile E5.
Note: It’s a licensing distinction, not a technical one, but the EMS E5 features listed below are the same as those you receive from Azure AD Premium P2.
Bluntly speaking, if you’re an organization large enough to have an actual IT department and not a “Julie in accounting is good with computers so she handles that stuff in her spare time” department, the base security and management options of Office 365 will not be sufficient.
How to get Detailed reports of Office 365 File, Email and Active Directory Permissions
If you’re accustomed to having detailed insight to your file sharing, email, and Active Directory permissions and activity, as Varonis customers are, the (lack of) default security functionality in the base Office 365 license will shock you.
The following feature lists are organized to help you make sense of the native Microsoft Office 365 security tool capabilities available at each license level. These capabilities are actually provided by a number of different applications and services bundled into the different tiers, so the degree of cohesion and coverage varies from feature to feature.
In particular, if you need to secure both cloud and on-premises infrastructure, you should check out the additional capabilities added by Varonis (listed below).
E3 features NOT in the base license (ProPlus and E1)
Single Sign On
- SSO across Office 365 + Azure services
- Ability to develop apps to consume the SSO
Advanced Security Reporting
- Auditing and Alerting
- Search, hold and export data held in the organization’s Office 365 stores
- Access revocation
- Prevent accidental sharing of sensitive information
- View DLP Reports showing content that matches policies
E5 Features not in E3
Risk Based Conditional Access
- Limit data access based on location, device, user state, and application sensitivity.
  - Limit a kiosk application to only run from designated workstations
  - Block outside access to BI apps
  - Enforce web applications only running on company hardware
- Machine Learning based detection of suspicious patterns of data access.
  - Leverage larger Azure touchpoints for risk identification (brute forcing)
  - Identify abnormal data access patterns that might indicate malware
- Contextual Multi-Factor Authentication challenges
  - Issue MFA requests to modify data (update email/password) in an app but don’t issue a challenge to view the data
  - Issue MFA challenge on a session / periodic (once per week) basis
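As an added example (not from the original post), here is what the conditional access goals above look like when written as a Microsoft Graph conditionalAccessPolicy resource: it requires MFA for medium- and high-risk sign-ins that come from outside trusted locations, and re-challenges every seven days. The policy is created in report-only state so its effect can be reviewed in sign-in logs before enforcement; the excluded break-glass group ID is a placeholder.

```json
{
  "displayName": "Require MFA for risky sign-ins outside trusted locations",
  "state": "enabledForReportingButNotEnforced",
  "conditions": {
    "users": {
      "includeUsers": ["All"],
      "excludeGroups": ["<break-glass-admins-group-id>"]
    },
    "applications": {
      "includeApplications": ["All"]
    },
    "clientAppTypes": ["all"],
    "signInRiskLevels": ["medium", "high"],
    "locations": {
      "includeLocations": ["All"],
      "excludeLocations": ["AllTrusted"]
    }
  },
  "grantControls": {
    "operator": "OR",
    "builtInControls": ["mfa"]
  },
  "sessionControls": {
    "signInFrequency": {
      "isEnabled": true,
      "type": "days",
      "value": 7
    }
  }
}
```

Switch "state" to "enabled" only after confirming in the report-only results that the excluded emergency-access accounts are never caught by the policy.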
Privileged Identity Management
- Better overview of which users are assigned privileged and admin roles in Azure resources and Azure AD
  - Get a 10,000 foot view of who has the capability of making changes in your infrastructure
- On demand just in time admin access for users
  - Grant and pull back admin rights for specific workflows
- Administrator Assignment alerts
  - Find out when a new admin is added at 2:30am on a Saturday
- Admin approval requirements for roles
  - Have the CTO/Director of IT approve new admin right grants
- Audit + track admin right grants
  - Admin role auditing
  - Track what changes have happened with the admin group overall
- Classify and label data based on sensitivity
  - Identify data in files that are potentially dangerous.
- Carry label based sensitivity protection through the enterprise
  - As different systems interact with the data, you can restrict access, require an MFA challenge, etc. based on what classification label is applied.
Microsoft Cloud App Security
- Monitor usage of SAAS apps on your network
- Block Shadow IT SAAS apps
- Enforce addition/removals from SAAS apps
- Limit cloud app usage based on user, device and location
- Better secure potentially weak SAAS apps
How to secure your move to Office 365 with Varonis
Moving from an on-premises to a hybrid environment with Office 365 is inherently tricky. Make things easier on yourself by using Varonis to:
- Clean up your existing user accounts
- Lock down your current file permission and sharing strategy
- Skip moving stale and abandoned data to the cloud
- Quarantine sensitive information.
Post-move, Varonis lets you monitor your on-premises and Office 365 resources in a single unified view. Without that capability, it’s almost impossible to track lateral data movement through your environment without manually stitching together logs, which significantly increases your response time to a suspected data breach or other security event.
Enforcing Least Privilege
- Allow data owners to manage permissions
- Assign permissions based on historic usage
- Model permissions structures before applying
- Bidirectional view of permissions and permission sources
- Get transparency into permissions views
- Understand exactly who owns what
- Fine grained rule definition and alerting
- User account behavioral identification (users, admins and VIPs naturally behave differently)
- Regulating bodies don’t care where your data is located, so you need to cover both cloud and on-premises systems as well as the localities where your data is physically stored.
Get Started Securing Office 365
If you’re interested in seeing where your file permissions are open, where your sensitive data exists, and which administrator who quit three years ago still has access to your network, you should get a free risk assessment from Varonis.
Michael has worked as a sysadmin and software developer for Silicon Valley startups, the US Navy, and everything in between.