Protecting company email accounts is critical to your IT security because gaining access to an email address is a cyber criminal’s dream. Bad actors can silently mine a compromised account for years, then use or sell the information gathered. So how do you keep all your company devices secure when many people – some of them likely on your team – still use insecure passwords like “Pasword1234” and “LetMeIn”? The answer lies in Trusted Devices and Trusted Users.
Maybe you are diligent about security on your own accounts, but research shows most people are not. How do you protect accounts across a team of people with varying levels of tech savvy, risk avoidance or risky behaviour?
In the good old days, your Windows server in the office did the job. It housed all files. Users logged in and were authenticated in Active Directory. Nobody worked from home. Data was restricted to the server.
Today, we all work in the cloud. Data sprawl is everywhere. Most businesses made the switch to cloud email without a moment’s thought about cloud security.
Now that cyber threats have exploded into billion-dollar-a-year industries, you have to stop and ask yourself about your cloud and email security. Is it enough? After all, a single compromised email address can have wide-reaching and expensive fallout.
What is a Trusted Device in IT?
In simple terms, a Trusted Device is one that your company owns, secures, controls administrative functions on, and has registered in a central IT management platform of some kind so that it can be tracked. For our purposes we use, and will talk about, Azure Active Directory and, within it, another toolset called Microsoft Intune. Intune lets you create Trusted Devices and Trusted Users to ramp up your IT security controls.
What is Azure Active Directory used for?
Azure Active Directory (AAD) makes it possible to list, view and manage your user accounts and computers with ease and basic controls. Think of it like a central spreadsheet that lists all your bound (authenticated) user accounts and devices.
It gives IT administrators the ability to prevent users from performing administrative tasks on the devices that you own, like installing software that could be malicious or uninstalling software meant to protect your company.
Without some kind of control list, how can you tell your identified and authenticated users and devices apart from any random person or bad actor on the internet? You can’t. You need a tool like Azure AD to start building up your cloud security. Once you have that, you can beef it up with Microsoft Intune.
What is Microsoft Intune used for?
Intune is like a series of advanced formulas in that spreadsheet (Azure AD).
Each formula is a Conditional Access Policy that can evaluate and apply If, Then and Or statements to any user, device or group in your spreadsheet.
For example, we set a policy that all our devices must be encrypted. Then, if an unencrypted device attempts to access company data, the policy assesses “Is this computer encrypted? If no, then block.”
Here’s a handy summary.

Azure Active Directory
- List, view and manage your user accounts and computers.
- Basic controls include:
  - 2FA required on user accounts.
  - Block software installations.
  - Block software deletions.
A good start.

Microsoft Intune
- Conditions must be met to access email accounts and data. Some examples include:
  - No login from outside Canada (or from inside any specific country).
  - Encrypted devices only.
  - Data Loss Prevention policies that warn users if they are about to share sensitive info.
  - Data labelling and retention rules.
  - No copy, no forwarding, no downloading rules.
Top notch data security.
How does this help me?
All unmanaged connections to your company accounts and data are high risk.
Unmanaged devices are no different from a stranger’s device on the internet, as far as your company can tell.
Every business needs managed devices. Endpoint management is the term commonly used for the process of securing and managing devices: making sure all company computers have antivirus, have all patches applied promptly via automation, and have additional threat detection tools like EDR. Trusted Devices go one step further. First the device is bound to the company domain using a tool like Azure AD, which enables not just the installation of the protective tools that endpoint management provides, but also administrative controls such as preventing staff from installing software they downloaded online that could be loaded with malware, or from deleting the software installed for endpoint protection. Then, building on that, we apply data security policies with Intune.
So, while antivirus can keep some malware off a computer, it can’t help you specifically and explicitly say that this computer is allowed to connect to my company and that one is not. The gif below demonstrates how Azure AD and Intune help you with that.
Now that we understand that unmanaged computers are risky, and that antivirus or even endpoint management are not enough to protect the company from users’ risky actions, we can also see how using Azure AD and Intune to create Trusted Devices and Users helps with cyber security and Information Protection.
We first need Azure AD enabled; then we can turn on Intune to apply additional data security controls.
With Intune, once authenticated users (your Trusted Users) are in your systems, you can use policies to define how they can use and share data. You can get very specific, or keep it general. These are called Conditional Access Policies and they are incredibly powerful data security tools.
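As an added example (not TUCU’s code, and not from the original post), here are the two conditions from the summary above, “encrypted devices only” and “no login from outside Canada”, written against the Microsoft Graph PowerShell SDK: an Intune compliance rule that marks a Windows device compliant only when BitLocker is on, and Conditional Access policies that act on it. It assumes an admin account with the listed Graph scopes and a tenant where the policies do not already exist; the emergency-access account ID is a placeholder.

```powershell
# Added example (not TUCU's code); assumes an admin with the two scopes below.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "DeviceManagementConfiguration.ReadWrite.All"

# 1. Intune: "Is this computer encrypted?" A device that fails is marked non-compliant at once.
$compliance = @{
    "@odata.type"            = "#microsoft.graph.windows10CompliancePolicy"
    displayName              = "Require BitLocker encryption"
    bitLockerEnabled         = $true
    storageRequireEncryption = $true
    scheduledActionsForRule  = @(@{
        ruleName                      = "PasswordRequired"
        scheduledActionConfigurations = @(@{ actionType = "block"; gracePeriodHours = 0 })
    })
}
New-MgDeviceManagementDeviceCompliancePolicy -BodyParameter $compliance

# 2. Conditional Access: "If no, then block." Azure AD only knows the compliance state of
#    devices bound to the tenant, so an unmanaged (stranger's) device fails this check too.
$requireEncrypted = @{
    displayName   = "Require compliant (encrypted) device"
    state         = "enabledForReportingButNotEnforced"   # report-only first; set "enabled" after review
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @("<emergency-access-account-object-id>") }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("compliantDevice") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $requireEncrypted

# 3. "No login from outside Canada": a country named location, then a policy that blocks
#    sign-ins from every location except that one (keep the emergency account excluded).
$canada = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    displayName                       = "Canada"
    countriesAndRegions               = @("CA")
    includeUnknownCountriesAndRegions = $false
}
$blockOutsideCanada = @{
    displayName   = "Block sign-ins from outside Canada"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @("<emergency-access-account-object-id>") }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
        locations      = @{ includeLocations = @("All"); excludeLocations = @($canada.Id) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $blockOutsideCanada
```

Both policies are created in report-only mode so the sign-in logs show who would have been blocked before enforcement is switched on.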
Data loss prevention and risk mitigation are being adopted more rapidly now by businesses of every size. IT compliance solutions for COBIT, NIST and other security frameworks can help your company stay safe and be ready to do business in a marketplace that is increasingly looking for cyber-aware partners and vendors.
Security keeps changing. TUCU helps you keep up.
Microsoft invests billions into cybersecurity tools for companies of all sizes. By using these tools and qualified IT partners like TUCU, you can immediately improve security across your organization.
Contact us today to talk about cyber security solutions for your team.