Several federal initiatives, such as CDM (Continuous Diagnostics and Mitigation) and TIC (Trusted Internet Connection), are increasingly converging: the same tools and approaches, such as Zero Trust, can be used to meet multiple federal mandates. This convergence is an opportunity to reduce complexity while helping agencies improve their security posture and increase IT efficiency.

This blog, the first of a four-part series on meeting federal mandates with SaaS services, explains how government agencies can implement SaaS services such as Office 365 to help achieve compliance with the Department of Homeland Security’s Trusted Internet Connections (TIC) 3.0 initiative. This first post focuses on securing a mobile perimeter.

Achieving flexibility of access while protecting data

Cloud applications and the mobile workforce have redefined the security perimeter. Employees commonly access enterprise data from phones and tablets, and some organizations have a “Bring Your Own Device” (BYOD) policy that allows personal devices to reach enterprise data such as email. While this is certainly helpful to the end user, the model also presents challenges for IT security teams, who often struggle to balance flexibility of access against protection of sensitive information.

There are two methods for allowing mobile access with Microsoft solutions:

Creating an app container with MAM

Intune’s Mobile Application Management (MAM) allows organizations to create App protection policies (APP) that build an "app container", separating confidential enterprise data from personal data via custom policies. Why is this important? In a BYOD scenario the device is often not fully managed, yet there is still a need to control data movement and ensure that your organization's data remains protected and managed.

Intune App protection policies give organizations the flexibility to create rules even when another Mobile Device Management (MDM) solution is managing the device. This lets organizations take advantage of App protection policies without forced migrations; the policies work alongside MDM enrollment or in its absence.

App protection policies are rules that ensure an organization's data remains safe or contained in a managed app. A policy can be a rule that is enforced when the user attempts to access or move "enterprise" data, or a set of actions that are prohibited or monitored while the user is inside the app. For example, Intune App Protection can restrict “copy and paste” of data between applications, which prevents users from accidentally moving sensitive data to an unmanaged application and inadvertently causing a data spill. Security teams can also apply rules that prompt users for a PIN, multi-factor authentication, and various other actions to increase security for data access.
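As an added example (not code from the original post), the following creates an iOS App protection policy of the kind described above through Microsoft Graph, using the Microsoft Graph PowerShell SDK: it restricts data and clipboard transfer to managed apps, requires a PIN, and scopes the policy to Outlook. It assumes the Microsoft.Graph module is installed, the signed-in admin holds the DeviceManagementApps.ReadWrite.All permission, and the group ID is a placeholder to replace with your BYOD user group.

```powershell
# Added example: build an Intune iOS app protection policy ("app container") via Graph.
# Assumes Microsoft.Graph module; group ID below is a placeholder, not a real group.
Connect-MgGraph -Scopes "DeviceManagementApps.ReadWrite.All"

$policy = @{
    displayName                             = "BYOD iOS - contain enterprise data"
    description                             = "Block data egress to unmanaged apps and require a PIN"
    # Data transfer: enterprise data may only move between Intune-managed apps
    allowedInboundDataTransferSources       = "managedApps"
    allowedOutboundDataTransferDestinations = "managedApps"
    # Clipboard: paste into managed apps allowed, copy out to unmanaged apps blocked
    allowedOutboundClipboardSharingLevel    = "managedAppsWithPasteIn"
    saveAsBlocked                           = $true
    dataBackupBlocked                       = $true
    printBlocked                            = $true
    # Access requirements enforced inside the container
    pinRequired                             = $true
    minimumPinLength                        = 6
    simplePinBlocked                        = $true
    maximumPinRetries                       = 5
    periodOnlineBeforeAccessCheck           = "PT30M"   # re-check access every 30 min online
    periodOfflineBeforeAccessCheck          = "PT12H"   # require connectivity after 12 h offline
    # Safety net for lost devices: wipe app data if the app stays offline this long
    periodOfflineBeforeWipeIsEnforced       = "P90D"
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceAppManagement/iosManagedAppProtections" `
    -Body ($policy | ConvertTo-Json -Depth 5) -ContentType "application/json"

# Target the policy at the Outlook iOS app (identified by its bundle ID)
$apps = @{ apps = @(
    @{ mobileAppIdentifier = @{ "@odata.type" = "#microsoft.graph.iosMobileAppIdentifier"
                                bundleId      = "com.microsoft.Office.Outlook" } }
) }
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceAppManagement/iosManagedAppProtections/$($created.id)/targetApps" `
    -Body ($apps | ConvertTo-Json -Depth 5) -ContentType "application/json"

# Assign the policy to the BYOD user group (placeholder GUID)
$assign = @{ assignments = @(
    @{ target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"
                   groupId       = "00000000-0000-0000-0000-000000000000" } }
) }
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceAppManagement/iosManagedAppProtections/$($created.id)/assign" `
    -Body ($assign | ConvertTo-Json -Depth 5) -ContentType "application/json"
```

Review the resulting policy in the Intune portal before assigning it broadly; the offline wipe period in particular should match your organization’s lost-device process.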

Figure 1 Intune Application Protection Policies

Using Azure Information Protection to protect data

Once the applications have been "containerized" by separating personal and organizational data, customers can use Azure Information Protection (AIP) to create policies that encrypt and protect sensitive data regardless of location or device. AIP provides the ability to discover, classify, protect, and monitor organizational data via policy: beyond discovering and classifying documents, it applies data protection policies that restrict who has access and how the user can interact with the data. AIP is not limited to mobile devices and will be referenced throughout the blog series.

Figure 2 Azure Information Protection Dashboard

Options for wiping data

A major risk in mobile computing environments is that devices are often lost or stolen, and personnel may leave the organization, so access to sensitive information can persist and cause a data spill. Intune allows an organization to wipe the application data without wiping the entire device, which is critical to protecting both the enterprise and the device owner in a BYOD scenario. A user’s personal data is not removed, just the sensitive organization data. This gives an organization the flexibility to decide what level of removal to invoke: if the device is fully managed, the organization can wipe the entire device, or choose an app-selective wipe based on its requirements.

However, if security professionals rely on device wiping alone to prevent data leakage from mismanaged devices, a lost device may never come back online, and the wipe will never execute. One key benefit of AIP is that protection policies move with the data. Organizations can create policies that require authentication each time a user attempts to open a document; if the user fails to authenticate, the document cannot be opened.

AIP delivers the capability to create policies that expire access, prevent printing, and encrypt sensitive content regardless of the owner, device, or location. Since the policies move with the data, controls are always in place regardless of the management boundary. AIP also provides a central dashboard of all the files labeled or protected in your organization, giving a view of who is accessing data and where the data is stored.

Device Management with MDM

The second option when using Microsoft Intune is device management through MDM. This is the most common scenario because device management provides additional security controls above and beyond app protection policies. Note: administrators can use app protection policies and device management together, as they are not mutually exclusive. After a device is enrolled into Microsoft Intune, administrators are presented with several options to better secure the device, allowing organizations to deploy security and compliance policies, manage applications, and monitor each device.

When accessing Microsoft cloud solutions like Office 365, authentication and access are controlled by Azure Active Directory. Since authentication is centrally controlled and Microsoft cloud solutions are natively integrated, organizations may additionally use conditional access policies to block access from unmanaged devices.

Figure 3 shows the possible options for managing a device with Microsoft Intune and Conditional Access.

Requiring device management as a condition of access

Alternatively, an organization can require device management before an unmanaged device may access enterprise network resources. Users are prompted to enroll their device into Microsoft Intune before access is allowed, which simplifies the enrollment process and ensures that only managed devices with the appropriate policies can access sensitive data. Once a device is enrolled into Microsoft Intune, it is registered with Azure Active Directory, which uses identity as the control plane for both users and devices. This registration allows organizations to use device-based conditional access policies to verify device compliance before allowing access to Microsoft cloud services like Office 365, adding another layer of security while simplifying mobile content and application management.
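As an added example (not code from the original post), the following creates the device-based Conditional Access policy described above with the Microsoft Graph PowerShell SDK: access to Office 365 from iOS and Android requires an Intune-compliant device. It is created in report-only mode so the effect can be reviewed in sign-in logs before enforcement. It assumes the Microsoft.Graph module is installed, the admin holds Policy.ReadWrite.ConditionalAccess, and the excluded group ID is a placeholder for your break-glass accounts.

```powershell
# Added example: require an Intune-compliant device for Office 365 on mobile platforms.
# Assumes Microsoft.Graph module; the excluded group GUID is a placeholder.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$policy = @{
    displayName = "Require compliant device for Office 365 (mobile)"
    # Start in report-only mode; switch to "enabled" after reviewing sign-in logs
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        clientAppTypes = @("all")
        # "Office365" is the built-in application group covering Office 365 services
        applications   = @{ includeApplications = @("Office365") }
        users          = @{
            includeUsers  = @("All")
            # Keep emergency-access accounts out of device-based policies
            excludeGroups = @("00000000-0000-0000-0000-000000000000")  # placeholder
        }
        platforms      = @{ includePlatforms = @("iOS", "android") }
    }
    grantControls = @{
        operator        = "OR"
        # Device must be marked compliant by Intune; enrollment is prompted otherwise
        builtInControls = @("compliantDevice")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Read the policy back and confirm the grant control actually requires compliance
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
if ($check.GrantControls.BuiltInControls -notcontains "compliantDevice") {
    throw "Policy $($check.Id) does not require a compliant device; review before enabling."
}
"Created policy $($check.Id) in state $($check.State)"
```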

Figure 4 Conditional Access policy options

In this blog, we looked at solutions like Azure Active Directory, Microsoft Intune, and Azure Information Protection that help organizations create more secure mobile experiences, primarily by creating policies to protect data from leakage and by verifying device compliance.

Be on the lookout for the next blog of the series in early January where you’ll learn more about securing the endpoint.

About the Author

Brian Tirch

Homeland Security Division CTO, Microsoft Federal

Brian Tirch has over 20 years of IT experience working in many roles throughout his career. Brian holds a BSIS degree with a concentration in networking and has been a contributing author and technical editor for several books over the years. Brian holds many industry certifications and spent 4 years as a technical trainer teaching courses like A+, Network+, and the MCSE curriculum. Before joining Microsoft, Brian was one of a few hundred people in the world holding the title of MVP for Microsoft Exchange. During that time, Brian worked with industry to develop and review the certification exam material and hosted a popular blog. Most of Brian’s career has been in the Department of Defense, where he spent much of his time advising senior leaders. Brian has worked for several large companies like EMC (now Dell-EMC) and was an Infrastructure Architect in the Microsoft Technology Center (MTC) for 9 years. Brian is currently the CTO for Microsoft’s Homeland Security Division, where he works with senior leaders in DHS and DOE to achieve business and technical outcomes.