Interlink Cloud Blog

Welcome to the Interlink Cloud Blog

All content provided on this blog is for informational purposes only. The owner of this blog makes no representations or warranties regarding the information from our partners or other external sources.
Eric Inch

"Stay Out Unless I Say So!" - The Sweetness of Azure AD Conditional Access

I talk to a lot of customers using Office 365 who would like granular control over who can access the hosted services, and who want to allow access only from corporate-owned and managed devices. Enter Azure AD Conditional Access: "Keep out... unless, of course, you meet certain conditions!"

For example, with Azure AD device access rules you can restrict access to Exchange Online to only domain joined machines.

"Wait?! What?! That sounds just like what I'm looking to do. What does that look like?"


When a user attempts to access Outlook Web App from a personal computer, they go to the OWA URL and enter their username and password.


The conditional access policy checks whether the device being used to access OWA is domain joined and registered in Azure AD. Since the computer is a personal computer, the user is denied access.


After closer examination using the "More details" link, you can see that the access rules require the device to be domain joined. For a personal computer, the device state shows as Unregistered.

Your access to corporate resources was swatted away like Dikembe Mutombo. "Not in my house!"

“Good Eric, that’s all great but how about the full Outlook client? I would really like to see what options we have to prevent our users from connecting their personal Outlook client to our corporate email.”


When a user attempts to connect the Outlook client on a non-domain machine, the Outlook client will open and prompt the user for authentication.


The user will enter their username and password and the authentication process will look for a registered device.


Once again the user will be gently reminded that they need to be on a corporate owned device.

“Wow Eric, I’m really impressed by Conditional Access and the device access restrictions available in the Microsoft security suite. Anything else we should know? What about users that want to access OWA from other browsers?”


First and foremost, under no circumstance should you ever use anything other than Microsoft technology. Ever!

But, in the event some of your users want to go against my recommendation, to access corporate resources protected with device access rules they would need to use a supported browser. See the list of conditional access support for applications: https://azure.microsoft.com/en-us/documentation/articles/active-directory-conditional-access-supported-apps/


The behavior when attempting Outlook Web App using the Google Chrome browser would be as follows:

The user enters their username and password from a non-domain machine.

Since the user is trying to use a browser that doesn't support conditional access, the user is shown a warning that the browser is not supported and told to use Microsoft Edge or Internet Explorer.

The device-based access rules are configured within Azure AD Premium and have the following options:

  • Enable Access Rules – On or Off (self-explanatory).
  • Apply To – The specific groups that you want to scope the access rules to. You also have the ability to exempt specific users from the scope.
  • Device Rules – The access rules you want to enforce for access to the corporate resources.
  • Application Enforcement – "For browser and native applications" or "For only native applications".
  • Exchange ActiveSync – Require a compliant device to access email.
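The same rule the post walks through (Exchange Online, scoped to a group with exceptions, browser and native clients, managed device required) can be expressed as a Conditional Access policy from PowerShell. The script below is an added example, not code from the original post or from Microsoft; it uses the AzureAD module's `New-AzureADMSConditionalAccessPolicy` cmdlet, which creates the Graph-based policies that replaced the classic Azure AD Premium "device access rules" shown in the screenshots above, so it goes a little beyond what the post describes. The group and user object IDs are placeholders you would look up in your own tenant; the Exchange Online application ID is Microsoft's well-known first-party value.

```powershell
# Added example (not from the original post): the device-based access rule described
# above, written as a Conditional Access policy with the AzureAD PowerShell module
# (New-AzureADMSConditionalAccessPolicy, AzureAD 2.0.2.x or later is assumed).
# Object IDs marked <...> are placeholders.

Connect-AzureAD

# "Apply To": scope the policy to one group and exempt a break-glass account
$conditions = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessConditionSet
$conditions.Users = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessUserCondition
$conditions.Users.IncludeGroups = @("<object-id-of-scoped-group>")    # placeholder
$conditions.Users.ExcludeUsers  = @("<object-id-of-exempted-user>")   # placeholder

# Target Exchange Online; OWA, the Outlook client and ActiveSync all authenticate to this app
$conditions.Applications = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessApplicationCondition
$conditions.Applications.IncludeApplications = @("00000002-0000-0ff1-ce00-000000000000")  # Office 365 Exchange Online

# "Application Enforcement": browser plus native desktop/mobile clients, and ActiveSync
$conditions.ClientAppTypes = @("browser", "mobileAppsAndDesktopClients", "exchangeActiveSync")

# "Device Rules": grant only from a domain-joined (hybrid Azure AD joined) or compliant device
$controls = New-Object -TypeName Microsoft.Open.MSGraph.Model.ConditionalAccessGrantControls
$controls._Operator = "OR"
$controls.BuiltInControls = @("domainJoinedDevice", "compliantDevice")

# Create in report-only mode first: the sign-in logs then show who *would* have been
# blocked (the "Unregistered" case in the post) before any user is actually locked out
$policy = New-AzureADMSConditionalAccessPolicy `
    -DisplayName "Exchange Online: require managed device" `
    -State "enabledForReportingButNotEnforced" `
    -Conditions $conditions `
    -GrantControls $controls

Get-AzureADMSConditionalAccessPolicy -PolicyId $policy.Id | Format-List DisplayName, State

# After reviewing the report-only results, enforce the policy
Set-AzureADMSConditionalAccessPolicy -PolicyId $policy.Id -State "enabled"
```

Creating the policy in report-only mode before enforcing it is the practical safeguard for the exact behaviour the post demonstrates: a policy that requires a registered, domain-joined device will deny every personal machine at once, so confirming the exemption list (and that the admin account used to create the policy is in it) from the sign-in logs first avoids locking administrators out of the tenant.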

For more information on Azure AD Conditional access, please read the official Microsoft blog article AzureAD Conditional Access Policies for iOS, Android and Windows are in Preview!

Matt Scherocman

How Does Archiving in Office 365 Work?

Immutability is the industry-standard term for "preserving data in the system so that it is discoverable, and cannot be destroyed or altered."

With Exchange Server 2016 and Exchange Online, Microsoft enables organizations to preserve individual or all mailbox items for discovery natively, keeping those items within the Exchange infrastructure. This approach is called In-Place Hold.

One significant benefit of hold, as opposed to separate read-only storage, is that items are preserved within the Exchange infrastructure, keeping more of the information (including metadata) and making management easier for IT admins. Users benefit because they can manage their mailboxes using the familiar Outlook interfaces. From an IT perspective, In-Place Hold eliminates the necessity and complexity of maintaining a separate infrastructure, and potentially separate storage, for Exchange items.

Exchange gives organizations the flexibility to choose the architecture that can help meet their immutability requirements whether that is on-premises, online, or a hybrid of both, and supports the ability to store archived items in a separate physical location.

In Exchange Online, you can use In-Place Hold or Litigation Hold to accomplish the following goals:

  • Enable users to be placed on hold and preserve mailbox items immutably
  • Preserve mailbox items deleted by users or automatic deletion processes such as MRM
  • Protect mailbox items from tampering, changes by a user, or automatic processes by saving a copy of the original item
  • Preserve items indefinitely or for a specific duration
  • Keep holds transparent from the user by not having to suspend MRM
  • Use In-Place eDiscovery to search mailbox items, including items placed on hold

Additionally, you can use In-Place Hold to:

  • Search and hold items matching specified criteria
  • Place a user on multiple In-Place Holds for different cases or investigations

How does Litigation Hold work?

In the normal deleted item workflow, a mailbox item is moved to the Deletions subfolder in the Recoverable Items folder when a user permanently deletes it (Shift + Delete) or deletes it from the Deleted Items folder. A deletion policy (which is a retention tag configured with a Delete retention action) also moves items to the Deletions subfolder when the retention period expires. When a user purges an item in the Recoverable Items folder or when the deleted item retention period expires for an item, it's moved to the Purges subfolder in the Recoverable Items folder and marked for permanent deletion. It will be purged from Exchange the next time the mailbox is processed by the Managed Folder Assistant (MFA).

When a mailbox is placed on Litigation Hold, items in the Purges subfolder are preserved for the hold duration specified by the Litigation Hold. The hold duration is calculated from the original date an item was received or created, and defines how long items in the Purges subfolder are held. When the hold duration expires for an item in the Purges subfolder, the item is marked for permanent deletion and will be purged from Exchange the next time the mailbox is processed by the MFA. If an indefinite hold is placed on a mailbox, items will never be purged from the Purges subfolder.
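As an added example (not code from the original post), the Exchange Online PowerShell commands below place a mailbox on Litigation Hold with a fixed duration, confirm the hold, and show the Recoverable Items subfolders (Deletions and Purges) that the workflow above describes. It assumes the ExchangeOnlineManagement module; the mailbox and admin addresses are placeholders.

```powershell
# Added example (not from the original post): Litigation Hold via Exchange Online
# PowerShell (ExchangeOnlineManagement module assumed). Addresses are placeholders.

Connect-ExchangeOnline -UserPrincipalName admin@contoso.example   # placeholder admin UPN

$mailbox = "user@contoso.example"   # placeholder mailbox

# Hold items for 2555 days (7 years), measured from each item's received/created date,
# which is the hold-duration behaviour described above.
# Omit -LitigationHoldDuration (default Unlimited) for an indefinite hold: items in the
# Purges subfolder are then never purged by the Managed Folder Assistant.
Set-Mailbox -Identity $mailbox -LitigationHoldEnabled $true -LitigationHoldDuration 2555

# Confirm the hold; LitigationHoldDate/Owner record when it was applied and by whom,
# which is what an auditor or eDiscovery reviewer will ask for
Get-Mailbox -Identity $mailbox |
    Format-List LitigationHoldEnabled, LitigationHoldDate, LitigationHoldOwner, LitigationHoldDuration

# Inspect the Deletions and Purges subfolders the hold now preserves. Recoverable Items
# has its own quota, so held mailboxes should be monitored for growth.
Get-MailboxFolderStatistics -Identity $mailbox -FolderScope RecoverableItems |
    Select-Object Name, ItemsInFolder, FolderSize

# Run the Managed Folder Assistant now instead of waiting for its next scheduled pass,
# so the new hold state is applied to existing items immediately
Start-ManagedFolderAssistant -Identity $mailbox

Disconnect-ExchangeOnline -Confirm:$false
```

A point worth checking after enabling the hold: because a held mailbox keeps copies of everything a user deletes or edits, the Recoverable Items folder can grow well beyond what the user sees in Outlook, and the folder statistics query above is the quickest way to see that growth before the quota is hit.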

The following illustration shows the subfolders in the Recoverable Items folders and the hold workflow process.

[Illustration: Archiving in Office 365 - Recoverable Items subfolders and the hold workflow]

See this technet article for additional information, or you can view the general sales site from Microsoft here.

Contact Interlink today for help in defining your needs, which licensing options would be the best fit, and actually getting the service configured correctly to ensure the right data is being kept and deleted.
Jason Wingert

Your Biggest Business Threat is The One You Can’t See: How to Battle it With Microsoft Security Solutions


Cyber-attacks are sophisticated security intrusions that cost organizations $4 billion per year. Because of the growing risk of cyber threats, Microsoft has outlined, in an interactive infographic, the anatomy of how a cyber breach occurs and the different response options available to regain control of a compromised system.

Using research from leading IT security experts, the anatomy of a data breach demonstrates that all it takes is a small lapse in cyber security to open up your network to a series of devastating attacks.

Modern IT infrastructure requires a robust suite of security solutions that can detect threats and provide managers with appropriate response options. Understanding the anatomy of a breach can help you understand which Microsoft security products can keep your data safe.

Interlink has seen the challenges with cloud security and the solutions, and we can help keep your identities and data safe.

Connect with Interlink Cloud Advisors today.
Matt Scherocman

Secure Productive Enterprise – The Ultimate License Bundle– The New Enterprise Cloud Suite


What is Secure Productive Enterprise? 

Companies want to continue to use the most advanced technology to enable their employees to achieve more, but all of these new and different products have resulted in a licensing headache. We hear constantly that attempting to navigate Microsoft licensing can be challenging and frustrating. Microsoft created the Enterprise Cloud Suite (ECS) a few years ago in an attempt to simplify this process. It was a single licensing option that included E3, the Enterprise Mobility + Security Suite and the Windows Desktop upgrade. Building upon this initial base, Microsoft is now continuing to simplify this process with the introduction of the Secure Productive Enterprise. This brings together Office 365, the Windows 10 Enterprise upgrade, and the Enterprise Mobility + Security suite into a single licensing offering called the Secure Productive Enterprise. It replaces the Enterprise Cloud Suite, and Microsoft is introducing even more options by also offering an Office 365 E5 option in the bundle.

Moving forward Microsoft will be standardizing packaging offers across Office 365, Windows 10 Enterprise, and the Enterprise Mobility + Security Suite by offering two tiers of the Secure Productive Enterprise: E3 and E5. This is what it will look like:

[Image: Secure Productive Enterprise E3 and E5 tiers]

Microsoft will continue to evolve the Windows E5 edition by adding more functionality. The first difference is the introduction of Windows Defender Advanced Threat Protection for endpoint breach detection.

For more information, check out Microsoft's blog post Empower Your Employees with the Secure Productive Enterprise.


Interlink can help guide you through your options and help figure out what works for your users. We can help profile your users - remember that you don't have to license everyone with the same license bundle in the cloud.

Contact us for more information.
Matt Scherocman

Six Reasons Microsoft Azure SQL Database Provides the Best Data Security Around


Companies leveraging the cloud for business have a multitude of options. They also have a lot of security concerns when transitioning their data to the cloud. Microsoft has built on the SQL Server foundation, bringing a new level of security to help ease the mind of these cloud-driven companies with six enhancements. All of which are crucial reasons to consider Microsoft Azure SQL Database as your company’s cloud platform of choice:

  1. Always Encrypted: Exactly how it sounds, Always Encrypted means your data remains encrypted…all the time to help you protect sensitive data. Data is encrypted in transit, in memory, on a disk, and during query processing.

  2. Transparent Data Encryption: For those of us constantly keeping up on compliance regulations and requirements, this encrypts databases with associated backups as well as transaction log files without needing changes to your applications. The audit trail is clear in order to stay in compliance while keeping data safe from any breach.

  3. Row-Level Security: This feature can limit access to individual rows of data based on a user's identity, role, or query execution context to ensure only the right people can view that data. This also simplifies the application code so that data isn't accidentally shared in any situation.



  4. Azure Active Directory (AD) Authentication: Different from SQL Authentication, Azure AD Authentication simplifies password management by allowing you to access a number of Azure services using the same identity. This does not compromise the level of security. It reduces the amount of time IT spends on retrieving lost passwords and login details while maintaining access control every step of the way.

  5. Dynamic Data Masking: Another, more sophisticated, form of encryption allows users to define masking patterns on actual database columns. For example, users can set a masking rule that masks all but the last four digits of any social security number in the result set of any query to ensure that sensitive data is truly safe.

  6. SQL Database Threat Detection: This feature automatically alerts designated users of any suspicious database activities and complements Azure SQL Database Auditing, which records database events and writes audited events to an audit log in the Azure Storage account.

Both features are great examples of how users can monitor and quickly respond to risk. Advanced Threat Analytics is yet another approach to helping users stay ahead of sophisticated malware attacks.
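Two of the six features, Row-Level Security and Dynamic Data Masking, are configured with T-SQL on the database itself. The script below is an added example, not code from the original post or from Microsoft: it sends the T-SQL through `Invoke-Sqlcmd` from the SqlServer PowerShell module, builds a small constructed Sales and Customers schema, filters rows by the connected user, and masks all but the last four digits of an SSN column as the post describes. The server, database and credentials are placeholders.

```powershell
# Added example (not from the original post): Row-Level Security and Dynamic Data
# Masking on Azure SQL Database via T-SQL sent with Invoke-Sqlcmd (SqlServer module
# assumed). Server/database names are placeholders; the tables are constructed here.

$cred = Get-Credential -Message "Azure SQL admin login"   # placeholder admin login
$conn = @{
    ServerInstance = "yourserver.database.windows.net"   # placeholder
    Database       = "SalesDb"                            # placeholder
    Credential     = $cred
}

# Each string is one T-SQL batch (CREATE FUNCTION/SECURITY POLICY must start a batch)
$batches = @(
@"
-- Constructed sample schema
CREATE TABLE dbo.Sales     (Id INT PRIMARY KEY, Owner SYSNAME NOT NULL, Amount MONEY NOT NULL);
CREATE TABLE dbo.Customers (Id INT PRIMARY KEY, Name NVARCHAR(100) NOT NULL, SSN CHAR(11) NOT NULL);
INSERT dbo.Sales VALUES (1, 'rep1', 100), (2, 'rep2', 250);
INSERT dbo.Customers VALUES (1, 'Sample Customer', '123-45-6789');
-- Two least-privilege database users for the demonstration (no server logins needed)
CREATE USER rep1 WITHOUT LOGIN;
CREATE USER support WITHOUT LOGIN;
GRANT SELECT ON dbo.Sales TO rep1;
GRANT SELECT ON dbo.Customers TO support;
CREATE SCHEMA Security;
"@,
@"
-- Row-Level Security predicate: a row is visible when its Owner is the calling user,
-- or the caller is a database owner. SCHEMABINDING is required for security policies.
CREATE FUNCTION Security.fn_rep_predicate(@Owner AS SYSNAME)
    RETURNS TABLE
    WITH SCHEMABINDING
AS
    RETURN SELECT 1 AS fn_result
           WHERE @Owner = USER_NAME() OR IS_MEMBER('db_owner') = 1;
"@,
@"
-- FILTER hides other reps' rows from SELECT/UPDATE/DELETE; BLOCK stops a rep
-- inserting rows owned by someone else, so the app code needs no WHERE clause.
CREATE SECURITY POLICY Security.SalesFilter
    ADD FILTER PREDICATE Security.fn_rep_predicate(Owner) ON dbo.Sales,
    ADD BLOCK  PREDICATE Security.fn_rep_predicate(Owner) ON dbo.Sales AFTER INSERT
    WITH (STATE = ON);
"@,
@"
-- Dynamic Data Masking: non-privileged readers see XXX-XX-6789. This is a
-- presentation-layer mask, not encryption: the stored value is unchanged and
-- anyone granted UNMASK sees it in full, so limit UNMASK to a compliance role.
ALTER TABLE dbo.Customers
    ALTER COLUMN SSN ADD MASKED WITH (FUNCTION = 'partial(0,"XXX-XX-",4)');
"@
)

foreach ($sql in $batches) { Invoke-Sqlcmd @conn -Query $sql }

# Verify by impersonating the low-privilege users: rep1 sees only Id 1,
# support sees the masked SSN
Invoke-Sqlcmd @conn -Query "EXECUTE AS USER = 'rep1'; SELECT Id, Owner, Amount FROM dbo.Sales; REVERT;"
Invoke-Sqlcmd @conn -Query "EXECUTE AS USER = 'support'; SELECT Name, SSN FROM dbo.Customers; REVERT;"
```

The verification queries are the useful part for a security review: running them as the restricted users (rather than as the admin who just created the policy, who bypasses the filter as a `db_owner`) confirms that the filter and the mask actually apply to the identities the application will use.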

Another (bonus) reason to consider Azure SQL Database that’s best shared through this diagram, courtesy of Microsoft Azure, is that SQL Server’s track record speaks for itself. When you’re in the cloud, you can’t be vulnerable and SQL Server lives up to that motto…six years running!

[Diagram: Microsoft Azure SQL Database security track record, courtesy of Microsoft Azure]

Data security in the cloud isn’t a set it and forget it process. It is a constant work in progress because the security risks keep changing and technology keeps advancing. Choosing Microsoft as your partner in mitigating those risks is a smart and educated decision in keeping your data safe.

Learn more about these security enhancements by downloading the Security and Azure SQL Database whitepaper and contact us at Interlink for more information.
