Recently, Aneesh Varghese, Tomasz Zukowski and I attended the Microsoft Ignite event in Auckland, New Zealand.
In general this was a great conference. It gave us a vehicle not only for seeing what Microsoft is currently working on, but also for seeing it through our customers' eyes, as many of them were in attendance. It was great to talk with them, hear their views on some of the technologies discussed and have the opportunity to provide some further input.
The key areas I was personally interested in were identity (of course), but also the ever-changing threat landscape and BYOD.
Identity is the key to the cloud
While some sessions were billed as identity-focused, the thing that struck me was that the sessions I attended that weren't identity-focused invariably started with a statement along the lines of "it is vitally important to have your identity under control before you provision this service." I think this is very important advice for customers looking to move to cloud services. It is "garbage in, garbage out": if you do not have a clear view of who your users are, and clearly defined processes for onboarding, offboarding and the rest of the user lifecycle, you are exposing your organisation to increased risk.
For instance, if you don't have good controls and processes around your on-premises Active Directory and you then implement Azure Active Directory Connect to sync identities to the cloud, you have in effect just replicated the problems of your on-premises directory into the cloud: every account that your offboarding process missed, or that nobody owns any more, is now a valid login for Azure AD and whatever services hang off it. The implication is that cloud services are not protected by your building security or border firewalls; an attacker or ex-user does not need to get onto your network to try those accounts, so your attack surface is much greater.
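As an added illustration (this is my example, not something shown at Ignite or part of the original post), the following PowerShell audits the part of an on-premises Active Directory that you intend to synchronise, before Azure AD Connect is pointed at it. It lists enabled accounts that would be replicated to the cloud carrying exactly the problems described above: never or long-since used, password never expires or not required, no routable UPN, no recorded owner. The OU, the 90-day threshold and the output path are assumptions to replace with your own; the RSAT ActiveDirectory module is assumed to be installed.

```powershell
# Added example: pre-sync hygiene check of the OU that Azure AD Connect will synchronise.
# Assumes the RSAT ActiveDirectory module; OU, threshold and output path are placeholders.
Import-Module ActiveDirectory

$SyncScope    = 'OU=Corp,DC=example,DC=local'   # assumed: the OU you intend to sync
$InactiveDays = 90                              # assumed: how long unused counts as "stale"
$Cutoff       = (Get-Date).AddDays(-$InactiveDays)

# Only enabled accounts matter here: disabled ones cannot be used as a cloud login.
$users = Get-ADUser -SearchBase $SyncScope -Filter 'Enabled -eq $true' `
    -Properties LastLogonDate, PasswordLastSet, PasswordNeverExpires, `
                PasswordNotRequired, UserPrincipalName, Manager, whenCreated

$findings = foreach ($u in $users) {
    $reasons = @()

    # Never logged on and not newly created: an orphaned or pre-provisioned account.
    if (-not $u.LastLogonDate -and $u.whenCreated -lt $Cutoff) {
        $reasons += 'never-logged-on'
    }
    # Enabled but unused past the threshold: typically a leaver that offboarding missed.
    elseif ($u.LastLogonDate -and $u.LastLogonDate -lt $Cutoff) {
        $reasons += "inactive-$($InactiveDays)d"
    }

    # Flags that defeat password policy once the account is reachable from the internet.
    if ($u.PasswordNeverExpires) { $reasons += 'password-never-expires' }
    if ($u.PasswordNotRequired)  { $reasons += 'password-not-required' }
    if (-not $u.PasswordLastSet) { $reasons += 'password-never-set' }   # pwdLastSet = 0

    # Azure AD needs a routable UPN suffix; '.local' or an empty UPN means the account
    # will either fail to sync or land on the onmicrosoft.com fallback domain.
    if (-not $u.UserPrincipalName -or $u.UserPrincipalName -like '*.local') {
        $reasons += 'upn-not-routable'
    }

    # No manager recorded: nobody to ask whether the account is still needed.
    if (-not $u.Manager) { $reasons += 'no-manager' }

    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            UPN            = $u.UserPrincipalName
            LastLogon      = $u.LastLogonDate
            Reasons        = ($reasons -join ',')
        }
    }
}

$findings | Sort-Object Reasons | Format-Table -AutoSize
$findings | Export-Csv -NoTypeInformation -Path '.\presync-findings.csv'   # assumed path
```

The report is only the symptom list; the fix is the lifecycle process the paragraph above asks for, so every row should end in either a disable, a reassignment of ownership, or a documented exception, and the script should come back clean before the first sync cycle runs.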
BYOD, control the apps, not the device
One of the stumbling blocks for users when it comes to BYOD is that they don't like the idea of corporate ICT having complete control over their personal device. Microsoft Intune Mobile Application Management (MAM) policies let organisations control the apps that users use to access corporate data, without the user having to enrol the device itself.
This works much like Exchange ActiveSync policies do at present: when a user first accesses the corporate email system, policies such as requiring a device passcode are enforced on the device.
Intune MAM takes this a step further by letting admins set additional rules at the application level, such as restricting copy and paste between applications, so users can access corporate information while the organisation still has protection against data leakage.
I think this functionality has a lot of potential, and the fact that it can coexist with existing MDM solutions while giving deeper control within applications adds to its appeal. What I would like to see in future releases is support for more non-Microsoft apps, which I believe is coming.
There is a good write-up on MAM at https://blogs.technet.microsoft.com/cbernier/2016/01/05/microsoft-intune-mobile-application-management-mam-standalone/
Hackers use the simplest means of attack
I attended a great session from Jessica Payne, who describes herself as "a security person at Microsoft", on the real techniques that hackers are using to access your networks.
The key takeaway for me was that they are the same techniques attackers have always used, and that these techniques are available on the internet for anybody to find and use. The "advanced persistent attacker" is often just a kid in a hoody in his parent's bedroom.
What also stuck with me is that phishing and spear phishing are still the easiest way in, as staff are often not trained in what these attacks look like. An interesting example was a worker who had posted his whereabouts the previous evening on social media; an attacker used this to craft an email purporting to be from a drinking establishment the worker had visited. The email asked the worker to click a link to verify some credit card charges, as their EFTPOS machine had been having some issues. The link installed a keylogger, which let the attacker gather login credentials.
One of the keys to stopping these attacks from spreading once an attacker has a foothold is monitoring and alerting, but for this to be effective you have to know what to monitor, and you need someone watching the alerts who knows what constitutes something worth further investigation.
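To make "know what to monitor" concrete for the phishing story above, here is one check I would run on a domain controller; it is my added example, not something presented in the session or in the original post. Every Kerberos TGT request is logged as Security event 4768 with the requesting account and client address, so an account whose stolen password is now being used from the attacker's machine shows up as the same user authenticating from more client addresses than it normally does. The one-hour window, the fixed threshold of three sources and the exclusion list are assumptions; in practice the threshold should come from each account's own history.

```powershell
# Added example: accounts requesting Kerberos TGTs (event 4768) from an unusual number of
# client addresses. Run on a domain controller with read access to the Security log.
# Look-back window, threshold and exclusions below are assumed placeholders.
$Window         = (Get-Date).AddHours(-1)   # assumed look-back
$MaxSources     = 3                          # assumed: more distinct client IPs than this is unusual
$IgnoreAccounts = @('krbtgt')                # assumed: add known multi-host service accounts here

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4768
    StartTime = $Window
} -ErrorAction SilentlyContinue

$requests = foreach ($e in $events) {
    # The fields we need live in EventData; read them out of the event XML by name.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # Status 0x0 is a successfully issued TGT; failures are a separate (brute-force) signal.
    if ($data['Status'] -ne '0x0') { continue }

    $account = $data['TargetUserName']
    # Computer accounts end in '$' and legitimately roam; skip them and the exclusion list.
    if ($account -like '*$' -or $IgnoreAccounts -contains $account) { continue }

    [pscustomobject]@{
        Account = $account
        Source  = ($data['IpAddress'] -replace '^::ffff:', '')   # strip IPv4-mapped prefix
        Time    = $e.TimeCreated
    }
}

$alerts = $requests |
    Group-Object Account |
    ForEach-Object {
        $sources = $_.Group.Source | Sort-Object -Unique
        if ($sources.Count -gt $MaxSources) {
            [pscustomobject]@{
                Account   = $_.Name
                Sources   = $sources.Count
                FirstSeen = ($_.Group.Time | Measure-Object -Minimum).Minimum
                Addresses = ($sources -join ' ')
            }
        }
    }

$alerts | Sort-Object Sources -Descending | Format-Table -AutoSize
```

The output is deliberately a short list of accounts rather than a stream of events, which is the other half of the point above: an alert is only useful if the person reading it can decide quickly whether a helpdesk engineer legitimately logged on to four machines this hour or a harvested password is being tried across the estate.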
All in all, it was a very good conference, and I look forward to hopefully presenting next year on some of the work we are doing here in New Zealand, once it is out of private preview of course.