Zero Trust – At Scale
Zero Trust can be implemented with E3, but it can only be scaled effectively, with a high degree of automation, using E5. Mobile Mentor outlines the main security enhancements to a Zero Trust architecture, at scale, using Microsoft 365 E5 licences.
Zero Trust is the modern methodology we need for the post-pandemic hybrid workforce. It offers enhanced security across all devices and applications, including BYOD (Bring Your Own Device) and delivers a frictionless employee experience regardless of location. Revisit our first article in the Zero Trust series to get a refresher on the three principles.
Zero Trust Architecture with Microsoft 365 E5
The Microsoft 365 E5 licence includes tools that help you scale your Zero Trust architecture with ease. We’ll outline the five main security enhancements, and show you how to minimise your cost impact.
Defender for Endpoint
Defender for Endpoint P1 is included in the E3 licence and provides a suite of tools to protect your devices, including anti-malware, endpoint firewall, web filtering, controlled folder access and device control. However, employees are fallible human beings, so it is inevitable that some devices will get compromised.
When that happens, the ability to detect, analyse, investigate and remediate the threat is critical. Defender for Endpoint P2 is included in the E5 licence and provides these additional capabilities:
- Endpoint detection and response
- Automated investigation and remediation
- Threat and vulnerability management
- Threat intelligence (Threat Analytics)
- Sandbox (deep analysis).
Identity and Access Management
Azure AD Premium P1 is included in the E3 licence and includes Conditional Access, multiple methods for MFA, the Authenticator app, Trusted IPs and Fraud Alert. Azure AD Premium P2 is included in the E5 licence and provides the following additional capabilities:
- Risk-based Conditional Access
- Access Reviews
- Identity Protection (risky sign-ins, risky users)
- Entitlements Management
- Privileged Identity Management (just-in-time access).
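The risk-based Conditional Access capability above is the one most organisations reach for first once P2 is in place. The following is an added example, not code from the Mobile Mentor article, showing what such a policy looks like when created with the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module is installed, that the signed-in account has the Policy.ReadWrite.ConditionalAccess permission, and that you substitute your own break-glass group ID for the placeholder; the policy names are made up for illustration.

```powershell
# Added example (not from the original article): two risk-based Conditional Access
# policies created through Microsoft Graph. The signInRiskLevels and userRiskLevels
# conditions require Azure AD Premium P2, which is why they are an E5 capability.
# Assumes: Microsoft.Graph module installed; account granted Policy.ReadWrite.ConditionalAccess.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# Object ID of your emergency-access (break-glass) group. Placeholder value; replace it.
$breakGlassGroupId = "<break-glass-group-object-id>"

# Policy 1: medium or high sign-in risk must satisfy MFA.
# Created in report-only mode so the impact can be reviewed in sign-in logs before enforcement.
$signInRiskPolicy = @{
    displayName = "CA-Risk-01 Require MFA for medium or high sign-in risk"   # illustrative name
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users            = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)
        }
        applications     = @{ includeApplications = @("All") }
        signInRiskLevels = @("medium", "high")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

# Policy 2: a high user-risk score (compromised credentials) forces a secure password change.
# Password change must be combined with MFA, hence the AND operator.
$userRiskPolicy = @{
    displayName = "CA-Risk-02 Require password change for high user risk"   # illustrative name
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)
        }
        applications   = @{ includeApplications = @("All") }
        userRiskLevels = @("high")
    }
    grantControls = @{
        operator        = "AND"
        builtInControls = @("mfa", "passwordChange")
    }
}

foreach ($policy in @($signInRiskPolicy, $userRiskPolicy)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    Write-Output ("Created policy '{0}' with id {1} in state {2}" -f $created.DisplayName, $created.Id, $created.State)
}
```

Both policies start in report-only mode; switch `state` to `enabled` only after the sign-in logs confirm the break-glass exclusion works and the number of affected users matches expectations. Excluding an emergency-access group is what keeps a mis-scoped risk policy from locking administrators out of the tenant.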
Defender for Cloud Apps
Defender for Cloud Apps (formerly Microsoft Cloud App Security) is only available in E5.
Most companies use far more cloud apps than they realise. Many of these apps are unapproved and not compliant with security policies. Since employees are working remotely and accessing cloud apps from BYO devices, the risk of shadow IT is very real. Defender for Cloud Apps gives you the ability to:
- Assess your app risk profile with a framework of 80 risk factors
- Expose any compliance violations (HIPAA, GDPR, etc.)
- Approve or deny the addition of new apps in your environment
- Apply Conditional Access App Control (reverse proxy)
- Protect sensitive data stored in cloud apps.
E3 enables you to classify data and manually apply labels to sensitive data. You can then assign policies to those labels to trigger protective actions, such as encryption or limiting access to third-party apps.
E5 enables you to fully automate this process through integration with Office 365 documents and data, so you can protect sensitive information regardless of where it is stored or who it is shared with (persistence). You can also monitor, track and report on access to sensitive data, and revoke access if needed.
E5 also allows you to share data externally with partners and clients by defining permissions to view, edit, print or forward. You can also manage your own encryption keys with Bring Your Own Key (BYOK) and Hold Your Own Key (HYOK).
For data outside Microsoft 365, use Azure Purview to automatically discover and map Azure data sources, on-premises, and SaaS data sources.
E3 enables you to manually apply retention labels and company-wide retention policies, and to place content on litigation hold, which supports a basic audit. E5, on the other hand, lets you automatically apply retention policies and adds the following capabilities for advanced audits:
- Rules-based automatic retention policies and records management with machine learning for retention.
- Insider risk management, customer lockbox, privileged access
- Advanced eDiscovery and advanced audit
- Address regulations and assess compliance with a risk-based score.
- Third-party connections for external.
Minimising the cost
Sure, E5 comes with a higher price tag, but the uplift from E3 is a small price to pay when you consider the potential $9 million expense of an average cybersecurity breach. To minimise the cost impact, Mobile Mentor suggests:
- Start with a small number of E5 licences for the IT team to get visibility of shadow IT and associated threats.
- Consider E5 licences for the highest risk users (think your C-Suite) who receive the highest volume of phishing emails.
- Evaluate licence needs for frontline workers to see if any users can be downgraded from E3 to F3.
In part 4 of our Zero Trust series, we’ll summarise Mobile Mentor’s “The Six Pillars of Modern Endpoint Management” and link you to the complete whitepaper.
Read the rest of the Zero Trust series to round out your knowledge:
Part 1: Underlying principles of Zero Trust
Part 2: Getting started with Zero Trust
Part 4: 6 transformations to disrupt your legacy IT operations
Mobile Mentor is Microsoft’s 2021 Partner of the Year for endpoint ecosystems. Certified by Microsoft, Apple and Google, they work tirelessly with clients to balance endpoint security with an empowering employee experience.
Work is an activity, not a place. We’re a Microsoft Gold partner specialising in modern work technology that enables remote teams to be secure and productive.