The traditional Network Manager
The traditional network manager has an on-premises network that they manage themselves. They control, usually through something like RM CC4 and Microsoft Active Directory, which users and devices are allowed on this network.
All the devices (computers) are on-premises and are only taken away for short periods (e.g. laptops taken home). The majority of you have worked in this manner for years, and you are comfortable with the control and security this gives you. BYOD (bring your own device) can be controlled as part of this too.
More importantly, your data is on-premises and you control and manage the backups of this data.
A change in thinking....
As you start to move towards the Cloud and consume services such as Office 365 (O365) and G Suite (and then RM Unify), the device is no longer under your control.
Any device (computer, laptop, phone, tablet, games console etc.) can be used to access these Cloud-based resources - apps are readily available - and at this point you need to change how you secure your data.
Identity is key here: since we no longer control which devices are being used to access the data, we have to control who from the school is accessing the data, and what extra checks they must pass before they gain access. A password on its own is often not sufficient.
Scenario – a hybrid-Cloud approach
Here is a common scenario that we are seeing more of: schools moving to a hybrid-Cloud approach, with a network still on-prem (e.g. CC4 with Windows 10 clients) but more and more school data residing in the Cloud.
User data that used to be in their "N:" drive (for those familiar with CC4 - the Active Directory maps the N: drive to the user's home folder) is now being stored in OneDrive. Thus, the user can access this data easily at home or at school.
The school is also moving some of their shared data to the Cloud and managing it in SharePoint. Finally, they are using Intune for Education to separately manage Windows 10 devices via the Cloud - managing policies on these, deploying simple applications and Windows Store apps etc. These devices will then pick up any policy or application change whenever they are connected to the Internet.
With the data now in the Cloud the school needs to protect that data - again this is where Identity provides the security layer.
You no longer control which device is capable of accessing the data – but what you can control is the user accessing the data and what happens when they try to access this data.
For example:
- if accessing email (perhaps staff only), mandate MFA (multi-factor authentication)
- if accessing school financial data, require that the user connects from an IP address within the school's on-premises range
- if accessing via an unmanaged device (e.g. their own phone), require an approved app with an Intune app protection policy, which enforces a PIN as additional security
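As an added example (not RM's own code or configuration), here are the three rules above written as Azure AD Conditional Access policies using the Microsoft Graph PowerShell SDK. The group names, the finance system's application ID, the school's public IP range and the break-glass account are placeholders, not values from this page. The PIN in the third rule is not set here: it comes from the Intune app protection policy that the policy requires, which is configured separately in Intune.

```powershell
# Added example, not RM's code. Requires the Microsoft.Graph modules
# (Install-Module Microsoft.Graph) and an Azure AD Premium P1 licence for Conditional Access.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "Group.Read.All", "User.Read.All"

# --- Placeholders (assumptions for this example; replace with your tenant's values) ---
$SchoolPublicRange = "203.0.113.0/24"                      # RFC 5737 documentation range; must be a PUBLIC range
$FinanceAppId      = "<application id of the finance system registered in Azure AD>"
$BreakGlassUpn     = "breakglass@school.example"           # emergency admin account, excluded from every policy
$StaffGroupName    = "All Staff"
$FinanceGroupName  = "Finance Team"

# Well-known first-party application ID for Exchange Online (email).
$ExchangeOnlineAppId = "00000002-0000-0ff1-ce00-000000000000"

$Staff      = Get-MgGroup -Filter "displayName eq '$StaffGroupName'"
$Finance    = Get-MgGroup -Filter "displayName eq '$FinanceGroupName'"
$BreakGlass = Get-MgUser  -Filter "userPrincipalName eq '$BreakGlassUpn'"

# Start every policy in report-only mode so the sign-in log shows who WOULD have been
# blocked or prompted; switch to "enabled" only after reviewing that impact.
$State = "enabledForReportingButNotEnforced"

# 1. Staff accessing email must pass MFA.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = "CA01 - Staff: MFA for Exchange Online"
    state       = $State
    conditions  = @{
        users          = @{ includeGroups = @($Staff.Id); excludeUsers = @($BreakGlass.Id) }
        applications   = @{ includeApplications = @($ExchangeOnlineAppId) }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# 2. Financial data only from the school's own public IP range.
#    A trusted named location describes the campus; the policy then blocks the
#    finance app from "All" locations EXCEPT that one.
$Campus = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "School campus"
    isTrusted     = $true
    ipRanges      = @(
        @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = $SchoolPublicRange }
    )
}
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = "CA02 - Finance: block access from outside the campus range"
    state       = $State
    conditions  = @{
        users          = @{ includeGroups = @($Finance.Id); excludeUsers = @($BreakGlass.Id) }
        applications   = @{ includeApplications = @($FinanceAppId) }
        clientAppTypes = @("all")
        locations      = @{ includeLocations = @("All"); excludeLocations = @($Campus.Id) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# 3. Phones and tablets: either an Intune-compliant (managed) device, OR an app that
#    carries an Intune App Protection policy. The App Protection policy is what
#    enforces the PIN on an unmanaged personal device; "Office365" covers all O365 apps.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = "CA03 - Mobile: compliant device or app-protected client"
    state       = $State
    conditions  = @{
        users          = @{ includeGroups = @($Staff.Id); excludeUsers = @($BreakGlass.Id) }
        applications   = @{ includeApplications = @("Office365") }
        platforms      = @{ includePlatforms = @("iOS", "android") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("compliantDevice", "compliantApplication") }
}
```

Three practitioner checks before flipping any of these from report-only to enabled: confirm the break-glass account really is excluded (a mis-scoped "block" policy with no exclusion can lock every administrator out); confirm that the named location holds the school's public egress address rather than an internal RFC 1918 range, which Azure AD will not accept; and note that the third policy only covers iOS and Android, so an unmanaged Windows laptop at home is not caught by it and would need a separate device-based condition.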
What can RM offer here?
RM has a number of configuration and installation services to help you realise your Cloud vision and security. For example:
- configuration of Intune for Education (including Application & Information Protection policies for both managed & unmanaged devices)
- configuration of O365 security services for your tenancy
- Azure AD Conditional Access & Identity Protection configuration
So, you can see that we have to leverage multiple technologies here to provide a baseline set of security restrictions for data that is managed in the Cloud. Your security needs will also then drive the licensing that you need from Microsoft for this:
- Conditional Access needs Azure AD Premium P1, which is included in Microsoft 365 A3 and above; Identity Protection's risk-based policies need Azure AD Premium P2, which is included in A5
- Customers taking the free A1 option will have fewer options in terms of security configuration, as Conditional Access is not included
RM can help with your needs here: hardened protection for A1 customers (e.g. App & Information Protection via Intune, Exchange Online Protection), and then the advanced protection described above for A3 and above (Conditional Access-driven MFA, Identity Protection etc.).
The Cloud
Finally, it’s worth noting that “the Cloud” means different things to different people. Above I’ve highlighted a particular scenario that we are starting to see emerge from our customers. RM can help you in many ways on your journey to the Cloud.
Further Reading
- https://docs.microsoft.com/en-us/intune/app-protection-policy
- https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview
- https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview
- https://docs.microsoft.com/en-us/microsoft-365/enterprise/sharepoint-file-access-policies
A PDF file showing the key concepts from an O365 / data perspective: