Identity and Security

GreatIdeaz has based much of its TRELLIS implementation on the Microsoft stack, and uses a number of Microsoft services both on-premises and in the Azure cloud. The following section outlines the main services that we use, summarises the associated Microsoft documentation, and adds some of our own recommended best practices.

Azure Active Directory (AAD) and Microsoft Active Directory (AD)

Together these provide authentication and authorization for the TRELLIS framework. AAD (Microsoft's cloud-hosted identity service) comes in two variants: B2B (an organisation's own tenant, which can also invite guest users from partner organisations) and B2C (a separate tenant type for customer-facing applications). TRELLIS uses the B2B tenant.

A B2B directory (tenant) is created automatically when an Office 365 subscription is set up, and can be integrated with an on-premises AD DS forest using Azure AD Connect (password hash synchronisation or pass-through authentication) or federation through AD FS. Where workloads need a traditional domain (Kerberos/NTLM, LDAP, Group Policy, domain-joined servers), Azure AD Domain Services deploys a managed domain into your Azure virtual network. This is a separate, chargeable service rather than a tier of the B2B directory, and it is what makes joining virtual servers to a domain possible without running your own domain controllers in Azure.

Multi-factor authentication should be enabled for all administrative and senior management users. Whatever mechanism enforces it, exclude at least one emergency-access (break-glass) account whose credentials are stored offline and whose sign-ins are monitored, so that a misconfigured policy or an MFA outage cannot lock every administrator out.

Azure Identity Management

Azure identity management starts with Microsoft Active Directory (AD) on-premises and Azure Active Directory (AAD) in the cloud. An AAD tenant is created as part of creating an Office 365 account. AD and AAD are synchronised using Azure AD Connect, which gives integrated single sign-on across on-premises systems, Office 365 and a growing list of third-party SaaS applications.

Multi-factor authentication can be enabled for specific users and groups in AAD B2B as required, either per user or, preferably, through a conditional access policy, so that the requirement is tied to a role, application or risk level rather than to individual accounts.

Azure Identity Protection

Azure AD Identity Protection is enabled from the Azure portal and requires Azure AD Premium P2 licences for the users it protects.

Discovering compromised identities is no easy task. Azure Active Directory uses adaptive machine learning algorithms and heuristics to detect anomalies and suspicious incidents that indicate potentially compromised identities. Using this data, Identity Protection generates reports and alerts that help you evaluate the detected issues and take appropriate mitigation or remediation actions.

Azure Active Directory Identity Protection is more than a monitoring and reporting tool. To protect your organization's identities, you can configure risk-based policies that automatically respond to detected issues when a specified risk level has been reached. These policies, in addition to other conditional access controls provided by Azure Active Directory and EMS, can automatically block or initiate adaptive remediation actions including password resets and multi-factor authentication enforcement.

Detecting vulnerabilities and risky accounts:

Azure Identity Protection provides custom recommendations to improve overall security posture by highlighting vulnerabilities, and calculating sign-in and user risk levels.

Investigating risk events:

The service sends notifications for risk events, along with relevant and contextual information to aid investigation. It also provides basic workflows to track investigations, and easy access to remediation actions such as password resets.

Risk-based conditional access policies:

Azure Identity Protection has policies to mitigate risky sign-ins by blocking the sign-in or requiring multi-factor authentication, to block or secure risky user accounts, and to require users to register for multi-factor authentication. Identity Protection builds on Azure AD's existing anomaly detection capabilities (available through Azure AD's Anomalous Activity Reports) and introduces new risk event types that can detect anomalies in real time.
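The three controls described above (MFA for privileged users, MFA on a risky sign-in, and a forced password change for a high-risk user) are all expressed as Conditional Access policies, which Microsoft Graph exposes as JSON documents. The Python below is an example added to this page, not GreatIdeaz or TRELLIS code: it builds the three policy bodies and POSTs them to Graph. It assumes you already hold a Graph access token with Policy.ReadWrite.ConditionalAccess; the break-glass object ID and policy display names are placeholders, and the directory role template IDs are Microsoft's tenant-independent values (confirm them against GET /directoryRoleTemplates in your own tenant). Every policy excludes the break-glass accounts and is created in report-only mode.

```python
"""Build and push Azure AD Conditional Access policies for the controls described above:
MFA for privileged roles, MFA on medium/high sign-in risk, and a forced secure password
change on high user risk. Example code added to this page; not GreatIdeaz/TRELLIS code."""
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
CA_POLICIES = f"{GRAPH}/identity/conditionalAccess/policies"

# Directory role template IDs are the same in every tenant; verify with GET /directoryRoleTemplates
PRIVILEGED_ROLES = {
    "Global Administrator": "62e90394-69f5-4237-9190-012177145e10",
    "Privileged Role Administrator": "e8611ab8-c189-46e8-94e1-60213ab1f814",
    "Security Administrator": "194ae4cb-b126-40b2-bd5b-6091b380977d",
}


def _base(display_name, break_glass_ids, state="enabledForReportingButNotEnforced"):
    """Common skeleton. Every policy excludes the emergency-access (break-glass) accounts
    so a bad policy cannot lock every administrator out; default is report-only mode."""
    if not break_glass_ids:
        raise ValueError("refusing to build a policy with no excluded break-glass account")
    return {
        "displayName": display_name,
        "state": state,
        "conditions": {
            "users": {"excludeUsers": list(break_glass_ids)},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
    }


def mfa_for_admin_roles(break_glass_ids, roles=PRIVILEGED_ROLES, **kw):
    """Require MFA whenever a member of a privileged directory role signs in."""
    p = _base("TRELLIS: require MFA for privileged roles", break_glass_ids, **kw)
    p["conditions"]["users"]["includeRoles"] = list(roles.values())
    p["grantControls"] = {"operator": "OR", "builtInControls": ["mfa"]}
    return p


def mfa_on_sign_in_risk(break_glass_ids, levels=("medium", "high"), **kw):
    """Identity Protection sign-in risk: challenge with MFA instead of allowing silently."""
    p = _base("TRELLIS: MFA on risky sign-in", break_glass_ids, **kw)
    p["conditions"]["users"]["includeUsers"] = ["All"]
    p["conditions"]["signInRiskLevels"] = list(levels)
    p["grantControls"] = {"operator": "OR", "builtInControls": ["mfa"]}
    return p


def password_change_on_user_risk(break_glass_ids, **kw):
    """Identity Protection user risk: force a secure password change (MFA then reset)."""
    p = _base("TRELLIS: secure password change on high user risk", break_glass_ids, **kw)
    p["conditions"]["users"]["includeUsers"] = ["All"]
    p["conditions"]["userRiskLevels"] = ["high"]
    # Graph requires passwordChange to be combined with mfa using the AND operator
    p["grantControls"] = {"operator": "AND", "builtInControls": ["mfa", "passwordChange"]}
    return p


def push_policy(access_token, policy):
    """POST one policy to Graph; the token needs Policy.ReadWrite.ConditionalAccess."""
    req = urllib.request.Request(
        CA_POLICIES,
        data=json.dumps(policy).encode(),
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # placeholder break-glass object ID, constructed for illustration only
    bg = ["00000000-0000-0000-0000-000000000001"]
    for pol in (mfa_for_admin_roles(bg), mfa_on_sign_in_risk(bg), password_change_on_user_risk(bg)):
        print(json.dumps(pol, indent=2))
```

Run the policies in report-only mode for a period, review the "report-only" result column in the Azure AD sign-in logs to see who would have been challenged or blocked, and only then rebuild them with state="enabled".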

Azure Information Protection

Azure Information Protection (sometimes referred to as AIP) is a cloud-based solution that helps an organization to classify, label, and protect its documents and emails. This can be done automatically by administrators who define rules and conditions, manually by users, or in combination where users are given recommendations.

You use Azure Information Protection labels to apply classifications to documents and emails. When you do this, the classification is identifiable at all times, regardless of where the data is stored or with whom it’s shared. The labels include visual markings such as a header, footer, or watermark. Metadata is added to files and email headers in clear text. The clear text ensures that other services, such as data loss prevention solutions, can identify the classification and take appropriate action.
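Because the label metadata is plain text, any service that can open the file or read the mail headers can act on it. The Python reader below is an example added to this page, not part of the page's own material or of the AIP client: it pulls the MSIP_Label_* custom properties out of an Office file's docProps/custom.xml part and out of the msip_labels mail header, following the MSIP_Label_<guid>_<field> naming the AIP client writes. The label GUID, label name and the sample document and message are constructed for the example.

```python
"""Read the clear-text Azure Information Protection label metadata that the AIP client
writes into Office files (docProps/custom.xml) and into the msip_labels mail header,
the way a DLP or mail-gateway rule would. Example added to this page, not GreatIdeaz code."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from email import message_from_string

CP = "{http://schemas.openxmlformats.org/officeDocument/2006/custom-properties}"
LABEL_RE = re.compile(r"^MSIP_Label_([0-9a-fA-F-]{36})_(\w+)$")


def labels_from_office_file(data):
    """Return {label_guid: {field: value}} from an OOXML (docx/xlsx/pptx) file's custom properties."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if "docProps/custom.xml" not in zf.namelist():
            return found  # never labelled (or not an OOXML package with properties)
        root = ET.fromstring(zf.read("docProps/custom.xml"))
    for prop in root.iter(f"{CP}property"):
        m = LABEL_RE.match(prop.get("name", ""))
        if not m:
            continue
        guid, field = m.group(1).lower(), m.group(2)
        # the value sits in a single vt:* child element (lpwstr for AIP's properties)
        value = "".join(child.text or "" for child in prop)
        found.setdefault(guid, {})[field] = value
    return found


def labels_from_mail_header(raw_message):
    """Same shape, from the msip_labels header the AIP Outlook add-in stamps on mail."""
    hdr = message_from_string(raw_message).get("msip_labels", "")
    found = {}
    for item in hdr.split(";"):
        name, _, value = item.strip().partition("=")
        m = LABEL_RE.match(name)
        if m:
            found.setdefault(m.group(1).lower(), {})[m.group(2)] = value
    return found


def enabled_label_names(labels):
    """Names of labels whose Enabled flag is true: what a DLP rule would match on."""
    return sorted(v.get("Name", "") for v in labels.values()
                  if v.get("Enabled", "").lower() == "true")


# ---- constructed sample inputs: the GUID, label name and addresses are made up ----
SAMPLE_GUID = "d1b3e2a4-5c6f-4a7b-8c9d-0e1f2a3b4c5d"
CUSTOM_XML = f"""<?xml version="1.0" encoding="UTF-8"?>
<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/custom-properties"
 xmlns:vt="http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes">
 <property fmtid="{{D5CDD505-2E9C-101B-9397-08002B2CF9AE}}" pid="2" name="MSIP_Label_{SAMPLE_GUID}_Enabled"><vt:lpwstr>true</vt:lpwstr></property>
 <property fmtid="{{D5CDD505-2E9C-101B-9397-08002B2CF9AE}}" pid="3" name="MSIP_Label_{SAMPLE_GUID}_Name"><vt:lpwstr>Confidential</vt:lpwstr></property>
 <property fmtid="{{D5CDD505-2E9C-101B-9397-08002B2CF9AE}}" pid="4" name="MSIP_Label_{SAMPLE_GUID}_Method"><vt:lpwstr>Privileged</vt:lpwstr></property>
</Properties>"""


def sample_docx():
    """Minimal zip holding only the custom-properties part; enough for the reader above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docProps/custom.xml", CUSTOM_XML)
    return buf.getvalue()


SAMPLE_MAIL = (
    "From: alice@example.invalid\r\nTo: bob@example.invalid\r\n"
    f"msip_labels: MSIP_Label_{SAMPLE_GUID}_Enabled=true; MSIP_Label_{SAMPLE_GUID}_Name=Confidential;"
    f" MSIP_Label_{SAMPLE_GUID}_Method=Standard\r\nSubject: Q3 figures\r\n\r\nbody\r\n"
)

if __name__ == "__main__":
    print(enabled_label_names(labels_from_office_file(sample_docx())))
    print(enabled_label_names(labels_from_mail_header(SAMPLE_MAIL)))
```

The Method field (Standard or Privileged) records whether the label was applied automatically or chosen by the user, which is worth keeping in DLP logs: a user-downgraded label is more interesting to an investigator than an automatic one.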

The protection technology uses Azure Rights Management (often abbreviated to Azure RMS). This technology is integrated with other Microsoft cloud services and applications, such as Office 365 and Azure Active Directory. It can also be used with your own line-of-business applications and information protection solutions from software vendors, whether these applications and solutions are on-premises, or in the cloud.

This protection technology uses encryption, identity, and authorization policies. Similarly to the labels that are applied, protection applied by Rights Management stays with the documents and emails, independently of the location — inside or outside your organization, networks, file servers, and applications. This information protection solution keeps you in control of your data, even when it is shared with other people.

These protection settings can be part of your label configuration, so that users both classify and protect documents and emails simply by applying a label. However, the same protection settings can also be used by applications and services that support protection, but not labeling. For these applications and services, the protection settings become available as Rights Management templates.

As soon as you activate the Azure Rights Management service, two default templates are available for you that restrict data access to users within your organization. You can use these templates to immediately help prevent data leaking from your organization. You can also supplement these default templates by configuring your own protection settings that apply more restrictive controls.

When you create a label for Azure Information Protection that includes protection settings, the program automatically creates a corresponding Rights Management template. You can then use that template with applications and services that support Azure Rights Management.

Azure Information Protection integrates with end users' existing workflows when the Azure Information Protection client is installed. This client adds the Information Protection bar to Office applications, which makes it easy for end users to select labels for the correct classification. If required, labels can also be applied automatically to remove the guesswork for users, or to comply with your organization's policies.

To classify and protect additional file types, and to support multiple files at once, users can right-click files or a folder from Windows File Explorer. When users select the Classify and protect menu option from File Explorer, they can then select a label similarly to how they use the Information Protection bar in their Office desktop apps. They can also set their own custom permissions, if required.

After a document has been protected, users and administrators can use a document tracking site to monitor who is accessing these documents and when. If they suspect misuse, they can also revoke access to these documents.

As well as the client that lets users protect information going forward, the Azure Information Protection scanner can be installed on a Windows server to discover, classify and protect documents that already exist on on-premises file shares and SharePoint Server libraries.


Azure Key Vault

Azure Key Vault helps safeguard cryptographic keys and secrets used by cloud applications and services. By using Key Vault, you can encrypt keys and secrets (such as authentication keys, storage account keys, data encryption keys, .PFX files, and passwords) using keys protected by hardware security modules (HSMs). For added assurance, you can import or generate keys in HSMs. If you do, Microsoft processes your keys in FIPS 140-2 Level 2 validated HSMs (hardware and firmware).

Key Vault streamlines the key management process and helps you maintain control of keys that access and encrypt your data. Developers can create keys for development and testing in minutes, and then seamlessly migrate them to production keys. Security administrators can grant (and revoke) permission to keys, as needed. Grant that access to each application's own managed identity rather than to a shared service principal or an embedded credential, limit it to the operations the application actually needs (for example get on secrets, not list or set), and enable Key Vault diagnostic logging so that every retrieval is auditable.
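A typical pattern for an application on the TRELLIS stack is to pull its secrets from Key Vault at start-up under its own managed identity instead of reading them from a configuration file. The Python below is an example added to this page, not GreatIdeaz or TRELLIS code. It assumes the azure-identity and azure-keyvault-secrets packages for the real client and wraps SecretClient in a small read-through cache that picks up a rotated secret without a restart, refuses disabled or expired versions, and never writes the secret value to the log. FakeSecretClient at the end is a constructed stand-in so the cache can be exercised without a vault.

```python
"""Retrieve application secrets from Azure Key Vault at run time under the identity the
app runs as. Example added to this page, not GreatIdeaz/TRELLIS code. The Azure SDK is
imported lazily inside make_secret_client so the cache can run without it installed."""
import logging
import time
from datetime import datetime, timezone

log = logging.getLogger("trellis.secrets")


def make_secret_client(vault_url):
    """SecretClient authenticating with DefaultAzureCredential: managed identity in Azure,
    az CLI or environment variables on a developer machine. No stored secret is needed."""
    from azure.identity import DefaultAzureCredential
    from azure.keyvault.secrets import SecretClient
    return SecretClient(vault_url=vault_url, credential=DefaultAzureCredential())


class SecretCache:
    """Read-through cache in front of client.get_secret(name).
    - values are re-fetched after ttl seconds, so a rotated secret is picked up without a restart
    - disabled or expired secret versions raise instead of being used silently
    - only names and version IDs are ever logged, never the value"""

    def __init__(self, client, ttl=300, clock=time.monotonic,
                 now=lambda: datetime.now(timezone.utc)):
        self._client, self._ttl, self._clock, self._now = client, ttl, clock, now
        self._items = {}  # name -> (fetched_at, version, value)

    def get(self, name):
        hit = self._items.get(name)
        if hit and self._clock() - hit[0] < self._ttl:
            return hit[2]
        secret = self._client.get_secret(name)
        props = secret.properties
        if props.enabled is False:
            raise RuntimeError(f"secret {name} version {props.version} is disabled")
        if props.expires_on is not None and props.expires_on <= self._now():
            raise RuntimeError(f"secret {name} version {props.version} expired on "
                               f"{props.expires_on:%Y-%m-%d}")
        if hit and hit[1] != props.version:
            log.info("secret %s rotated: version %s -> %s", name, hit[1], props.version)
        self._items[name] = (self._clock(), props.version, secret.value)
        return secret.value

    def versions(self):
        """Which version of each secret is in use: safe to log or expose on a health endpoint."""
        return {n: v for n, (_, v, _) in self._items.items()}


# ---- constructed stand-in for the subset of SecretClient used above (offline runs) ----
class FakeProps:
    def __init__(self, version, enabled=True, expires_on=None):
        self.version, self.enabled, self.expires_on = version, enabled, expires_on


class FakeSecret:
    def __init__(self, name, value, props):
        self.name, self.value, self.properties = name, value, props


class FakeSecretClient:
    def __init__(self, store):
        self.store, self.calls = store, 0  # store: name -> (value, FakeProps)

    def get_secret(self, name):
        self.calls += 1
        value, props = self.store[name]
        return FakeSecret(name, value, props)


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    fake = FakeSecretClient({"db-password": ("example-value-v1", FakeProps("aaa111"))})
    cache = SecretCache(fake, ttl=60)
    cache.get("db-password")
    print(cache.versions())
```

For a real vault, replace FakeSecretClient with make_secret_client("https://<your-vault>.vault.azure.net/"); the rotation log line is the hook for alerting when a secret changes outside a planned rotation window.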