Would you store a spreadsheet with the names and salaries of everyone in your company on a “secure” spot on your file server? Of course you wouldn't because your IT security is straight out of the 1990's using Windows Server Active Directory with usernames that are easy to guess, passwords that never change and no multi-factor authentication. 

You don't have MFA enabled even though you know you should have done that a long time ago (but it is such a hassle, right?).

You'd be smart to assume some of your users have unknowingly supplied their user names and passwords through a phishing email, or a 3rd party website your company uses was hacked and overseas hackers are testing out those credentials to see if they can blackmail or extort your company with its own data.

I know you have a lot on your plate...but really, let's get serious about your IT security and modernize it with Microsoft 365. Your starting point: Azure Active Directory Premium Plan 1 + Microsoft Intune.

You love the idea of not having any servers anymore and having everything in the cloud. Me too—so we are on the same page there.

But...what about securing all of this stuff in the cloud? You probably have an inkling that this has something to do with Azure Active Directory—and you'd be right about that for sure. You also suspect this might have something to do with Microsoft Intune, and you'd be right about that too.

BUT! The problem is that at this point in your career—whether you are an actual IT manager, or a quasi-IT manager—you don't have the time or patience to spend 2-3 hours an evening 5 nights a week for the next 6-12 months watching training videos, or training for a certification exam, building out a proof of concept system, then selling your project idea to your superiors and ultimately moving your company over to a properly configured Microsoft 365 security system. Oh, and by the way...this will be your FIRST real such project...good luck with that.

Anyway, I get it. I was there myself circa 2012. I had a very nice career built on 1990's IT security which ultimately boiled down to stuff that seems so crude and basic now: Windows Server Active Directory on two domain controllers holding user accounts with usernames that are easy to guess and passwords that never change. Of course no multi-factor authentication. Remote access security was provided through the firewall with yet another set of user accounts separate from Active Directory. Protecting files from deletion was a matter of backing them up locally and in the cloud. Antivirus was managed through 3rd party apps. This type of system also assumed most everyone in the company worked under the same roof all day long.

BOY HAVE THINGS CHANGED, huh?

Now, if someone works with us, they have bought into the vision: emails, corporate chats, files, and phones in Microsoft 365 cloud services, and industry-specific business apps around sales, finance and operations as 3rd party web and mobile apps. Everything is a subscription per user per month, and you only pay for what you need when you need it...THAT is modern IT: cost efficient, secure, always up to date, mobile, flexible.

So with that being said, how do we keep access to your emails, corporate chats, voicemails, Word docs, Excel spreadsheets, PowerPoint slides, PDFs, photos, finance, HR and operational documents private and in your control? How do we control access to this data so your company doesn't get digitally blackmailed, extorted, ransomed or robbed?

We do this by integrating the security components of Microsoft 365. At the basic level we use Azure Active Directory Premium Plan 1 and Intune, at the advanced level we use Microsoft 365 Security and Threat Protection add-on to your Microsoft 365 subscription.

Identity is the new firewall. The concept of a hacker sitting at his house with the login prompt to your firewall or server trying out different username and password combinations to get in is 1990’s hacker nostalgia.

Attackers go after cloud "identities"–usernames and passwords—looking for ways for you to freely and willfully give them your identity: it’s so much easier to steal and threaten this way.

Once they have your identity, they can use it to go in and start seeing what they have access to and how they can exploit it to get some money from you.

They know your username in Microsoft 365 is your email address...now they just need your password. And they'd be right to assume you likely don't have multi-factor authentication enabled so logging in from another country won't be an issue.

So, if identity is the new firewall, then whatever it is that protects our identities in Microsoft 365 must be our new firewall, right? RIGHT-O you are my friend! And THAT...is Azure Active Directory PREMIUM —not the free version you got when you signed up for Microsoft 365.

Azure Active Directory Premium (Plan 1)

Azure Active Directory Premium Plan 1 (AADP1)—more about Plan 2 in a moment—is our starting point to do things the right way.

We will get multi-factor authentication (MFA) enabled, which will be a huge step forward in security for your company. Now when one of your users falls victim to a phishing email and gives up their Microsoft 365 username and password, Microsoft 365 can challenge a strange login coming from an unknown computer in Russia when that user typically logs in from North Carolina. Without MFA in place, the password alone is the whole story: even though Microsoft 365 sees that happening, since YOU didn't configure MFA, it has no choice but to allow that login to proceed.

Geographic Blocks

But geez...if all of your users only ever log in from the United States...WHY DO WE EVEN ALLOW LOGINS ANYWHERE ELSE??? Good question. You shouldn't. This is what we set up a geographic block for: we tell Azure Active Directory to ONLY allow logins from specific countries (a Conditional Access "named location")--everything else is blocked. Taking a trip to France? No problem, we'll open up access to France for the time you'll be there and then close it back up after you come back. Keep in mind the country is inferred from the IP address of the sign-in, so this stops the opportunistic attempts from abroad; a determined attacker routing through a VPN in the United States passes the location check, which is why the geographic block sits alongside MFA rather than replacing it.
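Here is how the two controls just described are built with the Microsoft Graph PowerShell SDK, as an added example (not code from the original page or from Xerillion's tooling): a named location listing the allowed countries, one Conditional Access policy requiring MFA for everyone, and a second policy blocking sign-ins from anywhere else. The tenant domain, the break-glass account and the country list are placeholders. Both policies are created in report-only mode so you can read the sign-in log for a week before enforcing them, and a break-glass admin account is excluded so a typo cannot lock you out of your own tenant.

```powershell
# Added example: Conditional Access policies for MFA and a country allow-list via
# Microsoft Graph PowerShell (Microsoft.Graph module). Placeholders (assumptions):
# the break-glass account UPN and the list of allowed countries.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "User.Read.All"

# Emergency-access account that is NEVER subject to Conditional Access (placeholder UPN).
$breakGlass = (Get-MgUser -UserId "breakglass@contoso.onmicrosoft.com").Id
$allowedCountries = @("US")   # ISO 3166-1 alpha-2 codes; add "FR" for the trip, remove it afterwards

# 1. Named location: the countries your staff actually signs in from.
#    Sign-ins whose IP cannot be mapped to a country are NOT treated as allowed.
$location = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/namedLocations" `
    -Body (@{
        "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
        displayName                       = "Allowed countries"
        countriesAndRegions               = $allowedCountries
        includeUnknownCountriesAndRegions = $false
    } | ConvertTo-Json)

# 2. Require MFA for all users on all cloud apps.
$mfaPolicy = @{
    displayName   = "CA01 - Require MFA for all users"
    state         = "enabledForReportingButNotEnforced"   # report-only first; set to "enabled" after review
    conditions    = @{
        users        = @{ includeUsers = @("All"); excludeUsers = @($breakGlass) }
        applications = @{ includeApplications = @("All") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies" `
    -Body ($mfaPolicy | ConvertTo-Json -Depth 10)

# 3. Block every sign-in that does not come from an allowed country.
#    "All locations" minus the allow-list named location = everywhere else.
$geoPolicy = @{
    displayName   = "CA02 - Block sign-ins outside allowed countries"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{ includeUsers = @("All"); excludeUsers = @($breakGlass) }
        applications = @{ includeApplications = @("All") }
        locations    = @{ includeLocations = @("All"); excludeLocations = @($location.id) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies" `
    -Body ($geoPolicy | ConvertTo-Json -Depth 10)

# Check: confirm both policies exist and are still report-only before flipping them on.
Get-MgIdentityConditionalAccessPolicy | Select-Object DisplayName, State
```

For the France trip in the text, PATCH the named location's `countriesAndRegions` to add `FR` before the traveler leaves and remove it when they are back; the block policy picks the change up immediately because it references the location by ID.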

Azure Active Directory Conditional Access with Microsoft Intune

AADP1 also gives us the ability to only allow access on the condition that the device a user is connecting from meets company compliance requirements. It does this by working with Microsoft Intune. In Intune we set up a compliance policy where we specify things like: a computer must have an up-to-date operating system and antimalware, be encrypted, have a lock screen, etc. So when a user logs in and is authenticated with Azure Active Directory, Azure Active Directory checks with Microsoft Intune to see whether the computer or smartphone they are connecting from passes the compliance policy.  I'm confident you don't want a valid user in your company connecting in and working with company data on a computer running Windows Vista...(they shouldn't even be using Windows 7 at this point).

Azure Active Directory Single Sign-On

And think about all the identities (user accounts) you have out there for your company with the various web-based services and applications you depend on to run your business. Wouldn't it be nice to have a single identity that you can give to an employee when they start at your company and that has access to all the cloud-based services? They will only have to remember a single user account and password, and if they leave the company, a single click disables access to all of those accounts. This is called Single Sign-On (SSO) and is an important piece of your overall cloud security solution: because every sign-in to those 3rd party apps now goes through Azure Active Directory, the MFA and Conditional Access rules above cover them too. You MUST narrow down all these different user account directories you have in your company for your own sanity as well as your security. Usually we can get our clients down to 1 or 2.

Azure Active Directory Premium Plan 2: Machine Learning Identity Protection

With Azure Active Directory Premium Plan 2 (AADP2) we get some powerful protection: Azure Identity Protection. This is where Azure Active Directory LEARNS what the normal sign-in patterns for people in your company look like and uses that information, together with Microsoft's own threat intelligence, to rate each sign-in and each user as low, medium, or high risk.

So let's say a user who always logs in from California is, today, logging in from Florida and passed all multi-factor authentication and conditional access checks. With AADP1, there is no further review of the situation, but with AADP2 the system knows that this is highly unusual and could be a threat, and therefore raises the sign-in risk to "high". We configure Azure Identity Protection so that when it sees a high-risk sign-in it cuts that session off and forces a password change (the user has to pass MFA again before setting the new password, so an attacker holding only the old password is stuck). We could even configure it to simply block the account right there pending administrator review.  In this case you used machine learning to identify a threat that otherwise would have proceeded, and then you used AADP2's automated services to handle the situation. This is the ultimate in protection...because remember...identity is the new firewall.

With AADP2 Identity Protection, we also get Azure Active Directory looking out for our identities across the Internet. As you would imagine, Azure Active Directory's reach across the global Internet is vast. So if Microsoft finds one of your users' usernames and passwords in a leaked credential dump on the public Internet, Identity Protection flags that user as high risk, and we can configure it to immediately block the account or force a password reset.

If you have users on your network, you must assume breach. Then you need to put protections in place so that if a user's username and password are exposed on the Internet, your system can still block people from using those login credentials. Some of your users have, and some of your users will—unintentionally—expose their account credentials on the public Internet. Some of the 3rd party websites you use to do business, where your username is your email address and your password is the same one you use with Microsoft 365, will get hacked. Let's set your security up, preferably with Azure Active Directory Premium Plan 2, so this will be an annoyance, but not a serious threat to the security and finances of your company.
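The two automated responses described in this section (a risky sign-in must re-prove itself with MFA; a user whose credentials turn up in a leak must change their password) are risk-based Conditional Access policies. Below is an added example of creating them with Microsoft Graph PowerShell; it is not code from the original page or from Xerillion, it assumes an Azure AD Premium P2 license, and the excluded break-glass object ID is a placeholder. Note the grant control for a password change is only accepted together with MFA, joined by AND, and it only works for users whose password can be changed in the cloud (cloud-only accounts, or hybrid accounts with password writeback).

```powershell
# Added example: risk-based Conditional Access policies that act on the Identity
# Protection signals described above. Requires Azure AD Premium P2.
# Placeholder (assumption): the object ID of the emergency-access account.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "IdentityRiskyUser.Read.All"

$excluded = @("<object-id-of-break-glass-account>")

# Sign-in risk (atypical travel, anonymous IP, etc.): a medium/high risk sign-in
# must satisfy MFA even though the password was correct.
$signInRisk = @{
    displayName   = "CA10 - Sign-in risk: require MFA"
    state         = "enabledForReportingButNotEnforced"   # report-only until reviewed
    conditions    = @{
        users            = @{ includeUsers = @("All"); excludeUsers = $excluded }
        applications     = @{ includeApplications = @("All") }
        signInRiskLevels = @("medium", "high")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# User risk (e.g. leaked credentials found by Microsoft): high-risk users must
# pass MFA AND set a new password. "passwordChange" is rejected unless paired
# with "mfa" under operator AND.
$userRisk = @{
    displayName   = "CA11 - User risk: require MFA and password change"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = $excluded }
        applications   = @{ includeApplications = @("All") }
        userRiskLevels = @("high")
    }
    grantControls = @{ operator = "AND"; builtInControls = @("mfa", "passwordChange") }
}

foreach ($policy in $signInRisk, $userRisk) {
    Invoke-MgGraphRequest -Method POST `
        -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies" `
        -Body ($policy | ConvertTo-Json -Depth 10)
}

# Check: who is currently flagged high risk, and whether the risk was remediated
# (riskState "remediated") by the forced password change or is still "atRisk".
$risky = Invoke-MgGraphRequest -Method GET -OutputType PSObject `
    -Uri "https://graph.microsoft.com/v1.0/identityProtection/riskyUsers?`$filter=riskLevel eq 'high'"
$risky.value | Select-Object userPrincipalName, riskLevel, riskState, riskLastUpdatedDateTime
```

A user who has never registered for MFA cannot satisfy CA11 and is simply blocked until an administrator resets the password, so register everyone for MFA before turning the user-risk policy from report-only to enabled.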

Microsoft Intune—A Most Powerful Security and Management Service

Remember how I said earlier that with Azure Active Directory Premium Plan 1 we get the ability to set conditions on how a user's device needs to be set up and configured if they want access to our Microsoft 365 cloud services and data? Well, let's dig into that a bit further with Microsoft Intune.

Most companies provide computers for their staff but not cell phones, though the company usually still allows the employee to access email and company data on their personal cell phone, at which point the company has no control over that data, which is typically synced to the device. The data can generally be connected to from any device and a synced copy made on any device. We call this "shadow IT": copies of your data over which you have no control.

Wouldn’t it be nice if:

  1. Only company computers that are digitally under company control and management are allowed to connect to your data.
  2. Computers that are not registered under company management are not allowed to connect, even if the user connecting has a valid user account.

This would be the traditional IT management model.

Or, another—more modern—alternative:

  1. Your company doesn't issue computers or smartphones to employees. Your company RENTS business access to employees' personal devices. Employees TRULY bring their own device—not just their smartphone.
  2. The employee gets to use Windows or macOS, desktop or laptop, iOS or Android - whatever they are most comfortable with - and the company pays them for that access.
  3. The company doesn't maintain ANY computer, tablet or smartphone inventory.
  4. The company doesn't have to slug out a computer setup every time a new person joins the company.
  5. The company doesn't manage the employee's personal devices - the company ONLY does a compliance check that the personal device the employee is using meets company compliance requirements: up-to-date OS, antivirus, encrypted hard drive, lock screen, etc.
  6. If the employee's personal computer is not compliant, Microsoft Intune tells them what they need to configure to make it compliant - the choice is up to the employee.
  7. The company's data can only stay on the employee's personal computer or smartphone while the employee's account is active. If the employee's account is disabled, the data on the computer can be configured to no longer be accessible, and it can even be selectively removed without touching any of the employee's personal data.

I'll suggest ONE MORE scenario...the company issues VIRTUAL computers using the Windows Virtual Desktop rights it OWNS through the Microsoft 365 subscription we set it up with—THAT is the real future of IT...but, I'll leave that for another video and webpage here on this site. If that sounds intriguing, we can set up a time to talk about it.

In all 3 scenarios, the company's data is protected. At Xerillion, we do not issue computers or smartphones to our team - we pay them for business access to their personal devices. We do not manage their devices - we just check for compliance. It is SO FREEING to not manage a device inventory, and the employee gets to use whatever device they prefer; this is the future of device management.

Microsoft Intune Device Profiles (i.e., getting rid of imaging)

Imagine if you had a computer setup process that didn't involve setting up and maintaining images or laborious, time-consuming manual setups; where a user could purchase a computer off the shelf, log in with their Azure Active Directory account out of the box, and your IT system sent that computer instructions on how to configure itself, install Microsoft Office and any other 3rd party desktop apps, and within an hour the computer was ready to go on your network. For this we use Microsoft Intune Device Configuration profiles: they are your new best friend.

With Microsoft Intune, you can easily set up device configuration profiles that apply your company's required settings to computers. You can also define compliance policies so that if a user changes a setting the policy requires, their computer is flagged as out of compliance and Conditional Access stops it from connecting to company data, even though the user's account itself is perfectly valid.

Lastly, think about the Windows operating system itself. At the very least, the hard drive should be encrypted with BitLocker (included with Windows 10 Pro and Enterprise), it should have serious antivirus (Microsoft Defender Antivirus is built into Windows 10), and the computer should be set up to update the OS and antivirus signatures regularly. It should be configured with an idle-time lockout and a lockout after 10 failed sign-ins (on a Windows desktop this policy puts a BitLocker-encrypted drive into recovery mode rather than wiping it, which locks the data away just as effectively). All of this can easily be managed with Microsoft Intune, Microsoft's cloud device management service.

Microsoft Intune Mobile App Management Without Enrollment

And how about those personal cell phones your staff connects to your company data from? What if we could allow your staff to access their email and documents from their personal devices, but not allow that data to be moved outside of company control, and without having to enroll the employee's personal device into management? This is possible with Microsoft Intune Mobile Application Management (MAM) without enrollment, also known as app protection policies. On iOS, Android, and Windows 10, a business can configure that company data can only be accessed by company-managed apps like Outlook, Word and Excel, and the data cannot leave the app, be saved to local storage, or be moved to a user's personal Dropbox account...not even copied and pasted into a personal app. And if the employee leaves, access to the company data in those apps is removed and the data itself, even synced data, is wiped from the apps, while the employee's personal data still works in the very same apps. Amazing.
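As an added example (not code from the original page or from Xerillion), here is an iOS app protection policy created through Microsoft Graph PowerShell that implements the restrictions just described: data may only flow to other managed apps, "Save As" is blocked, only OneDrive and SharePoint are allowed storage targets, clipboard copy is confined to managed apps, and the app PIN is required. The Android policy has the same shape under `/androidManagedAppProtections`. The app bundle IDs are the published Intune-protected Office apps and should be checked against your tenant; the group ID is a placeholder.

```powershell
# Added example: Intune app protection policy (MAM without enrollment) for iOS that
# keeps corporate data inside the managed Office apps. Assumptions: the bundle IDs
# below match Intune's protected-app list in your tenant; group ID is a placeholder.
Connect-MgGraph -Scopes "DeviceManagementApps.ReadWrite.All"

$policy = @{
    displayName                             = "iOS - Protect corporate data in Office apps"
    periodOnlineBeforeAccessCheck           = "PT30M"   # re-validate the account every 30 min online
    periodOfflineBeforeAccessCheck          = "PT12H"   # after 12 h offline, block until online again
    periodOfflineBeforeWipeIsEnforced       = "P90D"    # 90 days offline: corporate data is wiped from the app
    allowedInboundDataTransferSources       = "managedApps"             # only managed apps may send data in
    allowedOutboundDataTransferDestinations = "managedApps"             # no Share to personal apps
    allowedOutboundClipboardSharingLevel    = "managedAppsWithPasteIn"  # copy stays in managed apps; paste in from personal is OK
    saveAsBlocked                           = $true
    allowedDataStorageLocations             = @("oneDriveForBusiness", "sharePoint")   # not local storage, not Dropbox
    dataBackupBlocked                       = $true     # corporate data excluded from iCloud backups
    printBlocked                            = $true
    contactSyncBlocked                      = $true
    pinRequired                             = $true
    minimumPinLength                        = 6
    simplePinBlocked                        = $true
    maximumPinRetries                       = 5
    fingerprintBlocked                      = $false
    faceIdBlocked                           = $false
}
$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceAppManagement/iosManagedAppProtections" `
    -Body ($policy | ConvertTo-Json -Depth 5)

# Target the policy at the Office apps (iOS bundle identifiers).
$targets = @{
    apps = @(
        "com.microsoft.Office.Outlook", "com.microsoft.Office.Word", "com.microsoft.Office.Excel",
        "com.microsoft.Office.Powerpoint", "com.microsoft.skydrive", "com.microsoft.skype.teams" |
        ForEach-Object {
            @{
                "@odata.type"       = "#microsoft.graph.managedMobileApp"
                mobileAppIdentifier = @{ "@odata.type" = "#microsoft.graph.iosMobileAppIdentifier"; bundleId = $_ }
            }
        }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceAppManagement/iosManagedAppProtections/$($created.id)/targetApps" `
    -Body ($targets | ConvertTo-Json -Depth 10)

# Assign the policy to the staff group (placeholder group ID).
$assign = @{ assignments = @(@{ target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"; groupId = "<staff-group-object-id>" } }) }
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceAppManagement/iosManagedAppProtections/$($created.id)/assign" `
    -Body ($assign | ConvertTo-Json -Depth 10)
```

When the employee's account is disabled, the next online access check (`periodOnlineBeforeAccessCheck`) fails and the managed apps stop opening corporate data; an administrator can also trigger a selective wipe of the corporate data in those apps from the Intune portal without touching the user's personal content.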

Windows Update Rings

If a computer is a managed company device, an important topic is: how do we manage the updates? For this we set up Windows Update rings in Intune, and you might have some computers getting their updates earlier or later than others. The important thing is that you can configure the tempo of updates across your company: who gets updates when, AND who ISN'T getting updates (paused) while a problem is sorted out.

When you enroll company devices under Microsoft Intune for updates, you have this amazing visibility of how all your computers are doing with their updates. I'd say 95% of companies I speak with have no visibility on how their devices are updating, and the devices are left to fend for themselves for their updates.
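The ring layout described above (a small pilot group first, everyone else a week or a month later) and the visibility that comes with it look like this in Microsoft Graph PowerShell. This is an added example, not code from the original page or from Xerillion; the group IDs are placeholders and the deferral periods are one reasonable choice, not a Microsoft recommendation.

```powershell
# Added example: two Intune update rings (windowsUpdateForBusinessConfiguration) and
# a per-ring rollout status check. Group IDs are placeholders (assumptions).
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All"

function New-UpdateRing {
    param(
        [string]$Name,
        [int]$QualityDeferralDays,    # monthly security/quality updates
        [int]$FeatureDeferralDays,    # twice-yearly feature updates
        [string]$GroupId
    )
    $ring = @{
        "@odata.type"                      = "#microsoft.graph.windowsUpdateForBusinessConfiguration"
        displayName                        = $Name
        qualityUpdatesDeferralPeriodInDays = $QualityDeferralDays
        featureUpdatesDeferralPeriodInDays = $FeatureDeferralDays
        businessReadyUpdatesOnly           = "businessReadyOnly"             # general-availability builds, no Insider builds
        automaticUpdateMode                = "autoInstallAtMaintenanceTime"  # install outside the active hours below
        microsoftUpdateServiceAllowed      = $true                           # also pull other Microsoft product updates
        driversExcluded                    = $false
        qualityUpdatesPaused               = $false   # flip to $true to hold a ring back while a bad patch is investigated
        installationSchedule               = @{
            "@odata.type"    = "#microsoft.graph.windowsUpdateActiveHoursInstall"
            activeHoursStart = "08:00:00"
            activeHoursEnd   = "18:00:00"
        }
    }
    $created = Invoke-MgGraphRequest -Method POST `
        -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations" `
        -Body ($ring | ConvertTo-Json -Depth 5)

    $assign = @{ assignments = @(@{ target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"; groupId = $GroupId } }) }
    Invoke-MgGraphRequest -Method POST `
        -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations/$($created.id)/assign" `
        -Body ($assign | ConvertTo-Json -Depth 5)
    return $created.id
}

# Pilot ring (IT staff and a few volunteers) takes updates on day 0; the broad ring
# waits 7 days for quality updates and 30 days for feature updates so the pilot absorbs surprises.
$pilot = New-UpdateRing -Name "Ring 1 - Pilot" -QualityDeferralDays 0 -FeatureDeferralDays 0  -GroupId "<pilot-group-object-id>"
$broad = New-UpdateRing -Name "Ring 2 - Broad" -QualityDeferralDays 7 -FeatureDeferralDays 30 -GroupId "<all-staff-devices-group-object-id>"

# Visibility: per ring, how many devices applied the ring settings, are pending, or failed.
foreach ($id in $pilot, $broad) {
    Invoke-MgGraphRequest -Method GET -OutputType PSObject `
        -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations/$id/deviceStatusOverview" |
        Select-Object successCount, pendingCount, errorCount, failedCount, conflictCount
}
```

A device that is powered off for a long stretch will install updates in its own maintenance window when it returns; this status check is how you find the machines that never did.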

And really...we both know...the updates are a KEY PART of keeping the system secure and stable. So - let's get on with it.

Windows OS Devices Health Attestation

These days, with our users accessing our data through 3rd party cloud services (like Microsoft 365) and outside the management of local networks and firewalls, we need to put much more focus on the Windows devices themselves. Windows has the ability to measure its own boot process, confirm whether it is healthy, and report that to Microsoft Intune; this is called Device Health Attestation.

Windows can:

  1. Load an Early Launch Anti-Malware (ELAM) driver before any 3rd party driver, so anti-malware is already running while the rest of the system starts.
  2. Check that the 3rd party drivers it loads are digitally signed and unmodified (code integrity), and refuse unsigned or known-bad ones.
  3. Confirm, with Secure Boot and a TPM-backed measured boot, that the firmware and the software used to load the operating system were not tampered with.

Once the boot has been measured, Windows reports or "attests" its state (Secure Boot on, BitLocker on, code integrity enforced, ELAM loaded) to Intune's Device Health Attestation service. If any of those checks is NOT in place, the Intune compliance policy marks the device non-compliant, and the Azure Active Directory Conditional Access rule that requires a compliant device blocks it, since accessing your company data with that device presents a risk to the privacy and security of your company data. This needs a TPM in the computer; a PC without one cannot produce the health report at all.
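The compliance policy and the "require a compliant device" rule described in this section and in the Conditional Access and Windows sections above are created like this with Microsoft Graph PowerShell. This is an added example, not code from the original page or from Xerillion; the minimum OS build, the idle-lock minutes and the group and break-glass IDs are assumptions. The Device Health Attestation settings (`requireHealthyDeviceReport`, `secureBootEnabled`, `codeIntegrityEnabled`, `earlyLaunchAntiMalwareDriverEnabled`, `bitLockerEnabled`) are the ones that turn the attestation report into a pass/fail decision.

```powershell
# Added example: an Intune Windows 10 compliance policy encoding the checks in the
# text (current OS, BitLocker, Secure Boot, code integrity, ELAM, Defender, idle lock)
# plus a Conditional Access policy that only admits compliant Windows devices.
# Assumptions: minimum build, lock timeout, group ID and break-glass object ID.
Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All", "Policy.ReadWrite.ConditionalAccess"

$compliance = @{
    "@odata.type"                         = "#microsoft.graph.windows10CompliancePolicy"
    displayName                           = "Windows 10 - corporate baseline"
    description                           = "Device must attest a healthy boot and run current, encrypted Windows"
    osMinimumVersion                      = "10.0.19044"   # assumed floor; raise as old builds leave support
    passwordRequired                      = $true
    passwordRequiredToUnlockFromIdle      = $true
    passwordMinutesOfInactivityBeforeLock = 15
    # Device Health Attestation: these come from the TPM-backed boot measurements
    requireHealthyDeviceReport            = $true    # no report (e.g. no TPM) = non-compliant
    secureBootEnabled                     = $true
    codeIntegrityEnabled                  = $true
    earlyLaunchAntiMalwareDriverEnabled   = $true
    bitLockerEnabled                      = $true
    # Defender and firewall state as reported by the device
    defenderEnabled                       = $true
    rtpEnabled                            = $true    # real-time protection on
    signatureOutOfDate                    = $false   # definitions must be current
    antivirusRequired                     = $true
    antiSpywareRequired                   = $true
    activeFirewallRequired                = $true
    storageRequireEncryption              = $true
    # Graph refuses a compliance policy with no scheduled action; this marks the
    # device non-compliant immediately (0 h grace) so Conditional Access can block it.
    scheduledActionsForRule = @(@{
        ruleName                      = "PasswordRequired"
        scheduledActionConfigurations = @(@{
            actionType                = "block"
            gracePeriodHours          = 0
            notificationTemplateId    = ""
            notificationMessageCCList = @()
        })
    })
}
$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies" `
    -Body ($compliance | ConvertTo-Json -Depth 10)

# Assign the compliance policy to the devices group (placeholder ID).
$assign = @{ assignments = @(@{ target = @{ "@odata.type" = "#microsoft.graph.groupAssignmentTarget"; groupId = "<windows-devices-group-object-id>" } }) }
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$($created.id)/assign" `
    -Body ($assign | ConvertTo-Json -Depth 10)

# Conditional Access: a valid password and MFA are not enough; the Windows device
# must also be marked compliant by Intune. Scoped to Windows here because the
# compliance policy above is Windows-only; add iOS/Android policies for phones.
$requireCompliant = @{
    displayName   = "CA20 - Require compliant Windows device"
    state         = "enabledForReportingButNotEnforced"   # report-only first
    conditions    = @{
        users        = @{ includeUsers = @("All"); excludeUsers = @("<break-glass-object-id>") }
        applications = @{ includeApplications = @("All") }
        platforms    = @{ includePlatforms = @("windows") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("compliantDevice") }
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies" `
    -Body ($requireCompliant | ConvertTo-Json -Depth 10)
```

Run the Conditional Access policy in report-only mode until the compliance report in Intune shows your fleet actually passing; the first thing it usually finds is a handful of machines with Secure Boot or BitLocker switched off that nobody knew about.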

Azure Information Protection Security Labels

What if you had a very sensitive document that contained information about you, your employees or your clients – salary information, personal information, financial information, passwords, etc.? What if you could create a document inside Microsoft Word and simply classify it as "Highly Confidential", and in doing so your IT security system knew that this document could only be seen by company partners or financial officers, and that protection followed this document NO MATTER WHO HAD THE DOCUMENT OR WHERE IT WAS IN THE WORLD? You could send this document to your ENTIRE STAFF, but nobody except company partners and financial officers could ever open it, because the file itself is encrypted and the key is only handed out to people the label allows. If this document were placed in the wrong company folder, it also wouldn't matter. A disgruntled employee could copy this document, let's call it "Wayne Chapin Compensation Package 2017", to a USB drive and take it home with them, and still they would never be able to open it. Any time someone attempted to open the document, you'd get a notice with an approximate location (derived from the IP address), and at any time you could revoke the document entirely so even people with permissions can no longer view it. You can even set that the document must see an Internet connection every 7 days or it stops opening. You can even have documents AUTOMATICALLY classify and secure themselves based on words like "employment agreement", "bonus plan", etc. This is the kind of security you get with Azure Information Protection, and it is easy to implement.
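Creating the "Highly Confidential" label described above, with encryption restricted to two groups and a 7-day offline limit, looks like this in Security & Compliance PowerShell. This is an added example, not code from the original page or from Xerillion; the label name, group addresses and domain are placeholders. The automatic classification by keywords mentioned in the text is configured separately as an auto-labeling condition and is not shown here.

```powershell
# Added example: a sensitivity label that encrypts the document and only lets two
# groups open it, plus the policy that publishes the label to everyone.
# Placeholders (assumptions): label name, group mail addresses, domain.
Connect-IPPSSession   # Security & Compliance PowerShell (ExchangeOnlineManagement module)

# Rights per principal: "<address>:<RIGHT>,<RIGHT>;<address>:<RIGHT>".
# Partners can read, edit, print and reply; finance officers are OWNERs and may
# change or remove the protection. Anyone else gets no key and cannot open the file.
$rights = "partners@contoso.com:VIEW,VIEWRIGHTSDATA,DOCEDIT,EDIT,PRINT,EXTRACT,REPLY,REPLYALL,FORWARD,OBJMODEL;" +
          "finance-officers@contoso.com:OWNER"

# Offline access of 7 days means the document must reach the service at least
# weekly to renew its use license; otherwise it stops opening until it does.
New-Label -Name "HighlyConfidential-Compensation" `
    -DisplayName "Highly Confidential" `
    -Tooltip "Compensation and HR records. Only partners and finance officers can open this." `
    -EncryptionEnabled $true `
    -EncryptionProtectionType Template `
    -EncryptionRightsDefinitions $rights `
    -EncryptionOfflineAccessDays 7 `
    -EncryptionContentExpiredOnDateInDaysOrNever Never

# Publish the label so it appears in Word, Excel, PowerPoint and Outlook for all users.
New-LabelPolicy -Name "Corporate sensitivity labels" `
    -Labels "HighlyConfidential-Compensation" `
    -ExchangeLocation All

# Check what the label actually enforces.
Get-Label -Identity "HighlyConfidential-Compensation" |
    Format-List DisplayName, EncryptionEnabled, EncryptionRightsDefinitions, EncryptionOfflineAccessDays
```

Because the protection is encryption applied to the file, copying it to a USB drive or a personal Dropbox changes nothing: whoever opens it still has to authenticate to Azure Active Directory and be on the rights list to receive a key.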

Microsoft Cloud App Security - Insider Threat Protection

Now, what if there was a way for Microsoft 365 to learn when unusual, spooky, things are going on with your data by legitimate users? Users that legitimately have access.

Right now with your legacy file server setup, once someone has access to the sales folder, there is NOTHING to stop them from copying the whole folder to their computer before they leave the company.

With Microsoft Cloud App Security, Microsoft 365 uses machine learning to build a baseline of user behavior with your data, and if it sees someone doing suspicious things like huge copies, deletions or external sharing, we can disconnect the user and send them an email about why they were booted out AND an email to the network administrator...that should scare them. We can also simply warn the person that their actions are being logged. Hey, sometimes people do make innocent mistakes and we just need to guide them a little to avoid an embarrassing situation for the company, and a job-ending mistake for them.

Microsoft Defender Advanced Threat Protection

Now, what if there was a way for Microsoft 365 to create a baseline of how apps behave on our company computers? Wouldn't you like to know if some zero-day malware was doing concerning things like moving from computer to computer across your network, or trying to hook itself into Outlook, Teams or the operating system itself? This is what Microsoft Defender Advanced Threat Protection (ATP) does for us. Just like Azure Identity Protection and Cloud App Security use machine learning to monitor, manage and ADDRESS threats, here machine learning is used to monitor how processes behave on your computers, and if it sees something spooky we can configure the system to fire off an alert or even isolate the computer from the network.

Microsoft 365 Safe Links and Safe Attachments

Inside Microsoft 365's email service, Exchange Online, you get good reliable malware and spam scanning. But you have something available to you that is so much more powerful: Safe Links and Safe Attachments.

If you enable Safe Links and Safe Attachments, you have greatly increased the security and stability of your company's IT.

With Safe Links, any link inside any email is rewritten to a "proxy" link. The email looks exactly the same, but if you hover over the link you'll see it now points at a safelinks.protection.outlook.com address that carries the original link inside it. Nothing is decided when the email arrives; ONLY when you actually click does the security service kick in, checking the destination at that moment against Microsoft's list of known malicious sites. That time-of-click check matters because phishing sites are often stood up after the email has already been delivered. If the link looks like it is from your bank but the destination is known to be malicious, the click is blocked and your identity...and data...remain safe.

With Safe Attachments, all email attachments—even the ones that passed through the malware filter and spam filter—are pulled aside into a virtual container. Inside the virtual container they are "detonated"—essentially replicating a user double-clicking on the attachment, and if the attachment tries to do things like install itself in Outlook, Teams or the operating system in a concerning way—or anything that looks suspicious—the attachment will not be allowed through and the user will get a message indicating what happened. Again, all of this took place even after the attachment passed through antivirus and spam scanning.
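Enabling the two protections above through Exchange Online PowerShell, and checking where a rewritten link really points (what the "hover" in the text reveals), looks like this. This is an added example, not code from the original page or from Xerillion; it assumes a Microsoft Defender for Office 365 license, and the domain and the sample rewritten URL are placeholders constructed for the example.

```powershell
# Added example: Safe Links and Safe Attachments policies via Exchange Online
# PowerShell, plus a helper that extracts the real destination from a rewritten link.
# Placeholders (assumptions): the recipient domain and the constructed sample URL.
Connect-ExchangeOnline

$domain = "contoso.com"

# Safe Links: rewrite URLs in mail, Teams and Office clients and verify them at click time.
# AllowClickThrough $false means users cannot click past the warning to a blocked site;
# TrackClicks $true records who clicked what, which matters during incident response.
New-SafeLinksPolicy -Name "SafeLinks - All users" `
    -EnableSafeLinksForEmail $true -EnableSafeLinksForTeams $true -EnableSafeLinksForOffice $true `
    -ScanUrls $true -DeliverMessageAfterScan $true `
    -AllowClickThrough $false -TrackClicks $true
New-SafeLinksRule -Name "SafeLinks - All users" -SafeLinksPolicy "SafeLinks - All users" -RecipientDomainIs $domain

# Safe Attachments: detonate attachments in a sandbox; a malicious verdict blocks the message.
New-SafeAttachmentPolicy -Name "SafeAttachments - All users" -Enable $true -Action Block -Redirect $false
New-SafeAttachmentRule -Name "SafeAttachments - All users" -SafeAttachmentPolicy "SafeAttachments - All users" -RecipientDomainIs $domain

# Check what is in force.
Get-SafeLinksPolicy      | Format-List Name, EnableSafeLinksForEmail, ScanUrls, AllowClickThrough, TrackClicks
Get-SafeAttachmentPolicy | Format-List Name, Enable, Action

# What the user sees on hover is the rewritten link; the real target travels in
# its "url" query parameter. Useful when a user forwards you a suspicious mail.
function Get-SafeLinksTarget {
    param([string]$RewrittenUrl)
    $u = [uri]$RewrittenUrl
    if ($u.Host -notlike "*.safelinks.protection.outlook.com") { return $RewrittenUrl }   # not rewritten
    if ($u.Query -match '(?:\?|&)url=([^&]+)') { return [uri]::UnescapeDataString($matches[1]) }
    return $RewrittenUrl
}

# Constructed sample of a rewritten link (the host prefix and data blob vary per tenant).
Get-SafeLinksTarget "https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fexample.com%2Flogin&data=05%7Csample"
# -> https://example.com/login
```

Links to your own internal web apps can be exempted with `-DoNotRewriteUrls` on the policy; everything else should stay rewritten, since the value of Safe Links is the check at the moment of the click, not at the moment of delivery.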

Microsoft 365 Business Premium

So, if you want to get a good basic security system in place, then your starting point is putting each user on a subscription of Microsoft 365 Business Premium. In addition to cloud services for email, corporate chat, files and video conferencing, we also get Azure Active Directory Premium Plan 1 and Microsoft Intune. This is a solid foundation and available for up to 300 users. After 300 users, we have to use Microsoft 365 E3.

Microsoft 365 Identity and Threat Protection Bundle Add-On

If you REALLY want to set your business up for success and get your security right from the start, I HIGHLY recommend the Microsoft 365 Identity and Threat Protection Bundle add-on to your Microsoft 365 Business Premium subscription, or your Microsoft 365 E3 subscription. This add-on takes all the advanced security pieces of Microsoft's top cloud services subscription, Microsoft 365 E5, and allows us to bring those advanced security services into a Microsoft 365 Business Premium or Microsoft 365 E3 subscription. You get the 3 big ones: Microsoft Cloud App Security, Microsoft Defender Advanced Threat Protection, and Azure Active Directory Premium Plan 2 (Identity Protection). These 3 services use machine learning to set a baseline of behavior for sign-ins, applications on your computers, and user behavior with your data, so they can spot a compromised identity, malware on an endpoint, or an insider threat. It is a $12/user/month add-on and well worth it.

Firewalls

We are getting to the end here, but let’s talk firewalls.

A firewall is an important part of IT security and network performance, but I'm afraid it is becoming less and less relevant over time. The days where everyone is in the office all day long, sitting behind the protection of a firewall, are gone, or going fast. People are either traveling more, outside of the company firewall's control, or working from home more – also outside of the control of the company firewall. And, as more and more IT moves from behind the firewall up into the cloud, it is easy to start wondering how much the firewall is really adding to security. Your IT guy might enjoy having it, but if 20-30% of your staff is hardly in the office, and your data and apps are in the cloud, that firewall isn't doing much for you.

A better focus will be on managing the individual devices, configuring them in a way to reduce leakage or shadow copies of company data, and reduce exposure to malware at the endpoint.

Training

Don’t forget the security training…please.

All of your users need to be aware of what a scam email looks like and aware of simple ways to keep themselves from being the victim of an attack.

Having all this low-cost, sophisticated technology can only do so much for you; simple, ongoing, short video-based training goes a long way toward keeping your users up to speed on IT security.

At Xerillion, we have a video-based training system we provide for our clients that covers all the technology in the Office 365 product family; this is a very easy way to get up to speed fast on things like Outlook, Word, Excel, PowerPoint, Windows and Office 365. The videos are 1 to 4 minutes long, easy to work through when you get to them, with quizzes along the way. One important skill path in the training platform is on security; it is excellent and makes the users very aware of what to look out for. Security training should be a part of every user's onboarding training for your company.

Working from Home – Where Traditional IT Management Breaks Down

Giving your employees the ability to work from home is a big morale booster – though it is up to you to do it right and ensure your staff can operate just as productively as if they were at the office. If you have an IT company that knows how to properly implement Microsoft 365 and its associated security technologies, you'll find you have employees getting more done, more efficiently, and HAPPIER, because they can work just as easily from home as they do in the office – and you'll be comfortable that your data is secured, fully in your control, while you get kudos from your team for being a forward-thinking boss.

I know all of the above was a lot to go over. If it sounds about like where you want to be with your IT and you like Microsoft, then you'll like working with Xerillion, a Gold Tier 1 Microsoft cloud solution provider.

Let us help you get into the new world of modern IT security and management.


Wayne Chapin
President
Xerillion
847-995-9800

Where Xerillion really shines is their ability to custom tailor their services to client needs.

The single largest benefit to my company, since moving to Office 365, has been the reliable access to email. Prior to Xerillion migrating our email domain to Office 365, we experienced a lot of errors, bounced emails, and did not have the bandwidth to troubleshoot all of these issues. I no longer have to worry about whether or not my email will go down, and can instead focus on the strategic and operational aspects of my firm. Where Xerillion really shines is their ability to custom tailor their services to client needs. Xerillion is nimble and responsive due to their size and expertise in Microsoft solutions.

Jayson Chitwood, Principal
vytl LLC

We continue to be impressed with the resourcefulness and responsiveness of Xerillion's team.

The install of Office 365 was seamless and went without a hitch. The conversion was done in a timely manner and we did not experience any disruptions, which was an extremely important element of the project. One of the greatest benefits, is for those of us that access our emails remotely with laptops- it became as seamless as using our cellphones. Xerillion's breadth of technical resources, is extremely refreshing, as they are able to handle IT issues immediately. All in all, we are all very pleased with the decision we have made to outsource our IT support to Xerillion, and we continue to be impressed with the resourcefulness and responsiveness of their technicians.

Anton Gfesser, President
Trendler

Radco recently migrated to Office 365 with Xerillion's guidance. Office 365 was a strategic move & has been a stable solution.

Xerillion's responsiveness to our IT issues is unparalleled. They take the time to actually listen to the issue we are experiencing, and then put together a strategic plan to remedy the situation, all within a quick turnaround. Recently, Radco migrated to Office 365 with Xerillion's guidance. Office 365 has been a stable solution comparative to our previous issues with emails not being received by the recipients. Moreover, if it's a simple help desk question, you help us out right away. This has been very helpful to several of our employees who need to get moving or printing right away. Everything from contacting your support desk to the planning of our IT infrastructure is handled in a professional manner. If someone is on the fence about choosing Xerillion as their IT firm, I would say you have nothing to lose, Xerillion's IT support is superior and they stand behind their 100% satisfaction guarantee.

Liz Allen, Radco

Quick response time & peace of mind with Office 365.

Xerillion's IT support staff have been first rate in being available, answering questions, and keeping the IT aspect of our small practice operational in a cost effective manner. With Xerillion's advice and guidance, the changeover to Office 365 has been sound. Having our applications in the cloud with the intrinsic abilities of cloud based applications and data to be protected, backed up, stored, and updated. At my stage the benefits are "peace of mind" elements. Probably akin to preventative healthcare steps. Xerillion's support and Office 365 has enabled me to operate my practice one more year and that's had some benefits for me as well as a number of patients who were grateful that were still able to receive benefits of my expertise. Thank you Xerillion!

David Loiterman, MD, Practice Owner