IAPP CIPT – How Technology can help in achieving GDPR compliance Part 2

3. Privileged Identity Management demo (PIM)

Hi guys. In this lesson, we’ll discuss about Privilege Identity management. Asia active directory. Privilege Identity Management allows you to manage, control, and monitor access within your organization. This includes access to resources in Asia Active Directory or all Asia resources that you may see over here. So your company receives access to this cloud portal, Asia. And based on the roles you configure, you are sign different roles to different user groups.

And all these roles will have different accesses to a lot of features that you see over here, right? App services, function apps, the security part in Asia, the monitoring part in Asia, and so on and so forth. So organizations want to minimize the number of people who have access to secure information or resources because that reduces the chance of a malicious user getting that access or an authorized user inadvertently impact a sensitive resource. Organizations can give users privileged access to these resources.

For example, right now in Asia, like subscriptions or Azure Active Directory, and there is a need for oversight for what those users are doing with their admin privileges. So Azure Ad PIM helps to mitigate the risk of excessive and unnecessary access rights, what we practically are allowed to do. So if you go here into Azure Ad Directory roles, so you can see the list of roles that you can configure for this organization tenant, right? See all the roles here, like user admin, global Admin, security Administrator, privileged Role Administrator, and so on and so forth. So let’s click on Global Administrator. What this tool will allow to do. Practically, they created a concept called Eligible admin. Eligible admin means that specific user will need the privileged access only in a specific period of time.

And let’s say just for 24 hours. Let’s say you are a user from HR or from Finance Department, and you need privileged access to do some actions once a quarter, or once a year, or once in six months, or once a month. Then you don’t need to have the user assigned to a role that has full privileged admin access. Then you can be considered an eligible admin and you will receive the administrative privilege rights when you requested for the specified period amount. Right? Now, Global Administrator, if you enable this, the maximum activation duration, let’s say a user can request Global Administrator eligible admin access for a maximum of 24 hours. So the user enters into the portal, will see a button, request my privileged admin, clicks on it, and then we’ll have a workflow.

So if you do not configure here, require approval, then when the user requests it, it will be granted for this number of hours. If you select Enable Approval, then you need to specify a user who will be the approver for that request, right? So let’s put a user over here. I want Megan to be the approval for this request. I can enable admin notifications for that. So the admin user will receive a notification when this was requested and approved, and you just click save for that. What does it mean is when somebody will request Global Administrator, he can request it for 24 hours, right? So let’s go back right now. And you see here in my roles, you see all the roles over here that are right now permanently assigned as privileged Admin. So security Administrator, Global Administrator and Privileged Role Administrator. These are roles with permanently assigned, right? And these are eligible role assignments that are not. There is no assignment, so there is no user who requested to become an eligible bin right now in this moment.

So here, these are the requests that are pending denied and all the requests that were created for this organization, what was approved right now. And here you can review the access for everything that is in the online Services roles. So if you go sorry, if you go to the user side. So you can assign right now, let’s add a user and you can assign a specific user to be Global Administrator. Right now we configured the Global Administrator role we just selected. Let’s select the user, select the same Megan that we did before, and then we click OK. And right now, as you may see, let’s see where Magnes? One SEC. Now the second frame. So right now you see Megan Bone here. It’s been assigned the Global Administrator role as permanent. But this is not something that we want.

We want her to be just eligible. So right now, when you click make eligible, you practically assign the eligible role to Megan. So Megan Bone is not a permanent Global Administrator, but she may receive Global Administrator access for 24 hours when he accesses that request. Well, it’s a mistake over here that I’ve done because I put it for the Global Admin role. I’ve added also Megan as a reviewer, but you got the point. So what I’m doing right now is I’m limiting the amount of permanent assigned roles that have privileged access. And I’m making them eligible because they just need this privileged access for a shorter period of time, once a quarter, once a year, once a month.

4. Mobile Productivity policies demo (Intune)

Hi guys. In this lesson we’ll discuss about mobile productivity and how we can secure data in mobile devices. So every company gives employees a consistent experience, no matter what device they use or they want to do that, how often they use it, or what platform it runs on. Before they can allow a device to access corporate resources, sources such as email or SharePoint or Skype, they need to make sure that the device and its apps are up to date with the latest version of the OS and any security updates. Work data on the device is secured through encryption and information protection technology. The identity of the person using the device is verified through multifactor authentication. Let’s say at minimum healthy devices are encrypted, malware free, updated to the latest operating system, running the latest apps, and are not jailbroken or rooted.

So there is a requirement of any device that is used for work to be enrolled in sort of a mobile device management platform. So, as an example, I’ve chosen Microsoft Intune just because it’s part of the same Azure Portal that I’ve already demonstrated some features on. Let’s go here and search for the inch blade. So Intune can be managed from the same portal as any other feature and we will see how convenient is that, because also that conditional access can be integrated with Azure Active Directory. So Asia Active Directory and Indian will share the same conditional access policies in terms of device management. And you can manage practically for your organization or for your client with such a tool. You can manage any type of device.

Either it’s Android, it’s iOS, it’s Windows Phone, it’s Windows Ten, or it’s a Mac OS device. It can be managed through the mobile device management platform. There are two ways users can enroll a device. For example, Windows Ten users can join their device to Asia Active Directory through Workplace Join, which enrolls a device for Intune management and creates a profile that includes enforced policies and configurations. Mobile device users simply need to install the Intune company portal from their platforms, App Store and sign in to begin enrollment. This is quite simple procedure and I would say it’s similar to any other mobile device management solution you may choose. This is how Microsoft Intune looks like and all the features that you have access to when starting this blade, whether they are related to encryption, passwords security, email management or other fundamental issues. Policies are the security cornerstones of every environment. So you may see here that we have a lot of policies, device compliance, device configurations, you will see mobile apps and we’ll have policies under this, but we’ll look immediately. So using policies for conditional access, for example, helps us improve the precision of access and protection.

Policy enforcement during enrollment helps ensure that users access corporate resources from healthy devices using multifactor authentication. And for example, they are required for email provisioning on managed personal devices to enforce a six key policy. So let’s take a look at how Microsoft Intune looks like over here. So we have device enrollment and you may see different areas. Right now my demo environment is not filled in, it will show up in a minute. You’ll have different options for Apple enrollment, android for work enrollment, Windows enrollment. So every device may have a different enrollment option. In terms of Apple enrollment, you will see that we can push the Apple MDM certificate and this is a need the system requires practically to push the Apple MDM certificate. There is an enrollment program for Apple that is created by Apple and is integrated into practically all MDM solutions. And you can, by using the same certificate, push a profile to your Apple device. So different areas for Android for work, different areas for Windows enrollment. I would say these are enrollment options suitable for bulk enrollment.

So. A company that has plenty of devices that wants to enroll them in an easy and not so time consuming way. If you give the device to the user, you may ask him to download the company portal and when the user downloads, the company portal logs in, he will automatically receive the profile and the device will be automatically enrolled in Intune and managed by Intune. And it’s the same for other MDM solution also. And then the device becomes enrolled. What does it mean? It means practically there is a separation between the personal part personal applications, personal data and the business part, business data and business applications. There may be different profiles in the same application for business and for personal. For example, a user may have a business account for Dropbox, but it also has personal account for the same application. So there should be a separation between these two. The difference in Intune, usually all the MDM solutions have this sort of containers. So separation of personal and business data, intune is a bit different.

It has that separation also at the application level. So there is a container per application. Every application may have personal or business data. The good thing in that architecture is that you may use the application policies or you may protect the business data inside an application, either the device is enrolled or not. So if the device is not enrolled, but they want to use with that device business applications, you can enforce a policy at the application level with other MDM tools. If the device is not enrolled, practically you’re not allowed, let’s say, to create that container between the personal and the business data. So this is something good for income and for sure the integration with other micro products like Office 365, like Azure Ad. There are really places for this solution. If you go for and right now, sorry for that, I would say there are two important things.

So after the enrollment, so the device is enrolled or not enrolled, different ways to enroll the device what happens if the device is enrolled or not enrolled. There are two areas you will configure policies, a device compliance policy. So different features you want to enforce at the device level, different things you want to check out before giving access to business data for that device. And then application level policy, the one that I already discussed you about. So practically, before letting the user access the business part of an application or the application with a business account, I want to ensure that there is a profile associated with that application. Either the device is enrolled or not enrolled.

So if I go to device compliance over here, I may see different reports that right now are not filled for my demo environment. Device compliance monitoring reports, devices without compliance algorithms, what policies are enforced and what devices are maps to which policies and so on and so forth. But it’s also a policy area. So here I have one policy configured, but you can create plenty of policies and as you may see, this policy is created for iOS devices. Let’s open it and see what we can change and what you can create inside a policy. So, overview, right? So in the properties there is a name for sure description and the platform I have selected iOS. Let’s see, what about the settings? I have four settings email, device health properties and system security.

So in terms of email, there is require mobile devices to have a managed email profile. I can enforce that or not regarding device hold, I don’t want to allow access to jailbroken devices. So that’s why I have block over here and require the device to be or under a device threat level right now. Usually this is done with an integration with a malware assigned or risk assigned tool. Another discussion for that device properties, that’s a minimum operating and a maximum operating system version that I want to allow for the device. And in terms of system security here I have eight options. It’s more or less regarding the password, so require password to unlock mobile device, do not allow simple password, set up a password, plan a password type, expiration date, previous password to prevent reuses and so on and so forth. So these are areas I can configure here under the settings. So these are configurations per device level. So things that I can say if the device is not following this policy and this trend that I want to set up with my organization, then you will not receive access to the business data and for sure I have actions for noncompliance.

So what happens if the device is noncompliant? So I usually I send a message and I say look, you are noncompliant, you have to do that and that in order to become compliant. Otherwise you don’t receive access to your business data, it’s clear. And then assignment. Assignment means I assign this policy to a group of users which, what do you think are part of Asia Active Directory. So a user from the Active Directory comes with a device and wants to access business incorporated data and then depending who is that user, there is a policy assigned to it and there are some specific settings he needs to aware to if he wants to access the data, right? And this is how the system works. Let’s go back right now a bit into the notifications. Practically I configured templates for non compliance and what happens and what do I want to send to the user if he is non compliant. If I go right now to the devices, I can see all the devices enrolled, but right now I don’t have anything the platforms, different areas per device level. If I go to device configuration, there are some profiles I can push to different devices and I can specify some restrictions. Let’s say so iOS device restriction to block game center for example.

It’s one of these and it’s a policy that again has assignments on users and platforms and let’s go for the properties and see what we can configure. So here there are plenty of other things that I can block or allow regarding wireless connected devices. Let’s go for general right now. So here I can block screen capture, I can use different certificates, wallpaper modification, activation lock, a lot, a lot of things that go deeper, deeper at the device level that I can block for the iOS, these are specifically for iOS. If I go to the password, let’s say something similar to what we’ve seen till now, but I can, let’s say use or force the fingerprint panel or fingerprint modification. In terms of building apps, I can block the camera or FaceTime or Siri or different applications from here that practically are built in for the device by Apple. I can restrict some applications that I define by URL or I define with a bundle ID from Apple Store. In terms of wireless, I can allow the device to do different things data roaming, personal hotspot block, cellular data and a lot of details that I go granular connected devices. I can block the AirDrop or the Apple Watch pairing or the Bluetooth modification or different areas here. Regarding Domains Safari just cloud and storage, for example, it’s important because I want or not to allow the device to synchronize with icloud. Let’s say.

So different things that I can go granularly and allow and block at the mobile device level. Let’s go back right now and go for mobile apps. And right now I can create application protection policies that will tell me what to do and what to enforce per application when the device is or is enrolled or not enrolled and the device has a specific operating system. So right now I don’t have let me go. So this is the policy, let’s go to the policy settings. So again, I can require a Pin access to access this application. This application is called Data Leak Prevention Policy, right? And I can assign it to a group of users. I can say which targeted apps should follow this policy.

So it can be only one app, but it can be a group of apps like here. So I have PowerPoint, I have Excel, Word and all this, and I can click more apps and I can add the link 1 second and more apps. Oh, it’s over here, sorry for that. So I need to write the bundle ID, which I can find in the interim portal for this application. I can add it over here and specify it. And if I go back to the policy settings, right, I can prevent save us, cut, copy and paste between different tasks that I do not consider business related.

So if there were user ones from the world that has a business account to copy and paste things to a notepad, let’s say that I can block, that I can encrypt data, I can disable, printing contact things, require Pin access, corporate credentials for access, minimum Os’and, all this. So different things, again, really granular and in detail that I can configure for all the mobile devices that I want to give access to my corporate data. And by mobile device I mean also laptops, they can be considered mobile devices so forth, running Windows Ten or Mac OS. So this is angel mobile device management platform, but the same features can be configured with plenty of others or competitive solutions from other vendors. And there are the same restrictions, the same granular activities that you can go into force for the mobile devices.

• Category: Uncategorized