Microsoft recently made an announcement about several name changes and additions around their mobility platform. The high-level change is that the bundle of tools that was called Enterprise Mobility Suite (EMS) is now Enterprise Mobility + Security (also EMS). If you’re already familiar with the old suite of tools—Intune, Azure AD Premium, Azure Rights Management, and Advanced Threat Analytics—you already know that EMS has had a large security focus, but with the new name Microsoft has added even more focus on their user-centric security.
Shifting Focus from Devices to Users
For the past five to ten years, Microsoft (and many other technology providers) has been shifting from a device-centric model of IT to a user-centric model. While this change has been driven by the technological evolutions of the past decade (smartphones, cloud solutions, bring your own device, etc.), a key challenge for businesses has been allowing users to leverage the productivity gains from these innovations while maintaining security for corporate users, their devices, and corporate data. The simple idea that all the access and security control you need is the corporate file, email, and BES server behind a firewall with a VPN (and a locked physical door) has disappeared with the modern mobile era.
While the firewall still plays an important part in corporate security infrastructure, it needs new tools to allow users to be productive in a mobile world. Users are now working from multiple devices, some that are corporate owned and some that are owned by the employee. They are logging into SaaS apps that maintain independent identities for access control. And they are sharing data between the corporate environment, SaaS solutions, partners, and—all too often—personal cloud storage accounts. This has shifted the conversation from how to protect corporate physical infrastructure to how to protect corporate information and data wherever it is.
This is where the myriad mobility solutions have come in to try to fill the gap. Most of these solutions work on the principle of “containerization,” where all corporate data exists inside a container on a mobile device (or any device not controlled by the business). The primary complaint about most of these containers is that they force users to use custom apps inside the container to access their email, web browser, etc. Microsoft has taken a different route to controlling data, using controls built into the Microsoft Office apps and controls wrapped around other standard apps and/or custom line of business apps. Microsoft’s biggest advantage is that its suite of tools, from the Office suite to Exchange to Active Directory, is familiar to both end users and IT, and all of the functionality for EMS integrates directly with these existing tools.
The existing EMS tool set will be available as EMS E3 going forward so all current EMS customers won’t see any change in functionality with the name change. There is one name change inside the EMS suite—Azure Rights Management Service (RMS) will become Azure Information Protection (Azure IP). The new features and tools—Azure IP P2, Azure AD Premium P2, and Microsoft Cloud App Security—will be bundled with the existing tool set as EMS E5. Currently Azure AD Premium P2 and Azure IP Premium are in public preview and should be generally available later this year.
Figure 1 – Microsoft graphic for the new EMS suites
The new Azure IP Premium P2 brings some of the most exciting enhancements to the suite, most of which come from the integration of the Secure Islands acquisition at the end of 2015. Since its inception, RMS has been able to protect data at the document level, so long as the user took the time to protect the document or an administrator took the time to set up a file classification server to automatically label documents based on general classification rules. Azure Information Protection will give users the ability to provide input on how a document they are working on should be labeled, with the ability for administrators to offer helpful suggestions to users.
For example, an administrator can create a credit card label that uses a basic regular expression rule to detect potential credit card information in a document. When the user saves the document, the credit card label will be suggested to the user, but the admin can give the user the ability to override the suggestion if they know the match is a false positive according to the classification rule.
The administrator can also force the user to provide some label so that all documents have some classification even if that classification doesn’t currently enforce any Azure IP restrictions. It should also be noted that these tools are available in Outlook for email and attachments. There are too many possible configuration combinations and use cases for Azure IP for one blog post. The underlying message is that administrators can set classification and protection guides that will accommodate many different needs, while getting end users’ help in applying those guides to their documents on an individual level.
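The save-time flow described above, modelled as an added example (not Microsoft's code or the post's): a constructed regex rule suggests a "Credit Card" label, a Luhn checksum separates real-looking card numbers from arbitrary digit runs so false positives are visible, and two policy flags stand in for the administrator's "allow override" and "mandatory label" settings. All names, the regex, and the policy shape are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed "basic" rule in the spirit of the post's credit card label:
# 13 to 16 digits, optionally separated by spaces or hyphens. Not Microsoft's rule.
CARD_RULE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")
CARD_LABEL = "Credit Card"  # hypothetical label name


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 checksum; cuts down false positives from arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_matches(text: str) -> List[Tuple[str, bool]]:
    """Return (digit string, luhn_ok) for every regex hit in the document text."""
    hits = []
    for m in CARD_RULE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        hits.append((digits, luhn_valid(digits)))
    return hits


@dataclass(frozen=True)
class LabelPolicy:
    mandatory: bool = True        # every saved document must carry some label
    allow_override: bool = True   # user may reject a suggested label


def label_on_save(text: str, chosen: Optional[str], policy: LabelPolicy) -> Optional[str]:
    """Decide which label is applied when the document is saved.

    Returns the label, or None when no label is required and none was chosen.
    Raises PermissionError when the policy blocks the save.
    """
    suggested = CARD_LABEL if find_card_matches(text) else None
    if chosen is None:
        if suggested:
            return suggested  # user accepted the suggested label
        if policy.mandatory:
            raise PermissionError("policy requires a classification label")
        return None
    if suggested and chosen != suggested and not policy.allow_override:
        raise PermissionError(f"'{suggested}' label is enforced by policy")
    return chosen
```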
Balancing Users’ Needs & Security
The new mobile security landscape can be daunting as businesses work to address users’ needs while maintaining a secure environment. Microsoft’s integrated suite of tools can help to achieve these goals if implemented properly. Is your business dealing with the mobile security problem? Are you already licensed for EMS but don’t know how best to implement it to meet your business needs? Do you just have questions about the options available for mobile security? Credera has helped businesses to implement a mobile security strategy including the implementation of EMS and would be happy to help. Contact us at firstname.lastname@example.org.