Leading regulator ensures security and compliance with Microsoft 365 SCP
The UK’s largest communications regulator, provide oversight of broadband, home and mobile phones, television, radio and the postal service. This includes radio spectrum, privacy and fraud protection, content standards, competition, advice, and complaint departments.
Beyond the normal security measures that a government body must consider, the regulator also manages spectrum auctions (which can involve very large financial transactions) and works with critical national infrastructure.
The unique nature of their work adds weight to security provisions, which was reflected in their purchase of the new Microsoft 365 Security and Compliance Package (SCP), which adds the E5 security capabilities on top of Microsoft 365 E3.
Extending existing capabilities with Microsoft 365 SCP investment
When the SCP was purchased, the organisation had an existing deployment of Intune, Advanced Threat Analytics (ATA) and Azure MFA, having already consolidated many investments with Microsoft. Content and Code were engaged to uplift these foundations to the next level of security maturity, taking full advantage of the newly-purchased capabilities, including Azure AD Conditional Access, Azure Information Protection (AIP), Office 365 Advanced Data Governance (ADG), Office 365 Data Loss Prevention (DLP), Hybrid Azure AD Join, Microsoft Cloud App Security (MCAS) and Azure ATP (AATP).
The conceptual, design and implementation activities delivered by the Content and Code Technology Enablement architects and consultants were selected from our catalogue of standard, repeatable, and constantly evolving services, which have been steadily growing over the first five years of EMS.
The initial service-level designs lay the groundwork for deeper policy creation, as best seen in MCAS, where the M365 security services come together as a whole.
For instance, an Azure AD Conditional Access Policy is triggered for home workers on their own devices (these machines are inherently untrusted). This first requires Multi-Factor Authentication (MFA), then routes these requests via the MCAS Proxy, for more granular Session Policy processing, such as blocking download or applying Rights Management protections via Azure Information Protection integration.
Enhancing security, enabling mobility, extending usability
The combined designs have taken the regulator to a position which enhances security while enabling mobility.
Data Loss risks are mitigated through a coherent access control design, which accommodates high-trust access from Hybrid Azure AD Joined devices on the corporate network, or Intune MDM-managed corporate mobile devices, down to low-trust home working and BYOD scenarios via Intune MAM and the MCAS Proxy.
Conditional Access ties this all together; it is the new control plane.
Additional layers of threat protection added by AIP
Once a user has gained the right level of access, all sensitive content benefits from additional protections provided by AIP (such as encryption, and restricting actions that can intentionally or inadvertently leak the information, like copy/paste or printing).
Ensuring GDPR compliance with data loss protection controls
The Microsoft DLP technologies also prevent unacceptable egress of this information from the Office 365 services and beyond, helping the organisation meet their GDPR compliance obligations and safeguard secrets.
Keeping corporate and personal data separate with Intune
The trusted MAM apps also prevent the transfer of information from the corporate to the personal partition of a user’s personal device. Admins now have the control to provide a seamless and secure Office experience, without compromising on end-user productivity. Granular data controls within Office apps can be enabled and enhanced conditional access policies for SharePoint, Skype and Exchange can be enforced with relative ease.
Protecting cloud apps with AIP labelling
Finally, the aforementioned MCAS Session Proxy policies can target specific controls at an AIP Label, for instance blocking download of secret information, or allowing download, but with the Rights Management protections of an AIP Label designed for this low-trust scenario.
Security is a defence-in-depth problem space, and Microsoft 365 E5 security features offer solutions in the most important layers.
Transitioning from ATA to Azure ATP
On their premises, the existing ATA deployment will transition to Azure ATP, taking advantage of evergreen releases, new threat detections, and emerging integrations with the rest of the M365 security stack.
This will come with a simplified deployment model, removing some of the port mirroring complexities that were originally necessary with ATA, and removing bulky ATA Gateway and ATA Center servers.
This programme of work has helped improve their security and compliance posture by:
- Enabling a mixture of BYOD and corporate-managed mobile devices with Intune MAM and MDM.
- Enabling secure Windows home working with the MCAS session proxy.
- Classifying and labelling sensitive information with AIP, as a trigger for Rights Management protection, helping to meet GDPR compliance objectives.
- Preventing egress of personally-identifiable information (PII) with Exchange Online DLP, Office 365 DLP and MCAS policy, helping to meet GDPR compliance objectives.
- Simplifying management of on-premises threat detection and gaining access to the most current threat protections, by moving from ATA to Azure ATP.
- Unifying access control by bring MFA, mobility management and CASB technologies together in a single control plane, with Azure AD Conditional Access.
This approach is becoming a common model (with subtle variations) among the Content and Code E5 security clients. Our standard offerings are modular, allowing an organisation to focus effort in stages, or to gradually phase out incumbent technologies.
Displacing incumbent technologies with Microsoft 365
In the past year we have helped organisations consolidate their Microsoft technology investments by displacing or co-existing with third-parties such as Good Technology, Mimecast, MobileIron, AirWatch, Boldon James and TITUS.
By standardising our offerings, we have been able to rapidly expand our technical skill by upskilling internally, rather than relying on a small market of specialists. We also continually re-invest in these services by bringing the content current each time it is delivered, keeping our advice as evergreen as the technologies it supports.
Regulators need to be secure and complaint – Microsoft 365 SCP helps avoid hypocrisy.
As a regulator, they are in the interesting position of establishing compliance requirements, rather than being purely focused on adhering to them. Nevertheless, they set themselves a standard of living up to the standards they require of others.
The M365 SCP and Content and Code’s advisory services have taken the organisation to a considered position they can defend to their peers, with the tools they need to effectively respond to modern threats, all while adapting to the changing ways of workings that today’s users demand.
Motor Giant's Production Line Rolls Faster with SharePoint Ensuring the NHS is equipped to weather the coronavirus storm remains a crucial part of the UK Government’s strategy, including meeting its critical need for ventilators. Having been called upon by Microsoft...read more
The ‘Power Platform’ is a collective term for three Microsoft products: Power BI, Power Apps and Power Automate. These three products provide businesses with the ability to easily surface, manipulate, automate and analyse data in conjunction with using Office 365 and...read more
Modernising Desktop Management - Microsoft 365 Apps for enterprise In the second part of this series, I outlined how Windows 10 is different to its predecessors. It has introduced a new servicing model, along with a new deployment methodology, and even a new licensing...read more