VMWARE WORKSPACE ONE + MICROSOFT OFFICE 365 : ENABLING MORE SECURE COLLABORATION. A Solution for Balancing Productivity with Protection


WHITE PAPER, JULY 2016

Table of Contents

Introduction
The Evolution of Office and the New Security Challenges
Three Steps to Making Office 365 Secure with Workspace ONE
  Enable users with self-service
  Ensure access is restricted
  Protect company data
Consider Device Type and Usage
  Corporate-owned
  Personal/dual-persona
  Unmanaged
MetroBank Case Study
Conclusion

Introduction

As a cloud-based business services suite, Microsoft Office 365 provides organizations with access to web, mobile and desktop versions of the traditional Office tools (Microsoft Word, Excel, PowerPoint), cloud storage for enterprise file sharing (via OneDrive for Business), and hosted services for communication and social collaboration (e.g. Microsoft Exchange, SharePoint, Skype for Business). By making these services available across desktop, mobile and web platforms, Microsoft is seeing increased adoption from both consumers and businesses while expanding the possibilities for anytime-anywhere collaboration. The cloud service has been well received across large enterprises, with more than 70 percent of Fortune 500 companies having licensed Office 365 [1]. The service is also appealing to small and medium businesses that want to avoid the cost and complexity of maintaining on-premises IT infrastructure.

What's whetting the appetite? With Office 365, enterprises are reaping the rewards of the efficiency of cloud-based services and the freedom to focus on their business. For example, many organizations are realizing that managing an Exchange Server on-premises provides no significant benefit over hosting it in the cloud. By migrating to the cloud service, they can offset many of their capital expenses on infrastructure and software licenses by adopting a more predictable subscription model. Their IT staff can then be repurposed for more strategic tasks rather than run-of-the-mill maintenance. Users can also take advantage of Microsoft's native mobile apps, which further expands the potential for remote and traveling worker use cases within an organization. Further, with a subscription model, users always have access to the latest application versions, including new features and security fixes as soon as they are released.

Yet for all its promise of anytime-anywhere collaboration, Office 365 poses meaningful adoption and security challenges for the IT organization. If you're opening up access to business apps from the Internet, how do you keep the data within those apps and in corporate repositories secure and off limits to unauthorized users and non-compliant devices? How do you protect data if a device is lost or stolen? How do you make it possible for users to sign in automatically, and securely, using their corporate identity?

VMware Workspace ONE brings together the power of VMware AirWatch and VMware Identity Manager to accelerate and secure Office 365 deployments. In this white paper we'll explore how you can address the above challenges with Workspace ONE and enable the secure use of Office 365 across corporate-owned, personal and unmanaged devices.

[1] Microsoft, Office 365 Adoption Stats from Microsoft, June 2015; /06/17/offi -365-adoption-stats-from-microsoft/

VMWARE WORKSPACE ONE

Workspace ONE is the simple and secure enterprise platform that delivers and manages any app on any device by integrating identity, application and enterprise mobility management. The solution includes the Workspace ONE app catalog for unified app access, VMware Identity Manager, and VMware AirWatch enterprise mobility management.

The Evolution of Office and the New Security Challenges

For traditional on-premises services such as Exchange, SharePoint or Active Directory, users previously had to get through a firewall. Security was maintained by split-level network access control (NAC) or by implementing secured DMZ network zones, and access to these backend repositories was then granted through an email gateway. With the advent of Office in the cloud and the expectation of anytime-anywhere access, network security has become more complicated:

- Traditional access control mechanisms that depend on network and perimeter security models no longer apply to mobile and web apps.
- With users accessing the apps across desktop, web and mobile platforms, IT admins need to deal with and support a large number of Office 365 clients.
- Unlike their desktop equivalents, mobile Office apps require greater consideration for protecting company data on the device: for example, when the device is lost or stolen, when its security is compromised, or when an employee leaves the organization.
- As an increasing number of users bring their own devices, it becomes paramount to maintain a clear separation of personal and work data, and to control how and whether company data may be shared across apps.
- Finally, IT needs to deliver a unified experience across OS platforms, apps and app types:
  o Managing Office apps across personally owned, corporate-owned, corporate-shared mobile or cloud-domain-joined devices.
  o Managing Office apps on older on-premises desktop devices that are joined to the domain or connected to the corporate network.
  o Managing all other app investments, including native desktop and mobile, line of business (LOB) or internal, and SaaS or web apps.

Three Steps to Making Office 365 Secure with Workspace ONE

If your organization is considering Office 365, how can you best take advantage of its potential for anytime-anywhere collaboration while also maintaining secure access to and storage of corporate data? By supporting Office 365 with Workspace ONE, you can address security concerns in three steps:

1. Enable users with self-service access to apps and convenient single sign-on.
   - Support syncing of your existing on-premises directory services to ensure access to Office 365 is restricted to licensed users only.
   - Push Office 365 apps and configurations automatically, or deploy them on demand.
   - Set up users for single sign-on (SSO) access to the Office apps alongside all other enterprise app investments.
   - Support integration with existing or best-of-breed identity solutions your organization may already be using.

2. Ensure access is restricted to authorized users and compliant devices by implementing conditional access policies.
   - Restrict access to Office 365 applications and services based on whether the device meets the required level of management and company-recommended compliance criteria, such as device type, OS version and network location.
   - Provide the flexibility to require different claims rules (certificates, domain membership, VPN-based) for authentication, based on the device platform (mobile, desktop or web) and the app requesting access.

3. Protect company data on the device, in use and in transit by deploying containerization and data protection policies.
   - Whether it's a web app or a native app, the AirWatch device management and compliance policy engine helps you control which apps can access your data and how data is shared.
   - Leverage native platform controls to containerize apps, encrypt devices, set data loss prevention policies (open-in, cut/copy/paste, etc.), and restrict access to company data from untrusted apps.
   - Enable IT administrators as well as end users to selectively wipe all work data and apps from lost or stolen devices.
   - Protect data in transit with SSL encryption and per-app VPN for security-sensitive deployments.
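The conditional access logic of step 2, extended with the enrollment window and the unrecognized-browser case from the unmanaged-devices scenarios later in this paper, as an added example that is not VMware's or AirWatch's code. Platform names, minimum OS versions, claim names, the 14-day window and the sample devices are all assumed values constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional, Tuple

@dataclass(frozen=True)
class Device:
    platform: str                # "ios", "android" or "windows10" (assumed names)
    client: str                  # "native" app or "browser" session
    os_version: Tuple[int, ...]
    enrolled: bool               # under AirWatch device management
    compliant: bool              # last real-time compliance check passed
    first_seen: datetime         # first sign-in attempt; starts the enrollment window

@dataclass(frozen=True)
class Policy:
    min_os: Dict[str, Tuple[int, ...]]   # platform -> minimum OS version
    enrollment_window: timedelta         # grace period for unmanaged devices to enroll
    claim_for: Dict[str, str]            # platform -> claims rule required to authenticate

Decision = Tuple[bool, str, Optional[str]]   # (allowed, reason, required claim)

def evaluate(device: Device, policy: Policy, now: datetime) -> Decision:
    """Decide whether the device may reach Office 365 and which claim it must present."""
    min_os = policy.min_os.get(device.platform)
    if min_os is None:
        return False, "platform not permitted", None
    if device.os_version < min_os:
        return False, "OS version below minimum", None
    if not device.enrolled:
        # A browser on an unknown machine (the hotel-lobby PC) has no enrollment path.
        if device.client == "browser":
            return False, "unrecognized, unmanaged browser", None
        # Unmanaged native clients keep access only inside the enrollment window.
        if now - device.first_seen > policy.enrollment_window:
            return False, "enrollment window expired", None
        return True, "unmanaged, within enrollment window", policy.claim_for["unmanaged"]
    if not device.compliant:
        return False, "enrolled but non-compliant", None
    return True, "managed and compliant", policy.claim_for[device.platform]

# Constructed policy values; a real deployment configures these in the admin console.
POLICY = Policy(
    min_os={"ios": (9, 0), "android": (5, 0), "windows10": (10, 0)},
    enrollment_window=timedelta(days=14),
    claim_for={"ios": "certificate", "android": "certificate",
               "windows10": "domain-membership", "unmanaged": "credentials+pin"},
)
NOW = datetime(2016, 7, 1)   # fixed clock so the sample decisions are reproducible

def sample_decisions() -> Dict[str, Decision]:
    """Run the policy over constructed devices mirroring the scenarios in this paper."""
    day = timedelta(days=1)
    devices = {
        "corporate_laptop": Device("windows10", "native", (10, 0), True, True, NOW - 90 * day),
        "hotel_lobby_pc": Device("windows10", "browser", (10, 0), False, False, NOW),
        "new_byod_phone": Device("ios", "native", (9, 3), False, False, NOW - 3 * day),
        "late_byod_phone": Device("ios", "native", (9, 3), False, False, NOW - 30 * day),
        "old_android": Device("android", "native", (4, 4), True, True, NOW - 10 * day),
        "noncompliant_tablet": Device("windows10", "native", (10, 0), True, False, NOW - 10 * day),
    }
    return {name: evaluate(d, POLICY, NOW) for name, d in devices.items()}
```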

Consider Device Type and Usage

Each of the security measures just discussed varies in significance with the type of device you are protecting and how those devices are used. To explain what we mean, let's examine some use cases for each of the three principal types of devices: corporate-owned, personal (or shared), and unmanaged.

1. Corporate-owned devices

Scenario A: As a new employee at Acme, John is equipped with a smartphone and a laptop. When he boots up the laptop, which runs Windows 10, he finds it is already provisioned with Office 365 and set up for single sign-on (SSO) access to all the corporate applications. Since the laptop is enrolled under management, the device is checked in real time against Acme's compliance policies. When John opens Office 365 apps, he is automatically signed in. The same SSO experience extends to the Office 365 web apps, which he can launch from within the Workspace ONE app catalog alongside all other company web, SaaS, remote and desktop apps. Behind the scenes, the Workspace ONE identity module has provisioned a certificate for this Windows 10 device, and that certificate is used to authenticate the user into their applications.

Scenario B: Acme enforces compliance policies that automatically notify users and admins, and revoke access if users remain non-compliant. These automated escalations run without any IT involvement. The real-time compliance engine can also report when a required app is missing from a user's device; when it is, the engine notifies John and his peers so they are aware of the Office apps available to them. In this way Acme increases company-wide adoption of its software investments.

Scenario C: Later, while traveling, John loses his smartphone. Fortunately, he can open the AirWatch Self-Service Portal for end users on his laptop and issue a remote wipe command. The work account and apps are removed from the device, and the device is unenrolled and made safe from unauthorized access.

In the corporate-owned scenarios above, John's experience is rooted in the following Workspace ONE capabilities:
- Install applications and push them automatically for an out-of-the-box enrollment experience
- Provide SSO access and a unified app catalog for all work apps
- Enforce conditional access policies for all work apps, including Office 365 apps
- Encrypt data at rest and in transit
- Wipe devices and de-provision accounts to protect sensitive information if devices are lost or stolen, or if users leave the company

EACH OS IS DIFFERENT

Regardless of the operating system of the devices you need to manage, Workspace ONE enforces containerization of Office 365 apps to prevent data loss across all platforms.

Apple iOS: Only trusted work apps get permission to access work resources; personal apps do not. With AirWatch, you can enact policies such as requiring passcodes and encryption, preventing saving to personal data shares, and remotely wiping devices.

Android: Work apps sit in a container, allowing clear separation of work and personal apps; for example, a user can have both a Chrome work app and a Chrome personal app. AirWatch can also prevent copy and paste between work and personal apps, disable screen capture, require a device password and encryption, and enable remote wipe.

Windows 10: Prevent sharing of Office 365 data between work and personal apps by requiring a device PIN, enabling device- and file-level encryption, or preventing functions like copy, paste and drag-and-drop.

2. Personal/dual-persona devices

Scenario A: Acme has established a BYOD policy, and John, who is comfortable with his own iPhone and Windows 10 tablet, is more than happy to take advantage of it. When John receives an email asking him to review a spreadsheet containing sensitive financial data saved on the corporate SharePoint, he can quickly launch the Excel mobile app for iOS and open the SharePoint Online location from within the work app. For this file John prefers a larger screen, so he tries to save it to his personal Dropbox folder, which syncs with his home PC. He is notified and blocked from adding the personal content share to the work app. This is due to Acme's corporate data loss prevention (DLP) policies, which restrict employees from sharing work data to unmanaged or personal locations.

Scenario B: On his Windows 10 tablet, which carries Enterprise Data Protection policies [2], Word 2016 is defined as a work application. When John saves a document with Word 2016, the file is automatically encrypted to Acme's primary domain. John therefore cannot open the document with an unmanaged app such as Notepad, which admins have not defined as a work app. Nor can John open the encrypted work document if he unenrolls his personal device.

Scenario C: Later, John leaves the company. Because Workspace ONE has access only to company-owned information on John's BYOD phone and tablet, only the enterprise applications are wiped from John's devices on his last day at work.

In the above use cases for personal devices, John is operating within the following security parameters:
- Differentiate between corporate and personal data by acting only on corporate data, preventing copy and paste between personal and corporate apps, and containerizing apps and encrypting data with native platform controls
- Allow users to access and install all work apps on demand from a unified app catalog
- Allow users to flexibly choose the level of control they want, based on the apps and resources they need, with adaptive management
- Separate work and personal data with native platform DLP capabilities, and exercise audit control with Enterprise Data Protection on Windows 10
- Federate identity to VMware Identity Manager, so users are authenticated and device compliance is validated before they access web apps
- Apply different claims rules for authentication based on the device platform and the app requesting access

[2] Enterprise Data Protection policies are currently in beta and available from Microsoft to Windows TAP and Insiders program members only.

3. Unmanaged devices

Scenario A: John also owns an iPhone that is not currently managed under any device management policy. When he downloads the VMware Workspace ONE app from the native app store, the app prompts John for his corporate credentials once and asks him to set up a unique PIN that gives him access to all the work apps from a unified location. Upon recognizing John's corporate email address, the device is automatically routed to sign in via VMware Identity Manager. With the Workspace ONE app, John gets SSO and conditional access to all his work apps (native, remote, SaaS) from one location without the device being managed by MDM policies.

Scenario B: As Acme migrates its employees to the company's new Office 365 service, admins can flexibly set Exchange ActiveSync policies. These policies coexist, auto-remove, and let admins define enrollment windows during which unmanaged devices can still sign in to the Office 365 service. Upon setting up his profile, John is automatically sent an enrollment email with all the instructions needed to enroll his device into management. If John misses the designated window, conditional access policies can be defined to revoke access for unenrolled devices, cutting John off from the service until he brings his device under management.

Scenario C: On a business trip, John tries logging into the Office 365 web apps from a shared PC in a hotel lobby. Because the terminal is an unrecognized, unmanaged device, John finds that he is unable to sign into the Office web apps or install work apps, due to the conditional access measures set by his company.

John's access to services, as described above, is based on the following security measures for unmanaged devices:
- Provide conditional access controls and equip IT administrators to prevent unauthorized access to corporate data and resources
- Maintain multiple deployments as organizations migrate to an Office 365 service and new users transition into management, and cut users off from service if their devices remain unmanaged beyond the transition window
- With conditional access policies, ensure that non-compliant and unmanaged devices are restricted from installing apps and setting up email
- With VMware Identity Manager, prevent users from signing into the Office web apps and services and bypassing the security measures set by the company

MetroBank: Striking a Balance Between Collaboration and Security

From its beginnings in 2010, England's MetroBank has grown rapidly, adding 27 stores by 2015 and planning to open 200. As part of its business model, MetroBank is also intent on being an innovator in IT, seeking high standards of communication and collaboration among its staff, and the Microsoft Office 365 suite plays a key role in achieving that objective. But as a financial institution, MetroBank is uniquely sensitive to data protection. With Office 365, the bank faced several security challenges, including a lack of endpoint access control, especially for BYOD users; the need to monitor the actions of users and administrators across apps such as Exchange, Yammer and SharePoint; and detecting malicious behavior and the use of stolen credentials.

Using AirWatch through third-party vendor Imperva Skyfence, MetroBank established secure access for Office 365. With AirWatch, MetroBank gained visibility and control over all its endpoint access, the ability to monitor the actions of users and administrators across Office 365 applications, and the ability to detect and remediate security threats in real time.

Conclusion: Where do I start?

If you're among the growing number of organizations poised to embrace cloud-based business services such as Office 365, VMware can guide you through the three stages of adoption with Workspace ONE.

Phase 1: Kick off the process by scheduling a discovery session with an account manager. We can assess how your IT environment is set up today and provide direction on how you can migrate to the cloud.

Phase 2: Once you've evaluated your IT environment, you're ready to set up Office 365 Mobile Email Management (MEM) and establish your migration workflow. Workspace ONE supports co-existence of multiple deployments to enable phased migration of your users to Office 365 services.

Phase 3: It's time for rollout. We can help you conduct end-to-end testing of the implementation, provide continued enterprise support, and get all devices on-boarded. AirWatch also issues automated notifications, triggers escalation actions, and supports organizations with BYO and privacy campaigns to help you encourage adoption.

Workspace ONE, powered by AirWatch, provides user self-service activation and secure single sign-on access to Office apps, conditional access so that only authorized users and devices can reach Office apps, containerization and encryption of data on the device, and remote wipe of enterprise apps and data. These capabilities can be implemented across platforms and extended beyond the Office 365 apps to all of your app investments: internal, native and SaaS apps.

Learn More

For more information on how to secure Office 365, download the white paper "AirWatch Support for Office 365" at Support_for_Office_365.pdf

VMware, Inc., Hillview Avenue, Palo Alto, CA, USA. Copyright 2016 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents. VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies. Item No: VMW-6776-OFFICE365-WP-USLET 7/16