Being a "Cloud Engineer" has been an interesting ride over the past 5 years. What started out as an annoying buzz-word has really taken the industry by storm, and the solutions I design and deploy for our customers have changed pretty radically since the first time I logged on to Microsoft's Exchange Online portal way back in June 2010.
At the time, offerings were simple: Google owned the front door to your email environment with Postini, and you had a very limited set of choices for actual back-end mail solutions: Microsoft's BPOS was just a hosted Exchange environment on bigger servers than your ISP could afford; Google was trying to woo customers with inexpensive full app-suite offerings (and terrible--TERRIBLE--security); and for a brief spell, Cisco had a web-based mail service. None of them offered anything like the on-prem features and capabilities in even the most rudimentary of Exchange deployments. No Data-Loss Prevention, eDiscovery, password replication with AD, nominal archiving (at best). But boy have things changed.
Now the Microsoft Cloud is a rich tapestry of products that can--CAN--fully replace the datacenter: Azure AD provides identity to Windows 10 clients, Azure virtual machines, the Office 365 suite, and tie-in to SaaS offerings from literally THOUSANDS of 3rd party applications. There's built-in business analytics, PC management, mobile-device management (now with selective wipe capabilities!), intelligent monitoring--literally everything a business would need to start today without ever deploying a physical datacenter. But that's not the world we live in.
Sure, businesses do start from the ground up today--I just finished a deployment for a company that began life with 1000 employees scattered across the globe, and we leveraged just about the entire Microsoft Cloud suite to make it happen, but it isn't the norm. Most companies have existing infrastructure. Most companies have well-established IT departments with significant financial and HR investments. And most of that is on-prem.
And that's where the most exciting set of new Microsoft Cloud solutions come in. Much has been made recently of new offerings in the Skype for Business announcements of Cloud PBX and broadcast capabilities, but to me the real meat has been in the new Enterprise Mobility Suite. At first glance, this is one of the most confusing new offerings in cloud in...maybe ever. EMS has 4 major components, and they are cloud...cloud...cloud...on-prem. And by on-prem, I'm not talking about a hybridized component that interfaces with the Azure portal: I'm talking straight-up ON-PREM, in your datacenter, which you have.
EMS provides mobile-device management. I would go so far as to say that's the main reason customers are going to implement it. MS took way too long to get into the game, but now that they're here, it's gonna be a whole lot less complicated to support mobile users. And new for this most recent iteration of products is the philosophy that we're ALL mobile users. All of our devices are mobile devices. Phone? Mobile device. iThingy? Mobile device. ...PC? Yep: mobile. It's a fundamental philosophical change to view the PC as a mobile device, and I'll admit it took me a few days to come to terms with it, but basically it allows us to use Intune equally to manage all devices. That's huge. Further, EMS's mobile management tackles mobility from multiple angles. It's not just "enrolled devices can access our apps". The device, at enrollment, must be compliant with company policies (defined in Intune). The user must also have the appropriate access(es). And what's really cool is that mail clients which support modern authentication (ADAL) authenticate straight to Azure AD instead of handing a password to Exchange Online, which is what lets the Intune conditional-access check run before the mailbox is ever touched. Finally, we are actually using Azure AD for explicit authentication purposes!
We got our first hint of this capability when it was announced that Windows 10 could join and log on directly to an Azure AD tenant, but this has scaled up dramatically since early summer. Now it's any enrolled device and VMs within Azure, and that means you can run a whole corporation out of Azure AD. Boom: Active Directory domain controllers just became obsolete.
Except they didn't. And this is where it gets confusing. As part of the exact same product that obsolesces on-prem AD, Microsoft has unveiled Advanced Threat Analytics. ATA is, after many years of clamoring for it, Microsoft's intrusion-detection offering for Active Directory. It sits fully in your datacenter--there is no cloud element to it at all. But the way it works is pretty snazzy, and I think it sets itself apart from other IDS offerings in that...THERE ARE NO AGENTS.
ATA has two pieces: the ATA Center, which holds the database and the console, and one or more ATA Gateways, which do the sniffing. You supply a machine for each (virtual or otherwise), enable port mirroring on your switch so that all traffic to and from your domain controllers is also copied to the gateway, install ATA, hand it a domain account with read access so it can resolve the users and computers it sees, and you go back to your regular work. Beyond that there's no real configuration, and again: no agents on the domain controllers or the endpoints. You get on with your life, and ATA does what the FBI legally cannot: it compiles a profile of network activities and then monitors for deviations. Every user, every workstation, every logon attempt, every Kerberos ticket request. One caveat worth knowing: it sees what crosses the wire to the domain controllers (Kerberos, NTLM, LDAP, DNS), so "data access" here means the service tickets a user requests for a file server, not the actual reads and writes on that server.
An example: Janet usually uses PC02 to reach the HR file server? No problem. Rock on, Janet! Bill has 3 devices and hits the Finance share from all of them all day long? Good on ya, Bill. But if, 6 weeks from now, Bill and Janet suddenly start authenticating from a different set of machines, or start requesting tickets for each other's servers, ATA will generate an alert on the Attack Timeline.
This is pretty cool. The Attack Timeline is not just a simple view of who's done what. You can click on any event, drill down into it to pull specific patterns from the user, the associated device, and even what kinds of data-access deviations have been detected. This, then, further links back to any trends or shifts in these patterns, making it easier to figure out the scope and full time-scale of any problems. And it's always intelligently (and quietly) listening and learning your users' natural shifts over time. You will not, for instance, get a mailbox full of alerts just because Frank got a promotion and new access.
And back on that whole "no agents" thing. The biggest risk of running intrusion detection software is the same as running antivirus software: smart ne'er-do-wells know to first check for the existence of such things before bothering to launch an attack. But if there is nothing installed on the endpoint or the domain controller for them to find, well then: you have a leg up on their efforts. And that's critical when dealing with a problem that takes months to surface. The breach reports of the day put the median time an attacker operates inside an environment before being discovered at roughly eight months. ATA won't wait that long. I watched a pretty cool demo wherein a Microsoft guy launched an all-too-common "steal the ticket" (pass-the-ticket) attack: lift a Kerberos ticket from one machine and present it from another. Within about 3 seconds, it was on the attack timeline. It probably was there faster, but that's how long it took him to switch screens. ATA will also integrate with the SIEM you already have in place: it ships its alerts out over syslog, and it can consume Windows events your SIEM forwards to it. And again: you don't do anything. You just let it run.
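To make the two detections described above concrete (the Janet-and-Bill baseline deviation and the stolen-ticket reuse), here is a toy model of the logic, added for illustration; it is not Microsoft's code and not how ATA is implemented. The event records, user and host names, share names and ticket identifiers are all constructed, and a real sensor would key tickets on the actual Kerberos ticket blob rather than a label.

```python
"""Toy behavioural baseline over DC-side authentication events.

Everything here is constructed for illustration: the events, the
names, the ticket identifiers and the detection thresholds are made up,
and the logic is a simplification, not Microsoft's ATA.
"""
from collections import defaultdict

# Constructed sample of what a sensor on mirrored DC traffic sees: who
# authenticated from which host, which service (SPN) they asked for a
# ticket to, and an opaque label for the TGT they presented.
LEARNING_PERIOD = [
    {"day": 1, "user": "janet", "host": "PC02", "spn": "cifs/HR-FS", "tgt": "tgt-janet-1"},
    {"day": 2, "user": "janet", "host": "PC02", "spn": "cifs/HR-FS", "tgt": "tgt-janet-2"},
    {"day": 1, "user": "bill", "host": "PC07", "spn": "cifs/FIN-FS", "tgt": "tgt-bill-1"},
    {"day": 2, "user": "bill", "host": "LAPTOP-B", "spn": "cifs/FIN-FS", "tgt": "tgt-bill-2"},
    {"day": 3, "user": "bill", "host": "TABLET-B", "spn": "cifs/FIN-FS", "tgt": "tgt-bill-3"},
]

MONITORED = [
    # normal: same person, same machine, same share
    {"day": 43, "user": "janet", "host": "PC02", "spn": "cifs/HR-FS", "tgt": "tgt-janet-9"},
    # deviation: Bill reaching for Janet's HR server
    {"day": 43, "user": "bill", "host": "PC07", "spn": "cifs/HR-FS", "tgt": "tgt-bill-9"},
    # deviation: Janet authenticating from a host she has never used
    {"day": 44, "user": "janet", "host": "SRV-DEV01", "spn": "cifs/HR-FS", "tgt": "tgt-janet-10"},
    # pass-the-ticket: Bill's day-43 TGT presented again from a different host
    {"day": 44, "user": "bill", "host": "SRV-DEV01", "spn": "cifs/FIN-FS", "tgt": "tgt-bill-9"},
]


def build_baseline(events):
    """Per-user profile: which hosts they log on from and which services they request."""
    baseline = defaultdict(lambda: {"hosts": set(), "spns": set()})
    for e in events:
        baseline[e["user"]]["hosts"].add(e["host"])
        baseline[e["user"]]["spns"].add(e["spn"])
    return baseline


def detect_deviations(baseline, events):
    """Flag logons from an unseen host or ticket requests for an unseen service.

    Returns (kind, user, host, spn) tuples; one event can raise both kinds.
    """
    alerts = []
    for e in events:
        profile = baseline.get(e["user"])
        if profile is None:
            alerts.append(("unknown-user", e["user"], e["host"], e["spn"]))
            continue
        if e["host"] not in profile["hosts"]:
            alerts.append(("new-host", e["user"], e["host"], e["spn"]))
        if e["spn"] not in profile["spns"]:
            alerts.append(("new-resource", e["user"], e["host"], e["spn"]))
    return alerts


def detect_pass_the_ticket(events):
    """The same TGT presented from more than one host means a copied ticket.

    Returns (kind, user, first_host, second_host) tuples.
    """
    first_seen = {}  # tgt label -> host it was first presented from
    alerts = []
    for e in events:
        origin = first_seen.setdefault(e["tgt"], e["host"])
        if e["host"] != origin:
            alerts.append(("pass-the-ticket", e["user"], origin, e["host"]))
    return alerts


if __name__ == "__main__":
    profile = build_baseline(LEARNING_PERIOD)
    for alert in detect_deviations(profile, MONITORED) + detect_pass_the_ticket(MONITORED):
        print(alert)
```

Two things the toy leaves out that matter in practice: the baseline has to keep learning (re-running `build_baseline` over a sliding window is the crude version of "quietly learning your users' natural shifts"), and a first-seen-wins ticket check needs a time bound, since a legitimately renewed or re-issued ticket is not the same ticket.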
You just let it run...Music to any engineer's ears.