Having recently passed another ISO27001 audit with BSI, I thought it would be worth doing a 2-part blog series where I will share with you some of the key Microsoft Cloud products Circle Cloud use to help provide technical enforcement for our information security policies. I am sure that most Information Security Managers and Data Protection Officers would agree that bridging the gap between the rules that are written on paper and what staff actually do in real life can be a genuine challenge.
Well, that’s where technology comes into it (particularly the Microsoft Cloud, in this case). Before getting into it, it’s worth noting that the success of technology when it comes to bolstering your organisation’s information security is dependent on how you approach it. I have known many businesses to implement information security technologies without having any policies or procedures in place, which is the equivalent of throwing the proverbial at the wall and hoping some of it sticks. In such instances, people can often be left disillusioned with the effectiveness of technology and its capabilities to solve information security challenges within their organisations. That’s because, with no underlying structure to provide context, things can become messy and underutilised, eventually falling out of use completely. It is for that reason that I have addressed this blog to those organisations with ISO27001 certification, simply because there will be a structure of basic policies and procedures in place by default.
Windows Autopilot & Single Sign on
Related ISO27001 Controls: A7 (Human Resource Security)
I have been less specific with the related clause in this instance. I have bracketed the benefits offered by Windows Autopilot and Single Sign on under Human Resources Security because of how useful the two products are when it comes to employee onboarding and offboarding. However, what’s worth noting here is that the scope of what can be achieved is more far-reaching. Onboarding new users efficiently requires, as a preliminary step, that role-based access be clearly defined within the organisation. For example, you wouldn’t want your salesperson having access to any financial management applications. A simple role matrix is therefore a great place to start, charting job titles against required applications.
Once you have this, the management of onboarding and offboarding according to role can be made so much simpler using Windows Autopilot and Single Sign on. In order to explain how this is so, I will give an overview of each…
Windows Autopilot: IT Departments spend significant time building and customising images that will later be deployed to devices. Windows Autopilot introduces a new approach that benefits both the user and the IT Manager.
Instead of re-imaging the device, your existing Windows 10 installation can be transformed into a “business-ready” state that can apply settings and policies and install the apps relevant to the job role. The only interaction required from the end user is to connect to a network and to verify their credentials. Everything beyond that is automated, making start-up easy, manageable, and less prone to issues or mistakes.
New devices can simply be shipped from the supplier directly to the user, who only has to complete a couple of initial sign-in tasks and then wait while the relevant preconfigured Windows image and settings are downloaded and set up for them.
Single Sign on: Single sign-on (SSO) adds security and convenience by allowing your users to sign on to their business applications using their Office 365 credentials. It does so by authenticating all logins to business applications via Azure Active Directory. With single sign-on, a user doesn't have to sign into every application they use. The user logs in once and that credential is used for other apps too.
This isn’t just useful for onboarding, however. One of the real benefits of Single Sign on is the ability to remove a user’s access to all their business applications once they leave. This saves time on offboarding, as the apps that have been grouped by job role can be removed just as easily as they are given. Gone are the days when IT Managers (and DPOs) are required to manually revoke app access on a case-by-case basis. With SSO, access is simply allowed or revoked centrally and distributed according to role.
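The central allow/revoke described above, as an added example that is not part of the original post or Circle Cloud's tooling: a PowerShell script using the Microsoft Graph module that applies a hypothetical role matrix to Azure AD group membership, on the assumption that each SSO-enabled business app is assigned to a role group, so group membership is what grants or removes the app. The role names, group names and the "App-" prefix are assumptions.

```powershell
# Added example, not Circle Cloud's own script. Assumes the Microsoft.Graph
# module is installed and that every SSO-enabled app is assigned to a role
# group such as 'App-Finance', so group membership equals app access.
# Hypothetical role matrix: job title -> groups that carry the role's apps.
$RoleMatrix = @{
    'Sales Executive' = @('App-CRM', 'App-Teams')
    'Finance Manager' = @('App-Finance', 'App-CRM', 'App-Teams')
}
$AllRoleGroups = @($RoleMatrix.Values | ForEach-Object { $_ } | Sort-Object -Unique)

Connect-MgGraph -Scopes 'User.ReadWrite.All', 'GroupMember.ReadWrite.All'

function Get-RoleGroupId([string]$Name) {
    $g = Get-MgGroup -Filter "displayName eq '$Name'"
    if (-not $g) { throw "Role group '$Name' does not exist" }
    return $g.Id
}

# Onboarding or role change: role-group membership is made to match the matrix
# exactly, so a mover loses the old role's apps as well as gaining the new ones.
function Set-RoleAccess([string]$Upn, [string]$JobTitle) {
    if (-not $RoleMatrix.ContainsKey($JobTitle)) { throw "No role defined for '$JobTitle'" }
    $user    = Get-MgUser -UserId $Upn
    $wanted  = $RoleMatrix[$JobTitle]
    $current = @((Get-MgUserMemberOf -UserId $user.Id).AdditionalProperties.displayName)
    foreach ($name in $AllRoleGroups) {
        $inWanted  = $wanted -contains $name
        $inCurrent = $current -contains $name
        if ($inWanted -and -not $inCurrent) {
            New-MgGroupMember -GroupId (Get-RoleGroupId $name) -DirectoryObjectId $user.Id
        } elseif ($inCurrent -and -not $inWanted) {
            Remove-MgGroupMemberByRef -GroupId (Get-RoleGroupId $name) -DirectoryObjectId $user.Id
        }
    }
}

# Offboarding: strip every role group, block sign-in, then revoke refresh tokens
# so sessions already established through SSO cannot keep reaching the apps.
function Disable-RoleAccess([string]$Upn) {
    $user    = Get-MgUser -UserId $Upn
    $current = @((Get-MgUserMemberOf -UserId $user.Id).AdditionalProperties.displayName)
    foreach ($name in ($AllRoleGroups | Where-Object { $current -contains $_ })) {
        Remove-MgGroupMemberByRef -GroupId (Get-RoleGroupId $name) -DirectoryObjectId $user.Id
    }
    Update-MgUser -UserId $user.Id -AccountEnabled:$false
    Revoke-MgUserSignInSession -UserId $user.Id
}
```

Groups that are not named in the matrix are deliberately left untouched, so membership used for other purposes (distribution lists, for instance) is not disturbed by a role change.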
Microsoft Intune (Part of Endpoint Manager)
Related ISO27001 Controls: Mobile Device Policy (A6.2.1)
Although the ISO27001 standard stipulates the inclusion of certain policies, what actually goes into those policies is largely up to the organisation. Therefore, when it comes to Mobile Device Management, the standard isn’t there to determine whether you should or shouldn’t implement a Bring Your Own Device policy. That choice is for your key decision makers. After all, it’s your organisation and you are encouraged to manage it as you see fit. Such policy decisions are therefore yours to make, provided that you’ve taken into consideration the standard’s ‘implementation guidance’ and demonstrated that you’ve taken into consideration the risks associated with your choices.
So, whether it’s BYOD or not, Microsoft Intune is there to accommodate. It is a cloud-based mobile device management (MDM) and mobile application management (MAM) platform for your apps and devices. It is now directly part of the Microsoft Endpoint Manager suite of applications, which we have covered in a separate blog post.
Microsoft Intune lets you control features and settings on Android, Android Enterprise, iOS/iPadOS, macOS, and Windows 10 devices, while also integrating with other services. In Intune, devices can be managed using an approach that's right for your organisation. For company-owned devices, you may want full control over the devices, including settings, features, and security. With this approach, devices and the users of these devices enrol in Intune. Once enrolled, they receive your organisation’s pre-set rules and settings through policies configured in Intune. For example, you can set password and PIN requirements, create a VPN connection, set up threat protection, and more.
For personal devices or bring-your-own devices (BYOD), users may not want their organisation's administrators to have full control. With this approach, users can be given options. For example, users can enrol their devices if they want full access to your organisation's resources. Or, if these users only want access to email or Microsoft Teams, then they can use app protection policies that require multi-factor authentication (MFA) to use these apps.
No matter where you’re at on your ISO27001 journey, whether you’re just starting out or whether you have a more advanced system, there are Microsoft Cloud technologies available that can help you improve the enforcement of your policies. I have only managed to cover a few in this 2-part blog series; however, there are many others that can bolster other areas of your ISMS. For example, Data Loss Prevention can be a great tool to technically enforce your data retention policies by applying retention labels to all digital information assets. This is something I will be covering in a future blog post.
For now though, I hope you found this piece useful. If you have any questions around how the Microsoft Cloud can help support your information security policies and procedures, please do not hesitate to get in touch.
If you haven't read Part 1 yet, click here.