Enterprise Mobility + Security. A licensing blog post.

“If you have built castles in the air, your work need not be lost; that is where they should be. Now put the foundations under them.”

The great Henry David Thoreau released Walden in 1854 about something completely different of course, but I am taking the liberty to use this quote in a cloud computing context.

In almost every project I am in, I get this one question: Should we choose EM+S E3 or EM+S E5? And it really is a good question. The license cost is almost double in E5, and yet, the two licenses seems to contain a lot of the same stuff. Most of the time I can tell the customer what is gained by going for E5, but let’s look at some of the important differences here. Licensing can be extremely confusing, and Microsoft is in no way the worst company here. 


The Cloud and getting there, in a secure way. 


It is so easy to move services to the cloud and sometimes we forget that suddenly that super expensive firewall we bought and set up in our data center, doesn’t secure our data as much as it used to. But this also goes for a lot of those of you who have yet to move anything (officially) to the cloud. Most of you have probably heard the term Shadow IT. How your users start storing information in services like Dropbox or personal OneDrives for instance, probably in good faith. To have a backup of the files, or to be able to reach them from anywhere or even to share files with people outside the company. And then suddenly, just like that, you no longer have control even though you still have all your services on-premises and that fancy firewall.

But can you really get control of company data that are stored around in different cloud services, you ask? And the answer is yes. Well, you cannot get control over the files already there, but you can start now, and make sure it doesn't continue to happen.
Legacy security (Photo: Pixabay)

The Enterprise and Mobility + Security package brings together some useful tools in one package and to make this a little more confusing, it is available in several variants. We often talk about EM+S E3 and E5 where E3 is the more basic package. Here are a few of the things you only get in E5:

  1. Risk Based Conditional Access (Captures risk behavior and, for example, asks for Multi Factor authentication (MFA), or password change if something suspicious happens.),
  2. Privileged Identity Management (Allows you to work with one account all the time and verify identity with e.g. MFA when doing something administrative.)
  3. Automatic classification and labeling (sensitivity labels according to content in files)

and last but not least Cloud App Security and Azure Advanced Threat Protection.

Each of these products would require their own blogpost, so I will just give you a very simplified overview of them and mention some of the functionality.

Microsoft Cloud App Security (MCAS) is Microsoft's solution to gain control of cloud activity. It provides a simple interface where one can look at and create rules for different types of behavior (There are quite a few predefined and very useful rules already) and some of the actions that should be considered risky in the cloud. MCAS is closely integrated with other technology (Windows Defender ATP, AIP, Intune, etc.) and protects the information in the cloud. One example of the many awesome things we can use MCAS for is to track sharing of sensitive data and automatically remove external sharing if sensitive data (or data that is labeled sensitive) is detected.

Azure Advanced Threat Protection uses Machine Learning and AI to capture suspicious behavior (this user suddenly does something he does not usually do) or other things that might make us suspect attacks/viruses. This is a great tool against security threats like ransomware for instance. We no longer just use signature files for updated detection of virus/malware, but Machine learning makes it possible to detect suspect behavior and take action against it, before we even realize that something is happening.


A lot of security included. (Photo: Microsoft.com)

So, back to the original question: Should you get EM+S E3 or E5, I can answer without a doubt: That depends. Helpful right? Well, it is true. No two users are the same, no two groups of users are the same. For some it makes perfect sense to get E3, but for others, the automation in E5 is reason enough for getting that. We sometimes make a distinction between what a user is working with, more than which department he/she is in. In departments like Legal or HR, we often suggest E5, set up some automatic rules and try to make them as secure as possible, but that does not mean that others cannot have great benefits from an E5 license. If they work with content that is very sensitive, E5 might be a good solution. In departments that seldom work with sensitive data, we can use E3 for instance. Sometimes a Proof of Concept/Demo/trial will show the need for a certain license and can be very helpful. 

I have always said that If you look at the price of good security against the potential cost of bad security, and how bad things can get if we lose our data it might be possible to make an informed choice. Also, we need to look at which features we need. When things like MCAS, ATP and more is included in the E5 package, it may no longer be so expensive. At least if it helps us avoid a really devastating attack. 

It can also be interesting to know that we can buy the security individually by going for one (or both) of the new licenses Microsoft sells. https://www.microsoft.com/en-us/microsoft-365/blog/2019/01/02/introducing-new-advanced-security-and-compliance-offerings-for-microsoft-365/

  • Identity & Threat Protection - Contains e.g. ATP and Cloud App Security for $ 12 per month.
  • Information Protection & Compliance - Contains e.g. information security with Azure Information Protection for $ 10 per month.
As you can see, it doesn’t take much before the E5 license is worth the money. Another question is what will happen to the licenses when Microsoft moved information protection to the Office Portal (and license), and I will update this post when we know more about that.



Comments

Popular posts from this blog

Using Do not Forward or Encrypt Only as the results of a Sensitivity Label