Finding the value in the Microsoft E5 platform approach to cybersecurity

Author: Tom Bond

Introduction

Assessed on total cost of ownership (TCO) rather than list price, Microsoft E5, when used correctly, can deliver both cost savings and operational efficiency.

For a business seeking to provision industry-leading collaboration and the correct security posture to support the modern workplace, the Microsoft E5 subscription combines toolsets to bolster the user experience, as well as enhancing cybersecurity.

“We can’t afford E5, it’s far too expensive!”

These are words I’ve heard countless times, and it’s no secret that the headline cost of Microsoft 365 E5 licensing can mount up, but the TCO tells a very different story. Let’s dig just a little deeper and examine the Microsoft 365 E5 bundle, its included products and true cost. 

Whilst every business is different, there are many common strands. We need to collaborate, often in different time zones, thousands of miles from each other. We know that the old ways of working, with everyone based solely in offices, are now gone – Covid made sure of that.

It’s no secret that the Microsoft 365 setup, with the traditional Office applications, plus collaboration gems such as Teams, SharePoint, OneDrive and others, makes a compelling case for many businesses, enabling the remote working paradigm we now see. Modern security, however, presents a much tougher challenge, especially combined with the explosion in endpoint devices. Modern working has expanded far beyond the Windows PC, to add Macs, tablets and phones, of both Android and iOS flavours. Now, we find ourselves securing and managing very different devices, both on-premises and remote.

We’ve lost our network perimeter of old – our reliable moat, protecting our castle, is no more. We have data in more places than ever before – on-premises, file shares, cloud storage, SharePoint, Teams. This rich ecosystem of interconnected tools helps collaboration, but securing this data becomes a nightmare.

The world of Information Security – so long the bastion of firewalls and network devices – is now awash with buzzwords and acronyms, like SIEM, SOC, SOAR, XDR, CSPM and many more. The question is inevitably asked, “Which tools do I need to secure my business?”

The answer is simple – “All of them.”

Securing the New World

We find ourselves in a world where the age-old curse of system sprawl has intensified, with no realistic way to stop it. We must now work out how we secure a disparate array of applications, spread across many service providers, and without the back-end access we once used to simplify the task.

With the loss of the network perimeter during the rush to Cloud, as a user we see beauty – we can connect to our services from anywhere, using many different endpoints, and at any time. All we need is a username and password...

As an IT department, we see terror. Our users can connect to any service from anywhere, whenever they like, regardless of whether IT is available to monitor and assist. Attackers can attempt a breach from anywhere in the world, and all they need is a username and password…

A new way is needed, and that new way is zero-trust.

Zero-trust access – the removal of implicit trust based on factors such as network location or IP – relies upon three things – explicit verification of identity, least-privilege access throughout the enterprise, and the assumption of a breach with each layer of security.[1]

Identity is the key building block, as well as a key differentiator between vendors, because as we secure the other areas of the enterprise, we rely on its security and integration in order to be manageable and to provide a secure authentication mechanism. Data that can enhance authentication and authorisation exists everywhere but is often unused. We need to use as much as possible – location, device, authentication type, behavioural monitoring, desired data access and others provide a good picture of what the user (or attacker) is attempting to access.

As with all security areas, there is a trade-off between convenience for the end-user and the security posture to be achieved. Under zero-trust principles, we must challenge users regularly and robustly as they access systems and data, and because multifactor authentication (MFA) is also required, the user experience can rapidly deteriorate.

Since we must also assume a breach, many organisations simply annoy their users with frequent, intrusive, authentication prompts, but there is a better way. By utilising data from other sources, we can verify more transparently. Using Conditional Access rules, XDR data, CASB data, location and risk pattern analysis, with Microsoft, we can build policies which are more granular and reduce the number of prompts for users. We can also manage and apply these policies across all endpoint devices found in a typical enterprise; the Windows-only standpoint of old is very much history.

Microsoft also provides the building blocks to begin our move away from passwords. We can leverage passwordless authentication types such as FIDO2 keys, Windows Hello for Business and certificates. Moving away from the password is considerably more secure and provides a better user experience.[2] These authentication methods are more resistant to phishing attacks, and since they are normally tied to biometrics on the endpoint, they are also quicker and easier for the user. Microsoft also uses them to support self-service password reset, so the potential drawback of users forgetting passwords is mitigated.

Whilst users do have to adjust, they come to enjoy the improved experience quickly, and then benefit from the enhanced security without ever knowing. This combination of enhanced security and UX is only possible through the integration and processing of many different streams of security data.

Moving out from identity, Microsoft’s E5 licensing provides a fully featured zero trust foundation. Management of devices via Endpoint Manager allows for configuration and deployment of XDR via Windows Defender, with output monitoring and log data integrated into the risk and compliance engines, and with simple integration into the Microsoft Sentinel SIEM only a few clicks away. The Device Compliance rules in Endpoint Manager also feed seamlessly into conditional access rules, providing a simple way to configure and check devices, both BYOD and corporate.

The Defender for Cloud Apps product introduces a Cloud Access Security Broker (CASB), monitoring and securing applications and integrating with Azure AD, Defender for Identity and Azure AD Identity Protection, to give administrators per-user views of activity and risk and let them set granular access policies.

Within the Azure space, role-based access control (RBAC) is supported, using Azure AD groups, which can be dynamic and have roles assigned. Azure AD Privileged Identity Management (PIM) allows these role escalations to be carefully checked, logged and challenged, which lets organisations remove full-time, high-privilege admin accounts and shift to a least-privilege, on-demand model. Of course, this data feeds back into the identity and risk setup via Azure AD.

Data has not been forgotten either, with the Microsoft Purview product set covering data lifecycle management and integrating into the other products. Leveraging the Windows endpoint, both with native capability and deployed enhancements, it is possible to secure data throughout the enterprise, from SharePoint, Teams and file shares, through to the desktop.

A Comprehensive and Integrated Approach

The result of the Microsoft 365 E5 licence is an ecosystem which provides the vast majority of the building blocks of the modern enterprise. Organisations choose E5 for an array of different reasons, and security is rarely at the forefront of that choice. Part of the migration journey to the cloud is a change of mindset away from the perimeter, and that change tends to occur during and after adoption, as the technology becomes familiar.

As those organisations review their security posture, gaps inevitably emerge. A security assessment from a vendor such as Orange Cyberdefense helps to understand and prioritise those gaps and evaluate potential solutions. Traditionally we have used Best of Breed products in each area, but M365 E5 is sufficiently comprehensive as to provide a balanced, whole alternative. In a zero-trust model, the integrated approach of E5 allows better access decisions to resources than a siloed approach.

For example, suppose we wish to deploy a secure remote access product on a firewall. At its most basic, we deploy the client and then configure the firewall to check username and password, perhaps with an IP range and a security group for a user’s department. If the user is in the right group, in the right location with the right password, we grant access.

How much more secure would this be if we also tie in the risk information available to us? By integrating with the Azure AD suite for identity, we can now verify that the user is on a compliant device (corporate-owned if we prefer), has no user risk attached, and has an updated machine, with the correct antivirus and patch levels, as well as enforce MFA.

With the integration of data sources, we have arrived at an access decision with vastly more evidence, and thus a stronger security posture. To arrive at this solution with Best of Breed, we must deploy XDR, patch management, identity and network products and then ensure they are correctly integrated.
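As an added illustration, not part of the original post, the following Microsoft Graph PowerShell script expresses the access decision described above as two Conditional Access policies: one requiring MFA and an Intune-compliant device (which is where the antivirus and patch-level checks live) for the remote access application, and one blocking identities that Identity Protection has flagged as high user risk. The group and application IDs are placeholders, and the policies are created in report-only state so their effect can be reviewed in the sign-in logs before enforcement.

```powershell
# Added example (not from the post): Conditional Access policies via the Microsoft Graph PowerShell SDK.
# Assumptions: the two object IDs below are placeholders, and an Intune compliance policy that checks
# antivirus and patch state is already assigned to the devices in scope.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$vpnUsersGroupId   = "00000000-0000-0000-0000-000000000000"   # placeholder: the department's Azure AD group
$remoteAccessAppId = "11111111-1111-1111-1111-111111111111"   # placeholder: the firewall/VPN enterprise app

# Policy 1: replaces "right group + right password + right IP range" with
# "right group AND MFA AND compliant device". Device compliance is evaluated by Intune,
# so the antivirus and patch-level checks are not re-implemented here.
$requireMfaAndCompliance = @{
    displayName = "Remote access: require MFA and compliant device"
    state       = "enabledForReportingButNotEnforced"   # report-only first; enable once sign-in logs look right
    conditions  = @{
        users        = @{ includeGroups = @($vpnUsersGroupId) }
        applications = @{ includeApplications = @($remoteAccessAppId) }
        platforms    = @{ includePlatforms = @("all") }   # Windows, macOS, iOS and Android alike
    }
    grantControls = @{
        operator        = "AND"                           # every listed control must be satisfied
        builtInControls = @("mfa", "compliantDevice")
    }
}

# Policy 2: the "no user risk attached" condition. The Identity Protection user-risk signal
# feeds straight into the decision; a high-risk identity is blocked rather than merely prompted.
$blockHighUserRisk = @{
    displayName = "Remote access: block high user risk"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeGroups = @($vpnUsersGroupId) }
        applications   = @{ includeApplications = @($remoteAccessAppId) }
        userRiskLevels = @("high")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("block")
    }
}

foreach ($policy in @($requireMfaAndCompliance, $blockHighUserRisk)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    Write-Host "Created '$($created.DisplayName)' (id $($created.Id)) in state $($created.State)"
}
```

Once the report-only results show no unexpected blocks for the pilot group, change `state` to `enabled`; keep a break-glass account excluded from both policies so a misconfiguration cannot lock administrators out.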

If we use Microsoft E5, deployment of endpoint security items is largely automated, and integration is taken care of with just a few clicks.

Of course, there are many nuances to this, but the key point is that if we can integrate more data into our access level decision making, we increase our security level. This integration provides a big-picture view, which in turn helps us assess the situation should a breach or major threat occur.

When we compare this to a siloed approach, we must acknowledge that defence in depth is greater with multiple vendors, though risk must be examined holistically. Keeping up with attacks on the modern attack surface requires automation and integration, which are simpler to achieve with a platform approach such as Microsoft. Integration between vendors is possible and is growing somewhat easier as industry responds to the challenge, but Microsoft does this almost out of the box.

Of course, such a platform is not without management overhead – many products coming together to provide such granular detail is relatively new, and organisations face a different challenge from the one they knew. Any adoption of cloud technology brings a significant skill change from the on-premises world of old. Firms must find new skills, so it is in their interest to reduce this burden as much as possible.

Streamlined Administration and Proactive Security

The Microsoft platform has a similar look and feel throughout its admin experience, hinging on the Azure and Office 365 management experiences. The similarities assist significantly when finding the configuration items needed, and though Microsoft’s drive for new and enhanced features can prove confusing, overall, there is significant benefit to the consistent look and feel of the suite.

That said, the M365 E5 environment does need skilled humans on hand to process alerts and determine false positives. This helps the system learn and enables firms to be proactive in their approach. Microsoft does not offer anything themselves in this arena, partnering with service providers such as Orange Cyberdefense to introduce managed services.

Orange Cyberdefense’s service portfolio includes proactive and reactive management for the Microsoft Defender XDR products, Microsoft Sentinel SIEM, and the Endpoint Manager environment, together with alert handling, investigation and triage. This allows firms to outsource management of large swathes of their Microsoft environment, as well as establish a 24x7 SOC to keep on top of the alerts.

Both Microsoft and Orange use the per-user pricing model, so in combination they provide the tools and security needed by the modern business, with administration by qualified experts, 24x7x365.

Thus, Microsoft 365 E5 offers a combination of high-class productivity applications, across many platforms, together with the tools necessary to secure them. When compared with a Best of Breed solution set, the platform approach comes out ahead on implementation costs, licensing scalability and integration. It is the simplest way to achieve the promise of cloud – work anywhere, at any time, and be secure too – all the while costing less than other approaches.