Microsoft Office 365 is a key element of your current IT infrastructure. What does this mean for your management, security, reporting and auditing? In this session, Quest invites you to explore their hybrid AD management and security solutions.
9. But the risk with these approaches is …
Charge ahead: unknown hurdles & compromised security
Put in more hours: your team already lacks time and resources
Use native tools or PowerShell: yes they're free … but have critical gaps
Assume Microsoft has it all covered: unexpected delays & additional work
14. From On-Premises with Cloud
Hybrid Report (Enterprise Reporter)
• Who has access to what sensitive data in AD/Azure AD/O365
• Who has elevated privileged permissions in AD/Azure AD/O365, servers
• What systems are vulnerable to security threats
Hybrid Audit (Change Auditor)
• Detect suspicious privileged AD activities
• Alert on potential AD/Azure AD/O365 insider threats
• Notify in real time of unauthorized intrusions against AD/Azure AD/O365
• Detect and alert on brute-force attacks
Recover + Search (Recovery Manager, IT Security Search)
• Investigate AD security incidents
• Continuously test your AD business continuity plan
• Recover from a security incident
• Improve your RTO
Hybrid Manage (Active Roles)
• Secure access to AD/Azure AD
• Enforce permissions
• Implement a least-privilege access model
• Reduce the attack surface in AD/Azure AD
• Prevent unauthorized access to sensitive resources
• Remediate unauthorized activities
From On-Premises
15. Components in IT-Security Suite + Demo
IT Security Search
Change Auditor (security auditing)
Knowledge Portal (SQL Server Reporting Services + IIS)
Enterprise Reporter ('snapshot')
InTrust (event gathering)
Recovery Manager (recovery of AD objects/attributes)
Active Roles Server (directory management)
Compliance frameworks addressed:
• BS ISO/IEC 27002:2005 *
• COBIT *
• GDPR
• FISMA
• COSO
• HIPAA
• PCI
• SOX
• ……….
19. From Cloud with On-Premise
Your go-to SaaS dashboard for tackling Microsoft challenges in a hybrid world
From The Cloud
20. Why Quest On Demand?
Fast, easy setup – No installation, no upgrades, no complex configuration, no sweat!
Secure and reliable SaaS – ISO/IEC 27001:2013, ISO/IEC 27017:2015 and ISO/IEC 27018:2019 certified.
Rapid innovation – we keep pace with Microsoft updates so you don't have to!
22. 2019 Market Guide for Cloud Office Migration Tools
40 out of 40
"Use of cloud-to-cloud migration tools is growing prominent as organizations undergo acquisitions, mergers and divestiture as well as shifts in their digital business strategies." – Gartner, Inc.
Figure 3. Look for Features and Functionality That Go Beyond Replicating the On-Premises Environment
Gartner, Market Guide for Cloud Office Migration Tools, Gavin Tay, Adam Preset, Joe Mariano, 28 February 2019. This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Quest. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally, and is used herein with permission. All rights reserved.
Quest is the only vendor listed with all 40 features and functionality supported.
23. Quest® On Demand Migration
Your go-to SaaS dashboard for tackling Microsoft challenges in a hybrid world
24. Migration Scenarios Supported
Tenant to Tenant – Migrate Azure AD, Exchange Online, and OneDrive from one Office 365 tenant to another.
AD Hybrid Tenants* – Use Migration Manager for AD (MMAD) to migrate on-premises AD, then match accounts with On Demand Migration for the tenant migration.
Multiple Tenants – Migrate multiple Office 365 tenants to a single target tenant for consolidation or restructuring.
25. What sets 'On Demand' Migration apart?
• Hybrid support
• Mail data migration
• OneDrive data migration
• SharePoint data migration
• Teams data migration
• Group migration
• Free profile updates
• World-class support
29. Comparing Quest with Azure AD recycle bin
Azure AD and Office 365 recovery capabilities compared against the native Recycle Bin:
• Restore multiple attributes at one time
• Restore Azure AD groups and group membership
• Granular restore of user attributes, e.g. O365 license type
• Restore hard-deleted objects which bypassed the recycle bin
• Difference reporting with restore capability
• Search and restore capability
31. Quest® On Demand Audit
Your go-to SaaS dashboard for tackling Microsoft challenges in a hybrid world
32. Comparing Quest with native auditing
Critical auditing requirement (X = gap in native auditing):
• Alert on suspicious events regardless of whether they occur on prem or cloud – Native: X
• Cut through raw data and see only what is important for the change/activity – Native: X
• Flexible search on any event or any field, including by actor, changed attributes, activity details or cloud-only objects – Native: X
• Normalize view of all user activity, on prem and in the cloud – Native: X
• Keep audit data for up to 10 years to satisfy internal policies and external compliance regulations – Native: X
34. Quest® On Demand Group Management
Your go-to SaaS dashboard for tackling Microsoft challenges in a hybrid world
35. On Demand Group Management
+ More secure
+ Unburdens IT
+ Increases user productivity
36. Key benefits
Increased visibility by managing groups via a single console
Keep order in your environment with rules for group creation, naming, attestation, expiration, etc.
Confidently offload administrator workloads to end users using a self-service UI
Empower users to create and manage their own groups within a pre-selected framework in the self-service UI
Continually validate group membership through automated attestation
Enable users to quickly recognize and request access to resources connected to Azure AD
So how do we give you the time to shift your team's focus from administration to innovation?
We provide solutions in five primary areas, areas that impact your business every day and are becoming increasingly complex because of cloud, mobility, security and big data. They are:
ESM
Microsoft Platform Management
Database Management
Data Protection
Performance Management
If you're like most organizations, once your team has made the decision to take the leap to Office 365, you are anxious to just charge ahead, whether tackling it internally or engaging consultants or systems integrators. We know that many organizations simply put in more time or throw more resources at a project.
Meanwhile, many companies continue to handle compliance and migration issues separately from security. Some are using native tools or point solutions to move to the cloud. Others are writing custom scripts with PowerShell.
Throughout this process many simply rely on Microsoft. And yes, Microsoft takes the security of the Office 365 platform very seriously and has made significant investments in service-level security that protect Microsoft's cloud-based applications from intrusions.
But there are many risks with these approaches, including:
Charging ahead: many of the issues companies face in moving to the cloud are the direct result of charging forward without understanding the impact of old decisions on security, risk, and the health of the environment. This approach carries legacy decisions forward and may compromise security by handing out too much privilege and access in the cloud environment.
Putting in more time: while that gets the job done in the short term, it's certainly not sustainable for a team that is most likely already stretched, and there's not always additional budget to add resources or augment your staff with consultants.
Native tools, whether for migration, reporting, recovery or auditing: yes, they're free, but they have critical gaps in functionality.
And finally, relying solely on Microsoft is a risky proposition. Microsoft takes ownership of platform security, while Office 365 customers (that's you) remain responsible for the safe and compliant use of the application: users can still perform high-risk actions, and account credentials can still be compromised. Assuming Microsoft has it all covered may result in unexpected delays and additional work.
Here is our value proposition for ZeroIMPACT Migration.
Migrations are labor intensive and fraught with risk. If not done correctly, they can be a real drain on time, resources and budget. But Quest ZeroIMPACT migration solutions help minimize the associated risk, cost, time and complexity.
To say it another way, we ensure ZeroIMPACT! That means zero impact on:
Users – enabling them to continue working
Help desk – avoiding a flood of calls and tickets
IT – helping them get this project done quickly and easily
Above all, ZeroIMPACT on the bottom line – ensuring that the overall business runs without disruption
We have a vast portfolio of migration products that address many of the scenarios our customers encounter, including Office 365, AD migration, Exchange, SharePoint, OneDrive, Lotus Notes, Google and more.
But in our many years of experience helping customers, we know that successful migrations are more than just the tools moving stuff from A to B. We know that migration success must include proper planning, a coexistence strategy and a vision toward the future environment.
So we've built a value proposition, our ZeroIMPACT methodology, around 4 key pillars that help customers be more successful and differentiate us in the market.
Quest Software can help:
Prepare for the transition – assess what you have, clean up what you don't need and plan. This is where we first introduce attaching management tools like UCCS, Enterprise Reporter and Change Auditor.
Change Auditor for AD – Before the migration, get visibility into who has access to what to identify possible security gaps and unauthorized access. During the migration, you quickly determine whether a change was made by the migration tool or by a user, so you can spot any problems. After the migration, monitor AD for improved security and compliance.
Change Auditor for AD Queries - Identifies and inventories application servers that are dependent on AD domains being migrated so that you can fix or redirect them to the new domain controllers.
Enterprise Reporter - Understand what should and should not be migrated with a comprehensive assessment of your current environment, including active vs. inactive users and groups, what users and files you have, and when a user last logged in or resources were accessed.
Recovery Manager– Ensure you have a back-up plan in the event that something goes wrong during the migration (server failure, network glitch, etc.). Quickly recover individual items that have been accidentally or incorrectly changed or deleted during the migration. Or quickly recover an entire forest in the event of a major disaster or corruption during migration.
Recover missing or corrupted email in minutes to keep the migration running on schedule.
Migrate with ZeroIMPACT on the entire organization.
Quest can help customers Coexist to keep users on multiple messaging platforms working together seamlessly. Many of you have probably used our Migration Suite and Coexistence Manager products.
Finally, Quest can help customers centrally MANAGE the environment to get the most out of their new platform from day 1. Many of the same tools you used to help prepare can now be used to manage your environment (along with many additional management solutions) to further reduce complexity and risk. Again, we're including our management tools as part of our migration story.
We’ve been in the migration business for 15 years but we still ran a 5 month technical preview to find out the main concerns companies are facing today with tenant migration. We’ve actually addressed the key asks and I’ll show you what they are.
Note License Management due to release November 2019
Fast, easy setup – Onboard with ease and start auditing in minutes. No installation, no upgrades, no complex configuration — no sweat!
Secure and reliable SaaS — Quest On Demand delivers the security standards, service level and scalability that you need. ISO certifications include ISO/IEC 27001:2013, ISO/IEC 27017:2015 and ISO/IEC 27018:2019.
Rapid innovation — We keep pace with Microsoft updates so you don’t have to. Quest On Demand automatic updates deliver new features, customer-requested enhancements and security patches quickly and without any effort on your part.
We’ve been in the migration business for 15 years but we still ran a 5 month technical preview to find out the main concerns companies are facing today with tenant migration. We’ve actually addressed the key asks and I’ll show you what they are.
<IMPORTANT NOTE to Quest sales: You may NOT edit this slide in any way, shape or form per our contract with Gartner. Any edits made and shared publicly could violate our terms and forfeit our distribution rights to this Market Guide.>
Gartner, Market Guide for Cloud Office Migration Tools, Gavin Tay, Adam Preset, Joe Mariano, 28 February 2019.
This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from One Identity.
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
Currently there are no native tools to help customers with tenant-to-tenant migration. Once they get to Office 365, they will grow, and we've heard from customers about scenarios where they need help either merging or consolidating their Office 365 tenants.
We considered all these factors and built On Demand Migration (ODM) to accommodate these common scenarios.
Tenant to Tenant – Migrate Azure AD, Exchange Online, and OneDrive from one Office 365 tenant to another.
*Hybrid AD Tenants – We can use Migration Manager for AD to migrate on-premises AD and then match accounts with On Demand Migration for the tenant migration; we can also offer PSO to achieve this.
[NOTE: Hybrid capability sets Quest apart from many competitors]
Multiple Tenants – Migrate multiple Office 365 tenants to a single target tenant for consolidation or restructuring.
Do any of these fit your organization now? How about in the future?
There are many reasons to choose Quest for your tenant to tenant migration, but here are some things that set us apart from the rest. We have:
Hybrid AD and Hybrid Exchange support
OneDrive Provisioning
Group Migration
Profile updating at no extra cost
World class support!
Core SaaS platform with common UI experience
Finally, Quest on Demand is built in the cloud for the cloud – We are cloud born! This means we can pivot easily to adapt to user requests and feedback. We don’t have to do any heavy lifting.
Every migration should start with a good recovery plan. What’s more, every move to a cloud environment should begin with a solid recovery plan! Let’s face it, if you lose access to your user id, you lose access to your cloud apps – and that’s how it should be, unless it’s unplanned.
Azure application instances / service principals (add that to chart)
B2B/B2C
Hard-deleted security groups
Limitations of the Microsoft Azure Recycle Bin (PowerShell or the O365 UI):
Not all objects are stored in the Recycle Bin:
• Azure AD groups / group membership
• Azure AD user attributes
• Nested Azure AD groups
Recycle Bin expiration and hard deletes:
• Any Azure AD objects in the Recycle Bin that expired (30 days) or were hard deleted (bypassed the Recycle Bin) cannot be restored
Limited recovery from the Recycle Bin:
• No ability to restore multiple users at a time from the UI
• No ability to restore multiple attributes of users
Reports:
• Show list of cloud-only objects
• Show list of objects synchronized from on-prem (Azure AD Connect)
• Differences report that shows all Azure user changes compared to backups, with the ability to roll back
With Office 365 adoption on the rise, group sprawl remains a top concern for our customers. With On Demand Group Management continually cleaning up groups can become a thing of the past, and admins can finally regain peace of mind and control of Azure AD and Office 365 groups.
[rep instructions: This is an optional slide that drills down deeper into the native auditing limitations]
++++++++++++++++++++
Native Office 365 and Azure AD auditing tools are riddled with gaps and complexity.
There are multiple screens and consoles all with different views and no consolidated view of on-prem and cloud activity.
For example, the Office 365 Audit Log service does NOT capture events from on-premises Microsoft servers for organizations with a hybrid setup, such as Active Directory domain controllers, Exchange Server and SharePoint Server in addition to Office 365.
Difficult to configure auditing
Have to configure audit policies for on premises separate from cloud workloads
No way to monitor audit policies in case they change or are disabled by other administrators
Limited alerting, searching and reporting
Alerting is inconsistent across on premises and cloud workloads
Not possible to search audit activity across on premises and cloud
Cannot search based on actor (i.e. who initiated the activity) or many other important fields (see details below the +++++++++++)
Difficult to interpret events
Audit data is very raw (contains SIDs, GUIDs and other IDs), lacks friendly display names and the format is constantly changing
There is no normalized format of what fields are displayed, so event formats will vary depending on the event or cloud workload you are looking at.
Limited history of audit data
Audit data only retained for a limited time before it is permanently lost
For cloud workloads the retention period varies by workload and subscription type; it can be as short as 7 days, and Microsoft can change retention periods at any time
For on premises workloads the retention period varies based on the volume of activity
The limited data retention has significant implications for organizations that must comply with legal or regulatory retention requirements that dictate retention of this data for much longer periods. And it hinders your ability to investigate security incidents because you lack sufficient historical evidence to search
See Microsoft retention policies:
Office 365: https://docs.microsoft.com/en-us/office365/securitycompliance/search-the-audit-log-in-security-and-compliance
Azure AD: https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-reports-data-retention
+++++++++++++++++++
Limited search capabilities
Cannot search by specific User and Group attributes that were changed
Cannot search by before and after change values
Cannot search by Activity Details field
Cannot search by Activity Synchronization type (e.g. identify only changes that were not produced by Azure AD Connect)
Cannot search by User Synchronization Status (e.g. identify only changes that occurred to Cloud Only user accounts)
Can only search by the target listed in the event (Change Auditor allows you to search for targets by their display name, UPN or SAMAccountName)
Cannot combine multiple criteria into a single search (e.g. Who + Date + attribute + User Synchronization Status)
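The normalization and cross-field search that the notes above say native auditing lacks, as an added example that is not Quest code and not part of the original deck: a Windows Security event 4728 (member added to a security-enabled global group) and two Office 365 unified audit log records are mapped into one schema, SIDs are resolved to display names from a lookup table, changes made by Azure AD Connect are flagged by the Sync_<server>_<id>@<tenant> naming of its service account, and a single query combines actor, action and synchronization status. The records, the SID table and the sync-account pattern are constructed for this example; the 4728 EventData field names and the unified audit log top-level fields (CreationTime, Workload, Operation, UserId, ObjectId, ModifiedProperties) follow Microsoft's documented schemas, but nothing here is a real capture.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable, List, Optional

# Constructed SID-to-name table; in practice this comes from LDAP or Graph lookups.
SID_TO_NAME = {
    "S-1-5-21-1111-2222-3333-500": "Administrator",
    "S-1-5-21-1111-2222-3333-1105": "Dana Reyes",
}

# Azure AD Connect signs its changes with a Sync_<server>_<id>@<tenant> account (assumed pattern).
SYNC_ACCOUNT = re.compile(r"^Sync_[^_@]+_[0-9a-f]+@", re.IGNORECASE)


@dataclass
class NormalizedEvent:
    time: datetime
    source: str            # "on-prem" or "cloud"
    workload: str
    actor: str             # who made the change
    action: str
    target: str            # group that was changed
    member: Optional[str]  # account that was added (friendly name, not a bare SID)
    via_sync: bool         # True when Azure AD Connect produced the change


def from_windows_4728(event: dict) -> NormalizedEvent:
    """Security event 4728: a member was added to a security-enabled global group."""
    d = event["EventData"]
    sid = d["MemberSid"]
    return NormalizedEvent(
        time=datetime.fromisoformat(event["TimeCreated"]),
        source="on-prem",
        workload="ActiveDirectory",
        actor=f"{d['SubjectDomainName']}\\{d['SubjectUserName']}",
        action="Add member to group",
        target=f"{d['TargetDomainName']}\\{d['TargetUserName']}",
        member=SID_TO_NAME.get(sid, sid),   # fall back to the raw SID if unknown
        via_sync=False,
    )


def from_o365_audit(record: dict) -> NormalizedEvent:
    """Unified audit log record for the Azure AD 'Add member to group.' operation."""
    props = {p["Name"]: p["NewValue"] for p in record.get("ModifiedProperties", [])}
    # CreationTime in the unified audit log is UTC without an offset.
    when = datetime.fromisoformat(record["CreationTime"]).replace(tzinfo=timezone.utc)
    return NormalizedEvent(
        time=when,
        source="cloud",
        workload=record["Workload"],
        actor=record["UserId"],
        action=record["Operation"].rstrip("."),
        target=props.get("Group.DisplayName", "<unknown group>"),
        member=record["ObjectId"],
        via_sync=bool(SYNC_ACCOUNT.match(record["UserId"])),
    )


def normalize(raw: Iterable[dict]) -> List[NormalizedEvent]:
    """Route each raw record to its parser and return one time-ordered stream."""
    out = []
    for r in raw:
        if r.get("Id") == 4728:
            out.append(from_windows_4728(r))
        elif r.get("Workload"):
            out.append(from_o365_audit(r))
    return sorted(out, key=lambda e: e.time)


def search(events, actor=None, action=None, target=None, via_sync=None):
    """One query over on-prem and cloud events, combining several criteria at once."""
    def ok(e):
        return ((actor is None or actor.lower() in e.actor.lower())
                and (action is None or e.action == action)
                and (target is None or target.lower() in e.target.lower())
                and (via_sync is None or e.via_sync == via_sync))
    return [e for e in events if ok(e)]


# Constructed sample records (not real captures).
SAMPLE_RAW = [
    {"Id": 4728, "TimeCreated": "2019-09-03T08:14:02+00:00",
     "EventData": {"SubjectUserName": "jsmith", "SubjectDomainName": "CORP",
                   "MemberSid": "S-1-5-21-1111-2222-3333-1105",
                   "TargetUserName": "Domain Admins", "TargetDomainName": "CORP"}},
    {"CreationTime": "2019-09-03T08:16:40", "Workload": "AzureActiveDirectory",
     "Operation": "Add member to group.",
     "UserId": "Sync_ADC01_9f3a2b7c1d@contoso.onmicrosoft.com",
     "ObjectId": "dana.reyes@contoso.com",
     "ModifiedProperties": [{"Name": "Group.DisplayName", "NewValue": "Finance"}]},
    {"CreationTime": "2019-09-03T08:20:05", "Workload": "AzureActiveDirectory",
     "Operation": "Add member to group.", "UserId": "jsmith@contoso.com",
     "ObjectId": "dana.reyes@contoso.com",
     "ModifiedProperties": [{"Name": "Group.DisplayName",
                             "NewValue": "Global Administrators"}]},
]

if __name__ == "__main__":
    events = normalize(SAMPLE_RAW)
    # Group additions made by a human (not Azure AD Connect) whose name contains "jsmith".
    for e in search(events, actor="jsmith", action="Add member to group", via_sync=False):
        print(e.time.isoformat(), e.source, e.actor, "->", e.member, "added to", e.target)
```

The search in the main block is the query the notes say native tooling cannot express: Who + action + synchronization status in one filter, over both the domain controller event and the cloud record, with the on-prem SID already resolved to a name.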
When we launched Change Auditor version 7.0.3 in August 2019, the big news of that release was the integration with Quest On Demand Audit to create a new, complete hybrid auditing solution unlike any other in the market – the On Demand Audit Hybrid Suite for Office 365.
On Demand Audit Hybrid Suite for Office 365 provides a single view of user activity across hybrid Microsoft environments, giving you visibility to all changes taking place, whether on premises, Azure AD or Office 365 workloads such as Exchange Online, SharePoint Online and OneDrive for Business.
The new suite is delivered as a subscription service that gives you licenses to BOTH Change Auditor and On Demand Audit, and you can easily pair them together in just a few clicks.
Change Auditor is the industry’s leading solution for in-depth, high fidelity auditing of on-prem Microsoft environments. It provides real-time auditing, alerting and forensics on all critical configuration, user and administrator changes across on-prem AD changes and logons, File servers, Exchange, SharePoint and more. Most cloud-based auditing products fail to provide you a view of your on premises activity, and those that do (e.g. SIEM tools) rely on native event logs for on premises activity and lack the fidelity of auditing that Change Auditor provides.
On Demand Audit then consolidates and correlates Change Auditor’s on-prem audit data together with cloud activity from Azure AD and O365 workloads such as OneDrive for Business, Exchange Online and SharePoint Online.
With Change Auditor and On Demand Audit combined, you get a single view for your on-prem and cloud audit data with responsive search, interactive data visualization and long-term storage.
Get full control of groups across your organization — all in a single application — so you never have to worry about what’s out there. Plus, mitigate security and compliance risks with robust creation policies so you can manage resources and group naming rules, attestation, expiration, approval workflows and more.
Conceptual diagram of the functionality that sits in Admin UI and Self-service UI of On Demand Group management.
Real-time audits
Detailed audit logs are created in real-time, capturing every change as it occurs in the environment
Single pane of glass
Change Auditor’s console allows you to view audit activity from every platform in a single user interface, allowing you to track a user’s activity across the entire environment
In addition to Active Directory, Change Auditor supports Azure AD, O365 Exchange (with the on-prem Exchange module), O365 SharePoint and OneDrive for Business (both with the on-prem SharePoint module), Azure AD sign-ins (with the on-prem Logon Activity module), file activity (Windows, EMC, NetApp, FluidFS), AD Queries (LDAP), Skype for Business, and SQL Server
Proactive alerts
Create email alerts when critical events are detected (e.g. a user is added to a built-in administrators group), or use SNMP to forward to an external application
Object protection
Create final line of defense protection from changes to critical AD, Exchange and file objects so that even privileged users cannot modify them (e.g. prevent users from being added to the Domain Admins group)
Compliance reports
Run out of the box reports to evaluate compliance against regulations such as SOX, HIPAA, and PCI-DSS
Security forensics
Use Change Auditor’s powerful UI to comb months or years of user activity, or IT Security Search for quick forensic exercises to determine root cause of an environmental issue or security breach
While this is a fairly simple example of an AD breach, the point is that there could be dozens of individual indicators of the breach.
Any one of these indicators on its own (e.g. the user logs on at an unusual time for that user) is not necessarily suspicious in and of itself. However, when looked at in context with other activities taking place in the same time frame (e.g. the unusual-time logon was preceded by 8 failed logon attempts, did not take place from the user's standard workstation, multiple logons to other accounts occurred from the same IP address, and it was followed by a number of suspicious AD changes), you can establish a pattern of suspicious user behavior that deserves further investigation.
How do you filter through the noise of hundreds of millions of audit events to find suspicious activity?
How do you establish behavioral baselines so that anomalies become apparent?
How can you get better security insights into the activity of your privileged users?
How can you leverage your existing audit investment to detect suspicious insider activity and external attacks?
Actual production results from a healthcare provider with over 80,000 users
Change Auditor Threat Detection analyzes 200 different event types which comprise millions of actual events a day in most environments
35 threat indicators apply insight into the Change Auditor audit data to identify behavioral anomalies
Threat indicators are correlated into SMART alerts, for which there are 19 across Active Directory, authentication and file activity
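The pattern in the breach example above (failed logons, an unusual-hour logon from a non-standard workstation, several accounts from one IP, then AD changes), as an added example of how indicators are baselined from past activity and correlated into one alert instead of firing individually. This is illustrative code written for this page, not Change Auditor Threat Detection or any Quest code; the event records, the 30-minute window, the five-failure threshold and the three-indicator alert rule are all constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Set


@dataclass
class Event:
    time: datetime
    kind: str      # "logon_ok", "logon_fail" or "ad_change"
    user: str
    host: str = ""
    ip: str = ""
    detail: str = ""


@dataclass
class Baseline:
    hours: Set[int] = field(default_factory=set)   # hours of day the user normally logs on
    hosts: Set[str] = field(default_factory=set)   # workstations the user normally uses


def build_baselines(history: List[Event]) -> Dict[str, Baseline]:
    """Learn each user's normal logon hours and workstations from past successful logons."""
    baselines: Dict[str, Baseline] = defaultdict(Baseline)
    for e in history:
        if e.kind == "logon_ok":
            baselines[e.user].hours.add(e.time.hour)
            baselines[e.user].hosts.add(e.host)
    return baselines


def indicators_for_logon(logon: Event, events: List[Event], baselines: Dict[str, Baseline],
                         window: timedelta = timedelta(minutes=30),
                         fail_threshold: int = 5) -> List[str]:
    """Name every threat indicator that fires in the window around one successful logon."""
    found = []
    bl = baselines.get(logon.user, Baseline())     # unknown users have no baseline
    if bl.hours and logon.time.hour not in bl.hours:
        found.append("unusual_logon_time")
    if bl.hosts and logon.host not in bl.hosts:
        found.append("unusual_workstation")
    fails = [e for e in events if e.kind == "logon_fail" and e.user == logon.user
             and logon.time - window <= e.time < logon.time]
    if len(fails) >= fail_threshold:
        found.append(f"preceded_by_{len(fails)}_failed_logons")
    other_users = {e.user for e in events if e.kind == "logon_ok" and e.ip == logon.ip
                   and e.user != logon.user and abs(e.time - logon.time) <= window}
    if other_users:
        found.append("multiple_accounts_from_same_ip")
    changes = [e for e in events if e.kind == "ad_change" and e.user == logon.user
               and logon.time < e.time <= logon.time + window]
    if changes:
        found.append("followed_by_ad_changes")
    return found


def smart_alerts(events: List[Event], baselines: Dict[str, Baseline],
                 min_indicators: int = 3) -> List[dict]:
    """Raise one alert per logon only when several indicators coincide, not on any single one."""
    alerts = []
    for e in events:
        if e.kind == "logon_ok":
            ind = indicators_for_logon(e, events, baselines)
            if len(ind) >= min_indicators:
                alerts.append({"user": e.user, "time": e.time, "ip": e.ip, "indicators": ind})
    return alerts


# Constructed history: two users with regular office-hours logons from their own workstations.
HISTORY = [Event(datetime(2019, 8, day, hour), "logon_ok", u, h, ip)
           for day in range(1, 6) for hour in (9, 13, 17)
           for (u, h, ip) in (("dreyes", "WS-DREYES", "10.0.2.15"),
                              ("mchen", "WS-MCHEN", "10.0.2.16"))]

# Constructed day of activity: the attack sequence from the text, plus a benign admin.
DAY = datetime(2019, 9, 3)
DAY_EVENTS = (
    [Event(DAY.replace(hour=2, minute=m), "logon_fail", "dreyes", "WS-KIOSK", "10.0.5.77")
     for m in range(1, 9)]
    + [Event(DAY.replace(hour=2, minute=10), "logon_ok", "dreyes", "WS-KIOSK", "10.0.5.77"),
       Event(DAY.replace(hour=2, minute=12), "logon_ok", "svc_backup", "WS-KIOSK", "10.0.5.77"),
       Event(DAY.replace(hour=2, minute=15), "ad_change", "dreyes", "DC01", "10.0.5.77",
             "Add member to Domain Admins"),
       Event(DAY.replace(hour=9, minute=5), "logon_ok", "mchen", "WS-MCHEN", "10.0.2.16"),
       Event(DAY.replace(hour=9, minute=20), "ad_change", "mchen", "DC01", "10.0.2.16",
             "Reset password for user tlee")]
)

if __name__ == "__main__":
    for a in smart_alerts(DAY_EVENTS, build_baselines(HISTORY)):
        print(a["time"], a["user"], a["ip"], ", ".join(a["indicators"]))
```

Run as written, only the 02:10 dreyes logon alerts, with all five indicators attached; mchen's ordinary morning logon followed by a routine AD change fires one indicator and stays below the threshold, which is the noise-filtering point the questions above are asking about.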
(1-2 minutes total)
TRANSCRIPT
Just to wrap up from a summary perspective ... Talked about a couple of solutions. I spoke about Active Roles. Active Roles is really designed for account administration. Automating the user and group management, creation in Active Directory. Again, taking that and then how you're going to extend that into your cloud infrastructure. From a directory management perspective, that can provide Exchange recipient management, distribution list management, and really that least-privileged access control from that directory perspective. Really limiting what that particular view is. Then from a security perspective, obviously, this is really a firewall around your Active Directory. Least-privilege-based access control, using proxy accounts. So when you have those internal/external threats, they really aren't even going to have any native permissions within their environment.
(1 min)
TRANSCRIPT
The aspect of managing the GPO that we've talked about today comes from our GPOADmin solution. Essentially, this is a platform tool that we've created that allows you to manage your policies with the confidence that I was trying to relate to you earlier. Be able to put you in the position to roll back changes, have check-in and check-out capability so that people aren't trying to edit the same policy at the same time. But then allow the flexibility to put the solution into your workflow and so ... Maybe it's executing a script while you check in a GPO so that it can open up a help desk ... All of these things come together to create what we call GPOADmin.
Quickly search through large amounts of audit data
Simplify searching with event normalization
Cross reference state and change information
Granularly compare and restore AD data online
Full-forest recovery from a central console
Automate lab creation from production AD