Securing devices begins with their enrollment in Microsoft Intune, at which point administrators must decide what type of management they will impose on the device. Mobile Device Management (MDM) grants the organization nearly complete control over the device, requiring the user to comply with all the enterprise policies. MDM even allows an administrator to remotely wipe the entire device if it is lost or stolen, ensuring that any sensitive data on it is not compromised further.
MDM is intended primarily for use on company-owned devices; it can be problematic to some users who might not like the idea of granting the organization such comprehensive control over their personal property. For example, MDM policies might require smartphone users to sign on with a password or use another authentication mechanism every time they use their phones—which users might find inconvenient.
The alternative is Mobile Application Management (MAM), which gives administrators control over specific applications running on a device but not the entire device itself. For example, a policy in MAM might require the users to sign in when using Microsoft Exchange to access their email, but MAM cannot require them to sign in every time they turn on their phones. MAM also enables administrators to wipe company data from the phone but only the data associated with the managed applications.
Applications
Applications are the doorways through which users access the data they need, some of which might be highly sensitive. Part of the Zero Trust initiative is ensuring that the security capabilities built into applications are actually deployed, such as in-app permissions and other security-related configuration settings. Administrators should also monitor applications for unusual patterns of usage or other anomalous behavior.
However, in addition to managing the organization’s applications, IT personnel have another concern. One of the biggest issues regarding application security is company employees’ use of unauthorized applications—sometimes known as shadow IT. At one time, shadow IT mostly took the form of software on personal disks brought into the office and shared among users. Today, however, unauthorized applications are more likely to be installed from the cloud or run as a cloud service.
Any application running on a device that accesses sensitive network data is a potential threat, whether it runs in the cloud or is installed locally. Administrators should take steps to detect the presence of applications that might be dangerous to the network. The process of locating shadow IT applications is called cloud app discovery. Microsoft Defender for Cloud Apps (formerly known as Cloud App Security) is the Microsoft 365 tool that does this.
Microsoft Defender for Cloud Apps is a cloud-access security broker application that scans network resources to detect the cloud applications that users are running. It also can detect unauthorized Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) products that might be in use. The objective here is to detect cloud applications that have not been approved by the IT department and could threaten enterprise network security.
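To make the discovery step concrete, here is an added example (not Microsoft's code, and not from this book) of the core logic a cloud app discovery tool applies to proxy or firewall logs: map destination hosts to cloud apps, aggregate users and upload volume per app, and surface the apps the IT department has not sanctioned. The log lines, host-to-app catalog and sanctioned list are all constructed for illustration.

```python
import re

# Constructed sample proxy log (not real data): timestamp, user, destination host, bytes uploaded.
SAMPLE_LOG = """\
2024-05-01T09:12:03Z alice outlook.office365.com 5120
2024-05-01T09:14:55Z bob files.example-share.com 734003200
2024-05-01T09:20:11Z alice teams.microsoft.com 2048
2024-05-01T10:01:42Z carol files.example-share.com 12582912
2024-05-01T10:05:09Z bob notes.example-notes.io 4096
2024-05-01T10:07:30Z dave unknown-host.example 1024
"""

# Hypothetical host-to-app catalog; a real CASB such as Defender for Cloud Apps ships a large one.
APP_CATALOG = {
    "outlook.office365.com": "Exchange Online",
    "teams.microsoft.com": "Microsoft Teams",
    "files.example-share.com": "ExampleShare (file sync)",
    "notes.example-notes.io": "ExampleNotes",
}
SANCTIONED = {"Exchange Online", "Microsoft Teams"}  # apps the IT department has approved
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")

def parse_log(text):
    """Parse log lines into (timestamp, user, host, bytes); malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, user, host, nbytes = m.groups()
            records.append((ts, user, host, int(nbytes)))
    return records

def discover_apps(records, catalog=APP_CATALOG, sanctioned=SANCTIONED):
    """Aggregate traffic per cloud app: distinct users, bytes uploaded, sanctioned flag."""
    report = {}
    for _, user, host, nbytes in records:
        app = catalog.get(host, f"Uncatalogued ({host})")  # unknown hosts are still surfaced
        entry = report.setdefault(app, {"users": set(), "bytes": 0, "sanctioned": app in sanctioned})
        entry["users"].add(user)
        entry["bytes"] += nbytes
    return report

def unsanctioned_apps(report, min_bytes=0):
    """Unsanctioned apps at or above an upload threshold, largest upload volume first."""
    rows = [(a, d) for a, d in report.items() if not d["sanctioned"] and d["bytes"] >= min_bytes]
    return sorted(rows, key=lambda r: r[1]["bytes"], reverse=True)

if __name__ == "__main__":
    for app, d in unsanctioned_apps(discover_apps(parse_log(SAMPLE_LOG))):
        print(f"{app}: {len(d['users'])} user(s), {d['bytes']} bytes uploaded")
```

The upload-volume threshold is what turns a long list of unknown hosts into a short list worth investigating: a file-sync service receiving hundreds of megabytes from several users is the shadow IT case that matters most.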