Eastin IT Security is now offering ESAE (Red Forest) Active Directory Design and Implementation services. This is a premium offering meant to enhance your ability to offer the highest level of Active Directory professional services to your clients.
What is ESAE?
Quite simply put, this is Microsoft’s recommended set of practices for securing Active Directory. ESAE (Enhanced Security Administrative Environment) is a well-protected bastion forest used to hold the accounts that administer a production forest/domain. The main idea is to segment highly privileged Active Directory administration accounts into their own hardened forest: the production forest trusts the admin forest one way (with selective authentication), so admin-forest accounts can manage production, while nothing in production can administer the admin forest.
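To make the pattern concrete, here is an added PowerShell check (written for this page, not code from Eastin IT Security or Microsoft) that an engineer can run from a production-forest domain to confirm the two properties above: that the trust points the right way with selective authentication on, and that the production Tier 0 groups hold only admin-forest principals. The admin forest name and the break-glass account list are assumptions.

```powershell
# Added example, not part of the original announcement: run from a domain in the
# PRODUCTION forest to check that the trust and the privileged groups look the
# way an ESAE deployment expects. Forest name and break-glass account names
# below are assumptions for illustration.
Import-Module ActiveDirectory

$AdminForest = 'admin.example.internal'     # assumed bastion (admin) forest
$BreakGlass  = @('Administrator')           # assumed local emergency accounts allowed to stay
$PrivGroups  = 'Domain Admins','Enterprise Admins','Schema Admins','Administrators'
$findings    = @()

# 1. Trust shape: production trusts the admin forest (Outbound from here), one way,
#    as a forest trust with selective authentication and SID filtering left on.
#    (The admin forest must not trust production; check that from the admin side.)
$trust = Get-ADTrust -Filter "Name -eq '$AdminForest'"
if (-not $trust) { throw "No trust to $AdminForest exists in this forest" }
if ($trust.Direction -ne 'Outbound') {
    $findings += "Trust to $AdminForest is $($trust.Direction); ESAE expects one-way Outbound (production trusts admin forest only)"
}
if (-not $trust.ForestTransitive) { $findings += "Trust to $AdminForest is not a forest trust" }
if (-not $trust.SelectiveAuthentication) {
    $findings += 'Selective authentication is off: every admin-forest account can authenticate to every production host'
}
if (-not $trust.SIDFilteringForestAware) {
    $findings += 'SID filtering is off: SIDHistory values from the admin forest would be honoured in production'
}

# 2. Privileged group membership: Tier 0 groups in production should contain only
#    admin-forest principals (foreignSecurityPrincipal objects), the standard nested
#    Tier 0 groups, and the agreed break-glass accounts. Anything else is a
#    production-forest account holding production admin rights, which is exactly
#    what the bastion forest is meant to remove.
foreach ($g in $PrivGroups) {
    $group = Get-ADGroup -Filter "sAMAccountName -eq '$g'" -Properties member
    if (-not $group) { continue }   # Enterprise/Schema Admins exist only in the forest root domain
    foreach ($dn in $group.member) {
        $m = Get-ADObject -Identity $dn -Properties objectClass, sAMAccountName
        switch ($m.ObjectClass) {
            'foreignSecurityPrincipal' { }     # admin-forest account: expected
            'group' {
                if ($m.Name -notin $PrivGroups) { $findings += "$g contains unlisted nested group $($m.Name); audit it" }
            }
            default {
                if ($m.sAMAccountName -notin $BreakGlass) {
                    $findings += "$g contains production-forest principal $($m.sAMAccountName) ($($m.ObjectClass))"
                }
            }
        }
    }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { 'Trust direction, selective authentication and Tier 0 membership match the ESAE pattern' }
```

Run it with an account that can read the trust object and group membership in the production forest. The group walk deliberately uses the `member` attribute rather than Get-ADGroupMember, because cross-forest members surface as foreignSecurityPrincipal objects and that is the signal the check depends on.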
What customers should consider ESAE?
ESAE is typically implemented by large multinational firms and government entities that need the highest level of Active Directory security to protect IP, critical infrastructure and highly sensitive data. It is also appropriate for firms that have suffered a significant security breach and want to secure the “keys to the kingdom” while they work to clean up their existing environment. Organizations such as Microsoft and the US State Department have implemented ESAE.
Typically only Microsoft offers ESAE professional services, but I am excited that Eastin IT Security is now working with former members of the Microsoft CyberSecurity team to bring these services to you. This essentially allows you to level the playing field and leverage industry experts when your customers need ESAE services. Our team members have:
- Designed the global ESAE standards for Microsoft CyberSecurity
- Implemented ESAE at Microsoft and at government entities such as the US State Department
- Worked in sensitive environments such as the US Navy, the Federal Bureau of Investigation, and the Democratic National Convention Committee, just to name a few
We have already received very positive feedback on these services from some of our other large regional Microsoft business partners. We hope that this premium service will allow you to enhance your standing and knowledge with your customers as well as increase your competitiveness in this growing market.
- New improvements coming to Intune to manage Android for Work. This session actually gave a good overview regarding the fragmented state of Android OS as well as the MDM challenges around it. The session discussed upcoming Intune tools to help with this problem.
- Vittorio Bertocci was the best speaker of the day in his session Secure your web applications with Microsoft Identity. I would imagine he throws a great party as well. Nice walk-through of building an ASP.NET app in VS 2015 using Azure AD authentication. To be upfront, this session was geared more towards web developers, but I stayed because I keep up with Vittorio’s blog. He is a great, dynamic speaker and I enjoyed his style.
- The IoT session Explore IOT Scenarios from the field and their reference architectures was mind-expanding, and my head was swimming with ideas afterwards. Great presentation on what could be an incredible opportunity.
My notes for each session are below.
Intune Session to manage Android
- Protect identity
- App – conditional access
- Android fragmentation
- 1,294 brands
- 24,000 devices
- Great for end users but difficult to manage in enterprise
- Intune Android management
- Native Android 4.0+ MDM
- Samsung KNOX
- MAM policy for data protection – built into apps
- Companion apps
- Threat protection from Lookout
- Tour of Android and Intune
- Android for Work
- Common pain points
- Missing VPN, silent app install, configurable end client
- Android fragmentation affects manageability
- Enhanced on-device management capability
- Android 6.0
- App management
- Productivity apps
- Partnership community
- Intune support for Android for Work (rollout starts in October)
- Enhanced device management
- App management improvements
- Security apps
- Email client app config
- Android for Work Scenarios
- BYOD (available October) – some apps owned by corporate IT, others by users
- Corp owned, personally enabled
- Kiosk (COSU)
- New provisioning requirements
- IT admin must onboard the Intune tenant before enrollment
- The previous requirement for a Google domain no longer applies
- Deploy apps (play.google.com/work)
- Android for Work and Intune MAM for data protection (See presentation)
- MAM
- enforce corp data access requirements
- Require PIN for launching app
- Prevent data leakage
Explore IOT Scenarios from the field and their reference architectures
- Ref architecture
- Example – Car – lots of devices but all aggregated on platform gateway
- World’s largest integration project
- Azure IoT Suite – really a solution (azureiotsuite.com)
- Need to be careful about cost implications in architecture
- Problem – brownfield systems
- Old and proprietary
- BACnet is a legacy protocol
- Drivers – Green Buildings
- BMS (Building management systems) and cloud
Azure IoT Hub
- Older brother is Event Hubs
- Event Hubs is one-directional and limited to 5k devices per namespace
- IoT Hub hyper-scale solution
- Cloud scale messaging
- Two way communication
- Per device auth
- Multi-protocol support
- Communication is TLS based
- Device management
- Connect my medical device
- Allow physician to access data
- Gateway is changing
- Replace event hubs with Iot hub
- Replace service bus with event hub
- Trash bin
- Am I full?
- Remote location
- 5+ year battery life
- 3G/4G connectivity
- 1 data point per day
- Route optimization based on when bin is full during the day
- PLCs (industrial protocols)
- 80% of projects will be industrial IoT
- Industrial IoT is hard
- Lots of protocols
- Lots of PLCs and no standards
- Lots of machine manufacturers
- Front door/provisioning/Bootstrapping
- IoT facade calls an endpoint to determine device identity and routes to the correct hub
- Suitable for new, reset or offline system
- Devices needing geo-location
- Migration from one IoT Hub to another
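The “per device auth” bullet is the part of IoT Hub most worth seeing in code. The following PowerShell is an added example for this page, not code from the session or from Microsoft: it mints the device-scoped SAS token that a symmetric-key device presents when it connects. The hub name, device ID and key are made-up values.

```powershell
# Added example, not from the session: what "per device auth" looks like for a
# symmetric-key device on IoT Hub. Each device holds only its own key and mints
# a short-lived SAS token scoped to its own device path, so a captured token is
# useless for any other device and expires on its own. Hub name, device ID and
# key below are made-up values.
function New-IotDeviceSasToken {
    param(
        [Parameter(Mandatory)] [string] $HubName,
        [Parameter(Mandatory)] [string] $DeviceId,
        [Parameter(Mandatory)] [string] $DeviceKeyBase64,   # the device's own primary/secondary key
        [int] $TtlSeconds = 3600
    )
    # Scope: this device only. A hub-level policy name (skn) is deliberately absent;
    # a field device must never hold a hub-wide policy key.
    $resourceUri = "$HubName.azure-devices.net/devices/$DeviceId"
    $encodedUri  = [uri]::EscapeDataString($resourceUri)

    # Expiry is Unix time; the device therefore needs a reasonably correct clock
    $epoch  = New-Object DateTime 1970, 1, 1, 0, 0, 0, ([DateTimeKind]::Utc)
    $expiry = [long][Math]::Floor(((Get-Date).ToUniversalTime() - $epoch).TotalSeconds) + $TtlSeconds

    # IoT Hub verifies HMAC-SHA256 over "<url-encoded resource>`n<expiry>" with the device key
    $stringToSign = "$encodedUri`n$expiry"
    $hmac = New-Object System.Security.Cryptography.HMACSHA256
    $hmac.Key = [Convert]::FromBase64String($DeviceKeyBase64)
    try {
        $sig = [Convert]::ToBase64String($hmac.ComputeHash([Text.Encoding]::UTF8.GetBytes($stringToSign)))
    } finally { $hmac.Dispose() }

    # Presented as the MQTT password or as the HTTPS Authorization header value, always over TLS
    "SharedAccessSignature sr=$encodedUri&sig=$([uri]::EscapeDataString($sig))&se=$expiry"
}

# Made-up 32-byte device key; in practice it comes from the device's registration in the hub
$fakeKey = [Convert]::ToBase64String([byte[]](1..32))
New-IotDeviceSasToken -HubName 'contoso-hub' -DeviceId 'bin-0042' -DeviceKeyBase64 $fakeKey -TtlSeconds 86400
```

For a device like the trash bin above that wakes once a day, a one-day TTL is enough: it can sign a fresh token each time it wakes, so there is no reason to hand out long-lived tokens, and revoking the device in the hub registry cuts it off at the next connection.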
Secure your web applications with Microsoft Identity
- Vittorio Bertocci was the best speaker of the day. I would imagine he throws a great party as well.
- Nice walk-through of building an ASP.NET app in VS 2015 using Azure AD authentication
I attended a number of sessions today but two events stand out. First, I got to try out the new Hololens and second there were some new announcements in the Azure Identity world.
I was able to get an appointment to try out a Hololens at the Microsoft exhibit hall. For those of you who haven’t seen this before, this is another technology that you think is somewhere in the future but is here today. Hololens is based on augmented reality, which lets you view virtual objects in your everyday world. This is different from virtual reality, where you are completely immersed in a different world. Think Star Wars game (augmented reality) vs. The Matrix (virtual reality).
I used the headset in Microsoft’s “living room” of tomorrow. This technology is incredible and I am certain that we will see augmented reality, at the very least in the workplace, within the next few years. By far the coolest thing I got to see was the galaxy explorer in my “living room”. I could virtually examine the solar system and a nebula all from the house. I was also able to pin virtual photos and videos around my house by selecting them from the device’s camera roll. Incredible.
The possibilities for this technology are endless, from virtual business meetings to education and entertainment. Virtual and augmented reality are going to happen. Check out this Wired article for the best state-of-the-industry overview that I have read.
The future is now, you just need $3,000 to buy a developer Hololens.
The Identity team announced a new product today that might be an ADFS killer. Azure AD Pass-through Authentication (PTA), together with a new Seamless Single Sign-On option, is expected to be released sometime in the first half of 2017 and looks to simplify the SSO and federation work typically performed by ADFS.
- Forms based authentication for non-domain joined/outside of corporate network users (PTA)
- SSO for domain joined users on corporate network (SSO)
- No need for dedicated servers
- PTA can be installed on existing servers or DCs
- Seamless SSO needs only a computer account in AD
- No load balancers
- PTA automatically uses all available connectors, so there is no need to load balance
- No DMZ
- All connections are outbound
- No unauthenticated endpoints on the internet
- No certificates to manage
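As an added example for this page (not from the session and not Microsoft’s tooling), the PowerShell below checks the deployment claims in the list above on a prospective agent host: outbound 443 reaches Azure AD, nothing is listening inbound, and the Seamless SSO computer account exists and has had its Kerberos key rolled recently. The endpoint names and the 30-day interval are assumptions taken from Microsoft’s setup guidance.

```powershell
# Added example, not from the post: checks for the agent-based PTA / Seamless SSO
# design described above. The endpoint names, the 443-only rule and the 30-day
# key-rollover interval are taken from Microsoft's setup guidance for the agent;
# treat them as assumptions to re-check against current docs.
Import-Module ActiveDirectory
$findings = @()

# 1. Outbound-only: the agent host needs outbound TCP 443 to Azure AD, nothing inbound.
foreach ($h in 'login.microsoftonline.com', 'login.windows.net') {
    $r = Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue
    if (-not $r.TcpTestSucceeded) { $findings += "No outbound TCP 443 to $h from this host" }
}

# 2. No DMZ, no published endpoint: nothing on this host should be listening on 443.
#    A listener here usually means ADFS or a Web Application Proxy was also installed.
if (Get-NetTCPConnection -State Listen -LocalPort 443 -ErrorAction SilentlyContinue) {
    $findings += 'Something is listening on TCP 443; PTA needs no inbound listener at all'
}

# 3. Seamless SSO: the only AD footprint is the AZUREADSSOACC computer account. Azure AD
#    uses that account's Kerberos key to decrypt user tickets, so it is a Tier 0 secret;
#    Microsoft recommends rolling it with Update-AzureADSSOForest at least every 30 days.
$sso = Get-ADComputer -Filter "Name -eq 'AZUREADSSOACC'" -Properties PasswordLastSet
if (-not $sso) {
    $findings += 'AZUREADSSOACC is missing: Seamless SSO is not enabled in this forest'
} elseif ($sso.PasswordLastSet -lt (Get-Date).AddDays(-30)) {
    $findings += "AZUREADSSOACC Kerberos key last rolled $($sso.PasswordLastSet); roll it with Update-AzureADSSOForest"
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { 'Outbound-only connectivity, no inbound listener, and SSO account key age are within expectations' }
```

The third check is the one to keep running after go-live: “no certificates to manage” does not mean “no secrets to manage”, and the SSO computer account’s key deserves the same handling as a domain controller’s.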
AI is very real and here. Microsoft is quite serious about bringing this to mainstream.
The sole focus of Satya’s keynote was the vision of AI everywhere, most notably through Cortana, in Microsoft’s core cloud offerings including Azure, O365 and Dynamics. In fact that was basically it. The entire hour centered on this vision of “Democratizing AI”.
There were a number of very cool things presented, most notably a Hololens app for a home remodeling project tied in to Pinterest, where Cortana used this to determine your decorating taste. Very Star Trek, but very practical and apparently something coming to the real world very soon.
Other highlights include
- If you hated the Windows Paper Clip from back in the day you might really hate the new personal assistant infused with AI to make sure you exercise, eat right and keep up with your work.
- O365 and Dynamics infused with AI to increase productivity and enhance the customer experience.
- Awkward appearance by Deion Sanders for a fantasy football app demo as well as some on stage presentations from various AI/super computer teams.
- War and Peace translated in under 2 seconds with the new FPGA board
- All of Wikipedia translated in under a tenth of a second when the full power of Azure is employed
Below are my raw notes for those who are interested:
- empower every person with tools to solve big problems
- handwriting recognition
- holographic computer
- Office apps with intelligence
What is lacking is the ability to make sense of all the data being generated
- Agents – Cortana
- Reminder app to be proactive
- Health monitoring and insights
- To do list
- Keep track of key metrics
- Sticky notes
- Neural net typing to improve speed
- Skype Translator
- Word – spelling, grammar, context
- Dynamics 365 – relationship assistant (ships 11/16) – changes that are happening with the customer in the news or on LinkedIn
- Customer support – tech support agent (bot) can escalate to a real person. Bot (virtual assistant) can look up troubleshooting info for the rep
- Cortana intelligence
- Machine learning (bot framework) – convenient way for users to interact. Bot needs conversational understanding. NFL fantasy football bot coming. Deion Sanders makes an appearance on stage. Cortana predicts Saints win on Monday Night Football.
- Cognitive Services APIs – Uber driver and rider recognition and verification
- Cognitive Services APIs – Pinterest/Lowe’s – see the remodel at the store via Hololens – Cortana uses a deep neural network and deep learning to match product designs at Lowe’s. The analytics based on dwell time in the home decor demo were very interesting
- Azure – CPU scale – AI supercomputer in the cloud (FPGA) deployed in hyper-scale data centers – supercharged board. Very cool translation demo. War and Peace translated in two seconds. All of Wikipedia translated in less than a tenth of a second if full hyper-scale is used
- From silicon to cloud
For those of you not able to make it to Ignite, here are my notes and highlights from the day.
Quick takeaways
- “Identity is the new perimeter”
- All Azure, all day – no MIM sessions
- Security and EMS front and center day 1
- Good-bye Silverlight in the new integrated EMS console previewed in a breakout session
- Mobile Application Management (MAM) vs. MDM drives users acceptance of device protection
Morning Keynote Highlights
- Yeah Microsoft!
- Satya and Adobe announce new cloud services based on Azure
- Scott Guthrie gives good overview of Azure successes with showcase customers
Favorites from today
- Windows Hello – use your face as a password, very cool. I actually saw this in action with a fellow attendee who has this working on his real work machine. Good-bye passwords, but how do you reset your face?
- Got a pass to try a real world Hololens on day 2. I am really looking forward to trying this out.
Other cool stuff
- EMS policies to restrict copy and paste from restricted apps demoed
- Intune PowerShell to be released soon and opens an interesting scenario to wipe phones when users are terminated. Might be a nice tie-in with the PowerShell MA
Ike has been at it again! Check out his latest article on MIM 2016 and setting up Privileged Access Management (PAM) in an existing Forest using the built-in PAM Tool.
What a fun interview! I had a great time chatting with Ryan Newington about all things MIM along with Powershell. Hear about:
- What it’s like to manage 200,000+ identities across 4 continents for a large academic institution
- How Ryan’s Lithnet PowerShell tools came about and why you should use them to manage your FIM/MIM infrastructure
- What technologies Ryan currently struggles with
- What future enhancements he would like to see included in future versions of MIM
- New improvements Ryan is making to the Lithnet suite for the MIM Sync engine
The final part of interview is particularly entertaining. We talk about:
- Ryan’s favorite books 🙂
- How he nearly ended up in fast food management instead of MIM development
- His favorite dish and milkshake at McDonald’s
All in all it was a great deal of fun and Ryan is a great person to talk with. Take a listen, and I hope that you enjoy our conversation as much as I did.
More news today on the FIM/MIM third-party front. Ryan Newington announced the release today of his updated Lithnet FIM/MIM PowerShell Module. His PowerShell module is really something else and offers a significant improvement over the out-of-the-box FIM modules from Microsoft. Make this part of your toolset if it isn’t already.
Today Brian Desmond announced the release of the latest version of the FIM Powershell Modules. It looks like they have been quite busy. Take a look at all of the new features and bug fixes. Keep up the great work Brian!
No matter which side of the table you are on, an interesting article nonetheless. I have witnessed some abuses at many client sites that I have visited. On the flip side, I have seen third-party talent help plug big IT holes. Where do you stand?