How to keep company data secure, in a ‘mobile first, cloud first’ environment












It’s a  Brave new world, a mobile first, cloud first world of technology. In that world there are many new ways of consuming data, on many new devices. Data security is of paramount importance to any user, IT Pro, Small Business or Enterprise, it is a universal requirement of making that data available.

The operating system, platform and delivery method of the data should not cause any increase in the risk to it. In short the corporate entity must have complete control over the access to, consumption of and removal of data in terms of users, devices and platforms at all time.









That’s a fairly big ask. It is also one of the primary barriers to adoption of cloud technologies and people centric IT (PC_IT).

What is Microsoft’s approach to this rather thorny issue then?

As you might imagine, Microsoft has a number of methods of achieving this end game. The adoption of these depends whether you are either fully cloud, hybrid or fully on-premises for your infrastructure and data requirements. One thing is for sure, they certainly have it covered.

For an on premises scenario with a number of BYOD and corporate issued smartphones and tablets, the solution involved a number of products including Windows Server 2012 R2, Windows Intune and System Center Configuration Manager (2012 R2). The elements of the Server platform that assist with this solution are Active Directory Domain Services (AD DS), Dynamic Access Control, Active Directory Rights Management Services (AD RMS), Active Directory Federation Services (ADFS) and the all new Web Application Proxy.

For a Microsoft Azure based solution, the new Enterprise Mobility Suite (EMS) is designed to cater for most of the same functionality. The EMS consists of Azure Active Directory Premium (for Hybrid identity management and Multi Factor authentication as well as other added functions), Windows Intune and Azure Rights Management Services.

The Hybrid cloud customer would be able to take advantage of all these products to manage their data.

As an additional portion of goodness, Windows Server 2012 R2 also comes with Workplace join and Work Folders.











If all of this isn’t enough security, Microsoft also has a scalable and robust Virtual Desktop Infrastructure solution for a whole number of different scenarios that can actually prevent the data leaving the corporate network at all, whilst still giving remote users the ability to enjoy a standard interface and experience. (These include Session Virtualisation, Desktop Virtualisation, both pooled and personal and with Microsoft App-v the ability to stream applications too.)

The final piece of the jigsaw is the new Azure RemoteApp which is currently in preview that now allows a cloud based solution for application virtualization. (RemoteApp is also available for your on premises Windows Servers too).

It is important to point out that the overall People-Centric IT vision is not restricted to data security and management but has a three-pronged approach to PCIT. That of Enabling end users, Unifying the environment and Protecting data. Take a look at the PCIT whitepaper here.

So assuming you have visited the links and read the whitepaper (which after all is why they are linked…), you now know the field but what about the practicalities and what scenarios are covered by this.

Gosh Ed, that’s 500 words where you have pretty much just listed solutions to data security in a whole bunch of scenarios. How do we use these and how do we choose what to use in what situation?

The rest of this post is dedicated to three examples of when to use these solutions. I will then go on to a more detailed technical explanation in a series of future posts dedicated to each solution.

So, Scenario 1.

An iPad user wants access to their corporate intranet and files and folders, some of which are business critical data files. What can we do to allow this access, but control the device and ensure the data is secured?

The iPad has the facility to download the profile settings and join a workplace environment without being domain joined formally. This would allow access to a company portal for access to websites and applications.













Using Windows Intune, an administrator can enforce polices for security and data wipe on the iOS device. Securing the data



For access to secure data or applications incompatible with iOS, then a Virtual desktop could be used (Microsoft VDI) or a Microsoft Azure VM to keep the data off the device and allow access to the application on an incompatible operating system.


Scenario 2

An  Android SmartPhone user wants access to work email and files and folders for work use.

Windows Intune will secure the data and allow remote wipe of the device and or the data if required. Policies may be applied by the administrator to ensure that the device has a password and that encryption is also enforced.


Scenario 3

A  Windows RT 8.1 Tablet user wants to use a non-domain joined Tablet for work access to email and applications as well as work folders for data.

The combination of Windows Server 2012 R2 and the EMS suite will allow the administrator to provide workplace join, work folders and software deployment as well as endpoint protection for the device. Additional polices may be applied with Windows Intune to enforce rules and security of the data and to remotely wipe the device / data if required.

In a ‘Mobile first, cloud first’ world of devices and data, security is always a concern but the solutions available from Microsoft allow complete control of data access, security, integrity and removal. Don’t forget of course EMS is powered by Microsoft Azure and you can control your Azure subscription with, yes you guessed it PowerShell!

Watch this space for the detailed technical solutions for the three scenarios above, with a special one for the Web Application Proxy all on it’s own. This ground breaking server role replaces the Active Directory Federation Services Proxy role and also does so much more!

Comments are closed.