Podcast Microsoft Security and Compliance, Part One
New ways of working require new approaches to cybersecurity.
By Insight Editor / 25 May 2021
By Insight Editor / 25 May 2021
Many organizations rely on several solutions to safeguard their data, devices and users, but this can introduce unnecessary complexity into the IT environment. Anna Donnelly and Joe Flynn of Insight Connected Workforce discuss how Microsoft solutions simplify and centralize security — even in hybrid workplaces.
To experience this week’s episode, listen on the player above, watch the conversation below, or scroll down to read a complete transcript. You can also subscribe to Insight TechTalk on Apple Podcasts, Pandora, and Spotify.
Audio transcript:
[Music]
Anna
My name is Anna Donnelley. I'm a Services Product Manager that's focused on Microsoft solutions for our digital workplace. And today we're going to be talking a little bit about Microsoft's E5 licensing and some of the benefits around that and what we see in regard to our customers. With me today is Joe Flynn. Why don't you go ahead and introduce yourself.
Joe
Thank you, Anna. My name is Joe Flynn, Director of Services within Insight's Connected Workforce.
Anna
Awesome. So, where E5 and Microsoft licensing is concerned, we see a lot of it. We sell a lot of Microsoft licensing as one of their largest resellers. Are a lot of our customers buying their E5 licensing or upgrading to E5 license for Microsoft 365 or Office 365 with a real understanding of what they're getting? Do you think Joe?
Joe
I do agree. And if you look at the customers we deal with today, being the largest EA reseller, many of the customers are purchasing the bundled SKU, whether it's M365 E3, a lot of them are doing the E5 and in most times, it is because they're getting a great price point. They're getting a lot of features which they probably don't understand what they all do and/or exactly what's all included, but that's the problem there. The confusion starts kicking in because as you go through the EA renewals, most EAs are handled by procurement and most procurement are probably not the most technical or should be technical savvy people and that's where IT comes in. But once that contract is signed, the confusion and the scare sets in even more because your customers are spending millions of dollars and now you have IT and/or execs trying to determine what is it they bought. What's included in that SKU that they're buying versus the E3 versus E5? But then more importantly, how are they getting the value and/or the ROI out of what they've just purchased. So not only getting it implemented but also getting it consumed because even though I can set up the technology, you still got to get it configured for all the end-users and the infrastructure to take advantage of.
Anna
So, if customers aren't really aware of what they're buying with their licensing, how do you really explain the differences? How do they make those types of the kinds of decisions that they need to make in order to get some return on their investment?
Joe
Now great question. And if I concentrate on E5 and where I see the value, now remember E5 comes with Power BI. It comes with Teams Voice and also comes with a lot of security products. I do agree Power BI and Teams Voice are definitely valuable tools. Most customers are not ready for Teams Voice and at least we do see the increase. Over the past six months, Teams Voice and customers looking into it evaluating has gone through the roof. But if I step back and say, what is the value for most organizations from an ROI perspective, it's going to be the security aspect of what comes in that bundled SKU. Many companies, they have multiple security tools. And if you think of dealing with multiple security tools, you're now increasing complexity within your environment and your infrastructure and not only around what's deployed but supporting that infrastructure, keeping your employees up to date on how to support that infrastructure. But then you're also decreasing employee experience. And when I say decreasing employee experience just to give you an example, we'd worked with a couple of customers. One specifically had mentioned they had 18 security products on their endpoints. And as far as IT was aware and security was aware, everything was perfectly fine. But the moment you started engaging with their end users and on what their experience was on those devices, it was horrendous. And the end user said they could barely work throughout the day. So, adding that complexity, this is where the E5 SKU comes in. In a recent public statement by Microsoft, they state that the E5 SKU can replace up to 40 solutions. Imagine that, 40. So now we can consolidate, gain ROI in the consolidation alone but then also we get the best part of what the Microsoft ecosystem has. And I do say as an ecosystem because the benefit of the E5 SKU is you have E5 security stack on the Office 365 side of like DLP, SafeLink, Safe Attachments. You have E5 on Windows 10 which is Device Guard, Credential Guard and Defender, the antivirus and the cloud-based machine learning parts of antivirus. And then you have E5 on the EMS stack which deals with protecting the identity, protecting the data, protecting the device. The benefit of that ecosystem is that everything talks to each other. So, if something is compromised on one side, it can notify everything else. And then actions can be flagged whether you're flagging it to limit what a user can do or you're going to prevent a user from doing something or the benefit of whole machine learning and AI is automatic remediation of what's going to happen within your environment. Try doing that across five or 40 different tool sets in your organization trying to accomplish the same thing.
Anna
Oh, so you said there was a customer that had15 solutions just on an endpoint and Microsoft E5 Security can replace up to 40. That's crazy. I can't imagine, well, I can imagine what the end user experience might be like for those folks. So, I mean, that leads me to my next question. How does this actually work in real life? What kind of experience should they expect if they are taking advantage of everything in the E5 license then?
Joe
Absolutely and let's talk through a scenario that many may be dealing with today. If we look at the hybrid workforce, right we, as we've been, companies are shifting. We went from a year ago to being all remote. Now as the vaccine is being rolled out in the pandemic, hopefully right, it's coming to an end. We now have companies not only having users stay remote, we have companies where users are coming back into the office, but then we have that hybrid worker where users could be traveling to and from the office. Maybe a couple of days in the office, a couple of days out of the office or maybe you have that sales force that's constantly going back to traveling on a plane. If we look at that instance, we can take it to where we can configure what type of security settings, conditions, policies be applied based on where that user is. So, we don't have to worry about specifics on that device. We can protect at the door. We can protect at the device and protect the data. So, for instance, let's do a conversation. If we talk through an end user called Nancy. Nancy today is in the office. And the fact that she's in the office and we have everything from an E5 configured that that's a trusted location, because most offices you have to badge in, most offices you're connected to a corporate Wi-Fi or you're simply plugged into the ethernet. We can assume she's trusted. So, at that point in time, she can access resources. She can get to the cloud technologies. We don't have to prompt her for multi-factor authentication. We can kind of make it a much easier for her and from an experience perspective. Now let's say the following week Nancy travels abroad. She's traveling throughout the world. And she happens to be sitting in a coffee shop that who knows where she was traveling at that point in time. When she opens up her laptop and tries to access those same cloud tools with the E5 stack, we have the ability now to prompt her for multi-factor authentication. So again, we're protecting at the door. we're making sure she is who she is. We have the ability to determine if she's in a risky location based on the IP address she's coming from. has that IP address or that location been known, be known publicly to have malware, to have threats, to have attacks come from it? And if that's the case, you may want to prevent what she can do. But once she gets past the identity protection, now we have the ability to now look at the device layer. Is she accessing it from a compliant corporate-owned device? Is her device up to date with patches? Is everything regarding that device where the company requires it to be to access the corporate data? Once we get through all of that, now we have the ability to dive deeper and now protect the data she's accessing. So, for instance, she goes access a confidential document. Anna let's say she wants to send it to you but yet you're external to us as a company. We have a means with Azure Information Protection to determine is that document sensitive? Can she send it out of the company? And then if she does send it out to the company, we can either allow her if that's what the policy is, block it, or we can allow it and even audit it. So, who is she sending it to? Have they opened it? We can even pull it back. So, we can say, we don't want anyone to have access to this. So, whoever she sent it to previously is never going to have access to this going forward. So then think about an experience. We're able to protect from the office to the traveler to even the home worker. But most importantly, we're able to go back to protecting at the door, protecting at the device and then diving in deeper and protecting the data. Because at the end of the day, it shouldn't matter what device we're using. We should make sure that user is secure and we're making sure that user is who they are. Because if for instance, if their password got out, anybody could be logging in as them. And that's why you always have to do your due diligence of multi-factor authentication and other things. But then more importantly, the data. This data we have in companies as we progressed to the hybrid workforce collaboration, data's going everywhere. It's being sent in email. It's being sent in Teams. It's being sent wherever you could think of. So as a corporation, you really want to know where that data is going. And that's where the E5 security stack can come in handy.
Anna
Right.
Joe
Now we know in a security and this is my side, and the infrastructure side can be deployed day in and day out, right? We help customers with this conversation all the time. But I'd love to hear your take being on more of the adoption side is what do companies have to think about when they go through the E5 SKU, where do the end users come into that conversation from an E5 stack?
Anna
So, there's a couple of things. If we go back to your story about the customer who had 15 solutions on the endpoint and things were really slow. You're never going to get any end user to care necessarily about whether or not they are working securely if they can't work with the technology that you're giving them. And I do think that that is one of the huge benefits of E5 is that it provides a seamless end-user experience, a truly seamless end user experience no matter where that end user is at and really encourages them to use the technology in the way that you would intend them to use it instead of making things so impossible that they're trying to go, you know, outside of wherever they're at to get additional assistance, whether that is with a, you know non-compliant device or anything else. So, I think that's the first key to getting end users adoption and really understanding that their return on investment is to give them a great experience. And where the rest of that is concerned, it's enabling your employees to do the right thing in particular, where security is concerned. And I'm going to provide you with my very favorite analogy about end-user security and end-user security programs courtesy of someone else that we work with who's one of our resident experts in security here at Insight. And it really resonates with me having a new teenage driver in my home. So, you know, you can buy a car that's got all of the safety features that are available. That you can have a backup camera and lane departure alerts and blind spot detection and all of that all the way to technology. Awesome. Right? But if you're not going to teach that person how to drive, if you don't teach them the rules of the road, if you don't teach them how to brake and how to change lanes, all of the things that my son has been kind of dealing with lately in his new foray into driving, there's still going to really be a lousy driver, right? If you, even though you've invested all this technology in being in the car, being safe, if you're not teaching them what they need to know, it doesn't really matter, does it?
Joe
Right.
Anna
And it's the same for cybersecurity, right? If you're not investing and effectively teaching your end users best practices for keeping your organization straight, safe, the investment is really just not going to help you. Especially if you consider that an overwhelming majority of security breaches and most of the studies that you see are well above 90%, they occur because of human error. So, whether it's, you know, well malware or phishing or anything else, you really have to empower your users to make the right decisions. And that means addressing security in a way that is really going to resonate with them. The old way of putting, you know, training in front of them that may or may not be very engaging, that isn't talking about the reasons why they need to care, that isn't empathizing with the situation that they are in, the old way of doing that is not as effective as some of the new things that are out there either between training programs that are using multiple ways of getting to your end users and teaching your end users the right behaviors or phishing campaigns that are truly engaging that again empathize with your users that aren't just treating the transaction as you did this thing wrong right?
Joe
Awesome.
Anna
So, I think those two aspects are really important to make sure you're providing a great experience if you want them to be safe and then make sure that you're giving them the right information that they need in a way that they're actually going to consume it.
Joe
Well said. Couldn't have said it better myself. So, thank you for joining us on today's "Tech Talk" and feel free to reach out to Insight if you have questions around E3 versus E5 or how to get the value out of the E5 SKU that you potentially may have already purchased. Have a great day.
Anna
Great. Thanks.
[Music]