Company Size: 100
Industry: Cyber Security Publication
Endpoint Solutions: Microsoft Intune (Windows), Jamf Pro (macOS)
Endpoint Security: Jamf Protect (macOS), Sophos (Windows)
Email and SSO Solutions: Office365, Azure SSO
Network Stack: Cisco Meraki
The What:
This client focuses on empowering and informing cyber security professionals through various forms of media such as publications and podcasts. They engaged us in 2019 as a newly formed organization that had yet to set up its NYC offices. Along with their major office move, the client was also acquiring divisions of existing companies and needed a way to integrate them into their operations seamlessly. The challenges posed to Advisory were:
1. Set up a new network for the client.
2. Automate new user onboarding and offboarding.
3. Set up a structure for machine management (both Macs and PCs), identity security, and network security.
4. Provide ongoing support for teams spread across four major cities in the United States.
5. No physical infrastructure. Everything has to be fully cloud-based.
Our Solution:
In thinking about the challenges we faced, we broke down the needs into three distinct buckets:
Network Security
Endpoint Security
Identity Security
Each of these items needed a holistic, customized solution, and our goal was then to tie them all together.
The Network Setup
Knowing that the client was on a quick growth trajectory that spanned beyond New York’s borders (and our immediate physical reach), we needed a scalable solution to integrate each geographic location within the client’s broader portfolio without the need for on-the-ground technical knowledge. For this, we chose to implement Cisco Meraki, a best-in-class, cloud-managed network hardware manufacturer. Advisory project-managed the wiring work that the new space needed and conducted extensive heat mapping tests to optimize the WiFi signal across glass walls and exposed HVAC ducts. After the new wiring was complete, we stood up a new Meraki network that would become the standard for all future offices. We utilized five MR-33 Meraki access points and an MX-84 firewall for network security. We were able to construct the network so that it supports various endpoints like computers, VoIP phones, and personal devices without affecting the bandwidth available for the team.
The Endpoint Setup
The next challenge was solving for onboarding, offboarding, and machine management. Since the client didn’t have any form of internal IT infrastructure, we were starting from scratch. While this presented a challenge, it also provided us the opportunity to stretch the limits of what software can accomplish. Over the course of two months, we were able to build a nearly zero-touch experience for new and existing employees. On the Windows side, we leaned heavily on Microsoft’s Azure / Intune infrastructure. With just a simple login to their company email account, a new user’s computer begins to set itself up automatically. This includes security protocols, approved company apps, and access to shared content under the client’s umbrella.
On the Mac side, we leveraged the power of Apple’s Business Manager platform in tandem with Jamf Pro, a mobile device management platform. Mac users would simply need to open their new machine and connect to WiFi. The device enrollment protocols would seamlessly and automatically handle account creation, implement security protocols, install company apps and provide access to company resources.
We standardized on Jamf Protect for macOS and Sophos endpoint security for the Windows computers to ensure that the machines were protected whether they were in the office or out on the road. This gave us a unified security dashboard through which we monitor the health and security of the devices regardless of operating system.
Identity Security
To tie everything together, and because the client has standardized on an Office365 backend, we opted to implement Azure SSO for all identity management tools and apps. This added a layer of security to all of the resources that the client takes advantage of so that only employees with active accounts are able to access these systems.
We integrated the majority of company apps so that users could access them without credentials as long as they could authenticate with the multi-factor process that protected their accounts. This has served to greatly minimize password loss and account recovery interruptions and has provided an extremely easy, scalable, and secure way to provision and remove systems access for users.
Closing Thoughts
As a cloud-first company, the client presented us with an opportunity to build a truly decentralized setup that made scaling across new acquisitions extremely fluid. We had the luxury of designing, deploying, and supporting a scalable and secure system from the ground up.