Authentication for Office 365 Erik Notermans Country Manager Central and Northern Europe

Post on 03-Jan-2016


Page 1: Authentication for Office 365 Erik Notermans Country Manager Central and Northern Europe

Authentication for Office 365

Erik Notermans

Country Manager Central and Northern Europe

Page 2:

Cloud, Desktop and BYOD

“Access from anywhere with anything”

By Erik Notermans

Page 3:

Page 4:

The Cloud

• Is a very public place

• Everyone knows where your front door is

• Everyone knows what your username is

• Email address, just like Facebook!

• Just one password away from access!

• What is your identity worth?

Page 5:

It is not Rocket Science

• I know that DuPont use O365

• http://www.microsoft.com/en-gb/office365/nowonoffice365.aspx

• I know the format of DuPont’s emails is [email protected]

• http://www.email-format.com/d/dupont.com/

• I know that Ellen Kullman is CEO

• (source: DuPont.com)

• Just one password away from access ?????

• Cloud means all access is remote access

• The office building is no longer a perimeter defence

Page 6:

Practical problems with password re-use

• Twitter; Feb 2013: 250,000 passwords hacked

• LinkedIn; June 2012: 6.4 million passwords released

• Facebook; January 2012: 50,000 accounts hacked

• Facebook; 600,000 fraudulent login attempts every day

• Sega; June 2011, 1.29 million account details stolen

• Sony; April 2011, 100 million accounts suffered data theft

Sega explained that it had reset all passwords and urged customers to change their log-on details on other services and websites where they used the same credentials.

(http://www.bbc.co.uk/news/technology-13829690)

Page 7:

Practical problems with password re-use

Page 8:

Corporate Data Personal Machines

• Facebook in one window, OWA in the other.

• Same password in both?

• Mixed environment

• Is your corporate identity your social identity?

• What other cloud applications are your employees using?

Page 9:

Password Vulnerability

• Passwords are particularly vulnerable because they are static.

• The same for every authentication

• We all have so many… we reuse them

Rock You 2009

1. 123456
2. 2345
3. 123456789
4. Password
5. Iloveyou
6. Princess
7. Rockyou
8. 1234567
9. 12345678
10. abc123

LinkedIn 2012

1. link
2. 1234
3. work
4. god
5. job
6. 12345
7. angel
8. the
9. ilove
10. sex

Strong Passwords

1. 5!uE2)~8
2. _34:7eW
3. $W2Nc
4. Y:l3}
5. GQNu>5$+wj
6. L*uC}n&"2Ic5V1
7. !-5$Bu0^
8. P1^&5ux(
9. [><c@2I=g
10. dn9f7#x2}/&W.)+VR'&K

Page 10:

Hacking Tools

Page 11:

Cloud, Desktop and BYOD

Best Practice = Strong Authentication

Page 12:

How to add additional authentication to Office 365

• Configure your O365 Domain to use ADFS

• Federation is your friend.

• Users have to authenticate to YOU, not Microsoft

• You retain control of credentials

• You can have your own login page

Page 13:

Microsoft Endorsement

“Microsoft Office 365 is live with customers for 2FA integration and only officially supports two vendors: RSA and Swivel”

Steve Patrick

Page 14:

O365 ADFS

[Diagram labels: External User, Internet, ADFS Proxy, ADFS Server, Active Directory, Internal User, Office 365]

Page 15:

Applications of Swivel: Cloud

[Diagram labels: External User, Internet, Swivel filter, ADFS Proxy, ADFS Server, Swivel, Active Directory, Internal User, Office 365]

Page 16:

Browser-based

• Image authentication: Delivered in browser, every device has a browser.

Page 17:

Adding PINsafe

Page 18:

PINsafe protocol

• PIN: 1 3 6 9 (stays the same)

• Security String: 5 1 7 3 9 2 0 6 4 8, shown against positions 1 2 3 4 5 6 7 8 9 0 (changes for every authentication attempt)

• One-Time Code: 5 7 2 4 (different every time)

• Strong Authentication
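The exchange on the PINsafe protocol slide, as an added example that is not Swivel's code or part of the original deck: each PIN digit is read as a position in the security string, so PIN 1 3 6 9 against 5 1 7 3 9 2 0 6 4 8 gives the one-time code 5 7 2 4. The `Challenge` class, the random-permutation security string and the rule that a string is consumed on its first attempt are assumptions made for illustration.

```python
import hmac
import secrets

POSITIONS = "1234567890"  # index row from the slide; "0" labels the tenth place


def new_security_string() -> str:
    """Fresh random ordering of 0-9 (assumption: a permutation, as on the slide)."""
    digits = list("0123456789")
    for i in range(9, 0, -1):  # Fisher-Yates shuffle driven by the OS CSPRNG
        j = secrets.randbelow(i + 1)
        digits[i], digits[j] = digits[j], digits[i]
    return "".join(digits)


def one_time_code(pin: str, security_string: str) -> str:
    """Each PIN digit names a position; the OTC is the digit found there."""
    for name, value in (("PIN", pin), ("security string", security_string)):
        if not (value and value.isascii() and value.isdigit()):
            raise ValueError(f"{name} must be numeric")
    if len(security_string) != 10:
        raise ValueError("security string must be 10 digits")
    return "".join(security_string[POSITIONS.index(d)] for d in pin)


class Challenge:
    """Server-side record of one issued security string (hypothetical helper)."""

    def __init__(self, pin: str, security_string: str = ""):
        self._pin = pin
        self.security_string = security_string or new_security_string()
        self._used = False

    def verify(self, submitted: str) -> bool:
        if self._used:       # a security string is never accepted twice
            return False
        self._used = True    # consumed on the first attempt, right or wrong
        expected = one_time_code(self._pin, self.security_string)
        # constant-time comparison of the expected and submitted codes
        return hmac.compare_digest(expected.encode(), submitted.encode())


if __name__ == "__main__":
    slide = Challenge("1369", "5173920648")   # values from the slide
    print(one_time_code("1369", slide.security_string), slide.verify("5724"))
    fresh = Challenge("1369")                  # same PIN, new string, new code
    print(fresh.security_string, one_time_code("1369", fresh.security_string))
```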

Page 19:

Device options: Browser

Image and PINsafe:

• PINpad challenge uses a 10-digit security string, and the grid can be displayed in any design

• Credential different every time

• User uses the mouse to click on their PIN number. Transmitted number is an OTC.

• Defence against brute-force and other automated attacks

Page 20:

The Swivel Approach

Anything anywhere with anything (subject to policies of course)

• The core platform sends users a challenge

• User enters the correct response to authenticate

[Diagram labels: Core; VPN, Web, Cloud, Desktop; Mobile App, Web, SMS, Telephony]

Page 21:

Adding a Device (factor)

[Diagram labels: Core; VPN, Web, Cloud, Desktop; Mobile App, Web, SMS, Telephony]

• If the challenge can only be received on one device or the response only sent from one device, we have 2-factor authentication

Page 22:

Using Two-Factor

• SMS: Every mobile device can send or receive SMS.

Page 23:

Using Two-Factor

• Mobile app: Works on even basic smartphones. Lightweight.

Page 24:

Applications of Swivel: VPN

• SSL VPN

• IPSec

• RADIUS

• XML API

• AD Integration

• Swivel Knowledge Base: kb.swivelsecure.com/integrations

Page 25:

Applications of Swivel: VPN

Page 26:

Applications of Swivel: Web applications

Web:

• Swivel can secure any web site

• Browser agnostic

• Pre-built solutions for IIS and ISA

• OWA, SharePoint

Page 27:

Applications of Swivel: Web applications

SharePoint:

• SharePoint

• Flexible deployment on SharePoint Applications

• Creates ‘Claims Token’

• SharePoint service protected by .NET HTTP filter

Page 28:

Swivel Alternative

• A single authentication platform to meet all your needs

• Cloud, On-Premise, VPN, Virtual Desktop

• Strong and Two-factor authentication as appropriate

• Tokenless

• Easy to manage

• Easy to work with changing userbase*

Page 29:

Questions?