Authentication for Office 365
Erik Notermans
Country Manager Central and Northern Europe
Cloud, Desktop and BYOD
“Access from anywhere with anything”
By Erik Notermans
The Cloud
• Is a very public place
• Everyone knows where your front door is
• Everyone knows what your username is
• Email address, just like Facebook!
• Just one password away from access!
• What is your identity worth?
It is not Rocket Science
• I know that DuPont use O365
• http://www.microsoft.com/en-gb/office365/nowonoffice365.aspx
• I know the format of DuPont’s emails is [email protected]
• http://www.email-format.com/d/dupont.com/
• I know that Ellen Kullman is CEO (source: DuPont.com)
• Just one password away from access ?????
• Cloud means all access is remote access
• The office building is no longer a perimeter defence
Practical problems with password re-use
• Twitter; Feb 2013: 250,000 passwords hacked
• LinkedIn; June 2012: 6.4 million passwords released
• Facebook; January 2012: 50,000 accounts hacked
• Facebook; 600,000 fraudulent login attempts every day
• Sega; June 2011, 1.29 million account details stolen
• Sony; April 2011, 100 million accounts suffered data theft
Sega explained that it had reset all passwords and urged customers to change their log-on details on other services and websites where they used the same credentials.
(http://www.bbc.co.uk/news/technology-13829690)
Practical problems with password re-use
Corporate Data Personal Machines
• Facebook in one window, OWA in the other.
• Same password in both?
• Mixed environment
• Is your corporate identity your social identity?
• What other cloud applications are your employees using ?
Password Vulnerability
• Passwords are particularly vulnerable because they are static.
• The same for every authentication
• We all have so many… we reuse them
Rock You 2009
1. 123456
2. 2345
3. 123456789
4. Password
5. Iloveyou
6. Princess
7. Rockyou
8. 1234567
9. 12345678
10. abc123
LinkedIn 2012
1. link
2. 1234
3. work
4. god
5. job
6. 12345
7. angel
8. the
9. ilove
10. sex
Strong Passwords
1. 5!uE2)~8
2. _34:7eW
3. $W2Nc
4. Y:l3}
5. GQNu>5$+wj
6. L*uC}n&"2Ic5V1
7. !-5$Bu0^
8. P1^&5ux(
9. [><c@2I=g
10. dn9f7#x2}/&W.)+VR'&K
Hacking Tools
Cloud, Desktop and BYOD
Best Practice = Strong Authentication
How to add additional authentication to Office 365
• Configure your O365 Domain to use ADFS
• Federation is your friend.
• Users have to authenticate to YOU, not Microsoft
• You retain control of credentials
• You can have your own login page
Microsoft Endorsement
“Microsoft Office 365 is live with customers for 2FA integration and only officially supports two vendors: RSA and Swivel”
Steve Patrick
O365 ADFS
(Diagram: O365 ADFS topology. Components shown: External User, Internet, ADFS Proxy, ADFS Server, Active Directory, Internal User, Office 365.)
Applications of Swivel: Cloud
(Diagram: the same ADFS topology with Swivel added. Components shown: External User, Internet, Swivel filter, ADFS Proxy, ADFS Server, Active Directory, Swivel, Office 365.)
Browser-based
• Image authentication: Delivered in browser, every device has a browser.
Adding PINsafe
PINsafe protocol
• Security String (changes for every authentication attempt): 5 1 7 3 9 2 0 6 4 8
• Positions: 1 2 3 4 5 6 7 8 9 0
• PIN (stays the same): 1 3 6 9
• One-Time Code (different every time): 5 7 2 4
Strong Authentication
Device options: Browser
Image and PINsafe:
• PINpad challenge uses a 10-digit security string, and the grid can be displayed in any design
• Credential different every time
• User uses the mouse to click on their PIN number. Transmitted number is an OTC.
• Defence against brute-force and other automated attacks
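A worked implementation of the PINsafe derivation shown on the protocol slide and in the PINpad bullets above, added here as an illustration (not Swivel's own code): each PIN digit names a position in the per-attempt security string, the digits found there form the one-time code, and a hypothetical server-side verifier consumes each security string after a single response. It assumes the digit 0 addresses the 10th position, as in the slide's index row, and uses the slide's PIN 1369 as the constructed sample.

```python
import hmac
import secrets
from typing import Optional

DIGITS = "0123456789"


def new_security_string() -> str:
    """Issue a fresh 10-digit security string for one authentication attempt."""
    return "".join(secrets.choice(DIGITS) for _ in range(10))


def expected_otc(pin: str, security_string: str) -> str:
    """Derive the one-time code: each PIN digit is a position in the security
    string (1..9, with 0 meaning the 10th position, as in the slide's index
    row) and the digits at those positions form the OTC.
    PIN 1 3 6 9 over string 5 1 7 3 9 2 0 6 4 8 yields 5 7 2 4."""
    if len(security_string) != 10 or not security_string.isdigit():
        raise ValueError("security string must be exactly 10 digits")
    if not pin or not pin.isdigit():
        raise ValueError("PIN must be one or more digits")
    return "".join(security_string[(int(d) - 1) % 10] for d in pin)


class PinsafeVerifier:
    """Hypothetical server-side check (not Swivel's code). One security string
    is outstanding per user and is consumed by the first response, so a
    captured OTC cannot be replayed against the next attempt."""

    def __init__(self, pin: str) -> None:
        self._pin = pin
        self._pending: Optional[str] = None

    def challenge(self) -> str:
        self._pending = new_security_string()
        return self._pending

    def verify(self, otc: str) -> bool:
        if self._pending is None:
            return False  # no outstanding challenge, so nothing to answer
        issued, self._pending = self._pending, None  # single use
        return hmac.compare_digest(expected_otc(self._pin, issued), otc)


if __name__ == "__main__":
    v = PinsafeVerifier("1369")        # constructed sample PIN from the slide
    s = v.challenge()
    code = expected_otc("1369", s)     # what the legitimate user would click
    print(s, code, v.verify(code), v.verify(code))  # True, then False (replay)
```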
The Swivel Approach
Anything anywhere with anything (subject to policies of course)
(Diagram: Swivel Core, with VPN, Web, Cloud and Desktop on one side and Mobile App, Web, SMS and Telephony on the other.)
• The core platform sends users a challenge
• User enters the correct response to authenticate
Adding a Device (factor)
• If the challenge can only be received on one device or the response only sent from one device, we have 2-factor authentication
Using Two-Factor
• SMS: Every mobile device can send or receive SMS.
Using Two-Factor
• Mobile app: Works on even basic smartphones. Lightweight.
Applications of Swivel: VPN
• SSL VPN
• IPSec
• RADIUS
• XML API
• AD Integration
• Swivel Knowledge Base: kb.swivelsecure.com/integrations
Applications of Swivel: Web applications
Web:
• Swivel can secure any web site
• Browser agnostic
• Pre-built solutions for IIS and ISA
• OWA, Sharepoint
Applications of Swivel: Web applications
SharePoint:
• SharePoint
• Flexible deployment on SharePoint Applications
• Creates ‘Claims Token’
• SharePoint service protected by .NET HTTP filter
Swivel Alternative
• A single authentication platform to meet all your needs
• Cloud, On-Premise, VPN, Virtual Desktop
• Strong and Two-factor authentication as appropriate
• Tokenless
• Easy to manage
• Easy to work with changing userbase*
Questions?