Authentication for Office 365 Erik Notermans Country Manager Central and Northern Europe

Cloud, Desktop and BYOD “Access from anywhere with anything” By Erik Notermans

The Cloud Is a very public place Everyone knows where your front door is Everyone knows what your username is address, just like Facebook! Just one password away from access! What is your identity worth?

It is not Rocket Science I know that Dell use Salesforce CRM (source: Salesforce.com) I know the format of Dell s is (source: my inbox) I know that Michael Dell is CEO (source: Wikipedia) Just one password away from access ????? Cloud means all access is remote access

It is not Rocket Science I know that DuPont use O365 I know the format of DuPont’s s is I know that Ellen Kullman is CEO (source: DuPont.com) Just one password away from access ????? Cloud means all access is remote access The office building is no longer a perimeter defence

Virtual Desktop Data stays in network Performance advantages Security Advantages Ipads etc go missing! Browser-based access, multiple device/OS support. However, very high level of access Lots of benefits for the “good citizen” Not quite so good if a bad-guy gets in VDI turns your corporate desktops into a cloud service Available to anyone and anywhere with the right credentials Albeit a private cloud

Bring Your Own Device What can it mean More remote access, because people will want to bring and take their own device. Corporate data accessed from personal machines Bring your own malware Bring your own operating system Bring your own device capabilities Bring any device (BAD!) What does that mean for your authentication system?

Practical problems with password re-use Twitter; Feb 2013: 250,000 passwords hacked LinkedIn; June 2012: 6.4 million passwords released Facebook; January 2012: 50,000 accounts hacked Facebook; 600,000 fraudulent login attempts everyday Sega; June 2011, 1.29 million account details stolen Sony; April 2011, 100 million accounts suffered data theft Sega explained that it had reset all passwords and urged customers to change their log-on details on other services and websites where they used the same credentials. (

Practical problems with password re-use

Corporate Data Personal Machines Facebook in one window, OWA in the other. Same password in both? Mixed environment Is your corporate identity your social identity? What other cloud applications are your employees using ?

Password Vulnerability Passwords are particularly vulnerable because they are static. The same for every authentication We all have so many… we reuse them Password 5.Iloveyou 6.Princess 7.Rockyou abc123 Rock You link work 4.god 5.job angel 8.the 9.ilove 10.sex LinkedIn !uE2)~8 2._34:7eW 3.$W2Nc 4.Y:l3} 5.GQNu>5$+wj 6.L*uC}n&"2Ic5V1 7.!-5$Bu0^ 8.P1^&5ux( 10.dn9f7#x2}/&W.)+VR'&K Strong Passwords

Hacking Tools

Cloud, Desktop and BYOD Best Practice = Strong Authentication

Bring Your Own Operating System Sensible BYOD will have some boundaries An authentication system that works with all operating systems (fixed and mobile) Cannot rely on installed clients, flash etc. Flexible user challenge-response, based on the application or device

How to add additional authentication to Office 365 Configure your O365 Domain to use ADFS Federation is your friend. User have to authenticate to YOU not Microsoft You retain control of credentials You can have your own login page

Microsoft Endorsement “Microsoft Office 365 is live with customers for 2FA integration and only officially support two vendors. RSA and Swivel” Steve Patrick

O365 ADFS ADFS Proxy ADFS Proxy External User External User Internet Active Directory Active Directory ADFS Server ADFS Server Internal User Internal User Office 365

Internal User Internal User Applications of Swivel: Cloud ADFS Proxy ADFS Proxy External User External User Internet Swivel filter Swivel filter Active Directory Active Directory ADFS Server ADFS Server Swivel Office 365

Browser-based Image authentication: Delivered in browser, every device has a browser.

Adding PINsafe

PINsafe protocol One-Time Code Security String PIN stays the same changes for every authentication attempt Different every time Strong Authentication

Device options: Browser Image and PINsafe: PINpad challenge uses a 10 digit security string, and the grid can be displayed in any design Credential different every time User uses the mouse to click on their PIN number. Transmitted number is an OTC. Defence against brute-force and other automated attacks

VPNWebCloudDesktop Mobile AppWebSMSTelephony Core User enters the correct response to authenticate The core platform sends users a challenge The Swivel Approach Anything anywhere with anything (subject to policies of course)

Desktop Telephony VPNWebCloud Mobile AppWebSMS Core Adding a Device (factor) If the challenge can only be received on one device or the response only sent from one device, we have 2-factor authentication

Using Two-Factor SMS: Every mobile device can send or receive SMS.

Using Two Factor Mobile app.: Works on even basic smartphones. Lightweight.

Applications of Swivel: VPN SSL VPN IPSec RADIUS XML API AD Integration Swivel Knowledge Base: kb.swivelsecure.com/integrations

Applications of Swivel: VPN

Applications of Swivel: Web applications Web: Swivel can secure any web site Browser agnostic Pre-built solutions for IIS and ISA OWA, Sharepoint

Applications of Swivel: Web applications SharePoint: SharePoint Flexible deployment on SharePoint Applications Creates ‘Claims Token’ SharePoint service protected by.NET http filter

Swivel Alternative A single authentication platform to meet all your needs Cloud, On-Premise, VPN, Virtual Desktop Strong and Two-factor authentication as appropriate Tokenless Easy to manage Easy to work with changing userbase*

Questions?