Unlocking Office 365 without a password

How to Secure Access to Your Business Information in the Cloud without needing to remember another password.
Introduction

It is highly likely that if you have downloaded this ebook you are thinking about the security of your company's information in the cloud. You want the benefits and power of cloud productivity, helping your organization to save time and money and free up valued resources. At the same time you want it to be simple. And safe. The last thing you want is an incident that puts your business at risk. With more workers on the go, your business information is likely accessed by more people and from more places and platforms than ever before. This increased access also raises the opportunity for attack. In today's threat landscape, cybercrime is carried out by highly organized, financially motivated professional criminals. So it's vitally important to make sure the approach you take to safeguarding access balances security against usability for your staff and partners. Office 365 provides secure access across platforms and devices through innovative technology coupled with a comprehensive approach to security that protects your systems and data in its environment. But much of it hinges on the strength and protection of a user's password. The rest of this ebook will explore why requiring your users to remember another password just isn't the most effective way to protect your business information in Office 365, and demonstrate several alternatives that make it easier for your staff to access their information in the cloud more safely.
61% of people reuse the same password on multiple websites. [1] So what happens if another site is compromised and that password is the same one used for Office 365?

[1] CSID Password Habits Report - http://www.csid.com/wp-content/uploads/2012/09/cs_passwordsurvey_fullreport_final.pdf
The Challenge

The news is riddled with stories of compromised websites that have exposed users to great risk. Sites like LinkedIn, eHarmony, Sony and Dropbox demonstrate that we put far too much trust in cloud providers without considering the impact and liability we may face if our passwords are stolen. This problem isn't new. For the past five years there has been at least one serious breach every month that has impacted and inconvenienced users. It won't go away anytime soon. The combination of poor password management by many cloud providers and simple negligence by users in maintaining discipline against password reuse is just too much to bear. When users have to enter credentials in more than five different prompts every day, over any given month they may have to know twenty different passwords. They are lucky if they remember five. [2]

[Chart: Number of passwords remembered, by share of respondents]

[2] CSID Password Habits Report - http://www.csid.com/wp-content/uploads/2012/09/cs_passwordsurvey_fullreport_final.pdf
Microsoft's Enterprise Solution: Federation

In an effort to battle password fatigue, Microsoft offers its customers the option to federate their identity with their office systems. Called Active Directory Federation Services (ADFS), it provides a great way for people to use the same password in Office 365 that they do at work. That means one less password to remember, and the company can control and maintain password policy and maintenance decisions at the office. These benefits come at a cost. According to a Forrester Research study on The Total Economic Impact of Microsoft Office 365 [3], for single sign-on (SSO) and identity federation to Office 365 a company would spend over $10,000 on hardware, maintenance and in-house hosting over a three year period, with over 80% of that cost incurred in the first year. Combined with the evidence that deploying ADFS can be difficult, for many smaller organizations this is just not feasible. A survey conducted in the Office 365 admin group on LinkedIn found that 71% of respondents needed more than 2 full days to set up ADFS.

[Chart: Time needed to deploy ADFS]

71% needed more than 2 days to set up ADFS.

[3] http://download.microsoft.com/download/4/a/d/4ad0bc3b-1345-41b7-be3c-d6ea3bfd0176/tei of Office 365 - midmarket.pdf
90% of Office 365 customers are small businesses with fewer than 50 employees. [4]

[4] Taken from Microsoft's "Look Who is using the Cloud" infographic - http://www.microsoft.com/en-us/news/imagedetail.aspx?id=ceab62bf6b15335c6fa078be0f9cf13ec035ab43
Microsoft's SMB Solution: The Office 365 AddIn

Knowing that a majority of Office 365 customers are smaller businesses that don't have the infrastructure or expertise to run ADFS, Microsoft has approached this market with the introduction of its Office 365 AddIn for Windows Server Essentials. This essentially provides a capability in which the local on-premise server can synchronize accounts and passwords to Office 365 through a special integration wizard. This goes a long way toward addressing the fundamental need to maintain a single identity between the on-premise server infrastructure and Microsoft's Cloud Services. However, password policy conflicts in earlier versions may make this cumbersome, since passwords updated in Office 365 are NOT synchronized back to the on-premise server infrastructure. So it is possible that the credentials may not match between sites, confusing users and increasing administrative costs as you diagnose and manage the separate password systems.

The Bigger Problem

While ADFS and the Office 365 AddIn for Windows Server Essentials do answer the problem of having to remember another password to access Office 365, neither actually makes the experience more secure. If anything, depending on where users access Office 365, it could actually be riskier for the business. If malware from the vile and villainy of the Internet is installed on a device that a staff member uses to access business information in Microsoft's Cloud Services, the password they enter may be collected and compromised. At this point, the attacker holds not only a credential to Office 365 in the cloud, but also to your office systems on-premise. If you permit remote access through the likes of Remote Web Access (RWA), Remote Desktop Services (RDS) or VPN, you may have just opened the back door to allow a perpetrator full access to your business by acting as that user. You wouldn't know any different.

Password synchronization doesn't actually make your experience more secure.
The Alternative: Two-Factor Authentication

If passwords aren't the best way to protect business information in the cloud, what would be better? You may have noticed that as of late, cloud-based companies like Google, Dropbox, PayPal and even Microsoft have agreed that a better form of authentication is two-factor authentication (2FA). There are many forms of 2FA, everything from SMS and text messaging to systems that call you back for confirmation over the phone. The easiest method to adopt, though, is to combine a PIN that only the user knows with a one-time password (OTP) that is dynamically generated for the user at the time of login. The combination of knowing a PIN and having the OTP gives you two factors to prove you are who you say you are when you need to access services and information in the cloud. Or in some cases, even when on-premise. Generating the OTP can be done in many ways. You can use traditional hardware keyfobs that produce the OTP on what is called a token. A more popular method being adopted lately is an app on a smartphone, typically called a SoftToken. Acting just like a hardware keyfob, it generates the OTP for you as you need it. The benefit of SoftTokens comes from the fact that most users these days have smartphones and would rather use them than carry around an extra hardware device on their keychain. Using AuthAnvil to provide 2FA to Office 365 with a SoftToken is exactly how Scorpion Software does it.

The AuthAnvil Solution

Scorpion Software, a Kaseya company, offers 2FA for Office 365 through two key products that are part of AuthAnvil Password Solutions: AuthAnvil Two Factor Auth and AuthAnvil Single Sign On. AuthAnvil Two Factor Auth provides the engine that delivers the authentication subsystem that validates a user's PIN and OTP against their account.
AuthAnvil Single Sign On provides the single sign-on (SSO) subsystem and federation capabilities that Office 365 needs to configure and communicate with your users on-premise. Both products are installed on a Windows Server that you control, hosted on-premise or in your own private cloud or data center. This gives you the ability to maintain control of your cloud security on systems that you own and manage. AuthAnvil is capable of running on entry level servers like Windows Server Essentials and Small Business Server, all the way up to highly-available clustered Windows Servers with Network Load Balancing (NLB). AuthAnvil SoftTokens are capable of running on popular smartphones running Windows Phone, Apple iPhone, Google Android and RIM BlackBerry. You can also run it on Windows desktops and even USB-based YubiKeys. With an app on your phone, you can log into Office 365 without needing to know or remember a password. You can have the one-time password generated when you need it.

Constraints with 2FA in Office 365

By its very nature, a one-time password (OTP) can only ever be used once. That makes it difficult to use with applications like Microsoft Lync or Outlook that cache your password and reuse it every time they need to reach Office 365. This is just as difficult for applications running on your smartphones and tablets that access your email and documents in the cloud. On its own, using two-factor authentication (2FA) with such applications may result in a poor experience for users, as you would need to enter a new OTP almost every time you needed to check email or communicate with colleagues and customers. This gets worse as you use multiple devices. If an application stores this one-time password, it conflicts when a different device authenticates and updates the session with a different one. So if your Windows Phone polls for mail and then you try to read a new message on your iPad, it could void the password on your phone, requiring you to enter a new OTP the next time you try to check your mail. This dueling for access control becomes cumbersome and just frustrates users. Most 2FA solutions that do work with Office 365 through ADFS fall back to the Active Directory credential to get around this. So while you can use 2FA for web-based access, on-premise Office applications fall back to using a Windows credential, which exposes your business to unnecessary risk.

Most 2FA solutions cannot work with rich clients like Microsoft Office, Lync and Outlook. AuthAnvil can.

AuthAnvil addresses this differently to reduce this risk to an acceptable level.
How AuthAnvil Solves the 2FA Constraints in Office 365

Knowing that being constantly prompted for a new OTP is a poor user experience, Scorpion Software designed a system that uses unique ActiveSync keys that meet the password complexity requirements for a strong password. This key is not coupled to a user's account at your office. In fact, ActiveSync keys are unique to the user within AuthAnvil, and can be monitored and managed by the user right in their profile in their personalized AuthAnvil Single Sign On portal. You can further protect this key by requiring users to provide their AuthAnvil passcode (their PIN + OTP) when they wish to reveal it so they can enter it into applications that support ActiveSync. Like Outlook. Lync. And their smartphones and tablets. These ActiveSync keys act like a traditional password and work as a cached credential. However, because they are not tied to your office systems, even if they were somehow compromised or stolen you are not at risk at your office from an adversary using this credential to gain access to your local systems and information. Even better, AuthAnvil enforces the use of randomized stronger passwords of up to 16 characters, helping to increase security effectiveness and eliminate the use of weak passwords. This helps to balance security and usability so users can leverage the benefits of Office 365 without increasing risk to your business by using your work passwords in the cloud like you would with ADFS. Scorpion Software can help you deploy 2FA in Office 365 in just a few hours.
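To make the PIN + OTP passcode from the previous sections and the per-application key idea above concrete, here is an added example; it is not AuthAnvil's code, and because the ebook does not say how AuthAnvil generates OTPs, it assumes HOTP (RFC 4226) over a constructed shared seed. It shows the two behaviours the text relies on: an OTP is consumed on first use so a cached copy cannot be replayed, and a random 16-character application key is revealed only after a valid passcode and is checked on its own thereafter, with nothing on-premise involved.

```python
import hashlib, hmac, secrets, struct


class PasscodeAuthenticator:
    """Server side of a PIN + OTP login plus per-application keys (constructed example).
    Assumes OTPs are HOTP (RFC 4226) over a seed shared with the SoftToken; each OTP is accepted once."""

    def __init__(self, pin, seed, digits=6):
        self.pin, self.seed, self.digits = pin, seed, digits
        self.counter = 0      # next HOTP counter the server will accept
        self.app_keys = {}    # label -> SHA-256 of the app key; plaintext is never stored

    def hotp(self, counter):
        """RFC 4226: dynamic truncation of HMAC-SHA1(seed, counter)."""
        mac = hmac.new(self.seed, struct.pack(">Q", counter), hashlib.sha1).digest()
        offset = mac[-1] & 0x0F
        code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
        return f"{code % 10 ** self.digits:0{self.digits}d}"

    def verify_passcode(self, passcode, window=3):
        """Passcode = PIN followed by OTP; the OTP must sit in a small look-ahead window."""
        if len(passcode) != len(self.pin) + self.digits:
            return False
        pin, otp = passcode[:len(self.pin)], passcode[len(self.pin):]
        if not hmac.compare_digest(pin, self.pin):
            return False                      # wrong PIN: counter untouched
        for c in range(self.counter, self.counter + window):
            if hmac.compare_digest(self.hotp(c), otp):
                self.counter = c + 1          # consumed: replaying this OTP now fails
                return True
        return False

    def issue_app_key(self, passcode, label):
        """Reveal a fresh 16-character random key for one cached-credential client,
        gated on a valid PIN + OTP. Returns None if the passcode is rejected."""
        if not self.verify_passcode(passcode):
            return None
        key = secrets.token_urlsafe(12)       # 12 random bytes -> 16 URL-safe characters
        self.app_keys[label] = hashlib.sha256(key.encode()).hexdigest()
        return key

    def verify_app_key(self, label, key):
        """What the mail endpoint checks on every poll; no OTP or office password involved."""
        stored = self.app_keys.get(label)
        digest = hashlib.sha256(key.encode()).hexdigest()
        return stored is not None and hmac.compare_digest(stored, digest)

    def revoke_app_key(self, label):
        """Losing one device invalidates only that device's key, nothing on-premise."""
        self.app_keys.pop(label, None)
```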
Next Steps

Within this ebook you have hopefully learned how you can unlock access to Office 365 without your users needing to remember another password, and how to maximize your security while actually making it easier for them to access Office 365. But you're also likely thinking there's a lot more to learn to put together an effective strategy to secure your Office 365 deployment with AuthAnvil. We can help: request a one-on-one consultation with Scorpion Software to learn how.

Like this ebook? Share it with your peers!