office 365 security: everything you need to know


DESCRIPTION

Whether you are already deployed or still considering upgrading to Microsoft Office 365, get the “need to know” about basic and advanced Office 365 security. Featuring presentations from Microsoft Office 365 Product Managers and Office 365 Deployment Experts at Avanade.

• Tips and Tricks for a Secure Deployment

• In-depth Look into Office 365’s Out-of-the-box Features

• Advanced Security Options: Multi-factor Authentication and Single Sign-on

TRANSCRIPT

Page 1: Office 365 Security: Everything You Need to Know

© 2014 SecureAuth All Rights Reserved

Office 365 Security: Everything You Need to Know

July 10, 2014

www.secureauth.com www.avanade.com www.microsoft.com

Page 2: Office 365 Security: Everything You Need to Know

Welcome to the Webinar

• All attendee audio lines are muted

• Questions will be answered at the end of the session

• Submit brief questions on the Q&A panel

• Send longer questions or off-line topics via email [email protected]


Presented by Microsoft, Avanade, and SecureAuth Corporation

David Brandt, Microsoft – Principal Program Manager, Office 365

Tim Arvanites, SecureAuth Corporation – Director of Technical Sales

Jimmy Soto, Avanade – Infrastructure Solutions Architect

Page 3: Office 365 Security: Everything You Need to Know

AGENDA


Trends / Issues of the Modern Mobile Enterprise

Microsoft Office 365 Identity Management

SecureAuth IdP “Advanced” Security Options for Office 365: 2-Factor Authentication and SSO

Deployment Tips and Tricks: The Avanade Experience

Q & A

Page 4: Office 365 Security: Everything You Need to Know

Issues Facing the Modern Mobile Enterprise

Rapid Movement to the Cloud and High Usage of Cloud Applications

Pressures of Mobility – BYOD and Secured Mobile Devices for Convenient User Experience

Line of Business Driving Organizations to the Cloud, but without Proper Security Measures

No one wants to be that headline

Page 5: Office 365 Security: Everything You Need to Know

Introduction to Microsoft Office 365 Identity Management

David Brandt, Principal Program Manager, Office 365

Page 6: Office 365 Security: Everything You Need to Know

Identity for Microsoft cloud services

Diagram: two kinds of user account, each authenticated by its own identity system.

• User with a Microsoft Account (ex: [email protected]) → Microsoft Account

• User with an Organizational Account (ex: [email protected]) → Microsoft Azure Active Directory

Page 7: Office 365 Security: Everything You Need to Know

Office 365 Identity Models

Three identity models, from no on-premises infrastructure to full federation:

Cloud identity – zero on-premises servers.

Synchronized identity – on-premises directory; directory sync with password sync. Between zero and three additional on-premises servers depending on the number of users.

Federated identity – on-premises identity; directory sync plus federation. Between two and eight on-premises servers and networking configuration depending on the sign-in availability requirements.

Page 8: Office 365 Security: Everything You Need to Know

Identity Synchronization and Federation

Diagram of the on-premises and Microsoft sides of a federated tenant:

• On-premises Identity Provider – federated sign-in to Windows Azure Active Directory over WS-Federation, WS-Trust, or SAML 2.0 (Shibboleth metadata)

• On-premises Directory – synchronize accounts to Windows Azure Active Directory through the Graph API

• Microsoft side – Windows Azure Active Directory performs authentication and authorization; passive auth covers Exchange Web Access and SharePoint Online, active auth covers Exchange Mailbox Access from rich clients (Outlook, Lync, Word, etc.)

Page 9: Office 365 Security: Everything You Need to Know

Office 365 federation options

ADFS (WS-*)

• Suitable for medium, large enterprises including educational organizations

• Recommended option for Active Directory (AD) based customers

• Single sign-on

• Support for web and rich clients

• Microsoft supported

• Works for Office 365 Hybrid Scenarios

• Requires on-premises servers, licenses & support

Third party (WS-*)

• Suitable for medium, large enterprises including educational organizations

• Recommended where customers may use existing non-ADFS Identity systems with AD or Non-AD

• Single sign-on

• Support for web and rich clients

• Third-party supported

• Works for Office 365 Hybrid Scenarios

• Requires on-premises servers, licenses & support

• Verified through ‘works with Office 365’ program

Shibboleth (SAML 1.1)

• Suitable for educational organizations

• Recommended where customers may use existing non-ADFS Identity systems

• Single sign-on

• Support for web clients and Outlook (ECP) only

• Microsoft supported for integration only, no Shibboleth deployment support

• Requires on-premises servers & support

• Works with AD and other directories on-premises

SAML 2.0

• For organizations that need to use SAML 2.0

• Recommended where customers may use existing non-ADFS Identity systems

• Single sign-on

• Support for web clients and Outlook (ECP) only

• Microsoft supported for integration only, no identity provider deployment support

• Requires on-premises servers & support

• Works with AD and other directories on-premises

Page 10: Office 365 Security: Everything You Need to Know

Works with Office 365 – Identity program

What is it? Qualification of third party identity providers for federation with Office 365. Microsoft supports Office 365 only when qualified third party identity providers are used.

Program Requirements

• Published Qualification Requirements

• Published Technical Integration Docs

• Automated Testing Tool

• Self Testing work by Partner

• Predictable and Shorter Qualification

http://aka.ms/ssoproviders

Qualified protocols and providers shown on the slide (*for representative purposes only): WS-Trust & WS-Federation; SAML (passive auth); Active Directory with ADFS; Shibboleth; RadiantOne; Okta

Customer Benefits

• Flexibility to reuse existing identity provider investments

• Confidence that the solution is qualified by Microsoft

• Coordinated support between the partner and Microsoft

Page 11: Office 365 Security: Everything You Need to Know

First use in hours, Onboarding in days – http://fasttrack.office.com

1. Pilot – Full Office 365 service; Pilot in hours; Persist to deployment; User led migration

What: Office 365 Service – Exchange, SharePoint, Lync, Office Web Apps, Office 365 ProPlus, Mobile

How: Service domain; Cloud Identity; Web Client; Office client; Self Service

(Pilot complete)

2. Deploy – Core onboarding; Deploy in days; Companywide cloud use; IT led migration

What: All Pilot Features + Shared namespace, simple coexistence, external sites

How: Pilot + IT led migration*; Customer domain; Directory sync; Password sync; Admin migrations; OnRamp

(Deploy complete)

3. Enhance – Optional integration; Extend in weeks; Meet business needs; Customized to landscape

What: Deploy + Federation, Hybrid Delegation, and more

How: Deploy + *Configure adv. features; Federated Identity; Exchange Hybrid; Corporate app store; SharePoint Hybrid; Lync Hybrid; 3rd party migration tools

(Adopt new features)

Page 12: Office 365 Security: Everything You Need to Know

SecureAuth IdP for Microsoft Office 365: Advanced Security Options

Page 13: Office 365 Security: Everything You Need to Know


What is an IdP?

An IdP (Identity Provider) establishes a circle of trust between the User and the Service Provider (applications like Office 365).

Definition

• A system that creates, maintains, and manages identity information

• Provides principal authentication to other service providers (applications) within a federation or distributed network

• Sends an attribute assertion containing trusted information about the user to the Service Provider (SP)

1. User Directed to IdP

2. IdP Authenticates User

3. User Redirected to SP with Token
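The three-step redirect flow above, written out as a simulation of both sides. This is an added example and not SecureAuth's or Microsoft's code: an HMAC over a JSON claim set stands in for the XML signature on a real WS-Federation token, the issuer URL and signing key are constructed, and the `wtrealm` value is the well-known Office 365 realm. The point is the Service Provider side: the token is only trusted after signature, issuer, audience, validity window and replay checks all pass.

```python
import hashlib
import hmac
import json
import secrets

# Constructed values: the shared key stands in for the IdP's X.509 signing
# certificate held in the federation trust; the issuer URL is made up.
IDP_SIGNING_KEY = b"constructed-idp-signing-key"
IDP_ISSUER = "https://sts.contoso.example/adfs/services/trust"
SP_REALM = "urn:federation:MicrosoftOnline"  # well-known Office 365 realm
TOKEN_LIFETIME = 300  # seconds a token stays valid

seen_token_ids = set()  # replay cache kept by the SP


def sp_redirect_to_idp(return_url):
    """Step 1: the SP sends the unauthenticated user to the IdP (WS-Fed style request)."""
    return {"wa": "wsignin1.0", "wtrealm": SP_REALM, "wctx": return_url}


def idp_issue_token(request, upn, immutable_id, now):
    """Step 2: having authenticated the user, the IdP signs the claims Office 365 needs."""
    claims = {
        "iss": IDP_ISSUER,
        "aud": request["wtrealm"],
        "upn": upn,
        "ImmutableID": immutable_id,
        "nbf": now,
        "exp": now + TOKEN_LIFETIME,
        "jti": secrets.token_hex(8),  # unique id so the SP can detect replays
    }
    body = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(IDP_SIGNING_KEY, body, hashlib.sha256).hexdigest()
    return {"claims": body, "sig": sig}


def sp_validate_token(token, now):
    """Step 3: the SP checks the token before trusting the identity it carries."""
    expected = hmac.new(IDP_SIGNING_KEY, token["claims"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["sig"]):
        return None, "bad signature"
    claims = json.loads(token["claims"])
    if claims["iss"] != IDP_ISSUER:
        return None, "untrusted issuer"
    if claims["aud"] != SP_REALM:
        return None, "wrong audience"
    if not claims["nbf"] <= now < claims["exp"]:
        return None, "expired or not yet valid"
    if claims["jti"] in seen_token_ids:
        return None, "replayed token"
    seen_token_ids.add(claims["jti"])
    return {"upn": claims["upn"], "ImmutableID": claims["ImmutableID"]}, "ok"


if __name__ == "__main__":
    req = sp_redirect_to_idp("https://outlook.office365.com/")
    tok = idp_issue_token(req, "alice@contoso.example", "constructed-guid==", now=1000)
    print(sp_validate_token(tok, now=1001))
```

Presenting the same token twice, or changing one byte of the claims, is rejected with a distinct reason, which is what a real SP logs for the audit trail the later slides mention.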

Page 14: Office 365 Security: Everything You Need to Know


Benefits of an Identity Provider

Improved User Experience

Increased Security

Complex Environments Simplified

Flexible Access Control Workflows

Page 15: Office 365 Security: Everything You Need to Know


IdP - Improved User Experience

Single Sign-on (SSO):

• Users access their applications with a single authentication

• Flexible authentication workflows based on user, device, and location

• Custom and third-party enterprise web applications (SharePoint)

• Cloud applications, like Office 365, Google Apps, Salesforce, and more


Page 16: Office 365 Security: Everything You Need to Know


IdP – Increased Security

• Avoid Password Sync / Sprawl

• Single Access Control Point for ALL User’s Applications

• Immediate Disable of Access

• Auditing of All Application Access Compiled in Single Location

• Enforce Client Sign-in Restrictions by Device, Login History, Network Location, Work Hours, and more

• Utilize Enterprise Multi-factor Authentication

Diagram: the single access control point in front of Web Apps, Network Apps, Cloud Apps, and Mobile Apps.

Page 17: Office 365 Security: Everything You Need to Know


IdP – Complex Environments Solved

Combine Multiple, Disparate Directory Stores: Active Directory, SQL, Novell eDirectory, Sun One, etc.

Create Unified Access Policies Limiting Access to Resources based on:

Defined Authentication Workflows, User Access State (enabled/disabled), Network Location, Group Membership, Devices, etc.

On-premises, Cloud-based, or Hybrid Scenario

Page 18: Office 365 Security: Everything You Need to Know


IdP – Flexible Access Control Workflows

Define Virtually any Authentication Workflow for Users

Integrated Windows Authentication (no password) for Internal Users

Username/Password + Second Factor (optional) for External Users

Enforce Client Sign-in Restrictions by Device, Login History, Network Location, Work Hours, and more

Utilize Enterprise Multi-factor Authentication

Page 19: Office 365 Security: Everything You Need to Know

SecureAuth IdP – Office 365 Use Case

Enterprise customer with 24 AD domains utilizing browser access to Office 365 and Office applications Word, Excel, Outlook, Lync, and PowerPoint

External users – 2-Factor Authentication with SMS / Telephony / E-mail registration and 90 day device credential used for subsequent multi-factor authentications

Internal users – Windows Integrated Authentication for true Desktop SSO to Office 365

Single Sign-on experience for user to reach their other enterprise applications

Office 365 Client Access Controls limiting Outlook access to only internal network devices
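One way to express the workflow selection from the Flexible Access Control Workflows slide and the use case above as policy code. This is an added example, not SecureAuth IdP's own policy engine: the 90-day device credential and the internal-network-only Outlook rule are taken from the use case, while the work-hours window and the failed-login threshold are constructed values for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Policy values: the 90-day device credential and the Outlook restriction come
# from the use case; work hours and the failed-login threshold are constructed.
DEVICE_CREDENTIAL_MAX_AGE_DAYS = 90
WORK_HOURS = range(7, 20)
MAX_FAILED_LOGINS_24H = 5


@dataclass
class SignInContext:
    user: str
    client: str                 # "browser" (web client) or "outlook" (rich client)
    internal_network: bool      # request arrives from the corporate network
    device_credential_age_days: Optional[int]  # None if no 2FA device credential enrolled
    failed_logins_24h: int
    hour_of_day: int


def choose_workflow(ctx: SignInContext):
    """Pick the authentication workflow for one sign-in; returns (decision, reason)."""
    # Client access control from the use case: Outlook only from internal devices.
    if ctx.client == "outlook" and not ctx.internal_network:
        return "deny", "Outlook access limited to internal network devices"
    # Login history: too many recent failures blocks the sign-in outright.
    if ctx.failed_logins_24h >= MAX_FAILED_LOGINS_24H:
        return "deny", "failed-login threshold exceeded"
    # Internal users: Integrated Windows Authentication, no password prompt.
    if ctx.internal_network:
        return "allow:integrated_windows_auth", "internal user, desktop SSO"
    # External users: enforce the work-hours window before any credential prompt.
    if ctx.hour_of_day not in WORK_HOURS:
        return "deny", "external access outside work hours"
    # A device credential younger than 90 days serves as the second factor.
    age = ctx.device_credential_age_days
    if age is not None and age < DEVICE_CREDENTIAL_MAX_AGE_DAYS:
        return "allow:password", "valid device credential serves as second factor"
    return "allow:password+second_factor", "external user must register or renew device credential"


if __name__ == "__main__":
    for ctx in (SignInContext("alice", "browser", True, None, 0, 10),
                SignInContext("alice", "outlook", False, 30, 0, 10),
                SignInContext("alice", "browser", False, 120, 0, 10)):
        print(ctx.client, ctx.internal_network, choose_workflow(ctx))
```

The deny reasons are returned rather than just raised so that every decision can be written to the single audit location the Increased Security slide describes.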

Page 20: Office 365 Security: Everything You Need to Know

Avanade’s Notes From The Field

Transformation to Office 365

Avanade Confidential – Do Not Copy, Forward or Circulate© Copyright 2014 Avanade Inc. All Rights Reserved.

Page 21: Office 365 Security: Everything You Need to Know

Messaging Transformation Credentials

Our Experience

• Microsoft Gold Certified Partner for “Messaging” and “Communications“

• Converted/Implemented more than 23 million mailboxes to Exchange (from Exchange, GroupWise, Lotus Notes)

• Delivered over 2.8 million Microsoft Office 365/BPOS seats to date

• We have 600+ Exchange 2010/13 skilled resources, including 50 MCPs, 1 MVP for Office 365, 11 MCA/MCMs

• Deployed many components of Messaging infrastructure – Exchange, Outlook, Lync, Active Directory

Our Expertise

• Unmatched premium skills – strategy, cost modeling, Mailbox rationalization and worker segmentation

• Focus on business value – not just software and hardware

• Experience assisting delivery of many large complex Messaging Migration projects – On-premise and Cloud

Our Assets, Tools & Methods

• Structured methodology supported by Avanade Connected Methods (ACM)

• Innovative toolset to accelerate efforts (Accelerate for Mailbox, End User Communication Templates)

• Innovative Re-usable Assets and QA toolset

• Strategic Alliance with Quest Software

• Office 365 Surround Services

Global Delivery Network

• Onshore, near-shore, offshore network in 25 countries

• Messaging Migration Factory with qualified Migration Engineers in Philippines and India

• Global workforce enables factory approach at fair cost – high volumes of work in rapid time frame

Page 22: Office 365 Security: Everything You Need to Know


Why take the journey with Avanade

Tangible Benefits

• Avanade is currently delivering over 2,800,000 seats of Microsoft Online, which is more than any other partner

• We’re recommended by Microsoft

• Our migration factory averages over 99% first-time success rate

• We support multiple messaging migration styles allowing customers greater control in their migration experience

• Avanade has invested more in training than any other partner

• We have completed deployments using each service included in Office 365 (Exchange Online, SharePoint Online, Lync Online)

• 1st Microsoft partner to sign Microsoft Online Services Partner Advisor agreement for large enterprises

• Our Health and Value Assessment offering efficiently guides customers to achieving their goals

• Monthly meetings with Microsoft Office 365 Engineering teams as part of High Touch Partner initiative

Certifications

• 1st in certifications per employee

• 1st in Exchange certifications

• 1st in Lync certifications

• 1st in SharePoint certifications

• 1st in Active Directory certifications

• 28 elite Microsoft Certified Architects

Competencies

• Microsoft Gold Certified Partner in 20 competencies, more than any gold partner

Page 23: Office 365 Security: Everything You Need to Know

Considerations Prior To Office 365 Decision

Consideration: Know Requirements Ahead of Time

Perform requirements gathering exercises and have agreement on what is actually needed. Compare this list to the Office 365 service descriptions and identify areas of incompatibility. Do not assume that Office 365 will satisfy every possible requirement.

Consideration: Know What Is Provided, And What Is Not

Have clarity on what services and features are actually offered as part of Office 365. Regularly review the Office 365 Service Descriptions for detailed information on what is included and what the limitations are.

Consideration: Remember, It Is A Shared Environment, Not A Dedicated Hosted Environment

Office 365 is not meant to adapt to the needs of its customers. The cost savings gained from Office 365 are realized by having the customers adapt to the stated service descriptions, and as such only flexible customers should select Office 365.

Consideration: Evaluate Customer Readiness

Leverage the Microsoft utilities and Avanade experience to determine readiness to implement Office 365. Readiness tasks will be a pre-requisite before beginning the Office 365 implementation tasks.

Consideration: Documentation May Be Dynamic And Is Improving

Older Office 365 documentation may not have been complete or accurate. Microsoft has made an effort to update documentation and provide additional support assets for implementing, migrating to, and managing Office 365. It is possible that the latest information may not be readily available or prevalent amongst Office 365 SMEs.

Page 24: Office 365 Security: Everything You Need to Know

Implementation Planning Considerations

Consideration: It Is Still A Transformational Event

Although the Office 365 offering is compelling, realize that the implementation and migration is still a transformational event that will require appropriate project planning and management.

Consideration: Plan For Realistic Timeline and Milestones

Transformation to Office 365 should be planned using realistic estimates for completing the tasks based on the workload. Migration planning should consider readiness and end user support as well as the duration of time needed to complete migration tasks.

Consideration: Keep The End User Experience In Mind

The conversion to Office 365 could be a jarring experience for the end user, depending on their familiarity with current Microsoft products. Plan for end user training and communications even if end users are migrating from similar Microsoft technologies, and especially if end users are migrating from non-Microsoft technologies.

Consideration: Stay On Course, Don’t Deviate

Do not deviate from the standard published Microsoft Office 365 infrastructure guidance and recommendations. Avoid leveraging un-sanctioned Microsoft options or alternative 3rd party options without validation from Microsoft.

Consideration: Plan for Operational Excellence

Microsoft does not provide end user support or lower tier support. Ensure that the operations team and help desk support team have the appropriate training to manage Office 365. Microsoft may be responsible for maintaining service availability, but day to day administration and provisioning is still the responsibility of the Customer.

Page 25: Office 365 Security: Everything You Need to Know

Conclusion

• Implementation and migration to Office 365 is often simplified with an emphasis on quick onboarding rather than averting risk

• Customers must realize that they need to adapt to Office 365; it does not adapt to the customer

• Consideration must be given to safeguarding the end user experience

• Operational excellence and support must be planned prior to migrating production resources to Office 365

• Customers benefit from the experience Avanade can provide when planning and executing an Office 365 implementation and migration

Page 26: Office 365 Security: Everything You Need to Know

Questions & Answers – Avanade, Microsoft, and SecureAuth Corporation

Page 27: Office 365 Security: Everything You Need to Know

Thank you

www.secureauth.com www.avanade.com www.microsoft.com

Contacts

David Brandt – Principal Program Manager – [email protected] – +1-425-705-1352

Tim Arvanites – Director of Technical Sales – [email protected] – +1-312-985-1997

Jimmy Soto – Infrastructure Solutions Architect – [email protected] – +1-732-277-4960

SecureAuth Sales – Sales – [email protected] – +1-949-777-6959

Introduction to Microsoft Office 365 Identity Management: http://channel9.msdn.com/Events/TechEd/NorthAmerica/2014/OFC-B222#fbid=