Protecting Office 365 and Microsoft Azure from Emerging Threats


Trust.  It’s perhaps the main element in any decision you make regarding computer & communication services for your company and yourself.  You need to feel you can trust your provider to keep your data secure, your personal information private, and your communications protected from eavesdroppers.

Millions of people trust services like Microsoft Office 365 with their most prevalent communications, including email using Exchange Online and instant messaging, voice and video over Skype and Skype for Business (formerly Lync).  While it is likely that they implicitly trust these services because they are provided by Microsoft, the world’s largest software company, you should stop to ask what it actually is that Microsoft is doing to earn this trust.  Yes, they have vast resources, but what are they doing with them?

A post on the Office Blogs from the Office 365 Team answers this question very thoroughly.  “From Inside the Cloud: What does Microsoft do to prepare for emerging security threats to Office 365?” introduces us to Chang Kawaguchi, a group engineering manager for security for Office 365; Travis Rhodes, lead security software engineer for Office 365; and Vijay Kumar, a senior product manager for Office 365.  These are three of the people who spearhead Microsoft’s strategy for keeping Office 365 and Microsoft Azure cloud services secure and trustworthy.

Assume Breach

The post features an excellent short video that describes several of the security strategies employed by the group, beginning with one that would seem to just be common sense: Assume people are trying to break into your network and data at all times.  Constant vigilance.  Oddly, most people seem to assume that nobody would ever bother attacking them.  Microsoft invests heavily in an “Assume Breach” approach which causes them to constantly be on the lookout for new threats.

Color War!

Assuring viewers that no customer data is ever threatened or even touched in their work, the video describes the work of the “Red” and “Blue” teams constantly “at war” with each other to battle-test the armor that protects these systems.

The Red Team, “an internal dedicated team of ‘white hat’ hackers from varied industry backgrounds such as broader technology industry, defense and government,” constantly conducts penetration testing on Microsoft’s systems.  Counterbalancing them is the Blue Team, “whose role it is to monitor activities within the system to detect anomalous behavior and take action. As hard as the Red team is trying to find and exploit vulnerabilities the Blue team is trying to detect, investigate and mitigate security events.”

As the post concludes, “The combined efforts of our teams go toward improving detection by evolving our machine learning algorithms for the detection of anomalous activity as well as incident response.”

Any IT manager responsible for system security will find valuable insight in this post and the included video.  Those wishing to continue to learn more should regularly visit the Red team blog.  If you have any questions about anything you read, please reach out to your CloudStrategies Advisor for more information!

Cloud Combining – Migration by Workload


Extended support for Windows Server 2003 will be withdrawn on July 14, 2015.  After that date there will be no more patches, updates, or security updates for that old version.  If you’re still running Windows Server 2003 it is now critical to start planning to move off of it and onto a more modern platform.   With most upgrades there is usually a single path, only one way to go.  This time, for the first time, you have some choices available to you!!

Even if you’re NOT Running Windows Server 2003

Whether you use Windows Server 2003, 2008, or any of the other versions released over the past decade, now may be the time to make a change, especially if you want to save money, reduce support costs, and eliminate headaches.

One of your choices is, of course, the latest version, Windows Server 2012 R2.  With over 300 features that didn’t even exist back in 2003 this is a great choice for those who wish to keep running and maintaining their own servers on their own premises.  New Microsoft CEO Satya Nadella refers to Windows Server 2012 R2 as the “Cloud OS” because you can use it to enable and enjoy all the advantages of private cloud computing.

For this migration, for the first time, you have flexible choices regarding how your future state environment will look and function.  While many think it’s a matter of choosing either on-premise Windows Server 2012 R2 or Microsoft Azure cloud services, it’s really more of a matter of how you take advantage of the hybrid cloud opportunity to combine both.

Transforming Your Data Center

According to Microsoft’s marketing, “Azure is an open and flexible cloud platform that enables you to quickly build, deploy and manage applications across a global network of Microsoft-managed datacenters. You can build applications using any language, tool or framework. And you can integrate your public cloud applications with your existing IT environment.”

It is this last point that is most important to anyone transitioning away from Windows Server 2003. Since Microsoft Active Directory can span both on-premise and cloud-based servers, it becomes easy to maintain one database of security and access rights and approach the combination as a single entity.  This, in essence, creates a “Datacenter without boundaries” in which you can burst beyond the capacity of your local service to the highly-elastic resources of Azure.  Azure also provides complete data center redundancy, a level of resilience that would cost far more if you did it yourself, which is just one illustration of the cost-effectiveness of the Azure solution.  Speed and high security make it a highly desirable place to migrate your workloads.

But which workloads?  Which should go to the Azure cloud and which to your local on-premise Windows Server 2012 R2 units?

 

 

The Migration Process – Microsoft Best Practices

Microsoft recommends a simple, yet elegant, four-step migration process:

  • Discover – Catalog your software and workloads
  • Assess – Categorize applications and workloads
  • Target – Identify the destination(s) for each of your workloads
  • Migrate – Make the actual move

A potential fifth step would be the ongoing management of your new environment to constantly assure optimum performance.

Not surprisingly, this closely resembles the CloudStrategies process framework of “Discover, Adopt & Manage” in which we guide clients to discover all of the assets in their IT environment, adopt new cloud structures to accommodate each, and manage all of it with newfound ease and facility.

Turn to CloudStrategies for the experience and the expertise required to perform all of these for you.  Our experience performing many such migrations benefits your project, and you will find it far less costly than training your own people to do something they will only do once.

Targets

Discovery tends to become more extensive, and more tedious, than most anticipate it will be, but it’s crucial to be as comprehensive as possible.  Missed applications and workloads can become headaches later on. Once the entire inventory has been documented, it is important to assess the applications, the workflow related to each data entity, and potential impacts upon users from various scenarios.

The four likeliest targets for your workloads are:

  • Windows Server 2012 R2 Server running on your premises
  • Microsoft Azure
  • A Cloud OS Network, likely running on your premises
  • Office 365

Obviously, productivity and communication related activities will likely be migrated to Office 365.  This may include email moving to Microsoft Exchange Online, document management moving to SharePoint Online, and instant messaging, voice, video, and shared application communications moving to Lync Online.

Choosing between the other three targets will be determined by factors including speed, ease of migration, cost, and desired functionality.  One good example would be websites, which would be better served by the speed available from the Azure data centers, as well as the elasticity of the storage, processing power and memory, which could all contribute to keeping sites responsive even during times of peak demand.

What’s YOUR Cloud Migration Strategy?

Whether migrating to cloud for the first time, migrating from an expiring platform to a new one, or migrating from one cloud service to another, turn to CloudStrategies to provide the guidance, the advice, and the assistance you need to keep your migration flawless.  Contact your CloudStrategies Advisor today to learn more.

Make Microsoft Azure Your New Data Center


How’s this for an IT Manager’s nightmare?  Your company today announced that it had acquired its largest competitor.  Great news!!!  You’ve just been informed that you need to double the capacity of your data center… by tomorrow.

No Problem

Put the defibrillator back in the case on the wall and relax.  This will be no problem for you.  In fact, your biggest challenge will be getting the new company to give you the new workloads that need to be accommodated by your instantly expanded data center.  It’s a snap.  It’s a breeze.

It’s Azure.

Your Data Center Away from Home

No, you won’t have to find a supplier who will ship dozens of new servers to you immediately, nor recruit a team of bug-eyed techies to stand them all up overnight.  In fact, very little coffee will be required to accomplish this feat.

Microsoft Azure lets you accomplish what may be the ideal example of the hybrid cloud in action.  However many or few host servers you may be managing in your own data center, you simply provision new enterprise-grade virtual machines on Azure as you need them. You can readily bring over your existing virtual machines or create new ones, each pre-populated with your choice of operating system and the enterprise apps you need.  You run these on the Azure Virtual Network, an isolated environment where you control DNS, subnets, firewall policies, private IP addresses and more.

Workloads are by no means limited to Microsoft platforms.  You can run Windows or Linux, and enterprise apps such as SAP, Oracle, SQL, and Hadoop on Azure VMs.

Make the Connection and Manage It All As One!

Connect your on-premise data center to your Azure data center as easily as connecting a branch office using the Azure Virtual Network and ExpressRoute over either a secure VPN or private connection.  You control all the networking and security parameters on Azure with the same tools as you do your own data center.  It all feels like one thing.  It’s all managed as one.

No need for additional Active Directory structures, either.  With Active Directory for Windows Server 2012 R2 and Active Directory for Azure you bring it all together in one forest.

It’s Not Just IaaS, it’s PaaS too!

Microsoft technology meets the multi-platform world on Azure.  You can develop and deploy modern applications that run on Android, iOS, and Windows and take the fullest possible advantage of cloud technology.  You get some spectacular SQL and NoSQL data services, too, which give you deep insights into your data.  This is a cloud-based developer platform with serious horsepower.

And it SCALES!

Back to our original concern, growing your data center rapidly.  Need more VMs?  Just provision them.  Need more storage, processing power, memory or other resources?  Available upon demand.

Of course, you won’t be worried about establishing redundancy to assure business continuity or support disaster recovery.  With hundreds of data centers located in 17 different regions around the world, and with both Locally Redundant and Geo Redundant storage to serve your needs no matter what, Microsoft has that covered!

Time to Talk about Your Data Center in the Cloud Strategy!

Your CloudStrategies Advisor will take you through the process of migrating your workloads and applications to Azure, giving you greater scalability, sustainability, and system certainty than ever before.  Start with our Assessment program to determine just how much IT budget you can save, and just how far you can grow with Azure.

Identity Management in Hybrid OnPrem/Cloud Environments

Brad Anderson, Corporate Vice President for Microsoft’s Server & Tools Business, recently posted on the “In The Cloud” blog talking about Identity Management for Hybrid IT.  In this post, Anderson definitively states that “Simply put, hybrid identity management is foundational for enterprise computing going forward,” explaining that “the consumerization of IT would be impossible without the ability to verify and manage the user’s identity and devices; an organization’s move to the cloud wouldn’t be nearly as secure and dynamic without the ability to manage access and connect people to cloud-based resources based on their unique needs; the explosion of data would be useless without the ability to make sure the right data is accessible to the right people; and new cloud-based apps need to govern and manage access just like applications always have.”

Identity Management Here, Identity Management There, Identity Management Everywhere

Anderson talks about the need to have the same level of identity management for Software as a Service (SaaS) and other cloud applications to protect the privacy and security of users and their data.  In the Microsoft universe this equates to extending the capabilities of Windows Server Active Directory, introduced with Windows 2000 and today “the default identity management and access-control solution for over 95% of organizations around the world,” to a new set of features in their Azure cloud platform called, aptly, Windows Azure Active Directory.

According to the post, “Windows Azure Active Directory (Windows Azure AD) is your organization’s cloud directory. This means that you can decide who your users are, what information to keep in the cloud, who can use or manage that information, and what applications or services are allowed to access it.”  Sounds a lot like Windows Server Active Directory, and it is.

“Windows Azure AD complements Windows Server AD for authentication and access control in cloud-hosted applications,” explains Anderson’s team. “Organizations which have Windows Server Active Directory in their data centers can connect their domains with their Windows Azure AD. Once the identities are in Windows Azure AD, it is easy to develop ASP.NET applications integrated with Windows Azure AD. It is also simple to provide single sign on and control access to other SaaS apps such as Box.com, Salesforce.com, Concur, Dropbox, Google Apps/Gmail. Users can also easily enable multi-factor authentication to improve security and compliance without needing to deploy or manage additional servers on-premises.”

Enabling a single ubiquitous identity management service across local and remote cloud-based resources and users is perhaps the most important benefit of how Windows Server Active Directory and Windows Azure Active Directory work together.  “The benefit of connecting Windows Server AD to Windows Azure AD is consistency – specifically, consistent authentication for users so that they can continue with their existing credentials and will not need to perform additional authentications or remember supplementary credentials. Windows Azure AD also provides consistent identity. This means that as users are added and removed in Windows Server AD, they will automatically gain and lose access to applications backed by Windows Azure AD.”

For users, this is a key and crucial set of solutions.  Imagine having to sign on separately for your local network and each of your cloud services.  As the use of cloud services continues to increase that would become an overwhelming challenge, and a definite security threat.  Anderson points out that “single sign-on which is a massive time and energy saver for a workforce that uses multiple devices and multiple applications per person.  It can also enable the scenario where a user’s customized and personalized experience can follow them from device to device regardless of when and where they’re working. Activities like these are simply impossible without a scalable, cloud-based identity management system.”

Running on Azure

The CloudStrategies website is now running on Windows Azure.  After a few weeks of testing, we changed our DNS settings to “go live” on Azure.  This post outlines our experience to date.

Several months ago, CloudStrategies replatformed our website to a WordPress content management system.  WordPress has offered us many benefits in capabilities and functionality.  That said, running on a standalone web server gave us some concern and occasional availability glitches.  A website needs to be highly available.

At the same time, CloudStrategies has been working with Windows Azure to evaluate its capabilities.

It took about 5 minutes to create a new WordPress site in Windows Azure – WordPress is an App within the Windows Azure Gallery.  This process was as straightforward as one could expect – a few clicks and a blank WordPress site was running.  The process of moving our production site to Azure took just a little more work.

Researching some available WordPress site migration tools, we quickly found the WordPress Plug-In – Duplicator.

Duplicator allowed us to make a snapshot of our current site and easily move everything over to our Windows Azure site.  Duplicator worked as advertised and we would endorse it highly.  Without going into full depth, the process was as simple as uploading a zip file of our website with FTP to our Azure location as well as an “Installer” file.  Once there, you run the Installer by calling it through a web browser.  The installation requires the location of the MySQL database created in Azure and appropriate credentials.  A couple minutes later and the site was live.  The final cleanup activities included removing the installation files from the site and updating our WordPress Permalinks.

The final testing and transfer steps included verifying that everything was running smoothly – which it was – and associating our domain DNS settings with Azure.  This too was straightforward and included verifying our domains within Azure using the Manage Domains link.  Azure identified some CNAME resource records to add with our DNS provider to demonstrate that we were the proper owner of our domains.  Once we added the entries, we were able to associate the domains within the Azure Management console.  From there, it was as simple as changing the DNS settings to direct web traffic to the new web server address.

Monitoring the performance of our site on Azure, we’re pleased with our initial results.  We have confidence that the built-in redundancy of Azure will take care of our availability concerns and that our website should see smooth sailing ahead.

Seeing how straightforward moving our website to Azure has been, we’re looking forward to working with Azure for additional workloads for both CloudStrategies and our clients.

A Way Out: Switching From Single Sign-On To Password Sync

If you’re using Office 365 with AD FS (Active Directory Federation Services) without high availability, this article could save you time, frustration and perhaps even your job. Single Sign On with AD FS provides the ability for users to sign in once to their Active Directory environment and use those same credentials to access email or other services in Office 365. While using a single set of credentials to access multiple systems is very desirable, this feature comes at a high cost for small and medium-sized businesses.

Have you ever thought how complex Single Sign On with AD FS can be? Have you had second thoughts about whether you made the right choice going down that path based on the size of your organization?  You are not alone.  Many organizations have been revisiting their Single Sign On design and searching for a better and more reliable solution for their company.  Recently Microsoft updated the directory synchronization service to provide almost the same user experience with a feature many are calling “Same Sign On”. The new release is called Windows Azure Directory Synchronization with Password Synchronization.

For those of you concerned about the security of this service, it appears Microsoft has done a pretty good job architecting a secure solution to this problem. Password Sync is an extension to the directory synchronization feature implemented by the Directory Sync tool. The Active Directory Domain Service stores passwords in the form of a hash value representation of the actual user password. The password hash cannot be used to log in to your on-premises network. It is also designed so that it cannot be reverse-engineered in order to gain access to the user’s plaintext password. To synchronize a password, the Directory Sync tool extracts the user password hash from the on-premises Active Directory. Additional security processing is applied to the password hash before it is synchronized to the Azure Active Directory Authentication service. It is important to note that this feature does not provide a Single Sign-On (SSO) solution because there is no token sharing / exchange in the Password Sync based process.
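As an added illustration (not code from the original post or from Microsoft), the sketch below models the kind of “additional security processing” described above, using the parameters Microsoft later published for password hash synchronization in Azure AD Connect: the 16-byte hash is expanded to a 64-byte UTF-16 hex string, combined with a 10-byte per-user salt, and run through 1,000 iterations of PBKDF2 with HMAC-SHA256. Whether the DirSync release discussed here used exactly these parameters is an assumption, as are the function names, the lowercase hex encoding and the constructed sample values.

```python
import hashlib
import hmac

# Assumption: parameters taken from Microsoft's later Azure AD Connect
# documentation, not from the post above.
PBKDF2_ITERATIONS = 1000
SALT_LEN = 10       # per-user salt, bytes
DERIVED_LEN = 32    # value held by the cloud directory, bytes


def expand_nt_hash(nt_hash: bytes) -> bytes:
    """Expand the 16-byte on-premises hash to 64 bytes:
    hex string (32 chars) re-encoded as UTF-16 (2 bytes per char)."""
    if len(nt_hash) != 16:
        raise ValueError("on-premises password hash must be 16 bytes")
    # Assumption: lowercase hex; the documentation does not state the case.
    return nt_hash.hex().encode("utf-16-le")


def derive_sync_value(nt_hash: bytes, salt: bytes) -> bytes:
    """Derive the value that leaves the premises. The on-premises hash
    itself is only ever an input to this one-way function."""
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be %d bytes" % SALT_LEN)
    return hashlib.pbkdf2_hmac(
        "sha256", expand_nt_hash(nt_hash), salt,
        PBKDF2_ITERATIONS, dklen=DERIVED_LEN,
    )


def cloud_verify(candidate_nt_hash: bytes, salt: bytes, stored: bytes) -> bool:
    """Cloud-side check: repeat the derivation for the hash of the password
    the user typed and compare in constant time."""
    return hmac.compare_digest(derive_sync_value(candidate_nt_hash, salt), stored)


# Constructed sample values (not real credentials).
SAMPLE_NT_HASH = bytes.fromhex("00112233445566778899aabbccddeeff")
OTHER_NT_HASH = bytes.fromhex("ffeeddccbbaa99887766554433221100")
SALT_USER_A = bytes(range(0, 10))
SALT_USER_B = bytes(range(10, 20))


def demo() -> dict:
    stored_a = derive_sync_value(SAMPLE_NT_HASH, SALT_USER_A)
    stored_b = derive_sync_value(SAMPLE_NT_HASH, SALT_USER_B)
    return {
        # The synced value has a different length and content than the
        # on-premises hash, so it is not interchangeable with it.
        "synced_len": len(stored_a),
        # Same password, different users: the salt makes the values differ.
        "same_password_differs": stored_a != stored_b,
        "correct_password_ok": cloud_verify(SAMPLE_NT_HASH, SALT_USER_A, stored_a),
        "wrong_password_ok": cloud_verify(OTHER_NT_HASH, SALT_USER_A, stored_a),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```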

Then you ask, is there a way to switch from single sign-on to password sync without breaking my network?  The answer is yes.  Many of the companies we work with are excited about this release since this feature enables users to log into Azure Active Directory services (such as Office 365, InTune, CRM Online, etc.) using the same password they use to log into your on-premises network.

The process to convert from single sign on to password sync has quite a few steps that must be completed in a specific, but very predictable order.  CloudStrategies has successfully transitioned organizations from 120 to 2000 users from a Federated State to a Managed State (with respect to their authentication flows).  There are 2 recommended approaches to achieve this task.  An Incremental Migration can be considered if you want to incrementally transition your users from Federated Authentication to Managed Authentication. You can do this by switching users from a Federated Namespace to a Managed Namespace, then synchronizing the passwords for the converted users.  The other option is to cut over the entire organization and transition the entire namespace from Federated to Managed Authentication.

Because you’re working on a production environment, working with an experienced Microsoft partner is highly recommended.  We believe the payoff is well worth the effort, resulting in:

  • A single directory synchronization server – eliminating the need for redundant and geographically-dispersed AD FS servers.
  • Minimal dependency on on-premises hardware/data center – if the DirSync with Password Sync server dies, just replace it. An on-premises outage has no impact on access to cloud services because the identity is a managed identity in Azure AD rather than a federated identity using AD FS 2.1.
  • No complex AD FS architectures – No AD FS Proxies, load balancers, or certificates for AD FS are required. The deployment is less complex with fewer moving parts.

It’s also important to look carefully at your short-term and long-term requirements. There are a few scenarios where Single Sign On using AD FS is preferable to using “Same Sign On” with Directory Synchronization with Password Sync. This blog is not intended to help you decide whether to choose SSO or Password Sync.  Its intention is to let you know there is an alternative to AD FS.
