Protecting Office 365 and Microsoft Azure from Emerging Threats

Protecting Office 365 and Microsoft Azure from Emerging Threats

Trust.  It’s perhaps the main element in any decision you make regarding computer & communication services for your company and yourself.  You need to feel you can trust your provider to keep your data secure, your personal information private, and your communications protected from eavesdroppers.

Millions of people trust services like Microsoft Office 365 with their most prevalent communications, including email using Exchange Online and instant messaging, voice and video over Skype and Skype for Business (formerly Lync).  While it is likely that they implicitly trust these services because they are provided by Microsoft, the world’s largest software company, you should stop to ask what it actually is that Microsoft is doing to earn this trust.  Yes, they have vast resources, but what are they doing with them?

A post on the Office Blogs from the Office 365 Team answers this question very thoroughly.  “From Inside the Cloud: What does Microsoft do to prepare for emerging security threats to Office 365?” introduces us to Chang Kawaguchi, a group engineering manager for security for Office 365, Travis Rhodes lead security software engineer for Office 365 and Vijay Kumar, a senior product manager for Office 365.  These are three of the people who spearhead Microsoft’s strategy for keeping Office 365 and Microsoft Azure cloud services secure and trustworthy.

Assume Breach

The post features an excellent short video that describes several of the security strategies employed by the group, beginning with one that would seem to just be common sense: Assume people are trying to break into your network and data at all times.  Constant vigilance.  Oddly, most people seem to assume that nobody would ever bother attacking them.  Microsoft invests heavily in an “Assume Breach” approach which causes them to constantly be on the lookout for new threats.

Color War!

Assuring viewers that no customer data is ever threatened or even touched in their work, the video describes the work of the “Red” and “Blue” teams constantly “at war” with each other to battle-test the armor that protects these systems.

The Red Team, “an internal dedicated team of “white hat” hackers from varied industry backgrounds such as broader technology industry, defense and government,” constantly conduct penetration testing on Microsoft’s systems.  Counterbalancing them is the Blue Team, “whose role it is to monitor activities within the system to detect anomalous behavior and take action. As hard as the Red team is trying to find and exploit vulnerabilities the Blue team is trying to detect, investigate and mitigate security events.”

As the post concludes, “The combined efforts of our teams go toward improving detection by evolving our machine learning algorithms for the detection of anomalous activity as well as incident response.”

Any IT manager responsible for system security will find valuable insight in this post and the included video.  Those wishing to continue to learn more should regularly visit the Red team blog.  If you have any questions about anything you read, please reach out to your CloudStrategies Advisor for more information!

MFA – Great security enhancement or productivity buzz-kill?

MFA – Great security enhancement or productivity buzz-kill?

We’re a little more than a month into turning on Office 365 Multi-Factor Authentication (MFA) for everyone at CloudStrategies. My aim here is to share some thoughts and observations around the experience of using the technology across all my various devices. Is MFA a great way to secure our Office 365 tenant or a productivity buzz-kill? Within the first few days – I would have said a definite yes to both those questions. After a little more time using it every day, I still believe in the security benefits, but have warmed up enough to feel a little less productivity challenged.  More than that, I feel comfortable that I’m taking reasonable and prudent measures to protect access to our systems and data while leveraging the investments we’ve already made in Office 365.

So – let’s start with level setting on what MFA is, and why I believe more and more businesses are going to deploy it sooner than later. Frequently referred to as 2-factor authentication, MFA is technology that requires that a user not only have a username and password to access technology platforms, but instead also prove that they possess something as an additional level of security before accessing systems. The classic example that’s in everyone’s wallet is a debit card. The card without the pin isn’t useful, and the pin without the card doesn’t get you money from an ATM either.

Years ago I carried an RSA SecureID token that had a rotating number on a screen that I needed to have with me at all times to access corporate platforms. The geek in me thought it was cool to carry with me on my key-chain – but the user in me quickly found it difficult to have to sign-in to a VPN before I could do any work from outside the office. Though it may have been subtle, it definitely was enough of a pain that I wouldn’t bother signing in for anything other than a very specific purpose or goal – thus discouraging me from doing as much work as I otherwise might have from outside of the office.

Today, with Microsoft’s implementation of MFA for Office 365, I have a similar feeling of security as I did with my RSA ID, but yet, for my main devices and applications, I also have a sort of “fast pass” that makes the productivity hit much more manageable.

There are two core components of MFA that end users will learn to manage. The first is very much like the RSA experience – though it primarily is delivered through an App on the end users cell phone. The second is called an App Password and can be used as a one-time code for any application that needs to access an Office 365 resource on a regular basis (in the background) – such as email clients, OneNote, calendar applications, cell phones, etc. Let’s talk about the experience of each of these parts of MFA:

For the first part, any time a user needs to access any Office 365 resource through a web browser – whether on their own device – or on a public device, they will start by signing in normally with their username and password. After doing so – instead of immediately gaining access their account, they will be prompted to provide a second level of authentication. For this, there are a few choices. The one I’ve been using has been to be prompted for a 6 digit number that I can only retrieve by launching a simple app on my mobile phone. When prompted for the code, I simply pull out my phone, launch the app, and wait for it to provide me with the number. The number is continuously changing – every 30 seconds or so, so you can never predict what it is and need to type in the number within a given time period. This works exactly like my old RSA token did – perhaps with one benefit in that when I’m home I find that my phone isn’t ever very far away from me – as opposed to where I kept my keys and RSA token – so I’d need to run to the other side of the house to retrieve it.

For all non-browser based access to Office 365 applications, a user’s regular password will no longer be enough to access the system. Because applications like Outlook, Office applications, mobile phone apps, etc. do not have a mechanism to support the entry of an Authentication Code, they will instead leverage a uniquely generated “App Password”. Office 365 can generate up to 40 unique 16 digit App Passwords that can be used for individual applications or devices. App Passwords, once generated, can never be displayed a second time. They are entered and stored in individual applications on a per device basis and once entered, applications function normally – without the need for a MFA Authentication Code. The security strength of App Passwords comes from the fact that they can be deleted at any time. The productivity benefit of an App Password comes from the fact that once entered, those applications no longer need to have a password entered for recurring access to Office 365.  In the event of a breach, and once an App Password is deleted from the Office 365 console, any apps that have stored that password will no longer be able to access Office 365. Think about a scenario where a device is lost or stolen – a simple action of deleting the App Password will nullify that devices ability to provide any access to anything that shouldn’t be accessed.

Security in our lives always comes at a cost – frequently restricting access or limiting our capabilities. Microsoft’s Office 365 MFA solution provides an increased level of protection with a reasonable approach to securing systems and data. Any productivity hit is likely short lived for most users and the comfort that businesses can receive knowing that users data won’t be easily be compromised through the loss of a device or the inadvertent compromise of an individual’s password.

Protecting Data From Your Users’ Own Devices

BYOD may popularly stand for “Bring Your Own Device” but it can quickly become “Build Your Own Disaster” if you’re not careful!


Many have commented that “MDM” which traditionally stands for “Mobile Device Management” should really stand for “Mobile Data Management” because it is the security and privacy of the data that is the largest concern.

Left unchecked, mobile users can easily obtain corporate data from the network, bring it onto their mobile device, and then share it publicly in unauthorized ways using their own private communications software, including email, text and others.  This may violate not only corporate data security, but also federal and state regulatory compliance!

Containerization of Data

The primary strategy available to protect against data being shared in unauthorized ways by mobile users is data containerization in a secure workspace.  This creates a distinct separation in the mobile device’s storage, between the user’s personal data and the corporation’s private data.  Corporate data cannot be accessed via the user’s personal applications, and corporate applications have no access to personal data.

This extends beyond the potential time when the user and the company may separate.  The corporation must then have the ability to remove all corporate data without impacting the user’s personal files in any way.

Go Virtual

Another strategy has been used with great success because it completely avoids transferring any data from the corporate network to the user’s device.  This also means that a wider variety of devices may be acceptable for use in a BYOD environment.  That strategy is virtual device infrastructure (VDI.)

In VDI, the actual user session runs on a server in the corporate data center.  That server manipulates data internally while running the user’s applications.  Only the screen appearance of those applications is communicated to the screen of the user’s mobile device.  The actual data never leaves the data center and no data is ever recorded on the user’s device.

Since the screen appearance, and the user’s keyboard and screen gestures are the only things being transported across the network, the user experience is so fast and efficient that the user perceives it as being a local session.

Publish a BYOD Policy

Just because your company has established a “Bring Your Own Device” (BYOD) initiative does not necessarily mean you must throw the doors open to all comers.  The establishment and publication of a thorough BYOD policy should absolutely begin with stated and enforced requirements for acceptable devices.  To be acceptable, a mobile device must be able to support the required level of encryption, user authentication, and other access security capabilities that the rest of your network adheres to.  This alone will remove a tremendous burden from your security team, as they will not be required to invest significant time researching and evaluating every device that every user “throws at them.”

If possible, your policy should require compliant devices that can be managed using existing security and network management systems.  The newest generation of tablet devices run a full version of Windows 8, which should make them compliant with and manageable by the majority of management and security systems in use today.  Many platforms, including Microsoft System Center, now manage a wider variety of mobile operating systems than ever before, including Android and Apple iOS as well as Windows and Windows Phone.

Your Mobile Cloud Strategy

CloudStrategies enables customers to work wherever and whenever they need to, and make the experience even more robust for the user by allowing them to use their own preferred device to do so.  For assistance in making BYOD work in your organization, speak to your CloudStrategies advisor today!

The Case for the Superior Data Security of the Cloud

The Case for the Superior Data Security of the Cloud

cloud security

don’t trust the Cloud.  My data is safer in my own server room.

Odds would seem to be that you’d agree with this statement.  It’s intuitive.  If you take something that’s inside your premises and put it somewhere else, it would be less secure there.  You’d think most people would feel that way.

When it comes to the security of your data in the cloud, however, evidence starting coming in two years ago this week that more and more people felt quite the opposite.

On May 14, 2012 Microsoft issued a press release, Cloud Computing Security Benefits Dispel Adoption Barrier for Small to Midsize Business, which detailed the results of a study commissioned by Microsoft which reported that about a third of U.S. companies surveyed, “have experienced noticeably higher levels of security since moving to the cloud.  In addition, 32 percent say they spend less time worrying about the threat of cyberattacks. U.S. SMBs using the cloud also spend 32 percent less time each week managing security than companies not using the cloud. They are also five times more likely to have reduced what they spend on managing security as a percentage of overall IT budget.”

“There’s a perception that security is a barrier to cloud adoption,” said Adrienne Hall, general manager, Microsoft Trustworthy Computing. “Yet when companies embrace and invest in cloud services, they find the benefits far outweigh previous concerns. Time and money spent managing security prior to using cloud services is being reinvested by SMBs to grow their businesses and be more competitive.”

Could Cloud Security Actually Be Superior?

One thing everyone will agree upon is that truly effective data and network security costs a great deal of money.  How many small or midmarket companies, or for that matter how many major corporations, could afford to spend as much on security as Microsoft, Amazon, or Google?  How many of them are betting their entire internet business on providing truly secure and trustworthy computing resources to customers?  Clearly, the major cloud service providers are both motivated and equipped to spend what it takes to provide superior security.

Another observation which suggests that data is more secure when stored outside the organization is that, in the majority of cases in which data is stolen or corrupted by an attacker, that attacker comes from within the organization rather than outside.  Perhaps as much as 80-90% of all such data exploits come from inside.   That being the case, moving the data outside makes it harder for the majority of attackers to be successful.

Storing Your Data in the Cloud

Server virtualization, the practice of running multiple “instances” of a server operating system on one physical host server has enabled tremendous economies of scale for public cloud service providers who can “guest” many customers on one piece of hardware.  In earlier days, the one-to-one relationship between customers and server hardware units rendered a remote solution too expensive as the entire cost of the server had to be passed somehow to the customer.  Now each customer pays a small fraction of the cost of the server they share with others.


Using the analogy of living in an apartment building rather than a private home, this strategy is often referred to as “multi-tenancy.”

Naturally, there are concerns around multi-tenancy. Some are concerned that data mingling will occur between server instances from different tenants, or that there will be “data leakage” between instances.  These are the kinds of concerns that might cause some customers to hesitate to adopt public cloud services.

Tacit best practices requires constant skepticism, lets assume the worst case that today’s virtualization technology cannot fully protect multi-tenants from mingling of their data with others.  Were that the case, what would be a viable strategy to enable companies to enjoy the significant cost savings available from public cloud software and infrastructure as a service?

Encrypt the data

Any good internet-based solution encrypts data in transit from one host to another, but what about when the data is at rest in cloud storage?  The economies available from the cloud are obvious, but many people hesitate only because they’re concerned about the safety of their data when it is stored “outside our four walls.”  The solution that will allow you to take advantage of the cloud with confidence is to simply encrypt the data in cloud storage, and you keep the key.

Elad Yoran, CEO of Vaultive, whose product encrypts data at rest, explains that the responsibility for data is shared between the customer and their cloud provider along some very specific lines.  The customer is responsible for selecting the right Cloud Provider.  The Cloud Provider is responsible to properly execute on the technologies that enable security from hackers, malware, viruses, and other threats.  But at the end of the day, the customer alone has responsibility for owning and controlling their data.

Yoran suggests that the only way the customer can control the data in storage at a cloud provider’s data center is to encrypt the data and not share the key with the provider.  This way, should any data link or mingle with another instance in a multi-tenant environment, the other environment will find it to be useless gibberish.

Prevent Unauthorized Disclosure

Another compelling reason Yoran points to for encrypting data at rest is what he refers to as “Unauthorized Disclosure.”  Major cloud providers like Microsoft, Google and others make it very clear in their contract that any government subpoena for data served to them will be complied with immediately.  This means that the government can access your data without notifying you.

If your data is encrypted at the cloud provider, the government will also find useless gibberish until they obtain the key… from you!  You will still have to comply with any subpoena, but at least now you will know about the access and can react accordingly.

So if you’re considering a migration to cloud services and concerns about data leakage are holding you back, consider encrypting the data at rest.

For more insight into the security, privacy, and operational advantages of storing data in the cloud, contact your CloudStrategies Advisor today.

Who Do You Want Reading YOUR eMail?

Screen Shot 2014-02-14 at 12.54.09 PM

  • Concerned about all the recent NSA leaks?
  • Think about whose email server you’re using, and start worrying about them.

Metadata. It’s one of those words you never really thought you’d hear the President of the United States utter, yet there it is. The NSA is not capturing the content of your email, he explains, they’re just looking at the metadata. This presupposes that all US citizens are familiar with that term, and are absolutely okay with the government scanning theirs. Are you?

It is likely to be true that the majority of Americans will never suffer from anyone in the US government scanning their metadata, whatever that is, and may live their lives never knowing whether anyone did or didn’t read their email. The exposure most Americans should be more concerned with is much closer to home, in the form of their employer or their own chosen email provider.

Expectation of Privacy

Many of us don’t think twice about sending emails to our family members, friends, business associates, personal doctors, lawyers, and other professionals from our business email account. It is, after all, our email account, right?

Not right. As an employer, if you’re not advising your employees that the email system and any content travelling on it are the property of the company you’re inviting disaster. This gives departing employees the right to remove whatever they choose from your servers at any time which may be completely out of compliance with your email governance policies.

Further, you must explicitly inform them that they can have no expectation of privacy in using your company email system. Many corporations have been sued by employees when they found out that personal information had been intercepted regarding their health, their financial dealings, even their personal proclivities. Those who had properly informed their personnel that they could have no expectation of privacy won, those who did not often lost.

Properly Protect Your Post Office

Your corporate email server should be given the same respect and consideration you would exercise were you operating your own post office. Content must be completely protected while it is resident at your facility, meaning on your email server, as well as while it is travelling to its various destinations.

Part of providing this protection involves data protection services such as encryption, but some of it requires specific behaviors from people. In most cases, people must request that specific messages be sent in encrypted form, yet employees fail to make those requests. Passwords are often shared, or left vulnerable where other employees can access them. There are many stories of executives who left their systems logged in and others used them to make requests of others and to access highly sensitive information.

Your people can have no expectation of privacy, but your corporation should. Protecting all traffic moving between users and email servers, and from email servers to recipients, must always be protected both at rest and in transit to assure privacy, security, and reputation protection.

Your Cloud eMail Strategies

CloudStrategies helps clients select cloud-based email services that provide maximum privacy protection while also offering maximum user flexibility. For help creating your safe messaging strategy, contact your CloudStrategies Advisor today.

What is Multi-Tenant Data Leakage?

Screen Shot 2014-01-23 at 6.17.28 PM

  • Worried about data leakage in multi-tenant server environments?
  • It’s not all about the server. Protect your data.

One of the challenges of apartment living is that you are so subject to what happens in other apartments all around you. You’re sitting watching television when all of a sudden you feel drops of water falling on you. You look up and see that the ceiling is soaked and water is leaking down on you from the apartment above.

Many users fear that the same can happen when they are sharing a cloud-based file server with other customers of the same cloud provider. Not water, but data may be leaking. Worse, the neighbor next door may have drilled small holes in the wall and is peeking in at them.


One of the elements that creates the incredible cost-efficiency of cloud servers is the concept of multi-tenancy, which is enabled by the “virtualization” of servers. In the past, servers could only run one instance of the server operating system creating only one server that could use resources such as memory, storage, and processor power. Virtualization allowed the running of multiple server instances, creating multiple virtual machines (VMs) inside the one piece of server hardware. Cloud Service Providers could now allow many customers to share one physical server, each running their own instance.

Each customer then became a tenant of that server machine, running their own server instance in their own secured space. Of course, this quickly gave rise to speculation that data could potentially “leak” from one instance to another, or even be proactively penetrated for nefarious purposes by other server tenants. While it is difficult to find documented cases of this actually happening, the concern is very real and there is definitely a fiduciary responsibility to protect even against a suspected vulnerability.

Protecting Your Data

Many experts focus on how to better secure multiple virtual machines within a given server from each other. This is like calling in a plasterer to fix the ceiling above you to protect you from the leak. It solves the immediate problem of the broken ceiling for a moment or two, but doesn’t solve for the underlying root of the problem which is the leaking water.

In other words, it’s all about the data. The data is what you need to protect, not the server. The best and most straightforward solution is to encrypt the data. This way, even if that data does somehow become exposed through leakage, hacking, or other means, those intercepting the data only have gibberish, useless garbled bits. Without your encryption keys they cannot actually use your data.

Open Doors

Safe, reliable multi-tenant cloud servers open new doors to you to dramatically reduce costs and mitigate risks. Encrypting data stored in multi-tenant servers is the ideal way to assure that data leakage will not matter even if it does occur. Whatever you do, never share your encryption keys with your cloud provider. They never need them. They have no reason to ever see the actual data you are storing on their servers. Never.

Your Cloud Data Strategies

CloudStrategies helps clients map out and deploy highly effective encryption strategies to assure that their data is protected in multi-tenant environments. Strong control of data encryption is your best strategy to assure that prying eyes never access your information. To learn more about how to gain strong control, call your CloudStrategies Advisor today.

How can we help? CloudStrategies Discover, Adopt, and Manage Great Cloud Solutions
Drop us a note on what type of Cloud Solution that you're interested in learning more about...