Nobody thinks they need their own private Post Office to send a letter. In fact, nobody has built their own Post Office since the likes of William Penn, Alexander Hamilton, and Benjamin Franklin.
Yet many corporate managers feel they must have their own on-premise server running Microsoft Exchange to provide email and other messaging services for their users.
Simply divide the base cost of an Exchange Server among fewer than 50 users and it becomes apparent that a small company will find it all but impossible to justify owning one.
Every analyst who tries to arrive at the exact number of users it takes to justify the expense uses wildly different variables and arrives at just as wildly different numbers. One hosted Exchange provider claims you need to have more than 400 users to justify purchasing your own, while another claims, verbatim, “Unless you’re managing 5,000 seats or more you should not be in the game. The one guarantee I can give you is that you will lose money if you’re trying to build out your own infrastructure with less than 5,000 seats.”
Those who multiply the hosted price per user per month by the number of users and then by 12, and conclude that the resulting figure exceeds the price of their own Exchange Server, usually leave out the hidden costs of ownership, which according to Rackspace include:
- Annual hardware costs—servers, firewalls, load balancers, operating systems, data center costs and power
- Depreciation of existing hardware and costs of hardware refreshes
- Financing of servers, storage, software, firewalls and load balancers
- Exchange licenses
- Maintenance and repair costs
- Client software (Outlook) installation and maintenance
- Storage costs—SAN, DAS or NAS
- ActiveSync or BlackBerry Mobile Messaging—BlackBerry licenses, BlackBerry admin, BES Server, SQL
- Staffing costs—staffing related to the design, deployment, hosting, administration and support of hardware, software, storage and mobile devices
- End-user administration costs—staffing related user/mailbox administration
Now try to do the math.
Time and experience have shown that hosted service providers of any type typically invest far more in data and network security, and in the people who run it, than an individual small company can, because protecting customer data is their product and their reputation depends on doing it effectively.
One point needs correcting, though. The Verizon 2015 Data Breach Investigations Report does not support the common belief that most breaches come from within: year after year it attributes the majority of confirmed breaches to external actors, with insider misuse a smaller but persistent category. That does not weaken the argument about location. An on-premises Exchange Server puts the mailbox databases, the backups, and the administrative credentials inside the same four walls where any malicious or careless insider already has physical access and usually a domain account, and where the same small IT team that runs everything else is expected to patch, monitor, and defend it.
So the desire for privacy of messaging data may well be better served outside your own four walls, in a facility built and staffed to defend it, provided the provider's own controls and contractual commitments hold up to scrutiny.
There are many more logistical and other pragmatic reasons why your company may prefer hosted, cloud, or on-premises email. As with most things cloud, one size does not fit all. If the time has come for you to upgrade, improve, or otherwise change email platforms, this is a good time to consult with your CloudStrategies Advisor for help creating your most cost-effective messaging strategy.
We’re a little more than a month into turning on Office 365 Multi-Factor Authentication (MFA) for everyone at CloudStrategies. My aim here is to share some thoughts and observations around the experience of using the technology across all my various devices. Is MFA a great way to secure our Office 365 tenant or a productivity buzz-kill? Within the first few days – I would have said a definite yes to both those questions. After a little more time using it every day, I still believe in the security benefits, but have warmed up enough to feel a little less productivity challenged. More than that, I feel comfortable that I’m taking reasonable and prudent measures to protect access to our systems and data while leveraging the investments we’ve already made in Office 365.
So, let's start with level setting on what MFA is, and why I believe more and more businesses are going to deploy it sooner rather than later. Frequently referred to as two-factor authentication, MFA requires that a user not only know a username and password but also prove possession of something else, a second factor, before being granted access. The classic example is in everyone's wallet: a debit card. The card (something you have) is useless without the PIN (something you know), and the PIN without the card does not get you money from an ATM either.
Years ago I carried an RSA SecurID token that had a rotating number on a screen that I needed to have with me at all times to access corporate platforms. The geek in me thought it was cool to carry with me on my key-chain, but the user in me quickly found it difficult to have to sign in to a VPN before I could do any work from outside the office. Though it may have been subtle, it definitely was enough of a pain that I wouldn't bother signing in for anything other than a very specific purpose or goal, thus discouraging me from doing as much work as I otherwise might have from outside of the office.
Today, with Microsoft’s implementation of MFA for Office 365, I have a similar feeling of security as I did with my RSA ID, but yet, for my main devices and applications, I also have a sort of “fast pass” that makes the productivity hit much more manageable.
There are two core components of MFA that end users will learn to manage. The first is very much like the RSA experience, though it is primarily delivered through an app on the end user's phone. The second is called an App Password: a randomly generated, long-lived password issued for a single application or device that needs to reach Office 365 in the background on a regular basis, such as desktop email clients, OneNote, calendar applications, phones, and so on. It is not a one-time code; the application stores it and reuses it until you revoke it. Let's talk about the experience of each of these parts of MFA:
For the first part, any time a user needs to access any Office 365 resource through a web browser, whether on their own device or on a public device, they start by signing in normally with their username and password. After doing so, instead of immediately gaining access to their account, they are prompted for a second level of authentication. For this there are a few choices. The one I've been using is a prompt for a 6 digit number that I can only retrieve by launching a simple app on my mobile phone. When prompted for the code, I simply pull out my phone, launch the app, and wait for it to provide me with the number. The number changes every 30 seconds: it is computed from a secret shared between the app and the service plus the current time, so nobody without that secret can predict it, and you need to type it in before the time window expires. This works exactly like my old RSA token did, perhaps with one benefit in that when I'm home my phone is never very far away from me, as opposed to where I kept my keys and RSA token, so I'd need to run to the other side of the house to retrieve it.
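The 6 digit code described above is a standard time-based one-time password (TOTP, RFC 6238), which is what the Microsoft Authenticator app produces for an Office 365 account. The following is an added example, not code from the original post or from Microsoft, showing how the phone and the service each compute the code from the shared secret and the clock, and how the service checks it. The secret and timestamps are the RFC 6238 test vectors, not anything from a real tenant; the drift window and the replay guard are design choices of this example.

```python
import hashlib
import hmac
import struct
import time

# Assumed parameters: the OATH defaults an authenticator app uses
# (HMAC-SHA1, 30 second step, 6 digits). The secret is the RFC 6238
# test secret, not a real one.
SECRET = b"12345678901234567890"
STEP = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC the counter, dynamically truncate to `digits` decimals."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: the counter is the number of `step` intervals since the epoch.
    Two parties sharing `secret` and roughly agreeing on the time get the same code;
    without the secret the next code cannot be derived from the ones already seen."""
    return hotp(secret, at_time // step, digits)


class TotpVerifier:
    """Service side. Accepts the current step and one step either side to tolerate
    clock drift, and refuses any step at or before the last accepted one, so a code
    that was observed (shoulder-surfed, phished) cannot be replayed within its window."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window
        self.last_counter = -1

    def verify(self, code: str, at_time: int) -> bool:
        counter = at_time // STEP
        for delta in range(-self.window, self.window + 1):
            candidate = counter + delta
            if candidate <= self.last_counter:
                continue  # already consumed: replay guard
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_counter = candidate
                return True
        return False


def demo() -> dict:
    """One sign-in: the app computes the code, the service accepts it once,
    the same code is rejected on replay and again after the window has passed."""
    now = 1111111109                          # RFC 6238 test time
    verifier = TotpVerifier(SECRET)
    code = totp(SECRET, now)                  # what the phone displays
    first = verifier.verify(code, now)        # typed in promptly: accepted
    replay = verifier.verify(code, now + 5)   # same code again: rejected
    late = verifier.verify(code, now + 120)   # four steps later: outside the window
    return {"code": code, "first": first, "replay": replay, "late": late}


if __name__ == "__main__":
    print(demo())
    print("code right now:", totp(SECRET, int(time.time())))
```

Run stand-alone it prints the RFC 6238 code for the test time (081804) and then a live code for the current clock. The verifier's `window` of one step is what makes "every 30 seconds or so" workable in practice; widening it makes an observed code useful to an attacker for longer.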
For all non-browser access to Office 365, a user's regular password will no longer be enough. Because applications like Outlook, the Office desktop applications, and mobile mail apps that still use basic authentication have no way to prompt for an authentication code, they instead use a uniquely generated "App Password". Office 365 can generate up to 40 App Passwords per user, each a random 16 character string, to be used for individual applications or devices. An App Password is displayed exactly once, when it is generated; it is then entered and stored in the individual application on a per-device basis, and from then on the application works normally without any MFA code. The productivity benefit is that once entered, the application never needs a password typed again for recurring access to Office 365. The security trade-off is that an App Password satisfies sign-in without the second factor, so its strength rests on two things: it is random and long enough not to be guessed, and it can be revoked at any time from the Office 365 console. Once deleted, any app that has stored that password can no longer reach Office 365. Think about a scenario where a device is lost or stolen: the simple act of deleting its App Password cuts off that device's ability to reach anything it should not, though it does not erase the mail and files already cached on the device, which is what a remote wipe is for.
Security in our lives always comes at a cost, frequently restricting access or limiting our capabilities. Microsoft's Office 365 MFA solution provides an increased level of protection with a reasonable approach to securing systems and data. Any productivity hit is likely short lived for most users, and in exchange businesses gain the comfort of knowing that user data won't be easily compromised through the loss of a device or the inadvertent compromise of an individual's password.
In his FY 2012 annual letter to shareholders, former Microsoft CEO Steve Ballmer first identified Microsoft as being a “devices & services” company, saying “This is a significant shift, both in what we do and how we see ourselves — as a devices and services company. It impacts how we run the company, how we develop new experiences, and how we take products to market for both consumers and businesses. The work we have accomplished in the past year and the roadmap in front of us brings this to life.”
That declaration has been further refined.
The new CEO of Microsoft, Satya Nadella, recently issued an email to all of his employees in which he declared that Microsoft would be known, going forward, as the “productivity and platforms company” in our “mobile-first and cloud-first world.” In this blog post, we’ll explore what he meant, and what it means to all of us.
Productivity & Platforms
Fundamentally, Nadella is referring to the two services that will form the foundation of the future for Microsoft:
- When he says “productivity” he is referring to Microsoft Office 365, “the complete productivity suite which gives you the familiarity and power of Office with the flexibility of the cloud. With Office in the cloud, your applications and files are with you wherever you go, whether you’re working offline at your desktop, online, or on one of your devices. Edit files at your PC or Mac. Email or share files from your tablet. Join an online meeting from your phone. What you need is accessible from anywhere, right up front, and always up to date.”
- When he says “platform” he is referring to Microsoft Azure, the “open and flexible cloud platform that enables you to quickly build, deploy and manage applications across a global network of Microsoft-managed datacenters. You can build applications using any language, tool or framework. And you can integrate your public cloud applications with your existing IT environment.”
Going back just a few years, if you spoke with anyone about networks or computing you’d probably both be picturing a desktop or laptop computer with someone sitting at a desk doing productive work.
Today, you may be in your car shopping for a new appliance. Instead of driving from Best Buy to Lowe’s and to Home Depot you more than likely take out your handheld smartphone device and open the app for each of those retail stores to compare their prices on the unit you’re interested in. Perhaps you’re already in one of those stores when you find what you’re looking for and want to compare prices. You simply point your smartphone at the “QR” or bar code on the shelf-sticker for the item, scan it, and instantly obtain price comparisons from the other stores.
Then you may sign on to your bank to make sure you have sufficient funds in your checking account to make the purchase.
Needing moral support, you text a friend to ask their opinion of your intended purchase. They point out some reviews you might want to look at. You email home asking your spouse to take a quick photo of the spot you have picked out to install this appliance in to make sure it will look right there.
The next day you’re heading into work and begin checking in via email with your team members… on the same device. You go to work before you even get to work.
As you’re heading to the office you check your inbox and receive a complaint from a client that you didn’t send the file they’ve been waiting for and they need it before the start of the working day. Do you turn around and head home to retrieve it? Speed up and drive recklessly to get to work sooner?
No. You keep all your work files in Microsoft OneDrive, your private cloud storage service. That cloud storage is automatically replicated on your office computer, so when you work on a document it is automatically saved locally and in the OneDrive cloud. Your home computer also replicates that OneDrive cloud storage, so the document was already there on your local drive to work on over the weekend at home.
Now, as you’re travelling, you access OneDrive using that same trusty handheld smartphone you’ve been using and email it directly to the client from where you are. Problem solved.
Your Productivity and Your Platform
Turn to CloudStrategies to help you architect your platform for future productivity. Much is changing not only within Microsoft but within the entire IT industry. We’re here to help you navigate through all of it, finding those innovations that are right for you and your business.
- Concerned about all the recent NSA leaks?
- Think about whose email server you’re using, and start worrying about them.
Metadata. It’s one of those words you never really thought you’d hear the President of the United States utter, yet there it is. The NSA is not capturing the content of your email, he explains, they’re just looking at the metadata. This presupposes that all US citizens are familiar with that term, and are absolutely okay with the government scanning theirs. Are you?
It is likely to be true that the majority of Americans will never suffer from anyone in the US government scanning their metadata, whatever that is, and may live their lives never knowing whether anyone did or didn’t read their email. The exposure most Americans should be more concerned with is much closer to home, in the form of their employer or their own chosen email provider.
Expectation of Privacy
Many of us don’t think twice about sending emails to our family members, friends, business associates, personal doctors, lawyers, and other professionals from our business email account. It is, after all, our email account, right?
Not right. As an employer, if you are not advising your employees that the email system and any content travelling on it are the property of the company, you are inviting disaster. Without that notice, departing employees can argue that they are entitled to take whatever they choose off your servers, which may leave you out of compliance with your own email governance and retention policies.
Further, you must explicitly inform them that they can have no expectation of privacy in using the company email system. Corporations have been sued by employees who found out that personal messages about their health, their finances, even their personal proclivities had been read. Those who had properly informed their personnel that they could have no expectation of privacy generally prevailed; those who had not often lost.
Properly Protect Your Post Office
Your corporate email server should be given the same respect and consideration you would exercise were you operating your own post office. Content must be protected at rest, meaning while it sits on your email server and in its backups, and in transit, while it travels to its various destinations.
Part of providing this protection is technical, such as encryption, but some of it depends on specific behaviors from people. Transport encryption between mail servers (TLS) can be enforced by policy without anyone having to ask for it, but message-level encryption, which also protects a message once it is sitting in the recipient's mailbox, usually has to be requested by the sender or triggered by a rule, and employees routinely fail to request it. Passwords are shared, or left where other employees can find them. There are many stories of executives who left their systems logged in and others used them to make requests of colleagues and to access highly sensitive information.
Your people can have no expectation of privacy, but your corporation should. All traffic moving between users and email servers, and from email servers to recipients, must be protected in transit, and the stored mail protected at rest, to assure privacy, security, and reputation.
Your Cloud eMail Strategies
CloudStrategies helps clients select cloud-based email services that provide maximum privacy protection while also offering maximum user flexibility. For help creating your safe messaging strategy, contact your CloudStrategies Advisor today.
While it may seem frustrating to see these two words when using Lync, it’s actually good news. Active Directory Federation Services are busy at work protecting you and the person you’re trying to communicate with.
According to the Microsoft Windows Server website, “Active Directory Federation Services (AD FS) simplifies access to systems and applications using a claims-based access (CBA) authorization mechanism to maintain application security. AD FS supports Web single-sign-on (SSO) technologies that help information technology (IT) organizations collaborate across organizational boundaries.”
Using Lync again as the example, you can choose to open federation to all domains, or close it to all but those you specifically list. Leaving federation completely open makes Lync much like Skype, a public instant messaging, voice, video, and application sharing service in which anyone can contact you unless you specifically block them.
Closed federation keeps Lync private. Until you add other domains to your list your Lync service is basically a private internal communications channel for use by others within your domain only.
“Any Any Any” Access
In addition to providing single sign-on convenience, Windows Server 2012 R2 pairs AD FS with a new Web Application Proxy, a role service that publishes internal web applications to the Internet and uses AD FS to pre-authenticate users, so that employees on devices currently outside the corporate network, for example connecting through the cloud, can reach corporate applications without first opening a VPN.
Also supported is multi-factor authentication, in which a code is generated and displayed on a token device (or an authenticator app) and must be supplied along with the user ID and password to gain access to network resources. By combining something you know, the ID and password, with something you have, the token that generates the code, you raise the bar well above a password alone: a phished or guessed password is no longer sufficient by itself.
AD FS can also be used selectively to give a specific user access only to specific applications and resources.
AD FS Protects Cloud Users
By controlling access to networks and network resources selectively, AD FS gives cloud administrators considerable latitude in controlling access both to on-premises and to cloud-located systems and services. Many improvements were added in the Windows Server 2012 R2 version of AD FS, including simpler installation as a server role, additional PowerShell cmdlets, enhanced access from personal devices, improved support for the development of modern applications, and new risk management tools such as the multi-factor authentication policies described above.
If you’re using Office 365 with AD FS (Active Directory Federation Services) without high availability, this article could save you time, frustration and perhaps even your job. Single Sign On with AD FS provides the ability for users to sign in once to their Active Directory environment and use those same credentials to access email or other services in Office 365. While using a single set of credentials to access multiple systems is very desirable, this feature comes at a high cost for small and medium-sized businesses.
Have you ever thought how complex Single Sign On with AD FS can be? Have you had second thoughts about whether you made the right choice going down that path based on the size of your organization? You are not alone. Many organizations have been revisiting their Single Sign On design and searching for a better and more reliable solution for their company. Recently Microsoft updated the directory synchronization service to provide almost the same user experience with a feature many are calling “Same Sign On”. The new release is called Windows Azure Active Directory Sync (DirSync) with Password Synchronization.
For those of you concerned about the security of this service, Microsoft appears to have done a good job architecting a secure solution. Password Sync is an extension to the directory synchronization feature implemented by the Directory Sync tool. Active Directory Domain Services does not store passwords; it stores a hash of each password. The Directory Sync tool reads that hash from the on-premises directory and applies additional one-way processing to it before the result is synchronized to the Windows Azure Active Directory authentication service. The value that reaches the cloud therefore cannot be used to log into your on-premises network, and it is designed so that it cannot be reversed to recover the user's plaintext password. Two caveats are worth keeping in mind: the service account that performs the synchronization must be allowed to read password hashes from the directory, so the server running it deserves the same protection as a domain controller; and this feature does not provide Single Sign-On (SSO), because there is no token sharing or exchange in the Password Sync based process, only the same password being accepted in both places.
Then you ask, is there a way to switch from single sign-on to password sync without breaking my network? The answer is yes. Many of the companies we work with are excited about this release, since this feature enables users to log into Azure Active Directory services (such as Office 365, Intune, CRM Online, etc.) using the same password they use to log into your on-premises network.
The process to convert from single sign on to password sync has quite a few steps that must be completed in a specific, but very predictable, order. CloudStrategies has successfully transitioned organizations of 120 to 2000 users from a Federated state to a Managed state (with respect to their authentication flows). There are two recommended approaches. An incremental migration can be used if you want to move users from Federated to Managed authentication in batches: switch those users from the federated namespace to a managed namespace, then synchronize the passwords for the converted users. The other option is a cutover of the entire organization, transitioning the whole namespace from Federated to Managed authentication at once.
Because you’re working on a production environment, working with an experienced Microsoft partner is highly recommended. We believe the payoff is well worth the effort, resulting in:
- A single directory synchronization server – eliminating the need for redundant and geographically-dispersed AD FS servers.
- Minimal dependency on on-premises hardware and data center: if the DirSync with Password Sync server dies, just replace it. An on-premises outage does not affect access to cloud services, because the identity is a managed identity in Azure AD rather than a federated identity that depends on AD FS 2.1 being reachable. (Password changes made on-premises will not reach the cloud until the sync server is back, so users keep signing in with their previously synchronized password in the meantime.)
- No complex AD FS architectures – No AD FS Proxies, load balancers, or certificates for AD FS are required. The deployment is less complex with fewer moving parts.
It’s also important to look carefully at your short-term and long-term requirements. There are a few scenarios where Single Sign On using AD FS is preferable to using “Same Sign On” with Directory Synchronization with Password Sync. This blog is not intended to help you decide whether to choose SSO or Password Sync. Its intention is to let you know there is an alternative to AD FS.