We’re a little more than a month into turning on Office 365 Multi-Factor Authentication (MFA) for everyone at CloudStrategies. My aim here is to share some thoughts and observations around the experience of using the technology across all my various devices. Is MFA a great way to secure our Office 365 tenant or a productivity buzz-kill? Within the first few days – I would have said a definite yes to both those questions. After a little more time using it every day, I still believe in the security benefits, but have warmed up enough to feel a little less productivity challenged. More than that, I feel comfortable that I’m taking reasonable and prudent measures to protect access to our systems and data while leveraging the investments we’ve already made in Office 365.
So let’s start by level-setting on what MFA is, and why I believe more and more businesses are going to deploy it sooner rather than later. Frequently referred to as two-factor authentication, MFA is technology that requires a user not only to have a username and password to access technology platforms, but also to prove that they possess something else as an additional level of security before accessing systems. The classic example that’s in everyone’s wallet is a debit card. The card without the PIN isn’t useful, and the PIN without the card doesn’t get you money from an ATM either.
Years ago I carried an RSA SecurID token that had a rotating number on a screen that I needed to have with me at all times to access corporate platforms. The geek in me thought it was cool to carry with me on my key-chain, but the user in me quickly found it difficult to have to sign in to a VPN before I could do any work from outside the office. Though it may have been subtle, it definitely was enough of a pain that I wouldn’t bother signing in for anything other than a very specific purpose or goal, thus discouraging me from doing as much work as I otherwise might have from outside of the office.
Today, with Microsoft’s implementation of MFA for Office 365, I have a similar feeling of security as I did with my RSA ID, but yet, for my main devices and applications, I also have a sort of “fast pass” that makes the productivity hit much more manageable.
There are two core components of MFA that end users will learn to manage. The first is very much like the RSA experience, though it is primarily delivered through an app on the end user’s cell phone. The second is called an App Password and is entered once into any application that needs to access an Office 365 resource on a regular basis (in the background), such as email clients, OneNote, calendar applications, cell phones, etc. Let’s talk about the experience of each of these parts of MFA:
For the first part, any time a user needs to access any Office 365 resource through a web browser, whether on their own device or on a public device, they will start by signing in normally with their username and password. After doing so, instead of immediately gaining access to their account, they will be prompted to provide a second level of authentication. For this, there are a few choices. The one I’ve been using is to be prompted for a 6-digit number that I can only retrieve by launching a simple app on my mobile phone. When prompted for the code, I simply pull out my phone, launch the app, and wait for it to provide me with the number. The number changes continuously, every 30 seconds or so, so you can never predict what it is and you need to type it in within the given time period. This works exactly like my old RSA token did, perhaps with one benefit: when I’m home I find that my phone is never very far away from me, as opposed to where I kept my keys and RSA token, so I’d need to run to the other side of the house to retrieve it.
For all non-browser-based access to Office 365 applications, a user’s regular password will no longer be enough to access the system. Because applications like Outlook, Office applications, mobile phone apps, etc. do not have a mechanism to support the entry of an authentication code, they will instead use a uniquely generated “App Password”. Office 365 can generate up to 40 unique 16-digit App Passwords that can be used for individual applications or devices. App Passwords, once generated, can never be displayed a second time. They are entered and stored in individual applications on a per-device basis, and once entered, applications function normally without the need for an MFA authentication code. The security strength of App Passwords comes from the fact that they can be deleted at any time. The productivity benefit of an App Password comes from the fact that once entered, those applications no longer need to have a password entered for recurring access to Office 365. In the event of a breach, once an App Password is deleted from the Office 365 console, any apps that have stored that password will no longer be able to access Office 365. Think about a scenario where a device is lost or stolen: the simple action of deleting the App Password will nullify that device’s ability to provide access to anything that shouldn’t be accessed.
Security in our lives always comes at a cost, frequently restricting access or limiting our capabilities. Microsoft’s Office 365 MFA solution provides an increased level of protection with a reasonable approach to securing systems and data. Any productivity hit is likely short-lived for most users, and it is outweighed by the comfort businesses gain from knowing that users’ data won’t easily be compromised through the loss of a device or the inadvertent compromise of an individual’s password.
Have you ever considered the lifecycle of an idea?
The igniting fuel of any idea is inspiration, which can come from anywhere. Something someone sees, hears, touches, smells, or simply considers. A serendipitous series of experiences that cause something synergistic to happen inside the mind of a person. An idea.
Next the idea is discussed, probably very informally. “Have you ever thought of…” conversations are so often spur-of-the-moment events. With instant messaging technology at our fingertips we might not even be near the person we discuss our idea with. We very often just tap out a short message about our idea. Share it with someone else. Let them start thinking about it.
As the idea begins to take root in more minds it begins to sprout and grow. More people get drawn into the conversation as the idea is shared with them. Because instant messaging is so wonderfully asynchronous we no longer need to wait until people are together in the same place at the same time talking about the same thing. Thoughts about the new idea are shot back and forth between people. The thread weaves more people into it, and the idea starts growing exponentially.
With all of these thoughts shared about the idea, it morphs repeatedly, expanding, growing, changing, and improving, until ultimately it can no longer fit within the chrysalis of being simply an idea. It must now burst out and become a full-fledged plan that eventually gets executed and makes the amazing transition from idea to reality.
Social Intelligence vs. Facts
We have seen powerful platform tools like email facilitate the sharing of facts. We have seen communication platforms that enable collaboration on a whole new scale.
When it comes to ideas, however, the source from which everything else begins, the sharing required to develop them must be spontaneous and highly responsive. People must have the freedom to express their thoughts if they are to contribute most positively to any idea.
- Imagine having the agility to share thoughts instantly as they occur to you, ruminate over them, continue discussing them whenever you are moved to do so.
- Imagine being able to go back and review all of the spontaneous inspirations you and your colleagues have shared going right back to the original idea.
- Imagine being able to mold the growing idea with other multi-modal tools that add sound, visuals, and other media to your thoughts.
- Imagine groups breaking off to separately develop specific parts of the idea.
- Imagine being able to return to the discussion whenever and from wherever you choose, responding to inspiration and stimuli you may encounter at any time, and picking up right where you left off.
Now imagine that all of this is documented so well that you can take all of it and work with it to create a cogent, valuable plan from all that thinking and sharing. A plan that contributes tremendously to the growth and success of your enterprise.
You’ve just imagined Yammer, a persistent chat tool that allows your organization to privately conduct the kind of informal but important interaction that takes ideas from inspiration through to implementation.
Yammer captures your institutional knowledge in a framework that is completely governed by your business rules yet open enough to support inspiration and imagination. Yammer protects and preserves this institutional intelligence even though some of the participants may leave the organization. It changes the way people work together, for the better.
Here’s an Idea!
An initiative like Yammer requires buy-in not only from the executive level but also from the grassroots level. It requires the commitment to participate and to learn and grow. Your CloudStrategies Advisor can take you through the process and help you understand what to expect, and what your company will gain by making Yammer a part of your communications life. Contact us today about Yammer.
We spoke recently of VDI, virtual device infrastructure, as a viable strategy for keeping data secure while mobile users are accessing it by never really transferring it to their device. Instead, the application using the data simply runs inside the data center and only the appearance of the screen and the keyclicks from the mobile device are transferred across the network.
We also mentioned the other available strategy, containerization, and in this post we’ll cover the key concerns and concepts central to using containerization.
The Most Important Question
No matter which strategy you select, the most important question to answer is whether or not it can keep enterprise apps and data completely separate from personal apps and data.
If personal apps can access enterprise data then it’s all too easy for a user to inadvertently void the value of any and all security efforts by simply transferring that data outside the corporate network using their personal email, instant messaging, or other social media app. End of story.
If the enterprise can access the user’s personal data then they have completely violated that user’s privacy. If they inadvertently destroy any of that data, say while wiping the device following the exit of the user from their employ, they have just committed an infraction of data indemnification laws that can cost the company dearly. Again, not good.
The name of the mobile “BYOD” (Bring Your Own Device) game is to preserve the user’s customary experience while keeping corporate assets and personal assets completely apart in the same device.
What Gets “Containerized?”
The earliest tools made available for management of a company’s mobile computing assets were called Mobile Device Management (MDM) software. It quickly became obvious that it was vastly insufficient to simply control password management and provide some level of encryption and remote device wipe capability. Many soon started using “MDM” to mean Mobile DATA Management. Others coined “MAM” to mean Mobile Application Management. Once again the IT industry spends more time and effort trying to name things than to make them actually work.
What can be misleading about the phrase “mobile data management” is that the data is indeed managed, but at the application level. That is, when an application is run on the mobile device a secure container is created for it and continues to exist as long as the application is still running. When the application stops, the container and the data within it are removed from the device. Some characterize VDI as being one container for all applications and all data which might be less secure, but this is a misleading characterization as no data actually transfers to the device in VDI.
Can All Apps be Containerized?
Ultimately, the answer to this question may be yes, but for the company seeking to use containerization as a strategy the right answer is “only if you make them so.” In other words, developers will need to either develop their apps to include containerization or an “appwrapper” may need to be developed to enable the application to run on a mobile device in a container. In most cases, as of now, this is not something your users will be able to just download from an app store.
Which is better, containerization or VDI?
As with most things IT, the answer absolutely depends upon your environment, your applications, your needs, and other specifics, as well as your own definition of “better.”
Your best solution is to seek advice from your CloudStrategies Advisors, who regularly design secure mobile solutions for cloud customers. They’ll ask a lot of questions, and give you the best answers.
You find yourself in a “virulent outbreak” movie. The hero bravely enters the multi-walled hermetically sealed vault in which the most deadly dangerous viruses in the world are kept. One drop could wipe out the entire human race, that kind of thing.
He takes the vial from the vault and very carefully carries it with him out of the facility to where the scientists who are going to come up with the cure are waiting. He strides into the van in which they are all waiting and watching on their monitors and places the vial on the table in front of them.
That vial, at that moment, is as vulnerable as can be imagined. Don’t blame the hero for his stupidity. Blame the scriptwriters.
It’s No Different With Data
Okay, so the security of your business data isn’t world-threatening, but it certainly threatens YOUR world if any of it is left out in the open where others can access it, and that’s exactly what can happen when someone in your company accesses your servers with their smartphone. They transfer your high-value critical business data onto their own little device. Next they can email it, instant message it, Facebook it, Skype it, or otherwise transmit it to people you never intended to have access to it. So much for all of your investments in security.
Keep the Data in Your Data Center
Let’s stop thinking for a moment about how the data moves around your network and think instead about how it gets from your network to your brain, and back again. Usually you either read it on the screen or listen to it come out of your computer in the form of audio with or without video. To get data going back from you to the network you can tap keys on a keyboard, speak into a microphone and/or into a camera.
What if the screen it was being displayed on was back inside your data center and you could just have the image of that screen transmitted to you on your device? No data leaves the data center, just the appearance of it briefly on a duplicated screen image. Your keyboard clicks and mouse or screen movements could be similarly transmitted back to the data center without any actual data going back and forth.
Not only would it avoid needing to let any data out of the data center, it would also be much faster because so little information was crossing the network. What a great idea!
Some of you are already thinking, “hey, that’s not new, that’s VDI – Virtual Display Interchange! That’s been around forever!” and you’d be correct! VDI has been re-imagined into Virtual Device Infrastructure, allowing screen contents to be properly formatted for whatever form-factor and display your device may have. Now, data centers can transmit just the screen appearance and keyclicks back and forth between you on your mobile device and your private, public, or hybrid data center infrastructure.
Your data stays in your data center and the world is once again safe and sound. Talk to your CloudStrategies Advisor today to learn how!
BYOD may popularly stand for “Bring Your Own Device” but it can quickly become “Build Your Own Disaster” if you’re not careful!
Many have commented that “MDM” which traditionally stands for “Mobile Device Management” should really stand for “Mobile Data Management” because it is the security and privacy of the data that is the largest concern.
Left unchecked, mobile users can easily obtain corporate data from the network, bring it onto their mobile device, and then share it publicly in unauthorized ways using their own private communications software, including email, text and others. This may violate not only corporate data security, but also federal and state regulatory compliance!
Containerization of Data
The primary strategy available to protect against data being shared in unauthorized ways by mobile users is data containerization in a secure workspace. This creates a distinct separation in the mobile device’s storage, between the user’s personal data and the corporation’s private data. Corporate data cannot be accessed via the user’s personal applications, and corporate applications have no access to personal data.
This extends beyond the potential time when the user and the company may separate. The corporation must then have the ability to remove all corporate data without impacting the user’s personal files in any way.
Another strategy has been used with great success because it completely avoids transferring any data from the corporate network to the user’s device. This also means that a wider variety of devices may be acceptable for use in a BYOD environment. That strategy is virtual device infrastructure (VDI).
In VDI, the actual user session runs on a server in the corporate data center. That server manipulates data internally while running the user’s applications. Only the screen appearance of those applications is communicated to the screen of the user’s mobile device. The actual data never leaves the data center and no data is ever recorded on the user’s device.
Since the screen appearance, and the user’s keyboard and screen gestures are the only things being transported across the network, the user experience is so fast and efficient that the user perceives it as being a local session.
Publish a BYOD Policy
Just because your company has established a “Bring Your Own Device” (BYOD) initiative does not necessarily mean you must throw the doors open to all comers. The establishment and publication of a thorough BYOD policy should absolutely begin with stated and enforced requirements for acceptable devices. To be acceptable, a mobile device must be able to support the required level of encryption, user authentication, and other access security capabilities that the rest of your network adheres to. This alone will remove a tremendous burden from your security team, as they will not be required to invest significant time researching and evaluating every device that every user “throws at them.”
If possible, your policy should require compliant devices that can be managed using existing security and network management systems. The newest generation of tablet devices run a full version of Windows 8, which should make them compliant with and manageable by the majority of management and security systems in use today. Many platforms, including Microsoft System Center, now manage a wider variety of mobile operating systems than ever before, including Android and Apple iOS as well as Windows and Windows Phone.
Your Mobile Cloud Strategy
CloudStrategies enables customers to work wherever and whenever they need to, and make the experience even more robust for the user by allowing them to use their own preferred device to do so. For assistance in making BYOD work in your organization, speak to your CloudStrategies advisor today!
The answer is everything. The question is “what is really moving when you talk about ‘going mobile’?”
The first thing most people think of when you talk about mobile computing is a smartphone or a tablet, the device you actually use. It follows that ‘going mobile’ for them means changing from a desktop or laptop computer to a smartphone or a tablet. Tip of the iceberg.
What Else Changes?
Operating System – If we consider that device to be the endpoint and work our way inward, the next thing that changes is the operating system that the user encounters. On a desktop or laptop it would most likely be Windows, but on a smartphone or tablet it might be Apple iOS or Google’s Android. Even on a Windows Phone, the operating system isn’t really Windows.
Applications – Next stop is the application. For a while the popular application to use when accessing many software-based services was a web browser, but that has shifted within the last few years to the point where most services are delivered by a dedicated “native app.” This is an app that has been specially produced to run on the specific device you have, and exploit as many of its capabilities as possible. If the device is a smartphone, the buttons will be large enough for the fat-fingered among us to navigate.
In the Windows world, Windows 8 and 8.1 were designed to offer two working environments. One is the classic desktop running classic Windows application software. The other is the now-familiar tiled “modern user interface” which allows the user to tap the tiles to open “apps” that run the way you’d expect them to on a tablet. Users who yearn for the “good old days” can still get back to the familiar desktop and work there, but the Start menu has become a full-screen Start Page.
Data – One of the things that may not move much is the data. IT managers who must support mobile users on smartphone and tablet devices continue to refine their strategies for keeping the corporate data that reaches the device from mixing with the user’s personal data.
Many prefer not to ever let the data get out of the data center. Instead they have adapted Virtual Desktop Infrastructure (VDI) to run the actual apps on a server in the data center and only exchange screen appearance and keystrokes between the data center and the user device. When no data ever gets on the device, there is no need to “containerize” the corporate and personal data to keep them separated.
Network – To bridge the gap between the device and the corporate network we move our network connection from the familiar RJ-45 connected Ethernet port to a 3G or 4G/LTE wide area wireless network that ultimately connects back to the corporate network.
Data Center – Finally we get home to the data center. But, wait, this may not be our familiar data center. When going mobile, many companies are choosing to drive their mobility with cloud-delivered services, especially cloud-delivered communications and collaboration services. While large corporations may prefer to keep their infrastructure internal, many midmarket and even larger companies are choosing subscription-based cloud services that give them all the same functionality as the enterprise systems enjoy. Less internal infrastructure means lower cost. In one recent use case a multi-national consultancy estimated that their operating costs had been reduced by as much as 90%.
Phone Service – Moving phone service to become part of the cloud communication solution also dramatically reduces costs as all internal calls are routed across the company’s internal network rather than the tariff-bearing public switched telephone network.
For a glimpse into the near future of cloud-enabled mobility, start with the recent announcement by Microsoft that they are now the “Devices & Services” company. Why would the world’s largest and best known software company stop calling itself a software company? Because they see an end coming to the age of software which will be replaced by everything-as-a-service (EaaS). In this new world you can choose your device based on its speeds, feeds, form factor, creature-comfort and other features, and then select the services you need to access. Your choice of device. Your choice of services. Almost without restriction.
You can leverage the power of cloud-enabled mobile communications and collaboration capabilities today. To learn more, contact your CloudStrategies Advisor today!