MFA – Great security enhancement or productivity buzz-kill?

We’re a little more than a month into turning on Office 365 Multi-Factor Authentication (MFA) for everyone at CloudStrategies. My aim here is to share some thoughts and observations around the experience of using the technology across all my various devices. Is MFA a great way to secure our Office 365 tenant or a productivity buzz-kill? Within the first few days I would have said a definite yes to both of those questions. After a little more time using it every day, I still believe in the security benefits, but have warmed up enough to feel a little less productivity-challenged. More than that, I feel comfortable that I’m taking reasonable and prudent measures to protect access to our systems and data while leveraging the investments we’ve already made in Office 365.

So – let’s start with level setting on what MFA is, and why I believe more and more businesses are going to deploy it sooner rather than later. Frequently referred to as 2-factor authentication, MFA is technology that requires a user not only to know a username and password, but also to prove that they possess something else (a second factor) before they are granted access to a system. The classic example that’s in everyone’s wallet is a debit card. The card without the PIN isn’t useful, and the PIN without the card doesn’t get you money from an ATM either.

Years ago I carried an RSA SecurID token that had a rotating number on a screen that I needed to have with me at all times to access corporate platforms. The geek in me thought it was cool to carry with me on my key-chain – but the user in me quickly found it difficult to have to sign in to a VPN before I could do any work from outside the office. Though it may have been subtle, it definitely was enough of a pain that I wouldn’t bother signing in for anything other than a very specific purpose or goal – thus discouraging me from doing as much work as I otherwise might have from outside of the office.

Today, with Microsoft’s implementation of MFA for Office 365, I have a similar feeling of security as I did with my RSA ID, but yet, for my main devices and applications, I also have a sort of “fast pass” that makes the productivity hit much more manageable.

There are two core components of MFA that end users will learn to manage. The first is very much like the RSA experience – though it is primarily delivered through an app on the end user’s cell phone. The second is called an App Password and can be used as a one-time code for any application that needs to access an Office 365 resource on a regular basis (in the background) – such as email clients, OneNote, calendar applications, cell phones, etc. Let’s talk about the experience of each of these parts of MFA:

For the first part, any time a user needs to access any Office 365 resource through a web browser – whether on their own device or on a public device – they will start by signing in normally with their username and password. After doing so, instead of immediately gaining access to their account, they will be prompted to provide a second level of authentication. For this, there are a few choices. The one I’ve been using is to be prompted for a 6-digit number that I can only retrieve by launching a simple app on my mobile phone. When prompted for the code, I simply pull out my phone, launch the app, and wait for it to provide me with the number. The number is continuously changing – every 30 seconds or so – so you can never predict what it is, and you need to type in the number within a given time period. This works exactly like my old RSA token did – perhaps with one benefit in that when I’m home I find that my phone isn’t ever very far away from me – as opposed to where I kept my keys and RSA token, which meant I’d need to run to the other side of the house to retrieve it.

For all non-browser-based access to Office 365 applications, a user’s regular password will no longer be enough to access the system. Because applications like Outlook, Office applications, mobile phone apps, etc. do not have a mechanism to support the entry of an Authentication Code, they will instead leverage a uniquely generated “App Password”. Office 365 can generate up to 40 unique 16-digit App Passwords that can be used for individual applications or devices. App Passwords, once generated, can never be displayed a second time. They are entered and stored in individual applications on a per-device basis, and once entered, applications function normally – without the need for an MFA Authentication Code. The security strength of App Passwords comes from the fact that they can be deleted at any time. The productivity benefit of an App Password comes from the fact that once entered, those applications no longer need to have a password entered for recurring access to Office 365. In the event of a breach, once an App Password is deleted from the Office 365 console, any apps that have stored that password will no longer be able to access Office 365. Think about a scenario where a device is lost or stolen – the simple action of deleting the App Password will nullify that device’s ability to provide access to anything that shouldn’t be accessed.
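The revocation model described above, as an added example that is not Office 365’s own implementation: a tenant-side store that issues one App Password per device or application, keeps only a salted hash of it (so the clear text really can’t be shown a second time), and revokes a single one without disturbing the rest. The class name, the per-user cap as a constructor default and the hex password format are assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

# Assumptions (added example, not Office 365's implementation): a store that
# issues per-device App Passwords, stores only a salted PBKDF2 hash of each,
# caps them per user (40 is the figure the post gives) and revokes one at a time.
KDF_ROUNDS = 100_000


class AppPasswordStore:
    def __init__(self, max_per_user: int = 40) -> None:
        self.max_per_user = max_per_user
        # user -> label -> (salt, hash); the label names the device or app
        self._entries: Dict[str, Dict[str, Tuple[bytes, bytes]]] = {}

    @staticmethod
    def _digest(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ROUNDS)

    def create(self, user: str, label: str) -> str:
        """Issue a new 16-character App Password for one device/app. The clear
        text is returned exactly once and is never stored anywhere."""
        user_entries = self._entries.setdefault(user, {})
        if label in user_entries:
            raise ValueError(f"label {label!r} already has an App Password")
        if len(user_entries) >= self.max_per_user:
            raise ValueError(f"{user} already has {self.max_per_user} App Passwords")
        password = secrets.token_hex(8)          # 16 hex chars; constructed format
        salt = secrets.token_bytes(16)
        user_entries[label] = (salt, self._digest(password, salt))
        return password

    def verify(self, user: str, candidate: str) -> Optional[str]:
        """Return the label of the device whose App Password matched, or None.
        Every entry is checked (no early exit) with a constant-time compare."""
        matched = None
        for label, (salt, stored) in self._entries.get(user, {}).items():
            if hmac.compare_digest(self._digest(candidate, salt), stored):
                matched = label
        return matched

    def revoke(self, user: str, label: str) -> bool:
        """Delete one App Password: the device that stored it loses access on
        its next request while every other device keeps working."""
        return self._entries.get(user, {}).pop(label, None) is not None

    def labels(self, user: str) -> List[str]:
        """What the admin console would list: labels only, never passwords."""
        return sorted(self._entries.get(user, {}))
```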

Security in our lives always comes at a cost – frequently restricting access or limiting our capabilities. Microsoft’s Office 365 MFA solution provides an increased level of protection with a reasonable approach to securing systems and data. Any productivity hit is likely to be short-lived for most users, and businesses gain the comfort of knowing that user data won’t easily be compromised through the loss of a device or the inadvertent compromise of an individual’s password.

Who Do You Want Reading YOUR eMail?

  • Concerned about all the recent NSA leaks?
  • Think about whose email server you’re using, and start worrying about them.

Metadata. It’s one of those words you never really thought you’d hear the President of the United States utter, yet there it is. The NSA is not capturing the content of your email, he explains, they’re just looking at the metadata. This presupposes that all US citizens are familiar with that term, and are absolutely okay with the government scanning theirs. Are you?

It is likely to be true that the majority of Americans will never suffer from anyone in the US government scanning their metadata, whatever that is, and may live their lives never knowing whether anyone did or didn’t read their email. The exposure most Americans should be more concerned with is much closer to home, in the form of their employer or their own chosen email provider.

Expectation of Privacy

Many of us don’t think twice about sending emails to our family members, friends, business associates, personal doctors, lawyers, and other professionals from our business email account. It is, after all, our email account, right?

Not right. As an employer, if you’re not advising your employees that the email system and any content travelling on it are the property of the company, you’re inviting disaster. Failing to do so gives departing employees the right to remove whatever they choose from your servers at any time, which may be completely out of compliance with your email governance policies.

Further, you must explicitly inform them that they can have no expectation of privacy in using your company email system. Many corporations have been sued by employees when they found out that personal information had been intercepted regarding their health, their financial dealings, even their personal proclivities. Those who had properly informed their personnel that they could have no expectation of privacy won; those who did not often lost.

Properly Protect Your Post Office

Your corporate email server should be given the same respect and consideration you would exercise were you operating your own post office. Content must be completely protected while it is resident at your facility, meaning on your email server, as well as while it is travelling to its various destinations.

Part of providing this protection involves data protection services such as encryption, but some of it requires specific behaviors from people. In most cases, people must request that specific messages be sent in encrypted form, yet employees fail to make those requests. Passwords are often shared, or left where other employees can access them. There are many stories of executives who left their systems logged in, allowing other people to use those sessions to make requests in the executive’s name and to access highly sensitive information.

Your people can have no expectation of privacy, but your corporation should. All traffic moving between users and email servers, and from email servers to recipients, must be protected both at rest and in transit to assure privacy, security, and reputation protection.

Your Cloud eMail Strategies

CloudStrategies helps clients select cloud-based email services that provide maximum privacy protection while also offering maximum user flexibility. For help creating your safe messaging strategy, contact your CloudStrategies Advisor today.

What is Multi-Tenant Data Leakage?

  • Worried about data leakage in multi-tenant server environments?
  • It’s not all about the server. Protect your data.

One of the challenges of apartment living is that you are so subject to what happens in other apartments all around you. You’re sitting watching television when all of a sudden you feel drops of water falling on you. You look up and see that the ceiling is soaked and water is leaking down on you from the apartment above.

Many users fear that the same can happen when they are sharing a cloud-based file server with other customers of the same cloud provider. Not water, but data may be leaking. Worse, the neighbor next door may have drilled small holes in the wall and is peeking in at them.


One of the elements that creates the incredible cost-efficiency of cloud servers is the concept of multi-tenancy, which is enabled by the “virtualization” of servers. In the past, a physical server could only run one instance of the server operating system, creating only one server that could use resources such as memory, storage, and processor power. Virtualization allowed the running of multiple server instances, creating multiple virtual machines (VMs) inside the one piece of server hardware. Cloud Service Providers could now allow many customers to share one physical server, each running their own instance.

Each customer then became a tenant of that server machine, running their own server instance in their own secured space. Of course, this quickly gave rise to speculation that data could potentially “leak” from one instance to another, or even be proactively penetrated for nefarious purposes by other server tenants. While it is difficult to find documented cases of this actually happening, the concern is very real and there is definitely a fiduciary responsibility to protect even against a suspected vulnerability.

Protecting Your Data

Many experts focus on how to better secure multiple virtual machines within a given server from each other. This is like calling in a plasterer to fix the ceiling above you to protect you from the leak. It solves the immediate problem of the broken ceiling for a moment or two, but doesn’t solve for the underlying root of the problem which is the leaking water.

In other words, it’s all about the data. The data is what you need to protect, not the server. The best and most straightforward solution is to encrypt the data. This way, even if that data does somehow become exposed through leakage, hacking, or other means, those intercepting the data only have gibberish, useless garbled bits. Without your encryption keys they cannot actually use your data.

Open Doors

Safe, reliable multi-tenant cloud servers open new doors to you to dramatically reduce costs and mitigate risks. Encrypting data stored in multi-tenant servers is the ideal way to assure that data leakage will not matter even if it does occur. Whatever you do, never share your encryption keys with your cloud provider. They never need them. They have no reason to ever see the actual data you are storing on their servers. Never.

Your Cloud Data Strategies

CloudStrategies helps clients map out and deploy highly effective encryption strategies to assure that their data is protected in multi-tenant environments. Strong control of data encryption is your best strategy to assure that prying eyes never access your information. To learn more about how to gain strong control, call your CloudStrategies Advisor today.

A Way Out: Switching From Single Sign-On To Password Sync

If you’re using Office 365 with AD FS (Active Directory Federation Services) without high availability, this article could save you time, frustration and perhaps even your job. Single Sign On with AD FS provides the ability for users to sign in once to their Active Directory environment and use those same credentials to access email or other services in Office 365. While using a single set of credentials to access multiple systems is very desirable, this feature comes at a high cost for small and medium-sized businesses.

Have you ever thought how complex Single Sign On with AD FS can be? Have you had second thoughts about whether you made the right choice going down that path based on the size of your organization? You are not alone. Many organizations have been revisiting their Single Sign On design and searching for a better and more reliable solution for their company. Recently Microsoft updated the directory synchronization service to provide almost the same user experience with a feature many are calling “Same Sign On”. The new release is called Windows Azure Directory Synchronization with Password Synchronization.

For those of you concerned about the security of this service, it appears Microsoft has done a pretty good job architecting a secure solution to this problem. Password Sync is an extension to the directory synchronization feature implemented by the Directory Sync tool. The Active Directory Domain Service stores passwords in the form of a hash value representation of the actual user password. The password hash cannot be used to log in to your on-premises network. It is also designed so that it cannot be reverse-engineered in order to gain access to the user’s plaintext password. To synchronize a password, the Directory Sync tool extracts the user password hash from the on-premises Active Directory. Additional security processing is applied to the password hash before it is synchronized to the Azure Active Directory Authentication service. It is important to note that this feature does not provide a Single Sign-On (SSO) solution, because there is no token sharing or exchange in the Password Sync based process.

Then you ask, is there a way to switch from single sign-on to password sync without breaking my network? The answer is yes. Many of the companies we work with are excited about this release, since this feature enables users to log into Azure Active Directory services (such as Office 365, Intune, CRM Online, etc.) using the same password they use to log into your on-premises network.

The process to convert from single sign on to password sync has quite a few steps that must be completed in a specific, but very predictable, order. Cloud Strategies has successfully transitioned organizations from 120 to 2000 users from a Federated State to a Managed State (with respect to their authentication flows). There are 2 recommended approaches to achieve this task. An Incremental Migration can be considered if you want to incrementally transition your users from Federated Authentication to Managed Authentication. You can do this by switching users from a Federated Namespace to a Managed Namespace, then synchronizing the passwords for the converted users. The other option is to cut over the entire organization and transition the entire namespace from Federated to Managed Authentication.

Because you’re working on a production environment, working with an experienced Microsoft partner is highly recommended.  We believe the payoff is well worth the effort, resulting in:

  • A single directory synchronization server – eliminating the need for redundant and geographically-dispersed AD FS servers.
  • Minimal dependency on on-premises hardware/data center – if the Dirsync with Password Sync server dies, just replace it. There is no impact on accessing cloud services during an on-premises outage, because the identity is a managed identity in Azure AD rather than a federated identity using AD FS 2.1.
  • No complex AD FS architectures – No AD FS Proxies, load balancers, or certificates for AD FS are required. The deployment is less complex with fewer moving parts.

It’s also important to look carefully at your short-term and long-term requirements. There are a few scenarios where Single Sign On using AD FS is preferable to using “Same Sign On” with Directory Synchronization with Password Sync. This blog is not intended to help you decide whether to choose SSO or Password Sync.  Its intention is to let you know there is an alternative to AD FS.

Exchange Online mailboxes grow to 50 GB!

What’s bigger than Huge?

For the last several years we’ve been telling clients that Microsoft’s Exchange Online mailboxes are HUGE.  By just about every measure, a 25 GB mailbox limit makes this a fair and accurate statement.

The end of last month, with little fanfare, Microsoft announced that they would be doubling the size of mailboxes within Office 365 service plans.  This brings the typical 25 GB limit up to 50 GB!

Stephen Brown, a Microsoft Product Marketing Manager on the Exchange team, posted a blog post on August 29th announcing details of the changes.

Pricing for Office 365 service plans will not change as a result of the increase.  Microsoft is providing the increase as a commitment to continuously deliver value to Office 365 customers.  The increase has already started rolling out and will continue through November.  There is nothing that you need to do to take advantage of the new mailbox size.

In addition to primary mailbox sizes, shared mailboxes and resource mailboxes are also doubling in capacity to 10 GB.

The following table summarizes the new mailbox sizes by plan:


Multi-Tenancy – What it Means to You – What you Need to Ask

CloudStrategies’ mission is to help clients take fullest possible advantage of the incredible cost savings available from cloud computing, and to do so in a completely secure, private and compliant manner.

One of the primary ways in which cloud computing creates these economies is through sharing of resources, including shared servers, shared storage, even shared applications.  This is similar to having many tenants in a building sharing common space such as hallways, elevators, storage facilities and utilities.  Accordingly, in the cloud computing environment this sharing is referred to as “multi-tenancy.”

Multi-Tenancy Based on Service Type

The economies available from Infrastructure-as-a-Service (IaaS) are derived in large part by virtualizing servers and allowing many clients to share a physical machine that is running multiple instances of a server operating system. CloudStrategies only works with cloud providers who have demonstrated their ability to manage their virtualization implementation to assure proper segregation, segmentation, and isolation. This assures each tenant that their resources are completely protected from other tenants on the same hardware.

Software-as-a-Service (SaaS) providers allow access to their applications by many users from many different organizations. When CloudStrategies evaluates SaaS providers we look for strong authentication and authorization provisions, security policies that ensure controlled access to each user’s data, and encryption of the data in storage.

Questions We Ask – And You Should Too


Just as you exercise due diligence when making any purchase, you must ask questions of the cloud service providers you intend to contract with. Ask them how they protect your data in storage, and how they assure that the only people who can access your data are those you approve. What are their provisions for user authentication and access authorization? Talk with them about the virtualization systems they use to provide multiple server instances. How do they go about assuring that each server instance is completely segregated from others on the same physical server device? Since cloud infrastructure is ever-changing and ever-growing, discuss their use of automation and how it enables them to keep ahead of capacity and configuration changes.

At CloudStrategies, we pride ourselves on partnering closely with our clients in addressing their data management issues utilizing state-of-the-art software and hardware tools.  This gives us peace of mind knowing that our clients have the most current, advanced, and secure data management solutions available.
