ACCESS MANAGEMENT - SecureAuth · 2019-05-31

ACCESS MANAGEMENT FOR OFFICE 365 Why passwords and two-factor authentication are not enough.


Post on 02-Jun-2020


TABLE OF CONTENTS

Introduction

Significant Risk, Inadequate Solutions

Levels of Authentication

Single-factor: Bad Guys with the Right Key

Two-Factor: Too Little, Too Late

Multi-factor & Adaptive: Contextual Kevlar

Authentic Authentication

High Stakes

High Reward

Conclusion: Adapt and Thrive


INTRODUCTION

It’s easy to understand why Office 365 is the most widely used cloud service in the world: its applications are constantly updated, it’s easy to use, and it comes at a relatively low cost. It’s also a prime target for would-be attackers.

There are no hypotheticals here. Chances are, your business is not only already at risk—your data is already threatened. One study reports that virtually every organization experiences at least one cloud-based threat each month and the average has soared to nearly six incidents every week.

To combat these security concerns, organizations must move beyond the use of traditional username + password and enact a solution that enables them to detect and block attackers, including those who may be using stolen credentials. Two-factor authentication (2FA) can help, but it simply isn’t enough.

Read on to see how Multi-Factor Authentication (MFA) with risk analysis (Adaptive Authentication) can help you properly control access to your Office 365 environment and protect your business.

94% of corporate Office 365 users have at least one insider threat per month. More than half (57.5%) have at least one privileged user threat.1


SIGNIFICANT RISK, INADEQUATE SOLUTIONS

81% of hacking-related breaches leveraged either stolen and/or weak passwords.2 It only takes one breach for an organization to understand why relying on the traditional username + password doesn’t cut it.

$89 billion was invested in security in 2017, yet breaches rose by 44%. One key problem is that over 90% was spent on network and endpoint security, but only about $7 billion was spent on identity security.

58% of sensitive data in the cloud is stored in Microsoft Office documents.3 Such a wealth of valuable data—business plans, medical records, financial forecasts, etc.—makes Office 365 an appealing target for attackers.

56% of company assets on average are protected by only 2FA or MFA. This means nearly half of assets are protected only by passwords, or by nothing at all.


LEVELS OF AUTHENTICATION

Single-Factor Authentication: Organizations and analysts alike have recognized for some time that the password alone is no longer effective at protecting resources.

Two-Factor Authentication: While 99% of decision-makers feel 2FA gives them the protection required to prevent breaches,4 it can be circumvented and attackers are continually evolving new ways to beat it. Modern organizations need more protection.

Multi-Factor & Adaptive Authentication: With multiple contextual risk layers to determine legitimate users vs. attackers, adaptive authentication is the best way to secure Office 365 environments and can even eliminate the use of passwords altogether.


SINGLE-FACTOR: BAD GUYS WITH THE RIGHT KEY

Single-factor authentication is woefully insufficient for protecting your Office 365 environment. Valid credentials are so easy to steal, it’s likely some of your users’ passwords are available for sale on the dark web.

79% of Office 365 environments experience at least one compromised account each month.5

Common Sources for Stolen Credentials

PURCHASE ON THE DARK WEB: 92% of companies have cloud credentials for sale on the dark web, letting attackers walk right in the front door.6

RE-USED PASSWORDS: Users frequently re-use passwords for the sake of convenience; once an attacker is in one place, they can often access others.

SOCIAL ENGINEERING: Pretexting, phishing, and other means of psychological manipulation are often used to solicit confidential data.


TWO-FACTOR: TOO LITTLE, TOO LATE

Two-factor authentication is much better than relying on passwords alone; however, attackers are now able to get around some popular methods of 2FA.

A mad rush is on to put 2FA in front of everything, but it’s simply not enough.

Why Popular 2FA Methods Aren’t Secure

OTP VIA MOBILE PHONES: Attackers are more frequently hijacking accounts and exploiting phone-based fraud.

PUSH-TO-ACCEPT: Users have become conditioned to routinely accept without being in an authentication process, simply to remove the notification.

KNOWLEDGE-BASED QUESTIONS: Answers can be easily socially engineered or obtained through social media.

HARD TOKENS: Cases exist where hardware tokens have been compromised.


In addition to failing to provide proper security, many two-factor authentication methods suffer from a serious second flaw: they’re just plain inconvenient.

Disruptions caused by 2FA can seriously impact a company’s bottom line.

Common Disruptions Associated with 2FA

HARD TOKENS: Not only are hard tokens expensive, people don’t like having to carry them around and they are easily lost or broken.

SOFT TOKENS: Can be more convenient, unless you’re stuck in an airport and your phone is still at home or the battery has died.

KNOWLEDGE-BASED QUESTIONS: These questions often have multiple possible answers, meaning users can get themselves locked out trying to remember how they responded.

PRODUCTIVITY: Suppose you have 3,500 employees with an average salary of $50,000. If each one spends just three minutes a day supplying 2FA, that lost productivity adds up to over a million dollars a year.8


MULTI-FACTOR & ADAPTIVE: CONTEXTUAL KEVLAR

Multi-factor and adaptive authentication is based on the simple idea that the more layers of security you have, the more difficult you make it for attackers to gain a foothold in your network. SecureAuth offers more than 10 pre-authentication risk checks - more than any other vendor - and this means you have flexibility to fully tune your security strategy.

Rather than setting up more roadblocks, SecureAuth’s multiple contextual risk layers run in the background to streamline the user experience.

Like a bulletproof vest, no single Kevlar layer can stop a bullet—or an attacker—but together they form an impenetrable barrier.

A Sampling of Pre-Authentication Risk-Checks

DEVICE RECOGNITION

SECUREAUTH THREAT SERVICE

DIRECTORY LOOKUP

GEO-LOCATION

GEO-VELOCITY

PHONE NUMBER FRAUD PREVENTION

DYNAMIC PERIMETER

BEHAVIOR ANALYSIS VIA MACHINE LEARNING


AUTHENTIC AUTHENTICATION

SecureAuth’s unique solution is designed to quickly gain an accurate picture of who is a legitimate user and who might be an attacker. Here’s how it looks from attempt through access or denial:

PRE-AUTHENTICATION: Many of SecureAuth’s risk checks happen pre-authentication, which prevents unwanted attempts before login is even possible.

AUTHENTICATION ATTEMPT: When a user tries to log in, the solution evaluates the risk of that attempt based on the set of factors you choose.

LOW RISK: If the risk is low, they will be approved without the user even being aware that the risk checks took place.

MEDIUM RISK: If the risk is too high, the user will be prompted for an additional method of authentication.

HIGH RISK: If the user poses high risk—based on factors you choose—they can be blocked entirely or redirected to a honey pot for further investigation.

Most authentication attempts will be legitimate and access, seamless. For those who pose a risk, however, the platform will deny access outright or require additional authentication.
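A minimal sketch of the low/medium/high decision described above, combining three of the listed checks (threat list, device recognition, geo-velocity); it is an added illustration, not SecureAuth's code. The `Login` record, the `decide` function, the 900 km/h threshold and the policy of counting signals are all assumptions, and the sample logins are constructed.

```python
import math
from dataclasses import dataclass
from datetime import datetime

MAX_KMH = 900.0  # assumption: faster than an airliner means impossible travel

@dataclass
class Login:
    user: str
    when: datetime
    lat: float
    lon: float
    device_id: str
    ip: str

def geo_velocity_kmh(prev: Login, cur: Login) -> float:
    """Speed implied by two consecutive logins (haversine distance / elapsed time)."""
    p1, p2 = math.radians(prev.lat), math.radians(cur.lat)
    dlon = math.radians(cur.lon - prev.lon)
    h = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    km = 2 * 6371.0 * math.asin(math.sqrt(h))
    hours = max((cur.when - prev.when).total_seconds() / 3600, 1e-6)
    return km / hours

def decide(prev, cur, known_devices, threat_ips):
    """Map risk signals to the page's tiers: low=allow, medium=step-up, high=deny."""
    if cur.ip in threat_ips:                      # threat-intelligence hit
        return "high", "deny"
    signals = []
    if cur.device_id not in known_devices.get(cur.user, set()):
        signals.append("unrecognized_device")     # device recognition
    if prev is not None and geo_velocity_kmh(prev, cur) > MAX_KMH:
        signals.append("impossible_travel")       # geo-velocity
    if not signals:
        return "low", "allow"
    if len(signals) == 1:
        return "medium", "step_up"
    return "high", "deny"

# Constructed sample data (not from the page): documentation-range IPs, made-up user.
KNOWN = {"alice": {"laptop-1"}}
THREATS = {"203.0.113.9"}
CHICAGO = Login("alice", datetime(2019, 5, 31, 9, 0), 41.88, -87.63, "laptop-1", "198.51.100.7")
SAME_CITY = Login("alice", datetime(2019, 5, 31, 9, 30), 41.90, -87.65, "laptop-1", "198.51.100.7")
LONDON = Login("alice", datetime(2019, 5, 31, 10, 0), 51.51, -0.13, "laptop-1", "198.51.100.8")
LONDON_NEW = Login("alice", datetime(2019, 5, 31, 10, 0), 51.51, -0.13, "phone-x", "198.51.100.8")
LISTED_IP = Login("alice", datetime(2019, 5, 31, 9, 30), 41.90, -87.65, "laptop-1", "203.0.113.9")

if __name__ == "__main__":
    for cur in (SAME_CITY, LONDON, LONDON_NEW, LISTED_IP):
        print(cur.device_id, cur.ip, decide(CHICAGO, cur, KNOWN, THREATS))
```

A login whose timestamp precedes the previous one yields a very large implied speed and is therefore treated as impossible travel rather than silently passing.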


HIGH STAKES

Let’s take a moment to consider some what-ifs. Attackers are continually refining their craft, and security solutions need to evolve just as quickly. What worked two or three years ago may no longer be nearly as effective as it once was. So, what happens if an attacker is successful?

Consider what’s at stake:

YOUR COMPANY’S BOTTOM LINE: The average cost of a breach in 2018 is $7.9 million.9 The costs of some single breaches such as recent ones for Anthem and Home Depot have been well above $100M.10 11

YOUR INFORMATION: The median time from compromise to discovery in 2017 was 101 days12—plenty of time for attackers to damage or steal your assets.

YOUR CONTINUED REVENUE: Will your customers leave for a competitor they perceive to be safer or more responsible?

YOUR COMPANY’S REPUTATION: After a breach, how likely are customers to stay and new prospects to come?

YOUR JOB: Will a breach cost you and your team their jobs?


HIGH REWARD

The stakes associated with a data breach will always be high, but with the right solution in hand, your security against cyber threats will be too. Here’s a look at just some of the many benefits the SecureAuth® Identity Platform offers.

Most comprehensive protection for access from any device, for any user

Customize the level of risk you’re comfortable with depending on different users or groups.

More risk checks than any other vendor

Built using industry-leading, standards-based technologies

Works with all Office 365 clients, including legacy Microsoft Outlook and third-party clients such as Apple Mail

Supports nearly 30 authentication methods

The ability to select authentication methods

The largest MFA and Adaptive authentication options for Office 365 regardless of how users access it.

Ties into existing infrastructure

One-time authentication for multiple system access through Single Sign-on (SSO)

Streamlines user experience

Passwordless capabilities to stop inconveniencing users and burdening the help desk for resets and account unlocks


CONCLUSION: ADAPT AND THRIVE

To protect the increasing amounts of valuable and sensitive data you store in Office 365, you need adaptive authentication.

Unfortunately, older Office 365 clients and many third-party solutions support only username and password authentication, leaving organizations that rely on those clients at risk. Although recently released Office 365 clients support multi-factor and adaptive authentication, they can’t match the security and convenience that SecureAuth delivers.

When it comes to Office 365 security, you don’t have to compromise. With SecureAuth, you get strong security and a seamless user experience.


VISIT US

www.secureauth.com

ADDITIONAL RESOURCES

SecureAuth protects Office 365: https://www.secureauth.com/Office365

VIDEO - Adaptive Access Control for Office 365: https://www.secureauth.com/resources/learn-how-maximize-usability-and-security-office-365

WEBINAR - Secure Access Control for Office 365: https://www.secureauth.com/resources/office-365-under-attack-best-practices-secure-access

Video Case Study for ESCO: https://www.secureauth.com/resources/esco-secureauth

Sources

1. “Cloud Adoption & Risk Report Q4 2016,” Skyhigh Networks

2. “2017 Data Breach Investigations Report,” Verizon

3. “Cloud Adoption & Risk Report Q4 2016,” Skyhigh Networks

4. “Two Factor Fallacy: 99% Still Believe Two-Factor Authentication is Enough,” Wakefield Research

5. “Cloud Adoption & Risk Report Q4 2016,” Skyhigh Networks

6. “Cloud Adoption & Risk Report Q4 2016,” Skyhigh Networks

7. “NIST 800-63B: deprecating the use of out-of-band SMS for two-factor authentication,” National Institute of Standards and Technology

8. “Single Sign On (SSO) Cost Savings Calculator,” SecureAuth

9. https://databreachcalculator.mybluemix.net/thankyou/explore

10. “Anthem Agrees to Settle 2015 Data Breach for $115 Million,” Threatpost

11. “Home Depot to Pay Banks $25 Million in Data Breach Settlement,” Fortune

12. M-Trends reports from FireEye - https://www.fireeye.com/current-threats/annual-threat-report/mtrends.html


Copyright © 2019 by SecureAuth. All rights reserved. No part of this publication may be reproduced, distributed, or transmitted in any form or by any means, including photocopying, recording, or other electronic or mechanical methods, without the prior written permission of the publisher, except in the case of brief quotations embodied in critical reviews and certain other noncommercial uses permitted by copyright law.