Office 365 Security: Everything You Need to Know
DESCRIPTION
Whether you are already deployed or still considering upgrading to Microsoft Office 365, get the “need to know” about basic and advanced Office 365 security. Featuring presentations from Microsoft Office 365 Product Managers and Office 365 Deployment Experts at Avanade.
• Tips and Tricks for a Secure Deployment
• In-depth Look into Office 365’s Out-of-the-box Features
• Advanced Security Options: Multi-factor Authentication and Single Sign-on
TRANSCRIPT
© 2014 SecureAuth All Rights Reserved
Office 365 Security
Everything You Need to Know
July 10, 2014
www.secureauth.com www.avanade.com www.microsoft.com
Welcome to the Webinar
• All attendee audio lines are muted
• Questions will be answered at the end of the session
• Submit brief questions on the Q&A panel
• Send longer questions or off-line topics via email [email protected]
Presented by Microsoft, Avanade, and SecureAuth Corporation
David Brandt, Microsoft
Principal Program Manager, Office 365
Tim Arvanites, SecureAuth Corporation
Director of Technical Sales
Jimmy Soto, Avanade
Infrastructure Solutions Architect
AGENDA
• Microsoft Office 365: Identity Management
• SecureAuth IdP: “Advanced” Security Options for Office 365, 2-Factor Authentication and SSO
• Deployment Tips and Tricks: The Avanade Experience
Q & A
Trends / Issues of Modern Mobile Enterprise
Issues Facing the Modern Mobile Enterprise
Rapid Movement to the Cloud and High Usage of Cloud Applications
Pressures of Mobility – BYOD and Secured Mobile Devices for Convenient User Experience
Line of Business Driving Organizations to the Cloud, but without Proper Security Measures
No one wants to be that headline
Introduction to Microsoft Office 365 Identity Management
David Brandt
Principal Program Manager, Office 365
Identity for Microsoft cloud services
[Figure: the two account types a user can sign in with]
• Microsoft Account (Ex: [email protected]), backed by the Microsoft Account service
• Organizational Account (Ex: [email protected]), backed by Microsoft Azure Active Directory
Office 365 Identity Models
• Cloud identity: zero on-premises servers
• Synchronized identity: on-premises directory; directory sync with password sync; on-premises identity; between zero and three additional on-premises servers depending on the number of users
• Federated identity: on-premises directory; directory sync; federation; on-premises identity; between two and eight on-premises servers and networking configuration depending on the sign-in availability requirements
Identity Synchronization and Federation
[Figure: on-premises identity provider and directory on one side, Windows Azure Active Directory and the Office 365 services on the other]
• Federated sign-in from the on-premises identity provider to Windows Azure Active Directory: WS-Federation, WS-Trust, SAML 2.0, Metadata, Shibboleth
• Directory: synchronize accounts into Windows Azure Active Directory (Graph API)
• Authentication and authorization for Exchange Web Access, SharePoint Online, and Exchange Mailbox Access (Outlook, Lync, Word, etc.)
• Passive Auth and Active Auth
Office 365 federation options

ADFS (WS-*)
• Suitable for medium, large enterprises including educational organizations
• Recommended option for Active Directory (AD) based customers
• Single sign-on
• Support for web and rich clients
• Microsoft supported
• Works for Office 365 Hybrid Scenarios
• Requires on-premises servers, licenses & support

Third party WS-*
• Suitable for medium, large enterprises including educational organizations
• Recommended where customers may use existing non-ADFS Identity systems with AD or Non-AD
• Single sign-on
• Support for web and rich clients
• Third-party supported
• Works for Office 365 Hybrid Scenarios
• Requires on-premises servers, licenses & support
• Verified through ‘works with Office 365’ program

Shibboleth (SAML 1.1)
• Suitable for educational organizations
• Recommended where customers may use existing non-ADFS Identity systems
• Single sign-on
• Support for web clients and Outlook (ECP) only
• Microsoft supported for integration only, no Shibboleth deployment support
• Requires on-premises servers & support
• Works with AD and other directories on-premises

SAML 2.0
• For organizations that need to use SAML 2.0
• Recommended where customers may use existing non-ADFS Identity systems
• Single sign-on
• Support for web clients and Outlook (ECP) only
• Microsoft supported for integration only, no identity provider deployment support
• Requires on-premises servers & support
• Works with AD and other directories on-premises
Works with Office 365 – Identity program
What is it? Qualification of third party identity providers for federation with Office 365. Microsoft supports Office 365 only when qualified third party identity providers are used.
Program Requirements
• Published Qualification Requirements
• Published Technical Integration Docs
• Automated Testing Tool
• Self Testing work by Partner
• Predictable and Shorter Qualification
http://aka.ms/ssoproviders
[Figure: qualified identity providers, for representative purposes only. Protocols shown: WS-Trust & WS-Federation, SAML (passive auth). Providers shown: Active Directory with ADFS, Shibboleth, RadiantOne, Okta]
Customer Benefits
• Flexibility to reuse existing identity provider investments
• Confidence that the solution is qualified by Microsoft
• Coordinated support between the partner and Microsoft
First use in hours, Onboarding in days (http://fasttrack.office.com)

1. Pilot: Full Office 365 service, Pilot in hours, Persist to deployment, User led migration
   What: Office 365 Service (Exchange, SharePoint, Lync, Office Web Apps, Office 365 ProPlus, Mobile)
   How: Service domain, Cloud Identity, Web Client, Office client, Self Service
   → Pilot complete
2. Deploy: Core onboarding, Deploy in days, Companywide cloud use, IT led migration
   What: All Pilot Features + Shared namespace, simple coexistence, external sites
   How: Pilot + IT led migration*, Customer domain, Directory sync, Password sync, Admin migrations, OnRamp
   → Deploy complete
3. Enhance: Optional integration, Extend in weeks, Meet business needs, Customized to landscape
   What: Deploy + Federation, Hybrid Delegation, and more
   How: Deploy + Configure adv. features*, Federated Identity, Exchange Hybrid, Corporate app store, SharePoint Hybrid, Lync Hybrid, 3rd party migration tools, Adopt new features
SecureAuth IdP for Microsoft Office 365
Advanced Security Options
What is an IdP?
An IdP (Identity Provider) establishes a circle of trust between the User and the Service Provider (applications like Office 365).
Definition
• A system that creates, maintains, and manages identity information
• Provides principal authentication to other service providers (applications) within a federation or distributed network
• Sends an attribute assertion containing trusted information about the user to the Service Provider (SP)
1. User Directed to IdP
2. IdP Authenticates User
3. User Redirected to SP with Token
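As an added example (not code from the webinar or from any of the presenting vendors), the checks a service provider applies to the SAML 2.0 assertion it receives in step 3 before it trusts the identity inside: issuer, validity window, audience, binding to its own request, and replay. The issuer, audience, URLs, request ID and the sample assertion are constructed placeholders, and XML signature verification is assumed to have already passed against the IdP's metadata certificate.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample of the token the IdP sends in step 3 (signature element omitted).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1b2c3" Version="2.0" IssueInstant="2014-07-10T17:00:00Z">
  <saml:Issuer>https://idp.example.com/</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">user-guid-123</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData InResponseTo="_req42" Recipient="https://sp.example.com/acs"
          NotOnOrAfter="2014-07-10T17:05:00Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2014-07-10T16:59:00Z" NotOnOrAfter="2014-07-10T17:05:00Z">
    <saml:AudienceRestriction><saml:Audience>urn:example:sp</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

def saml_time(text):
    """Parse the UTC 'Z' timestamps SAML uses."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_assertion(xml_text, trusted_issuer, audience, acs_url, request_id, now_text, seen_ids):
    """Return (accepted, detail): detail is the NameID on success, else the rejection reason.
    Assumes the XML signature was already verified against the IdP's metadata certificate."""
    a = ET.fromstring(xml_text)
    now = saml_time(now_text)
    if a.findtext("saml:Issuer", namespaces=NS) != trusted_issuer:
        return False, "untrusted issuer"              # token from an IdP we do not federate with
    cond = a.find("saml:Conditions", NS)
    if cond is None or not (saml_time(cond.get("NotBefore")) <= now < saml_time(cond.get("NotOnOrAfter"))):
        return False, "outside validity window"       # stale or not-yet-valid token
    if audience not in [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        return False, "issued for another service provider"  # blocks reuse of a token meant for another SP
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("InResponseTo") != request_id or scd.get("Recipient") != acs_url:
        return False, "not a reply to our own request"  # unsolicited or redirected response
    if now >= saml_time(scd.get("NotOnOrAfter")):
        return False, "bearer confirmation expired"
    if a.get("ID") in seen_ids:
        return False, "replayed assertion"              # one-time use within its lifetime
    seen_ids.add(a.get("ID"))
    return True, a.findtext("saml:Subject/saml:NameID", namespaces=NS)
```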
Benefits of an Identity Provider
Improved User Experience
Increased Security
Complex Environments Simplified
Flexible Access Control Workflows
IdP - Improved User Experience
Single Sign-on (SSO):
• Users access their applications with a single authentication
• Flexible authentication workflows based on user, device, and location
• Custom and third-party enterprise web applications (SharePoint)
• Cloud applications, like Office 365, Google Apps, Salesforce, and more
IdP – Increased Security
• Avoid Password Sync / Sprawl
• Single Access Control Point for ALL User’s Applications
• Immediate Disable of Access
• Auditing of All Application Access Compiled in Single Location
• Enforce Client Sign-in Restrictions by Device, Login History, Network Location, Work Hours, and more
• Utilize Enterprise Multi-factor Authentication
[Figure: the IdP as the single access control point in front of Web Apps, Network Apps, Cloud Apps, and Mobile Apps]
IdP – Complex Environments Solved
Combine Multiple, Disparate Directory Stores: Active Directory, SQL, Novell eDirectory, Sun One, etc.
Create Unified Access Policies Limiting Access to Resources based on:
Defined Authentication Workflows, User Access State (enabled/disabled), Network Location, Group Membership, Devices, etc.
On-premises, Cloud-based, or Hybrid Scenario
IdP – Flexible Access Control Workflows
Define Virtually any Authentication Workflow for Users
Integrated Windows Authentication (no password) for Internal Users
Username/Password + Second Factor (optional) for External Users
Enforce Client Sign-in Restrictions by Device, Login History, Network Location, Work Hours, and more
Utilize Enterprise Multi-factor Authentication
SecureAuth IdP – Office 365 Use Case
Enterprise customer with 24 AD domains utilizing browser access to Office 365 and Office applications Word, Excel, Outlook, Lync, and PowerPoint
External users – 2-Factor Authentication with SMS / Telephony / E-mail registration and 90 day device credential used for subsequent multi-factor authentications
Internal users – Windows Integrated Authentication for true Desktop SSO to Office 365
Single Sign-on experience for user to reach their other enterprise applications
Office 365 Client Access Controls limiting Outlook access to only internal network devices
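The use case above as a policy decision, written here as an added example (not SecureAuth's product logic): denials are evaluated first, internal domain-joined users get Integrated Windows Authentication, Outlook is refused off the internal network, and external users need a second factor unless they present a device credential under 90 days old. The field names, group name and step labels are constructed, and reading the 90-day device credential as the second factor for later sign-ins is an assumption.

```python
from dataclasses import dataclass
from typing import Optional

DEVICE_CREDENTIAL_MAX_DAYS = 90   # the use case's 90-day device credential

@dataclass
class SignIn:
    """One sign-in attempt as the IdP sees it (constructed field names)."""
    user: str
    enabled: bool                    # directory account state
    groups: frozenset                # directory group membership
    client: str                      # "browser" or "outlook"
    on_internal_network: bool
    domain_joined: bool              # can complete Integrated Windows Authentication
    device_credential_age_days: Optional[int]   # None: no device credential registered yet

def required_workflow(s):
    """Return the ordered authentication steps, or a single 'deny:<reason>' entry.
    Denials come first so a disabled account never reaches an authentication prompt."""
    if not s.enabled:
        return ["deny:account-disabled"]                  # immediate disable of access
    if "office365-users" not in s.groups:
        return ["deny:not-in-office365-group"]            # group-membership based access policy
    if s.client == "outlook" and not s.on_internal_network:
        return ["deny:outlook-only-from-internal-network"]  # client access control from the use case
    if s.on_internal_network and s.domain_joined:
        return ["integrated-windows-auth"]                # internal user: desktop SSO, no password prompt
    steps = ["username-password"]                         # external user path
    age = s.device_credential_age_days
    if age is None or age >= DEVICE_CREDENTIAL_MAX_DAYS:
        # no current device credential: second factor by SMS/telephony/e-mail, then enrol the device
        steps += ["second-factor:sms-telephony-email", "register-device-credential"]
    else:
        steps.append("device-credential")                 # registered device serves as the second factor
    return steps
```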
Avanade’s Notes From The Field
Transformation to Office 365
Avanade Confidential – Do Not Copy, Forward or Circulate. © Copyright 2014 Avanade Inc. All Rights Reserved.
Messaging Transformation Credentials
Our Experience
• Microsoft Gold Certified Partner for “Messaging” and “Communications“
• Converted/Implemented more than 23 million mailboxes to Exchange (from Exchange, GroupWise, Lotus Notes)
• Delivered over 2.8 million Microsoft Office 365/BPOS seats to date
• We have 600+ Exchange 2010/13 skilled resources, including 50 MCPs, 1 MVP for Office 365, 11 MCA/MCMs
• Deployed many components of Messaging infrastructure – Exchange, Outlook, Lync, Active Directory
Our Expertise
• Unmatched premium skills – strategy, cost modeling, Mailbox rationalization and worker segmentation
• Focus on business value – not just software and hardware
• Experience assisting delivery of many large complex Messaging Migration projects – On-premise and Cloud
Our Assets, Tools & Methods
• Structured methodology supported by Avanade Connected Methods (ACM)
• Innovative toolset to accelerate efforts (Accelerate for Mailbox, End User Communication Templates)
• Innovative Re-usable Assets and QA toolset
• Strategic Alliance with Quest Software
• Office 365 Surround Services
Global Delivery Network
• Onshore, near-shore, offshore network in 25 countries
• Messaging Migration Factory with qualified Migration Engineers in Philippines and India
• Global workforce enables factory approach at fair cost – high volumes of work in rapid time frame
Why take the journey with Avanade
Tangible Benefits
• Avanade is currently delivering over 2,800,000 seats of Microsoft Online, which is more than any other partner
• We’re recommended by Microsoft
• Our migration factory averages over 99% first-time success rate
• We support multiple messaging migration styles allowing customers greater control in their migration experience
• Avanade has invested more in training than any other partner
• We have completed deployments using each service included in Office 365 (Exchange Online, SharePoint Online, Lync Online)
• 1st Microsoft partner to sign Microsoft Online Services Partner Advisor agreement for large enterprises
• Our Health and Value Assessment offering efficiently guides customers to achieving their goals
• Monthly meetings with Microsoft Office 365 Engineering teams as part of High Touch Partner initiative
Certifications
• 1st in certifications per employee
• 1st in Exchange certifications
• 1st in Lync certifications
• 1st in SharePoint certifications
• 1st in Active Directory certifications
• 28 elite Microsoft Certified Architects
Competencies
• Microsoft Gold Certified Partner in 20 competencies, more than any gold partner
Considerations Prior To Office 365 Decision

Consideration: Know Requirements Ahead of Time
Description: Perform requirements gathering exercises and have agreement on what is actually needed. Compare this list to the Office 365 service descriptions and identify areas of incompatibility. Do not assume that Office 365 will satisfy every possible requirement.

Consideration: Know What Is Provided, And What Is Not
Description: Have clarity of what services and features are actually offered as part of Office 365. Regularly review the Office 365 Service Descriptions for detailed information regarding what is included and what the limitations are.

Consideration: Remember, It Is A Shared Environment, Not A Dedicated Hosted Environment
Description: Office 365 is not meant to adapt to the needs of its customers. The cost savings gained from Office 365 are realized by having the customers adapt to the stated service descriptions, and as such only flexible customers should select Office 365.

Consideration: Evaluate Customer Readiness
Description: Leverage the Microsoft utilities and Avanade experience to determine readiness to implement Office 365. Readiness tasks will be a pre-requisite before beginning the Office 365 implementation tasks.

Consideration: Documentation May Be Dynamic And Is Improving
Description: Older Office 365 documentation may not have been complete or accurate. Microsoft has made an effort to update documentation and provide additional support assets for implementing, migrating to, and managing Office 365. It is possible that the latest information may not be readily available or prevalent amongst Office 365 SMEs.
Implementation Planning Considerations

Consideration: It Is Still A Transformational Event
Description: Although the Office 365 offering is compelling, realize that the implementation and migration is still a transformational event that will require appropriate project planning and management.

Consideration: Plan For Realistic Timeline and Milestones
Description: Transformation to Office 365 should be planned using realistic estimates for completing the tasks based on the workload. Migration planning should consider readiness and end user support as well as the duration of time needed to complete migration tasks.

Consideration: Keep The End User Experience In Mind
Description: The conversion to Office 365 could be a jarring experience for the end user, depending on their familiarity with current Microsoft products. Plan for end user training and communications even if end users are migrating from similar Microsoft technologies, and especially if end users are migrating from non-Microsoft technologies.

Consideration: Stay On Course, Don’t Deviate
Description: Do not deviate from the standard published Microsoft Office 365 infrastructure guidance and recommendations. Avoid leveraging un-sanctioned Microsoft options or alternative 3rd party options without validation from Microsoft.

Consideration: Plan for Operational Excellence
Description: Microsoft does not provide end user support or lower tier support. Ensure that the operations team and help desk support team have the appropriate training to manage Office 365. Microsoft may be responsible for maintaining service availability, but day to day administration and provisioning is still the responsibility of the Customer.
Conclusion
• Implementation and migration to Office 365 is often simplified with an emphasis on quick onboarding rather than averting risk
• Customers must realize that they need to adapt to Office 365; it does not adapt to the customer
• Consideration must be given to safeguarding the end user experience
• Operational excellence and support must be planned prior to migrating production resources to Office 365
• Customers benefit from the experience Avanade can provide when planning and executing an Office 365 implementation and migration
Questions & Answers
Avanade, Microsoft, and SecureAuth Corporation
Thank you
Contacts
www.secureauth.com, www.avanade.com, www.microsoft.com
David Brandt, Principal Program Manager: +1-425-705-1352
Tim Arvanites, Director of Technical Sales: +1-312-985-1997
Jimmy Soto, Infrastructure Solutions Architect: +1-732-277-4960
SecureAuth Sales: +1-949-777-6959
Introduction to Microsoft Office 365 Identity Management: http://channel9.msdn.com/Events/TechEd/NorthAmerica/2014/OFC-B222#fbid=