On September 1, 2014, a successful hack of a celebrity’s iCloud account was heavily publicized. In the aftermath of this type of event, it is normal for consumers of similar services from other ISVs, most prominently Office 365 from Microsoft, to look to their IT department for assurance about the comparative security of their own online computing policies and procedures. Fortunately, a white paper that speaks directly to these concerns is available from Microsoft.
This white paper was published in May 2014 and is titled Security in Office 365. For readers who have not had an opportunity to review it, much of the first 12 of the document’s 24 pages is taken up with a description of the data security architecture Microsoft has implemented for Office 365, and of some of the automated tools built specifically to safeguard the process of consuming data from this cloud SaaS offering.
On page 13, Microsoft specifically addresses “Secure end-user access”. Mention is made of Azure Active Directory, and more information about this method of user authentication can be found via a search with Microsoft’s Bing search engine.
A point of debate with regard to the iCloud hack mentioned at the top of this post is two-step verification. This white paper describes “multi-factor authentication” options for Office 365. Notably absent is any recommendation about whether or not organizations with a public tenancy on Office 365 should use this feature. In this writer’s opinion, consumers should be led towards a “right decision” on topics like user authentication, and the defense options available to SharePoint, SharePoint Online, and Office 365 administrators. On the other hand, the absence of a recommendation can be understood as, unfortunately, this type of verbiage can be crafted into a point of exposure to lawsuits, culpability, etc. for a cloud SaaS ISV like Microsoft.
Also noticeably absent from the white paper is any discussion of the need for Office 365 tenants to implement an operational risk management policy to support the automated tools and features already built into Office 365. Once again, and for the very same reasons just mentioned with regard to whether or not it would be helpful for Microsoft to recommend an approach, this writer can understand why the need for procedures is not addressed in this white paper.
Nevertheless, it is strongly recommended that service administrators implement policies and procedures to support the user access controls described in this white paper. Readers should not be lulled into a complacent attitude about the need for supportable, proven procedures to ensure the security of personnel availing themselves of online services like Office 365. Automated tools are not enough. Secure procedures are, and will remain, required.
©Rehmani Consulting, Inc. & Ira Michael Blonder 2014 All Rights Reserved