CIS14: Zen and the Art of Cloud Adoption—a Practitioner’s Viewpoint on Finding Balance
Laura E. Hunter, Microsoft

Real-life tales from the trenches about how Microsoft IT is working to strike the right balance between enterprise requirements for security, privacy, control, and compliance, and creating a great experience for their users and customers who want to stay connected and productive no matter where they are or what device they’re using.

Published in: Technology

Transcript

  • 1. Zen & the Art of Enterprise Authentication: A Practitioner’s Viewpoint on Finding Balance. Laura E. Hunter, Identity Management Architect, Microsoft IT, @adfskitteh
  • 2. But Security is No Laughing Matter…
  • 3. It’s All About Managing Expectations
  • 4. “Why Can’t I Use Facebook to Log Onto Payroll?”
  • 5. “Employees Must Use Smart Cards At All Times!”
  • 6. “We Don’t Allow Personal Devices On Our Network.”
  • 7. Physical Smart Cards @ Microsoft Today
    • Walk into Building 92
    • Present your driver’s license/passport
    • Get your picture taken
    • Pick a PIN
    • Walk out with a smart card
    • Don’t live in Redmond? We’ll mail it to your address of record.
    • What’s that? You’re travelling? Uhh…too bad, so sad?
  • 8. We need to make access easy and secure!
  • 9. Multi-Factor Authentication Using Any Phone
    • Works with the user’s existing phone, anywhere in the world
    • Offers out-of-band protection from malware threats
    • Verifies user logins, financial transactions, and more
    • Features built-in support for leading on-premises applications and cloud services
    • Streamlines user management and enrollment
    • Backed by a scalable cloud service
  • 10. What Microsoft IT Has Learned So Far…
    • Policy before technology
    • “What is the assurance level of Phone Factor?”
    • OOB registration experience == username & password
    • Existing strong authenticators: physical/virtual smart cards
    • “So how do we proof the phone number?”
    • Security: physical smart card
    • Usability: “Nobody likes to use smart cards!”
  • 11. Example of a “Balanced” Policy
  • 12. “Immutable Laws of Phone Authentication”
    • The user must be expecting the challenge
    • Otherwise, the user gets trained to always succeed the auth, thus defeating the point of strong auth entirely
    • Corollary: the user must not be subjected to numerous auth requests in a row
  • 13. “Immutable Laws of Phone Authentication”
    • The calling system must be reasonably assured of the user’s identity before initiating Phone Authentication
    • Phone Authentication is a secondary authenticator, not primary; otherwise it’s trivial for an attacker to make a victim’s phone ring at 3:00 AM knowing only his or her username
  • 14. Other Fun Factors
    • Be sure that “2FA” means what you think it means
      • Soft phones
      • Call forwarding
      • PIN protection
    • Think about international costs
      • Free in the US, inbound/outbound charges elsewhere
      • Phone call vs data plan vs SMS
  • 15. About Those Pesky Twitter Accounts…
  • 16. Passwords Aren’t Quite Dead Yet…
    • How does the user authenticate to the portal?
    • Single-factor vs dual-factor
    • Dual-factor does not prevent phishing, but mitigates the results of a successful phish
    • Who controls the password?
    • “What do you mean you’ve taken Facebook off my phone?”
    • “Why do I have to give my Twitter password to IT?”
    • “@adfskitteh isn’t corporate, it’s mine!”
  • 17. Looking Ahead…
    • Now that strong auth is easy(-ier), enforce it more broadly
      • Client support “shims” where needed…
    • Get rid of that “bag of passwords”
      • Or at least ask really nicely…
    • Focus on device protection
      • Registration, health, “device as smart card”
  • 18. THANK YOU! @ADFSKITTEH
  • 19. © 2010 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
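The two “immutable laws” on slides 12 and 13 (the user must be expecting the challenge and must not be flooded with them; the phone is a secondary authenticator, never dialed on a username alone) can be encoded as a policy gate that a calling system runs before it places a call. The following is an added example, not code from the deck or from Microsoft IT; the `Session` fields, the `PhoneAuthGate` class and its limits (3 challenges per 300 seconds, a challenge within 60 seconds of a user-initiated login) are assumed for illustration.

```python
"""Policy gate for phone-based second-factor challenges (illustrative example)."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, Tuple


@dataclass
class Session:
    username: str
    primary_auth_ok: bool    # password or smart card already verified by the caller?
    login_started_at: float  # epoch seconds when the user initiated this login


class PhoneAuthGate:
    """Decides whether the calling system may initiate a phone challenge."""

    def __init__(self, max_challenges: int = 3, window_seconds: float = 300.0,
                 expect_within_seconds: float = 60.0) -> None:
        self.max_challenges = max_challenges          # cap on challenges per user...
        self.window_seconds = window_seconds          # ...inside this sliding window
        self.expect_within_seconds = expect_within_seconds  # freshness of the login
        self._history: Dict[str, Deque[float]] = defaultdict(deque)

    def may_challenge(self, session: Session, now: float) -> Tuple[bool, str]:
        # Slide 13: phone auth is secondary. Never dial on a bare username,
        # or anyone who knows the username can make the phone ring at 3 AM.
        if not session.primary_auth_ok:
            return False, "primary authentication not verified"
        # Slide 12: the user must be expecting the call, i.e. the challenge
        # follows a login the user started moments ago, not an unsolicited one.
        age = now - session.login_started_at
        if not 0 <= age <= self.expect_within_seconds:
            return False, "no recent user-initiated login"
        # Corollary: do not subject the user to numerous requests in a row,
        # which trains them to approve anything. Sliding-window rate limit.
        recent = self._history[session.username]
        while recent and now - recent[0] > self.window_seconds:
            recent.popleft()
        if len(recent) >= self.max_challenges:
            return False, "challenge rate limit reached"
        recent.append(now)
        return True, "challenge allowed"


if __name__ == "__main__":
    gate = PhoneAuthGate()
    print(gate.may_challenge(Session("alice", False, 100.0), 100.0))  # username only
    print(gate.may_challenge(Session("alice", True, 100.0), 100.0))   # allowed
```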