CIS14: Zen and the Art of Cloud Adoption—a Practitioner’s Viewpoint on Finding Balance

Laura E. Hunter, Microsoft
Real-life tales from the trenches about how Microsoft IT is working to strike the right balance between enterprise requirements for security, privacy, control, and compliance, and creating a great experience for their users and customers who want to stay connected and productive no matter where they are or what device they’re using.


  • 1. Zen & the Art of Enterprise Authentication: A Practitioner’s Viewpoint on Finding Balance
    Laura E. Hunter, Identity Management Architect, Microsoft IT, @adfskitteh
  • 2. But Security is No Laughing Matter…
  • 3. It’s All About Managing Expectations
  • 4. “Why Can’t I Use Facebook to Log Onto Payroll?”
  • 5. “Employees Must Use Smart Cards At All Times!”
  • 6. “We Don’t Allow Personal Devices On Our Network.”
  • 7. Physical Smart Cards @ Microsoft Today
    • Walk into Building 92
    • Present your driver’s license/passport
    • Get your picture taken
    • Pick a PIN
    • Walk out with a smart card
    • Don’t live in Redmond? We’ll mail it to your address of record.
    • What’s that? You’re travelling? Uhh…too bad, so sad?
  • 8. We need to make access easy and secure!
  • 9. Multi-Factor Authentication Using Any Phone
    • Works with the user’s existing phone, anywhere in the world
    • Offers out-of-band protection from malware threats
    • Verifies user logins, financial transactions, and more
    • Features built-in support for leading on-premises applications and cloud services
    • Streamlines user management and enrollment
    • Backed by a scalable cloud service
  • 10. What Microsoft IT Has Learned So Far…
    • Policy before technology
    • “What is the assurance level of PhoneFactor?”
    • Out-of-band registration experience == username & password
    • Existing strong authenticators: physical/virtual smart cards
    • “So how do we proof the phone number?”
    • Security: physical smart card
    • Usability: “Nobody likes to use smart cards!”
  • 11. Example of a “Balanced” Policy
  • 12. “Immutable Laws of Phone Authentication”
    • The user must be expecting the challenge
      • Otherwise the user is trained to always approve the challenge, which defeats the point of strong auth entirely
    • Corollary: the user must not be subjected to numerous auth requests in a row
  • 13. “Immutable Laws of Phone Authentication”
    • The calling system must be reasonably assured of the user’s identity before initiating phone authentication
    • Phone authentication is a secondary authenticator, not a primary one; otherwise it is trivial for an attacker to make a victim’s phone ring at 3:00 AM knowing only his or her username
  • 14. Other Fun Factors
    • Be sure that “2FA” means what you think it means
      • Soft phones
      • Call forwarding
      • PIN protection
    • Think about international costs
      • Free in the US, inbound/outbound charges elsewhere
      • Phone call vs data plan vs SMS
  • 15. About Those Pesky Twitter Accounts…
  • 16. Passwords Aren’t Quite Dead Yet…
    • How does the user authenticate to the portal?
      • Single-factor vs dual-factor
      • Dual-factor does not prevent the password from being phished, but it limits what an attacker can do with a successfully phished password
    • Who controls the password?
      • “What do you mean you’ve taken Facebook off my phone?”
      • “Why do I have to give my Twitter password to IT?”
      • “@adfskitteh isn’t corporate, it’s mine!”
  • 17. Looking Ahead…
    • Now that strong auth is easy(-ier), enforce it more broadly
      • Client support “shims” where needed…
    • Get rid of that “bag of passwords”
      • Or at least ask really nicely…
    • Focus on device protection
      • Registration, health, “device as smart card”
  • 19. © 2010 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.
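The rules on slides 10, 12 and 13 read as policy, but they are checks a login service has to run before it ever dials the phone. The following is an added example, not Microsoft IT’s code and not the PhoneFactor product: a small gate that refuses an out-of-band phone challenge unless a primary factor has already succeeded, the user asked for the call, and no burst of challenges is in flight, plus an enrollment step that only accepts a phone number from a smart-card-authenticated session (slide 10’s answer to “how do we proof the phone number?”). Every name here (PhoneChallengeGate, PhoneRegistry, Session), the limits of three challenges per ten minutes with a 30-second gap, and the scenarios in demo() are assumptions chosen for illustration.

```python
"""Challenge gate for out-of-band phone authentication.

Added example (not Microsoft IT's code and not the PhoneFactor product): it
encodes the rules from slides 10, 12 and 13 as checks a login service runs
before placing a call or sending a push.  All names and limits are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Assurance levels of the primary authenticator, weakest to strongest (assumed).
PASSWORD = "password"
SMART_CARD = "smart_card"


@dataclass
class Session:
    username: str
    primary_auth: Optional[str] = None   # None: nobody has proven who they are yet
    expecting_challenge: bool = False    # user explicitly chose "call my phone"


@dataclass
class PhoneRegistry:
    """Phone numbers proofed at enrollment."""
    numbers: Dict[str, str] = field(default_factory=dict)

    def enroll(self, session: Session, number: str) -> Tuple[bool, str]:
        # Slide 10: a username/password-only registration experience makes the
        # phone no stronger than the password it was registered with, so the
        # number is only accepted from a session that used a strong authenticator.
        if session.primary_auth != SMART_CARD:
            return False, "enrollment requires a strong authenticator (smart card)"
        self.numbers[session.username] = number
        return True, "enrolled"


class PhoneChallengeGate:
    """Decides whether a login may trigger an out-of-band phone challenge."""

    def __init__(self, max_per_window: int = 3,
                 window: timedelta = timedelta(minutes=10),
                 min_gap: timedelta = timedelta(seconds=30)) -> None:
        self.max_per_window = max_per_window
        self.window = window
        self.min_gap = min_gap
        self._sent: Dict[str, List[datetime]] = {}

    def decide(self, registry: PhoneRegistry, session: Session,
               now: datetime) -> Tuple[bool, str]:
        user = session.username
        # Slide 13: phone auth is secondary.  Without a verified primary factor,
        # anyone who knows a username could ring the victim's phone at 3 AM.
        if session.primary_auth is None:
            return False, "primary authentication has not succeeded"
        if user not in registry.numbers:
            return False, "no proofed phone number on record"
        # Slide 12: the user must be expecting the challenge, or they learn to
        # approve everything that rings.
        if not session.expecting_challenge:
            return False, "user did not request a phone challenge"
        # Corollary: no rapid-fire challenges (an attacker holding a stolen
        # password must not be able to hammer the phone until the user gives in).
        recent = [t for t in self._sent.get(user, []) if now - t < self.window]
        if recent and now - recent[-1] < self.min_gap:
            return False, "challenge already in flight; wait before retrying"
        if len(recent) >= self.max_per_window:
            return False, f"{self.max_per_window} challenges already sent in window; locked"
        recent.append(now)
        self._sent[user] = recent
        return True, "challenge sent"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Constructed scenarios (not real traffic); returns each decision by name."""
    t0 = datetime(2014, 7, 1, 3, 0)          # 3:00 AM, per slide 13
    gate = PhoneChallengeGate()
    reg = PhoneRegistry()
    results: Dict[str, Tuple[bool, str]] = {}
    # Enrollment: password-only session rejected, smart-card session accepted.
    results["enroll_password_only"] = reg.enroll(Session("alice", PASSWORD), "+1 425 555 0100")
    results["enroll_smart_card"] = reg.enroll(Session("alice", SMART_CARD), "+1 425 555 0100")
    # Attacker knows only the username: no primary factor, no call.
    results["attacker_username_only"] = gate.decide(reg, Session("alice"), t0)
    # Legitimate login: password verified and the user pressed "call me".
    legit = Session("alice", PASSWORD, expecting_challenge=True)
    results["legit_first"] = gate.decide(reg, legit, t0)
    # Same credentials replayed 10 s later: blocked by the minimum gap.
    results["replay_10s_later"] = gate.decide(reg, legit, t0 + timedelta(seconds=10))
    # Attempts spaced past the gap are still capped at three per window.
    for i in range(2, 5):
        results[f"attempt_{i}"] = gate.decide(reg, legit, t0 + timedelta(minutes=i))
    return results


if __name__ == "__main__":
    for name, (allowed, why) in demo().items():
        print(f"{name:24} {'ALLOW' if allowed else 'DENY ':5} {why}")
```

The two ordering decisions are what matter: the primary-factor check comes before any lookup of the phone number, so an unauthenticated request leaks nothing and rings nothing, and the rate limit is keyed on the victim’s account rather than the caller’s address, because the point is to protect the phone’s owner from being trained into approving whatever rings. How the real product enforces these rules is not described on the slides.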