CIS14: Zen and the Art of Cloud Adoption—a Practitioner’s Viewpoint on Finding Balance
Zen & the Art of Enterprise Authentication: A Practitioner’s Viewpoint on Finding Balance
Laura E. Hunter, Identity Management Architect, Microsoft IT (@adfskitteh)
But Security is No Laughing Matter…
It’s All About Managing Expectations
“Why Can’t I Use Facebook to Log Onto Payroll?”
“Employees Must Use Smart Cards At All Times!”
“We Don’t Allow Personal Devices On Our Network.”
Physical Smart Cards @ Microsoft Today
• Walk into Building 92
• Present your driver’s license/passport
• Get your picture taken
• Pick a PIN
• Walk out with a smart card
• Don’t live in Redmond? We’ll mail it to your address of record.
• What’s that? You’re travelling? Uhh…too bad, so sad?
We need to make access easy and secure!
Multi-Factor Authentication Using Any Phone
• Works with the user’s existing phone, anywhere in the world
• Offers out-of-band protection from malware threats
• Verifies user logins, financial transactions, and more
• Features built-in support for leading on-premises applications and cloud services
• Streamlines user management and enrollment
• Backed by a scalable cloud service
What Microsoft IT Has Learned So Far…
• Policy before technology
• “What is the assurance level of PhoneFactor?”
• Out-of-band (OOB) registration experience == username & password
• Existing strong authenticators – physical/virtual smart cards
• “So how do we proof the phone number?”
• Security – physical smart card
• Usability – “Nobody likes to use smart cards!”
Example of a “Balanced” Policy
“Immutable Laws of Phone Authentication”
• The user must be expecting the challenge
• Otherwise, the user gets trained to always approve the authentication prompt, which defeats the point of strong auth entirely
• Corollary: the user must not be subjected to numerous auth requests in a row
• The calling system must be reasonably assured of the user’s identity before initiating Phone Authentication
• Phone Authentication is a secondary authenticator, not primary; otherwise it’s trivial for an attacker to make a victim’s phone ring at 3:00 AM knowing only his or her username
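The two laws can be expressed as a small policy gate in front of the phone call. The following Python is an added example, not code from the presentation or from PhoneFactor or Microsoft: a challenge is initiated only after the first factor has been verified, and challenges to one user are throttled so a burst of prompts never reaches the phone. The class name and the limits it uses (PhoneAuthPolicy, MIN_GAP_SECONDS, MAX_CHALLENGES_PER_WINDOW and so on) are assumptions of the example, and the user record it checks against is constructed.

```python
"""Toy policy gate for phone authentication.

Added example, not part of the presentation or of any Microsoft product:
it enforces the two "immutable laws" in code. Phone auth is only initiated
after primary credentials are verified, and challenges are throttled so a
user is never hit with a burst of prompts. The names and the limits below
(PhoneAuthPolicy, MAX_CHALLENGES_PER_WINDOW, ...) are this example's own
assumptions.
"""
from dataclasses import dataclass, field
import hashlib
import hmac

# Assumed policy limits (not from the slides).
PRIMARY_FRESHNESS_SECONDS = 120    # primary auth must have happened this recently
MIN_GAP_SECONDS = 60               # never two challenges within a minute
CHALLENGE_WINDOW_SECONDS = 300     # sliding window for the burst limit
MAX_CHALLENGES_PER_WINDOW = 2      # at most this many challenges per window


@dataclass
class PrimaryAuthResult:
    """Evidence that the first factor was verified, with its timestamp."""
    username: str
    verified_at: float


@dataclass
class PhoneAuthPolicy:
    # username -> hex digest of the password.  SHA-256 is used only to keep the
    # example short; a real store would use a password hash such as bcrypt,
    # scrypt or Argon2.
    password_hashes: dict
    # username -> timestamps of challenges actually initiated
    history: dict = field(default_factory=dict)

    def verify_primary(self, username, password, now):
        """First factor: returns a PrimaryAuthResult on success, else None."""
        stored = self.password_hashes.get(username)
        if stored is None:
            return None
        digest = hashlib.sha256(password.encode()).hexdigest()
        if not hmac.compare_digest(digest, stored):
            return None
        return PrimaryAuthResult(username, now)

    def may_challenge(self, primary, now):
        """Apply both laws. Returns (allowed, reason)."""
        # Second law: no phone call without a fresh primary authentication.
        # Knowing only a username gets an attacker nothing here.
        if primary is None or now - primary.verified_at > PRIMARY_FRESHNESS_SECONDS:
            return False, "no fresh primary authentication"
        recent = [t for t in self.history.get(primary.username, [])
                  if now - t < CHALLENGE_WINDOW_SECONDS]
        # First law and its corollary: the user must not be hammered with prompts.
        if recent and now - recent[-1] < MIN_GAP_SECONDS:
            return False, "challenge too soon after previous one"
        if len(recent) >= MAX_CHALLENGES_PER_WINDOW:
            return False, "too many challenges in window"
        return True, "ok"

    def initiate_challenge(self, username, password, now):
        """Full flow: primary factor first, then the policy gate, then the call."""
        primary = self.verify_primary(username, password, now)
        allowed, reason = self.may_challenge(primary, now)
        if allowed:
            # A real system would place the call or send the push here.
            self.history.setdefault(username, []).append(now)
        return allowed, reason


def build_sample_policy():
    """Constructed sample user store (not real credentials)."""
    return PhoneAuthPolicy(
        password_hashes={"alice": hashlib.sha256(b"correct horse").hexdigest()})


def run_scenario():
    """Attacker with only a username, then a legitimate user, then a burst."""
    policy = build_sample_policy()
    return [
        policy.initiate_challenge("alice", "guess", 1000.0),           # attacker: no call
        policy.initiate_challenge("alice", "correct horse", 1000.0),   # legit: call placed
        policy.initiate_challenge("alice", "correct horse", 1010.0),   # too soon
        policy.initiate_challenge("alice", "correct horse", 1070.0),   # second in window
        policy.initiate_challenge("alice", "correct horse", 1140.0),   # burst limit hit
        policy.initiate_challenge("alice", "correct horse", 1400.0),   # window expired
    ]


if __name__ == "__main__":
    for allowed, reason in run_scenario():
        print("CALL" if allowed else "NO CALL", "-", reason)
```

Running the module shows the attacker's attempt refused before any call is placed, and the throttle refusing the third and fifth attempts of the legitimate user. The per-user history is what makes the corollary enforceable; in a real deployment it belongs in a shared store rather than a process-local dict, otherwise an attacker who has the password can spread prompts across front-end nodes.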
Other Fun Factors
• Be sure that “2FA” means what you think it means:
  • Soft phones (a softphone on the same device as the password is not an independent factor)
  • Call forwarding (the challenge can be redirected to a number you never proofed)
  • PIN protection (a call answered without a PIN proves possession only)
• Think about international costs: free in the US, inbound/outbound charges elsewhere
• Phone call vs data plan vs SMS
About Those Pesky Twitter Accounts…
Passwords Aren’t Quite Dead Yet…
• How does the user authenticate to the portal?
• Single-factor vs dual-factor
• Dual-factor does not prevent phishing, but mitigates the results of a successful phish
• Who controls the password?
• “What do you mean you’ve taken Facebook off my phone?”
• “Why do I have to give my Twitter password to IT?”
• “@adfskitteh isn’t corporate, it’s mine!”
Looking Ahead…
• Now that strong auth is easy(-ier), enforce it more broadly
• Client support “shims” where needed…
• Get rid of that “bag of passwords”
• Or at least ask really nicely…
• Focus on device protection
• Registration, health, “device as smart card”
Thank you! @adfskitteh
© 2010 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.