ACCESS MANAGEMENT FOR OFFICE 365 Why passwords and two-factor authentication are not enough.
Access Management for Office 365
TABLE OF CONTENTS
Introduction
Significant Risk, Inadequate Solutions
Levels of Authentication
Single-factor: Bad Guys with the Right Key
Two-Factor: Too Little, Too Late
Multi-factor & Adaptive: Contextual Kevlar
Authentic Authentication
High Stakes
High Reward
Conclusion: Adapt and Thrive
INTRODUCTION
It’s easy to understand why Office 365 is the most widely used cloud service in the world: applications are constantly updated, it’s easy to use, and it comes at a relatively low cost. It’s also a prime target for would-be attackers.
There are no hypotheticals here. Chances are, your business is not only already at risk; your data is already threatened. One study reports that virtually every organization experiences at least one cloud-based threat each month and the average has soared to nearly six incidents every week.
To combat these security concerns, organizations must move beyond the traditional username + password and enact a solution that enables them to detect and block attackers, including those who may be using stolen credentials. Two-factor authentication (2FA) can help, but it simply isn’t enough.
Read on to see how Multi-Factor Authentication (MFA) with risk analysis (Adaptive Authentication) can help you properly control access to your Office 365 environment and protect your business.
94% of corporate Office 365 users have at least one insider threat per month. More than half (57.5%) have at least one privileged user threat. [1]
SIGNIFICANT RISK, INADEQUATE SOLUTIONS
81% of hacking-related breaches leveraged stolen and/or weak passwords. [2]
It only takes one breach for an organization to understand why relying on the traditional username + password doesn’t cut it.
$89 billion was invested in security in 2017, yet breaches rose by 44%.
One key problem is that over 90% was spent on network and endpoint security, but only about $7 billion was spent on identity security.
58% of sensitive data in the cloud is stored in Microsoft Office documents. [3]
Such a wealth of valuable data (business plans, medical records, financial forecasts, etc.) makes Office 365 an appealing target for attackers.
56% of company assets on average are protected by only 2FA or MFA.
This means nearly half of assets are protected only by passwords, or by nothing at all.
LEVELS OF AUTHENTICATION
Single-Factor Authentication
Organizations and analysts alike have recognized for some time that the password alone is no longer effective at protecting resources.
Two-Factor Authentication
While 99% of decision-makers feel 2FA gives them the protection required to prevent breaches [4], it can be circumvented, and attackers are continually evolving new ways to beat it. Modern organizations need more protection.
Multi-Factor & Adaptive Authentication
With multiple contextual risk layers to determine legitimate users vs. attackers, adaptive authentication is the best way to secure Office 365 environments and can even eliminate the use of passwords altogether.
SINGLE-FACTOR: BAD GUYS WITH THE RIGHT KEY
Single-factor authentication is woefully insufficient for protecting your Office 365 environment. Valid credentials are so easy to steal that it’s likely some of your users’ passwords are available for sale on the dark web.
79% of Office 365 environments experience at least one compromised account each month. [5]
Common Sources for Stolen Credentials
PURCHASE ON THE DARK WEB: 92% of companies have cloud credentials for sale on the dark web, letting attackers walk right in the front door. [6]
RE-USED PASSWORDS: Users frequently re-use passwords for the sake of convenience; once an attacker is in one place, they can often access others.
SOCIAL ENGINEERING: Pretexting, phishing, and other means of psychological manipulation are often used to solicit confidential data.
TWO-FACTOR: TOO LITTLE, TOO LATE
Two-factor authentication is much better than relying on passwords alone; however, attackers are now able to get around some popular methods of 2FA.
Why Popular 2FA Methods Aren’t Secure
OTP VIA MOBILE PHONES: Attackers are more frequently hijacking accounts and exploiting phone-based fraud.
PUSH-TO-ACCEPT: Users have become conditioned to routinely accept push requests even when they are not in an authentication process, simply to remove the notification.
KNOWLEDGE-BASED QUESTIONS: Answers can be easily socially engineered or obtained through social media.
HARD TOKENS: Cases exist where hardware tokens have been compromised.
A mad rush is on to put 2FA in front of everything, but it’s simply not enough.
In addition to failing to provide proper security, many two-factor authentication methods suffer from a serious second flaw: they’re just plain inconvenient.
Common Disruptions Associated with 2FA
HARD TOKENS: Not only are hard tokens expensive, people don’t like having to carry them around, and they are easily lost or broken.
SOFT TOKENS: Can be more convenient, unless you’re stuck in an airport and your phone is still at home or the battery has died.
KNOWLEDGE-BASED QUESTIONS: These questions often have multiple possible answers, meaning users can get themselves locked out trying to remember how they responded.
PRODUCTIVITY: Suppose you have 3,500 employees with an average salary of $50,000. If each one spends just three minutes a day supplying 2FA, that lost productivity adds up to over a million dollars a year. [8]
Disruptions caused by 2FA can seriously impact a company’s bottom line.
MULTI-FACTOR & ADAPTIVE: CONTEXTUAL KEVLAR
Multi-factor and adaptive authentication is based on the simple idea that the more layers of security you have, the more difficult you make it for attackers to gain a foothold in your network. SecureAuth offers more than 10 pre-authentication risk checks, more than any other vendor, which gives you the flexibility to fully tune your security strategy.
Rather than setting up more roadblocks, SecureAuth’s multiple contextual risk layers run in the background to streamline the user experience.
Like a bulletproof vest, no single Kevlar layer can stop a bullet (or an attacker), but together they form an impenetrable barrier.
A Sampling of Pre-Authentication Risk-Checks
DEVICE RECOGNITION
SECUREAUTH THREAT SERVICE
DIRECTORY LOOKUP
GEO-LOCATION
GEO-VELOCITY
PHONE NUMBER FRAUD PREVENTION
DYNAMIC PERIMETER
BEHAVIOR ANALYSIS VIA MACHINE LEARNING
AUTHENTIC AUTHENTICATION
SecureAuth’s unique solution is designed to quickly gain an accurate picture of who is a legitimate user and who might be an attacker. Here’s how it looks from attempt through access or denial:
PRE-AUTHENTICATION: Many of SecureAuth’s risk checks happen pre-authentication, which prevents unwanted attempts before login is even possible.
AUTHENTICATION ATTEMPT: When a user tries to log in, the solution evaluates the risk of that attempt based on the set of factors you choose.
LOW RISK: If the risk is low, the attempt will be approved without the user even being aware that the risk checks took place.
MEDIUM RISK: If the risk is too high, the user will be prompted for an additional method of authentication.
HIGH RISK: If the user poses high risk, based on factors you choose, they can be blocked entirely or redirected to a honeypot for further investigation.
Most authentication attempts will be legitimate, and access will be seamless. For those who pose a risk, however, the platform will deny access outright or require additional authentication.
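The three-tier decision described above, as an added example that is not SecureAuth's code and not part of the original paper: it combines three of the named checks (threat-list lookup, device recognition, geo-velocity) into a score and maps it to allow, step-up, or deny. All names, weights, thresholds and sample values are assumptions constructed for illustration.

```python
import math
from dataclasses import dataclass

# Constructed thresholds and weights; tune to your own risk appetite.
MAX_KMH = 900.0       # faster than a commercial flight: impossible travel
STEP_UP_SCORE = 30    # medium risk: prompt for an additional factor
DENY_SCORE = 70       # high risk: block outright

@dataclass
class Login:
    user: str
    ts: float         # Unix seconds
    lat: float
    lon: float
    device_id: str
    ip: str

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def geo_velocity_kmh(prev, cur):
    """Speed implied by two consecutive logins of the same user."""
    dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    hours = (cur.ts - prev.ts) / 3600.0
    if hours <= 0:    # simultaneous or out-of-order events
        return math.inf if dist > 1.0 else 0.0
    return dist / hours

def evaluate(cur, prev, known_devices, bad_ips):
    """Return (decision, score, reasons) for one authentication attempt."""
    checks = [
        (cur.ip in bad_ips, 70, "ip_on_threat_list"),
        (cur.device_id not in known_devices.get(cur.user, set()), 30, "unrecognized_device"),
        (prev is not None and geo_velocity_kmh(prev, cur) > MAX_KMH, 40, "impossible_travel"),
    ]
    hits = [(weight, reason) for hit, weight, reason in checks if hit]
    score = sum(weight for weight, _ in hits)
    reasons = [reason for _, reason in hits]
    if score >= DENY_SCORE:
        return "deny", score, reasons
    return ("step_up" if score >= STEP_UP_SCORE else "allow"), score, reasons

# Constructed sample data (documentation IP ranges, made-up user and devices).
KNOWN = {"alice": {"laptop-1"}}
BAD_IPS = {"203.0.113.9"}
PREV = Login("alice", 0.0, 40.71, -74.01, "laptop-1", "198.51.100.4")  # New York
```

Logging the returned reasons alongside the decision lets an analyst see which check drove a step-up or a block.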
HIGH STAKES
Let’s take a moment to consider some what-ifs. Attackers are continually refining their craft, and security solutions need to evolve just as quickly. What worked two or three years ago may no longer be nearly as effective as it once was. So, what happens if an attacker is successful?
Consider what’s at stake:
YOUR COMPANY’S BOTTOM LINE: The average cost of a breach in 2018 is $7.9 million. [9] The costs of some single breaches, such as recent ones for Anthem and Home Depot, have been well above $100M. [10] [11]
YOUR INFORMATION: The median time from compromise to discovery in 2017 was 101 days [12], plenty of time for attackers to damage or steal your assets.
YOUR CONTINUED REVENUE: Will your customers leave for a competitor they perceive to be safer or more responsible?
YOUR COMPANY’S REPUTATION: After a breach, how likely are customers to stay and new prospects to come?
YOUR JOB: Will a breach cost you and your team their jobs?
HIGH REWARD
The stakes associated with a data breach will always be high, but with the right solution in hand, your security against cyber threats will be too. Here’s a look at just some of the many benefits the SecureAuth® Identity Platform offers.
Most comprehensive protection for access from any device, for any user
Customize the level of risk you’re comfortable with depending on different users or groups.
More risk checks than any other vendor
Built using industry-leading, standards-based technologies
Works with all Office 365 clients, including legacy Microsoft Outlook and third-party clients such as Apple Mail
Supports nearly 30 authentication methods
The ability to select authentication methods
The largest selection of MFA and adaptive authentication options for Office 365, regardless of how users access it.
Ties into existing infrastructure
One-time authentication for multiple system access through Single Sign-on (SSO)
Streamlines user experience
Passwordless capabilities to stop inconveniencing users and burdening the help desk with resets and account unlocks
CONCLUSION: ADAPT AND THRIVE
To protect the increasing amounts of valuable and sensitive data you store in Office 365, you need adaptive authentication.
Unfortunately, older Office 365 clients and many third-party solutions support only username and password authentication, leaving organizations that rely on those clients at risk. Although recently released Office 365 clients support multi-factor and adaptive authentication, they can’t match the security and convenience that SecureAuth delivers.
When it comes to Office 365 security, you don’t have to compromise. With SecureAuth, you get strong security and a seamless user experience.
VISIT US
www.secureauth.com
ADDITIONAL RESOURCES
SecureAuth protects Office 365: https://www.secureauth.com/Office365
VIDEO - Adaptive Access Control for Office 365: https://www.secureauth.com/resources/learn-how-maximize-usability-and-security-office-365
WEBINAR - Secure Access Control for Office 365: https://www.secureauth.com/resources/office-365-under-attack-best-practices-secure-access
Video Case Study for ESCO: https://www.secureauth.com/resources/esco-secureauth
Sources
1. “Cloud Adoption & Risk Report Q4 2016,” Skyhigh Networks
2. “2017 Data Breach Investigations Report,” Verizon
3. “Cloud Adoption & Risk Report Q4 2016,” Skyhigh Networks
4. “Two Factor Fallacy: 99% Still Believe Two-Factor Authentication is Enough,” Wakefield Research
5. “Cloud Adoption & Risk Report Q4 2016,” Skyhigh Networks
6. “Cloud Adoption & Risk Report Q4 2016,” Skyhigh Networks
7. “NIST 800-63B: deprecating the use of out-of-band SMS for two-factor authentication,” National Institute of Standards and Technology
8. “Single Sign On (SSO) Cost Savings Calculator,” SecureAuth
9. https://databreachcalculator.mybluemix.net/thankyou/explore
10. “Anthem Agrees to Settle 2015 Data Breach for $115 Million,” Threatpost
11. “Home Depot to Pay Banks $25 Million in Data Breach Settlement,” Fortune
12. M-Trends reports from FireEye - https://www.fireeye.com/current-threats/annual-threat-report/mtrends.html
Copyright © 2019 by SecureAuth. All rights reserved. No part of this publication may be reproduced, distributed, or transmitted in any form or by any means, including photocopying, recording, or other electronic or mechanical methods, without the prior written permission of the publisher, except in the case of brief quotations embodied in critical reviews and certain other noncommercial uses permitted by copyright law.