The weak link of Office 365 security?

Posted on 14-Feb-2017


TRANSCRIPT

The weakest link of Office 365 security

EUNIS 2015 Dundee, Scotland

@NestoriSyynimaa

About the speaker

• Dr. Nestori Syynimaa MBCS CITP

• Enterprise Architect @ CSC Ltd

• Owner @ Gerenios Ltd

• Senior-consultant @ Sovelto Plc

• MCT, MCSA (Office 365), MCE

• www.linkedin.com/in/nestori

Purpose

• Target audience: IT professionals – contains a lot of technical details

• Introduce Office 365 security principles and general security issues

• Show some security threats, forensics and mitigation

• Accessing other person’s confidential data is against the law!

• Question: What is the weakest link of Office 365 security?


Contents

• Office 365 security basics

• Office 365 & Azure identity scenarios

• Accessing confidential information

• (Demo)


Office 365 security basics

(Chart: cost in £/user/month)

Cloud Security Surface Area

Office 365 security model

Core components

Office 365 (Azure) admin & user roles

Global admin: Access to all administrative features. The only role that can be used to assign admin rights to others.

Billing admin: Can make purchases, manage subscriptions and support tickets, and monitor service health.

User management admin: Resets passwords, monitors service health, and manages user accounts, user groups, and service requests.

Password admin: Resets passwords, manages service requests, and monitors service health. Password admins are limited to resetting passwords for users and other password admins.

Service admin: Manages service requests and monitors service health.

User: No access to administrative features.
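The role table is only useful if you know who actually holds each role. The following is an added example, not code from the original slides: it uses the MSOnline module of the period (Connect-MsolService is assumed to have been run as a tenant admin) to map the internal role names onto the labels in the table, list every role member, and flag Global admins, in particular those synchronised from on-premise Active Directory, since such accounts are controlled from the on-premise side. The threshold of two Global admins is an arbitrary choice for the example.

```powershell
# Added example (not from the original slides): who holds which Office 365
# admin role? Assumes Connect-MsolService has already been run.
Import-Module MSOnline

# Internal role names differ from the labels used in the admin portal.
$portalNames = @{
    'Company Administrator'         = 'Global admin'
    'Billing Administrator'         = 'Billing admin'
    'User Account Administrator'    = 'User management admin'
    'Helpdesk Administrator'        = 'Password admin'
    'Service Support Administrator' = 'Service admin'
}

$report = foreach ($role in Get-MsolRole) {
    $label = $portalNames[$role.Name]
    if (-not $label) { continue }          # roles not covered by the table
    foreach ($m in Get-MsolRoleMember -RoleObjectId $role.ObjectId) {
        [pscustomobject]@{
            Role       = $label
            Member     = $m.EmailAddress
            MemberType = $m.RoleMemberType  # User or ServicePrincipal
            IsLicensed = $m.IsLicensed
        }
    }
}

$report | Sort-Object Role, Member | Format-Table -AutoSize

# Global admins are the accounts to watch.
$globalAdmins = @($report | Where-Object Role -eq 'Global admin')
'{0} Global admin account(s) in tenant' -f $globalAdmins.Count
if ($globalAdmins.Count -gt 2) {     # threshold is an assumption for this example
    Write-Warning 'More than two Global admins; review whether each one needs the role.'
}

# A Global admin synced by DirSync is effectively owned by whoever controls
# on-premise AD: a password reset there becomes a cloud admin logon.
foreach ($ga in $globalAdmins) {
    if ($ga.MemberType -ne 'User') { continue }
    $u = Get-MsolUser -UserPrincipalName $ga.Member
    if ($u.LastDirSyncTime) {
        Write-Warning ('Global admin {0} is synced from on-premise AD (last sync {1:u})' -f
            $u.UserPrincipalName, $u.LastDirSyncTime)
    }
}
```

Run it periodically and keep the output; a Global admin that appears between two runs without a change ticket behind it is exactly the kind of event the later demo relies on nobody noticing.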

Identity scenarios

Office 365 identity scenarios (diagram):

• Cloud Identity: user accounts exist only in the cloud, in Office 365 / Azure Active Directory.

• Synced Identity: on-premise Active Directory is synchronised to Azure Active Directory with DirSync; accounts are mastered on-premise and authenticated in the cloud.

• Federated Identity: on-premise Active Directory is synchronised with DirSync as above, and authentication is federated to on-premise AD FS, which issues the tokens Office 365 accepts.

AD FS endpoints

(Diagram) On-premise AD FS is published to the Internet through an AD FS proxy in the DMZ. Browser, Lync and Outlook clients reach the following endpoints via the proxy: Active (WS-Trust, used by rich clients such as Outlook and Lync), MEX (metadata exchange) and Web (passive sign-in, used by the browser). ActiveSync and the rich clients use Basic Authentication to Office 365, which relays the credentials to the active endpoint.
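Which of these endpoints are actually exposed is a configuration question that can be answered on the AD FS server itself. The following is an added example, not code from the original slides, for an AD FS 2012 R2 server: it lists the endpoints that are both enabled and published through the proxy, warns about the password-accepting WS-Trust (usernamemixed) endpoints behind the Basic Authentication path in the diagram, and prints the Set-AdfsEndpoint command for anything outside an allow-list. The allow-list is an assumption for the example and must be checked against your own clients before anything is unpublished.

```powershell
# Added example (not from the original slides): audit which AD FS endpoints
# are reachable from the Internet through the proxy. Run on the AD FS server.
Import-Module ADFS

$published = Get-AdfsEndpoint | Where-Object { $_.Enabled -and $_.Proxy }

$published |
    Select-Object AddressPath, Protocol, SecurityMode, ClientCredentialType |
    Sort-Object AddressPath | Format-Table -AutoSize

# "usernamemixed" WS-Trust endpoints accept a raw username and password from
# anything that can reach the proxy: this is the Basic Authentication path
# (client -> Office 365 -> proxy -> AD FS) shown in the diagram.
$passwordEndpoints = $published | Where-Object { $_.AddressPath -like '*usernamemixed*' }
foreach ($e in $passwordEndpoints) {
    Write-Warning ('Password-accepting endpoint published to the Internet: {0}' -f $e.AddressPath)
}

# Allow-list is an assumption for this example. Office 365 rich clients of this
# era depend on 2005/usernamemixed, so do not unpublish it blindly.
$allowList = @(
    '/adfs/ls/',                                # Web (passive, browser sign-in)
    '/adfs/services/trust/mex',                 # MEX (metadata exchange)
    '/adfs/services/trust/2005/usernamemixed'   # Active (Outlook, Lync, ActiveSync via Office 365)
)
$extra = $published | Where-Object { $allowList -notcontains $_.AddressPath }
foreach ($e in $extra) {
    "Not in allow-list, consider: Set-AdfsEndpoint -TargetAddressPath '{0}' -Proxy `$false" -f $e.AddressPath
}
# Endpoint changes take effect after: Restart-Service adfssrv
```

The script only reports; the Set-AdfsEndpoint lines it prints are suggestions to review, because an endpoint that looks unnecessary may still be used by a client you have forgotten about.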

Accessing confidential information

Challenges

• We need to secure information – all the time

• An intruder needs to succeed only once

• Things change – we need to change too

• Definition of insanity (A. Einstein):
• “..doing the same thing over and over and expecting different results”

Source of security threats

Security paths (OWASP 2013 risk model):

Threat Agents → Attack Vectors → Security Weaknesses → Security Controls → Technical Impacts → Business Impacts

Each threat agent can use several attack vectors, each vector can hit several weaknesses, and each weakness may or may not be blocked by a control; a weakness that gets through causes a technical impact on an asset or function, which in turn causes a business impact.

OWASP (2013)

Most Critical Web Application Security Risks

1. Injection

2. Broken Authentication and Session Management

3. Cross-Site Scripting (XSS)

4. Insecure Direct Object References

5. Security Misconfiguration

6. Sensitive Data Exposure

7. Missing Function Level Access Control

8. Cross-Site Request Forgery (CSRF)

9. Using Known Vulnerable Components

10. Unvalidated Redirects and Forwards

OWASP (2013)

The weakest link: Dave the Administrator


“DEMO”

Motivated Intruder Test:

• Accessing a user’s mailbox without getting caught

Demo steps:

• Give mailbox permission

• Change the user’s password

• Restore the user’s original password

• Alter AD FS rules

• Gain admin rights
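The demo works because nobody looks at the trail the steps leave. The following is an added example, not code from the original slides, of the forensic checks that would have caught them. Part 1 runs in an Exchange Online remote PowerShell session (assumed already imported) and shows who currently has access to a mailbox and who granted or removed such access; admin audit logging is on by default in Exchange Online, so Add-MailboxPermission is recorded even when the mailbox itself is not audited. Part 2 runs on the on-premise AD FS server and compares the issuance transform rules of the Office 365 relying party trust against a saved baseline. The mailbox address, the 30-day window and the baseline path are assumptions for the example.

```powershell
# Added example (not from the original slides): forensic checks for the demo steps.
# Part 1: Exchange Online remote PowerShell session (assumed already imported).
$victim = 'dave.user@contoso.com'       # assumed target mailbox
$since  = (Get-Date).AddDays(-30)       # assumed look-back window

# Current explicit delegations, ignoring the owner and inherited ACEs.
Get-MailboxPermission -Identity $victim |
    Where-Object { -not $_.IsInherited -and $_.User -notlike 'NT AUTHORITY\SELF' } |
    Select-Object User, AccessRights, Deny | Format-Table -AutoSize

# Who granted mailbox access in the window? Admin audit logging is on by
# default in Exchange Online, so this is recorded without mailbox auditing.
$grants = Search-AdminAuditLog -Cmdlets Add-MailboxPermission, Add-RecipientPermission `
    -StartDate $since -EndDate (Get-Date)
foreach ($g in $grants) {
    $user   = ($g.CmdletParameters | Where-Object Name -eq 'User').Value
    $rights = ($g.CmdletParameters | Where-Object Name -eq 'AccessRights').Value
    '{0:u}  {1} ran {2} on {3}: {4} -> {5}' -f $g.RunDate, $g.Caller, $g.CmdletName,
        $g.ObjectModified, $user, $rights
}

# A grant followed shortly by a removal is the "without getting caught" pattern.
Search-AdminAuditLog -Cmdlets Remove-MailboxPermission -StartDate $since -EndDate (Get-Date) |
    Select-Object RunDate, Caller, ObjectModified | Format-Table -AutoSize

# Part 2: on the AD FS server. Have the Office 365 claim rules been altered?
# 'Microsoft Office 365 Identity Platform' is the relying party trust name
# created by Convert-MsolDomainToFederated; the baseline path is an assumption.
$baselinePath = 'C:\Baselines\o365-issuance-rules.txt'
$rp      = Get-AdfsRelyingPartyTrust -Name 'Microsoft Office 365 Identity Platform'
$current = $rp.IssuanceTransformRules -split "\r?\n"
if (Test-Path $baselinePath) {
    $diff = Compare-Object (Get-Content $baselinePath) $current
    if ($diff) {
        Write-Warning 'Issuance transform rules differ from the baseline:'
        $diff | Format-Table SideIndicator, InputObject -AutoSize -Wrap
    } else {
        'Issuance transform rules match the baseline.'
    }
} else {
    # First run: record the baseline so later runs have something to compare.
    $rp.IssuanceTransformRules | Set-Content $baselinePath
}
```

Note what these checks do not cover: for synced or federated users the password change and restore in the demo happen in on-premise Active Directory (Security event 4724 on the domain controller), and nothing about them reaches the Office 365 logs. That gap is the on-premise misconfiguration the summary points at.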


Summary

• The weakest link of Office 365 is on-premise security misconfiguration

• Cloud services require new kinds of skills

• Securing the on-premise environment is (even more) crucial

• Minimum admin rights

• Identify and protect critical components

• Use BitLocker and IDM

• Provide training to your key personnel

Thank you!

@NestoriSyynimaa

linkedin.com/in/nestori

www.o365.center
