The weak link of Office 365 security?
The weakest link of Office 365 security
EUNIS 2015 Dundee, Scotland
@NestoriSyynimaa
About the speaker
• Dr. Nestori Syynimaa MBCS CITP
• Enterprise Architect @ CSC Ltd
• Owner @ Gerenios Ltd
• Senior-consultant @ Sovelto Plc
• MCT, MCSA (Office 365), MCE
• www.linkedin.com/in/nestori
Purpose
• Target audience: IT professionals – contains a lot of technical details
• Introduce Office 365 security principles and general security issues
• Show some security threats, forensics and mitigation
• Accessing other person’s confidential data is against the law!
• Question: What is the weakest link of Office 365 security?
Contents
• Office 365 security basics
• Office 365 & Azure identity scenarios
• Accessing confidential information
• (Demo)
Office 365 security basics
(Chart: Office 365 plans compared by price, axis £/user/month)
28.-29.5.2015 Tech Conference 2015
Cloud Security Surface Area
Office 365 security model
Core components
Office 365 (Azure) admin & user roles
Global admin: Access to all administrative features. The only role that can be used to assign admin rights to others.
Billing admin: Can make purchases, manage subscriptions and support tickets, and monitor service health.
User management admin: Resets passwords, monitors service health, and manages user accounts, user groups, and service requests.
Password admin: Resets passwords, manages service requests, and monitors service health. Password admins are limited to resetting passwords for users and other password admins.
Service admin: Manages service requests and monitors service health.
User: No access to administrative features.
Identity scenarios
Office 365 scenarios (diagram, cloud vs. on-premise):
• Cloud Identity: accounts exist only in Office 365 / Azure Active Directory (cloud)
• Synced Identity: on-premise Active Directory synchronised to Azure Active Directory with DirSync
• Federated Identity: on-premise Active Directory synchronised with DirSync; sign-in handled on-premise by AD FS
AD FS endpoints (diagram):
• On-premise: AD FS server
• DMZ: AD FS proxy
• Internet: clients (Browser, Lync, Outlook) reach the proxy; internal clients (Browser, Lync, Outlook) reach AD FS directly
• Endpoints published on both AD FS and the proxy: Active, MEX, Web
• ActiveSync: Basic Authentication
Accessing confidential information
Challenges
• We need to secure information – all the time
• An intruder needs to succeed only once
• Things change – we need to change too
• Definition of insanity (A. Einstein):
• “..doing the same thing over and over and expecting different results”
Source of security threats
Security paths (OWASP 2013 risk diagram):
Threat Agents → Attack Vectors → Security Weaknesses → Security Controls → Technical Impacts → Business Impacts
A threat agent may use several attacks; each attack exploits a weakness; a control may or may not stop it; the resulting impact lands on an asset or function.
Most Critical Web Application Security Risks (OWASP, 2013)
1. Injection
2. Broken Authentication and Session Management
3. Cross-Site Scripting (XSS)
4. Insecure Direct Object References
5. Security Misconfiguration
6. Sensitive Data Exposure
7. Missing Function Level Access Control
8. Cross-Site Request Forgery (CSRF)
9. Using Known Vulnerable Components
10. Unvalidated Redirects and Forwards
The weakest link: Dave the Administrator
“DEMO”
Motivated Intruder Test:
• Accessing user’s mailbox without getting caught
Give mailbox permission
Change user password
Restore user’s original password
Altering AD FS rules
Gaining admin rights
Summary
• The weakest link of Office 365 is on-premise security misconfiguration
• Cloud services require new kinds of skills
• Securing the on-premise environment is (even more) crucial
• Minimum admin rights
• Identify and protect critical components
• Use BitLocker and IDM
• Provide training to your key personnel
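A defender's check for the two things the demo turns on: who holds the admin roles listed in the roles table, and which mailboxes carry an explicit permission grant of the kind the "Give mailbox permission" step creates. This is an added example, not code from the talk; it assumes the MSOnline module and an Exchange Online remote PowerShell session are already connected, and the 30-day lookback is an arbitrary choice.

```powershell
# Added example (not from the talk). Assumes Connect-MsolService and an
# Exchange Online remote session (Import-PSSession) have already been run.

# 1. Admin role membership. Compare against the roles table: anything beyond
#    the minimum a person's job needs is a finding ("Minimum admin rights").
$roleReport = foreach ($role in Get-MsolRole) {
    foreach ($member in Get-MsolRoleMember -RoleObjectId $role.ObjectId) {
        [pscustomobject]@{
            Role       = $role.Name
            Member     = $member.EmailAddress
            MemberType = $member.RoleMemberType
        }
    }
}
$roleReport | Sort-Object Role, Member | Format-Table -AutoSize

# 2. Explicit (non-inherited) mailbox permissions held by someone other than
#    the mailbox owner. A Full Access grant to an admin account is exactly
#    what the demo's "give mailbox permission" step leaves behind.
$mailboxReport = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    Get-MailboxPermission -Identity $mbx.Identity |
        Where-Object {
            -not $_.IsInherited -and
            -not $_.Deny -and
            $_.User -notlike 'NT AUTHORITY\SELF' -and
            $_.User -notlike 'S-1-5-*'          # skip orphaned SIDs
        } |
        ForEach-Object {
            [pscustomobject]@{
                Mailbox      = $mbx.PrimarySmtpAddress
                Trustee      = $_.User
                AccessRights = ($_.AccessRights -join ',')
            }
        }
}
$mailboxReport | Format-Table -AutoSize

# 3. Who granted mailbox permissions recently? The Exchange admin audit log
#    records the cmdlet, the caller and the parameters, so a grant made and
#    later removed still shows up here (forensics, not just current state).
Search-AdminAuditLog -Cmdlets Add-MailboxPermission -StartDate (Get-Date).AddDays(-30) |
    Select-Object RunDate, Caller, ObjectModified,
        @{ n = 'Params'; e = { ($_.CmdletParameters |
            ForEach-Object { "$($_.Name)=$($_.Value)" }) -join ' ' } } |
    Format-Table -AutoSize
```

Run it from a workstation whose own account is not in the role report, and keep the output from a known-good baseline so a later run can be diffed against it.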
Thank you!
@NestoriSyynimaa
linkedin.com/in/nestori
www.o365.center