Get Off of My Cloud!

Jay Kelley 缩略图
Jay Kelley
Published October 12, 2016


Companies are increasingly moving their productivity applications to the cloud with Microsoft Office 365. According to a recent Gartner report, 78 percent of companies surveyed are using or plan to use Office 365. This is in addition to companies deploying new cloud-based applications while migrating their homegrown legacy applications to the cloud. The need for flexibility and speed in moving to the cloud while keeping these productivity apps secure keeps many CIOs and CISOs up at night.

report by cloud security company SkyHigh Networks underscores this dilemma: on average, organizations deal with 2.7 threats against Office 365 per month, with 1.3 of those threats due to compromised accounts. While these numbers don’t seem very high, according to the same report, over 58 percent of sensitive data stored in the cloud is stored in Office documents.

Organizations want fast, simple, secure access to Office 365 for their users. But, the shift from on-premises data center-based apps to cloud and SaaS applications, such as Office 365, can strain existing resources and may subject users to unpredictable performance. One of the most difficult challenges for organizations that use Office 365 and SaaS applications is delivering the appropriate level and strength of identity management and access for their users.

Identity federation and single sign-on (SSO), along with multi-factor authentication (MFA), are on the front lines of defense against unauthorized or malicious access to Office 365, especially if an organization is using Microsoft Azure Active Directory as its user credential store. In fact, certain capabilities in Office 365, such as conditional access, require identity federation and SSO.

As covered in my earlier blog, the most popular method of securing Office 365 access is Federated Identity. With Federated Identity, an on-premises identity provider verifies user credentials. No password hash or synchronization with Azure Active Directory is necessary. One of the reasons that Federated Identity is so popular is that an organization’s user credentials remain on-premises and managed by the organization. Federated Identity mitigates the threat of lost of stolen credentials and simplifies integration with new or existing MFA methods. Many organizations want users’ passwords verified by an on-premises SAML identity provider (IdP), or Microsoft Active Directory Federation Services (ADFS).

While Microsoft ships ADFS as part of Windows Server 2012, it also supports third-party identity federation and SSO products. And, many of these third-party options, like ADFS, enable SSO, increase identity federation to more applications, simplify user administration and terminations, and centralize federation management, sometimes more robustly than ADFS.

As with any IT solution, before an organization makes the decision to implement an identity and access solution for Office 365, it should weigh the pros and cons. Here is a checklist of questions for IT teams to consider as they look at deploying a new identity and access solution for Office 365:

  • Will additional infrastructure need to be deployed in the network?
  • If so, how much will it cost to purchase, deploy, administer, and manage?
  • Are Application Delivery Controllers needed to load balance for fast access and uptime?
  • What is the Total Cost of Ownership (TCO) of the identity and access solution?
  • Can the solution readily and easily scale to meet the future needs of their organization?
  • Does scaling mean even more infrastructure additions?
  • Can cloud application administration be automated, or does an admin need to manually create or change rules for each cloud application? Manual processes are expensive and time consuming.
  • Can the identity and access solution work with existing security methods, such as existing device security posture checks that are performed on mobile devices by leading Enterprise Mobility Management (EMM) solutions, or work with existing MFA offerings?

Organizations need an identity and access solution for Office 365 that can leverage and utilize their existing access and security tools, and not force them to change vendors or processes. They need a solution that doesn’t add to already pervasive infrastructure sprawl, but one that also scales to address their organizations’ growth and needs.

In our next blog, we’ll explore solutions to the Office 365 secure identity and access challenge, and the many use cases it can address.