How to secure data in Microsoft’s enterprise cloud – Part 1

[…]It went up to the cloud!
And you can’t get it down from the cloud?!
Nobody understands the cloud. It’s a f*** mystery.[…]

You’ve heard about the movie “Sex Tape” with Cameron Diaz and Jason Segel? Maybe you’ve already watched it? If you haven’t, you should. It impressively demonstrates how important it is to secure your data in the cloud and to correctly apply the technical features you are given to achieve that goal. But which features are we given in Microsoft’s enterprise cloud?

First of all, I want to show you Azure Multi-Factor Authentication. MFA means that besides your username and password you have to prove your identity with an additional factor. Maybe you know security questions such as “your first pet’s name” or “your mother’s maiden name”. Strictly speaking these are not a second factor at all: the answer is just another piece of knowledge, often guessable or discoverable from social media, so it adds little over the password itself. A better way is to use a dynamic factor bound to something you have. Azure MFA lets you verify a sign-in via the mobile app (a push notification or a code generated by the app), a telephone call, or a one-time password (OTP) sent to your mobile phone by text message.

How does it work? After entering your user principal name you are redirected to your enterprise’s login page and prompted for your password. Once the password is accepted you are contacted in the way you chose and asked to verify the sign-in.

What do we need? First of all we have to create an MFA provider in Microsoft Azure. You give it a name, choose whether you want to pay per user or per authentication, and connect it to a directory. Done!

Now you switch to the Users tab in your directory and choose Manage MFA at the bottom of the Azure window.

Then you select the user or users you want to enable MFA for and confirm. Alternatively you can bulk enable MFA by passing a CSV file to the routine.

Now you can lean back and have a coke. Everything that follows has to be done by the user. The next time the respective user enters his or her credentials, he or she is prompted to set up an additional authentication factor and can choose which one to use. If the user chooses the mobile app, a code and a URL are shown on the computer display to be entered into the app. Nevertheless, I recommend using the QR code scanner integrated in the app and scanning the QR code shown on the display instead.

After the app is configured, the user is contacted in the chosen way and has to verify the sign-in process once. The next step is to enter a telephone number as a fallback in case the user loses access to the mobile app. I don’t need to tell you that it is not the best idea to enter the number of the very phone the app runs on at this point: if that phone is lost, the primary and the backup method are gone together. Last but not least, the user can create an app password for applications that don’t support MFA, e.g. Office 2013. Keep in mind that an app password lets such a client sign in with a single static secret and therefore bypasses the second factor, so hand them out only where they are really needed.
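The portal steps above (enable MFA per user, bulk-enable from a CSV, then wait for the user to register a method) can also be driven from PowerShell. The following is an added example written for this post, not code from the original article or from Microsoft; it assumes the MSOnline module is installed, that you sign in as a Global Administrator, and that the CSV has a column named UserPrincipalName. The CSV content and the user names are constructed sample input.

```powershell
# Added example (not from the original post): bulk-enable per-user Azure MFA from a CSV
# with the MSOnline module, then report each user's MFA state and registered methods.
# Assumptions: MSOnline module installed (Install-Module MSOnline), Global Administrator
# account, CSV column named UserPrincipalName. The CSV below is constructed sample input.

$csvPath = Join-Path $env:TEMP 'mfa-users.csv'
@"
UserPrincipalName
alice@contoso.onmicrosoft.com
bob@contoso.onmicrosoft.com
"@ | Set-Content -Path $csvPath -Encoding UTF8

Connect-MsolService   # interactive sign-in; prompts for admin credentials

function Enable-UserMfa {
    param([Parameter(Mandatory)][string]$UserPrincipalName)

    # A StrongAuthenticationRequirement with State 'Enabled' is the scripted equivalent
    # of "Manage MFA -> Enable" in the portal: the user is asked to register a method at
    # the next sign-in. 'Enforced' would block non-MFA access immediately, which locks
    # out users who have not registered yet, so start with 'Enabled'.
    $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $req.RelyingParty = '*'
    $req.State = 'Enabled'
    Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @($req)
}

function Get-UserMfaStatus {
    param([Parameter(Mandatory)][string]$UserPrincipalName)

    $u = Get-MsolUser -UserPrincipalName $UserPrincipalName
    $state = if ($u.StrongAuthenticationRequirements.Count -gt 0) {
        $u.StrongAuthenticationRequirements[0].State
    } else {
        'Disabled'
    }

    # StrongAuthenticationMethods stays empty until the user completes registration,
    # so "Enabled" with no methods means the user has not yet done their part.
    $methods = @($u.StrongAuthenticationMethods)
    [pscustomobject]@{
        UserPrincipalName = $u.UserPrincipalName
        MfaState          = $state
        Methods           = ($methods | ForEach-Object { $_.MethodType }) -join ','
        DefaultMethod     = ($methods | Where-Object { $_.IsDefault } |
                             Select-Object -ExpandProperty MethodType)
    }
}

Import-Csv -Path $csvPath | ForEach-Object {
    Enable-UserMfa -UserPrincipalName $_.UserPrincipalName
    Get-UserMfaStatus -UserPrincipalName $_.UserPrincipalName
} | Format-Table -AutoSize
```

The MethodType values map onto the options described above: PhoneAppNotification and PhoneAppOTP for the mobile app, TwoWayVoiceMobile for the phone call, and OneWaySMS for the OTP text message. Running Get-UserMfaStatus again a few days later is a cheap way to find users who were enabled but never registered. To revert a user, pass an empty array (@()) as -StrongAuthenticationRequirements.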

In my next blog post you will learn about further security features in Microsoft’s enterprise cloud and how they are properly configured in order to secure your environment. Stay tuned and see you soon,

Tom

Author: Tom Janetscheck

Cloud Security Enthusiast | Security Advocate
