A number of years ago I was asked to quote on a some work for a company offering security services to a major company. Through our discussions I was quite surprised the email address was the same address used by the user to remotely access their computer services. In fact they were very proud of their systems and the ability to log in from anywhere in the world. To me I felt this was a significant exposure. With the email address known publicly the only piece of information required to access their systems was a password. To me that was too big an exposure.
Fast forward about ten years and in my review of Office 365 I’ve been struggling to set up a user and use what is known as an alias as the public email address. From what I can see the user’s email address is their username. Once again the only piece of information required to access a user’s information is a password. I can’t find a way where the users email address is not shared.
Once I realised this I started to realise this is true for the majority of the online services and how people use them in general. Google’s services use the email address as the username. Again all that is required is the password and you have access to all the material stored online.
To me this simply isn’t good enough. The username to sign on and administer or use an account should in my opinion not be a public email address.
There is little wonder so many peoples’ online accounts are getting hacked. If hackers need to determine both the username and password this reduces the chance of being hacked considerably. Giving hackers half the information is significantly increasing your exposure. Recently quite a few hacked password databases have been made public and it is surprising how many people use similar or easily determined passwords.
With email my actual account username is not made public and all the public ever see is an alias. This is a much safer way to work. With cloud services now offering your spreadsheets, your documents and your systems as well as your email, the amount of information you are now starting to share online has increased significantly and you should make sure you are fully aware of the exposure.
If all that stands between your information and a hacker is a password, then I’d be worried.
Kelvin Eldridge
www.OnlineConnections.com.au
Monday, August 15, 2011
Office 365 and Google's cloud services could be reducing the security of an organisations information.
Subscribe to:
Post Comments (Atom)
Hi Kevin
ReplyDeleteI am the Office 365 Product Manager in Australia and I would like to give you some information around the two-factor authentication that is available with Office 365. There is some more detail available on our service descriptions: http://community.office365.com/en-us/w/sso/294.aspx.
If you plan to use strong authentication with single sign-on in Office 365, the following strong authentication scenarios are supported:
•Requiring strong authentication when users log on to their corporate network, whether the user is logging on from within or from outside the corporate network. In this case, you should simply rely on your existing infrastructure for this requirement. No further deployment is required except for AD FS 2.0. NOTE; This mechanism is not support for Outlook during the Beta.
•Requiring strong authentication when users sign in to web applications from a non-domain joined machine, such as a home PC or internet kiosk. However users logging into the corporate network or accessing services within the corporate network do NOT require strong authentication mechanisms to sign in.
Pease do not hesitate to contact me if you need anything more.
Isabel Boniface
isabelbo@microsoft.com
Thanks Isabel for sharing the additional information.
ReplyDeleteI should probably add that my interest is in micro, home and small business owners who may want a single Office 365 account. The situation for me isn't about logging in to a corporate network but using cloud based service to host my information or a clients information.
Once you begin storing not only your email online, but also your documents, spreadsheets, presentations and other files you increase the amount of information others have access to outside of your control.
I have found any options which would give me a stronger level of user access to the standard cloud service. In addition I haven't found a way for the user's email address (their log on username) not to be shared via email and should be able to be hidden from the public in some way.
A couple of small changes to Office 365 would make Office 365 better in my opinion. Of course there are other things I'd change but I don't like to ask for too much at once;-)
Right now without those changes I'm finding Office 365 hard to incorporate into my business. That makes it hard for me to recommend Office 365 to my clients at this stage.
To be specific you can set up an additional email address for a user but you can't make that email address their primary email address.
I have public email addresses which I make available on the internet and private email addresses I provided to known contacts such as customers and suppliers. With spam being a real problem you need to be able to use a different public email address to your private email address. With hacking being rampant, having your email address as your username and forcing that as public is just asking for trouble.
Hacking is a real problem. I've spoken to people I know who have had their Twitter, PayPal and other accounts hacked so it is a real and present problem.
Having the user's email address as the log on and not able to remove that address from public view is a limitation that is unacceptable to me.
I have found I can set up and send an email using a different email address but in the email headers it always references my sign on username email address thus making it public. There is no reason to have "on behalf of" appear in the from email address once you have certified you are indeed the owner of the email address.
For me both of those issues are show stoppers.
Again thank you for taking the time to write. Once those two issues are fixed I'll be better positioned to start promoting and supporting Office 365. If they aren't fixed then I'm stuck as I don't think this is good enough for my clients and to me that is a real shame because there are features of Office 365 which could potentially improve their facilities.
There are many areas I'm willing to change and compromise on so I can make Office 365 work for a range of clients, but that "on behalf of" is a serious limitation that concerns me.
Kelvin Eldridge
www.OnlineConnections.com.au
PS. I have spent quite a few hours testing and trialling different approaches to get around these problems. I'm always willing to admit it might be a knowledge limitation. If it is great, but that also means it will probably be too hard for others to work out.