Brave New World



Azure / M365 are quickly becoming the central hub for all systems and applications in your company. Although both are often associated only with Microsoft, the platform goes well beyond a single vendor: in practice it is what lets you securely integrate third-party apps and providers.

About Passwords

When we log on to our computers in the morning, we are usually asked for a username (authentication) and a password. This provides access to different systems based on our identity (authorization). As we continue our daily work, we may suddenly be prompted for an additional username or password. There are many reasons this can happen, but three of them are the most common:

  • Lack of integration into our corporate environment (no SSO, single sign-on)
  • The application owner has put forward a requirement for additional protection because of the sensitive data involved (salary lists, HR databases…)
  • Another message we might encounter is a simple 'Access Denied' without any further prompting for passwords. This basically just means that we are not authorized and need to request access via a service desk process or perhaps a call to IT. You might want to analyze these requests and implement role-based access, to reduce the number of helpdesk calls. But that's a topic for another day.
[Image caption: Don't forget SSO integration]

Lack of integration into our corporate environment (SSO is missing)

If all your applications are hosted in a corporate data center, then the technical integration follows a standard pattern. Usually, there will be a central directory service (Active Directory or similar) and your application will offer LDAP or even Kerberos support. Integration in this case may just mean creating a service account and adding it to the application configuration. Good project managers will also think about security groups, to decide who within the company is allowed to access the application, and about how to handle on-boarding procedures.

So far, so good. However, in the IT landscape of today, many applications are hosted in the Cloud. Salesforce, Dropbox, Acrobat, Zoom… to name only a few. Now, one way to approach the issue is to have a separate user database for each of these services, each one with a different password. Madness! And why should we force the user to remember different identities and passwords? This doesn’t make things more secure, quite the opposite.

A better and far more secure approach is to integrate all your cloud applications by using a single but secure Identity Provider. This can be done in a few simple and effective steps, as explained in my previous article.
[Image caption: Particularly sensitive data… how do you secure it?]

Protecting Application Data

When we talk about 'additional protection' for sensitive information… what does that mean? The first step is, as always, to define 'who' has access. This step is simple, since it usually means creating a security group and adding your user accounts. But there are additional questions which need to be considered. Which device will be used to access the data? Can a sales employee review all the data in the customer database? Probably the answer is yes, at least once access has been provided. But what about downloading the data and forwarding it to others by e-mail, without alerting anyone? Is it OK to look at customer data while on holiday from an Internet café?

In these modern times of working from home or working remotely, security is paramount. Is it really OK that a single password should provide access from anywhere without additional safeguards? As we know, passwords can be guessed and password theft is common. Wouldn't it be better if high-risk applications were subject to a second level of authentication, for example by confirming your identity on your mobile phone (MFA)? For example, if you had the Microsoft Authenticator app installed, you would receive a pop-up every time you log on to Salesforce.

The good news: both options are available, and we haven't even started with DLP (Data Leak Prevention). If you're interested in the subject and would like to dig deeper, here are two articles that I would recommend:

  • This article talks about how you can improve your security by activating MFA
  • This article reviews how 'Conditional Access' can provide fine-tuned settings, not just for answering who can access an application, but also from where, on which devices, and what the security requirements are.
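To make the two ideas above concrete (the security group that decides 'who' may reach an application, and the conditions on device, location and MFA that decide 'how'), here is a small access-decision model. It is an added example, not code from this blog or from Microsoft: the directory, users, groups and app policies are constructed in memory, and the rules are a simplified illustration of what a Conditional Access policy expresses, not the Azure AD / Entra engine itself.

```python
"""Illustrative access-decision model: group-based authorization plus
Conditional-Access-style conditions (device, network location, MFA).
Added example with a constructed in-memory directory; NOT Azure AD code."""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    REQUIRE_MFA = "require_mfa"   # the Authenticator pop-up from the article
    BLOCK = "block"               # the plain 'Access Denied' case


# Constructed directory: user -> security groups (stands in for AD/LDAP groups).
DIRECTORY_GROUPS = {
    "alice": {"Sales", "All-Employees"},
    "bob": {"HR", "All-Employees"},
    "carol": {"All-Employees"},
}


@dataclass(frozen=True)
class SignIn:
    """Context of one sign-in attempt (all fields are hypothetical signals)."""
    user: str
    app: str
    device_compliant: bool         # managed/compliant device vs. private device
    from_corporate_network: bool   # office network vs. e.g. an Internet cafe
    mfa_completed: bool            # second factor already satisfied this session


@dataclass(frozen=True)
class AppPolicy:
    allowed_groups: frozenset      # "who": security groups granted access
    sensitive: bool = False        # "additional protection" tier: always MFA
    require_compliant_device: bool = False


# Constructed per-application policies.
APP_POLICIES = {
    "salesforce": AppPolicy(frozenset({"Sales"}), sensitive=True),
    "hr-db": AppPolicy(frozenset({"HR"}), sensitive=True, require_compliant_device=True),
    "intranet": AppPolicy(frozenset({"All-Employees"})),
}


def evaluate(sign_in: SignIn, policies=APP_POLICIES, groups=DIRECTORY_GROUPS) -> Decision:
    """Return the decision for a sign-in. Unknown apps and users are denied."""
    policy = policies.get(sign_in.app)
    if policy is None:
        return Decision.BLOCK                      # deny by default

    # 1. Authorization: is the user in any group allowed for this app?
    user_groups = groups.get(sign_in.user, set())
    if not (user_groups & policy.allowed_groups):
        return Decision.BLOCK

    # 2. Device condition: some data may only be handled on managed devices.
    if policy.require_compliant_device and not sign_in.device_compliant:
        return Decision.BLOCK

    # 3. Sensitive apps, and any access from outside the office, need a
    #    second factor; a password alone is never enough in those cases.
    needs_mfa = policy.sensitive or not sign_in.from_corporate_network
    if needs_mfa and not sign_in.mfa_completed:
        return Decision.REQUIRE_MFA

    return Decision.ALLOW


if __name__ == "__main__":
    samples = [
        SignIn("alice", "salesforce", True, True, False),   # sensitive -> MFA
        SignIn("carol", "salesforce", True, True, True),    # not in Sales -> block
        SignIn("bob", "hr-db", False, True, True),          # private device -> block
        SignIn("carol", "intranet", False, False, False),   # off-site -> MFA
    ]
    for s in samples:
        print(f"{s.user:6} {s.app:11} -> {evaluate(s).value}")
```

The order of the checks matters: group membership is evaluated first, so a user who is not entitled to an application is blocked before any MFA prompt is shown, which keeps the second factor reserved for the people who actually have access.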

Final thoughts

It is a lot safer to have a single password and to protect and manage a single Identity Provider in a secure and unified way. Certainly better than having multiple user accounts, each with different password requirements. If you've ever seen 'Weakest Link' on the BBC you'll know what I mean. 🙂

So is M365 / Azure really a secure Identity Provider? Will Microsoft get to know my password? What happens if I forget my single, secure password? These are important questions, which I will answer in a future article.


Published by Click Coach - Approach the Coach

I’ve been working in IT for over 20 years, mainly within the Microsoft world. Over the years, I’ve come across the same questions and problems again and again. On my blog, I share tips and tricks on all kinds of IT topics. It’s not meant for IT pros — but they’re welcome to read along too! 😊
