As the CipherPoint team increasingly leverages Office 365 and Azure, we wanted to keep a rolling list of our lessons learned in terms of security. We not only use these technologies but also provide data security solutions for Office 365 and Azure environments and often need to dig into gory details of authentication, web services format, etc. in order to truly understand how these services work.
- Read Microsoft’s transparency reports early and often. We like that Microsoft has gone out of their way to report what they do with your data. We don’t always like what we find but at least we can make an informed decision. We also give Microsoft credit for fighting to change the laws related to compelled disclosures.
- The password complexity policy for Azure AD (the default identity provider for Office 365) leaves us wanting. Our corporate policy is that passwords must be longer than 12 characters and we couldn’t enforce that with Azure AD. ShmooCon 2012 had some great research, “Encryption, Password, and Data Security”, that changed our thinking about what makes a strong password. The obvious solution is to use ADFS to federate our domain controller with O365, but that isn't as straightforward as you'd think (more on that later).
- Allowing external access scares us since it requires us to trust third party authentication providers over which we have no control.
- It looks to us like the Microsoft Azure hypervisor does not expose the AES instruction set (AES-NI) to guest VMs, but we can’t find anything on TechNet or other forums that confirms or denies it. We haven’t seen any performance impact on our encryption from this, but you may have other experiences with different technologies.
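To settle the AES-NI question for a given VM instead of guessing, the check below (an added example, not CipherPoint's code) looks for the `aes` feature flag that the Linux kernel publishes in `/proc/cpuinfo`; a hypervisor that masks the instruction set leaves the flag out and the guest silently falls back to software AES. The sample cpuinfo files are constructed inline so the script runs anywhere.

```shell
#!/bin/sh
# Added example: does this Linux guest see the AES-NI instruction set?
# The kernel lists the "aes" flag per logical CPU in /proc/cpuinfo; a
# hypervisor that hides the feature omits it on every flags line.

# Print "yes" if every "flags" line in a cpuinfo-style file lists the aes
# feature, "no" otherwise (no flags line at all also counts as "no").
aes_ni_status() {
  file="$1"
  # "|| true" keeps grep's exit code 1 (zero matches) from aborting under set -e
  total=$(grep -c '^flags' "$file" || true)
  with_aes=$(grep '^flags' "$file" | grep -cw 'aes' || true)
  if [ "$total" -gt 0 ] && [ "$total" -eq "$with_aes" ]; then
    echo yes
  else
    echo no
  fi
}

# Constructed sample inputs (not captured from a real machine).
SAMPLE_WITH_AES=$(mktemp)
printf 'processor\t: 0\nflags\t\t: fpu sse2 aes avx\nprocessor\t: 1\nflags\t\t: fpu sse2 aes avx\n' > "$SAMPLE_WITH_AES"
SAMPLE_WITHOUT_AES=$(mktemp)
printf 'processor\t: 0\nflags\t\t: fpu sse2 avx\n' > "$SAMPLE_WITHOUT_AES"

echo "sample with aes:    $(aes_ni_status "$SAMPLE_WITH_AES")"      # yes
echo "sample without aes: $(aes_ni_status "$SAMPLE_WITHOUT_AES")"   # no

# The real check for the host this script runs on.
if [ -r /proc/cpuinfo ]; then
  echo "this host:          $(aes_ni_status /proc/cpuinfo)"
fi
```

On a host that reports `yes`, running `openssl speed -evp aes-128-cbc` once normally and once with `OPENSSL_ia32cap="~0x200000000000000"` (which tells OpenSSL to ignore the AES-NI capability bit) shows how much of your AES throughput actually comes from the instruction set.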
More to come... especially in the area of authentication and identity tracking.