Office 365: How We Made It More Secure than On-Premises Email


June 10, 2019

An internal audit a couple of years ago pointed out that our email contains restricted information. That conclusion shone a spotlight on the security of our planned Office 365 implementation. Restricted information includes things like customer data, financial data, even SEC filings before they go public. If this data is exposed, our executives can end up in quite some trouble. Cisco IT chose to raise the bar with our Office 365 implementation. You can find out more about our vision and strategy.

This blog outlines the security architecture we’ve put in place. We approached it from three angles: user authentication, device authentication, and encryption key management.

Is it really you? User authentication

Password theft is behind 81% of breaches to Fortune 500 companies that make the news, according to the 2018 Verizon Data Breach Investigations Report. As we moved email to the cloud, there were two things we wanted to do to protect against the loss of passwords.

We use Single Sign-On (SSO) for all our applications at Cisco, whether in the data center or on the cloud, but it’s particularly important on the cloud. We have a policy that states that passwords shouldn’t be sent to cloud vendors, and SSO fixes that.

Then, to fortify our Office 365 accounts, we also require multi-factor authentication. We use Duo Security for both of these.

Are you using a trusted endpoint? Device authentication

When we hosted Exchange on-premises, our users connecting from a Cisco office could use any device. With Office 365, we’re upping our game by limiting access to managed devices. Managed devices have to pass tests such as requiring a password to unlock the screensaver, encryption, and up-to-date software and security tools such as AMP for Endpoints and Cisco AnyConnect. They’re registered in an on-premises database.

How do we check that devices are registered? Our first solution was to install a device certificate (think of a digital ‘barcode’) on devices for comparison against the database. Running our own homegrown solution worked well, but it was resource intensive, so when we acquired Duo Security, we decided to use its Trusted Endpoint feature instead. Duo checks whether the system is managed and works with Mac and Windows laptops and mobile devices.

Encryption: “bring your own key”

If an on-premises server is under attack, you can just yank the Ethernet cable to prevent data theft while the problem is mitigated. We wanted the equivalent for Office 365.

We found the answer in Bring Your Own Key (BYOK), an optional feature in Office 365. There are a couple of things that make this particularly appealing. We get to generate our own keys, making sure they’re random and hard to break. We get to add them to the system ourselves, making sure that nobody took a copy during the process. When there’s a security incident, we can just pull the keys out. Data in the cloud remains encrypted—but there’s no key to decrypt it. When the incident has been resolved, we return the key. The original keys are safely stored in our own datacenters on our own hardware.
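The key-withdrawal behaviour described above, modelled as envelope encryption (a root key wrapping per-message data keys, which is an assumption about the mechanism). This is an added example, not Cisco's or Microsoft's code: `CloudMailStore`, `root_key`, `incident_drill` and the message ID are hypothetical, and a SHAKE-256/HMAC construction stands in for AES so that it runs on the Python standard library alone.

```python
import hashlib, hmac, secrets

class KeyUnavailable(Exception):
    """The tenant's root key is not present in the cloud service."""

def _xor(key, nonce, data):
    # Stand-in cipher (SHAKE-256 keystream) to stay stdlib-only; real services use AES.
    pad = hashlib.shake_256(b"enc" + key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, pad))

def seal(key, plaintext):
    nonce = secrets.token_bytes(16)
    ct = _xor(key, nonce, plaintext)
    return nonce + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest() + ct

def unseal(key, blob):
    nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ciphertext failed authentication")
    return _xor(key, nonce, ct)

class CloudMailStore:
    """Hypothetical cloud service: keeps ciphertext, wrapped data keys, imported root key."""
    def __init__(self):
        self.root_key, self.items = None, {}  # tenant imports root_key, can set it to None
    def _root(self):
        if self.root_key is None:
            raise KeyUnavailable("root key withdrawn by tenant")
        return self.root_key
    def put(self, msg_id, body):
        dek = secrets.token_bytes(32)  # per-message data key, stored only in wrapped form
        self.items[msg_id] = (seal(self._root(), dek), seal(dek, body))
    def get(self, msg_id):
        wrapped, blob = self.items[msg_id]
        return unseal(unseal(self._root(), wrapped), blob)

def incident_drill():
    original = secrets.token_bytes(32)   # tenant-generated; the original stays on-premises
    store = CloudMailStore()
    store.root_key = original            # tenant adds its own key to the service
    store.put("m1", b"constructed sample message")
    store.root_key = None                # incident: tenant pulls the key
    try:
        during = store.get("m1")
    except KeyUnavailable:
        during = None                    # ciphertext still stored, nothing can decrypt it
    store.root_key = original            # incident resolved: key returned
    return during, store.get("m1")
```

`incident_drill()` returns `(None, b"constructed sample message")`: the stored items never change, so returning the same root key restores access without re-encrypting anything.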

Add it all up—user authentication, device authentication and endpoint protection—and you get what we’re calling the Secure Digital Experience platform in Cisco IT. Office 365 is one of the first cloud services to use the platform. Later we’ll use it to bring collaboration and security to some of the other 400+ cloud services we use.

Lessons learned

  • Explain to employees why multi-factor authentication is necessary. We’ve found that the simple answer—“because people steal passwords”—stops complaints.

Want to read more blogs in this series? Check out Kelly Conway’s Implementation Strategy Part 1 and Caroline Te Aika’s use of SAFe in Part 2.

Questions? Please type them in the comment box.


