The key obstacle to Microsoft’s SaaS services, such as Office 365, becoming trusted in institutions where security protocols exceed national standards, has been identity.
Recently, the company has been working to promote a cloud-based form of Active Directory (AD) as a reliable single sign-on system, so that authentication from one reliable source can be trusted in turn by Microsoft, and vice versa.
But until enterprises sign on to the idea of “Azure AD Join,” the way their users log onto Office 365 has been through the classic Microsoft Account — a set of attributes attached to an email address.
Accessing those attributes illicitly has often proved to be a trivial affair. In 2013, security researchers discovered that a malicious server could pass off an authentication token that appeared to be a valid SharePoint token (and, by extension, an Office 365 token) simply by attaching a header to that token saying it came from a legitimate Microsoft source.
Researcher Noam Liran programmed a server in his own laboratories to pass off a legitimate looking identity token with an equally legitimate looking header. In the descriptor for that token, Liran replaced the URL of the real SharePoint server with his own server’s URL, that actually included the word “malicious” in the address twice.
“I was pretty pessimistic while doing this,” wrote Liran. “I did it just to be able to say to myself that I left no stone unturned. I really had no idea what I was about to uncover."
“And then it worked. Word regarded my Web server as the quintessential sharepoint.com, and sent its Office 365 token towards my malicious web server, solely based on the this frivolous WWW-Authenticate header that said I was sharepoint.com.”
From there, Liran continued, his malicious tool could successfully acquire, modify and even re-distribute the Office 365 authentication token of the person who thinks she’s signed in to Microsoft’s service.
It sounded like one of those wide-open gaps that Microsoft left in its operating system, during the bad-ol’ days of Windows XP. Perhaps you’ve heard of the classic “ILOVEYOU” virus — the malicious Outlook email attachment.
But maybe you’ve forgotten the incident where an automated Microsoft service looking for such a virus would identify the entire Outlook email library as a malicious file, attempt to quarantine it, and after failing to do so, delete it for safety’s sake.
News of Liran’s discovery was not taken very well at first — a signal that Microsoft might still have a blind eye toward security.
But this time, the problem wasn’t entirely with Microsoft architecture. Rather, it concerned the Web’s standard methods for passing authentication tokens, and was a problem Microsoft couldn’t solve by altering those methods on its own.
'The Last Line of Defense'
Microsoft issued the first security patch to address Liran’s issue in January 2014. But then the company began taking a very different approach than what’s typically reported, actively working with Liran and his company to seek solutions.
Liran is the Chief Software Architect at an Israel-based firm called Adallom (from the Hebrew meaning, “last line of defense,” or the point your mother indicated whenever she “had it up to here”). After Microsoft consulted with Adallom, Liran and four other Adallom engineers applied for a US patent for an authentication proxy system.
It’s a complex affair, involving the deployment of a third-party server that acts as moderator in the exchange of security tokens between a user and a SaaS service, such as Office 365 and SharePoint. But rather than act as a dumb broker, Adallom’s proxy deconstructs the tokens it receives, while it simultaneously inspects the traffic produced by the party presenting itself as the authentication server, to see whether those patterns appear legitimate.
Adallom began marketing its patent-pending technology commercially as SmartProxy. It’s not a seamless integration, and it does require businesses to install security frameworks in its own data centers.
As an extra benefit to those businesses, though, Adallom’s service continually compiles audit trails for all Office 365 usage by all users — legit or otherwise — on their networks.
Administrators can then apply best practices and data loss prevention (DLP) policies to O365 — for instance, restricting file sharing of certain documents on particular services.
Embracing the Proxy
In another era, if Microsoft liked Adallom’s idea well enough, it would have tried to copy the gist of the idea and offer it as a competitive service. But this is the Satya Nadella era of Microsoft; and last Sept. 8, the company announced it would acquire Adallom outright instead.
On Thursday, Microsoft announced that Adallom’s technology would be offered to enterprise O365 users, under the title Microsoft Cloud App Security.
“Office 365 app permissions gives you the ability to approve or revoke permissions for applications accessing Office 365,” wrote O365 partner director Rudra Mitra, in a company blog post Thursday afternoon.
“For example, you may have users who have approved their CRM application to access Office 365 contact data. If that CRM application is a non-sanctioned app that doesn’t comply with your business policy, you may want to revoke access.”
Cloud App Security will be rolled out, stated Mitra, in the third quarter of this year to subscribers on the Office 365 Enterprise E5 plan, which is Microsoft’s highest tier at $35 per user per month.
Title image, “The Old Flag Never Touched the Ground,” depicting the 54th Massachusetts Volunteer Infantry Regiment at Fort Wagner in 1863, by artist Rick Reeves. In the public domain