by October 13th, 2014
Who owns the data we store in your service? Will you use our data to build advertising products? Do you offer privacy controls in your service? Do we have visibility to know where our data is stored? Can we get our data out of your service if we decide to leave?
These questions are top of mind for any organization that is considering Office 365. Luckily for you, Microsoft publishes the Office 365 Trust Center to answer those and many more questions about security on the Office 365 service.
Microsoft has 4 core tenets for its approach to earning and maintaining your trust:
1. Built-in Security
- Service-level security through defense-in-depth
- Customer controls within the service
- Security hardening and operational best practices
At the service level, Office 365 uses the defense-in-depth approach to provide physical, logical, and data layers of security features and operational best practices. In addition, Office 365 gives you enterprise-grade user and admin controls to further secure your environment.
Physical Security
- 24-hour monitoring of data centers
- Multi-factor authentication, including biometric scanning, for data center access
- The internal data center network is segregated from the external network
- Role separation renders the location of specific customer data unintelligible to the personnel that have physical access
- Faulty drives and hardware are demagnetized and destroyed
Logical Security
- Lock box processes with a strictly supervised escalation process greatly limit human access to your data
- Servers run only processes on a whitelist
by September 5th, 2014
In the past month, Microsoft has added two key new service capabilities to SharePoint Online and Rights Management that provide a more robust and secure computing experience. The first is the introduction of data loss prevention and the second is improved protection of content across all platforms, including OS X support.
Data Loss Prevention
SharePoint Online now provides the ability to perform a legal audit to determine the amount of risk posed by data stored on SharePoint sites and OneDrive, commonly known as data loss prevention or DLP. This capability identifies 51 built-in sensitive information types such as credit cards, passport numbers, and Social Security numbers. Once such content is discovered, you can perform an audit and export a report of the suspect content.
Future capabilities are planned for policy creation that automatically detects sensitive content and applies protection, such as deletion or quarantine for review.
For more information about using DLP in SharePoint Online, review this TechNet article.
For more information about the 51 DLP information types, review this TechNet article.
by May 13th, 2014
#5 – Familiarity
One of the reasons organizations have tended to stay with XP for so long is that their employees are familiar with it. Like an old friend, it’s comfortable and easy to deal with. However, churn among your IT administrators and other employees has changed the dynamic. Most people are now more familiar with newer operating systems. When new associates sit down in front of XP, it is likely to be dramatically different from (and disappointing compared to) the more up-to-date operating systems they use at home and at their previous job.
#4 – Speed and Productivity
Windows XP typically takes at least 30 seconds to boot and often much longer. Windows 8.1 can boot in about 10 seconds. That 20 seconds can easily turn into 5 minutes or more of lost productivity every day when you walk away to do something else while XP boots.
#3 – Web Browsers and New Applications
More applications, business and personal, will be developed to be used via a web browser. It takes extra time to develop new applications which are compatible with old browser versions. Over the short term, many new applications just won’t work with XP.
#2 – Office 2013 and Office 365
Office 2013 and Office 365 ProPlus are not supported on Windows XP. Office 365 only supports software and operating systems which are still in mainstream support. The cloud and other popular software packages are leaving you behind!
#1 – Security
The XP operating system came to market in 2001. Time Warner and AOL merged that year. Although XP lasted longer than that disaster, the security implications of sticking with XP any longer could well create a security disaster in your desktop environment. Hackers now know every way to compromise your OS. Do you think they are not already taking advantage of this potential bonanza?
Don’t put it off any longer. Perficient has the experience and talented staff to help you ease this transition.
by February 12th, 2014
SiteMinder is an enterprise-class secure single sign-on solution from CA (Computer Associates) that many large companies use to secure intranet access and to provide single sign-on to their various intranet applications. SiteMinder supports a broad range of application frameworks, which makes it usable in a heterogeneous enterprise environment.
For example, when SiteMinder is used to secure an ASP.NET/IIS application, it is normally configured as an IIS handler, as in this web.config entry:
<add name="handler-wa-32" path="*" verb="*" modules="IsapiModule" scriptProcessor="C:\Program Files\CA\webagent\win32\bin\ISAPI6WebAgent.dll" resourceType="Unspecified" requireAccess="None" preCondition="classicMode,bitness32" />
The SiteMinder module intercepts every request to an ASP.NET application resource and authenticates and authorizes the user. If the user is authenticated and authorized successfully, SiteMinder passes the request further down the pipeline to ASP.NET.
So, how do you integrate SiteMinder authentication with ASP.NET MVC authentication? SiteMinder does a great job of handling authentication on its own, but quite often an MVC application needs to do its own custom authorization in order to grant or deny user access to different resources depending on the user’s role.
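One way to layer the application’s own role check on top of the authentication SiteMinder has already performed, as an added example that is not code from the original post. It assumes the web agent populates the standard SM_USER request header with the login name, and the RoleStore class is a hypothetical stand-in for the application’s own role lookup.

```csharp
using System;
using System.Web;
using System.Web.Mvc;

// Added example (not from the original post). SiteMinder's handler has already
// authenticated the request; this attribute only decides role-based access.
public sealed class SiteMinderRoleAttribute : AuthorizeAttribute
{
    private readonly string[] _roles;

    public SiteMinderRoleAttribute(params string[] roles)
    {
        _roles = roles ?? new string[0];
    }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // SM_USER is trustworthy only because the SiteMinder handler runs on every
        // request in front of the application; the agent strips the header from
        // unauthenticated requests, so an empty value means "not authenticated".
        string user = httpContext.Request.Headers["SM_USER"];
        if (string.IsNullOrEmpty(user))
            return false;
        if (_roles.Length == 0)
            return true; // no role requested: being authenticated is enough
        foreach (string role in _roles)
            if (RoleStore.IsInRole(user, role))
                return true;
        return false;
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // The user is already authenticated, so answer 403 rather than the base
        // class's 401, which would send the user round the login flow again.
        filterContext.Result = new HttpStatusCodeResult(403);
    }
}

// Hypothetical role store; a real application would query its own database or
// a SiteMinder response attribute configured for the realm.
public static class RoleStore
{
    public static bool IsInRole(string user, string role)
    {
        return string.Equals(role, "Reader", StringComparison.OrdinalIgnoreCase);
    }
}
// Usage on a controller action: [SiteMinderRole("Editor", "Admin")]
```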
by February 7th, 2014
This blog post is the third and final one in a series about the MVC anti-forgery (CSRF) token.
As we discussed earlier, MVC has great built-in functionality for securing form posts with anti-forgery tokens, and it’s even possible to make it work across multiple web applications.
However, these days modern web applications tend to have more asynchronous (AJAX) communication between browser and web server than traditional HTML form posts where the whole page is reloaded. The question is, can the built-in MVC components be used for CSRF validation when browser code uses AJAX to post to the server?
Obviously, they can’t be used directly, because @Html.AntiForgeryToken only works when it’s placed inside an HTML form and that form is submitted to the server. In the case of an AJAX post there is no form, so the AJAX controller method will not receive a form CSRF token (the cookie token, though, will flow with the AJAX post normally). However, we can make it work with a little extra coding…
by February 6th, 2014
In the previous installment of this series I talked about the CSRF attack and how to prevent it using ASP.NET MVC built-in components. Today I want to dive deeper into the framework code and show you what’s under the hood of the anti-forgery token implementation in MVC.
Some time ago Microsoft took a huge step forward and open-sourced the complete ASP.NET MVC and Web API stack. Now developers can see what actually happens inside the framework and don’t have to rely solely on Microsoft documentation. The source code for the MVC stack is located at http://aspnetwebstack.codeplex.com/.
As you recall, there are two components that provide CSRF protection when used together – the AntiForgeryToken method of the Html helper (@Html.AntiForgeryToken()), which should be called from inside the HTML form in the Razor view, and ValidateAntiForgeryTokenAttribute ([ValidateAntiForgeryToken]), which should be applied to the controller to validate tokens. Both of these classes are actually thin wrappers on top of the AntiForgery class. AntiForgery is a static class that encapsulates all functionality for generating and validating tokens. The source code can be found there. It is a public class and can be used directly if somebody decides to implement custom generation and validation of anti-forgery tokens. In turn, AntiForgery uses other helper classes like AntiForgeryWorker and TokenValidator. Unlike AntiForgery, these classes are internal and can’t be used directly by application code.
So, why is it important to look into the internal implementation of anti-forgery token generation and validation?
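The public AntiForgery class described above is exactly what the AJAX case in the earlier post needs, since it takes the two token halves as plain strings instead of reading them from an HTML form. The following is an added example, not code from the original posts or from the MVC framework: the controller hands the form half of a token pair to the browser script, and a filter validates an AJAX post whose form half arrives in a request header. The header name and the Token/Issue endpoint are assumptions of this example.

```csharp
using System.Web;
using System.Web.Helpers;
using System.Web.Mvc;

// Added example (not from the original posts). Step 1: issue a token pair to the
// browser script. The cookie half is set as an HttpOnly cookie, the form half is
// returned as JSON so the script can echo it back in a header on each AJAX post.
public class TokenController : Controller
{
    [HttpGet]
    public ActionResult Issue()
    {
        HttpCookie oldCookie = Request.Cookies[AntiForgeryConfig.CookieName];
        string cookieToken, formToken;
        // If the request already carries a valid cookie token, GetTokens returns
        // null for cookieToken and a form token bound to the existing cookie.
        AntiForgery.GetTokens(oldCookie != null ? oldCookie.Value : null,
                              out cookieToken, out formToken);
        if (cookieToken != null)
        {
            Response.Cookies.Add(new HttpCookie(AntiForgeryConfig.CookieName, cookieToken)
            {
                HttpOnly = true
            });
        }
        return Json(new { formToken }, JsonRequestBehavior.AllowGet);
    }
}

// Step 2: validate on the receiving action. The cookie half still flows with the
// AJAX request automatically; the form half is read from a custom header.
public sealed class ValidateAjaxAntiForgeryTokenAttribute : FilterAttribute, IAuthorizationFilter
{
    public const string TokenHeaderName = "X-RequestVerificationToken"; // assumed name

    public void OnAuthorization(AuthorizationContext filterContext)
    {
        HttpRequestBase request = filterContext.HttpContext.Request;
        HttpCookie cookie = request.Cookies[AntiForgeryConfig.CookieName];
        string cookieToken = cookie != null ? cookie.Value : null;
        string formToken = request.Headers[TokenHeaderName];
        // Throws HttpAntiForgeryException when either half is missing, the halves
        // do not match, or the pair was issued to a different authenticated user.
        AntiForgery.Validate(cookieToken, formToken);
    }
}
// Usage: [HttpPost, ValidateAjaxAntiForgeryToken] on the AJAX action; the script
// fetches Token/Issue once and sends formToken in the X-RequestVerificationToken header.
```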
by February 5th, 2014
Securing your web application is now more important than ever, because security attacks are growing in number and becoming more sophisticated and frequent. One of the most common types of attack is Cross-Site Request Forgery (CSRF). In this kind of attack a malicious web site hijacks a previously authenticated user session to exploit your web site.
Consider the following example: your web site uses ASP.NET Forms Authentication. The user is authenticated on the login page and the authenticated session is maintained using the standard .ASPXAUTH cookie. Without closing the browser window or logging off your site, the user visits a malicious site which (using social engineering, like displaying some sort of false message to the user) can now cross-post to your site using a standard HTTP form post, and that post will bear a valid .ASPXAUTH cookie issued by your site. So, unless your web site employs some special measures, your server code will not be able to distinguish a valid post from your own pages from a post from the malicious site. Note that implementing HTTPS on every page of your site will not solve this issue, as the malicious site can post over HTTPS too. HTTPS only prevents the traffic between your web site and the web client from being hijacked and analyzed, but in a CSRF attack the attacker doesn’t need to analyze your traffic; it just reuses the authenticated user session.
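The built-in MVC protection the post refers to, shown as an added example that is not code from the original post: a profile-update action that accepts any POST carrying the .ASPXAUTH cookie, beside the same action hardened with the anti-forgery token pair. ProfileController and its ChangeEmail actions are hypothetical names.

```csharp
using System.Web.Mvc;

// Added example (not from the original post). Both actions require a logged-in
// user; only the second one can tell a post from your own page apart from a
// cross-site post that merely rides on the victim's .ASPXAUTH cookie.
public class ProfileController : Controller
{
    // VULNERABLE: [Authorize] only checks the Forms Authentication cookie, which
    // the browser attaches to a cross-site form post just as it would to your own.
    [HttpPost]
    [Authorize]
    public ActionResult ChangeEmailUnsafe(string newEmail)
    {
        SaveEmail(User.Identity.Name, newEmail);
        return RedirectToAction("Index");
    }

    // HARDENED: the hidden __RequestVerificationToken field must match the
    // anti-forgery cookie and be bound to the current user. A malicious site can
    // neither read your page to copy the field nor read your cookie, so it
    // cannot produce a matching pair.
    [HttpPost]
    [Authorize]
    [ValidateAntiForgeryToken]
    public ActionResult ChangeEmail(string newEmail)
    {
        SaveEmail(User.Identity.Name, newEmail);
        return RedirectToAction("Index");
    }

    // Placeholder for the application's own persistence code.
    private static void SaveEmail(string userName, string newEmail)
    {
    }
}

/* Razor view for the hardened action; @Html.AntiForgeryToken() emits the hidden
   field that [ValidateAntiForgeryToken] checks on the server:

@using (Html.BeginForm("ChangeEmail", "Profile", FormMethod.Post))
{
    @Html.AntiForgeryToken()
    @Html.TextBox("newEmail")
    <button type="submit">Save</button>
}
*/
```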
by January 20th, 2014
What is Coin? Coin is a brilliant new technology that allows users to consolidate all of their cards into a single Coin card. A Coin card is not your traditional credit card. It is an electronic device the size of a credit card with a programmable magnetic strip. Any card with a magnetic strip whether that be a debit/credit card, gift card or preferred customer card, can be put on your Coin card.
The Coin card works over Bluetooth and is paired with your phone. Using your phone and an adapter supplied by Coin, a user swipes their cards, which get loaded into their Coin account. When a debit card is needed instead of a credit card, make the selection on your phone. The Coin app will send the information to your card and it will be ready for use with that specific card information. Lose your phone or your card? Have your wallet stolen? That is OK. Coin has security configurations that will deactivate the card automatically if it loses communication with your phone for too long. It sounds as if Coin has thought a lot about security, at least from the physical security point of view. What about digitally?
We live in a world where data breaches are common. A new story about a large company being hacked and customer information stolen seems to appear semi-regularly. Many times the stolen data is not encrypted, and this unencrypted data contains anything from credit card information to email addresses. Is it safe to put all of my banking, credit and preferred customer information in a single location? It is a risky move to digitally put all your eggs in one basket. If Coin were hacked and your data stolen, what would happen? It is essentially the same thing as having your entire wallet stolen.
Coin appears to be prepared for this. Coin does not state what user data is stored with them, but they do state that all user data in the cloud, on the mobile app or on the card itself is encrypted using at least 128-bit encryption. In addition, any information transferred via Bluetooth is also encrypted, so personal data could not be used if it were captured during transmission. This means that if the data is stolen from the cloud, phone or card it is virtually worthless without the decryption key.
Coin has put the right foot forward in their vision of plastic card consolidation. The strong encryption shows they are serious about data security. With the configurable lockout and deactivation features they are making every effort to physically secure the device from theft or loss. The technology being used is not new, but the way it is being used is both new and unique. If Coin is as secure as they claim and the concept takes off, expect its popularity to grow exponentially along with the copycats. The card itself is still in pre-order and is set to be released this summer. You can find out more about Coin here.
by October 8th, 2013
One of the primary methods that schools can innovate is with technology. I live in an area where they’re trying to provide technology to all students by providing laptops or tablets from kindergarten to seniors in high school, all grades K through 12. In any one school district they now have to manage these devices and make sure they are working correctly on a day-to-day basis or the students will not be able to complete their school work. The area I live in is calling this initiative the “Digital Renaissance”. Overall I think this is a great initiative, though I have several concerns.
Decision making on cost
As far as device choice goes, schools are going to buy whatever they can get the best deal on, which isn’t always going to provide the best device. This initiative is one area in which I believe Windows 8 and Surface-like devices could offer amazing benefits. I also believe device selection plays into other areas as well.
Security and consumerism in technology
The students being given devices to learn are now more like employees for the school system and should be treated as such. How will the schools secure the devices so that students can’t install applications or updates that don’t help with their studies? Most consumer-based devices will not have the features required to secure them properly and stop these “employees” from being able to improperly use these devices.
Students are going to try to find ways to use these devices in an unknown number of ways. Think of all the different ways children use smart phones and the trouble they get themselves into. To summarize, how is the school system going to filter the students’ activities on these devices?
by September 11th, 2012
About two months ago, I was pointed to an article that talked about SharePoint Apps and how some people are starting to call them “Crapps”: SharePoint 2013 Preview – Apps or Crapps? I didn’t want to add my two cents right away because I hadn’t really had a chance to play with the App Model in SharePoint 2013 and I didn’t want to sound sycophantic.
However, now that I’ve been deeply immersed in building a complex on-premise SharePoint 2013 app for the better part of 2 months, I find myself firmly in the “major improvement” camp. In case you haven’t read Doug Ware’s article, I’ll summarize it here briefly:
Doug talks about how, in SharePoint 2010, Sandboxed Solutions were supposed to be so amazing and make everything better, how it turned out that Sandboxed Solutions actually had too many limitations to be useful for a lot of work streams, and how the same thing could happen with Apps. In addition, he points out that people like creating Farm Solutions, that the concept of clean deletion is broken because SharePoint is not a phone, and that there are no guidelines for creating apps yet. In the end, he decides that the devil is in the details of how you create the app.