Protecting Identity in the Cloud

Published February 07, 2017

A few months ago, my colleague wrote about accelerating adoption of Office 365 and the importance of security for cloud-based applications. His posts underscored the need for a secure, centralized identity and access solution that can scale seamlessly and interact with existing multi-factor authentication (MFA) while not increasing infrastructure sprawl or total cost of ownership (TCO).

I now want to dive into a solution that delivers on these requirements: a highly scalable identity and access solution for Office 365 that secures and centrally manages user identity and access, works with the authentication mechanisms already deployed (MFA in particular) and existing security offerings, and consolidates infrastructure to lower TCO. This solution, F5’s BIG-IP Access Policy Manager (APM), delivers identity federation, flexible single sign-on (SSO), and adaptive, context-based authentication and access control for Office 365, as well as for any other cloud-based or on-premises application.

F5 BIG-IP APM addresses a wide array of Office 365 use cases. If an organization deploys Office 365 but keeps its user mailboxes on-premises (a hybrid deployment), BIG-IP APM gives users SSO to their Office 365 applications while still enforcing the appropriate authentication for the local, on-premises mailbox. The result is a simpler user experience, with SSO across on-premises email and Office 365, combined with assurance that the users and devices attempting to reach Office 365 applications are authorized to do so.

If an organization deploys Office 365 including Exchange Online, with BIG-IP APM in front of it, users get SSO to both their Office 365 applications and their hosted mailboxes. Because authentication stays with the on-premises identity provider, the organization does not have to move its user credentials (the company’s crown jewels) to the cloud. This lowers costs and mitigates the risk of those credentials being lost or stolen in a cloud breach.

When an organization uses federated identity with Office 365, users who connect over Exchange ActiveSync cannot perform the browser-style (passive) federation redirect. Instead, the client sends its credentials directly to the Office 365 service, which forwards them to the organization’s identity provider on the client’s behalf as part of the active authentication flow. Those credentials are therefore handled in plaintext within the Azure cloud (protected on the wire by TLS, but readable by the service that terminates it), which raises the risk of inadvertently exposing them. With F5 BIG-IP APM deployed in the path, APM authenticates the client itself and encrypts the user credentials before forwarding anything to Office 365, so the cloud service never handles the plaintext password. In addition, BIG-IP APM integrates with existing MFA solutions and SAML identity providers (IdPs) to increase access security and further mitigate risk.
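To make the exposure concrete, the following is an added example (not code from F5, Microsoft, or the original post) that parses the two artefacts a TLS-terminating hop on the active-profile path can read: the HTTP Basic credential an ActiveSync client presents, and the WSS UsernameToken inside a WS-Trust request of the kind a service makes to an IdP on the client’s behalf. Both messages are constructed for this example; the hostname, paths, device identifier, and the simplified WS-Trust body are assumptions, not captures.

```python
"""
Added example: what a hop that terminates TLS on the Exchange ActiveSync
"active" authentication path can recover from the messages it handles.

1. basic_credentials()         - the Basic credential sent by the EAS client
2. usernametoken_credentials() - the UsernameToken in a WS-Trust request

Both carry the password as plaintext inside TLS, so whoever terminates TLS
at that hop (the cloud service in the federated active flow, or an access
proxy placed in front of it) can read it. Sample messages are constructed;
hostnames, paths and the simplified SOAP body are assumptions.
"""
import base64
import xml.etree.ElementTree as ET

# Constructed EAS request, as a mobile client would send it over TLS.
SAMPLE_EAS_REQUEST = (
    "POST /Microsoft-Server-ActiveSync?Cmd=Sync&User=alice&DeviceId=ABC123 HTTP/1.1\r\n"
    "Host: outlook.office365.com\r\n"  # assumed endpoint
    "Authorization: Basic "
    + base64.b64encode(b"contoso\\alice:Hunter2!").decode()
    + "\r\n"
    "User-Agent: Apple-iPhone9C1/1402.100\r\n"
    "\r\n"
)

# WSS 1.0 SecurityExtension namespace (the one used by UsernameToken).
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"  # WS-Trust 1.3

# Constructed, simplified WS-Trust RequestSecurityToken carrying a UsernameToken.
SAMPLE_RST = f"""<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
            xmlns:o="{WSSE}" xmlns:t="{WST}">
  <s:Header>
    <o:Security s:mustUnderstand="1">
      <o:UsernameToken>
        <o:Username>alice@contoso.com</o:Username>
        <o:Password>Hunter2!</o:Password>
      </o:UsernameToken>
    </o:Security>
  </s:Header>
  <s:Body>
    <t:RequestSecurityToken>
      <t:RequestType>{WST}/Issue</t:RequestType>
    </t:RequestSecurityToken>
  </s:Body>
</s:Envelope>"""


def basic_credentials(raw_request: str):
    """Return (username, password) from an HTTP Basic Authorization header,
    or None if the request carries no Basic credential.

    The split is on the first ':' only, because passwords may contain ':'.
    """
    for line in raw_request.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "authorization":
            scheme, _, token = value.strip().partition(" ")
            if scheme.lower() == "basic" and token:
                decoded = base64.b64decode(token).decode("utf-8")
                user, _, password = decoded.partition(":")
                return user, password
    return None


def usernametoken_credentials(soap: str):
    """Return (username, password) from a WSS UsernameToken in a SOAP
    message, or None if the message carries no UsernameToken."""
    root = ET.fromstring(soap)
    token = root.find(f".//{{{WSSE}}}UsernameToken")
    if token is None:
        return None
    return (
        token.findtext(f"{{{WSSE}}}Username"),
        token.findtext(f"{{{WSSE}}}Password"),
    )


if __name__ == "__main__":
    # Each hop that terminates TLS on this path sees the plaintext password.
    print("EAS client -> service:", basic_credentials(SAMPLE_EAS_REQUEST))
    print("service    -> IdP    :", usernametoken_credentials(SAMPLE_RST))
```

The practical check this supports: if your ActiveSync clients authenticate with Basic credentials against a federated tenant, the password is readable at every TLS-terminating hop between the device and your IdP, which is exactly the hop the post proposes to move behind an access proxy you control.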

BIG-IP APM also secures Office 365 access against unmanaged or compromised mobile devices. It lets organizations restrict mobile user and device access to only those devices registered with and authenticated by their enterprise mobility management (EMM) system, and it enables per-app access by integrating with most leading, already-deployed EMM and mobile device management (MDM) offerings. In addition, BIG-IP APM gives customers access to F5’s other security capabilities, including SSL/TLS visibility, which decrypts traffic so that data flowing to and from Office 365 can be inspected and controlled through integration with leading data loss prevention (DLP) solutions.

BIG-IP APM helps organizations save time and expense by replacing the Web Proxy Auto-Discovery Protocol (WPAD) and by augmenting or replacing Active Directory Federation Services (ADFS). ADFS makes dynamic scaling difficult and costly because it requires multiple redundant servers plus separate load balancing. ADFS also has difficulty integrating with the full range of MFA solutions, whereas BIG-IP APM has a robust MFA ecosystem. APM is highly scalable, supporting over 2,000,000 concurrent access sessions on its largest chassis and blade combination.

F5 and Microsoft have been partnering for years. F5 has been working with Office 365 and federating users to Office 365 for over five years. And, Microsoft officially supports third-party SAML providers, stating in their product material, “Third party SAML Providers are supported with Modern Auth Office 365 clients without having the need to validate them with the Works with Office 365 program.”

By now you may see a common theme: With BIG-IP APM running in front of Office 365 you get access to Microsoft’s great productivity applications without compromising security or policy. Organizations with Office 365, whether completely in the cloud or in a hybrid manner, need a secure, centralized, scalable identity and access solution that leverages their existing, in-use authentication and security measures, but that also doesn't waste resources or increase expenses. F5’s BIG-IP APM is that solution, and more. 

Check out all the latest news and blog updates on securing your data and your credentials when deploying Office 365.