As I’ve explained before, I like to do mail in the morning before I leave the house. Finding myself running behind, I was keener than usual to do my morning triage from the car. I called up Outlook Voice Access using voice command, but OVA told me “Your PIN has expired. You must change it to continue…” Aargh! There’s no voice change of PIN, and whizzing down the M4 is not the place to change an 8-digit PIN and update the phonebook entry that voice command uses. (Yes, to be legal I have to store my PIN in the phone book.) If my phone is compromised, so are my messages. Exchange enforces a 4-digit PIN on the phone, and that never changes.
I started wondering “Do OVA PIN changes do any good?” and “How much of a security breach can result from someone getting into Outlook Voice Access?” Someone could forward my mail, or spam people with voice messages; both of these leave a trail in Sent Items. They could re-arrange my diary or set my voice mail message to something frivolous. They can’t get to anything moved out of my inbox by rules, or anything protected by rights management, and what’s left is, frankly, too dull to be worth breaking into. That thinking led on to something Steve Riley talked about at Tech-Ed IT Forum, and something Steve Lamb has been saying on the recent road show. There are two aspects to protecting information: controlling possession of it, and ensuring its confidentiality.
Controlling possession centres on access control, and much of our attention focuses on defence of passwords. Automatic account lockout protects against someone trying to guess my password (or trying every word in the dictionary). It’s also a gift to anyone wanting to mount a denial of service attack: lock out an account by deliberately failing its logon a few times. Then we try to make passwords unguessable: length and complexity requirements also increase the time it takes to find passwords by brute force on the accounts database; but if someone is able to copy the accounts database from a Microsoft data-centre, undetected, then getting my password is quite low on the list of worries. Guesses, dictionary attacks or brute force methods are theoretical, not real world risks. Passwords get compromised because a user tells someone, leaves a note, or gets tricked into it, in which case does changing a domain password every 6 weeks really help? It’s going to be an average of 3 weeks before it gets changed, and plenty of damage could be done in that time.
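To put numbers on the reasoning in that paragraph, here is an added Python example (mine, not code from the original post). It compares how long a PIN or password survives guessing when lockout caps the online rate versus when the attacker has a copy of the accounts database and is limited only by hash speed, and it shows why a rotation policy leaves an already-leaked password usable for, on average, half the rotation period. The guess rates, lockout threshold and window, and the hash rate are illustrative assumptions, not measured figures.

```python
# Added example: password-policy arithmetic behind the argument that lockout,
# complexity and rotation address different (and partly theoretical) risks.
# All rates and thresholds below are assumed illustrative values.

CHARSETS = {
    "digits": 10,    # a 4- or 8-digit PIN
    "lower": 26,     # lower-case letters only
    "alnum": 62,     # upper, lower and digits
    "complex": 95,   # printable ASCII, what a "complexity" policy roughly yields
}

SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365 * SECONDS_PER_DAY


def keyspace(length, charset):
    """Number of candidate secrets for a given length and character set."""
    return CHARSETS[charset] ** length


def online_guess_rate(lockout_threshold, lockout_window_seconds):
    """Sustainable guesses per second against one account under lockout.

    An attacker who wants to keep guessing (rather than lock the account,
    which is the denial-of-service side effect) stops one failure short of
    the threshold in each observation window.
    """
    if lockout_threshold < 2:
        return 0.0
    return (lockout_threshold - 1) / lockout_window_seconds


def seconds_to_exhaust(length, charset, guesses_per_second):
    """Worst-case time to try every candidate; the average is half of this."""
    return keyspace(length, charset) / guesses_per_second


def expected_exposure_days(rotation_days):
    """A password that leaks at a uniformly random moment in its rotation
    period stays valid for, on average, half the period (3 weeks of 6)."""
    return rotation_days / 2


def compare_policies(lockout_threshold=5, lockout_window_seconds=1800,
                     offline_hashes_per_second=1e10, rotation_days=42):
    """Return years to exhaust each policy online (lockout-limited) and
    offline (copied accounts database), plus the rotation exposure window."""
    online = online_guess_rate(lockout_threshold, lockout_window_seconds)
    policies = [(4, "digits"), (8, "digits"), (8, "lower"),
                (8, "alnum"), (8, "complex"), (14, "complex")]
    rows = {}
    for length, charset in policies:
        rows[f"{length} {charset}"] = {
            "online_years": seconds_to_exhaust(length, charset, online)
            / SECONDS_PER_YEAR,
            "offline_years": seconds_to_exhaust(
                length, charset, offline_hashes_per_second) / SECONDS_PER_YEAR,
        }
    return {"policies": rows,
            "exposure_days": expected_exposure_days(rotation_days)}


if __name__ == "__main__":
    result = compare_policies()
    for name, r in result["policies"].items():
        print(f"{name:12s} online {r['online_years']:12.3g} yrs"
              f"   offline {r['offline_years']:12.3g} yrs")
    print("average exposure after a leak:", result["exposure_days"], "days")
```

The output makes the post’s point visible: with lockout in place even a 4-digit PIN takes weeks to guess online, while against a copied database an 8-character complex password falls in days at the assumed hash rate, and no policy shortens the weeks a leaked password stays valid.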
People are beginning to recognise “Security Theatre” when they see it; I’ve heard other people say what I’ve been saying since 2002: “airport security” doesn’t make us more secure, and those long queues for screening are themselves a target. I love Hugh’s cartoon “Business is run by the people who hire and fire I.T. Departments” (I don’t think he meant HR). Is “security” the excuse for IT impeding the business? If you work in an IT department which doesn’t enable the business to do its job better, how long before your job gets off-shored?
Before anyone starts quoting me as the Microsoft person who says password security doesn’t matter: it does matter. But if you assume that reliably authenticating users means everything will be OK, then sooner or later a wrong action by an authenticated user will be your undoing. The stories that have been in the news of late have been failures of confidentiality, not of authentication. Protecting confidentiality means some kind of encryption, possibly as part of rights management, and I’ll save discussion of that for another time.
Authenticating users doesn’t mean they won’t put confidentiality at risk, or that we can trust their PCs. In a world where people expect to work anywhere (I’ve quoted Darren Strange, “The millennials are coming”, and Sharon Richardson, “The natives are leaving”, on why that’s increasingly the case), how far can we trust the PC being used? (Quarantine and Network Access Protection help here.) When I talked about Terminal Services on the road show, I asked Steve to talk about the idea of “VPNs: now considered harmful”, because they publish whole networks rather than services. By contrast, the new features of Terminal Services in Server 2008 mean we publish applications. Exchange and Office Communications Server lead the way on this, and 2008 Terminal Services will help other things catch up. Interestingly, Terminal Services now allows us to identify trusted servers and send default credentials without prompting the user to enter them; it takes friction out of the process.
I don’t think Microsoft is unique in using external companies to provide some services (I’ve grumbled here about our travel tool). The idea that I need to connect to the corporate network to validate myself before using an external service is stupid. Instead of my account easing things for me, it’s just one more hoop for me to jump through. So… when I got the following in my mail, my heart sank:
Currently … each Microsoft Subsidiary manages payroll independently resulting in inconsistent employee experience… the UK is one of the first subs to change to [our new global payroll provider] our aim is to improve the employee experience by delivering consistent, user friendly services worldwide… … your pay slip can now be retrieved from [external URL]
As I said, my heart sank. What kind of doublethink allows the sender to write “We are changing things to make your experience consistent”? He has form in this regard, so I read it as spinning a cost-saving measure which will make life a little worse: more hoops to jump through, more grief, etc… but actually, no! It’s the first partner I’ve needed to use that supports Active Directory Federation Services (on the corporate network the logon below should be transparent).
This post originally appeared on my TechNet blog.