assurance - [Assurance] RE: Passwords and Office365
Subject: Assurance
List archive
- From: Etan Weintraub <>
- To: "" <>
- Subject: [Assurance] RE: Passwords and Office365
- Date: Wed, 6 Mar 2013 20:01:44 +0000
- Accept-language: en-US
- Authentication-results: sfpop-ironport01.merit.edu; dkim=neutral (message not signed) header.i=none
|
So, if my understanding is correct, then it is not something that would eliminate the possibility of Silver, but we must implement some type of policy and procedure for if it is compromised at the foreign system.
I.e. knowing every account that is on that system, and have a policy that if that system is compromised, they would need to notify us, and then we would require all accounts in that population to change/reset their passwords? -Etan E. Weintraub Sr. Systems Engineer Directory Architecture IT@Johns Hopkins Johns Hopkins at Mt. Washington 5801 Smith Ave. Suite 3110B Baltimore, MD 21209 Phone: 410-735-7945 E-mail: From: [mailto:]
On Behalf Of Michael W. Brogan Seems like IAP 4.2.3.6.3 is the relevant requirement: “…the IdPO must have appropriate policies and procedures in place to minimize risk from this exposure.” Michael W. Brogan Technical Lead, Identity and Access Management UW Information Technology, University of Washington 206-685-7521 From:
[]
On Behalf Of Etan Weintraub Hi all- We are in the process of implementing Office365 here at Hopkins, and based on the implementation guides, I had a question as to its impact on our ability to get Silver Assurance, so I figured I would ask here and see if anyone could give
me an answer. Basically, according to the information I can gleam, even using ADFS, at certain points (i.e. when using a mobile device to connect to the email service) the username and password are first sent to Microsoft servers, then back in to our
environment and servers for authentication. Given that the username and password would be shipped securely (we are confirming that we can turn off all non-secure access points, but believe that it is available to do), but is “intercepted” and proxied through
to our servers by the Microsoft servers, would this become an non-auditable point, and therefore potentially eliminate us from being able to get Silver? -Etan E. Weintraub Sr. Systems Engineer Directory Architecture IT@Johns Hopkins Johns Hopkins at Mt. Washington 5801 Smith Ave. Suite 3110B Baltimore, MD 21209 Phone: 410-735-7945 E-mail: |
- [Assurance] Passwords and Office365, Etan Weintraub, 03/06/2013
- [Assurance] RE: Passwords and Office365, Michael W. Brogan, 03/06/2013
- [Assurance] RE: Passwords and Office365, Etan Weintraub, 03/06/2013
- Re: [Assurance] RE: Passwords and Office365, Michael R. Gettes, 03/06/2013
- Message not available
- RE: [Assurance] RE: Passwords and Office365, Brian Arkills, 03/07/2013
- RE: [Assurance] RE: Passwords and Office365, Etan Weintraub, 03/07/2013
- RE: [Assurance] RE: Passwords and Office365, Brian Arkills, 03/07/2013
- Re: [Assurance] RE: Passwords and Office365, Steven Carmody, 03/07/2013
- RE: [Assurance] RE: Passwords and Office365, Etan Weintraub, 03/07/2013
- RE: [Assurance] RE: Passwords and Office365, Brian Arkills, 03/07/2013
- RE: [Assurance] RE: Passwords and Office365, Etan Weintraub, 03/07/2013
- [Assurance] RE: Passwords and Office365, Etan Weintraub, 03/06/2013
- [Assurance] RE: Passwords and Office365, Brian Arkills, 03/06/2013
- Re: [Assurance] RE: Passwords and Office365, Cantor, Scott, 03/06/2013
- [Assurance] RE: Passwords and Office365, Michael W. Brogan, 03/06/2013
Archive powered by MHonArc 2.6.16.