As a Cloud Exchange admin, I recently received the following message from Microsoft:

"MC298404 | November 16 - We're making some changes to improve the security of your tenant. We previously communicated this change via Message Center: MC191153 (Sept. We announced in 2019 that we would be retiring Basic Authentication for legacy protocols, and in September 2021, we confirmed that we would begin to disable Basic Authentication for in-use protocols beginning October 2022."

So, this serves as confirmation that Exchange ActiveSync (EAS) for grandfathered Office 365 Cloud Exchange accounts with active basic authentication users will not be disabled until October of next year.

So, if you currently use EAS on BB10, and your Cloud Exchange admin allows both Basic Authentication AND use of third party clients, you should still be able to sync email, contacts, calendar, tasks, and notes through October of next year.

This is excellent news for me in the short term, but it also sets an absolute end date on my use of BB10 and my Z10 as my personal business Exchange client. I now know my personal end-of-life date for my Z10, which will be 9-1/2 years old when I finally retire it from daily use.

Posted via CB10

---

As an Exchange Admin, do you choose to allow the less secure authentications? If yes, how do you justify that?

---

> As an Exchange Admin, do you choose to allow the less secure authentications? If yes, how do you justify that?

Excellent question. I will answer for myself, but each organization should establish its own policies based on its risk appetite, cost-benefits analyses, threat environment and overall cyber risk profile.

Fortunately, I am the sole owner of the four or five businesses tied to my Cloud Exchange account, so I am the only person to whom I have to justify my choice.

At the end of the day, all risk decisions come down to making an informed inference about both the impact and the likelihood of a loss event. In the case of my use of Basic Authentication for the Cloud Exchange accounts for my personal businesses, I consider the likelihood of an attacker compromising any of the accounts synced to my BB10 device with my stolen credentials to be quite small, and the impact of any compromise that might occur to be limited in magnitude. Below are some of my risk-mitigating practices, with the relevant security principles in parentheses.

1) None of the Exchange accounts I use on my BB10 are the Admin account for any of my services. (Principle of Least Privilege, Segregation of Duties)

2) Each account has a complex and unique app password so that, even if it were exposed, it could not be used on another device. (Multi-factor Authentication - more or less, since the device is something I have in my possession)

3) I am aware of most social engineering attack methods used to steal credentials, and I guard against them carefully. (Security Awareness and Training)

4) I use my BB10 phone only on WiFi through a secure VPN that I also control, and it is password locked anytime it's not in my hands. (Physical Endpoint Security and Network Security)

5) I run my BB10 stock with only BlackBerry's native built-in apps, such as the Hub. These offer limited opportunities for hackers by design, were extensively audited and penetration tested, and received high-level security certificates. I run no apps from BlackBerry World or side-loaded Android apps. (Minimize Attack Surface)

6) I have extensive automated security monitoring set up on my accounts and get real-time notifications of all logins and login attempts. (Security Monitoring)

Finally, I have discussed my threat profile and security posture with other information security professionals whom I respect. All (including me!) agree that Microsoft is correct to force a transition away from Basic Authentication, but they also concur with my analysis that my current controls are adequate for my threat profile. It's akin to choosing not to lock a car door outside a rural house at the end of a long driveway far off the road, when you own a vigilant guard dog who alerts you of any visitors, keep nothing you couldn't easily replace in your car, and live in an area with a very low crime rate.

---

> Excellent question. I will answer for myself, but each organization should establish its own policies based on its risk appetite, cost-benefits analyses, threat environment and overall cyber risk profile.

Ok, now I understand your previous statement. I'll agree that for your specific case, you may be just fine. But I don't think that you should recommend the same option to others - who most likely don't have your experience and/or limited usage.

Posted via CB10
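The question put to the admin in this thread (allow Basic Authentication or not, and on what basis) is decided at the tenant level, not on the phone. The following is an added example and is not code posted by anyone in the thread. It uses the Exchange Online PowerShell cmdlets that existed while Basic Authentication could still be enabled (before the October 2022 cut-off quoted above), and it assumes the ExchangeOnlineManagement module is installed; the policy names, the user principal names and the time window are placeholders. It applies the thread's own principles from the admin side: block Basic Auth tenant-wide, carve out a least-privilege exception for Exchange ActiveSync only, scope it to named non-admin mailboxes, verify the result, and monitor sign-ins for those accounts.

```powershell
# Added example, not from the thread. Assumes the ExchangeOnlineManagement module;
# policy names, UPNs and dates below are placeholders.
Connect-ExchangeOnline

# 1) Current state. An empty DefaultAuthenticationPolicy means no tenant policy is
#    applied, so Basic Auth is governed only by Microsoft's per-protocol switches.
Get-OrganizationConfig | Format-List DefaultAuthenticationPolicy

# 2) Tenant-wide default: block Basic Auth for every protocol. A new authentication
#    policy blocks all protocols unless an AllowBasicAuth* switch is set on it.
New-AuthenticationPolicy -Name "Block Basic Auth"
Set-OrganizationConfig -DefaultAuthenticationPolicy "Block Basic Auth"

# 3) Narrow exception (least privilege, minimized attack surface): Basic Auth is
#    allowed for Exchange ActiveSync only, and only for the listed non-admin mailboxes.
New-AuthenticationPolicy -Name "Allow Basic Auth EAS Only" -AllowBasicAuthActiveSync
$easUsers = @("user1@example.com", "user2@example.com")   # placeholders, never admin accounts
foreach ($upn in $easUsers) {
    Set-User -Identity $upn -AuthenticationPolicy "Allow Basic Auth EAS Only"
    # Apply the policy now rather than waiting for cached tokens to expire.
    Set-User -Identity $upn -STSRefreshTokensValidFrom ([System.DateTime]::UtcNow)
}

# 4) Verify: which policy each user carries, and that only EAS is enabled on the
#    mailbox so a leaked app password cannot be reused over IMAP or POP.
foreach ($upn in $easUsers) {
    Get-User -Identity $upn | Format-List UserPrincipalName, AuthenticationPolicy
    Get-CASMailbox -Identity $upn | Format-List ActiveSyncEnabled, ImapEnabled, PopEnabled
}

# 5) Security monitoring: sign-in successes and failures for the exception accounts
#    over the last 24 hours, summarised by operation and client IP so an unexpected
#    source address or a burst of failures stands out.
$events = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) `
    -RecordType AzureActiveDirectoryStsLogon -UserIds $easUsers `
    -Operations UserLoggedIn, UserLoginFailed -ResultSize 5000

$events |
    ForEach-Object { $_.AuditData | ConvertFrom-Json } |
    Group-Object Operation, ClientIP |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

The ordering matters: the tenant-wide block is set first so that the exception policy only ever widens access for the accounts it is explicitly assigned to, and step 4 is the check that the exception really is limited to ActiveSync. Step 5 is the admin-side equivalent of the per-account login alerts described in the thread; the same query can be scheduled and its output compared against the previous run to raise a notification on a new client IP.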