Here we cover some of the best security practices and tools you can use to immediately improve your security against attacks on identity and attempts to steal information.
Cyber Security Risks
The following list shows some of the risks and threats to all cloud solutions:
- Advanced Persistent Threats (APT): they have more spare time, resources, and determination than you do
- Spear Phishing and Whaling: fooling people into malicious activity, on a daily basis
- Embarrassing Data Leakage: ever accidentally sent data to the wrong person?
- Insider Threat: how can you identify and protect against malicious users who have authorised access?
- Innovation vs Shadow IT: use them both to your advantage
When we consider how these risks present themselves, we can use two base categories:
- Rogue Code: either a bug in the software you are using, which can be exploited, or malware that has been installed through various methods. These are deployed in large quantities and can mostly be thwarted by keeping up to date with software patching (both the OS and your applications), as well as implementing Advanced Threat Protection technologies that scan attachments and also ensure users do not click on links to malicious websites.
- Malicious User: these are skilled individuals who are actively trying to attack and exploit vulnerabilities in your security defences. They may use social
Developing Secure Solutions
The following items cover some of the key considerations when creating, implementing, or refreshing technology platforms:
Help kill off passwords
- They are like the key-fob into the building, easily lost and easily used
- Should not be trusted as the only identification method for sensitive data access
Read Only by default
- Confirm real-time human interaction before giving trusted access
- Especially for high impact systems and information
Embrace “Assume breached”
- The statistics are scary, and it's not going away anytime soon
- Be more creative than they are!
Identity is the new gateway
- Secure identities will solve a lot of cyber-security issues
Implementing Secure Solutions
Each of the following will be discussed briefly here, and followed up with a more detailed post in the future:
- Local Admin Password (LAP)
- Azure Active Directory (AAD)
- Business Guests (B2B)
- Conditional Access Policies (CAP)
- Privileged Identity Management (PIM)
- Privileged Access Workstation (PAW)
- Advanced Threat Analytics (ATA)
- Azure Information Protection (AIP)
1. Local Admin Accounts & Passwords (LAP)
Local admin account
Q: When was the password last changed?
Q: How do you do this across the whole business?
A: the "Local Administrator Password Solution" (LAPS)
Users with local admin rights
Q: Is this still required?
Q: Do you do this on your own PC?
A: NEVER use the everyday account; provide a secondary (local) account for administrative tasks
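As an added example (not from the original post), this PowerShell audit answers the two LAPS questions above across a whole OU: it reads the LAPS expiration attribute on every enabled computer and reports which machines have no managed password or an expired one. It assumes the ActiveDirectory module, the legacy LAPS schema extension (ms-Mcs-AdmPwd*), and a placeholder OU path.

```powershell
# Added example: audit LAPS coverage across an OU (not part of the original post).
# Assumes the ActiveDirectory RSAT module and the ms-Mcs-AdmPwd* schema extension.
Import-Module ActiveDirectory

$searchBase = "OU=Workstations,DC=example,DC=local"   # placeholder OU for your domain

# The expiration attribute is readable without exposing the password itself
$computers = Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $searchBase `
    -Properties 'ms-Mcs-AdmPwdExpirationTime'

$nowUtc = (Get-Date).ToUniversalTime()

$report = foreach ($c in $computers) {
    $raw = $c.'ms-Mcs-AdmPwdExpirationTime'
    if ($null -eq $raw) {
        # The LAPS client-side extension has never set a password on this machine
        $status  = 'NoLapsPassword'
        $expires = $null
    } else {
        # Stored as a Windows FILETIME: 100 ns ticks since 1601-01-01, UTC
        $expires = [DateTime]::FromFileTimeUtc([int64]$raw)
        $status  = if ($expires -lt $nowUtc) { 'Expired' } else { 'Current' }
    }
    [pscustomobject]@{
        Computer   = $c.Name
        Status     = $status
        ExpiresUtc = $expires
    }
}

# Summary of coverage, then the machines that need attention
$report | Group-Object Status | Select-Object Name, Count | Format-Table -AutoSize
$report | Where-Object { $_.Status -ne 'Current' } | Sort-Object ExpiresUtc | Format-Table -AutoSize
```

An 'Expired' entry means the agent has not rotated the password on schedule (typically an offline or mis-targeted machine); 'NoLapsPassword' means the GPO never reached it.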
2. Azure Active Directory (AAD)
AAD is the centre of identity and access management for all Azure and Office 365 workloads. You can connect your on-premises Active Directory domain (running on Windows Server) or use the native cloud capabilities; either way, you should aim to have all application authentication occur via AAD. The scalability and advanced security functionality of AAD cannot be matched by any on-premises solution. Read here for more information about Azure AD.
3. Business Guests (B2B)
This new functionality of AAD allows you to invite business guests, consultants, and other external partners to access your resources using their own accounts, instead of creating an internal account for them. This saves on licensing costs and administrative overhead (they look after their own passwords), and increases security by providing a separation between internal trusted accounts and external accounts that may require more restrictions. These accounts appear in your directory and can be assigned to groups, targeted by conditional access policies, and required to use multi-factor authentication (even if they don't use it in their own domains).
Through a simple invitation process, the external user receives an email with a unique link. Once they click on the link, their external account is linked to the guest account in your directory. When they log on, they do so with their own user ID and password. The external user ID can be a company email address or a personal account (Gmail, Outlook, etc.). This image shows the type of configurable email they will see:
4. Conditional Access Policies (CAP)
Another new feature of AAD Premium is the ability to assess the specific details of every logon attempt to determine the level of risk before allowing the user to proceed to the application. This works for every cloud application presented via AAD (including on-premises apps published through the application proxy).
Conditional access policies can target specific groups of users, devices, and applications (both local and cloud), as well as IP address ranges. The policies can then enforce one or more of the following conditions (or simply block the access altogether):
- Require Multi-Factor Authentication (MFA)
- Require the device to be domain joined
- Require a compliant device
The following chart is an example of the type of restrictions that may be enforced for a specific user group:
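As an added example (not from the original post), this is what a policy of the kind described above looks like when created through the Microsoft Graph PowerShell SDK: it targets one user group and all applications, excludes trusted IP ranges, and grants access only with MFA, a domain-joined device, or a compliant device. It assumes the Microsoft.Graph.Identity.SignIns module; the group object ID is a placeholder.

```powershell
# Added example: conditional access policy via Microsoft Graph PowerShell (not from the original post).
# Assumes Microsoft.Graph.Identity.SignIns is installed; the group id below is a placeholder.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

$policy = @{
    displayName = 'Finance: MFA or managed device outside trusted network'
    # Report-only first: sign-in logs show who would be affected before enforcing
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        # Target a specific user group (placeholder object id)
        users        = @{ includeGroups = @('<finance-group-object-id>') }
        # All cloud apps presented via AAD, including app-proxy published apps
        applications = @{ includeApplications = @('All') }
        # Every location except named locations you have marked as trusted
        locations    = @{
            includeLocations = @('All')
            excludeLocations = @('AllTrusted')
        }
    }
    grantControls = @{
        # OR: any one control satisfies the policy; use 'AND' to require all of them.
        # To block access outright instead, use builtInControls = @('block').
        operator        = 'OR'
        builtInControls = @('mfa', 'domainJoinedDevice', 'compliantDevice')
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Switch `state` to `enabled` only after reviewing the report-only results, and keep a break-glass account excluded from every policy so a misconfiguration cannot lock administrators out.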
5. Privileged Identity Management (PIM)
This solution is both simple and powerful: it allows an administrator to securely activate their permissions when required, and automatically removes them when no longer required. Each activation is audited, and the administrator is prompted to provide justification. The controls enabled by this solution will revolutionise the way permissions are administered across your Azure and Office 365 environment.
This image shows what an administrator will see when they activate one of their available roles:
This chart shows an example of various policy settings that can be applied for each role:
More roles are being added, ensuring every part of your cloud infrastructure can be finely controlled. We recommend purchasing the AAD P2 licenses for each administrative account to enable this feature. Read here for more information about PIM.
6. Privileged Access Workstation (PAW)
Microsoft provides very specific guidance on how to configure and use this solution. This implementation goes against what a lot of IT Pros have been taught so far: instead of logging onto a PC as a user and elevating privileges for applications that require them, administrator accounts should only be allowed to log onto specifically hardened PCs that are not used to access email or other productivity apps. Systems are then restricted to ensure sensitive access can only be gained from these hardened PAW machines. This solution is used by Microsoft to protect their most sensitive internal information, and can apply to several scenarios in any business:
Administrative Privileges: the PAWs provide increased security for high impact IT administrative roles and tasks. This architecture can be applied to administration of many types of systems including Active Directory Domains and Forests, Microsoft Azure Active Directory tenants, Office 365 tenants, Process Control Networks (PCN), Supervisory Control and Data Acquisition (SCADA) systems, Automated Teller Machines (ATMs), and Point of Sale (PoS) devices.
High Sensitivity Information workers: the approach used in a PAW can also provide protection for highly sensitive information worker tasks and personnel such as those involving pre-announcement Merger and Acquisition activity, pre-release financial reports, organizational social media presence, executive communications, unpatented trade secrets, sensitive research, or other proprietary or sensitive data. This guidance does not discuss the configuration of these information worker scenarios in depth or include this scenario in the technical instructions…
7. Advanced Threat Analytics (ATA)
Securing access to systems requires many layers of defence. ATA is focused on securing the corporate network by monitoring all activity that occurs on the Active Directory Domain Controllers. The solution collects and analyses all Active Directory related traffic, collects relevant events from SIEM solutions, and alerts immediately when known issues are found. ATA then automatically learns all entities' behaviours (over a period of time), builds an organizational security graph, and detects abnormal behaviour, protocol attacks, and weaknesses. The solution reports all suspicious activities using a simple, functional, actionable timeline with recommendations for investigation and remediation.
8. Azure Information Protection (AIP)
This solution provides the ability to apply labels and classifications to documents, which can then be used to apply protective measures such as encryption (if you have heard of, or used, Azure Rights Management (RMS), this is now part of the AIP product) and Data Loss Prevention (DLP) policies in Exchange, SharePoint, and other file storage and collaboration solutions.
The solution can be deployed very quickly to provide instant access to the protection capabilities on an individual basis (for both email and documents), and then designed and implemented with policies that apply across the organisation and for specific business collaboration scenarios.
If you implement everything in this post you will increase your defences across identity, devices, applications and data. There will always be more you can do, but starting here is both practical and affordable.