Cloud computing is just another server managed by someone else right? Well, that depends. Since when talking about cloud services from Microsoft the managed part is a co-effort. Meaning that some responsibilities are shared, and some are Microsoft sole responsibility, and some are your responsibility. Let’s talk about that from a security perspective.
What is Zero Trust?
With the cloud your perimeters are endless and with the click of a button can be extended with the addition of a new application, device or collaboration. So how do we keep our borders protected when the borders keep expanding? With Zero Trust!
There are a couple principles that together make up the zero-trust model. The first being explicitly verify. That sounds very vague but look at it from data standpoint. You take all data available to you and then decide if access is granted or denied or additional information and/or action is required. In a cloud era that could be the location the user is logging in from in combination with the sensitivity of the application they are trying to access.
The second principle is least privileged access. Meaning that you only get access for that what you need to fulfill your role and/or task. Need to manage SharePoint Online? Then you will request SharePoint access for a fixed timeframe and within that timeframe you get privileged access. After that the rights are (automatically) revoked and you go back to being a regular joe without privileged access. This limits the amounts of privileged accounts on your environment and the potential security risks if such an identity is compromised.
The last principle is about assuming breach, this means that you take an active role in threat detection and make sure that if any resource is compromised that there is no fallout to other services and resources. This can be done by segmenting networks as well as user rights so that the scope of a compromise is always limited.
Why should you care?
We started this blog with the fact that you have responsibilities when it concerns the (Microsoft) cloud environment. In practice this means that applying the zero trust principals is something that you have to take action for it to be implemented. By design the cloud native environment is secure but as soon as you start creating accounts and granting rights and access to application you need to apply that in a zero-trust way.
You should care because these accounts show certain behavior and if that behavior changes over night, then that user needs to be challenged. Please verify that you are Average Joe that is suddenly trying to login from Spain where you normally do that from The Netherlands. And no, just the correct password isn’t going to cut it this time, we require approval from the managed authenticator application on your mobile phone. Failed to verify? Access for that login attempt is blocked even if the password is correct, your admin has been notified and if the threat is severe enough your account is automatically blocked.
Where to start?
A great place to start is with the Security Defaults from Microsoft, these are preconfigured security settings related that require all users and administrators to use multi factor authentication (MFA) and blocking legacy authentication protocols. This could even be your default setting if your Office 365 tenant has been created in 2020. If this is not the case, then start by determining the possible impact of the measurements by discussing MFA with end-users and check within Azure Active Directory if legacy protocols are being used for sign-in activity.
If MFA is a harder sell because it requires the private mobile number or phone from a colleague because part of the workforce doesn’t get a mobile phone, then implementing those security defaults can be done for specific users. To be able to scope the measurements to groups and users the Azure Active Directory Premium license is required. This also allows to block legacy authentication for all users expect that one service account that still requires it. Better 99,9% coverage then no coverage at all.
Zero trust isn’t an end state it’s a state of mind. Meaning anything you do from now on should be within that mind frame. Upgrading or buying a new accounting system? Only if it integrates with Azure Active Directory so Multi Factor Authentication can be applied. Your service partner requests global admin for user management? Let’s start with user administrator for when required.
Struggling to start?
Wortell provides security assessments where in a couple days we assess your cloud environment and make recommendations based on the identified risks for mitigation. By providing prioritization based on user and technical impact you will have a roadmap related to security for the next few months based on your own maturity and ambitions. Interested? Let’s talk.
Written by: Thomas Schrader, IT Security Strategy Consultant @Wortell
