In PART 1 of our series on Securing the Modern Workplace using Microsoft 365 we discussed the background and high level solutions, and defined 5 specific solution areas, namely TRUSTED USER, TRUSTED DEVICE, TRUSTED APP, TRUSTED PLATFORM and TRUSTED DATA.
Today we will dive into a bit more detail on how you can ensure you have TRUSTED USERS when making use of Microsoft 365.
You may have heard the often-used slogan “Identity is the new Firewall” or “Identity as Control Plane” and this is very true. Securing the datacenter and device is no longer enough, as the systems that process your data and where you store your data are no longer in your datacenter but out there on the internet. The best place to start securing your data in the Modern Workplace is right at the from door, by securing the user’s IDENTITY. Some claim that as much as 97% of all security breaches in the last year started with a breached identity. Regardless of whether this figure is accurate or not, if you can assume somebody’s identity you often have unhindered access all devices, apps, platforms and data the user has access to. The weakest link in your security chain is HUMANS. We are animals of habit, we are often lazy, we are incredibly creative in circumventing all kinds of complex security road blocks and most importantly we are very susceptible to social engineering attacks such as Phishing. The most important step you can take to improve your security posture today is to protect your users’ identities.
Microsoft has observed a 300% increase in identity related cyber attack in 2017. Attacks are becoming more sophisticated but also more “brutal”; “next gen” malware is becoming intelligent and adaptive, password spay attacks are used en masse, phishing is wide spread, breach replay is rampant due to users having to manage accounts in multiple cloud services (password re-use) and new attacks such as content abuse, sinkhole jacking and election hacking are appearing daily. The common denominator here is IDENTITY.
Attackers start with a small footprint, for example by making use of a password spray attack where they attempt a list of often-used and common passwords against know accounts until they gain access. This is often done on the mobile device, with your identity stolen by, for example, installing and non-trusted app from the app store and giving it access to your identity. Think of a scenario where you access your corporate webmail account on your partner’s private tablet, which also has dubious free “games” or other malware installing apps installed. Once attackers have access to one, often unimportant account (often without any special privileges) they next dump the company’s global address list, meaning they now have access to a large dictionary of corporate mailboxes and thus accounts. Once they have this database, often in conjunction with social media information to determine which accounts are potentially privileged, they then start pivoting and launching slightly more sophisticated attacks, such as breach replay or phishing attacks against more specific, targeted accounts.
The message here is attacks start with a VERY SMALL loophole. Attackers typically get access to an unimportant, often old or dormant accounts and they silently work their way up until they get to the payload. The fix is simple: secure the identity layer; even the least privileged identities can give attackers an intrance. Perform regular reporting to identify old, dormant accounts and again: secure all your user identities, not only the important ones.
TIP 1: Implement Azure Active Directory PREMIUM
Identities in Microsoft 365 are protected using Azure Active Directory (“AAD”). While an easy explanation would be that AAD is “Active Directory in the Cloud“, AAD us MUCH MORE. On premise Active Directory (“AD”) was designed to service “internal” users and was not designed with internet exposure in mind. To enable AD to service users on the internet a “federation” solution (“I don’t know, ask that guy”) is added, the most widely used being Active Directory Federation Services (“ADFS”), which allows users on the internet to log in using their on-premise Active Directory credentials and receive an “access ticket” from the on-premise infrastructure. Without various additional security layers however, ADFS is simply an automated “ticketing” service. You go to the machine, buy your ticket and proceed to the turnstile. If you have a ticket, you have access. ADFS is thus primarily a Secure Ticketing Service and serves as simple “Identity Management” solution.
An automated ticketing machine and an unmanned turnstile assumes you have well behaved consumers with good intentions. The problem with this is that modern attackers are not well behaved and attacks have become very sophisticated. Identity Management alone is not enough, you need an INTELLIGENT Identity AND ACCESS Management System (“IAM”). This is where AAD comes in; while the “free” version of AAD provides a good replacement for on premise AD (Identity Management), AAD PREMIUM provide the tools to set down Conditional Rules and enforce them. It further makes use of machine learning and aggregation of data from multiple sources to understand attacks and act appropriately. It’s a “Bouncer with a PhD”.
When you purchase Office 365 (or Dynamics 365, or PowerBI or ANY Microsoft online product), you get a “free” or “basic” version of AAD. This is intended as basic identity storage solution ONLY. While there may be some small businesses out there that may be OK with running this, this free version is NOT intended to replace a mature identity management solution. If you have not arranged thing elsewhere, YOU NEED AAD PREMIUM. The good new is that all versions of Microsoft 365 include AAD premium in the base license.
TIP 2: Implement CONDITIONAL ACCESS with MFA
To ensure that your trusted users are protected, that they make use of trusted devices and apps, and that the backend platform remains trusted, Microsoft 365 provides Conditional Access as part of your Azure Active Directory “front door”. Conditional Access guards your front door and ensures nobody is it let in (either employees or third parties) unless all required security conditions are met, such as proving the user us not compromised (trusted USER), the device is compliant (trusted DEVICE), the application adheres to all required safety measures (trusted APP). Various back-end services are used to “prove” each sign-in, including Multi Factor Authentication (“MFA”), the sign-in LOCATION (IP Address), evaluation of the APPLICATION used for access and the DEVICE’s management state (is it complaint?). These factors are evaluated against the parameters you pre-determined for getting access to your platform and data, and appropriate action is taken. This cloud include allowing access, blocking access or enforcing restrictions in terms of which actions your are allowed to perform (such as only allowing view access and blocking screen capture, printing or download of files) .
TIP 3: User AAD PREMIUM PLAN 2 for sensitive or privileged identities.
Conditional Access not only allows you to define a static set of rules but is also backed by the Microsoft Intelligent Security Graph, which constantly evaluates a large amount of elements based on patterns, behaviour and numerous external data sources, and subsequently evaluates the SIGN-IN RISK. Note however that not all these features are provided out of the box. Some of these “dynamic” security measures or metrics require AAD “PREMIUM 2”, which is an absolute MUST for users that travel often, than roam across devices, that access extra sensitive data (HR?) or have extra sensitive identities (e.g. IT Admins).
This includes checks such as:
- Is it a Privileged User or Sensitive Identity logging in (for example an IT admin, HR manger or company CEO)?
- Have we seen the credentials used to log in being made public (i.e. a passwords know to be leaked on the Dark Web)?
- Is a Sensitive App being accessed (for example a HR system containing sensitive employee PII data or a SharePoint site containing secret information)?
- Is this a new, non-managed or previously unknown device?
- Has malware been detected on the device or in the data being uploaded?
- Is the IP address your are logging in from listed as a Botnet? When your identity is manged in the Azure AD cloud (not federated on premise), this check is automated.
- Would this be considered “impossible travel” (e.g. logging in from Amsterdam and 5 minutes later from a location 1000’s of kilometres away)?
- Are you using an anonymous client (such as the Tor browser)?
- Has a high number of failed sign-in attempts been detected for this user?
All these measures are to help ensure the back-end Office 365, Dynamics 365 or third-party cloud services remain “trusted PLATFORMS” and the data stored there remain “trusted DATA”.
TIP 4: Enable AAD Privileged Identity Management for Just in Time access.
For protecting “privileged” identities, such as IT Admins, Developers and Security and Compliance Officers, Microsoft has developed Privileged Identity Management (“PIM”). PIM allows you to only get admin access “Just In Time”, as and when you need it, rather than always having dangerous Global Admin or other privileged roles assigned to your account. This helps you apply least privilege more easily yet escalate to a higher privilege level when you really need it.
TIP 5: Implement AAD PASSWORD HASH SYNC!
While many believe they are improving their environment’s security by not allowing their passwords to be stored in the cloud, syncing passwords to AAD IMPROVES the security of user’s identities. Firstly the password itself is securely encrypted by making use of the AD “hash” and performing 1000 iterations of non-reversible, one-way re-encryption using a new salt value. So storing your password in the cloud IS NOT a risk, to the contrary, if you use an on-premise alternative like ADFS or OKTA, exactly the same user makes use of exactly the same password over exactly the same internet connection to access your resources BUT the level of security Microsoft can achieve both in terms of datacenter facilities and in terms op operations (for example large teams of security specialists) with AAD, vastly surpasses anything we can hope to achieve in out own environments.
To detected potential leaked credentials, AAD compares the hashed password against a large database of commonly used, unsafe and predictable passwords, including checking it against lists of passwords know to be posted on the Dark Web. This means if your employee used the same password for Office 365 as they used for a less secure third-party web site, even if this site’s password list leaked, you remain protected.
TIP 6: Use the reporting and Secure Score!
Azure AD provides you a wealth of reporting, including “risky users” and “risky sign ins”. Make it a habit to review these reports regularly. You can often attack an attack that is underway well in advanced, especially for the less sophisticated (bulk of-) attacks that use brute force to try various accounts against dictionaries of know passwords. AAD also provides you with Identity Secure Score (more on Secure Score in a future article, “trusted platform”), which provides you with a dashboard and a security rating on your live environment. This allows you to view trends and gives you concrete, real world, actionable recommendations to increase your identity security posture. More info HERE.
TIP 7: Go PASSWORD-LESS
The biggest “giant leap” you can take in securing your user identities is to go password-less. Microsoft 365 and Windows 10 includes Windows Hello, which makes authentication unique to a device and bio-metric combination and eliminated passwords completely. Implementing Windows Hello mitigates 90% (my own estimate) of the top identity targeted attacks in one small step. We will discuss this in more detail in de next article “trusted device”.
TIP 8: BLOCK LEGACY AUTHENTICATION!
Many older apps and protocols, such as POP3, IMAP, ActiveSync and more make use of legacy authentication protocols. These are no longer considered safe. These are very easy to block using AAD PREMIUM. If your application does not support Modern authentication, seriously consider implementing new, modern apps.
TIP 9: Have a been pwned?
To see whether your credentials have been compromised, check your account (including any other accounts where you have used the same password, for example personal, and accounts you ever used ON THE SAME DEVICE as your corporate account) on THIS site.
It is often said that your business’ largest capital is PEOPLE. The easiest step you can take to increase your security posture is to help them PROTECT THEIR IDENTITIES.
Stay tuned for the next 4 articles in this series, providing you the same insights as given here, from a DEVICE< APP, PLATFORM and DATA point of view.
- PART 1: Introduction to Microsoft 365,
- PART 2 (this article): Ensuring you have TRUSTED USERS,
- (coming soon) PART 3: Ensuring your users use TRUSTED DEVICES,
- (coming soon) PART 4: Ensuring only TRUSTED APPS can access your data,
- (coming soon) PART 5: Making sure you have a TRUSTED PLATFORM,
- (coming soon) PART 6: Ensuring TRUSTED DATA, independents of any other factors.
* All slides used in this article are property of Microsoft, mostly from different deep-dive sessions at Ignite.