Optimize Your Digital CyberSecurity Strategy for a Cloud Centric Post-Covid 19 Ecosystem - Part 1 of 3



Since March 2020 organizations across the globe have been forced to quickly adapt their infrastructure to support a dramatic shift to telework as a result of the first wave of COVID-19.

Almost immediately, employees from thousands of organizations across the globe became entirely remote. Although organizations around the world were already trending toward mobile-first strategies in some facets of their operations, few organizations were built to operate 100% remotely.

For many, COVID-19 became a catalyst for managing a remote workforce with immediacy and at scale. Needless to say, this was and continues to be a monumental and complex task for mid-size to large organizations with distributed locations and thousands of employees and devices. Since the start of COVID-19, “46% of businesses have experienced at least one security incident”.

As Canada and other countries enter the second wave of COVID-19, and to support the 2020 Cybersecurity Awareness Month, I will be providing a 3-part series of articles which will provide key strategy elements organizations should consider as part of their Digital Cybersecurity Journey as they look to enable and protect a remote workforce.

Part 1 – Establish a Human-Centric Perimeter  


Estimates by Gallup indicate that this April, 62 percent of employed Americans worked at home during the crisis, compared with about 25 percent a couple of years ago.

Many organizations were unprepared for this seismic shift and pivot away from their traditional network boundaries into the network-less environment which is public cloud.

2 Years’ Worth of Digital Transformation in 2 Months

This crisis forced organizations to implement 2 years’ worth of digital transformation in a 2-month period, as Satya put it.

This increase represents a significant expansion of the attack surface, and an opportunity for cyber attackers looking to capitalize on the rapid rate of change.

This shift has redefined the security perimeter. Employees are bringing their own devices and working remotely. Data is being accessed outside the corporate network and shared with external collaborators such as partners and vendors.

In order to ensure business continuity during the crisis and address remote productivity needs, remote collaboration tools became a must have for organizations to continue to operate.

This rapid shift saw the rapid adoption of collaboration platforms such as Teams to the tune of 75 million daily active users, an increase of 31 million users in just over a month. 

Identity as the Primary Gate Check to your Cloud Apps and Data

The primary security gate check for teleworkers consuming cloud collaboration platforms such as Teams is their cloud identity, which is part of a hybrid identity system. These identities are stored in a cloud directory called Azure Active Directory.

Since the cloud identity becomes the de facto common denominator for humans to access applications and data across heterogeneous devices and networks, the organization’s cloud identity directory (tenant) must be designed and implemented with a Zero Trust philosophy in mind.

A Zero Trust model adopts 3 principles: verify the identity, ensure access is compliant and normal, and enforce a least-privilege access model. These principles ensure the integrity, authenticity and authorized use of the identity by its legitimate human owner.

Below I have included 3 proven practices you should include in your identity design strategy to reduce your attack surface and increase the cost to cyber attackers.

3 Proven Actions to Improve the Security Posture of your Cloud/Hybrid Identity Environment

1. Enforce MFA for everyone and block over 99.9 percent of account compromise attacks. By adding an extra layer of security that enforces MFA, you protect your organization against common password attack vectors such as credential stuffing and password spraying; the attacker is neutralized even if they have obtained a user’s password.

Effort/Cost to Implement (Low)

You can implement MFA by creating a Conditional Access policy across all of your users that enforces MFA.

Tip: Ensure you exclude your break glass accounts from your Conditional Access policies to ensure business continuity in case of an accidental lockout or other emergency access situation.

2. Block legacy Authentication Protocols

One of the most common attack vectors for malicious actors is to use stolen/replayed credentials against legacy protocols, such as SMTP, that cannot apply modern security challenges.

For MFA to be effective, you also need to block legacy authentication. This is because legacy authentication protocols like POP, SMTP, IMAP, and MAPI can't enforce MFA, making them preferred entry points for adversaries attacking your organization.

The numbers on legacy authentication from an analysis of Azure Active Directory (Azure AD) traffic are stark:

● More than 99 percent of password spray attacks use legacy authentication protocols.

● More than 97 percent of credential stuffing attacks use legacy authentication.

● Azure AD accounts in organizations that have disabled legacy authentication experience 67 percent fewer compromises than those where legacy authentication is enabled.
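Before blocking legacy authentication you need to know which accounts still rely on it, and the same sign-in data shows the spray pattern the numbers above describe. The script below is an added example, not code from the original article: it reads Azure AD sign-in records in the Microsoft Graph `signIn` shape (`userPrincipalName`, `clientAppUsed`, `ipAddress`, `status.errorCode`), lists accounts with successful legacy sign-ins (the ones to migrate or exclude before enforcing a block), and flags source IPs failing passwords across many accounts over legacy protocols. The sample records, the `contoso.example` accounts and the thresholds are constructed.

```python
"""Inventory legacy-authentication sign-ins before blocking them.

Added example; it is not code from the original article. Records are assumed to be
JSON lines in the Microsoft Graph `signIn` shape (userPrincipalName, clientAppUsed,
ipAddress, status.errorCode). The sample records below are constructed.
"""
import json
from collections import Counter, defaultdict

# clientAppUsed values that Azure AD reports for legacy (basic) authentication.
LEGACY_CLIENT_APPS = {
    "Exchange ActiveSync", "IMAP", "POP", "SMTP", "Authenticated SMTP",
    "MAPI Over HTTP", "Exchange Web Services", "Exchange Online PowerShell",
    "Autodiscover", "Offline Address Book", "Outlook Anywhere (RPC over HTTP)",
    "Outlook Service", "Other clients",
}
ERR_INVALID_PASSWORD = 50126  # Azure AD error code: invalid username or password


def _rec(upn, app, ip, code):
    return json.dumps({"userPrincipalName": upn, "clientAppUsed": app,
                       "ipAddress": ip, "status": {"errorCode": code}})


# Constructed sample: a scanner service account on IMAP, one ActiveSync user,
# modern-auth users, and a single IP failing SMTP logins across four accounts.
SAMPLE_SIGNINS = "\n".join([
    _rec("svc-scanner@contoso.example", "IMAP", "203.0.113.10", 0),
    _rec("svc-scanner@contoso.example", "IMAP", "203.0.113.10", 0),
    _rec("alice@contoso.example", "Browser", "203.0.113.5", 0),
    _rec("bob@contoso.example", "Mobile Apps and Desktop clients", "203.0.113.6", 0),
    _rec("carol@contoso.example", "Exchange ActiveSync", "203.0.113.22", 0),
    _rec("alice@contoso.example", "SMTP", "198.51.100.7", ERR_INVALID_PASSWORD),
    _rec("bob@contoso.example", "SMTP", "198.51.100.7", ERR_INVALID_PASSWORD),
    _rec("carol@contoso.example", "SMTP", "198.51.100.7", ERR_INVALID_PASSWORD),
    _rec("dave@contoso.example", "SMTP", "198.51.100.7", ERR_INVALID_PASSWORD),
])


def parse_signins(text):
    """Parse JSON-lines sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def legacy_auth_inventory(records):
    """Map each account with successful legacy sign-ins to the protocols it used.

    These are the accounts that must be moved to modern auth or explicitly
    excluded before a Conditional Access block policy is enforced.
    """
    inventory = defaultdict(Counter)
    for r in records:
        app = r.get("clientAppUsed", "")
        if app in LEGACY_CLIENT_APPS and r.get("status", {}).get("errorCode") == 0:
            inventory[r["userPrincipalName"]][app] += 1
    return {upn: dict(c) for upn, c in inventory.items()}


def spray_suspects(records, min_accounts=3):
    """Source IPs with failed-password legacy sign-ins spread across many accounts.

    One IP, many distinct users, few attempts each is the password-spray shape;
    the threshold is a constructed starting point, not a tuned value.
    """
    targets = defaultdict(set)
    for r in records:
        if (r.get("clientAppUsed") in LEGACY_CLIENT_APPS
                and r.get("status", {}).get("errorCode") == ERR_INVALID_PASSWORD):
            targets[r["ipAddress"]].add(r["userPrincipalName"])
    return sorted((ip, len(users)) for ip, users in targets.items()
                  if len(users) >= min_accounts)


if __name__ == "__main__":
    recs = parse_signins(SAMPLE_SIGNINS)
    print("legacy auth still in use:", legacy_auth_inventory(recs))
    print("spray suspects (ip, accounts):", spray_suspects(recs))
```

Run against a real export (for example the sign-in logs downloaded from the Azure AD portal as JSON, or the Graph `auditLogs/signIns` endpoint), the inventory becomes the exclusion list for the block policy in the next step, and the spray output is a starting point for a detection rule rather than a finished one.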

Effort/Cost to Implement (Low)

The easiest way to block legacy authentication across your entire organization is by configuring a Conditional Access policy that applies specifically to legacy authentication clients and blocks access. When assigning users and applications to the policy, make sure to exclude users and service accounts that still need to sign in using legacy authentication. 

Important Considerations Before You Implement this Step

● Blocking access using Other clients also blocks Exchange Online PowerShell and Dynamics 365 using basic auth.

● Configuring a policy for Other clients blocks the entire organization from certain clients like SPConnect. This block happens because older clients authenticate in unexpected ways. The issue doesn't apply to major Office applications like the older Office clients.

● It can take up to 24 hours for the policy to go into effect.

● You can select all available grant controls for the Other clients condition; however, the end-user experience is always the same - blocked access.
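Steps 1 and 2 are both Conditional Access policies, so the script below builds them together as an added example (not code from the original article): the request bodies in the Microsoft Graph `conditionalAccessPolicy` schema for "require MFA for all users" with break-glass accounts excluded, and for "block legacy authentication" targeting the `exchangeActiveSync` and `other` client app types with still-dependent accounts excluded. Both default to report-only state so the impact can be reviewed in sign-in logs before enforcement. The `lint_policy` sanity check and the object IDs are this example's own additions; `create_policy` shows the Graph call but needs a real token and is not run here.

```python
"""Conditional Access policy bodies for steps 1 and 2: MFA for everyone
(excluding break-glass accounts) and blocking legacy authentication clients.

Added example, not code from the original article. Bodies follow the Microsoft
Graph conditionalAccessPolicy schema; object IDs passed in are placeholders, and
both policies default to report-only so their impact can be reviewed first.
"""
import json
import urllib.request

GRAPH_CA_POLICIES = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"
REPORT_ONLY = "enabledForReportingButNotEnforced"  # Graph state value for report-only
ENABLED = "enabled"


def build_mfa_for_all_policy(break_glass_ids, state=REPORT_ONLY):
    """Require MFA for all users on all cloud apps, excluding break-glass accounts."""
    if not break_glass_ids:
        raise ValueError("exclude at least one break-glass account to avoid lockout")
    return {
        "displayName": "CA001 - Require MFA for all users",
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(break_glass_ids)},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }


def build_block_legacy_auth_policy(excluded_ids=(), state=REPORT_ONLY):
    """Block Exchange ActiveSync and 'Other clients' (basic auth: POP, IMAP, SMTP, MAPI)."""
    return {
        "displayName": "CA002 - Block legacy authentication",
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(excluded_ids)},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["exchangeActiveSync", "other"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def lint_policy(policy):
    """Return warnings for the lockout mistakes the tips in the article call out."""
    warnings = []
    users = policy["conditions"]["users"]
    controls = policy["grantControls"]["builtInControls"]
    if users.get("includeUsers") == ["All"] and not users.get("excludeUsers"):
        warnings.append("targets All users with no exclusions (break-glass lockout risk)")
    if "block" in controls and "all" in policy["conditions"]["clientAppTypes"]:
        warnings.append("blocks every client type for the targeted users")
    if policy["state"] == ENABLED:
        warnings.append("enforced immediately; consider report-only first")
    return warnings


def create_policy(policy, access_token):
    """POST the policy to Graph (needs Policy.ReadWrite.ConditionalAccess); not run here."""
    req = urllib.request.Request(
        GRAPH_CA_POLICIES, data=json.dumps(policy).encode(), method="POST",
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    bg = ["00000000-0000-0000-0000-000000000001"]  # placeholder break-glass object ID
    for p in (build_mfa_for_all_policy(bg), build_block_legacy_auth_policy(bg)):
        print(p["displayName"], "->", lint_policy(p) or "ok")
        print(json.dumps(p, indent=2))
```

Switch `state` to `"enabled"` only after the report-only results show no unexpected blocks, and remember the 24-hour propagation window mentioned above when validating.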

3. Reduce the Attack Surface of Your Cloud/Hybrid Identity Ecosystem

● Enable Password Hash Sync. If your organization uses a hybrid identity solution with pass-through authentication or federation, then you should also enable password hash sync. You can then leverage the Users with leaked credentials report in Azure AD, which warns you of username and password pairs that have been exposed on the “dark web”. An incredible volume of passwords is leaked via phishing, malware, and password reuse on third-party sites that are later breached. Microsoft finds many of these leaked credentials and will tell you, in this report, if they match credentials in your organization, but only if you enable password hash sync.

● Restrict user consent to apps in your tenant. By default, all users in Azure AD can grant applications that integrate with Azure AD access to your organization’s data. While allowing users to consent by themselves lets them easily acquire useful applications that integrate with Microsoft 365, Azure and other services, it can represent a risk if not used and monitored carefully. Microsoft recommends restricting user consent to help reduce your attack surface and mitigate this risk. You may also use app consent policies (preview) to restrict end-user consent to only verified publishers and only for permissions you select. If end-user consent is restricted, previous consent grants will still be honored, but all future consent operations must be performed by an administrator.

Tip: Make sure users can request admin approval for new applications to reduce user friction, minimize support volume, and prevent users from signing up for applications using non-Azure AD credentials. Once you regulate your consent operations, administrators should audit apps and consented permissions on a regular basis.
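The consent bullet and its tip describe three concrete settings: limit what users may consent to, let them request admin approval instead, and audit existing grants. The script below is an added example, not code from the original article. It builds the Microsoft Graph request bodies for the `authorizationPolicy` (assigning the built-in `microsoft-user-default-low` permission grant policy so users can consent only to low-risk permissions from verified publishers) and the `adminConsentRequestPolicy` (the admin approval workflow), then audits a constructed export of `oauth2PermissionGrant` objects for high-privilege delegated scopes. The reviewer IDs, sample grants and the scope list are assumptions of the example.

```python
"""Restrict user consent and audit existing consent grants.

Added example, not from the original article. It builds the Microsoft Graph
request bodies for limiting user consent (authorizationPolicy) and enabling the
admin consent request workflow (adminConsentRequestPolicy), then audits a
constructed export of oauth2PermissionGrants. IDs are placeholders.
"""

# Built-in permission grant policy: users may consent only to low-risk delegated
# permissions from verified publishers. Assign [] instead to disable user consent.
VERIFIED_LOW_RISK = "ManagePermissionGrantsForSelf.microsoft-user-default-low"

# Delegated scopes that give an app broad access to mail, files or the directory
# (the example's own list; extend it to your tenant's risk appetite).
HIGH_PRIVILEGE_SCOPES = {
    "Mail.ReadWrite", "Mail.Send", "Mail.Read", "Files.ReadWrite.All",
    "Files.Read.All", "Directory.AccessAsUser.All", "Directory.ReadWrite.All",
    "MailboxSettings.ReadWrite", "Contacts.ReadWrite",
}


def restrict_user_consent_body(allow_verified_low_risk=True):
    """Body for PATCH /policies/authorizationPolicy."""
    assigned = [VERIFIED_LOW_RISK] if allow_verified_low_risk else []
    return {"defaultUserRolePermissions": {"permissionGrantPoliciesAssigned": assigned}}


def admin_consent_request_body(reviewer_user_ids, duration_days=30):
    """Body for PUT /policies/adminConsentRequestPolicy so users can ask for approval."""
    if not reviewer_user_ids:
        raise ValueError("at least one reviewer is required when the workflow is enabled")
    return {
        "isEnabled": True,
        "notifyReviewers": True,
        "remindersEnabled": True,
        "requestDurationInDays": duration_days,
        "reviewers": [{"query": f"/users/{uid}", "queryType": "MicrosoftGraph"}
                      for uid in reviewer_user_ids],
    }


# Constructed export of oauth2PermissionGrant objects (GET /oauth2PermissionGrants).
# consentType "Principal" = a single user consented; "AllPrincipals" = tenant-wide.
SAMPLE_GRANTS = [
    {"id": "g1", "clientId": "app-notes", "consentType": "Principal",
     "principalId": "user-alice", "scope": "openid profile User.Read"},
    {"id": "g2", "clientId": "app-mailsync", "consentType": "Principal",
     "principalId": "user-bob", "scope": "Mail.ReadWrite offline_access User.Read"},
    {"id": "g3", "clientId": "app-backup", "consentType": "AllPrincipals",
     "principalId": None, "scope": "Files.ReadWrite.All offline_access"},
]


def audit_consent_grants(grants):
    """List grants carrying high-privilege scopes as (clientId, who consented, scopes)."""
    findings = []
    for g in grants:
        risky = sorted(set(g.get("scope", "").split()) & HIGH_PRIVILEGE_SCOPES)
        if risky:
            who = g["principalId"] if g["consentType"] == "Principal" else "tenant-wide"
            findings.append((g["clientId"], who, risky))
    return findings


if __name__ == "__main__":
    print(restrict_user_consent_body())
    print(admin_consent_request_body(["00000000-0000-0000-0000-000000000002"]))
    for finding in audit_consent_grants(SAMPLE_GRANTS):
        print("review:", finding)
```

Restricting consent does not revoke grants that already exist, which is why the audit runs over the current `oauth2PermissionGrants` export; each finding is a grant an administrator should re-approve or remove.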

● Enforce a Least-Privileged Access Model. Enable Azure AD Privileged Identity Management, then review the users who are assigned administrative roles and remove unnecessary accounts from those roles. For the remaining privileged users, move them from permanent to eligible. Finally, establish appropriate policies so that, when they need to gain access to those privileged roles, they can do so securely, for a bounded duration, with the necessary change control.

Proven Practices

o  Keep your Global Admin assignments eligible only, not permanent, and limit them to 2-5 people.

o  Ensure you set up MFA enforcement to activate the role assignment.

o  Require 2 approvers, ideally including a management-level approval, to provide governance and segregation of duties.

o  Integrate the approval process for high-risk roles with your Change Approval Board to ensure proper change management.

o  Create a regular attestation process, either quarterly or semi-annually, that continuously validates the need for eligibility for these roles.

Below is a list of roles that you should also govern using a similar governance model. When applying this model, use the following criteria to determine risk and governance rigor:

High Risk Definition and Eligibility Assignment Criteria

Any role that has downstream horizontal access across the organization’s security posture, could lead to business continuity outages, and is used infrequently is considered a high-risk role and therefore requires a strict governance model similar to the one described above for Global Admins.

Examples of High-Risk Roles include:

o  SharePoint administrator

o  Exchange administrator

o  Teams administrator

o  Conditional Access administrator

o  Privileged Role Administrator

o  Security administrator

o  Helpdesk administrator

o  Billing administrator

o  User administrator

o  Authentication administrator
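The proven practices and the high-risk role list above translate into two routine tasks: checking the current assignments against the model (no standing high-risk assignments, Global Admins eligible only and limited to 2-5 people) and converting a standing assignment into a time-bounded PIM eligibility. The script below is an added example, not the article's own code. The assignment export is constructed (role display names are used for readability; real Graph exports carry role template IDs), the break-glass exemption is the example's assumption, and the IDs passed to the request builder are placeholders.

```python
"""Audit privileged role assignments against the governance model above and
build a PIM eligibility request.

Added example, not the article's own code. The assignment export is constructed
and the IDs passed to the request builder are placeholders.
"""
from datetime import datetime, timezone

# High-risk roles from the article's list, plus Global Administrator.
HIGH_RISK_ROLES = {
    "Global Administrator", "SharePoint Administrator", "Exchange Administrator",
    "Teams Administrator", "Conditional Access Administrator",
    "Privileged Role Administrator", "Security Administrator",
    "Helpdesk Administrator", "Billing Administrator", "User Administrator",
    "Authentication Administrator",
}
GLOBAL_ADMIN = "Global Administrator"
GA_MIN, GA_MAX = 2, 5  # article: limit Global Admin to 2-5 people

# Constructed export: (principal, role, assignmentType) where assignmentType is
# "Permanent" (standing, always active) or "Eligible" (PIM, must be activated).
SAMPLE_ASSIGNMENTS = [
    ("alice@contoso.example", "Global Administrator", "Permanent"),
    ("breakglass-01@contoso.example", "Global Administrator", "Permanent"),
    ("bob@contoso.example", "Global Administrator", "Eligible"),
    ("carol@contoso.example", "Exchange Administrator", "Permanent"),
    ("dave@contoso.example", "Security Administrator", "Eligible"),
    ("erin@contoso.example", "Helpdesk Administrator", "Permanent"),
    ("frank@contoso.example", "Global Reader", "Permanent"),
]


def audit_assignments(assignments, exempt=()):
    """Flag standing high-risk assignments and an out-of-range Global Admin head count.

    `exempt` lists principals (e.g. break-glass accounts) allowed to keep a
    permanent assignment; that exemption is this example's assumption.
    """
    permanent_high_risk = [
        (p, role) for p, role, kind in assignments
        if role in HIGH_RISK_ROLES and kind == "Permanent" and p not in exempt
    ]
    ga_holders = {p for p, role, _ in assignments if role == GLOBAL_ADMIN}
    return {
        "permanent_high_risk": permanent_high_risk,
        "global_admin_count": len(ga_holders),
        "global_admin_out_of_range": not (GA_MIN <= len(ga_holders) <= GA_MAX),
    }


def build_eligibility_request(principal_id, role_definition_id, days=180,
                              justification="Convert standing admin to PIM eligible"):
    """Body for POST /roleManagement/directory/roleEligibilityScheduleRequests.

    Makes the principal eligible (not active) for the role for `days` days, so
    the eligibility itself expires and is re-attested rather than granted forever.
    """
    if days <= 0:
        raise ValueError("eligibility duration must be positive")
    now = datetime.now(timezone.utc).replace(microsecond=0)
    start = now.isoformat().replace("+00:00", "Z")
    return {
        "action": "adminAssign",
        "justification": justification,
        "principalId": principal_id,
        "roleDefinitionId": role_definition_id,
        "directoryScopeId": "/",
        "scheduleInfo": {
            "startDateTime": start,
            "expiration": {"type": "afterDuration", "duration": f"P{days}D"},
        },
    }


if __name__ == "__main__":
    report = audit_assignments(SAMPLE_ASSIGNMENTS, exempt={"breakglass-01@contoso.example"})
    for principal, role in report["permanent_high_risk"]:
        print(f"move to eligible: {principal} ({role})")
        print(build_eligibility_request("<principal-object-id>", "<role-definition-id>"))
    print("Global Admins:", report["global_admin_count"],
          "out of range" if report["global_admin_out_of_range"] else "within 2-5")
```

The 180-day default matches a semi-annual attestation cycle: when the eligibility expires, someone has to justify renewing it, which is the review the proven practices ask for. Activation-time requirements (MFA, approvers, ticket number) are configured on the role's PIM settings, not in this request.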

Effort/Cost to Implement (Medium)

Next week, I will post the 2nd part of the series, where I will go over key security proven practices in the realm of threat management and data protection across endpoints, O365 applications and data. I will then culminate the series with a 3rd article, where I will focus on the operationalization of cloud security horizontally within a Security Operations Center.

Additional Resources

For additional resources on securing your Hybrid Identity system, go to the following link.

With security being top of mind for most agencies and departments right now, this is a great read.

Eugene Zozulya

Digital & App Innovation Sales Lead ✦ On the mission to enable organizations to maximize their full potential by going digital
