Our Information Security Manager, Greg Nott, is back with his monthly analysis of the latest cyber security trends, providing best practice measures to ensure your organisation is protected against any and all cyber attacks.
The following article addresses the latest cyber security trends, with our advice on how to stay alert to them. We want to help your organisation stay protected against calculated cyber criminals, so keep reading for Greg's insight.
What we've noticed:
The principle of ‘Least Privilege’ has been around for some time now and is straightforward in its scope – only giving people access to those things that they absolutely need to fulfil their job role. With unlimited time and resources, you could take this to the next level, defining individual policies and rules specific to each user within your organisation.
In reality, this is not practical for the vast majority of us, so we work with defined roles which then allow us to assign "best fit" access rights to our users. Many systems limit us to assigning a single role per user, for example "Super Admin", "Billing Admin", "Standard User" and so on. Today, we have access to more sophisticated systems like Microsoft Azure Active Directory, which allow us to assign multiple roles to a user to get as close to that best fit as possible.
Despite this probably being common knowledge to a lot of you, it is still all too common to find this longstanding functionality going unused! Instead, where a user needs anything more than standard access, organisations will grant them full Domain or Global Administrator access either because it is quick and easy to do, or they just do not know any better.
Generally, this means that these excessive privileges are assigned to a user's normal day-to-day account and are never reviewed. This leads to too many accounts throughout your organisation having too much access. Those same privileged accounts are then used to log in to e-mail and to browse the web, where they are exposed to malware and other attacks, indefinitely.
Could this be the case within your organisation? If so, your organisation is potentially at risk.
Securing your organisation without the significant costs
Luckily Microsoft is constantly developing their services and the new Azure Privileged Identity Management (PIM) service can really help to boost the application of Least Privilege within an organisation.
In essence, PIM allows you to assign privileged roles to user accounts, but to add caveats, including:
- Roles can be assigned permanently, or merely made available to eligible users, who must then activate the Role when they need it.
- You can further specify whether a user needs to record the reason for activating a privileged Role, or whether they need to re-authenticate using Multi-factor Authentication (MFA).
- Assigned Roles can be activated only for a period of time that you specify, so even if the account is compromised, you limit the damage that can be done with it.
- You can also specify if a particular Role needs to be authorised by a different Administrator before being assigned to the requesting user.
What more can we do to protect our organisations?
To further secure your organisation from these risks, you can apply similar principles at the application or service level in Azure, rather than at the user account level, using Just In Time (JIT) features.
By enabling JIT protection on a service such as a Virtual Machine in Azure, users can be granted a certain level of day-to-day access (e.g. 'Read Only') and then have the facility to request a higher level of access, only when needed and only for as long as needed.
Combining these principles and tools in your Azure environment will not only reduce the attack surface of your organisation but will also enhance the visibility you have of privileged access activity within your systems.
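The PIM caveats listed above and the JIT request flow are the same mechanism applied at different levels: an account holds no privilege by default, activation is gated by a recorded reason, MFA and optionally a second administrator, the grant expires on its own, and every step is logged so privileged activity is visible. The Python model below is an added example written for this article; it is not Azure PIM, Defender for Cloud or any Microsoft code, and every name in it (RolePolicy, PrivilegedAccessModel, the example.com accounts and the timestamps) is invented here to show the mechanics.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class RolePolicy:
    """Controls attached to one privileged role (names invented for this example)."""
    max_duration: timedelta         # upper bound on any single activation
    require_justification: bool = True
    require_mfa: bool = True
    require_approval: bool = False  # a different administrator must approve


@dataclass
class Activation:
    user: str
    role: str
    expires_at: datetime
    approved: bool


class PrivilegedAccessModel:
    """In-memory model of eligible, time-bound role activation with an audit trail."""

    def __init__(self, policies: dict[str, RolePolicy]):
        self.policies = policies
        self.permanent: set[tuple[str, str]] = set()  # (user, role) always live
        self.eligible: set[tuple[str, str]] = set()   # (user, role) must be activated
        self.activations: list[Activation] = []
        self.audit: list[dict] = []                   # every privileged-access event

    def assign(self, user: str, role: str, permanent: bool = False) -> None:
        """Permanent assignment grants the role outright; eligible only permits activation."""
        (self.permanent if permanent else self.eligible).add((user, role))
        self._log("assign", user, role, permanent=permanent)

    def request_activation(self, user: str, role: str, now: datetime, duration: timedelta,
                           justification: str = "", mfa_passed: bool = False) -> Activation:
        """Apply the role's caveats, then grant a time-boxed activation (pending if approval is needed)."""
        policy = self.policies[role]
        if (user, role) not in self.eligible:
            raise PermissionError(f"{user} is not eligible for {role}")
        if policy.require_justification and not justification.strip():
            raise PermissionError("a reason for activation is required")
        if policy.require_mfa and not mfa_passed:
            raise PermissionError("MFA re-authentication is required")
        granted = min(duration, policy.max_duration)  # never trust the requested length
        activation = Activation(user, role, now + granted, approved=not policy.require_approval)
        self.activations.append(activation)
        self._log("activate", user, role, hours=granted / timedelta(hours=1),
                  justification=justification, pending=not activation.approved)
        return activation

    def approve(self, activation: Activation, approver: str) -> None:
        """Approval must come from someone other than the requester."""
        if approver == activation.user:
            raise PermissionError("a requester cannot approve their own activation")
        activation.approved = True
        self._log("approve", activation.user, activation.role, approver=approver)

    def has_role(self, user: str, role: str, now: datetime) -> bool:
        """Permanent assignments are always live; activations only while approved and unexpired."""
        if (user, role) in self.permanent:
            return True
        return any(a.user == user and a.role == role and a.approved and now < a.expires_at
                   for a in self.activations)

    def _log(self, event: str, user: str, role: str, **detail) -> None:
        self.audit.append({"event": event, "user": user, "role": role, **detail})


def demo() -> dict:
    """Walk one eligible user through the controls; accounts and timestamps are constructed."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    alice, ga, billing = "alice@example.com", "Global Administrator", "Billing Administrator"
    m = PrivilegedAccessModel({ga: RolePolicy(timedelta(hours=1), require_approval=True),
                               billing: RolePolicy(timedelta(hours=8))})
    m.assign(alice, ga)       # eligible only: nothing is live until activated
    m.assign(alice, billing)
    m.assign("breakglass@example.com", ga, permanent=True)
    out = {"eligible_is_not_live": not m.has_role(alice, ga, t0)}
    try:  # a justified request without MFA is still refused
        m.request_activation(alice, billing, t0, timedelta(hours=2), justification="Month-end invoicing")
        out["mfa_enforced"] = False
    except PermissionError:
        out["mfa_enforced"] = True
    act = m.request_activation(alice, billing, t0, timedelta(hours=24),
                               justification="Month-end invoicing", mfa_passed=True)
    out["billing_clamped_to_8h"] = act.expires_at == t0 + timedelta(hours=8)
    out["billing_live_at_1h"] = m.has_role(alice, billing, t0 + timedelta(hours=1))
    out["billing_live_at_9h"] = m.has_role(alice, billing, t0 + timedelta(hours=9))
    req = m.request_activation(alice, ga, t0, timedelta(minutes=30),
                               justification="Tenant DNS change", mfa_passed=True)
    out["ga_live_before_approval"] = m.has_role(alice, ga, t0)
    m.approve(req, approver="bob@example.com")
    out["ga_live_after_approval"] = m.has_role(alice, ga, t0 + timedelta(minutes=10))
    out["breakglass_always_live"] = m.has_role("breakglass@example.com", ga, t0 + timedelta(days=30))
    out["audit_events"] = len(m.audit)  # 3 assignments, 2 activations, 1 approval
    return out
```

Two design points carry over to any real deployment of these controls: the requested duration is clamped to the policy maximum rather than trusted, so a compromised account cannot extend its own window, and the single permanently assigned account is the emergency "break glass" identity, which is exactly the kind of account that should be rare, monitored, and never used for day-to-day e-mail or browsing.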
The tools discussed above are specific to Microsoft Azure; however, it is still possible to apply the same principles of Least Privilege, PIM and JIT in other ways in other systems. For a little upfront investment in budget, or perhaps only your time, you can set yourself up for a much more secure future. And if you don't have Azure in place, applying these principles is still a definite starting point.
It is now generally accepted best practice that any roles with any level of privileged access (above a standard user account) are assigned to a completely separate admin-only account for the relevant users. Only the specific roles each user needs should be assigned to that account. Giving everyone global admin access by default, even on a different account, is still an issue.
As a Microsoft Gold Partner and a Tier 1 Cloud Solutions Provider, we meet Microsoft's rigorous criteria for excellence, so you can be assured that you're in safe, knowledgeable hands. We can help implement Microsoft Azure throughout your organisation, provide training to your team, and make significant cost savings, whilst keeping your organisation secure.