The use of modern public cloud offerings dramatically changed the way we look at digital security. Traditional security models can no longer be applied to mitigate the threats we face these days.

Traditional security models are generally based on perimeter security. We build a castle, dig a moat, implement a drawbridge and assign guards to defend our perimeter. Within this castle our valuables are stored and protected by the thick layer of perimeter security. Nothing comes in or out without someone knowing exactly what is going on.

This works for traditional on premise IT environments where we have control over who accesses our data and from which device they do this. For example a mainframe environment, not accessible from outside the building, or a service based computer environment (RDS) where, if remote access is allowed, we have control over who is able to do this and keep our data within the perimeter where we still have control of the data flow. We sometimes lower the drawbridge but still enforce a strict policy of what comes in and what goes out.

Where a traditional IT environment looks and feels secure, the opposite is true. In modern workplaces users expect a certain level of flexibility. They want to access information any time, any place and anywhere. If we do not provide such functionality or lock the system down where such functionality is limited, users will find another way to achieve their goal, thus creating what we call shadow IT.

If we go back to our castle metaphor and compare it to the modern workplace, we have to lower the drawbridges and swap the guards for a friendly host that provides guidance (we can access x but not y). Anybody can access the castle, but not everyone may access our valuable assets. This new model brings a whole new set of risks to the table; the perimeter / IT environment is no longer the main attack vector. Instead, attackers target users and their devices directly, as they have direct access to the “castle” and to some extend the valuables we try to protect. This generally happens through (targeted) malware, phishing, or social engineering.

This is exactly what we need to focus on in a modern cloud environment. We have the ability to provide a free flow of information, users can access information any place, anytime, anywhere without daunting login procedures through VPN connections, certificate exchanges and hardware tokens. We have to focus on safely storing our assets (valuables) and ensure that their security and integrity are guaranteed.

How does this impact the average managed service provider? In general the situation is as follows:

  • As an IT Partner you have limited influence on end user security awareness
  • You are held responsible by stakeholders for anything that happens to the customer data
  • You are able to influence technical countermeasures
  • There is no longer a predefined “perimeter” you can secure

With Microsoft Azure and Office 365 we can provide both the required functionalities and implement the corresponding security countermeasures to ensure responsible usage of our assets and reduce the impact.

When looking at the available resources within Microsoft Azure and Office 365 you will be flooded with possibilities. To scope the available security services focus on the following:

  • Identities
  • Devices
  • Information

For each of these items, Microsoft provides specific tools, each with their own security features.

 

Identities

With Azure Active Directory (AAD) Microsoft provides a fully featured Identity and Access (IAM) platform. We can leverage the power of AAD to provide the first layer of security for our web applications, PaaS Resources and general access to the user environment. Azure Active Directory provides several key security features such as:

  • Multi Factor Authentication
  • Risk Based Conditional Access
  • Role Based Access Control
  • Password Management
  • Azure Identity Protection

 

Devices

If we look at device security (both smartphones and workstations) Microsoft provides two key products:

  • Azure Active Directory to register the device
  • Microsoft Intune (part of the Enterprise Mobility and Security Suite) to manage the device

Device security in particular is something new compared to our traditional security model. We now have a device (anywhere) that has access to company information. Essentially, we are using Microsoft Intune to control information outside of our castle. We can use Intune to force Multi Factor Authentication (with Azure AD), Isolate corporate data, wipe specific data and leverage the power of rights management (Azure information protection).

For example: a user accesses our environment. A few moments later, the same users tries to access the environment again but from a different location, time zone and device. We may assume that this is malicious activity.

Based on the information we have on the registered device and the user, Azure Active Directory will assess a risk and can prevent the user from logging in or request additional information to login (Multi Factor Authentication).

 

Information

With Azure AD and Intune we are able to manage the identity and the environment. With Azure Information Protection we can manage our information even when they are available outside of our presumed secure perimeter.

Azure Information Protection integrates with both documents and E-Mails. Based on your own classification, you are able to label documents and messages and apply policies based on that classification. Office 365 will automatically recommend a label based on the content or a user can choose a label. This requires a fair amount of awareness on the user side however, recommendations will give a pointer in the right direction.

For example: a message contains a social security number; Office will recommend a label (say “classified”) and will apply it to the message. At this point a predefined policy will be applied. Within this policy we can limit the actions that can be performed after the message or document is sent. We can prevent the document from being printed, we can encrypt it or revoke access altogether (remotely).

 

Azure Security Center and OMS

To secure our IT environment we can configure Azure Security Center and protect our cloud and on premise resources. Azure Security Center provides real time insight on security recommendations based on the deployed resources.

Azure Security Center  also provides threat management and will take preventive action when a known threat is detected. Essentially, Security Center will provide you with real time security monitoring and a continuous assessment of your security profile.

In combination with Operation Management Suite and the Compliancy and Security module we can manage, evaluate and improve our security based on the provided alerting and recommendations. Some notable key features of Azure Security Center:

  • Integration with third party security solutions
  • Management of cloud and on premise resources
  • Just in time VM Access control
  • Adaptive threat prevention
  • Threat detection
  • Visibility malicious activity within resources
  • Intelligent detection based on malicious activity (for example: unauthorized or unexpected elevation of privileges)

To summarize: Traditional security models no longer provide sufficient protection for modern IT (cloud) environments. Users expect nothing less than unlimited and easy access to their resources. Microsoft Azure and Office 365 do not only provide you with the tools to protect your environment but can also help you leverage the power of a modern cloud environment by improving your security altogether.

Wesley Haakman
Azure & Security Architect @Intercept