Cloud security: A shared responsibility
Let's go straight to the point with a frank question. Where is data better protected: in the public cloud or in a local environment? Nine times out of ten the answer will still be: in a local environment. However, the opposite is true.
According to Gartner, “Virtually all public cloud use is within services that are highly resistant to attack and, in the majority of circumstances, represent a more secure starting point than traditional in-house implementations. Only a very small percentage of the security incidents that have affected enterprises using the cloud have been due to vulnerabilities on the part of the provider. And what’s more: through 2020, 95 percent of cloud security failures will be the customer’s fault.”
Now that the end user is becoming the crucial factor for cloud security, service providers have a major business opportunity to protect the valuable data and applications of end-user organisations. How can service providers use the cloud to prevent end-user errors? And, more specifically, what difference can Azure Identity and Access Management make?
At Insight, we believe that cloud security is a shared responsibility. Large cloud providers such as Microsoft offer all underlying policies for infrastructure, access, security and compliance for their public cloud. On the other hand, end-user organisations are also responsible for security and must enforce a clear end-user policy on responsible use and cloud risks to prevent cyberattacks.
Cloud security as big market opportunity
That is exactly where service providers have a big market opportunity with Microsoft Azure. As intermediaries between the public cloud and end-user organisations, they have the expertise and knowledge to become their customers' trusted advisor on end-user security. With Azure Identity and Access Management they can give security a higher priority than most of their customers can, across network traffic, operating systems, firewall configuration, platform and identity management. The need for data protection is urgent and immediate. Service providers are now in a position to take the lead.
Gamarue, an example
First, an example of the importance of identity and access management in today's digital world. The end of 2017 was a milestone in cyber security. Microsoft security researchers, along with law enforcement agencies worldwide, announced the disruption of what is possibly the most serious malware to date: Gamarue. Gamarue, which had been active since 2011, was used in networks of infected computers collectively called the Andromeda botnet. Over the years, it was used to spread 80 different malware variants and was present on an average of one million systems per month that sent spam, installed malware, and performed other criminal activities.
Gamarue is a frightening example of how a bot can become so widespread and aggressive in gaining access to millions of user credentials. The most important reason? Weak passwords or insufficient password management by end users.
Azure Identity and Access Management
With Azure Identity and Access Management, service providers have a range of methods at their fingertips to improve cloud protection for their customers' end users, the weak spot of modern organisations. Below, a closer look at four security methods that can be activated immediately in Azure.
More info: Planning a cloud-based Azure Multi-Factor Authentication and Quickstart: Require MFA for specific apps with Azure Active Directory conditional access.
1) Increase security for credentials with Multi-Factor Authentication and Azure AD Conditional Access.
Multi-Factor Authentication (MFA) adds a second layer of security to the username and password with an additional authentication factor via a mobile phone or hardware token to confirm signing in to Office 365 and Azure. Conditional Access (CA) is used to enforce the use of MFA. For example, users are allowed to sign in with only their username and password from within the corporate network (intranet), but will be required to use the second factor (MFA) when they try to access their e-mail, HR app or other sensitive company data from outside the network (extranet).
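The intranet/extranet rule described above, modelled as a small policy evaluator. This is an added example, not code from the original article or from Microsoft; the policy, app names and the corporate address ranges are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed sample data: a "named location" for the corporate network. Nothing
# here comes from a real tenant.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                    ipaddress.ip_network("203.0.113.0/24")]

@dataclass
class Policy:
    """Reduced model of a Conditional Access policy: assignments, a location
    condition, and the grant controls that must be satisfied."""
    name: str
    cloud_apps: set                  # apps the policy is assigned to
    exclude_trusted: bool            # condition: any location except trusted ones
    grant_controls: set = field(default_factory=lambda: {"mfa"})

@dataclass
class SignIn:
    user: str
    app: str
    source_ip: str
    mfa_satisfied: bool = False      # second factor already completed this session

MFA_OUTSIDE_CORPNET = Policy(
    name="Require MFA for sensitive apps outside the corporate network",
    cloud_apps={"Exchange Online", "HR Portal"},
    exclude_trusted=True,
)

def is_trusted_location(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)

def policy_applies(policy: Policy, signin: SignIn) -> bool:
    """The policy is only evaluated for targeted apps, and the location
    condition excludes sign-ins from trusted networks."""
    if signin.app not in policy.cloud_apps:
        return False
    return not (policy.exclude_trusted and is_trusted_location(signin.source_ip))

def evaluate(signin: SignIn, policies=(MFA_OUTSIDE_CORPNET,)) -> str:
    """Return 'grant', or 'require_mfa' if an applicable policy's MFA control is unmet."""
    for policy in policies:
        if (policy_applies(policy, signin) and "mfa" in policy.grant_controls
                and not signin.mfa_satisfied):
            return "require_mfa"
    return "grant"
```

Note that a sign-in to an app outside the policy's assignment is simply granted; the untargeted app is the usual blind spot when a policy is scoped too narrowly.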
2) Apply damage control with Azure Role-based Access Control (RBAC) and Privileged Identity Management.
In the event that data is nevertheless affected, the damage can be limited by applying fine-grained access management to Azure resources with Role-Based Access Control. With RBAC, decisions are made about who has access to which resources. Azure RBAC has approximately 70 built-in roles, and, should these not meet the specific needs of your organisation, custom roles can be created for Azure resources. The starting point is least privilege: allocate only the amount of access needed to get normal work done.
Privileged Identity Management (PIM) adds the ability for administrators to manage, control and monitor access to resources: for example, by granting temporary access to certain user groups (financial auditors, temporary staff) through just-in-time privileged access or by setting start and end dates, and by receiving notifications or conducting access reviews.
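How a role definition (Actions minus NotActions), an assignment scope and a PIM-style start/end window combine into an authorisation decision, as an added example that is not part of the original article or of Azure itself. "Reader" and "Contributor" follow the patterns of the built-in roles; "VM Operator", the principals and the resource ids are constructed.

```python
import fnmatch
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed role definitions in the shape Azure RBAC uses. "VM Operator" is a
# hypothetical custom role that can only read, start and restart virtual machines.
ROLE_DEFINITIONS = {
    "Reader": {"Actions": ["*/read"], "NotActions": []},
    "Contributor": {"Actions": ["*"],
                    "NotActions": ["Microsoft.Authorization/*/Write",
                                   "Microsoft.Authorization/*/Delete"]},
    "VM Operator": {"Actions": ["Microsoft.Compute/virtualMachines/read",
                                "Microsoft.Compute/virtualMachines/start/action",
                                "Microsoft.Compute/virtualMachines/restart/action"],
                    "NotActions": []},
}

@dataclass
class Assignment:
    principal: str
    role: str
    scope: str                         # subscription, resource group or resource id
    starts: Optional[datetime] = None  # PIM-style time bound: None means unbounded
    ends: Optional[datetime] = None

def utc(iso: str) -> datetime:
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)

def role_permits(role: str, operation: str) -> bool:
    """Azure semantics: permitted if an Actions pattern matches and no NotActions
    pattern does. Matching is case-insensitive and '*' spans '/' segments."""
    d = ROLE_DEFINITIONS[role]
    hit = lambda patterns: any(fnmatch.fnmatchcase(operation.lower(), p.lower()) for p in patterns)
    return hit(d["Actions"]) and not hit(d["NotActions"])

def in_scope(assignment_scope: str, resource_id: str) -> bool:
    """Assignments are inherited downwards: a subscription-scoped role covers every resource in it."""
    s, r = assignment_scope.lower().rstrip("/"), resource_id.lower()
    return r == s or r.startswith(s + "/")

def is_authorized(assignments, principal, operation, resource_id, now) -> bool:
    for a in assignments:
        if a.principal != principal or not in_scope(a.scope, resource_id):
            continue
        if (a.starts and now < a.starts) or (a.ends and now >= a.ends):
            continue                   # eligible/scheduled assignment not active right now
        if role_permits(a.role, operation):
            return True
    return False
```

The same `*`-pattern logic is why a custom role should list concrete operations rather than `Microsoft.Compute/*`: one wildcard quietly grants every future operation the provider adds.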
More info: RBAC for Azure resources documentation and Start using PIM.
3) Use corporate AD credentials to improve security with Azure AD sign-in for Azure VMs
Azure AD increases security and simplifies credential management by allowing a single corporate Azure account to be used to connect to individual VMs, without the need for separate local accounts. Users have one corporate account to log in with; administrators do not have to worry about individual logins or deleting logins when people leave the company.
More info: Log in to a Linux virtual machine in Azure using Azure Active Directory authentication (Preview).
4) For programmers: Provide codeless access with AD managed identities for Azure resources
When developing and building new applications, managing credentials in code is always a challenge. Credentials must be kept securely and must not be exposed in source control. Programmers can now work with an automatically managed identity in Azure AD instead. This identity can be used to authenticate to any service that supports Azure AD authentication, without any credentials in the code. A managed identity can be system-assigned or user-assigned. The analogy below of the car driving up to the garage explains the concept. Good to know: the managed identity feature for Azure resources is free with Azure AD for Azure subscriptions, so there is no extra cost.
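What "no credentials in the code" looks like underneath: the application asks the Azure Instance Metadata Service for a token and never holds a secret of its own. This is an added example, not code from the article or from Microsoft's SDKs (which wrap exactly this call); the endpoint and API version are the documented ones, the token response is constructed, and the `client_id` value in the test is a placeholder.

```python
import json
import time
import urllib.request
from typing import Optional
from urllib.parse import urlencode

# Instance Metadata Service endpoint used by managed identities. It is link-local,
# so only code running inside the Azure resource itself can reach it.
IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
API_VERSION = "2018-02-01"

def build_token_request(resource: str, client_id: Optional[str] = None):
    """Return (url, headers) for a token request. client_id selects a user-assigned
    identity; without it the resource's system-assigned identity is used."""
    params = {"api-version": API_VERSION, "resource": resource}
    if client_id:
        params["client_id"] = client_id
    # IMDS requires the Metadata header as a safeguard against requests that were
    # not deliberately made by local code (for example via a redirect).
    return f"{IMDS_TOKEN_URL}?{urlencode(params)}", {"Metadata": "true"}

def parse_token_response(body: str) -> dict:
    """Keep only what a caller needs; expires_on is a Unix timestamp string."""
    data = json.loads(body)
    return {"access_token": data["access_token"],
            "expires_on": int(data["expires_on"]),
            "resource": data["resource"]}

def needs_refresh(token: dict, now: Optional[float] = None, skew: int = 300) -> bool:
    """Refresh a few minutes early so an in-flight call never carries an expired token."""
    now = time.time() if now is None else now
    return now >= token["expires_on"] - skew

def fetch_token(resource: str, client_id: Optional[str] = None) -> dict:
    """Live call; works only on an Azure resource with a managed identity enabled."""
    url, headers = build_token_request(resource, client_id)
    with urllib.request.urlopen(urllib.request.Request(url, headers=headers), timeout=5) as resp:
        return parse_token_response(resp.read().decode())

# Constructed sample response in the documented shape (token value is a placeholder).
SAMPLE_RESPONSE = json.dumps({
    "access_token": "eyJ0eXAi...PLACEHOLDER",
    "expires_on": "1700003600",
    "resource": "https://vault.azure.net",
    "token_type": "Bearer",
})
```

The token is scoped to one resource (here Key Vault) and is short-lived, which is the trade a managed identity buys you over a long-lived client secret checked into a repository.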
5) More password options
The stronger and more complex passwords are, the higher the protection level. Yet the most used password is still "123456", followed by "password". Azure AD Password Protection sets rules and policies to prevent users from creating unsafe passwords or passwords that were previously compromised. Administrators can also create custom lists of weak passwords that are recognised and not allowed.
And the next phase in authentication is already coming. The new adage is: go passwordless! Azure AD enables new authentication methods that combine something that you have, such as a mobile phone or a security key, with something that you are, which is usually a biometric factor such as recognition of face, fingerprint, or iris.
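Why a banned list catches more than exact matches: a simplified model of the scoring Microsoft documents for Azure AD Password Protection (normalise, strip banned terms, one point per term found plus one per remaining character, five points to pass). This is an added example, not Microsoft's implementation; the real service also applies fuzzy matching and its own global list, neither of which is modelled here, and the custom banned list is constructed.

```python
# Normalisation as described in Microsoft's documentation for Azure AD Password
# Protection: case folded, then the substitutions 0->o, 1->l, $->s, @->a.
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "$": "s", "@": "a"})
MIN_SCORE = 5

# Constructed custom banned list; the real service merges it with Microsoft's global list.
CUSTOM_BANNED = ["Contoso", "blank", "password", "welcome"]

def normalise(password: str) -> str:
    return password.lower().translate(SUBSTITUTIONS)

def score_password(password: str, banned: list) -> tuple:
    """Documented scoring: one point per banned term found in the normalised password,
    one point per remaining character. Returns (score, banned terms found)."""
    text = normalise(password)
    found = []
    # Longest terms first so a long term is consumed before a shorter one it contains.
    for term in sorted({normalise(t) for t in banned if t}, key=len, reverse=True):
        while term in text:
            found.append(term)
            # Tombstone the match so the surrounding characters cannot join into a new match.
            text = text.replace(term, "\x00", 1)
    remaining = sum(c != "\x00" for c in text)
    return len(found) + remaining, found

def is_acceptable(password: str, banned: list = CUSTOM_BANNED) -> bool:
    """A password must reach MIN_SCORE points to be accepted."""
    return score_password(password, banned)[0] >= MIN_SCORE
```

"C0ntos0Blank12" scores only four points (two banned terms plus the digits 1 and 2) and is rejected even though it contains no banned word verbatim.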
Be competitive with Azure
Service providers must keep pace with all the rapid changes and improvements that are taking place in IT today to stay ahead of the competition. Azure offers a wealth of options. Certainly, security measures are in place in the data centres of service providers to protect the valuable data of their customers. Azure adds security measures that do not exist in the local environment. In addition to the options mentioned above, consider, for example, the benefits of machine learning and artificial intelligence for cloud security. If an attack occurs in Asia, Azure has security measures in place that analyse the threat within minutes and apply the resulting protections to other applicable regions within seconds, preventing further infections. Individual companies usually do not have the resources to proactively monitor security and will always follow a more reactive approach.
Insight can help
Service providers can easily apply the Azure Identity and Access Management procedures. They are already there on Azure: developed, proven and ready for use. However, we understand that there may well be questions, or a need to discuss opportunities or to get advice. In these cases, it is good to know that Insight is always there to help, for all questions about technical support, business challenges, licences and more. A dedicated team of cloud consultants is eager to put all their expertise and knowledge to work with you to get started or continue with Azure Identity and Access Management.