
AzureBootcamp2022: Your Zero Trust Gameplan by Martin Meyer

This session is one of the sessions of Azure Bootcamp Switzerland 2022.

Recent incidents have shown: An on-premises attack can affect your cloud environment too. But you still want/need to manage security for the whole picture (on-premises/Cloud/Multicloud). And if you have attended any security webinars in the last two years, it would be hard not to hear about zero trust. The fancy high-level marketing slides gave us all a nice introduction into the topic and into the Zero Trust Deployment model. You may also have heard that Zero Trust is a journey and you need to start somewhere and somehow. But where and how? None of these sessions actually provide concrete answers to these questions. This session “tries” to be different. Martin will provide a gameplan for a Zero Trust implementation. It’s time to cut some (synced) cords from on-prem to make your Azure environment more secure, using divided management accounts and Microsoft security services. This session is focused on Azure Active Directory/Microsoft Security/Windows-based enterprise environments.
🙂 MARTIN MEYER ⚡️ Senior Cloud Engineer @ scopewyse

Check out Martin at: https://www.linkedin.com/in/martin-meyer832/

Azure Zurich User Group

May 10, 2022


  1. Your Zero Trust Gameplan for 2022
    Azure Bootcamp 2022, 10.05.2022, Martin Meyer
    © This entire presentation is under Copyright by Martin Meyer & scopewyse
  2. Martin Meyer, Senior Cloud Engineer | MCT, scopewyse GmbH
    martin.meyer@scopewyse.com, azureblog.org, @MartinMeyer832
    About me | Tech: Azure, Identity & Security, Networking, Azure Virtual Desktop
    About me | Private: 39, Winterthur, “wannabe” sportsman / hiker / cook
  3. Agenda
    ▪ Intro / Status quo
    ▪ Zero Trust – where it started/where we are
    ▪ The Gameplan
    ▪ Conclusion
  4. Intro / Status quo

  5. 2020 / 2021 / 2022

  6. Status quo: Cloud security is an efficient way to go

  7. Zero Trust – where it started (for me)

  8. What is the Goal of Zero Trust?
    “Improve security in different areas, using a policy-based approach.”
    ▪ MS Zero Trust Blog: https://www.microsoft.com/security/blog/zero-trust/
    ▪ MS Zero Trust Guidance Center: https://docs.microsoft.com/en-us/security/zero-trust/
  9. It all started with…
    ▪ https://techcommunity.microsoft.com/t5/azure-active-directory-identity/protecting-microsoft-365-from-on-premises-attacks/ba-p/1751754

  10. [Diagram] Labels: Endpoints, Identities, Network, Applications, Infrastructure, Data; Microsoft Azure AD, Microsoft Defender for Identity, Microsoft Information Protection, Microsoft Defender for Cloud Apps, Microsoft Sentinel, Microsoft Defender, Microsoft Endpoint Manager, Posture Management, Microsoft Defender for Cloud
  11. The Gameplan

  12. Identities 1/2
    ▪ Main Goal: Isolate Azure/M365 Admin Accounts & Groups / Protect the logins

    | Tool | Topic | Action | Link |
    |---|---|---|---|
    | Azure AD | Cloud-only Admin Accounts; Cloud-only Groups | Don’t (or stop) sync your Admin Accounts and groups from on-premises AD | Secure access practices for administrators in Azure AD; Groups in Microsoft 365 and Azure, and Which is Right for You |
    | Azure AD | Least Privilege | Minimum permissions / roles | Best practices for Azure RBAC; Securing privileged access; Least Privilege |
    | Azure AD | Conditional Access | Use conditional access policies for different scenarios. NEW: Templates! | Conditional Access deployment plan; Conditional Access templates |
    | Azure AD | Conditional Access | MFA for ALL users (no exemptions) | Multi-Factor Authentication; Resilient access control management strategy with Azure Active Directory |
    | Azure AD | Passwordless | Deploy passwordless… or try at least to start…: Windows Hello for business; Authenticator App; FIDO2 security keys | Hands-on tour in Azure AD with FIDO2 keys and Temporary Access Pass; https://aka.ms/passwordlesswizard; https://aka.ms/mysecurityinfo |
  13. Identities 2/2
    ▪ Main Goal: Isolate Azure/M365 Admin Accounts & Groups

    | Tool | Topic | Action | Link |
    |---|---|---|---|
    | Defender for Identity | Active Directory signals | Identify, detect and investigate threats and compromised identities | What is MS Defender for identity |
    | Azure AD | Break Glass Admins | Configure 2 Break Glass Admin Accounts; Strong Password -> Not (only) stored in Passwordmanager; Monitor/Alert logins | Emergency access accounts |
    | Azure AD | Privileged Identity Management (PIM) | Activate PIM for Azure AD Roles and/or Azure Resources (Eligible Cloud-only Azure AD Role Groups) | Plan a Privileged Identity Management deployment |
    | Azure AD | Azure AD Identity Protection | Use Identity protection for risk detection and to investigate your logins | Azure AD Identity Protection |
    | Azure AD | Collaboration groups | Use M365 Groups; Decommission onprem-Distribution list | Upgrade distribution lists to Microsoft 365 Groups in Outlook |
    | Azure AD | M365 Licensing | Group-based licensing by Cloud-Only-Groups (use Azure AD dynamic groups) | Group-based licensing additional scenarios |
    | Azure AD | Strategy for the future: User provisioning | Think about your options; Dependencies on your HR systems | What is identity provisioning? |
  14. Azure AD Connect
    Sync only what you really need to Azure AD… and configure Attribute filtering ;-)
  15. Cloud-only Admins
    ▪ DO IT, today! It’s easy..
    ▪ Choose a naming concept, like: cadmin.mm@contoso.com (maybe don’t use admin in name anymore)
    ▪ Mailbox/Email-Alias should be created and/or mail-forwarding
    ▪ License: Azure AD Premium P2 should be in place (from synced Admins)
    ▪ Prepare Cutover -> Roles/Permissions/CA Policies need to be in place
    ▪ Remove Onprem-Admins from your Azure AD Connect Sync
    ▪ Adjust Onprem-Admins permissions if needed
    ▪ Least Privilege (good time to check unused/too high roles) / Activate PIM (good time for PIM activation)
    ▪ Automation: Prepare a process for Cloud-Only Admins in future, automated creation by a script
  16. Cloud-only groups

    | Group Type | Description | Naming Concept |
    |---|---|---|
    | Azure AD Role Groups | 1 Group for every Azure AD Role, like: • Privileged Authentication Admin | aad-rol-privilegedauth-admin; aad-rol-billing-reader |
    | RBAC | Groups for: • Azure Subscriptions • Resource Groups • Resources | aad-rba-subscription1-owner; aad-rba-resourcegroup1-contributor; aad-rba-corenet-networkadmin |
    | Azure EA Apps | Groups including: • App-Name • Permission level | aad-app-zoom-user; aad-app-servicenow-admin; aad-app-adobecloud-user |
  17. Cloud-only groups
    ▪ Plan it, then do it… remove blockers (onprem automation scripts etc…)
    ▪ Cutover on the fly: place new groups and fill them with members, remove on-prem groups step-by-step
    ▪ Remove Onprem-groups from your Azure AD Connect Sync (please keep your AAD clean ☺)
    ▪ Automation: Prepare a process for Cloud-Only groups in future, automated creation by a script
    ▪ Don’t forget to activate switch for role groups (works now in PowerShell too)
  18. Endpoints
    ▪ Main Goal: Use Azure AD join and cloud-based device management to eliminate dependencies on your onprem device management

    | Tool | Topic | Action | Link |
    |---|---|---|---|
    | Azure AD | Conditional Access | Implement Identity and device access configurations; Use CA for compliant devices | Identity and device access configurations; Conditional Access: Require compliant devices |
    | MEM / Intune | Configuration profiles | Lock down your endpoint configuration | Create device profiles |
    | MEM / Intune | Compliance Policies | Take care of compliant devices | Create device compliance policies |
    | MEM / Intune | Azure AD join | Endpoints registered in Azure AD | How to plan your Azure Active Directory join implementation |
    | MEM / Intune | Windows Hello for Business | Enable and configure a more secure device login | Integrate Windows Hello for Business |
    | Microsoft Defender for Endpoint | Endpoint security | Detect threats and vulnerabilities; Attack surface reduction; Automated remediation | Defender for Endpoint Deployment phases |
    | Windows Autopilot | Endpoint deployment | Vendor registers hardware hashes and ships devices to end users. End users can finish setup from everywhere | Windows Autopilot scenarios |
    | Privileged Access | Privileged Access Devices | Secure Privileged Access | Securing devices |
  19. Azure AD Join
    ▪ Device lives only in Azure AD
    ▪ Modern management approach
    ▪ Go full AAD Join → why not?
  20. Apps
    ▪ Main Goal: use Azure AD as identity provider for all your apps / eliminate dependencies on on-prem creds

    | Tool | Topic | Action | Link |
    |---|---|---|---|
    | Azure Enterprise Apps | Identity Provider | «Connect» all your apps to Azure AD (Get rid of ADFS) | What is application management?; Azure AD App Provisioning; Azure AD B2B collaboration; Activity report to move ADFS apps to AAD |
    | Azure Application Proxy | Identity Provider | «Connect» your legacy onprem apps to Azure AD | What is application proxy? |
    | Azure AD | Single sign-on (SSO) | Configure SSO wherever possible → don’t forget to activate it on AAD Connect | Azure AD single sign-on |
    | Defender for Cloud apps | Security | Discover shadow IT; Manage app governance; Cloud discovery | Discover and identify shadow IT; Get started with app governance; Set up cloud discovery |
    | Conditional access | Modern authentication | Super task until 01.10.2022: tick tack… Use Conditional Access Policies for modern auth: • Monitor first • Inform users • Block Legacy Authentication Protocols | block legacy authentication |
  21. Enterprise Apps
    ▪ Check your EA apps user settings

  22. Enterprise Apps
    ▪ Consent phishing

  23. Data
    ▪ Main Goal: Govern and label your data, secure access wherever data resides or flows

    | Tool | Topic | Action | Link |
    |---|---|---|---|
    | Microsoft 365; Microsoft Purview | Data Loss Prevention (DLP) | Prevent unintentional sharing | Learn about Microsoft 365 Endpoint data loss prevention; Data loss prevention (DLP) policies |
    | Microsoft Purview Information Protection (MIP) | Data Governance | 1. Know your data: Data landscape and inventory 2. Protect your data: Build definitions and labelling 3. Prevent data loss: Detect risky behaviour 4. Govern your data: Keep data compliant | Microsoft Purview Information Protection in M365; Microsoft Purview Information Protection unified labeling client for Windows |
    | Microsoft Purview | Unified data governance | Govern data wherever it resides: (Onprem, SaaS, Multicloud); Data catalog (discovery); Data insights (assess data everywhere); Data map (automate metadata at scale) | Microsoft Purview; Microsoft Purview Deployment Best Practices |
    | Microsoft 365; Microsoft Purview | Double Key Encryption (DKE) | Use your own key to encrypt sensitive data | Double Key Encryption Overview |
  24. Infrastructure
    ▪ Main Goal: Manage everything from the cloud…

    | Tool | Topic | Action | Link |
    |---|---|---|---|
    | Azure | IaaS | Use Infrastructure services in the cloud: Azure VMs; Storage Accounts; Databases; Containers | Azure IaaS |
    | Azure Arc | Hybrid management (Multicloud and onprem) | Inventory; Config-, Change-, and update management; Monitoring / Logging; Automation; Security | Azure Arc Overview; Azure Update Management Overview |
    | Defender for Cloud | Security posture; Threat management (Multicloud and onprem) | Secure score; Security recommendations; Security alerts | Defender for Cloud - An introduction; Quickstart onboard machines |
    | Azure | JIT / Least privilege | Just in time access for VMs | Just in time access usage |
    | Azure Bicep; ARM; Terraform | Infrastructure as Code | Use templates to automate infrastructure deployments | Bicep language for deploying Azure resources; ARM template documentation; Get Started - Azure \| Terraform |
  25. Network
    ▪ Main Goals:
    ▪ Ensure devices and users aren’t trusted just because they’re on an internal network
    ▪ Encrypt all internal communications
    ▪ Limit access by policy
    ▪ Employ micro segmentation and real-time threat detection.

    | Tool | Topic | Action | Link |
    |---|---|---|---|
    | Networks | Network segmentation | Many ingress/egress cloud micro-perimeters with some micro-segmentation | Secure networks with Zero Trust; Zero Trust Part 1: Networking |
    | Azure Web Application Firewall (WAF) | Threat detection | Protect your web applications; OWASP-, bot protection- and custom rulesets | Introduction to Azure Web Application Firewall |
    | Azure Front Door | Threat detection; Traffic encryption | Layer 7 protection | Azure Frontdoor Overview |
    | Azure Application Gateway | Load balancing | Layer 4 web traffic load balancing (Combine with Azure WAF) | Azure Application Gateway Overview |
    | Azure Firewall | Traffic filtering; Threat detection | Layer 3-7 threat-intelligence based filtering | What is Azure Firewall? |
  26. Security Tools
    ▪ Main Goal: Know your security tools…

    | Tool | Topic | Portal |
    |---|---|---|
    | Azure AD Conditional Access; Azure AD Identity Protection | Identity Provider; Conditional Access Policies; Identity Protection | https://portal.azure.com |
    | Microsoft Defender for Identity | Leverage on-premises Active Directory signals | https://portal.atp.azure.com |
    | Microsoft Defender; Microsoft Defender for Endpoint | M365 & Endpoint Security | https://security.microsoft.com |
    | Microsoft Defender for Cloud | Security posture & threat protection | https://portal.azure.com |
    | Microsoft Purview Information Protection | discover, classify, and protect sensitive information wherever it lives or travels | https://portal.azure.com |
    | Microsoft Defender for Cloud Apps | Cloud access security broker | https://portal.cloudappsecurity.com |
    | Microsoft Sentinel | Cloud-native SIEM | https://portal.azure.com |
  27. [Diagram] Labels: Sanctioned and Managed Services; Internet and Unsanctioned/Unmanaged Apps; Private and Managed in the cloud or on-premises; Managed devices; Unmanaged devices; BYOD; Strongly managed identities; Managed identities; Anonymous and Consumer identities; MFA; User; Admin; Partner; User; Adaptive Access Control; Business Critical Segment(s); Sensitive Business Units/Apps; Low Impact IoT/OT (Printers, VoIP phones, etc.); High Impact IoT/OT; IoT/OT With Life/Safety Impact
  28. Conclusion of Zero Trust
    ▪ Maturity model implementing security in a modern way
    ▪ Ongoing story
    ▪ Teams working together on different topics
    ▪ all about policies
    ▪ happening in tons of different rules/policies/configurations
    ▪ happening in a lot of different tools
  29. Questions???

  30. The End TRUST

  31. None
  32. www.scopewyse.com martin.meyer@scopewyse.com
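
An added example, not part of the deck: a small audit of an exported list of privileged users and groups against the cloud-only rules on slides 15 to 17 (no synced admins or groups, the `aad-rol-`/`aad-rba-`/`aad-app-` naming concept, role groups marked role-assignable). The property names are Microsoft Graph's; the sample objects and `admin.old@contoso.com` are constructed, and reading the "switch for role groups" as `isAssignableToRole` is an assumption.

```python
import re

# Naming concept from slide 16: aad-rol-<role>-<level>, aad-rba-<scope>-<role>, aad-app-<app>-<level>
GROUP_NAME = re.compile(r"^aad-(rol|rba|app)-[a-z0-9]+-[a-z0-9]+$")


def audit_principals(principals):
    """Return (name, finding) pairs for principals that break the cloud-only rules.

    Each principal is a dict using Microsoft Graph property names.
    onPremisesSyncEnabled is True for objects synced by Azure AD Connect
    and None for objects created in the cloud.
    """
    findings = []
    for p in principals:
        is_group = p.get("@odata.type") == "#microsoft.graph.group"
        name = p["displayName"] if is_group else p["userPrincipalName"]
        if p.get("onPremisesSyncEnabled") is True:
            findings.append((name, "synced from on-premises AD"))
        if is_group:
            match = GROUP_NAME.match(name)
            if not match:
                findings.append((name, "outside naming concept"))
            elif match.group(1) == "rol" and not p.get("isAssignableToRole"):
                # Assumption: the "switch for role groups" is isAssignableToRole
                findings.append((name, "role group not role-assignable"))
    return findings


# Constructed sample, shaped like a Graph export of privileged users and groups
SAMPLE = [
    {"@odata.type": "#microsoft.graph.user",
     "userPrincipalName": "cadmin.mm@contoso.com", "onPremisesSyncEnabled": None},
    {"@odata.type": "#microsoft.graph.user",
     "userPrincipalName": "admin.old@contoso.com", "onPremisesSyncEnabled": True},
    {"@odata.type": "#microsoft.graph.group", "displayName": "aad-rol-privilegedauth-admin",
     "onPremisesSyncEnabled": None, "isAssignableToRole": True},
    {"@odata.type": "#microsoft.graph.group", "displayName": "aad-rol-billing-reader",
     "onPremisesSyncEnabled": None, "isAssignableToRole": False},
    {"@odata.type": "#microsoft.graph.group", "displayName": "aad-rba-subscription1-owner",
     "onPremisesSyncEnabled": True},
    {"@odata.type": "#microsoft.graph.group", "displayName": "Domain Admins Cloud",
     "onPremisesSyncEnabled": None},
]

if __name__ == "__main__":
    for name, finding in audit_principals(SAMPLE):
        print(f"{name}: {finding}")
```
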