
AzureBootcamp2022: Your Zero Trust Gameplan by Martin Meyer

This session is one of the sessions of Azure Bootcamp Switzerland 2022.
www.azurebootcamp.ch

Recent incidents have shown that an on-premises attack can affect your cloud environment too, yet you still want (and need) to manage security for the whole picture: on-premises, cloud and multicloud. If you have attended any security webinar in the last two years, it was hard not to hear about Zero Trust. The fancy high-level marketing slides gave us all a nice introduction to the topic and to the Zero Trust deployment model. You may also have heard that Zero Trust is a journey and that you need to start somewhere and somehow. But where, and how? None of these sessions actually provide concrete answers to these questions. This session “tries” to be different: Martin will provide a gameplan for a Zero Trust implementation. It’s time to cut some (synced) cords from on-premises to make your Azure environment more secure, using separated management accounts and Microsoft security services. The session is focused on Azure Active Directory, Microsoft Security and Windows-based enterprise environments.
🙂 MARTIN MEYER ⚡️ Senior Cloud Engineer @ scopewyse

Check out Martin at: https://www.linkedin.com/in/martin-meyer832/

Azure Zurich User Group

May 10, 2022

Transcript

  1. Your Zero Trust Gameplan for 2022
    Azure Bootcamp 2022, 10.05.2022
    Martin Meyer
    ©This entire presentation is under Copyright by Martin Meyer & scopewyse

  2. Martin Meyer
    Senior Cloud Engineer | MCT
    scopewyse GmbH
    [email protected]
    azureblog.org
    @MartinMeyer832
    About me | Tech
    Azure, Identity & Security, Networking,
    Azure Virtual Desktop
    About me | Private
    39, Winterthur, “wannabe” sportsman / hiker / cook

  3. Agenda
    ▪ Intro / Status quo
    ▪ Zero Trust – where it started / where we are
    ▪ The Gameplan
    ▪ Conclusion

  4. Intro / Status quo

  5. 2020 / 2021 / 2022

  6. Status quo: Cloud security is an efficient way to go

  7. Zero Trust – where it started (for me)

  8. What is the Goal of Zero Trust?
    “Improve security in different areas, using a policy-based approach.”
    ▪ MS Zero Trust Blog: https://www.microsoft.com/security/blog/zero-trust/
    ▪ MS Zero Trust Guidance Center: https://docs.microsoft.com/en-us/security/zero-trust/

  9. It all started with…
    ▪ https://techcommunity.microsoft.com/t5/azure-active-directory-identity/protecting-microsoft-365-from-on-premises-attacks/ba-p/1751754

  10. [Diagram: the six Zero Trust pillars (Endpoints, Identities, Network, Applications, Infrastructure, Data) mapped to Microsoft services: Microsoft Azure AD, Microsoft Defender for Identity, Microsoft Information Protection, Microsoft Defender for Cloud Apps, Microsoft Sentinel, Microsoft Defender, Microsoft Endpoint Manager, Posture Management / Microsoft Defender for Cloud]

  11. The Gameplan

  12. Identities 1/2
    ▪ Main Goal: Isolate Azure/M365 Admin Accounts & Groups / Protect the logins
    Tool | Topic | Action | Link
    Azure AD | Cloud-only Admin Accounts, Cloud-only Groups | Don’t (or stop) sync your admin accounts and groups from on-premises AD | Secure access practices for administrators in Azure AD; Groups in Microsoft 365 and Azure, and Which is Right for You
    Azure AD | Least Privilege | Minimum permissions / roles | Best practices for Azure RBAC; Securing privileged access; Least Privilege
    Azure AD | Conditional Access | Use Conditional Access policies for different scenarios (NEW: templates!) | Conditional Access deployment plan; Conditional Access templates
    Azure AD | Conditional Access | MFA for ALL users (no exemptions) | Multi-Factor Authentication; Resilient access control management strategy with Azure Active Directory
    Azure AD | Passwordless | Deploy passwordless… or at least try to start: Windows Hello for Business, Authenticator App, FIDO2 security keys | Hands-on tour in Azure AD with FIDO2 keys and Temporary Access Pass; https://aka.ms/passwordlesswizard; https://aka.ms/mysecurityinfo

  13. Identities 2/2
    ▪ Main Goal: Isolate Azure/M365 Admin Accounts & Groups
    Tool | Topic | Action | Link
    Defender for Identity | Active Directory signals | Identify, detect and investigate threats and compromised identities | What is MS Defender for Identity
    Azure AD | Break Glass Admins | Configure 2 Break Glass admin accounts; strong password -> not (only) stored in the password manager; monitor/alert on logins | Emergency access accounts
    Azure AD | Privileged Identity Management (PIM) | Activate PIM for Azure AD roles and/or Azure resources (eligible cloud-only Azure AD role groups) | Plan a Privileged Identity Management deployment
    Azure AD | Azure AD Identity Protection | Use Identity Protection for risk detection and to investigate your logins | Azure AD Identity Protection
    Azure AD | Collaboration groups | Use M365 Groups; decommission on-prem distribution lists | Upgrade distribution lists to Microsoft 365 Groups in Outlook
    Azure AD | M365 Licensing | Group-based licensing by cloud-only groups (use Azure AD dynamic groups) | Group-based licensing additional scenarios
    Azure AD | Strategy for the future: User provisioning | Think about your options; dependencies on your HR systems | What is identity provisioning?

  14. Azure AD Connect
    Sync only what you really need to Azure AD… and configure attribute filtering ;-)

  15. Cloud-only Admins
    ▪ DO IT, today! It’s easy.
    ▪ Choose a naming concept, like: [email protected] (maybe don’t use “admin” in the name anymore)
    ▪ Mailbox/email alias should be created and/or mail forwarding set up
    ▪ License: Azure AD Premium P2 should be in place (from the synced admins)
    ▪ Prepare the cutover -> roles/permissions/CA policies need to be in place
    ▪ Remove on-prem admins from your Azure AD Connect sync
    ▪ Adjust on-prem admin permissions if needed
    ▪ Least Privilege (good time to check unused/too high roles) / activate PIM (good time for PIM activation)
    ▪ Automation: prepare a process for cloud-only admins in future, automated creation by a script

  16. Cloud-only groups
    Group Type | Description | Naming Concept
    Azure AD Role Groups | 1 group for every Azure AD role, like Privileged Authentication Admin | aad-rol-privilegedauth-admin; aad-rol-billing-reader
    RBAC Groups | For Azure subscriptions, resource groups, resources | aad-rba-subscription1-owner; aad-rba-resourcegroup1-contributor; aad-rba-corenet-networkadmin
    Azure EA (Enterprise Apps) Groups | Including app name and permission level | aad-app-zoom-user; aad-app-servicenow-admin; aad-app-adobecloud-user

  17. Cloud-only groups
    ▪ Plan it, then do it… remove blockers (on-prem automation scripts etc.)
    ▪ Cutover on the fly: place new groups and fill them with members, remove on-prem groups step by step
    ▪ Remove on-prem groups from your Azure AD Connect sync (please keep your AAD clean ☺)
    ▪ Automation: prepare a process for cloud-only groups in future, automated creation by a script
    ▪ Don’t forget to activate the role-assignable switch for role groups (works now in PowerShell too)
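
The admin and group steps on slides 15 to 17, as an added PowerShell example that is not part of the deck: it creates one cloud-only admin with a non-obvious naming concept, one role-assignable cloud-only group named after the deck's aad-rol-<role>-<level> pattern, and makes that group PIM-eligible for the role instead of permanently active. It uses the Microsoft Graph PowerShell SDK; the tenant domain, display names and role are placeholders, and Azure AD Premium P2 is assumed for PIM.

```powershell
# Added example (not from the deck): bootstrap one cloud-only admin and one
# role-assignable cloud-only group with the Microsoft Graph PowerShell SDK.
# Assumptions: Microsoft.Graph modules installed, the caller holds the scopes
# below, and the tenant domain / names are placeholders.
Connect-MgGraph -Scopes "User.ReadWrite.All","Group.ReadWrite.All","RoleManagement.ReadWrite.Directory"

$tenantDomain = "contoso.onmicrosoft.com"        # placeholder tenant domain
$roleName     = "Billing Reader"                  # role the group becomes eligible for
$groupName    = "aad-rol-billing-reader"          # deck naming concept: aad-rol-<role>-<level>
$adminUpn     = "c-mmeyer@$tenantDomain"          # cloud-only admin, no "admin" in the name

# 1) Cloud-only admin account (never synced from on-prem AD). The initial
#    password is random and must be changed at first sign-in; register
#    passwordless / MFA methods right after.
$initialPassword = -join ((33..126) | Get-Random -Count 24 | ForEach-Object { [char]$_ })
$admin = New-MgUser -AccountEnabled -DisplayName "Martin Meyer (cloud admin)" `
    -MailNickname "c-mmeyer" -UserPrincipalName $adminUpn `
    -PasswordProfile @{ Password = $initialPassword; ForceChangePasswordNextSignIn = $true }

# 2) Role-assignable cloud-only group. IsAssignableToRole is the "switch for
#    role groups" from slide 17 and can only be set when the group is created.
$group = New-MgGroup -DisplayName $groupName -MailNickname $groupName `
    -MailEnabled:$false -SecurityEnabled -IsAssignableToRole `
    -Description "Eligible members for the Azure AD role '$roleName' (PIM)"

New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $admin.Id

# 3) Make the group *eligible* (not permanently active) for the role via PIM,
#    so members still have to activate the role with justification.
$roleDef = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$roleName'"
$request = @{
    Action           = "adminAssign"
    Justification    = "Cloud-only eligible role group for $roleName"
    RoleDefinitionId = $roleDef.Id
    DirectoryScopeId = "/"
    PrincipalId      = $group.Id
    ScheduleInfo     = @{
        StartDateTime = (Get-Date).ToUniversalTime()
        Expiration    = @{ Type = "noExpiration" }
    }
}
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $request
```

Once this runs for each role you need, the on-prem admin objects can be dropped from the Azure AD Connect sync scope as slides 15 and 17 describe.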

  18. Endpoints
    ▪ Main Goal: Use Azure AD join and cloud-based device management to eliminate dependencies on your on-prem device management
    Tool | Topic | Action | Link
    Azure AD | Conditional Access | Implement identity and device access configurations; use CA for compliant devices | Identity and device access configurations; Conditional Access: Require compliant devices
    MEM / Intune | Configuration profiles | Lock down your endpoint configuration | Create device profiles
    MEM / Intune | Compliance Policies | Take care of compliant devices | Create device compliance policies
    MEM / Intune | Azure AD join | Endpoints registered in Azure AD | How to plan your Azure Active Directory join implementation
    MEM / Intune | Windows Hello for Business | Enable and configure a more secure device login | Integrate Windows Hello for Business
    Microsoft Defender for Endpoint | Endpoint security | Detect threats and vulnerabilities; attack surface reduction; automated remediation | Defender for Endpoint deployment phases
    Windows Autopilot | Endpoint deployment | Vendor registers hardware hashes and ships devices to end users; end users can finish setup from everywhere | Windows Autopilot scenarios
    Privileged Access | Privileged Access Devices | Secure privileged access | Securing devices

  19. Azure AD Join
    ▪ Device lives only in Azure AD
    ▪ Modern management approach
    ▪ Go full AAD join → why not?

  20. Apps
    ▪ Main Goal: Use Azure AD as identity provider for all your apps / eliminate dependencies on on-prem credentials
    Tool | Topic | Action | Link
    Azure Enterprise Apps | Identity Provider | «Connect» all your apps to Azure AD (get rid of ADFS) | What is application management?; Azure AD App Provisioning; Azure AD B2B collaboration; Activity report to move ADFS apps to AAD
    Azure Application Proxy | Identity Provider | «Connect» your legacy on-prem apps to Azure AD | What is application proxy?
    Azure AD | Single sign-on (SSO) | Configure SSO wherever possible → don’t forget to activate it on AAD Connect | Azure AD single sign-on
    Defender for Cloud Apps | Security | Discover shadow IT; manage app governance; cloud discovery | Discover and identify shadow IT; Get started with app governance; Set up cloud discovery
    Conditional Access | Modern authentication | Super task until 01.10.2022: tick tock… Use Conditional Access policies for modern auth: monitor first, inform users, then block | Legacy Authentication Protocols; Block legacy authentication
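
The three-step legacy authentication cutover on slide 20 (monitor first, inform users, block), as an added PowerShell example that is not part of the deck. It assumes the Microsoft Graph PowerShell SDK and the listed scopes; the break-glass group id is a placeholder so the emergency access accounts from slide 13 stay excluded from the policy.

```powershell
# Added example (not from the deck): staged Conditional Access policy that
# blocks legacy authentication protocols in the deck's order
# "monitor first, inform users, block". Assumptions: Microsoft.Graph modules,
# the scopes below, and a placeholder break-glass group id.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","Policy.Read.All","AuditLog.Read.All"

$breakGlassGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder: emergency access accounts

# Step 1: monitor. Report-only state records what *would* be blocked without
# enforcing. Legacy clients show up as client app types "exchangeActiveSync"
# and "other"; modern clients (browser, mobile/desktop apps) are untouched.
$policy = @{
    displayName   = "CA-Block-Legacy-Authentication"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Step 2: inform users. List who still signed in with a legacy client during
# the last 7 days, grouped per user, so owners can be contacted before enforcement.
$since  = (Get-Date).AddDays(-7).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$legacy = Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since" |
    Where-Object { $_.ClientAppUsed -notin @("Browser", "Mobile Apps and Desktop clients") } |
    Group-Object UserPrincipalName |
    Sort-Object Count -Descending |
    Select-Object @{ n = "User"; e = { $_.Name } }, Count,
                  @{ n = "Clients"; e = { ($_.Group.ClientAppUsed | Sort-Object -Unique) -join ", " } }
$legacy | Format-Table -AutoSize

# Step 3: block. When the report-only hits are down to expected ones, switch
# the same policy to enforced instead of creating a second one.
Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = "enabled" }
```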

  21. Enterprise Apps
    ▪ Check your EA apps user settings

  22. Enterprise Apps
    ▪ Consent phishing

  23. Data
    ▪ Main Goal: Govern and label your data, secure access wherever data resides or flows
    Tool | Topic | Action | Link
    Microsoft 365 | Microsoft Purview Data Loss Prevention (DLP) | Prevent unintentional sharing | Learn about Microsoft 365 Endpoint data loss prevention; Data loss prevention (DLP) policies
    Microsoft Purview Information Protection (MIP) | Data Governance | 1. Know your data: data landscape and inventory; 2. Protect your data: build definitions and labelling; 3. Prevent data loss: detect risky behaviour; 4. Govern your data: keep data compliant | Microsoft Purview Information Protection in M365; Microsoft Purview Information Protection unified labeling client for Windows
    Microsoft Purview | Unified data governance | Govern data wherever it resides (on-prem, SaaS, multicloud): data catalog (discovery), data insights (assess data everywhere), data map (automate metadata at scale) | Microsoft Purview; Microsoft Purview Deployment Best Practices
    Microsoft 365 | Microsoft Purview Double Key Encryption (DKE) | Use your own key to encrypt sensitive data | Double Key Encryption Overview

  24. Infrastructure
    ▪ Main Goal: Manage everything from the cloud…
    Tool | Topic | Action | Link
    Azure | IaaS | Use infrastructure services in the cloud: Azure VMs, Storage Accounts, Databases, Containers | Azure IaaS
    Azure Arc | Hybrid management (multicloud and on-prem) | Inventory; config, change and update management; monitoring / logging; automation; security | Azure Arc Overview; Azure Update Management Overview
    Defender for Cloud | Security posture; threat management (multicloud and on-prem) | Secure score; security recommendations; security alerts | Defender for Cloud - An introduction; Quickstart onboard machines
    Azure | JIT / Least privilege | Just-in-time access for VMs | Just in time access usage
    Azure Bicep, ARM, Terraform | Infrastructure as Code | Use templates to automate infrastructure deployments | Bicep language for deploying Azure resources; ARM template documentation; Get Started - Azure (Terraform)

  25. Network
    ▪ Main Goals:
    ▪ Ensure devices and users aren’t trusted just because they’re on an internal network
    ▪ Encrypt all internal communications
    ▪ Limit access by policy
    ▪ Employ micro-segmentation and real-time threat detection
    Tool | Topic | Action | Link
    Networks | Network segmentation | Many ingress/egress cloud micro-perimeters with some micro-segmentation | Secure networks with Zero Trust; Zero Trust Part 1: Networking
    Azure Web Application Firewall (WAF) | Threat detection | Protect your web applications: OWASP, bot protection and custom rulesets | Introduction to Azure Web Application Firewall
    Azure Front Door | Threat detection; traffic encryption | Layer 7 protection | Azure Front Door Overview
    Azure Application Gateway | Load balancing | Layer 4 web traffic load balancing (combine with Azure WAF) | Azure Application Gateway Overview
    Azure Firewall | Traffic filtering; threat detection | Layer 3-7 threat-intelligence-based filtering | What is Azure Firewall?

  26. Security Tools
    ▪ Main Goal: Know your security tools…
    Tool | Topic | Portal
    Azure AD; Conditional Access; Azure AD Identity Protection | Identity provider; Conditional Access policies; Identity Protection | https://portal.azure.com
    Microsoft Defender for Identity | Leverage on-premises Active Directory signals | https://portal.atp.azure.com
    Microsoft Defender; Microsoft Defender for Endpoint | M365 & endpoint security | https://security.microsoft.com
    Microsoft Defender for Cloud | Security posture & threat protection | https://portal.azure.com
    Microsoft Purview Information Protection | Discover, classify, and protect sensitive information wherever it lives or travels | https://portal.azure.com
    Microsoft Defender for Cloud Apps | Cloud access security broker | https://portal.cloudappsecurity.com
    Microsoft Sentinel | Cloud-native SIEM | https://portal.azure.com

  27. [Diagram: Zero Trust access model. Identities: strongly managed identities (MFA user, admin), managed identities (partner, user), anonymous and consumer identities. Devices: managed devices, unmanaged devices, BYOD. Adaptive access control in the middle. Destinations: sanctioned and managed services; internet and unsanctioned/unmanaged apps; private and managed apps in the cloud or on-premises; business-critical segment(s); sensitive business units/apps; low-impact IoT/OT (printers, VoIP phones, etc.); high-impact IoT/OT; IoT/OT with life/safety impact]

  28. Conclusion of Zero Trust
    ▪ Maturity model implementing security in a modern way
    ▪ Ongoing story
    ▪ Teams working together on different topics
    ▪ All about policies
    ▪ Happening in tons of different rules/policies/configurations
    ▪ Happening in a lot of different tools

  29. Questions???

  30. The End
    TRUST

  32. www.scopewyse.com
    [email protected]
