
Jan 2022 [Video]: Your Zero Trust Gameplan for 2022 by Martin Meyer

Stream Link: https://www.youtube.com/watch?v=U0Z2v78Jdaw

Meetup Link: https://www.meetup.com/de-DE/Microsoft-Azure-Zurich-User-Group/events/282184749/

Martins Blog: https://www.azureblog.org

Recent incidents have shown that an on-premises attack can affect your cloud environment too, yet you still want (and need) to manage security for the whole picture: on-premises, cloud and multi-cloud. If you have attended any security webinar in the last two years, it would be hard not to have heard about Zero Trust. The fancy high-level marketing slides gave us all a nice introduction to the topic and to the Zero Trust deployment model. You may also have heard that Zero Trust is a journey and that you need to start somewhere, somehow. But where, and how? None of these sessions actually provide concrete answers to those questions.

This session “tries” to be different. Martin will provide a gameplan for a Zero Trust implementation. It’s time to cut some (synced) cords from on-prem to make your Azure environment more secure, using separate cloud-only management accounts and Microsoft security services. This session focuses on Azure Active Directory, Microsoft Security and Windows-based enterprise environments.

Martin works as a Senior Cloud Engineer at scopewyse (https://www.scopewyse.com/). In the last couple of years he has focused on Azure AD, security and hybrid operations, and supports customers from various industries on these topics. Martin has worked with Microsoft products his entire career and has gained experience in industry, banking and the public sector.

More information about him can be found at:

Azure Zurich User Group

January 11, 2022


  1. Your Zero Trust Gameplan for 2022
     Azure Zurich User Group, 11.01.2022, Martin Meyer
     © This entire presentation is under copyright by Martin Meyer & scopewyse
  2. About me
     Martin Meyer, Senior Cloud Engineer | MCT, scopewyse GmbH, [email protected], azureblog.org, @MartinMeyer832
     ▪ Tech: Azure, Identity & Security, Networking, Azure Virtual Desktop
     ▪ Private: 38, Winterthur, “wannabe” sportsman, hiker, cook
  3. Agenda
     ▪ Intro / Status quo
     ▪ Zero Trust: where it started (for me)
     ▪ The Gameplan
     ▪ Conclusion
  4. Zero Trust pillars and the Microsoft services that cover them (slide diagram)
     Pillars: Identities, Endpoints, Network, Applications, Infrastructure, Data
     Services: Azure AD, Microsoft Defender for Identity, Microsoft Information Protection, Microsoft Defender for Cloud Apps, Microsoft Sentinel, Microsoft Defender, Microsoft Endpoint Manager, Microsoft Defender for Cloud (posture management)
  5. Identities 1/2
     ▪ Main Goal: Isolate Azure/M365 admin accounts & groups
     Tool | Topic | Action | Link
     Azure AD | Cloud-only admin accounts, cloud-only groups | Don’t (or stop) sync your admin accounts and groups from on-premises AD | Secure access practices for administrators in Azure AD; Groups in Microsoft 365 and Azure, and Which is Right for You
     Azure AD | Least privilege | Minimum permissions / roles | Best practices for Azure RBAC; Securing privileged access; Least Privilege
     Azure AD | Conditional Access | Use Conditional Access policies for different scenarios. NEW: templates! | Conditional Access deployment plan; Conditional Access templates
     Azure AD | Conditional Access | MFA for ALL users (no exemptions) | Multi-Factor Authentication; Resilient access control management strategy with Azure Active Directory
     Azure AD | Passwordless | Deploy passwordless... or at least try to start: Windows Hello for Business, Authenticator App, FIDO2 security keys | Hands-on tour in Azure AD with FIDO2 keys and Temporary Access Pass; https://aka.ms/passwordlesswizard; https://aka.ms/mysecurityinfo
  6. Identities 2/2
     ▪ Main Goal: Isolate Azure/M365 admin accounts & groups
     Tool | Topic | Action | Link
     Defender for Identity | Active Directory signals | Identify, detect and investigate threats and compromised identities | What is Microsoft Defender for Identity
     Azure AD | Break-glass admins | Configure 2 break-glass admin accounts; strong password, not (only) stored in the password manager; monitor/alert on logins | Emergency access accounts
     Azure AD | Privileged Identity Management (PIM) | Activate PIM for Azure AD roles and/or Azure resources (eligible cloud-only Azure AD role groups) | Plan a Privileged Identity Management deployment
     Azure AD | Azure AD Identity Protection | Use Identity Protection for risk detection and to investigate your logins | Azure AD Identity Protection
     Azure AD | Collaboration groups | Use M365 Groups; decommission on-prem distribution lists | Upgrade distribution lists to Microsoft 365 Groups in Outlook
     Azure AD | M365 licensing | Group-based licensing via cloud-only groups (use Azure AD dynamic groups) | Group-based licensing additional scenarios
     Azure AD | Strategy for the future: user provisioning | Think about your options; dependencies on your HR systems | What is identity provisioning?
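The break-glass row above says "configure 2 accounts, monitor/alert on logins" but not how to verify that state. The following script is an added example written for this page, not from the deck or from Microsoft; it checks each emergency-access account against the points Microsoft's own emergency-access guidance makes (cloud-only, enabled, permanent Global Administrator, excluded from every enabled Conditional Access policy) and lists any sign-in in the look-back window, since these accounts should never be used for daily work. The two UPNs and the look-back window are placeholders.

```powershell
# Added example (not from the deck): audit the break-glass accounts with the
# Microsoft.Graph PowerShell SDK. Placeholder UPNs; replace with your own.
param(
    [string[]] $BreakGlassUpns = @('bg-01@contoso.onmicrosoft.com', 'bg-02@contoso.onmicrosoft.com'),  # placeholders
    [int]      $LookbackHours  = 24
)

Connect-MgGraph -Scopes 'User.Read.All', 'AuditLog.Read.All', 'Policy.Read.All', 'RoleManagement.Read.Directory'

$since       = (Get-Date).AddHours(-$LookbackHours).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
$policies    = Get-MgIdentityConditionalAccessPolicy -All | Where-Object State -eq 'enabled'
$globalAdmin = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Global Administrator'"

if ($BreakGlassUpns.Count -lt 2) { Write-Warning 'The deck (and Microsoft) recommend at least two emergency access accounts' }

foreach ($upn in $BreakGlassUpns) {
    $u = Get-MgUser -UserId $upn -Property id, userPrincipalName, accountEnabled, onPremisesSyncEnabled
    $problems = @()

    if (-not $u.AccountEnabled)   { $problems += 'account disabled' }
    if ($u.OnPremisesSyncEnabled) { $problems += 'synced from on-premises (must be cloud-only)' }

    # Emergency accounts need a *permanent* (active) Global Administrator assignment:
    # during an outage there may be no PIM to activate anything.
    $active = Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($u.Id)'" |
        Where-Object RoleDefinitionId -eq $globalAdmin.Id
    if (-not $active) { $problems += 'no permanent Global Administrator assignment' }

    # Exclusion must be by user id, directly in each enabled policy; a group exclusion
    # can be edited away by whoever manages the group.
    foreach ($p in $policies) {
        if ($p.Conditions.Users.ExcludeUsers -notcontains $u.Id) {
            $problems += "not excluded from CA policy '$($p.DisplayName)'"
        }
    }

    # Any sign-in at all is worth an alert; these accounts are not for daily work.
    $signIns = Get-MgAuditLogSignIn -Filter "userId eq '$($u.Id)' and createdDateTime ge $since" -All
    foreach ($s in $signIns) {
        $problems += "sign-in at $($s.CreatedDateTime) from $($s.IpAddress) via $($s.AppDisplayName) (error code $($s.Status.ErrorCode))"
    }

    $summary = if ($problems) { $problems -join '; ' } else { 'OK' }
    [pscustomobject]@{ Account = $upn; Findings = $summary }
}
```

Run it from a scheduled job and page on anything other than "OK"; the sign-in check is the "monitor/alert logins" item from the slide, the other checks catch the slow drift (someone re-enabling sync for the OU, a new CA policy without the exclusion) that breaks break-glass accounts exactly when they are needed.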
  7. Azure AD Connect
     Sync only what you really need to Azure AD... and configure attribute filtering ;-)
  8. Cloud-only admins
     Good idea...
     ▪ DO IT, today! It’s easy.
     ▪ Choose a naming concept, like: [email protected] (maybe don’t use “admin” in the name anymore)
     ▪ A mailbox or e-mail alias should be created, and/or mail forwarding
     ▪ License: Azure AD Premium P2 should be in place (carried over from the synced admins); if not, buy it for the admins (don’t fool around with P1)
     ▪ Prepare the cutover: roles, permissions and CA policies need to be in place
     Afterwards...
     ▪ Remove the on-prem admins from your Azure AD Connect sync
     ▪ Adjust the on-prem admins’ permissions if needed
     ▪ Least privilege (good time to check unused or too-high roles) / activate PIM (good time for PIM activation)
     ▪ Automation: prepare a process for cloud-only admins in future, automated creation by a script
     Workaround... (if you do cloud-only admins tomorrow)
     ▪ Remove inactive cloud admins
  9. Cloud-only groups
     Good idea...
     ▪ Plan it, then do it... remove blockers (on-prem automation scripts etc.)
     ▪ Cutover can be done on the fly: create the new groups and fill them with members, remove the on-prem groups step by step
     Afterwards...
     ▪ Remove the on-prem groups from your Azure AD Connect sync (please keep your AAD clean ☺)
     ▪ Automation: prepare a process for cloud-only groups in future, automated creation by a script
     ▪ Don’t forget to activate the role-assignable switch (isAssignableToRole, “Azure AD roles can be assigned to the group”) for role groups; it works in PowerShell too, and can only be set when the group is created
     Group Type | Description | Naming Concept
     Azure AD Role Groups | One group for every Azure AD role, like Privileged Authentication Admin, Billing Reader | aad-rol-privilegedauth-admin, aad-rol-billing-reader, aad-rol-application-developer
     RBAC Groups | For Azure subscriptions, resource groups, resources | aad-rba-subscription1-owner, aad-rba-resourcegroup1-contributor, aad-rba-corenet-networkadmin
     Azure Enterprise Apps (EA) Groups | Including app name and permission level | aad-app-zoom-user, aad-app-servicenow-admin, aad-app-adobecloud-user
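Slides 8 and 9 both end with "automated creation by a script". The script below is an added example for this page (not the deck's or scopewyse's own tooling) that does the two things together: it creates a cloud-only admin account, a cloud-only role-assignable group named after the slide 9 concept, adds the account to it and makes the group PIM-eligible for one Azure AD role. Everything not on the slides is an assumption: the tenant domain, the "c-" prefix instead of "admin", the choice of the Application Developer role, and that Temporary Access Pass is enabled in the tenant's authentication methods policy. It needs the Microsoft.Graph PowerShell SDK and, for PIM, Azure AD Premium P2.

```powershell
# Added example (not from the deck): cloud-only admin + role-assignable group + PIM eligibility.
# Placeholders: $AdminDomain, the "c-" prefix, $RoleName / $GroupName defaults.
param(
    [Parameter(Mandatory)] [string] $FirstName,
    [Parameter(Mandatory)] [string] $LastName,
    [string] $AdminDomain = 'contoso.onmicrosoft.com',        # placeholder tenant domain
    [string] $RoleName    = 'Application Developer',           # built-in Azure AD role (placeholder choice)
    [string] $GroupName   = 'aad-rol-application-developer'    # naming concept from slide 9
)

$scopes = @(
    'User.ReadWrite.All', 'Group.ReadWrite.All',
    'RoleManagement.ReadWrite.Directory', 'UserAuthenticationMethod.ReadWrite.All'
)
Connect-MgGraph -Scopes $scopes

# 1. Cloud-only admin account, created directly in Azure AD so Azure AD Connect
#    never touches it. "c-" keeps the word "admin" out of the UPN.
$alias = ('c-{0}.{1}' -f $FirstName, $LastName).ToLowerInvariant()
$upn   = "$alias@$AdminDomain"

# The initial password is random and thrown away; nobody ever types it (see step 4).
$bytes = [byte[]]::new(24)
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$user = New-MgUser -DisplayName "$FirstName $LastName (cloud admin)" `
    -UserPrincipalName $upn -MailNickname $alias -AccountEnabled -UsageLocation 'CH' `
    -PasswordProfile @{ Password = [Convert]::ToBase64String($bytes); ForceChangePasswordNextSignIn = $true }

# 2. Cloud-only, role-assignable security group. -IsAssignableToRole is the
#    "Azure AD roles can be assigned to the group" switch and can only be set at creation.
$group = Get-MgGroup -Filter "displayName eq '$GroupName'"
if (-not $group) {
    $group = New-MgGroup -DisplayName $GroupName -MailNickname $GroupName `
        -MailEnabled:$false -SecurityEnabled -IsAssignableToRole `
        -Description "Eligible members for the '$RoleName' Azure AD role"
}
New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $user.Id

# 3. PIM: the group becomes *eligible* for the role, not permanently active.
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq '$RoleName'"
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter @{
    action           = 'adminAssign'
    justification    = "Eligible assignment for $GroupName"
    roleDefinitionId = $role.Id
    directoryScopeId = '/'
    principalId      = $group.Id
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime()
        expiration    = @{ type = 'noExpiration' }
    }
} | Out-Null

# 4. Hand-over without a password: a single-use Temporary Access Pass, with which the
#    admin registers FIDO2 / Windows Hello / Authenticator at first sign-in.
$tap = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $user.Id `
    -BodyParameter @{ lifetimeInMinutes = 60; isUsableOnce = $true }

# 5. Sanity checks: the account must be cloud-only and the group role-assignable.
$check = Get-MgUser -UserId $user.Id -Property userPrincipalName, onPremisesSyncEnabled
if ($check.OnPremisesSyncEnabled) { throw "$upn is synced from on-premises; expected a cloud-only account" }
if (-not (Get-MgGroup -GroupId $group.Id -Property isAssignableToRole).IsAssignableToRole) {
    throw "$GroupName is not role-assignable; recreate it, the switch cannot be added later"
}

[pscustomobject]@{
    Account             = $upn
    Group               = $GroupName
    EligibleRole        = $RoleName
    TemporaryAccessPass = $tap.TemporaryAccessPass   # hand over out-of-band; 60 minutes, single use
}
```

Two design points: the role is bound to the group, not to the user, so onboarding the next admin is just `New-MgGroupMember`, and the group is created with `-IsAssignableToRole` because that flag cannot be switched on afterwards, which is the trap the last bullet of slide 9 warns about.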
  10. Endpoints
      ▪ Main Goal: Use Azure AD join and cloud-based device management to eliminate dependencies on your on-prem device management
      Tool | Topic | Action | Link
      Azure AD | Conditional Access | Implement identity and device access configurations; use CA to require compliant devices | Identity and device access configurations; Conditional Access: Require compliant devices
      MEM / Intune | Configuration profiles | Lock down your endpoint configuration | Create device profiles
      MEM / Intune | Compliance policies | Take care of compliant devices | Create device compliance policies
      MEM / Intune | Azure AD join | Endpoints joined to Azure AD | How to plan your Azure Active Directory join implementation
      MEM / Intune | Windows Hello for Business | Enable and configure a more secure device login | Integrate Windows Hello for Business
      Microsoft Defender for Endpoint | Endpoint security | Detect threats and vulnerabilities; attack surface reduction; automated remediation | Defender for Endpoint deployment phases
      Windows Autopilot | Endpoint deployment | Vendor sends you the device IDs and ships devices to end users; end users can finish setup from anywhere | Windows Autopilot scenarios
      Privileged Access | Privileged access devices | Secure privileged access | Securing devices
  11. Apps
      ▪ Main Goal: Use Azure AD as the identity provider for all your apps / eliminate dependencies on on-prem credentials
      Tool | Topic | Action | Link
      Azure AD Enterprise Apps | Identity provider | “Connect” all your apps to Azure AD (get rid of AD FS) | What is application management?; Azure AD app provisioning; Azure AD B2B collaboration; Activity report to move AD FS apps to Azure AD
      Azure AD Application Proxy | Identity provider | “Connect” your legacy on-prem apps to Azure AD | What is Application Proxy?
      Azure AD | Single sign-on (SSO) | Configure SSO wherever possible; don’t forget to enable seamless SSO in Azure AD Connect | Azure AD single sign-on
      Defender for Cloud Apps | Security | Discover shadow IT; manage app governance; cloud discovery | Discover and identify shadow IT; Get started with app governance; Set up cloud discovery
      Conditional Access | Modern authentication | Super task until 01.10.2022, tick tock... Use Conditional Access policies for modern auth: monitor first, inform users, block legacy authentication protocols | Block legacy authentication
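The last row of the Apps slide gives the order (monitor first, inform users, then block) but no mechanics. The script below is an added example for this page, not from the deck, that walks that sequence with the Microsoft.Graph PowerShell SDK: it lists who still authenticates with legacy protocols from the sign-in log, then creates the block policy in report-only mode, and on a second run with -Enforce flips the same policy to enabled. The policy name and the break-glass exclusion group name are placeholders; the group exclusion follows Microsoft's emergency-access guidance and is the one exemption a block policy should carry.

```powershell
# Added example (not from the deck): legacy-auth block policy, report-only first.
# Placeholders: $BreakGlassGroup, $PolicyName, $LookbackDays.
param(
    [int]    $LookbackDays    = 14,
    [string] $BreakGlassGroup = 'aad-rol-breakglass-exclusion',   # placeholder group name
    [string] $PolicyName      = 'CA001-Block-legacy-authentication',
    [switch] $Enforce   # first run without it (report-only), review the report, then run with -Enforce
)

Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Group.Read.All'

# 1. Monitor first. Modern clients appear as "Browser" or "Mobile Apps and Desktop Clients";
#    every other value of clientAppUsed (IMAP4, POP3, SMTP, Exchange ActiveSync, "Other clients", ...)
#    is a legacy protocol that the policy below will block.
$since  = (Get-Date).AddDays(-$LookbackDays).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
$modern = @('Browser', 'Mobile Apps and Desktop Clients')
$legacySignIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
    Where-Object { $_.ClientAppUsed -and $_.ClientAppUsed -notin $modern }

# This report is what goes to the users and app owners ("inform users").
$legacySignIns |
    Group-Object UserPrincipalName, ClientAppUsed |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# 2. Policy body in Graph format. clientAppTypes "exchangeActiveSync" + "other" is exactly
#    what the Conditional Access UI calls "legacy authentication clients".
$breakGlass = Get-MgGroup -Filter "displayName eq '$BreakGlassGroup'"
if (-not $breakGlass) { throw "Exclusion group '$BreakGlassGroup' not found; do not deploy a block policy without it" }

$state  = if ($Enforce) { 'enabled' } else { 'enabledForReportingButNotEnforced' }
$policy = @{
    displayName = $PolicyName
    state       = $state
    conditions  = @{
        users          = @{ includeUsers = @('All'); excludeGroups = @($breakGlass.Id) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('exchangeActiveSync', 'other')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

# 3. Create in report-only mode on the first run; flip the same policy on the second.
$existing = Get-MgIdentityConditionalAccessPolicy -All | Where-Object DisplayName -eq $PolicyName
if ($existing) {
    Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $existing.Id -BodyParameter @{ state = $state }
    "Policy '$PolicyName' set to state '$state'"
} else {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    "Policy '$PolicyName' created in state '$($created.State)' (id $($created.Id))"
}
```

Between the two runs, the report-only policy shows up in the sign-in log's "Report-only" tab, so the second list of affected users comes from the policy itself rather than from the heuristic on clientAppUsed; only when that list is empty (or every remaining entry is an accepted exception) is it time for -Enforce.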
  12. Data
      ▪ Main Goal: Govern and label your data, secure access wherever data resides or flows
      Tool | Topic | Action | Link
      Microsoft 365 | Data Loss Prevention (DLP) | Prevent unintentional sharing | Learn about Microsoft 365 Endpoint data loss prevention; Data loss prevention (DLP) policies
      Microsoft Information Protection (MIP) / Azure Information Protection (AIP) | Data governance | 1. Know your data: data landscape and inventory; 2. Protect your data: build definitions and labelling; 3. Prevent data loss: detect risky behaviour; 4. Govern your data: keep data compliant | Microsoft Information Protection in Microsoft 365; Azure Information Protection unified labeling client for Windows
      Azure Purview | Unified data governance | Govern data wherever it resides (on-prem, SaaS, multi-cloud): data catalog (discovery), data insights (assess data everywhere), data map (automate metadata at scale) | Azure Purview; Azure Purview deployment best practices
      Microsoft 365 | Double Key Encryption (DKE) | Use your own key to encrypt sensitive data | Double Key Encryption overview
  13. Infrastructure
      ▪ Main Goal: Manage everything from the cloud...
      Tool | Topic | Action | Link
      Azure IaaS | Use infrastructure services in the cloud | Azure VMs, storage accounts, databases, containers | Azure IaaS
      Azure Arc | Hybrid management (multi-cloud and on-prem) | Inventory; config, change and update management; monitoring / logging; automation; security | Azure Arc overview; Azure Update Management overview
      Defender for Cloud | Security posture, threat management (multi-cloud and on-prem) | Secure score; security recommendations; security alerts | Defender for Cloud: an introduction; Quickstart: onboard machines
      Azure JIT | Least privilege | Just-in-time access for VMs | Just-in-time access usage
      Azure Bicep / ARM / Terraform | Infrastructure as Code | Use templates to automate infrastructure deployments | Bicep language for deploying Azure resources; ARM template documentation; Get started with Azure (Terraform)
  14. Network
      ▪ Main Goals:
      ▪ Ensure devices and users aren’t trusted just because they’re on an internal network
      ▪ Encrypt all internal communications
      ▪ Limit access by policy
      ▪ Employ micro-segmentation and real-time threat detection
      Tool | Topic | Action | Link
      Networks | Network segmentation | Many ingress/egress cloud micro-perimeters with some micro-segmentation | Secure networks with Zero Trust; Zero Trust Part 1: Networking
      Azure Web Application Firewall (WAF) | Threat detection | Protect your web applications: OWASP, bot protection and custom rule sets | Introduction to Azure Web Application Firewall
      Azure Front Door | Threat detection, traffic encryption | Layer 7 protection | Azure Front Door overview
      Azure Application Gateway | Load balancing | Layer 7 web traffic load balancing (combine with Azure WAF) | Azure Application Gateway overview
      Azure Firewall | Traffic filtering, threat detection | Layer 3-7 threat-intelligence-based filtering | What is Azure Firewall?
  15. Security operations (diagram from the Microsoft Cybersecurity Reference Architectures, https://aka.ms/MCRA)
      ▪ Align to mission + continuously improve
      ▪ Responsiveness: Mean Time to Acknowledge (MTTA)
      ▪ Effectiveness: Mean Time to Remediate (MTTR)
      ▪ Analysts and hunters
      ▪ Provide actionable security alerts, raw logs, or both
  16. Security tools
      ▪ Main Goal: Know your security tools...
      Tool | Topic | Portal
      Azure AD Conditional Access, Azure AD Identity Protection | Identity provider, Conditional Access policies, Identity Protection | https://portal.azure.com
      Microsoft Defender for Identity | Leverage on-premises Active Directory signals | https://portal.atp.azure.com
      Microsoft Defender, Microsoft Defender for Endpoint | M365 & endpoint security | https://security.microsoft.com
      Microsoft Defender for Cloud | Security posture & threat protection | https://portal.azure.com
      Microsoft Information Protection | Discover, classify and protect sensitive information wherever it lives or travels | https://portal.azure.com
      Microsoft Defender for Cloud Apps | Cloud access security broker | https://portal.cloudappsecurity.com
      Microsoft Sentinel | Cloud-native SIEM | https://portal.azure.com
  17. Conclusion on Zero Trust
      ▪ A maturity model for implementing security in a modern way
      ▪ An ongoing story
      ▪ Teams working together on different topics
      ▪ All about policies
      ▪ Happening in tons of different rules, policies and configurations
      ▪ Happening in a lot of different tools