The path towards Zero Trust Network Access with Azure AD / M365

Captions
Hello, good afternoon and welcome. It would be absolutely fantastic if you could turn your cameras on; it just gives a nicer experience for everyone who's looking, and it certainly gives a nicer experience for me, because I hate looking at screens and not knowing if there's anyone out there. Oh, and I recognise some faces as well, which is absolutely great. So I'm going to be talking about the path towards zero trust, with a particular focus on Microsoft 365 and Azure AD; that's the intention. Is my screen share okay?

Just to give you a bit of background on myself, in case you've not come across me before: I started work in computing a long, long time ago and I designed real-time control systems. I got involved in both the hardware and the software design, mainly focused on the software, in terms of developing very high speed real-time controllers. I've actually worked with every version of Windows, believe it or not, some of the very early versions. The amount of work was just picking them up and taking them across and putting them somewhere where I wouldn't have to see the floppy disks again. But I was looking for a front-end management system for our very high speed real-time controllers, and when NT came along I started working with that and thinking we could use it. I got involved with the product group, and one day someone in the product group gave me a stack of floppies and said, hey, why don't you have a look at this; and this was a very early precursor of what was to become on-prem AD. In about 1999 I got a call from Microsoft UK saying, we hear you know something about Active Directory, and I said, well, I've worked with the product group on it and fed back information, and they said, can you come and tell us about it? Which was a very surreal moment, but that was the start of my real relationship with Microsoft.

I'm now a Microsoft MVP. I got really drawn into identity in a very big way around about 2002, and that was with federation; it was an IBM system and no Microsoft there at all, but then of course ADFS came along and we were federating with Microsoft products as well. I've been speaking at international events since 1999 and absolutely love doing that. It's very nice to report that in-person events are coming back: I was in Lucerne in Switzerland last week, an absolutely lovely location, for the Workplace Ninja conference, a really great conference and really interesting to be speaking at. Now, one of the things I like is always a challenge, and I was about to give a keynote, well, the keynote was to be the following day, and somebody from the company's marketing said, we always like to set our speakers a challenge. I said, yes, and what's that? They said, oh, just to bring a phrase into your presentation. This slide I developed just to bring in the phrase they wanted me to bring in, and I think you'll realise what the phrase is as we go through; it's the most difficult one to bring into a normal presentation on identity. But actually, having produced this slide just to satisfy that need, I found it quite a useful slide.

So our prime objective really is to protect our assets, and we've been doing that for years and years. We protect things: we put them in safes, we put alarm systems around them, have really good locks, sturdy doors, and if we've got a very high value asset we will probably put it in a secure garage, making sure we've got all the electronics possible to stop someone stealing that asset. And that even applies to farmers who have got their smooth hairless pigs that they need to protect; and what are they protecting them from? They're actually protecting them from the sun, and they're rubbing on the sun cream. So probably you've guessed what it was: it was the smooth hairless pig that I had to bring into the presentation.

But it's true, we're all about protecting assets, and if we go back to once-upon-a-time days, what we did is we built castles to protect assets. The interesting thing about the castle was you might have extremely thick, strong walls and battlements on top, but you had to have a way in, and the way in was really protected; we had layers of defence on the way in. You'd have a moat, you would then have a portcullis, and if somebody attacked, got across the moat, got through the portcullis, you then had these things called killing boxes which you were shovelling the enemy through so you could get them. But if we take it so we're not under an attack situation, how did someone enter the castle? They crossed the drawbridge, went through the portcullis, were probably examined by a gatekeeper of some kind who checked out some form of credentials for that person and allowed them in; but once they were in, they were pretty much trusted to move around the castle.

And we did exactly the same thing when we designed IT systems. We had our network and we had firewalls to protect the network; we had our equipment and we protected that equipment through the surrounding controls we were building. But if we're using a protocol such as Kerberos, so on-prem AD, we authenticate once, and once we've authenticated we end up with a thing called a TGT, which is a ticket granting ticket, and I can go back with that ticket granting ticket at any time to the Kerberos server and say, hey, please can I have a session ticket to a particular server. And the session ticket, if I was going to server one, the actual content of that session ticket would be the same as if I was going to server two, the same as if I was going to server three; that's in terms of the identity content. The ticket itself would be encrypted differently; it
would be encrypted just for the particular server, but the actual content, my identity, my group membership, would be identical. So I was let through the door when I logged in, I got a TGT, and now I can go off and get a session ticket to any server without further validation of who I am. Also, if we look at this scenario, what we've got is we go back and say, hey, can I have a session ticket please to server three, and I get one. There's no consideration of, ah, that character John, is he allowed a session ticket to server three? No: if I've got a TGT I just get one, and all of the authorization decisions have to be done by the target system. That sort of worked when we were very much isolated, but now, as we evolve into the 21st century, we've got our users, and our users are no longer within our security boundary. So our users could be absolutely anywhere, and we want them to have access to our on-premises data, but equally well we might be putting data into the cloud and we want to give them access to that. We might be using third-party SaaS apps; the typical example of that of course is Microsoft 365.

We need to be able to give them access to that. And then of course at one time the device we were using was within our security boundary, completely controlled by our IT department, but now the standard is we can use pretty much any device. Well, there might be certain restrictions on that, but the idea is we're not going to stop that user working: they've got their phone, yes, we want them to be able to use that; they've got their tablet, we want them to use that; they've got their laptop again. So that's the change for our users. But then we've got collaboration going on and we're going to bring in partners, and we want to give partners access to our data, so we've got to deal with that situation; and then, very importantly, bringing in consumers.

So the corporate landscape has completely changed. At one time you could say users in our IT system, or our identity system, were employees; of course now they're employees, their partners and their customers. Users worked in the office; well, those days are long gone, and COVID helped make the huge shift that's happened. I know some companies are desperately trying to get people to come back into the office, and I know a lot of people who have actually moved jobs to make sure they don't have to go back into the office. So the reality is users are working from anywhere, and they need to be productive from anywhere, so they're going to be bringing their own devices of some kind and we need to add that into the mix. Devices used to be corporate owned and locked down by our IT department; no more. Apps were on premises; now apps could be absolutely anywhere: they could be on-prem, they could be in a private cloud, they could be in a public cloud, or the data that we're using, or the app we're using, could be a software-as-a-service application. Hackers have changed as well: some hackers started off by being opportunists; now they're highly funded syndicates or nation-state actors. And what a hacker does: ransomware attacks we've all heard of, but there's a significant number of attacks going on now where it's purely to stop your organization being operational. They're not interested in encrypting your data and saying, hey, pay us all these Bitcoins and we'll unencrypt it all; they're interested in stopping you operating. And then users access resources; well, it's now very much users and workloads. Workloads have always been involved, and a workload is just, if you like, a security principal, so it's an application or it's a managed identity in Azure.

So our landscape has completely changed. We need to deal with it; we need to work within this new environment. There's no point in trying to change the environment: this is life as it is now. So what we need to do is trust nobody without continuously evaluating them. When somebody's operating we need to continuously make an evaluation, so we're going to try and eliminate the hackers getting in, but the reality is you may well have somebody who's compromised your system, and what you need to do is know about it.

So this term zero trust, what does it really mean? There are three primary tenets of zero trust. Number one is verify explicitly: we're going to continuously verify resource access, and we're going to do that based on the user's identity but also on the environment. Where is that user? Are they on-prem? Have they moved off-prem? Have they moved country, which might be an important one as well? What about their device: is their device healthy, does it meet the compliance that we need? What about their risk? When we're talking about risk we could be talking about user risk or we could be talking about sign-in risk. User risk is where we detect leaked credentials, so that user is definitely at risk and we need to respond to it; or it could be that the user is signing in from a location, so it's a sign-in risk, they've never
signed in from before, or they might be coming from an anonymous IP address, so they're using some kind of Tor, or they could be coming from an IP address that has been identified as maybe a command-and-control IP address, or an address that's been compromised in some way. So, verifying all the time that that person is allowed to carry on accessing one of our resources.

The next thing we need to do, absolutely, is implement least privilege. Yes, we'll have users who are at least privilege completely, but then we'll have admins, and the problem with admins is they do an administrative role, but then they also do other roles as well, and what you don't want is, when an administrator is doing their email, if they get an email that is actually trying to compromise the system. What we want to do is make sure they're using least privilege at that point in time. It's all about limiting blast radius: again, if we give an administration role of some kind and something goes wrong, we don't want that to affect the whole of our directory; we want to be able to limit that in some way, so controlling that blast radius. So we verify all the time, we use least privilege, and things should go well. However, what you have to do also is assume breach: whatever defences you put in, you need to assume that a breach will occur, so what you need is early warning of that breach. You need to be monitoring your systems, doing your analytics on your systems, detecting threats, improving protection, so as you see threats, can we improve our protection? And also we might well do automated remediation of some kind. So those are our three tenets: verify explicitly, use least privilege, and assume breach.

Where did the term zero trust come from? Well, it's interesting, actually: it was a term that was originally coined by Forrester back in 2010. The Open Group, NIST and others did quite a lot of work on it. Gartner came up with a similar term, which was secure access service edge, and there's considerable overlap, particularly now as we take zero trust and extend that down onto the network as well, so they're pretty much the same thing. Do we have trust? The answer is absolutely yes: there has to be a point of trust. If we're bringing a user into our environment we have to trust something; the key is not to trust it for too long, so we need to continuously re-evaluate. I've got a sort of industry set of references there; if you look at the video later you can see those.

Controls are going to apply to identities, and when we talk about identities we're talking about users, we're talking about admins and we're talking about workloads, so we need to be able to control those identities. Endpoints: our endpoints might be managed, so they might be joined to an on-prem domain and managed through Group Policy, or we might have them managed in some way through our MDM solution; so we've got managed, and we've also got bring-your-own device, which is probably going to be unmanaged, although if we're going to allow corporate apps to be deployed on there and allow them to access corporate data we may well want to control and bubble that corporate data and protect those applications. So what are applications? It could be an application in the Microsoft cloud, it could be an application sitting in any provider, so a software-as-a-service provider, it could be our on-prem apps, and it could be our on-prem apps which are using federated authentication protocols or perhaps using legacy protocols. And then we're accessing data, and what we need to be able to do is manage how that data is accessed: do we want to make sure that maybe if we're downloading data we could block it completely, or maybe we only allow the download of PDFs, or only download data that hasn't been categorized as sensitive in some way? An example of that categorization might be that there's credit card information inside the data and we might want to block that download, but maybe other types of download we will allow. That's pretty much it when we're looking at the M365 and Azure AD focus, but if you're going beyond that then we're looking at IoT, the Internet of Things, we're looking at OT, which is your operational technologies that are running your production infrastructure, and of course we're looking at networks. So we've got to apply controls to all of this.

There's an interesting slide which I've just borrowed from the Open Group, and this is their sort of components of zero trust. We have our users, we have our devices, and when those users and devices are trying to get at our assets, what we need to do is push them through a security policy enforcement of some kind, and that security policy enforcement will be getting lots of signals, but it will also be using threat intelligence: threat intelligence that's been gathered from within our ecosystem, but also from outside it, so from the global system that maybe our identity provider is managing. So the more information our identity provider has to work on, the better that threat intelligence is going to be. What's going to be very, very important is that we wrap this with modern security operations, and those security operations will feed into the threat intelligence, and we need to add governance into the frame as well. The whole idea, of course, is that what we're doing is asset protection.

Okay, nice idea; there's a huge amount of work involved in this, and the other thing is it's all about balance. What we need to do is really balance the need to block out the bad guys but still allow our users to operate. I mean, if I had a server and I wanted to 100% protect that server, I could disconnect it from the
network, disconnect the power, lock it in a safe, and it would be perfectly protected; the problem of course is it's not usable. It's about empowering our users to work but equally well protecting our assets, and to do this it's going to involve absolutely everyone. It's not a cheap operation: there's going to be the need for money, there's going to be the need for buy-in from your technical leads, your architects, operations, educators; we're going to have to do a lot of education. The missing one off there is our users: our users have to buy into this, our users have to become knowledgeable about what's going on in a really heavily protected system. So it's absolutely not a quick journey.

But before you start the journey, one thing I would say is that if you haven't got it turned on, and I'm sure an awful lot of you have got MFA enabled, please turn it on as soon as you can. You could say, well, we haven't got authenticator apps on our phones, etc. Well, just use SMS, use text-based MFA. Although it's not the best solution, it's a perfect solution for sort of low-hanging-fruit attacks, because a lot of attacks are password spray attacks. If you've got a targeted attack against someone and they're going to be doing things like SIM hijacking, etc., then SMS-based is not going to do it for you, but for your ninety percent, well, 99% of your personnel, probably any form of MFA is better than none. Well, actually, sorry: any form of MFA for a hundred percent of your personnel is better than none.

The other question you should ask yourself is, are you ransomware recovery ready? It's the three Rs, really. Put your hand on your heart and think about it: if my infrastructure was totally flattened today, could I recover? And what is meant by totally flattened is you've had the attacker inside your environment for quite some time; they've learned everything they need to know about that environment, so they know how you do your backups, so they know how you do absolutely everything. When it's time to attack, and it's normally on a Friday night, the attack starts. They might encrypt, but these days sometimes it's just about killing your organization, and you absolutely need to be able to recover from that. So you need your backups air-gapped so that you know that you can actually back up and restore your systems. Really think about that, because you could spend a fortune going down the zero trust route: you get buy-in from your Chief Financial Officer, you get buy-in at board level and from everyone else, you go down that route and you're spending money in big ways, bringing in more training, bringing in more personnel, maybe security analysts, and then you get flattened and you can't recover; you've wasted a lot of money. So make sure that you can absolutely recover.

If we look at zero trust with Microsoft, what we really need to think about is what we are trying to do. We are trying to decide whether our user or a workload (and that's just using a workload identity of some kind), whether a user or a workload is going to be allowed to access an application, and to go along with zero trust we're going to constantly re-evaluate that all the time. That's our primary objective: the primary objective of any identity and access management system is about authenticating users and workloads to applications. There are all sorts of things that go with it, such as the ability to reset passwords and all the other great things we can do, but our core objective is about authenticating users to applications. And so we're going to need to bring in those users and know about them; in our zero trust world we need to bring them into Azure AD, and that's where we're going to authenticate them. So we're bringing in the users, we're
authenticating them and workloads through Azure AD, and then we can use Conditional Access as our policy engine. To make really good informed decisions we want to bring in a lot more information: where is that user located, what is the client application, is there a sign-in risk, is there a user risk? We need to bring that sort of information in, and then we want general threat intelligence as well, bringing that in to help us make decisions. If we make a decision and we say, yes, that user is allowed to access that application, what we're going to do is actually create a security token of some kind to allow that access to happen. But we want to bring in even more information: device information, so is it a managed device or bring-your-own device, what's its health, its compliance, we need to get that sort of thing; is there a device risk which has been identified; the operating system that's in use. So we gather all of this and then we're going to make a decision: are we going to produce a security token which will allow access to a particular application? When we're making this decision we could bring it down to a single application or a group of applications that we're controlling through a single Conditional Access policy. We could block, and just say no, we're going to block; or we could say we need assurance increased, so it could be MFA, which you can also classify as remediation: we're saying you need to be two-factor authenticated, you're not, so we're going to have to get you to deal with that. We could do remediation, particularly if we've got a user risk, and what we can do is force that user to change their password; so if they've been identified as a user risk, probably leaked credentials, something like that, we could get them to remediate by changing their password. Assuming we pass these tests, the next thing that's going to happen is we're going to go through session controls, and the beauty of session controls is: yes, this user can access this application, but as they are accessing it we want to control the session behaviour, so we've got an extra layer on there. I'm going to come back to more details of all of this very shortly.

Then in terms of zero trust with Microsoft, we need some sort of security information and event management system around there, and then we need governance, and the governance is managing privileged access, resource access and user life cycle, so we need to add that into the frame as well. Microsoft 365 is about controlling access to 365 applications, but we can go beyond that very easily, and with Azure AD we can bring in access to third-party apps, we can bring in access to partner apps, and we can bring access into our own applications, and those applications and websites might be on-prem, they might be in the cloud.

Now, if we look at the traditional security boundaries: if you take on-prem AD, the security boundary is around the forest, so you authenticate and you've got access to anywhere in the forest. If you take a server that's sitting on the web, it might be using forms authentication, username and password into a forms login; the security boundary is around that web server and its identity database, so you're very restricted in terms of moving around. And why are you restricted? It's because of the authentication protocol: on-prem it's Kerberos, and with that web server it was forms authentication. So what we need to do to break out of this model is we absolutely need to use federated protocols. Microsoft in the early days very much championed WS-Federation; SAML is the absolute industry standard protocol for federation; and then as we move into the more modern era it's OpenID Connect. OpenID Connect authenticates you to the front end, authenticates the user to a server, and OAuth 2 authorizes a server to access a back-end system, and it could be with the identity of the user, but it could actually be using a workload identity as well. So if you're developing applications, the federation authentication protocol now should be OpenID Connect and OAuth 2. That now gives us access to our apps and it doesn't matter where they are, so our security boundary has moved: it is no longer around the forms auth database and the web server, no longer around our on-prem forest; the security boundary is now all about authentication.

Okay, you might think, but hey, what about supporting our existing applications that are using Windows auth, that are using host headers, that are using non-federated protocols? Well, Microsoft refer to that as secure hybrid access, and the idea is you have a federated protocol that authenticates you to the appliance, the network appliance, and that network appliance can then do protocol conversion. So I can authenticate to that network appliance using OpenID Connect and OAuth 2, and then it would translate that into maybe Windows authentication, and it would do that through Kerberos constrained delegation. Network appliances: well, you've got the Azure AD Application Proxy, but there's lots of support for things like Akamai and Citrix and F5 and Zscaler, and they all behave in slightly different ways and have different extensions, but what you need to do is convert from your federated protocol to your legacy on-prem protocol.

Now if we look at the authentication story: our user hits an application, the app says, oh, you're not authenticated, and the app sends you off to a security token service that it trusts; in our particular case we're using Azure AD. There's an authentication request string, and in that string, in its simplest form, it says, please authenticate this user to this application, and it will use a particular protocol, so it might be OpenID Connect, it might be WS-Federation, it might be SAML. So what
happens is we end up at the tenant, coming in through an endpoint, and there is an endpoint for each protocol. So we arrive at the WS-Federation endpoint, as shown there, and then we've got a gatekeeper, gatekeeper number one, and what gatekeeper number one says is, aha, are you already authenticated? And you might be, because you might have a cookie which proves that you're already authenticated to Azure AD, and I call that a priority pass; or we might have a refresh token, which would do the same thing. If we've got a priority pass we don't need to go through an authentication mechanism; otherwise the gatekeeper needs to decide what type of user we are. We could be, like, a VIP user, which is a user from our own organization: that might be a cloud-only user, it might be a user that has been synced from on-prem, it might be a user using a username and password, it might be a user using passwordless. There are more and more authentication methods; it might be that you're using FIDO. So the gatekeeper is going to send you to the appropriate authentication booth to get authenticated, and if you're a guest we'll go to the appropriate guest booth as well. We come through that and we either have strong authentication or we have single-factor authentication, so we're either MFA or single factor. How do we get through with MFA? Well, we might have already done MFA and we've supplied a cookie which is a strong auth cookie, and that gets us in with strong authentication; it might be that we go passwordless, in which case we're strong authentication. If it was single factor, gatekeeper number two could say, hey, to access that particular application I need you to be MFA, so a decision can be made there; but gatekeeper two makes a whole lot more decisions, which I will come to very shortly. Assuming we get through the gatekeepers, the next thing will be to issue a security token which can be passed back to the application, and we'll also get a priority pass, which could be a cookie which proves you're now authenticated to Azure AD.

So in terms of our users, we could be cloud only, we could be synced up from on-prem, and synchronization could be via Azure AD Connect sync or it could be via Azure AD Cloud Sync, or it could be a combination of those two methods. If we're a guest, we're going to actually be authenticated by a different IDP, identity provider; we're going to get authenticated somewhere else, but in terms of making a Conditional Access decision, that will be done in our own tenant. So in terms of external users, we could have an external user from another Azure AD tenant; we can have an external user that is using a Microsoft account, referred to as an MSA; we might have a user that is coming using a Google account and we've got a federation with Gmail, so we can set up and federate directly with Gmail; we can federate directly with Facebook; and then we can have what are called direct federations, which is a federation to other IDPs, and it doesn't matter, it's SAML based, so you might have another organization which is running Ping, you might have another one that is running Okta, and what we can do is, using that, we can decide that we authenticate via federation. If we can't authenticate via federation, Microsoft now uses a thing called OTP, which I'll come back to in a second. So the first thing is gatekeeper number one wants to know how you're going to authenticate. Well, you provide your credentials, and from that it can make a decision. So this guy said, I'm Blake Peter at Gmail, and gatekeeper one says, ah, we have a federation with Gmail, so please go off to the correct authentication booth. So that's one possibility. Now, if you are not coming from another Azure AD, you're not using a Microsoft account, we don't have federation with Gmail or Facebook, we don't have any direct federations, then the Microsoft solution now is to use a thing called one-time passcode, and what one-time passcode does for you is it effectively emails the user a passcode which is used for this one time. I must say I like the term: it's sort of self-federation; you are basically proving yourself by your email address. Prior to OTP, Microsoft did some quite nasty things with spinning up things like viral tenants, etc., but OTP is the way to go if you do not satisfy any of the other authentication methods.

So once we've got everyone going through our Azure AD, the next thing is, once we come through the appropriate authentication booth, it's now time to enforce that security policy, which gatekeepers two and three are going to do. If you look at CA policy, I could easily and happily spend two or three hours on this, but I want to really just give you the absolute essence of it. CA policy is saying: if principal X, and principal X could be a user, it could be an actual workload, wants to access resource Y, and resource Y used to be just an application, it can now be a workflow or an action, and the action could be that you are putting in your security details or you are registering with Intune, so resource Y applies not only to applications but also workflows. Then it says, principal X wants to access resource Y, and conditions A to G are met (I'll come to what they are in a second), then the policy applies. If the policy applies, you could block access, you can block it completely, or you can allow access, or you can say, I will allow access provided requirements L to Q are satisfied, and I'll come to those in a second as well. Now, if you allow access, the next thing we can do is put in place session controls. So this is a very quick summary of it: we're creating a new group policy, we've got our conditions A to G. Our first condition is who does the policy apply to, and it could be a user, it could be a user by group membership, it could be an administrative role, or rather than just being a user it could be an actual workload identity of some kind, which could just be an application. So: who does this policy apply to? The next thing is, for access to which applications and actions? So this is saying the policy applies going to this application; it could be all applications, it could be all applications except, and one of the really powerful things about Conditional Access is the ability to exclude, so we can do everything except. The next thing is the condition, the risk. Now, if you're going to do Conditional Access you need a P1 licence; if you're going to bring risk into the frame then you need a P2 licence and Identity Protection. Risk is about user risk, the simplest way to think about that is leaked credentials, and sign-in risk, so we're coming from a dodgy IP address of some kind, that would be a sign-in risk, in its very simplest form. The next thing is we consider the device that's actually being used. Then we can go on to location, and location could be based on IP address, it could be based on GPS location now, so you can take GPS location in. We've then got the client app, so you're coming from a browser, you're coming from a desktop, and so on. The next thing is we say, okay, you've met all these conditions, so we're going to apply this group policy to you; if you didn't meet the conditions, the policy doesn't apply. So now we've got the option of blocking your access, granting your access, or granting your access subject to certain requirements, so for instance multi-factor, the device has got to be compliant, you've got to be joined to the domain and joined to Azure AD, so various requirements that are set in. We might require that you do a password change; so for instance if a user risk has been detected we absolutely want to do a password change. We might say we would like you to agree to a particular set
of terms of use and you might have terms of use for administrators determinants of use for normal users and then you might have terms of use if you go into this application you need to sign up for different terms of use so you might have multiple terms of use that people have to agree to this is very very much a work in progress and expect to see conditional access changes as we go through it's absolutely core to zero trust it's the core setting of zero trust um you can take the signals and you can enhance them so I've already talked about um identity and session risk for that you need a P2 license you need to be using Azure ad ID identity protection if you want to bring in device compliance then you will need InTune or a third-party mdn solution of some kind um you can enhance these further with the defender products so we've got Microsoft Defender Cloud apps I'll explain a little bit more about what these guys do in a minute Defender for identity which is bringing Telemetry from on-prem and then you've got Defender for endpoint which is bringing Telemetry from the endpoints now if we decide to issue this token which allows this user to access this application the next thing we can do is bring in session controls so now we've issued a token to access SharePoint but what we can do is we can say use app enforced restrictions so now we can pass through for instance device compliance to SharePoint and SharePoint can look at the things oh that device is not compliant I'm not going to allow you in well if it's for the whole of SharePoint you might as well do it with conditional access but if it's to an individual website in SharePoint we could say oh yeah you can access this one this one and this one you don't need a compliant device but to access this site you do so we need to pass that information through to SharePoint um use conditional access app control is extremely powerful um and what that does for us is as having you know provided a token that proves the user's 
authentication to an application we actually pass the user it doesn't go directly to the application that actually passed through the Microsoft Defender for cloud apps proxy right and the proxy can look at what's going on in that session so you could be looking for file downloads you could be looking for accessing sensitive information and that is extremely powerful it really enhances uh conditional access because now we're looking at yes we've issued a token but now we're controlling what's going on in that session um you can set sign in frequency and you can also send um you know assistant um you know versus session tokens or cookies if you like in the browser so do we take the factor of assumed breach uh we've got to know what's going on in our system and we can use the defender products for doing that so Defender for identity brings instrumentation up from on-prem all right so we're getting um identity behavior from on-prem being brought into the cloud uh Microsoft Defender for endpoint enhances our endpoint protection so we can bring more information in from that uh you've got Defender for cloud which is dealing with you know your Azure workloads um and uh potentially other Cloud platforms as well Defender for cloud apps is um development for cloud apps is immensely powerful um but one of its most powerful components is the way of enhancing conditional access by being able to put in this session control so we've got the control of the session but it's immensely helpful for eliminating uh Shadow I.T finding out exactly what apps are being used in your environment and so on um Microsoft Defender for Office 365 is talking about emails links collaboration tools and so on so protecting against uh threats from emails and links the there's definitive list dependent for that dependent for something else and the problem is um each one had its own portal right now there's a attempt to unify everything through 365 Defender and this is going to be a One-Stop shop for 
absolutely all the Defenders at some point in time it's getting better and better all the time it's improving and how do we go searching how do we go threat hunting How We Do how we do art and Analytics we hopefully should be able to do it all through the Microsoft 365 Defender portal so we don't need to go off and use all the other portals question that I always get is should I still use a SIM and the answer is uh probably um because a Sim will give you that overall Global picture of not only you know what's going on exactly on-prem but going on in different clouds that you might be working with it also gives you the advantage of pulling in the event logs and bringing in all that sort of detail but um I would think about bringing in a Sim to do the overall consolidation after I'd deployed my Defender products and used my Defender products as the first you know assume breach detection um but you might well want it it depends how big your operations department is bringing Defender products is a lot of work there's a lot of learning involved and uh so you know bringing in a Sim on top of that and that would probably be uh if you go into Microsoft stable it would be Sentinel again another big piece of work now if we look at least privilege operation what we need to do is Define our our back roles we need to Define scoping for those roles as well so we're going to allow delegation over a particular set of objects if we look at identity governance P2 we get our back and privileged identity management and you will need that if you want to scope it across um uh if you're going to use administrative units um the other beautiful thing about uh the the governance package it has access packages in it which I'll talk a little bit more about second does your life cycle management it allows you also to do access reviews and then the other thing you need to think about in terms of lease privilege is managing and monitoring consent and this is where we're talking about oauth 2 
consent and we're consenting to an application having access um and it could be through a delegated uh access but we want to be very sure that we haven't over consented to things um very very typical is over consent and we need to block on that as well are back yeah there's lots and lots and lots of roles but actually what you want is our back with Pim and then you can basically give someone a administrative role scoped over a particular administrative unit and then they are eligible but not active and then you make them active they do their work and they can bring themselves down from being active to just being eligible again um so you really do need uh the P2 license so that you can do the privileged identity management um and then you've got the ability of doing access reviews now one of the particular features of governance that I really like is access packages um and if you think about your tenant it's got lots and lots and lots of resources in it you know lots of applications lots of groups lots of SharePoint sites and what we want to do is when a user joins and it might be joining the company or might be joining a project we want to be able to give that user access to certain resources and we do that by creating an access package and then in terms of the signing of the user we can have policies and we can have policy for internal users and policies for external users and you can do workflow around there approvals um if you saw my previous webinar I talked about using verified IDs to prove that maybe you've done a training course before you actually get access to a package the beauty of access packages is that they are totally designed for delegation so I can have a catalog Creator catalog Creator works for a department maybe the legal department and works out all the applications all the groups all the sites that are needed for anything to do with the legal department and places them in the catalog and then you have a maybe a case administrator and what the 
case administrator does is manages the actual access packages which are dealing with a particularly legal case and so we we delegation to the catalog manager we've got the access package managed we've got delegation and then the access package manager can assign users to access packages or in fact the users can use my access to request access themselves so um I I just it's it's really done nicely the the delegation that goes along with this now that gives you a quick serve overview of what's involved so what we need to do is make sure that we have a really rock solid identity access management system everything is being funneled through it so we can then before making a decision as to whether we're going to allow access to an app we have got the conditional access policy enforcement engine and as I say keep an eye on that because it's being enhanced on a fairly regular basis um within within uh but in terms of taking this road is check your current environment is recoverable right make sure that you've got MSA on all right get that on um and then um once you consolidate your IM you can then evaluate every request for every resource and uh make the uh apply the appropriate conditional access policies and then at least privilege Implement that and then of course assume breach um and when you're assuming breach you're going to maybe use data labeling for information protection uh you know you're adding um your chance your defenses um to you know minimize the chance of breach but user analytics to find out what's going on maybe improve protection and do automatic remediation as well um if you're interested in all things authentications uh you know registering apps in the Azure ID understanding the Federation protocols understanding where Azure AG application proxy fits in all the slightly tricky things um about Azure ad um then my identity master class is uh the one to come on and enjoy um with um you know I've been running it for years now uh constantly constantly 
constantly updating it but never had a single person that didn't really enjoy it and benefit from it and full details at learn.xdseminars.co.uk um I am so sort of convinced that you will enjoy it uh there's a money back guarantee if you have a problem uh there are some booking terms and conditions um that detail about the money back guarantee that there's no complicated it's just they said you have to turn up you have to take part in and try and yeah you know get the most out of the course um but if you're interested have a look at that as well um again um look at learn.exe seminars.co.uk for all of that information um and then what would be very useful we we spent uh or I spend actually we spend an awful lot of time um putting these things together and and what would be very very useful is if you could provide um some feedback as a QR code there um if we check the chat window um the should um uh oh yes it's got in the chat window um if you if you have a look at the link that's in there so either with a QR code or with the link um and that that really um I know it's a 59 minutes so not bad timing um so that that brings us to the end of the the webinar and uh uh I can thank you all for coming I I hope you found it a useful hour while you're hanging on beyond the art so maybe maybe it was useful I'll have to uh maybe take the Assumption it was um I you know there's so much in this subject uh you could um you've gone forever thanks for watching my channel subscribe for more free training you might like to join me for my identity masterclass hopefully see you soon [Music]
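The conditional access decision flow described in the talk (does the policy apply to principal X accessing resource Y under conditions A to G, and if so is access blocked, granted, or granted subject to requirements L to Q, with session controls attached), worked through as an added example. This is not code from the webinar or from Microsoft: it is a deliberately simplified model whose policy dictionaries loosely follow the shape of the Microsoft Graph conditionalAccessPolicy resource (conditions, grantControls, sessionControls), and whose users, groups, locations and sign-ins are all constructed. It shows the two behaviours practitioners most often get wrong: exclusions always beat inclusions, and when several policies apply a block wins while every other policy's grant controls must all be satisfied.

```python
"""Toy model of the Conditional Access decision flow from the talk.

Added example, not Microsoft code. Policy dictionaries loosely follow the
Microsoft Graph conditionalAccessPolicy shape (conditions / grantControls /
sessionControls); the evaluation is a simplified illustration, not the real
Azure AD engine. All users, groups, locations and sign-ins are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class SignIn:
    """The signals gatekeeper two sees for one authentication attempt."""
    user: str
    app: str
    groups: set = field(default_factory=set)
    roles: set = field(default_factory=set)
    user_risk: str = "none"        # "none" | "low" | "medium" | "high"
    signin_risk: str = "none"
    client_app: str = "browser"    # or e.g. "exchangeActiveSync", "other"
    location: str = "unknown"      # named location, if any


@dataclass
class Decision:
    outcome: str                   # "block" | "grant" | "not_applicable"
    applied: list                  # display names of the policies that matched
    requirements: list             # [(operator, [controls]), ...] one per policy
    session_controls: dict


def _user_in_scope(users, s):
    inc_u, inc_g, inc_r = (users.get(k, []) for k in ("includeUsers", "includeGroups", "includeRoles"))
    exc_u, exc_g, exc_r = (users.get(k, []) for k in ("excludeUsers", "excludeGroups", "excludeRoles"))
    included = "All" in inc_u or s.user in inc_u or s.groups & set(inc_g) or s.roles & set(inc_r)
    excluded = s.user in exc_u or s.groups & set(exc_g) or s.roles & set(exc_r)
    return bool(included) and not bool(excluded)   # an exclusion always wins


def _app_in_scope(apps, s):
    inc = apps.get("includeApplications", [])
    return ("All" in inc or s.app in inc) and s.app not in apps.get("excludeApplications", [])


def applies(policy, s):
    """Conditions A..G: every condition the policy names must match the sign-in."""
    if policy.get("state", "enabled") != "enabled":
        return False
    c = policy["conditions"]
    if not _user_in_scope(c.get("users", {}), s) or not _app_in_scope(c.get("applications", {}), s):
        return False
    for key, value in (("userRiskLevels", s.user_risk),
                       ("signInRiskLevels", s.signin_risk),
                       ("clientAppTypes", s.client_app)):
        if c.get(key) and value not in c[key]:   # absent key = not constrained
            return False
    loc = c.get("locations")
    if loc:
        inc_l = loc.get("includeLocations", ["All"])
        if s.location in loc.get("excludeLocations", []) or not ("All" in inc_l or s.location in inc_l):
            return False
    return True


def evaluate(policies, s):
    """Block beats grant; otherwise every applicable policy contributes requirements."""
    applied = [p for p in policies if applies(p, s)]
    names = [p["displayName"] for p in applied]
    requirements, session = [], {}
    for p in applied:
        grant = p.get("grantControls") or {}
        controls = grant.get("builtInControls", [])
        if "block" in controls:
            return Decision("block", names, [], {})
        if controls:
            requirements.append((grant.get("operator", "AND"), list(controls)))
        session.update(p.get("sessionControls", {}))
    return Decision("grant" if applied else "not_applicable", names, requirements, session)


def satisfied(decision, presented):
    """Requirements L..Q: AND needs all listed controls, OR needs any one of them."""
    if decision.outcome == "block":
        return False
    return all((all if op == "AND" else any)(ctl in presented for ctl in ctls)
               for op, ctls in decision.requirements)


# Constructed policies: block legacy clients (with a break-glass exclusion), require
# MFA + compliant device for the legal group's SharePoint access except from HQ, and
# force a password change on high user risk.
POLICIES = [
    {"displayName": "Block legacy authentication",
     "conditions": {"users": {"includeUsers": ["All"], "excludeGroups": ["break-glass"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Legal: MFA + compliant device for SharePoint, except from HQ",
     "conditions": {"users": {"includeGroups": ["legal"]},
                    "applications": {"includeApplications": ["SharePoint"]},
                    "locations": {"includeLocations": ["All"], "excludeLocations": ["HQ"]}},
     "grantControls": {"operator": "AND", "builtInControls": ["mfa", "compliantDevice"]},
     "sessionControls": {"applicationEnforcedRestrictions": {"isEnabled": True},
                         "signInFrequency": {"value": 1, "type": "days"}}},
    {"displayName": "High user risk: MFA then password change",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "userRiskLevels": ["high"]},
     "grantControls": {"operator": "AND", "builtInControls": ["mfa", "passwordChange"]}},
]

# Constructed sign-ins exercising exclusion, block precedence and stacked policies.
SAMPLE_SIGNINS = {
    "alice_sharepoint": SignIn("alice", "SharePoint", groups={"legal"}),
    "bob_legacy_mail": SignIn("bob", "Exchange", client_app="exchangeActiveSync"),
    "emergency_account": SignIn("emergency", "Exchange", groups={"break-glass"}, client_app="other"),
    "carol_risky": SignIn("carol", "SharePoint", groups={"legal"}, user_risk="high"),
    "dave_from_hq": SignIn("dave", "SharePoint", groups={"legal"}, location="HQ"),
}


def run_samples():
    return {name: evaluate(POLICIES, s) for name, s in SAMPLE_SIGNINS.items()}


if __name__ == "__main__":
    for name, d in run_samples().items():
        print(f"{name:18} {d.outcome:15} requires={d.requirements} session={sorted(d.session_controls)}")
```

Running it shows alice granted subject to MFA and a compliant device with app-enforced restrictions passed on to SharePoint, bob blocked outright, the break-glass account untouched by the legacy block, carol needing to satisfy both the legal policy and the risk policy, and dave's HQ sign-in falling outside the legal policy because of the location exclusion.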
Info
Channel: John Craddock Identity and Access Training
Views: 662
Keywords: John Craddock Identity and Access Training, Azure AD, Identity, Microsoft Entra, Cloud Deep-dive, Active Directory, Zero Trust, Conditional Access, Defender, Webinar, Least Privilege, RBAC, Access Packages, John Craddock, John_Craddock
Id: xVs5XeOKBbg
Length: 60min 28sec (3628 seconds)
Published: Mon Feb 27 2023