Every organization aims to reduce its infrastructure's attack surface, ensuring it is both secure and reliable.
In the evolving cybersecurity landscape, Identity has become the new security perimeter. A compromised user often initiates a catastrophic cyber-attack. A crucial part of this identity system is Azure Active Directory (Azure AD), a single point for authentication and authorization that’s critical to an organization's zero trust strategy.
Today, we outline some quick wins to reduce Azure AD's attack surface that require minimal testing for production rollout.
🔒Segregate productivity and cloud administration accounts - Using the same account for productivity and administration tasks puts security at risk. Deprivilege any identity used for both and create separate in-cloud administration accounts.
🔒Securely manage Emergency access accounts - Ensure you have at least two emergency access accounts created following best practices. Monitor sign-in and all audit activities using Azure AD audit logs.
🔒Multifactor Authentication for privileged accounts - As an immediate step, enforce MFA for all highly privileged users. Using MFA and conditional access policies will increase the time and cost for hackers.
🔒Zero Trust Principle for managing SaaS applications via conditional access - Always verify, use least privilege access, and assume breach. Organizations can start a pilot with apps already integrated with Azure AD.
🔒Evaluate Azure AD SSO for applications - SSO brings convenience and security to users. As a first step, consider new applications for integration.
🔒Enable Identity Governance in Azure AD - Identity governance helps define "who can access what" systematically. Start evaluating this feature for new access to be granted.
🔒Detect user and sign-in risks via Azure AD Identity Protection - Identity Protection helps determine user and sign-in risk, enabling organizations to make appropriate decisions.
🔒Enforce least privilege via Azure RBAC - Over-privileged identities are often seen in compromise scenarios. Privileged Identity Management (PIM) provides time-bound access, adding additional controls and context when activating a role.
🔒Eliminate weak passwords using Password Protection - Azure AD password protection allows an organization to prevent the use of weak passwords.
🔒Restrict user consent - Users can grant permissions to applications to access a protected resource using consent. Microsoft recommends restricting user consent for verified applications only.
🔒Continuous Monitoring of Azure AD and connected systems - Monitoring is critical since Identity systems are the backbone of the infrastructure.
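As an added example that is not part of the original post, the following Python turns three of the quick wins above (monitoring emergency access accounts, MFA for privileged accounts, and keeping administration separate from productivity) into detections run over constructed sign-in records that use the Azure AD SigninLogs column names. The account lists, app names and log records are assumptions invented for the example.

```python
import json

# Constructed sign-in records using SigninLogs column names; the UPNs,
# apps and values are invented for this example (ResultType "0" = success).
SAMPLE_SIGNIN_LOGS = [
    {"UserPrincipalName": "breakglass1@contoso.example", "AppDisplayName": "Azure Portal",
     "AuthenticationRequirement": "multiFactorAuthentication", "ResultType": "0"},
    {"UserPrincipalName": "adm-alice@contoso.example", "AppDisplayName": "Azure Portal",
     "AuthenticationRequirement": "singleFactorAuthentication", "ResultType": "0"},
    {"UserPrincipalName": "adm-alice@contoso.example", "AppDisplayName": "Office 365 Exchange Online",
     "AuthenticationRequirement": "multiFactorAuthentication", "ResultType": "0"},
    {"UserPrincipalName": "bob@contoso.example", "AppDisplayName": "Office 365 Exchange Online",
     "AuthenticationRequirement": "singleFactorAuthentication", "ResultType": "50126"},
]

# Assumed inventories; a tenant would load these from its own records
# (emergency access accounts and PIM role assignments).
EMERGENCY_ACCOUNTS = {"breakglass1@contoso.example", "breakglass2@contoso.example"}
PRIVILEGED_ACCOUNTS = {"adm-alice@contoso.example"}
PRODUCTIVITY_APPS = {"Office 365 Exchange Online", "Office 365 SharePoint Online", "Microsoft Teams"}


def evaluate_signins(records, emergency=EMERGENCY_ACCOUNTS, privileged=PRIVILEGED_ACCOUNTS):
    """Return one finding per quick-win violation observed in the sign-in records."""
    findings = []
    for rec in records:
        upn = rec.get("UserPrincipalName", "").lower()
        app = rec.get("AppDisplayName", "")
        success = rec.get("ResultType") == "0"
        mfa = rec.get("AuthenticationRequirement") == "multiFactorAuthentication"
        # Emergency accounts are reserved for break-glass use: every attempt,
        # successful or not, is reviewed.
        if upn in emergency:
            findings.append({"rule": "emergency_account_used", "user": upn, "app": app})
        # A privileged account that completed a sign-in with a single factor
        # means the MFA conditional access policy did not apply.
        if upn in privileged and success and not mfa:
            findings.append({"rule": "privileged_signin_without_mfa", "user": upn, "app": app})
        # A privileged account reaching productivity workloads indicates the
        # same identity is used for both administration and daily work.
        if upn in privileged and success and app in PRODUCTIVITY_APPS:
            findings.append({"rule": "admin_account_used_for_productivity", "user": upn, "app": app})
    return findings


if __name__ == "__main__":
    for finding in evaluate_signins(SAMPLE_SIGNIN_LOGS):
        print(json.dumps(finding))
```

The same three conditions translate directly into a KQL query over the SigninLogs table once the logs are forwarded to Log Analytics or a SIEM.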
Want to learn more? 💡
MS Docs: https://learn.microsoft.com/en-us/azure/security/fundamentals/identity-management-best-practices
#CyberSecurity #AzureAD #ZeroTrust #Microsoft #Microsoft365 #SIEM #XDR #MicrosoftSecurity #MSPartnerUK #Azure #SOC #identitysecurity
Which one of these wins requires an upgrade from E3 to E5?