Security

Microsoft Entra ID Protection

Microsoft Entra offers a comprehensive set of security features to protect your organization's data and resources. One of these features is ID Protection, which helps you secure your users' identities and prevent unauthorized access to your organization's data. Here are some key benefits of using ID Protection in Microsoft Entra:

  • Multi-factor authentication (MFA): ID Protection enables you to enforce multi-factor authentication for all users in your organization. This adds an extra layer of security to your users' accounts and helps prevent unauthorized access.

  • Conditional access policies: With ID Protection, you can create conditional access policies that define the conditions under which users can access your organization's resources. For example, you can require users to use multi-factor authentication when accessing sensitive data or restrict access to certain applications based on the user's location.

  • Risk-based policies: ID Protection uses advanced machine learning algorithms to detect suspicious activities and risky sign-in attempts. You can create risk-based policies that automatically block or allow access based on the risk level associated with the sign-in attempt.

  • Identity protection reports: ID Protection provides detailed reports and insights into your organization's identity security posture. You can use these reports to identify security risks, monitor user activity, and take proactive measures to protect your organization's data.

By using ID Protection in Microsoft Entra, you can enhance the security of your organization's data and resources and protect your users' identities from cyber threats. If you want to learn more about ID Protection and other security features in Microsoft Entra, contact us today!

I hope this helps!

Security Score System

The Common Vulnerability Scoring System (CVSS) is a framework for scoring the severity of security vulnerabilities. It provides a standardized method for assessing the impact of vulnerabilities and helps organizations prioritize their response to security threats. In this article, we will discuss the CVSS and how it can be used to calculate the severity of security vulnerabilities.

What is CVSS?

The Common Vulnerability Scoring System (CVSS) is an open framework for scoring the severity of security vulnerabilities. It was developed by the Forum of Incident Response and Security Teams (FIRST) to provide a standardized method for assessing the impact of vulnerabilities. CVSS assigns a numerical score to vulnerabilities based on their characteristics, such as the impact on confidentiality, integrity, and availability, and the complexity of the attack vector.

CVSS is widely used by security researchers, vendors, and organizations to prioritize their response to security threats. It helps organizations understand the severity of vulnerabilities and allocate resources to address the most critical issues first.

How is CVSS calculated?

In CVSS Version 4.0, vulnerabilities are scored on a scale of 0.0 to 10.0, with 10.0 being the most severe. The CVSS score is calculated from several metric groups:

  • Base metric group: The Base metric group represents the intrinsic characteristics of a vulnerability that are constant over time and across user environments. It is composed of two sets of metrics: the Exploitability metrics and the Impact metrics.

  • Threat metric group: The Threat metric group reflects the threat-related characteristics of a vulnerability that may change over time but not necessarily across user environments.

  • Environmental metric group: The Environmental metric group represents the characteristics of a vulnerability that are relevant and unique to a particular user's environment.

  • Supplemental metric group: The Supplemental metric group includes metrics that provide context and that describe and measure additional extrinsic attributes of a vulnerability.

CVSS Version 4.0 Metrics

Base Metrics

The Base metric group includes the following metrics:

  • Exploitability Metrics: These metrics describe the characteristics of the vulnerability that affect how easy it is to exploit. They include Attack Vector (AV), Attack Complexity (AC), Privileges Required (PR), and User Interaction (UI).
  • Vulnerable System Impact Metrics: These metrics describe the impact on the vulnerable system itself if the vulnerability is exploited. They include the Confidentiality (VC), Integrity (VI), and Availability (VA) impacts.
  • Subsequent System Impact Metrics: These metrics describe the impact on systems other than the vulnerable one if the vulnerability is exploited. They include the Confidentiality (SC), Integrity (SI), and Availability (SA) impacts.

Exploitability Metrics

  • Attack Vector (AV): This metric describes the context in which the vulnerability is exploited. It can be Local (L), Adjacent Network (A), Network (N), or Physical (P).
  • Attack Complexity (AC): This metric describes the complexity of the attack required to exploit the vulnerability. It can be either Low (L) or High (H).
  • Privileges Required (PR): This metric describes the level of privileges required to exploit the vulnerability. It can be None (N), Low (L), or High (H).
  • User Interaction (UI): This metric describes whether user interaction is required to exploit the vulnerability. It can be either None (N) or Required (R).

Vulnerable System Impact Metrics

  • Confidentiality Impact (VC): This metric measures the impact on the confidentiality of the information managed by the vulnerable system due to a successful exploit of the vulnerability. It can be Low (L), High (H), or None (N).

  • Integrity Impact (VI): This metric measures the impact on the integrity of the information managed by the vulnerable system due to a successful exploit of the vulnerability. It can be Low (L), High (H), or None (N).

  • Availability Impact (VA): This metric measures the impact on the availability of the services of the vulnerable system due to a successful exploit of the vulnerability. It can be Low (L), High (H), or None (N).

Subsequent System Impact Metrics

  • Confidentiality Impact (SC): This metric measures the impact on the confidentiality of the information managed by the Subsequent System due to a successful exploit of the vulnerability. It can be Low (L), High (H), or None (N).
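To make the Base metric groups concrete, here is an added example (not code from the original post) that parses a CVSS v4.0 vector string, validates every mandatory Base metric and its value, and groups the result into the Exploitability, Vulnerable System Impact and Subsequent System Impact sets described above. The allowed values follow the CVSS v4.0 specification, which also defines Attack Requirements (AT) and the User Interaction values Passive (P) and Active (A) that the list above does not cover.

```python
# Added example (not the post's own code); values follow the CVSS v4.0 spec, which adds AT and UI:P/A to the list above.
BASE_METRICS = {
    "AV": ("N", "A", "L", "P"),  # Attack Vector: Network, Adjacent, Local, Physical
    "AC": ("L", "H"),            # Attack Complexity
    "AT": ("N", "P"),            # Attack Requirements: None, Present
    "PR": ("N", "L", "H"),       # Privileges Required
    "UI": ("N", "P", "A"),       # User Interaction: None, Passive, Active
    "VC": ("H", "L", "N"),       # Vulnerable System Confidentiality / Integrity / Availability
    "VI": ("H", "L", "N"),
    "VA": ("H", "L", "N"),
    "SC": ("H", "L", "N"),       # Subsequent System Confidentiality / Integrity / Availability
    "SI": ("H", "L", "N"),
    "SA": ("H", "L", "N"),
}
GROUPS = {
    "exploitability": ("AV", "AC", "AT", "PR", "UI"),
    "vulnerable_system_impact": ("VC", "VI", "VA"),
    "subsequent_system_impact": ("SC", "SI", "SA"),
}

def parse_cvss4_base(vector: str) -> dict:
    """Group the mandatory, ordered Base metrics by metric group; raise ValueError on a bad
    vector. Threat/Environmental/Supplemental components after them are accepted and ignored."""
    prefix, *components = vector.strip().split("/")
    if prefix != "CVSS:4.0":
        raise ValueError(f"unsupported version prefix: {prefix!r}")
    metrics = {}
    for expected, item in zip(BASE_METRICS, components):
        name, sep, value = item.partition(":")
        if sep != ":" or name != expected:
            raise ValueError(f"expected {expected} but found {item!r}")
        if value not in BASE_METRICS[name]:
            raise ValueError(f"illegal value {value!r} for {name}")
        metrics[name] = value
    if len(metrics) < len(BASE_METRICS):
        raise ValueError("vector is missing mandatory Base metrics")
    for item in components[len(BASE_METRICS):]:
        if item.partition(":")[0] in BASE_METRICS:
            raise ValueError(f"duplicate Base metric in {item!r}")
    return {group: {m: metrics[m] for m in names} for group, names in GROUPS.items()}

def affects_subsequent_systems(parsed: dict) -> bool:
    # True when the exploit impacts systems beyond the vulnerable one (any of SC/SI/SA != N).
    return any(v != "N" for v in parsed["subsequent_system_impact"].values())

def is_valid_cvss4_base(vector: str) -> bool:
    try:
        return bool(parse_cvss4_base(vector))
    except ValueError:
        return False
```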

Restrict managed disks from being imported or exported

In this post, I will show you how to restrict managed disks from being imported or exported in Azure.

What are managed disks?

Azure Managed Disks are block-level storage volumes that are managed by Azure and used with Azure Virtual Machines. Managed Disks are designed for high availability and durability, and they provide a simple and scalable way to manage your storage.

If you don't know anything about Azure Managed Disks, grab a cup of coffee (it will take you a while) and read the official documentation to learn more about them.

Why restrict managed disks from being imported or exported?

There are several reasons to restrict managed disks from being imported or exported:

  • Security: By restricting managed disks from being imported or exported, you can reduce the risk of unauthorized access to your data.
  • Compliance: By restricting managed disks from being imported or exported, you can help ensure that your organization complies with data protection regulations.

How to restrict managed disks from being imported or exported

At deployment time

An example with azcli:

```bash
## Create a managed disk with public network access disabled
az disk create --resource-group myResourceGroup --name myDisk --size-gb 128 \
  --location eastus --sku Standard_LRS --no-wait --public-network-access disabled
```

Create a managed disk with public network access disabled and a private endpoint enabled:

Follow Azure CLI - Restrict import/export access for managed disks with Private Links

At Scale

If you want to restrict managed disks from being imported or exported, you can use Azure Policy to enforce this restriction. Azure Policy is a service in Azure that you can use to create, assign, and manage policies that enforce rules and effects over your resources. By using Azure Policy, you can ensure that your resources comply with your organization's standards and service-level agreements.

To restrict managed disks from being imported or exported using Azure Policy, you can use or create a policy definition that specifies the conditions under which managed disks can be imported or exported. You can then assign this policy definition to a scope, such as a management group, subscription, or resource group, to enforce the restriction across your resources.

In this case there is a built-in policy definition that restricts managed disks from being imported or exported: Configure disk access resources with private endpoints.
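As an added example (not the post's own and not one of the built-in definitions), here is a custom Azure Policy definition that audits or denies any managed disk whose public network access is not disabled, together with a small evaluator that shows which of a few constructed sample resources the rule would flag. It assumes the policy alias Microsoft.Compute/disks/publicNetworkAccess maps to the disk's properties.publicNetworkAccess value.

```python
# Added example (not the post's own): a custom Azure Policy definition that denies any managed disk
# whose public network access is not disabled, plus a toy evaluator run over constructed resources.
# Assumed alias: Microsoft.Compute/disks/publicNetworkAccess -> properties.publicNetworkAccess.
DISK_PUBLIC_ACCESS_POLICY = {
    "mode": "Indexed",
    "parameters": {"effect": {"type": "String", "allowedValues": ["Audit", "Deny", "Disabled"],
                              "defaultValue": "Deny"}},
    "policyRule": {
        "if": {"allOf": [
            {"field": "type", "equals": "Microsoft.Compute/disks"},
            {"field": "Microsoft.Compute/disks/publicNetworkAccess", "notEquals": "Disabled"},
        ]},
        "then": {"effect": "[parameters('effect')]"},
    },
}

def resolve_field(resource: dict, field: str):
    """Map a policy field to a value in an ARM-style resource document."""
    if field == "type":
        return resource.get("type")
    # A "<resource type>/<property>" alias selects properties.<property>; nested aliases are not handled.
    return resource.get("properties", {}).get(field.rsplit("/", 1)[-1])

def matches_rule(resource: dict, condition: dict) -> bool:
    """Evaluate the allOf / equals / notEquals subset of the policy language used above."""
    if "allOf" in condition:
        return all(matches_rule(resource, c) for c in condition["allOf"])
    value = resolve_field(resource, condition["field"])
    if "equals" in condition:
        return value == condition["equals"]
    if "notEquals" in condition:
        return value != condition["notEquals"]
    raise ValueError(f"unsupported condition: {condition}")

def non_compliant(resources: list, policy: dict = DISK_PUBLIC_ACCESS_POLICY) -> list:
    """Names of resources the policy's 'if' block matches, i.e. those it would audit or deny."""
    return [r["name"] for r in resources if matches_rule(r, policy["policyRule"]["if"])]

# Constructed sample inventory; in practice it would come from `az disk list`.
SAMPLE_RESOURCES = [
    {"name": "disk-private", "type": "Microsoft.Compute/disks",
     "properties": {"publicNetworkAccess": "Disabled", "networkAccessPolicy": "AllowPrivate"}},
    {"name": "disk-public", "type": "Microsoft.Compute/disks",
     "properties": {"publicNetworkAccess": "Enabled", "networkAccessPolicy": "AllowAll"}},
    {"name": "vm-unrelated", "type": "Microsoft.Compute/virtualMachines", "properties": {}},
]

if __name__ == "__main__":
    print("non-compliant:", non_compliant(SAMPLE_RESOURCES))  # ['disk-public']
```

The DISK_PUBLIC_ACCESS_POLICY dict is the JSON body you would pass to `az policy definition create --rules`, with `mode` and `parameters` supplied alongside it.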

Conclusion

In this post, I showed you how to restrict managed disks from being imported or exported in Azure. By restricting managed disks from being imported or exported, you can reduce the risk of unauthorized access to your data and help ensure that your organization complies with data protection regulations.

Curiously, restricting managed disks from being imported or exported is not a compliance check in the Microsoft cloud security benchmark, but it is a good practice to follow.

Privileged Access Management (PAM) Strategy with Microsoft Entra ID and some Azure Services

Today, I'd like to share a brief summary of a Privileged Access Management (PAM) strategy recommended by other vendors, mapped to Microsoft Entra ID and some Azure services. This strategy is divided into seven phases:

```mermaid
graph LR;
    A[Phase 1: Set Policy]
    C[Phase 2: The Process of Discovery]
    E[Phase 3: Protect Credentials]
    G[Phase 4: Secure Privileged Access]
    I[Phase 5: Least Privilege]
    K[Phase 6: Control All Applications]
    M[Phase 7: Detect and Respond]

    A-->C
    C-->E
    E-->G
    G-->I
    I-->K
    K-->M
    M-->A

    classDef phase fill:#f9f,stroke:#333,stroke-width:2px;
    class A,C,E,G,I,K,M phase;
```

Info

Be hybrid, be secure with a single control plane: use Azure Arc to inherit the same security and compliance policies across your on-premises, multi-cloud, and edge environments as in Azure.

Phase 1: Set Policy

The first step in any PAM strategy is to establish a clear policy. This policy should define who has access to what, when they have access, and what they can do with that access. It should also include guidelines for password management and multi-factor authentication. For example:

  • Define clear access control policies.
  • Establish guidelines for password management and multi-factor authentication.
  • Regularly review and update the policy to reflect changes in the organization.

How to implement this:

  • Use Azure Policy to define and manage policies for your Azure environment.
  • Use Microsoft Entra multifactor authentication for implementing multi-factor authentication.

Phase 2: The Process of Discovery

In this phase, we identify all the privileged accounts across the organization. This includes service accounts, local administrative accounts, domain administrative accounts, emergency accounts, and application accounts. For example:

  • Use automated tools to identify all privileged accounts across the organization.
  • Regularly update the inventory of privileged accounts.
  • Identify any accounts that are no longer in use and deactivate them.

How to implement this:

  • Use Microsoft Entra Privileged Identity Management to discover, restrict and monitor administrators and their access to resources and provide just-in-time access when needed.

Phase 3: Protect Credentials

Once we've identified all privileged accounts, we need to ensure that these credentials are stored securely. This could involve using a secure vault, regularly rotating passwords, and using unique passwords for each account. For example:

  • Store credentials in a secure vault.
  • Implement regular password rotation.
  • Use unique passwords for each account.

How to implement this:

  • Use Azure Key Vault to safeguard cryptographic keys and other secrets used by your apps and services and rotate secrets regularly.
  • Implement Microsoft Entra ID Password Protection to protect against weak passwords that can be easily guessed or cracked.

Phase 4: Secure Privileged Access

Securing privileged access involves implementing controls to prevent unauthorized access. This could include limiting the number of privileged accounts, implementing least privilege, and using just-in-time access. For example:

  • Limit the number of privileged accounts.
  • Implement just-in-time access, where access is granted only for the duration of a task.
  • Use session recording and monitoring for privileged access.

How to implement this:

  • Use Microsoft Entra ID Conditional Access to enforce controls on the access to apps in your environment based on specific conditions.
  • Implement Microsoft Entra Privileged Identity Management for just-in-time access.

Phase 5: Least Privilege

The principle of least privilege involves giving users the minimum levels of access — or permissions — they need to complete their job functions. By limiting the access rights of users, the risk of a security breach is reduced. For example:

  • Implement role-based access control (RBAC) in Azure to grant the minimum necessary access to users.
  • Regularly review user roles and access rights.
  • Implement a process for revoking access when it's no longer needed.

How to implement this:

  • Implement Role-Based Access Control (RBAC) in Azure to grant the minimum necessary access to users.
  • Use Microsoft Entra ID Access Reviews to efficiently manage group memberships, access to enterprise applications, and role assignments.

Phase 6: Control All Applications

In this phase, we ensure that all applications, whether on-premises or in the cloud, are controlled and monitored. This includes implementing application control policies and monitoring application usage. For example:

  • Implement application control policies that dictate what applications can be run on systems.
  • Monitor application usage and block unauthorized applications.
  • Regularly update and patch all applications to reduce vulnerabilities.

How to implement this:

  • Use Microsoft Entra Application Proxy to control and secure access to on-premises and cloud apps.
  • Enable Change Tracking and Inventory in Azure Automation to track changes to your Azure VMs. Use desired state configuration to ensure that your VMs are configured correctly.
  • Implement Microsoft Intune to manage and secure your devices and applications.

Phase 7: Detect and Respond

The final phase involves setting up systems to detect and respond to any suspicious activity. This could involve setting up alerts for unusual activity, regularly auditing access logs, and having a response plan in place for when a breach occurs. For example:

  • Set up alerts for unusual activity.
  • Regularly audit access logs.
  • Have a response plan in place for when a breach occurs, including steps for containment, eradication, and recovery.

How to implement this:

  • Use Microsoft Defender for Cloud for increased visibility into your security state and to detect and respond to threats.
  • Implement Azure Sentinel, Microsoft's cloud-native SIEM solution, for intelligent security analytics.

By following these seven phases, you can create a robust PAM strategy that protects your organization from security breaches and helps you maintain compliance with various regulations.

Remember, a good PAM strategy is not a one-time effort but an ongoing process that needs to be regularly reviewed and updated. Microsoft and Azure services provide a robust set of tools to help you implement and manage your PAM strategy effectively.