Azure AD Security Best Practices Explored | BeyondTrust

Of course, it’s a cloud-based product, SaaS-based product, that fully audits itself. It does this idea of continuous discovery. So just like you pressing that refresh button, Randy, we’re constantly going out and looking, Hey, any new users? Any new groups? Any new roles that we should be aware of? So that we get a good understanding and can give you recommendations on how to get to the principle of least privilege. One of the things we say is, let’s get rid, let’s get to zero standing privileges. So, a user is a user is a user, and when they need something special, you can assign them something special. So, what I’d like to do, is give you guys, if I’m sharing my screen… Randy, can you confirm you can see my BeyondInsight?

Randy:

Yep. You look good.

Tim:

Okay. So, I’ve logged into Cloud Privilege Broker here, and we’ve tried to make it purposefully very simple and high level. We go through and we parse. Let’s stick to Azure. We’ll go through and collect all those roles, collect all those users, collect all those groups, and understand, what’s a human, what’s a machine account, and pull those things down, build our own internal kind of graph of what’s going on, and then assign risk scores based on what people have and what they’ve used. And that’s critical for us, is if somebody’s assigned a permission and not using it, that’s a security hole, don’t you think, Randy?

Randy:

Yep. There’s a bunch of issues here. But for sure there, yeah.

Tim:

Yeah. So, we’re assigning risk on an individual user level, and then boiling that up so that we keep track of what’s going on in your environment. And you get kind of a quick view of how I am tracking over time. You’ll see, as we process that graph of users and permissions, we’re going to make some recommendations for you. And we call them recommendations, because today it’s not the easy button. We have to be very cautious with Cloud, because as you push out new permissions, you want to make sure there’s no unintended consequences. So, we make recommendations.

So, one of the simple ones is MFA. Here’s an account where John Doe, he didn’t have MFA assigned. And we’ll tell you how to go enable that. This is an AWS recommendation, but we’ll tell you how to go enable that, and then you can go mark as completed. One of the things I did earlier was, as part of the recommendations we do, we’ll see users with a ton of permissions. Here’s somebody in Azure. It’s a Cloud monitoring service account. So let me go in and see what permissions they have. So, they’ve got permissions. And what I’m recommending here, what I’m showing you here, is these are unused permissions. So, we’ve combed through all the activity that’s happened on this user account, and then seen what they’ve done. And if they’re not using permissions, the idea is let’s pull them. And so, here’s the list of permissions assigned to this role that haven’t been used in the last three months. So, we’ll go through and give you steps.

Now here, under enable MFA, is a simple check box. But here, where we’re saying you should go remove some permissions, we’ll give you an actual custom role definition that you can copy to your clipboard. And you’ll notice there are a couple of policies here, because this user acts in a couple of different groups and roles. So, we give you the recommendation. You can copy it out of here and paste it directly in. The idea is that as we get more and more confident over time, and we use more of our AI, that we’ll be able to move ahead and allow you to use the easy button and say, I trust you, go ahead and make that change. But early in the product, I really want us to be more in an advisor role, because we don’t want to be responsible for telling you, you didn’t know about this exception, so therefore you did something wrong. So let me go back and close this panel here.

One of the things I do like to show people is, if we’re focused on Azure, I can go and look by particular principal types. So, I can say, just show me service accounts in Azure. And if they’ve got too many permissions, I see this, the Cloud monitor piece that we looked at earlier is very high, and the mainland team, they have a set of permissions that I can go see again. It looks like a lot of IAM permissions that they got assigned, that they really aren’t using, so it’s probably safer if I go and resolve that and remove that. You also have the capability here to ignore that recommendation. So, I’ll get rid of my filters here, and go back to my full list of recommendations. Let’s go back up to the top.

The simplicity of what I’ve shown you here kind of understates what’s going on in the background. We’ve tried to make this purposefully simple and light. You can view all your recommendations. You can see what other people have done to fix recommendations. So, here’s a user, Adam Smith, that the administrator went in and set the enablement or enabled his multifactor authentication to be on. I can show just the system that went in and completed those removed permissions. And for those that really want to drill down and know more about what’s going on, we can go into a system activity dashboard, and we can show you where people are logging in from and using Cloud Privilege Broker to understand their environment, look at who’s over privileged or underprivileged. I can see who the users of Cloud Privilege Broker are.

So, it’s a little bit more about care and feeding of Cloud Privilege Broker, but we want you to have the capability to know who’s in here, and who’s doing things through Cloud Privilege Broker. You can go in and create your own custom dashboards. We have a bunch of different tiles, and we’ll be adding more over time. And so, this runs inside your… so this is a SaaS application, and again, back up at the top, the idea is to kind of build that graph. Know who’s in your environment, know what they’re capable of doing, but almost more importantly, know what they are using, so that you can get even more secure by removing unused permissions, and shrink that attack surface down.

Really simple to connect to your environment. You create a Cloud connector. And personally, I’m not going to go create one today. You can see some connectors here. Let me change my screen size here. I’ll look at this connector. I know the one that failed a scan is on a user that is no longer permissioned to do this. So, you go in, you create the connector, you provide the client secret, you run a test and then you save your cloud connector. And it’ll go out and it’ll start to do that parsing. It’s going to slurp down the thing that I talked about, users, groups, roles, understand who’s doing what, where, what permissions are they using?

So, all in all, we want to help customers get a better handle around the permissions or entitlements that are out there in the Cloud. And that visibility of understanding who has access to what, can really give you some insights into how to reduce that attack surface. So that’s kind of the end of my demo and brings it back to our poll. Randy, would you push out that poll?

Randy:

Yes, absolutely. So, there you go. If you’d like to contact BeyondTrust for a demo or anything else. I’ve got some good Q&A here to cover while we’re at it. And this is what I was wondering too. Doug says, what is the logging that tells us who did what, and when, and with what privilege? Tim?

Tim:

Let me see that. Where is the logging that tells us who did what? So, in Azure, and I always get these confused. One is CloudWatch and the other is CloudTrail. So, both Microsoft and AWS do a very good job of auditing everything a user’s doing. And what we are doing is pulling down those audit logs, teasing out the, this GUID, going to this object GUID, using this GUID permissions, doing all that translating to build that graph. So, we’re pulling that down.

One of the recommendations we have is a review permission. So, I showed you the remove permissions, there’s also a review permission. So, say I have a Randy Franklin Smith in my directory, and I’ve enabled you to go use the Cloud, and three months have gone by and you haven’t done a single thing in the Cloud, we ask you to review that user, rather than go remove all of his permissions. Because it’s probably not a great thing to go just delete Randy Franklin Smith, because he’s not using the Cloud. We want to make sure that he understands how he can get up there, what he can do, and what applications he has access to. So, I hope that answered your question.

Randy:

And I’ve got one. You’d mentioned, hey, it’s showing us these users aren’t using their permissions. How do you determine if they’re using them or not?

Tim:

Those audits. So, every time you use a permission, just like when you went in and saw the event that said group created, of course, there’s an audit event that says, Randy Franklin Smith created a group with this name at this time, from this IP address, using this permission.

Randy:

Okay.

Tim:

So, we look at those audit events, and slurp those up, and build that graph.

Randy:

That’s fantastic.

Tim:

Yeah.

Randy:

Bob asked, what type of permissions is required in your tenant for this to run? So, what kind of access are they giving you, right?

Tim:

Right. It’s mainly read. Then that’s why, one of the things that we didn’t want to do, and I said we’re kind of in an advisement role, we don’t have write capabilities. So, this is all read users, read roles, pull down the audit events, kind of permission. So, we’ve got a fairly detailed list of the exact entitlements that we require to run Cloud Privilege Broker, but I will say we intentionally made it very light and very read focused.

Randy:

Right. For good reason.

Tim:

Yeah.

Randy:

Mike asks, so is this hosted at BeyondTrust only? So, he must be asking like what Cloud, where does this run, right?

Tim:

Right. It is a SaaS application, so it’s not something that runs within your tenant. It runs at BeyondTrust. It’s all secure at BeyondTrust. We’ve got a full Cloud security team that’s running our Cloud Privilege Broker, and you get your tenant at BeyondTrust, and that belongs to you, and that is how we allow companies to use the SaaS app. So, it’s very similar to other SaaS apps like this.

Randy:

All right. Troy asks, commercial and government environments in Azure too? So, I think, I’m not sure, it looks like a follow on to another question, but I don’t see his original question, so I don’t know if… Troy, maybe throw that question at us again with a little more context? Go ahead.

Tim:

I think the short answer for Troy is, we are not in government Cloud today. So that is something that’s on our roadmap longer term. The first one is more commercial Azure, commercial AWS.

Randy:

Tommy asks… this is a great question, Tommy. How can you determine if you have multiple Azure accounts? And so, Tommy, that’s like asking other questions, like how many VPNs do we have?

Tim:

Yeah.

Randy:

Even how many forests do we have? There is no single place you can go to get a list of all your forests, because they’re completely independent objects. So, this is very much a policy, and a matter of having accounts payable be able to show you all of the Microsoft charges. If you think maybe you’ve lost control and don’t know about some Azure or Microsoft tenants out there, you’ve got to use things like… well, we know where money is going out, right? So, what are all the credit cards or other transactions being paid to Microsoft, and whittle it down from there.

Tim:

Right.

Randy:

Microsoft can’t even tell you how many Azure AD accounts you have unless you’ve already linked them together.

Tim:

Right. And not to put too fine a point on it, but as the example I was using earlier, of the marketing department that subscribes to some Azure based SaaS app, if they put in their credit card and it’s coming to the marketing department, I guess that ultimately it would come through accounts payable. So, there’s probably some reconciliation there. But it’s not always the case that you can find out that you have multiple accounts. It does take a little footwork but putting all those accounts in here lets you manage all those accounts from Cloud Privilege Broker.

Randy:

Yep. Let’s see here. Dooson asks, is BeyondTrust licensed by the number of security principals in AD, or what’s the metric?

Tim:

So, what we license by is the number of subscriptions. So, if we’re talking about Azure, it’s subscriptions in Azure, it’s accounts in AWS.

Randy:

All right. Roy asks… let me just close that. Roy asks, can BeyondTrust products audit authorized administrator actions, for instance detecting if an administrator deletes an important object, can we trace who did it and when?

Tim:

Absolutely. We don’t separate out the administrator access, and we show you all the access. We’re keeping track of every action that people take against the directory, the groups, the roles, and we can present all that to you, and you’ve got a full audit trail. And just like I was filtering and sorting there, you can go in and say, show me what Barry did… There we go.

Randy:

Cool.

Tim:

Get rid of that. Today, the way it’s done is looking through the system activity and… shoot, now I’m drawing a blank because there’s a way you can… oh, there we go. Add the tile for log activity, and you can go in and see.

Randy:

I see logs.

Tim:

Yeah. So, you get the log activity, and you can parse through that. And I’m having some issue here that the tile is not… there we go. View all, there it is. So, you get this viewer, and you can go through, for the last 24 hours. Let me see for the last 90 days, what’s happened on a particular machine name, and then it’ll filter down. So, if you know the machine name, if you know other things about the event or the particular exception that happened, you can filter down to what happened on this machine, and then you’ll get the event that shows you where that came in and what’s happened.

Randy:

All right. We’ve got some more for you. Matt asks, can BeyondTrust help untangle our mix of OnPrem and online RBAC, role based access control models? We’ll be tied to OnPrem for many years to come.

Tim:

Yeah. Let me tell you, the sales answer is always yes. But Cloud Privilege Broker is focused solely on Cloud, but we can also help with the OnPrem side using our other products as well.

Randy:

Yeah. Now Troy says, can BeyondTrust Cloud access be used with traditional PAM tools? I’m not sure where the integration would be there. Can you think of a scenario?

Tim:

Well, yeah, because that is something that’s on our roadmap, is how do we look at things like session management? Let’s look, what’s a live session, and can we put constraints around those. And console access, Azure AD administrative access to that console, can we broker that through Cloud Privilege Broker? That’s one of the things that’s, again, in our more longer term roadmap, that we want to help people put constraints around, so that they get to that principle of least privilege and they can remove those standing privileges so that not everybody has rights to log into the Azure AD console and create groups and roles and follow the Randy Franklin Smith method of going through and creating user groups and roles.

Randy:

Justin asked, do you have a UK tenant?

Tim:

Today, customers are in US East. We don’t have a customer yet in the UK. It’s fairly easy for us to spin this up in different areas of the world. So shouldn’t be a problem. We don’t have one today, but we have the capability to do it fairly quickly and easily.

Randy:

Jamal asks, does your CPB integrate with CASB?

Tim:

It does not. This is a new product for us. I’m going to make a note of that, because I think that’s a question that I will get more and more often. And while I don’t have a great answer for you today, it’s something I would like to investigate more and find out what’s the best way to integrate with CASB.

Randy:

So, Ronald asked me, quite a while back, can an object be in more than one administrative unit, and my gut reaction was no, but I’ve got to test it. And guess what? Yeah, you absolutely can put an object into multiple AUs. And it is pretty simple. It’s not as big of a deal as what you might have thought, it’s just the permissions are additive, right? So, if we put Bob in an administrative unit called US, and we give the US help desk password reset authority over that. And if we also put Bob in like a department called marketing and we give somebody else authority also to reset passwords, just over marketing people, if for whatever odd reason we wanted to, then both of those would apply. Brian says, that’s the beauty of AUs, they’re not so restricting like OnPrem use. Okay, I’ll go along with that.

Tim:

Yep.

Randy:

Let’s see here. William asks about FedRAMP certification. Is that on your radar?

Tim:

It is on our radar. Currently, my thinking is probably towards the end of this year, maybe early next. BeyondTrust as a company, we have products that are FedRAMP certified, and it’s expected that this will also get that. But as you know, as probably most of the people that work in FedRAMP know, you submit your completed application. So as this application grows throughout this year, that’s more likely what we want to do, a fuller featured, next version will be FedRAMP certified.

Randy:

All right. Dan, quite a while back, said let me complicate this. We’re a higher ed organization. We use Azure, Gmail. He doesn’t mention AWS, I’m surprised. And Microsoft Office 365 is their centralized security management solution. And so, I mean, that’s what you guys are aiming to do, right?

Tim:

Yes. But I need to be fully transparent here. Today, we do Azure and AWS. We don’t do GCP today.

Randy:

Well, the other four customers that use GCP will be disappointed about that. No, just kidding. Let’s see here. I’m sure I’ll get some flak for that. I know there’s more than five people out there using GCP.

Tim:

I have seen the growth of Google Cloud for production. It used to be the realm of development. Let’s play around in the cloud, and we’ll use GCP. It’s cheap. It’s easy. But I have seen even some larger customers start to get into production uses of GCP as well. So, it’s something we have on our radar as well.

Randy:

Hey, Tim, Michael has a question about a different BeyondTrust product. I’ll just let you look at that once we send you the data and get back to Michael on that later. Scott asked, with privileged access for our Azure AD, do you have to have Azure premium? I think everything we showed you today… Oh wait, you answered that question, Tim.

Tim:

I did. But I think it’s worthwhile to give your take on it. My response was anything we talked about today, you don’t require anything higher than… I think he said he had like an E3. As you move up and pay Microsoft more, you get more tools and more Microsoft expertise and intelligence around how they can help you do that. So, you get things like PIM, right?

Randy:

Right. Yeah. So, I totally go along with that. I don’t think we showed you anything that you have to have premium for today. And that brings us to the end of our questions and the end of our time. Thank you very much, everybody. Thank you, Tim, for making all this possible, and we’ll be sending everybody a link to the recording. But thanks for your time today, and we hope it was valuable for you. Bye bye for now.

Tim:

Thanks, everybody. And thanks, Randy.

This post was first published on the BeyondTrust website.