AZ-304 Microsoft Azure Architect Design – Design for Risk Prevention for identity

1. What is Risk?

So we’ve been talking about identity and security in this last set of sections and one thing we should talk about is the risk, the risk of things happening when it comes to identity, what can happen? How do you mitigate against it? How bad would it be? Now, let’s start off with a general definition of risk. And I looked around the web here and I thought, okay, how would you define risk in the most simplest terms when it comes to business, anything that could have a negative effect on the business is a risk. So the fact that interest rates could rise could be a risk. The fact that it could rain for the next 30 days straight could be a risk. The fact that this winter is going to be better or worse than normal could be a risk. Employee quitting could be a risk.

We’ve got if you sat down and listed all of the things that could negatively impact your business, you’re going to use up several sheets of paper. There are just tons of risks out there. But over time, people have decided that you can’t just treat every single potential risk equally. You would just do nothing but worry all day, do nothing but defend against risk. And you wouldn’t be making progress in your business. You wouldn’t be selling to customers, you wouldn’t be producing products. And so you need to basically combat all the things that could go wrong with these two questions. How likely is it to happen and how bad would it be if it did happen? And so you could basically plot that along a graph and you could say, well, the risks that really, really I should really mitigate against, the priority risks, if you will, are the ones that are most likely to happen and the ones that are worst together. So that qualifies under both those categories. That’s a pretty big risk.

So we look at these four statements. These four statements are basically part of this quadrant. If it’s very likely to happen or it’s got really severe consequences, it could bankrupt your business, it could end your business. That is something that you should prioritize and it requires immediate action. If it’s only likely to happen, but not very likely to happen, and it’s serious but not life threatening, if you will, that is still a risk, but it’s not something that you can’t go past today from addressing. If something is just possible and if it happens, it’s not that bad, that becomes an acceptable risk. And if something is not likely to happen ever, and if it does happen, you’re not going to really blink too much. Well, then that’s sort of a low risk. You can just almost ignore it, acknowledge it exists, but ignore it. So when we’re looking at these risks, don’t get offended.

Don’t go down the list and just go get worried. We’re going to have to basically mitigate the important risk, the unacceptable risk, the immediate action risks. And then if something is a risk, wouldn’t be that serious, then we can basically accept those risks. Now, it is, I believe, impossible to have no risk. So first of all, the whole benefit of being in business is that you’re taking a risk and you’re getting a reward. If there was absolutely no risk to it, the reward would be so small as to not be worth it, first of all. Second of all, there’s just so much that can happen and a lot of it’s out of our control, right? If a competitor opens up in our retail business, a competitor opens up immediately next door and our business cuts in half overnight, well, that is something we can’t control.

Unless you can go to your next door landlord and say, sign me a contract that you promise never to have a competitor next to me, they’re going to open up across the street. So you can’t have no risk when it comes to business. And so that’s why we’re trying to classify these risks and accept risks that are acceptable and mitigate risks that are unacceptable. So what are the things that could happen when it comes to identity? Now, we’re talking specifically in this case about your identity risk. And identity risk is essentially your user ID and passwords get hacked. Somebody is able to get access to your system that is not the person who they say they are, or they get access to a level of authentication authorization that they don’t know. Even if they are who they say they are, they’re able to elevate their privileges.

So those are the two types of risk we’re talking about. So if your user ID and passwords get hacked and people are able to get into your system that you don’t know who they are, you could suffer financial costs, right? I mean, we’re looking at different Bitcoin exchanges that have gotten hacked or banks or there is an actual financial cost to getting hacked. You can pay financial penalties. You could end up having to refund your customers. You could lose customers, lots of different things. There’s also the data loss. So not only did you actually lose actual dollars if your database gets out on the Internet, a lot of people consider their data to be a financial asset and that to be their competitive advantage. And so if a list of all your customers names and email addresses made it online, well, your competitors would be contacting them and saying, I can do better.

I can beat that price. I can. So you’ve got actual not only financial losses, but data losses is a risk. Hackers can also wreak havoc to your system and bring your system down. We get people who are encrypting systems and demanding a ransom of certain cities, I believe it’s the city of Baltimore that had their systems hacked and they’re being forced to pay a ransom in order to get their access back. And so certainly that’s a huge risk as well. You’ve got companies who’ve had to actually go out to the public and do a May occulpal and the CEO resigns or people get arrested. Your reputation in the marketplace can suffer if a particular hack gets performed against you. So if you’re an organization that in some respect trades on your goodwill and trades on trust, if that hack gets public, you lose that trust. And if you try to cover it up and it gets public eventually anyways, you lose even more trust, right? So those are the things that can happen.

If you get hacked, then obviously your customers get affected as well. And so is my data safe? Did I get hacked? Even if you got some sort of minorly hacked, but you end up having to force people to change their passwords, that causes some customer confusion in the marketplace. Company executives have been known to be pulled in front of Congress. You get governments and police forces and other people that are interested now. So suddenly you’re going to be talking to people you may not want to be talking to. There’s laws in various places like the GDPR in Europe, where if data gets breached, you have to follow certain standards. You have 48 hours to report this to the customers, you have to report it to authorities, and now you’ve got additional compliance costs. That’s another consequence. Now there’s a lot more than that. And that might sound large and scary as well, but that sort of drives home the importance of protecting your systems, right?

So from the identity risk, there’s other ways to hack you as well. But if you do not want your systems to be hacked using an identity related hack, why would someone be able to get access to this? Well, if you’ve got users in your system who no longer work for you, like employees that have left and those users were never disabled, that’s the source of this risk, right? So that’s one way that you can have that. Or if you have employees who have authorizations that exceed their need, you’ve got people who are admin users or super users or things like that for a job they no longer perform or you were in a rush, you sort of granted them admin rights because they needed something done that day. You couldn’t figure out exactly what rights to give them and then you forget about it. So having two high permissions on users and even service principals is another risk that leads to getting hacked. If your systems can be accessed physically, so somebody has their computer unlocked and they walk away from their desks, somebody’s able to get access to whatever they’re logged into simply because they have physical access to their devices. And there’s no screen saver that locks after two minutes, or they don’t lock their computer. Your server room, obviously you’re going to want that to be behind lined as a locked door as well. And you don’t want a regular employee with a regular security pass to swipe their card and get into the back end systems as well. So securing the fiscal.

2. Mitigating Risks with Identity

So hopefully I didn’t scare you too much in the last video talking about all of the things that can go wrong, including your bankruptcy of your business if you get hacked and if your identity protection is not secure. So in this video, we’re going to talk about how to prevent those risks from happening in your identity system. First section is talking about risk assessment strategy. Now there’s a reporting feature within Azure Active Directory called Access Reviews. Access Reviews can basically force people who are responsible for security of a group to review the contents of that group on a regular basis. And so you can set up a policy within Azure Active Directory that says every 30 days, the group owner must review all of the members of the group. And the Access Review will not only remind them, it will basically nag them and they would have to go into the system and review the membership of the group that they control. So let’s say a particular group like the Marketing Group has access to the marketing application and you log into your Access Review.

You force the group owner to review access every 30 days. And you see that there’s a bunch of people who’ve not logged into the marketing application in this past month. Well, that’s a bit of a red flag. Why is it that certain people don’t log into the marketing application? It could be that they’ve moved jobs, they used to work in marketing. Now they’ve moved over into more of a management role and they don’t need access to the marketing application. That would be a perfect time to say, you know what, we still love you, but we’re going to be removing access to that old application because you don’t use it anymore. And the more people you have access to have access to an application, there’s a little bit higher risk with each additional person.

And so removing the number of people who have access is one mitigation factor. So implementing Access Reviews to your groups is one way you’re going to ensure that the members of the group are all need access and are at the right level. Another thing you can do is establish a company policy for access to certain things and use the Azure policy engine to enforce that policy. Now this isn’t so much for applications themselves as it is for access within the portal. And so if you have a marketing resource group and your policy is no, if you’re a marketing employee, you can only create resources in the marketing resource group.

You cannot create resources in any other group. Well, instead of just having that as a written policy, you could and should implement an Azure policy that says people who are members of the Marketing group can only create policies in this resource group. And in that way you’ve got a system that’s enforcing the policy as opposed to just it being something that you sent an email on and people are forget. You can also use policy not only to prevent this from happening, but to report on how incompliance people are. So if you have a policy to add tags to your resources so that you can do billing, you can either prevent them from doing that, or you can just report who’s not using tags, and then you can deal with that offline. Another policy you can implement in your company is around physical access. We talked about people walking away from their computers not logged out, that they go for a snack or a break, and someone can go and sit down at the computer and start using the applications that they have access to. Well, that’s a security risk. And so this is a policy that you can put in place to say, all servers must be behind locked doors. The people who have access to those servers must be a limited set. Not everyone in the company. All employees must lock their computer. The screen saver must be a very short timer. I once knew someone who worked in a bank, and the policy was if they were away from their desk, they had to be locked off the computer.

And someone walked by their desk and saw a logged in version of Windows and they’re not sitting in that seat, they could actually get in trouble for that. That’s a disciplinary action. And so your company can have a policy around the physical access aspects to your accounts. Another thing that you can do is use Azure Ad Connect health. So we’re talking about security and basically preventing the risks within your identity system.

Well, Ad Connect is one of the key elements of your identity system. It could be if you have an on premises Active Directory and you have Azure Active Directory in the cloud, and you’re using Azure Ad Connect to synchronize between them, you’re going to want to know that that’s operating correctly, that the roles that are being assigned to people within on premises ad are being synchronized into the cloud. This way, let’s say somebody was to leave your company, you were to go into on premises ad and disable their access. If your Ad Connect is not working and is throwing errors, well, then they’re not going to be disabled access within Azure ad, and that person could potentially still log into their applications even after you’ve disabled them in the on premises. So a functioning Ad Connect is one of the keys to a good secure system. And you want to use Ad Connect health to ensure that that part of your security apparatus has been functioning correctly. So those are the policy elements. Those are things that you can, as a company, say, this is what we want to do. But when we’re talking about things within Azure, things within our technology, within our groups, within our applications, what can we do to mitigate some of these risks?

So one thing you can do is you can decide that you are going to follow certain standards. There are quality standards, ISO 9001, there are lots of standards out there. And so if you’re going to be in compliance with those standards, that could be one way to take away risk from your systems. Okay, so if you’re going to say the standard is our entire website is Https and there’s going to be no pages that are not Https, well that could be something that you just enforce as a standard that you’re going to follow. Another thing you can do is have a strong testing group. A person who does tests dedicated, you can instill this value into your development team as well in terms of tests, you can do automated tests. So certainly making sure that when a person comes in with a particular privilege they can’t get access to the section X is an important element.

So it’s one thing to say we can define a user, we can define a group and we can assign them a role. But if your application is not honoring that’s a whole so having a good strong testing system, making sure you’re testing the individual locks on the doors of your hotel, so to speak, is one way to mitigate risk as well. Another general rule within security is don’t reinvent the wheel and so don’t roll your own security. You don’t even really need to have your own user ID and password system if you use something like Azure ad. So basically don’t resist the urge to come up with your own unique method of doing something. When there’s a standard that exists, when there’s an industry standard, when there’s proven software that’s been through hundreds of thousands of eyes, have looked over it and made sure that all the holes have been closed. Fishing has always been a problem from the very early days I can remember hearing people calling into customer service and saying, hi, I’m John Doe, can I reset my password? And the customer service just doing it.

So teaching all of your employees not to be so easily fished, not clicking on links with an email, not basically believing people are who they say they are over the phone. Hi. This is Bob from It Support. I need your password because I’m trying to do something. Oh yeah, Bob, here, here’s my password. Like understanding the most basic elements of what phishing is and training your employees to prevent against that is going to be, that’s going to be a powerful way of making sure people can’t get access to systems they’re not supposed to. Security is best done in layers. So instead of having a single fence around your application and then absolutely no security whatsoever, having your not only username and password multi factor authentication, rule based security network, security groups, make sure that your security is basically end to end and does sort of a full coverage. So Https encryption, data encryption, make sure your columns are encrypted, maybe use the always encrypted within SQL data clients, et cetera. So the more security you can add, you’re basically incrementally making your application just a little bit stronger.

Because even if somebody was to figure out a username and password that they can’t do anything with, that there’s no way to elevate their permissions, there’s no way to jump to other systems, then that was all your layers is what’s going to save you. Implementing multi factor authentication, you don’t have to do it for every single user, but if you use the conditional access as being one where somebody’s logging in outside of your office using a new device from a far off location, some of these suspicious actions using conditional access can enable MFA or just deny them service entirely. Privileged identity management is also a relatively new feature of Azure ad. And so that people who have administrator and super user type permissions are the ones that are forced to go through MFA. But regular users who have the low level read only contributor access permissions don’t.

So that’s a smart idea is to only force the administrative levels to go through the additional identity. And there’s a feature we haven’t talked about called Advanced Threat Protection, which is more of an intelligent active protection against your account. And it can actually detect that there’s a hack going on in real time, somebody’s trying to brute force guess a password. We’ve got suspicious activities coming in. It looks like a system that’s logging in using a person’s user ID and password and so enabling ATP. There’s obviously a cost for some of these things, but the more that you’re able to do, the less likelihood that we have some of those.

• Category: Uncategorized