
IdentityDays2022 - Gestion des privilèges sur le Cloud Microsoft (Privilege management on the Microsoft Cloud)



  1. Thanks to all our partners! 27 October 2022 - PARIS @IdentityDays #identitydays2022
  2. Privilege management on the Microsoft Cloud. Identity Days 2022, 27 October 2022 - PARIS. Speakers: Xuan AHEHEHINNOU, Hakim TAOUSSI, Nicolas BONNET
  3. CONFERENCE AGENDA
     - Introduction
     - Azure AD roles
     - Privileged Identity Management
     - Azure roles & RBAC
     - Account protection
     - Azure AD Conditional Access
     - Privileged access devices
     - Interface security levels
     - Intermediaries
     - Azure Bastion
     - Conclusion
     Speakers: Xuan AHEHEHINNOU, Microsoft 365 Solution Architect @Abalon; Hakim TAOUSSI, Technical Architect / MVP Azure @Insight; Nicolas BONNET, CEO & IT Architect, MVP Enterprise Mobility @InYourCloud
  4. Introduction
  5. http://aka.ms/SPAroadmap http://aka.ms/cyber-services http://aka.ms/securitystandards [figure; attack automation tooling named on the slide: Death Star, GoFetch]
  6. Privileged access model: an attacker's path runs Account → Devices/Workstations → Intermediaries → Interface → Business Critical Assets. Every hop on that path is potential attack surface.
  7. Same model: protecting the assets themselves is also required (security updates, DevSecOps, data at rest / in transit, etc.).
  8. Same model: the typical path of user access is split into levels of security, each of which raises the attacker's cost. https://aka.ms/deploySPA
  9. Deploying a privileged access solution | Microsoft Learn
  10. [figure: Machine Learning (ML), Applications & Websites, API, Data]
  11. There are about 60 Azure Active Directory (Azure AD) built-in roles, which are roles with a fixed set of role permissions. To supplement the built-in roles, Azure AD also supports custom roles. There are many different services in Microsoft 365, such as Azure AD and Intune. Some of these services have their own role-based access control systems (AAD, Exchange, Intune, MDCA, 365 Defender, Purview, Cost Management + Billing). Azure has its own role-based access control system for Azure resources such as virtual machines, and this system is not the same as Azure AD roles. Understand Azure Active Directory role concepts - Microsoft Entra | Microsoft Learn
  12. Secure access with Microsoft Entra: multicloud identity and access management, overseeing all your organization's identities in one place. Microsoft Entra encompasses all of Microsoft's identity and access capabilities. The Entra family includes Microsoft Azure Active Directory (Azure AD), as well as two new product categories: Cloud Infrastructure Entitlement Management (CIEM) and decentralized identity. Microsoft Entra Datasheet
  13. Azure AD Privileged Identity Management
  14. What is Privileged Identity Management (PIM)? PIM is a service in Azure Active Directory (Azure AD) that enables you to manage, control, and monitor access to important resources in your organization. Such resources include those in Azure AD, Azure, and other Microsoft Online Services, such as Microsoft 365 or Microsoft Intune.
  15. What does PIM do? PIM provides time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access permissions on resources that you care about. Key features of PIM include:
     ✓ Provide just-in-time privileged access to Azure AD and Azure resources
     ✓ Assign time-bound access to resources using start and end dates
     ✓ Require approval to activate privileged roles
     ✓ Enforce multifactor authentication to activate any role
     ✓ Use justification to understand why users activate
     ✓ Get notifications when privileged roles are activated
     ✓ Conduct access reviews to ensure users still need roles
     ✓ Download audit history for internal or external audit
  16. PIM for Azure resource roles. Azure Active Directory (Azure AD) Privileged Identity Management (PIM) can manage the built-in Azure resource roles, as well as custom roles, including (but not limited to):
     ❑ Owner
     ❑ User Access Administrator
     ❑ Contributor
     ❑ Security Admin
     ❑ Security Manager
  17. Management capabilities for Privileged Access groups. In Privileged Identity Management (PIM), you can now assign eligibility for membership or ownership of privileged access groups.
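The PIM workflow on slides 14 to 17 (eligible rather than permanent assignment, time-bound activation with justification, audit of active holders), as an added example that is not part of the deck. It uses the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.Governance); the group object ID and ticket reference are placeholders, and the role is addressed by its User Administrator template ID (fe930be7-5e62-47db-91af-98c3a49a38b1), which you should confirm in your own tenant before relying on it.

```powershell
# Added example, not from the Identity Days deck. Requires Microsoft.Graph PowerShell SDK.
# All GUIDs and ticket numbers below are placeholders/assumptions: replace them with your tenant's values.
Connect-MgGraph -Scopes "RoleEligibilitySchedule.ReadWrite.Directory", "RoleAssignmentSchedule.ReadWrite.Directory", "User.Read"

# Address the role by its template ID, not its display name; for built-in directory roles the
# roleDefinition ID equals the template ID. Verify with Get-MgRoleManagementDirectoryRoleDefinition.
$userAdminRoleId = "fe930be7-5e62-47db-91af-98c3a49a38b1"
$role = Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $userAdminRoleId
$helpdeskGroupId = "00000000-0000-0000-0000-000000000000"   # assumption: object ID of the helpdesk group

# 1. Make the group ELIGIBLE (not active) for the role, tenant-wide, for one year.
$eligibility = @{
    action           = "adminAssign"
    justification    = "Helpdesk eligible for User Administrator through PIM"
    roleDefinitionId = $role.Id
    directoryScopeId = "/"
    principalId      = $helpdeskGroupId
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime()
        expiration    = @{
            type        = "afterDateTime"
            endDateTime = (Get-Date).ToUniversalTime().AddYears(1)
        }
    }
}
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $eligibility

# 2. What a group member does when the role is actually needed: self-activate for 4 hours with a
#    justification and ticket. If the PIM role settings require approval or MFA, PIM enforces them here.
$callerId = (Get-MgUser -UserId (Get-MgContext).Account).Id
$activation = @{
    action           = "selfActivate"
    principalId      = $callerId
    roleDefinitionId = $role.Id
    directoryScopeId = "/"
    justification    = "INC-12345: reset MFA methods for a locked-out user"
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime()
        expiration    = @{ type = "afterDuration"; duration = "PT4H" }
    }
    ticketInfo       = @{ ticketNumber = "INC-12345"; ticketSystem = "ServiceNow" }   # placeholder ticket
}
New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $activation

# 3. Audit: who holds the role right now, and whether it is a permanent ("Assigned") or JIT ("Activated") holding.
Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -Filter "roleDefinitionId eq '$($role.Id)'" |
    Select-Object PrincipalId, AssignmentType, StartDateTime, EndDateTime
```

Any principal whose AssignmentType is still "Assigned" in step 3 is a permanent holder that bypasses the activation controls; converting those to eligible assignments is usually the first PIM clean-up task.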
  18. Azure roles & RBAC
  19. Understanding Azure Roles and RBAC. What is Azure role-based access control (Azure RBAC)? | Microsoft Learn
  20. Best practices for Azure RBAC
     - Only grant the access users need. Using Azure RBAC, you can segregate duties within your team and grant only the amount of access to users that they need to perform their jobs. Instead of giving everybody unrestricted permissions in your Azure subscription or resources, you can allow only certain actions at a particular scope.
     - Limit the number of subscription owners. You should have a maximum of 3 subscription owners to reduce the potential for breach by a compromised owner. This recommendation can be monitored in Microsoft Defender for Cloud.
     - Use Azure AD Privileged Identity Management. PIM helps protect privileged accounts by providing just-in-time privileged access to Azure AD and Azure resources. Access can be time bound, after which privileges are revoked automatically.
     - Assign roles to groups, not users. Assigning roles to groups instead of users also helps minimize the number of role assignments.
     - Assign roles using the unique role ID instead of the role name. Even if a role is renamed, the role ID does not change.
     Best practices for Azure RBAC | Microsoft Learn
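The slide 20 best practices put into practice with the Az PowerShell module, as an added example that is not part of the deck: a role granted to a group by role definition ID at resource-group scope, and a check of the "at most 3 subscription owners" recommendation. The subscription and group IDs are placeholders; the Owner and Contributor GUIDs are the documented built-in role definition IDs, which you can confirm with Get-AzRoleDefinition.

```powershell
# Added example, not from the Identity Days deck. Requires the Az PowerShell module.
Connect-AzAccount
$subscriptionId = "00000000-0000-0000-0000-000000000000"   # assumption: target subscription
$scope          = "/subscriptions/$subscriptionId"

# Built-in role definition IDs survive a rename of the role; confirm with (Get-AzRoleDefinition -Name 'Owner').Id
$ownerRoleId       = "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"   # Owner
$contributorRoleId = "b24988ac-6180-42a0-ab88-20f7382dd24c"   # Contributor

# Least privilege: Contributor (not Owner), to a GROUP (not a user), at resource-group scope (not the subscription).
$appTeamGroupId = "11111111-1111-1111-1111-111111111111"       # assumption: Azure AD group object ID
New-AzRoleAssignment -ObjectId $appTeamGroupId `
                     -RoleDefinitionId $contributorRoleId `
                     -Scope "$scope/resourceGroups/rg-app-prod"   # assumption: resource group name

# Owner check. Assignments inherited from a parent management group also confer Owner on the
# subscription, so match on the role ID only and do not filter on the assignment's Scope.
function Get-SubscriptionOwners {
    param([string]$Scope, [string]$OwnerRoleId)
    Get-AzRoleAssignment -Scope $Scope |
        Where-Object { $_.RoleDefinitionId -eq $OwnerRoleId }
}

$owners = @(Get-SubscriptionOwners -Scope $scope -OwnerRoleId $ownerRoleId)
$owners | Select-Object DisplayName, ObjectType, Scope | Format-Table
if ($owners.Count -gt 3) {
    Write-Warning "$($owners.Count) Owner assignments reach $scope (recommended maximum: 3). Convert the extra ones to PIM-eligible assignments."
}
```

Owner assignments whose ObjectType is ServicePrincipal deserve the same scrutiny as user ones: a leaked client secret or certificate for such an application is a standing Owner that PIM activation controls never touch.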
  21. Azure RACI Template. The purpose of this RACI is to provide a foundation for organizations beginning the journey into Microsoft Azure. It contains common tasks across both governance and operations that organizations should identify owners and operators for. GitHub - jkstant/AzureRACIToolkit
  22. Account protection
  23. Privileged access: Accounts. Securing privileged access accounts | Microsoft Learn
  24. CRITICAL BEST PRACTICES: BLOCK LEGACY AUTHENTICATION. The majority of password spray attacks use legacy authentication protocols, which cannot enforce MFA. https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Azure-AD-Conditional-Access-support-for-blocking-legacy-auth-is/ba-p/245417 Azure identity & access security best practices | Microsoft Learn
  25. AAD B2B Collaboration. Azure identity & access security best practices | Microsoft Learn
  26. [figure] Azure identity & access security best practices | Microsoft Learn
  27. Emergency access administrative accounts, for situations where normal administrative accounts can't be used (federation unavailable, etc.). Managing emergency access administrative accounts in Azure AD. Azure identity & access security best practices | Microsoft Learn
  28. Built-in roles and custom roles. Azure identity & access security best practices | Microsoft Learn
  29. Get started using Attack simulation training - Office 365 | Microsoft Docs. Azure identity & access security best practices | Microsoft Learn
  30. CRITICAL BEST PRACTICES: https://channel9.msdn.com/events/Ignite/Microsoft-Ignite-Orlando-2017/BRK3016 http://aka.ms/HelloForBusiness https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-phone-sign-in https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates Note: text-message-based MFA is now relatively inexpensive for attackers to bypass, so focus on passwordless and stronger MFA.
  31. Different forms of MFA and passwordless authentication. Authentication methods and features - Azure Active Directory - Microsoft Entra | Microsoft Learn
  32. Conditional Access authentication strength (preview). Overview of Azure Active Directory authentication strength (preview) - Microsoft Entra | Microsoft Learn
  33. Azure AD Conditional Access
  34. Azure AD conditional access
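The controls called out on slides 24 (block legacy authentication), 27 (keep the emergency access accounts out of every policy) and 30 to 32 (stronger-than-SMS MFA for administrators, expressed as an authentication strength), as one added example that is not part of the deck. It creates two Conditional Access policies with the Microsoft Graph PowerShell SDK, both in report-only state so they can be checked against sign-in logs before enforcement. The break-glass group ID is a placeholder; the directory role template IDs and the built-in "Phishing-resistant MFA" strength ID are Microsoft's documented values, which you can list with Get-MgRoleManagementDirectoryRoleDefinition and Get-MgPolicyAuthenticationStrengthPolicy.

```powershell
# Added example, not from the Identity Days deck. Requires Microsoft.Graph PowerShell SDK.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$breakGlassGroupId = "00000000-0000-0000-0000-000000000000"   # assumption: group containing the emergency access accounts

# Policy 1: block legacy authentication for everyone except the emergency accounts.
# 'exchangeActiveSync' and 'other' are the client app types that carry legacy (non-modern-auth) protocols.
$blockLegacy = @{
    displayName   = "CA001 - Block legacy authentication"
    state         = "enabledForReportingButNotEnforced"   # flip to "enabled" once the report-only results are clean
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("exchangeActiveSync", "other")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $blockLegacy

# Policy 2: phishing-resistant MFA (FIDO2, Windows Hello for Business, certificate-based auth) for privileged roles.
# Role template IDs: Global Administrator, Privileged Role Administrator, User Administrator.
$privilegedRoles = @(
    "62e90394-69f5-4237-9190-012177145e10",
    "e8611ab8-c189-46e8-94e1-60213ab1f814",
    "fe930be7-5e62-47db-91af-98c3a49a38b1"
)
$phishingResistantMfaId = "00000000-0000-0000-0000-000000000004"   # built-in "Phishing-resistant MFA" strength

$adminMfa = @{
    displayName   = "CA002 - Phishing-resistant MFA for privileged roles"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{ includeRoles = $privilegedRoles; excludeGroups = @($breakGlassGroupId) }
        applications = @{ includeApplications = @("All") }
    }
    grantControls = @{
        operator               = "OR"
        authenticationStrength = @{ id = $phishingResistantMfaId }
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $adminMfa

# Review what the policies WOULD have done before enforcing them.
Get-MgIdentityConditionalAccessPolicy | Where-Object { $_.State -eq "enabledForReportingButNotEnforced" } |
    Select-Object DisplayName, Id
```

Excluding the break-glass group is deliberate in both policies: an emergency account that is itself blocked by a Conditional Access outage or a mis-scoped policy defeats its purpose. Its sign-ins should instead be alerted on, since under normal operation there are none.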
  35. Privileged access devices
  36. Secure workstation for sensitive users. Why are privileged access devices important | Microsoft Learn
  37. Interface security levels
  38. Privileged interface. Security controls for specialized interfaces should include:
     - Zero Trust policy enforcement on inbound sessions, using Conditional Access to ensure that users and devices are secured at the privileged level
     - Role-Based Access Control (RBAC): the model should ensure that the application is administered only by roles at the privileged security level
     - Just-in-time access workflows (required) that enforce least privilege by ensuring privileges are used only by authorized users during the time they are needed
     Securing privileged access interfaces | Microsoft Learn
  39. Intermediaries
  40. Privileged access: Intermediaries. Securing privileged access intermediaries | Microsoft Learn
  41. Azure Bastion
  42. Azure Bastion architecture. About Azure Bastion | Microsoft Learn. Azure Bastion is a service you deploy that lets you connect to a virtual machine using your browser and the Azure portal, or via the native SSH or RDP client already installed on your local computer.
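A deployment of Azure Bastion as the intermediary for VM administration, as an added example that is not part of the deck: Bastion gets its dedicated subnet and Standard public IP, and the VM subnet's NSG admits RDP/SSH only from that subnet, so the VMs need no public IP and no Internet-exposed management port. Resource names, region and address ranges are assumptions.

```powershell
# Added example, not from the Identity Days deck. Requires the Az PowerShell module (Az.Network).
Connect-AzAccount
$rg       = "rg-bastion-demo"    # assumption
$location = "westeurope"         # assumption
New-AzResourceGroup -Name $rg -Location $location | Out-Null

# The Bastion subnet must be named exactly "AzureBastionSubnet" and be at least a /26.
$bastionSubnetPrefix = "10.0.1.0/26"
$vmSubnetPrefix      = "10.0.2.0/24"

# NSG for the VM subnet: management ports reachable only from the Bastion subnet, never from the Internet.
$allowFromBastion = New-AzNetworkSecurityRuleConfig -Name "AllowRdpSshFromBastion" -Priority 100 `
    -Direction Inbound -Access Allow -Protocol Tcp `
    -SourceAddressPrefix $bastionSubnetPrefix -SourcePortRange "*" `
    -DestinationAddressPrefix "*" -DestinationPortRange 22, 3389
$denyFromInternet = New-AzNetworkSecurityRuleConfig -Name "DenyRdpSshFromInternet" -Priority 200 `
    -Direction Inbound -Access Deny -Protocol Tcp `
    -SourceAddressPrefix "Internet" -SourcePortRange "*" `
    -DestinationAddressPrefix "*" -DestinationPortRange 22, 3389
$vmNsg = New-AzNetworkSecurityGroup -Name "nsg-snet-vm" -ResourceGroupName $rg -Location $location `
    -SecurityRules $allowFromBastion, $denyFromInternet

# VNet with the two subnets; only the VM subnet carries the NSG (Bastion manages its own subnet rules).
$bastionSubnet = New-AzVirtualNetworkSubnetConfig -Name "AzureBastionSubnet" -AddressPrefix $bastionSubnetPrefix
$vmSubnet      = New-AzVirtualNetworkSubnetConfig -Name "snet-vm" -AddressPrefix $vmSubnetPrefix -NetworkSecurityGroup $vmNsg
$vnet = New-AzVirtualNetwork -Name "vnet-demo" -ResourceGroupName $rg -Location $location `
    -AddressPrefix "10.0.0.0/16" -Subnet $bastionSubnet, $vmSubnet

# Bastion requires a static, Standard SKU public IP. This is the ONLY public IP in the design.
$pip = New-AzPublicIpAddress -Name "pip-bastion" -ResourceGroupName $rg -Location $location `
    -AllocationMethod Static -Sku Standard
New-AzBastion -Name "bas-demo" -ResourceGroupName $rg `
    -PublicIpAddress $pip -VirtualNetwork $vnet -Sku Standard
```

The Standard SKU is what allows the native SSH/RDP client path mentioned on slide 42 (native client support is a Bastion feature you enable on the Standard SKU); Basic only offers the browser session through the portal. Pair the NSG with the Conditional Access policy on the portal and ARM so that reaching Bastion already requires a compliant device and strong MFA.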
  43. Conclusion
  44. CLEAR LINES OF RESPONSIBILITY (CRITICAL BEST PRACTICES). TIP: document these and socialize them widely with all teams working on Azure. Microsoft Security Best Practices module: Governance, risk, and compliance | Microsoft Learn
  45. Microsoft Zero Trust Principles
     - Verify explicitly: always validate all available data points, including user identity and location, device health, service or workload context, data classification, and anomalies.
     - Use least privilege access: to help secure both data and productivity, limit user access using just-in-time (JIT) access, just-enough-access (JEA), risk-based adaptive policies, and data protection against out-of-band vectors.
     - Assume breach: minimize the blast radius of breaches and prevent lateral movement by segmenting access by network, user, device and app awareness; encrypting all sessions end to end; and using analytics for threat detection, posture visibility and improving defenses.
     Zero Trust Model - Modern Security Architecture | Microsoft Security
  46. Thanks to all our partners! @IdentityDays #identitydays2022
