How do you achieve a high level of security in the Microsoft Cloud (Microsoft 365 & Microsoft Azure) quickly and at a manageable / low cost? I will show you!
Unfortunately, the danger of cyber attacks is growing day by day. This is also independent of the global political situation. The targeted attacks are also no longer always the main issue – more and more indiscriminate attacks are happening. A few facts from reality that facilitate attacks nowadays:
- Environments are almost always named like the company: company.onmicrosoft.com
- Who works there in which position can be easily found out via social networks
One of the global administrator accounts is almost always called admin or administrator. Some creative ones also call it root or globaladmin. Occasionally it is also called something like M365 Service Owner, which can be identified on social networks.
- Typical VPN accesses are called remote.XYZ, ras.XYZ, vpn.XYZ, connect.XYZ, where XYZ stands for the company name.
- A record with working account data doesn’t even cost $1 on the darknet according to Microsoft Digital Defense Report – Microsoft Security from 2021.
- Only about 20% of the accounts in the Microsoft Cloud are protected with multifactor mechanisms:
Microsoft Digital Defense Report 2021 – Seite 89:If compromised organizations had applied basic
security hygiene like patching, applying updates, or
turning on multifactor authentication (MFA), they
may have been spared or less impacted. In fact, it
is shocking that less than 20% of our customers are
using strong authentication such as MFA93 (which
is free to our customers and can be turned on by
Unfortunately, these facts are an alarm signal. Because they make life easier for attackers. However, it is very easy to achieve a certain level of basic security in the Microsoft Cloud (as you can already read in the quote).
The guiding principle
We all know: 100% security does not exist. Even 99.9% is hard to achieve. But the first 80% are a piece of cake. That 80% is better than 25% or in the worst case even 0%, I hope I don’t have to explain extra 😉
It is important to understand how an attack works in the first place. A modern attacker does not conjure up a laughing skull on your display. No, an attacker behaves quietly in the network and steals data without the attacked party noticing anything. Alternatively, access to one’s own data is taken away, for example because it is encrypted. To prevent this from happening, you have to protect yourself. After all, everyone locks their front door at home.
Ideally, one implements the so-called zero trust model nowadays. Roughly speaking, this model implements the following principle: “Trust no one, not even yourself”. Why? Your own account could be hacked and you don’t know it or haven’t noticed it (yet?). Of course, here again the spirits are divided because there are many self-appointed experts and everyone knows everything better than everyone else. Forgetting the discussions, we can state that one guiding principle applies to all:
If there is no 100% security, then one should make it as difficult as possible for the (potential) attackers.
How does that work now? It’s not possible without effort and therefore also completely without costs. But you can keep everything manageable. I’ll show you how.
Patch your infrastructure
Patching and the cloud? How does that fit together? Quite simply, how do you access a cloud system? With clients. Clients are a popular point for attacks, so they should always be patched. If you’re still using Windows XP, it’s your own fault if you get compromised. I can’t complain about a 20-year-old Porsche having a lower top speed than the current top model.
But also everything that is in my own data center – no matter which operating system – no matter which software. Anything that I don’t keep up to date is potentially at risk. It doesn’t matter which software manufacturer the software comes from. Software always has bugs and is therefore vulnerable. So the manufacturers deliver patches to address these errors. If I don’t apply them, I make myself vulnerable. And before Microsoft bashing starts – look for Typo3 or WordPress AddOn gaps. I like to follow the news on Bleeping Computer.
In the cloud, I don’t need to patch servers, Microsoft does that work for me. And they do that, too.
Logging in with just a username and password is insecure. Everyone should have heard that by now. Even the most secure password can be cracked. Admittedly, the longer the password, the more difficult it is to crack it. I already mentioned the Microsoft Digital Defense Report – Microsoft Security above. In it, Microsoft reports at what prices the ‘undercover investigators’ were offered data sets with working logins. These prices are so frighteningly low that anyone can easily afford them. This does not require the commissioning of third parties or anything similar. No matter how secure a password is, if it is in a freely or cheaply obtainable database, the account is compromised.
The only thing that helps here is the interposition of another factor. Azure MFA offers itself here at no additional cost. This offers flexible options: SMS token, authenticator, phone call. Even if even SMS tokens are considered insecure nowadays, any MFA level is better than none! The best way to implement this today is via Conditional Access, which brings me to the next point:
Conditional Access is part of the Azure AD Premium P1 license. In principle, this means additional costs, but nowadays it is to be considered as a minimum for cloud security.
With Conditional Access you are able to define access scenarios in your tenant. These scenarios can evaluate device states (Intune required!), require certain actions at login based on used apps, account types or applications. For example, multi-level authentication. One should always force every administrator to use multi-level authentication in any case. Likewise guests and accesses from non-administrated clients. It can also make sense to block access to the cloud if it was not initiated from a known trusted IP address.
For the cloud, admins should always have separate cloud accounts with which no daily work is done. Sync should be avoided. This reduces potential dependencies on an on-premises AD, however unlikely. Likewise, in the event of a compromise of the on-premises AD, this prevents the cloud systems from being affected as well.
For administrators, the principle of least privilege applies, i.e. as few rights as necessary. Furthermore, admins should always be personalized, no generic accounts like admin@ should be used.