As more and more businesses enter the news cycle for security breaches, organizations are facing difficult decisions on how to best secure their data and users. According to Acronis, a global leader in cyber protection, the average cost of data breaches is estimated to exceed $5 million per incident in 2023. Thankfully, Microsoft Azure has provided several easy-to-use tools to help organizations build a more secure identity platform to protect against several types of identity-based attacks. In this article, we are going to look at five ways to better secure your organization’s end users and data:
- Harden your existing MFA (multi-factor authentication) implementation.
- Deploy strong Conditional Access policies.
- Leverage PIM (Privileged Identity Management) to ensure least-privileged access to your administrator accounts.
- Implement Azure Active Directory (Azure AD) Identity Protection.
- Utilize Defender for Office 365’s Attack simulation to train users on how to spot phishing attempts.
Although there has been a steady focus on ensuring MFA is enabled across the board, some organizations are still using less secure second factors to verify user sign-ins. The current industry recommendation is to retire weaker second factors such as SMS and voice calls, as these are becoming easier and easier for attackers to spoof. A stronger option is push notifications through a mobile application or, ideally, a number matching prompt. Number matching ensures that end users cannot simply hit “approve” on an MFA prompt when their login is being attempted repeatedly in what is known as an “MFA fatigue” or “MFA bombing” attack. The goal of these attacks is to frustrate users with repeated MFA prompts until they finally approve the login just to stop the notifications. If feasible, the best defense against MFA attacks is passwordless authentication through FIDO2 security keys, which require a physical hardware device to complete sign-in. This also sidesteps user hesitancy to install work applications, such as an MFA app, on personal devices. Adjusting the approved MFA methods for your Azure tenant is available through Azure AD Free and does not require any additional licensing.
Furthermore, organizations can leverage Conditional Access policies to help strengthen their security posture. Conditional Access policies can, for example, block sign-ins from specific locations, require that devices meet a defined compliance state, or require that users connect to services only through approved client applications. A strong Conditional Access policy can also ensure that every new user registers for MFA and that MFA is required on all subsequent logins.
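The following is an added example, not code from the original article: it uses the Microsoft Graph PowerShell SDK to create two of the policies described above, one requiring MFA for all users (excluding an emergency-access group) and one blocking sign-ins from a named location. The group id and named-location id are placeholders you would replace with your own.

```powershell
# Added example (not from the original article). Assumes the Microsoft.Graph
# module is installed and the caller holds a role allowed to manage policies.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$breakGlassGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder: your emergency-access group
$blockedLocationId = "11111111-1111-1111-1111-111111111111"   # placeholder: a named location to block

# Policy 1: require MFA for every user on every cloud app.
$requireMfa = @{
    displayName   = "CA001 - Require MFA for all users"
    # Start in report-only mode and review sign-in log impact before enforcing.
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)   # never lock out the break-glass accounts
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# Policy 2: block all sign-ins originating from the named location.
$blockLocation = @{
    displayName   = "CA002 - Block sign-ins from disallowed location"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users        = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)
        }
        applications = @{ includeApplications = @("All") }
        locations    = @{ includeLocations = @($blockedLocationId) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $requireMfa
New-MgIdentityConditionalAccessPolicy -BodyParameter $blockLocation
```

Switch `state` to `"enabled"` only after the report-only results show no unexpected lockouts.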
Azure’s Privileged Identity Management is an excellent way to ensure your day-to-day administrator accounts do not have more privileges than required to do their job. PIM is designed to require elevation into a specific Azure role before an account can perform administrative actions. This can be further protected by setting limits on how long the elevated role can last, requiring that administrators provide a reason for the elevation request for auditing purposes, prompting for MFA, and even requiring that someone else approve the request. PIM can also send notifications on each elevation, so an unexpected activation quickly alerts administrators that their account (and therefore their MFA) has been compromised.
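As an added example (not code from the original article), this is what a time-bound, justified PIM elevation looks like from the administrator's side using the Microsoft Graph PowerShell SDK; the maximum duration, MFA and approval requirements it runs into are the per-role PIM settings described above. The principal id, role definition id and ticket reference are placeholders.

```powershell
# Added example (not from the original article). Assumes the Microsoft.Graph
# module and an account that is *eligible* (not permanently assigned) for the role.
Connect-MgGraph -Scopes "RoleAssignmentSchedule.ReadWrite.Directory"

$activation = @{
    action           = "selfActivate"
    principalId      = "22222222-2222-2222-2222-222222222222"   # placeholder: the admin's object id
    roleDefinitionId = "33333333-3333-3333-3333-333333333333"   # placeholder: the directory role's definition id
    directoryScopeId = "/"                                      # tenant-wide scope
    # The justification is stored with the request and surfaces in audit logs.
    justification    = "Ticket INC-00000 (placeholder): reset MFA for a locked-out user"
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString("o")
        expiration    = @{
            type     = "afterDuration"
            duration = "PT2H"    # role reverts to eligible after two hours (capped by the role setting)
        }
    }
}

$request = New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $activation

# Status is "Provisioned" once active, or "PendingApproval" when the role
# setting requires a second person to approve the elevation.
$request.Status
```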
Azure AD Identity Protection helps establish risk policies that can block suspicious sign-in attempts or even allow for auto-remediation of compromised user accounts. Risk policies can be established to assess the likelihood of a login attempt being malicious based on factors such as impossible travel, login attempts from anonymous IP addresses, leaked credentials and more. These policies can force users to respond to an MFA prompt, require them to reset their password before logging in, or even block the account until an administrator is able to investigate further.
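The risk policies described above are expressed as Conditional Access policies that consume Identity Protection's sign-in risk and user risk signals. The block below is an added example, not code from the original article: one policy forces MFA on medium or high sign-in risk, the other forces a secure password change (MFA first, then a new password) on high user risk, which also remediates the user's risk state.

```powershell
# Added example (not from the original article). Assumes the Microsoft.Graph
# module and an Azure AD Premium P2 tenant (required for Identity Protection).
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# Sign-in risk: a single suspicious login (anonymous IP, impossible travel, ...)
# must pass MFA before access is granted.
$signInRiskPolicy = @{
    displayName   = "CA010 - Require MFA for medium and high sign-in risk"
    state         = "enabledForReportingButNotEnforced"   # report-only first, then enable
    conditions    = @{
        users            = @{ includeUsers = @("All") }
        applications     = @{ includeApplications = @("All") }
        signInRiskLevels = @("medium", "high")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# User risk: the account itself is likely compromised (e.g. leaked credentials),
# so the user must prove possession of MFA and then set a new password.
$userRiskPolicy = @{
    displayName   = "CA011 - Require password change for high user risk"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All") }
        applications   = @{ includeApplications = @("All") }
        userRiskLevels = @("high")
    }
    # AND: both controls are required; passwordChange alone is not accepted.
    grantControls = @{ operator = "AND"; builtInControls = @("mfa", "passwordChange") }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $signInRiskPolicy
New-MgIdentityConditionalAccessPolicy -BodyParameter $userRiskPolicy
```

Users caught by the user-risk policy need a registered MFA method; those without one are effectively blocked until an administrator intervenes, which matches the "block until investigated" behaviour described above.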
Lastly, Defender for Office 365 gives organizations the ability to simulate phishing attacks against their own users. These phishing simulations can be conducted either from the pre-built templates that Microsoft provides or from templates administrators create themselves. When creating custom templates, you can mark which parts of the phishing email should have raised a red flag for your users. In addition to highlighting common phishing tactics, administrators can assign training to users who clicked the simulated malicious attachment and build reports from historical simulations. End-user education is one of the most important aspects of an organization’s security posture, as even the strongest security controls can be bypassed by taking advantage of unsuspecting users.
There are license considerations to take into account when planning feature implementations — although the cost of lacking security can often be higher. Conditional Access policies require Azure AD Premium P1, while PIM and Identity Protection require Azure AD Premium P2. Microsoft’s Attack simulator also requires additional licensing in the form of Defender for Office 365 Plan 2. Organizations looking to strengthen their security posture through these offerings may want to consider the Enterprise Mobility + Security E3 and E5 licenses, which include Azure AD Premium Plan 1 and 2, respectively, as well as additional features such as Intune, Defender for Endpoint, and Information Protection that can help transform the security landscape of your organization.
As a leading consultancy in all things Microsoft, Cloudforce is taking advantage of these tools and more to help protect our business and our clients. If you are interested in doing the same, reach out to us to see how we can help strengthen your cloud computing security posture in this quickly changing industry.