By Bruce Sussman
Mon | May 13, 2019 | 11:22 AM PDT

The cloud is kind of like that sweet new toy you got your kid for his or her birthday.

It looks like the perfect solution for birthday bliss, and then you see those dreaded words: "some assembly required."

Most of the toy is built easily, but there are a few key pieces that must be done exactly as instructed or the thing may fall apart.

In some ways, a move to the cloud is the same way. Especially when you're talking about cybersecurity in the cloud.

Once you get everything there and configured, it's going to be fantastic.

However, there are some things that are required to be done exactly right or the security of your data in the cloud may be at significant risk.

CISA analysis report on O365 and Azure

When it comes to cloud security cyber threats, many are made possible by a lack of understanding about security in the cloud.

This typically traces back to configuration settings that many security professionals are unaware of, especially since each cloud vendor has its own defaults and its own set of switches to flip.

This is so prevalent that the Cybersecurity and Infrastructure Security Agency (CISA) has issued a special analysis report on the topic.

"These security oversights have led to user and mailbox compromises and vulnerabilities."

Security configuration vulnerabilities to be aware of in Azure

Specifically, the CISA analysis looks at best practices for moving to Azure and O365, and key security settings leaders and teams need to know about.

Here are four key cloud security factors for Azure and Office 365:

1. Azure multi-factor authentication for administrator accounts not enabled by default:

Azure Active Directory (AD) Global Administrators in an O365 environment have the highest level of administrator privileges at the tenant level. This is equivalent to the Domain Administrator in an on-premises AD environment.

The Azure AD Global Administrator accounts are the first accounts created so that administrators can begin configuring their tenant and eventually migrate their users. Multi-factor authentication (MFA) is not enabled by default for these accounts.

There is a default Conditional Access policy available to customers, but the Global Administrator must explicitly enable this policy in order to enable MFA for these accounts. These accounts are exposed to internet access because they are based in the cloud. If not immediately secured, these cloud-based accounts could allow an attacker to maintain persistence as a customer migrates users to O365.

2. Mailbox auditing disabled: 

O365 mailbox auditing logs actions that mailbox owners, delegates, and administrators perform. Microsoft did not enable auditing by default in O365 prior to January 2019. Customers who procured their O365 environment before 2019 had to explicitly enable mailbox auditing.

Additionally, the O365 environment does not currently enable the unified audit log by default. The unified audit log contains events from Exchange Online, SharePoint Online, OneDrive, Azure AD, Microsoft Teams, Power BI, and other O365 services.

An administrator must enable the unified audit log in the Security and Compliance Center before queries can be run.
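The following is an added example (not from the article or the CISA report) showing how to check and correct both audit settings from Exchange Online PowerShell. It assumes you already have an Exchange Online PowerShell session with Organization Management rights; the seven-day search window is an arbitrary choice.

```powershell
# Added example: audit-logging checks for an O365 tenant from Exchange Online PowerShell.
# Assumes an existing session (e.g. after Connect-ExchangeOnline) with Organization Management rights.

# 1. Unified audit log: ingestion must be on before Search-UnifiedAuditLog returns anything.
$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    Write-Warning "Unified audit log ingestion is OFF; enabling it."
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# 2. Organization-level mailbox auditing switch. Tenants created before 2019 may still have
#    this disabled; $false here means "auditing on by default" is active for the tenant.
$org = Get-OrganizationConfig
if ($org.AuditDisabled) {
    Write-Warning "Mailbox auditing is disabled at the organization level; enabling it."
    Set-OrganizationConfig -AuditDisabled $false
}

# 3. Per-mailbox auditing. This matters for tenants where the org-level default is off;
#    when "auditing on by default" is active, a mailbox's own AuditEnabled value is ignored,
#    so do not read AuditEnabled = $false in that state as "not audited".
$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox,SharedMailbox
$unaudited = $mailboxes | Where-Object { -not $_.AuditEnabled }
$unaudited | Select-Object UserPrincipalName, AuditEnabled, AuditLogAgeLimit | Format-Table -AutoSize
$unaudited | ForEach-Object {
    Set-Mailbox -Identity $_.Identity -AuditEnabled $true
}

# 4. Prove the log is queryable: pull the last 7 days of mailbox logins.
#    MailboxLogin is the owner-login event that mailbox auditing records.
$end   = Get-Date
$start = $end.AddDays(-7)
Search-UnifiedAuditLog -StartDate $start -EndDate $end -Operations MailboxLogin -ResultSize 100 |
    Select-Object CreationDate, UserIds, Operations |
    Format-Table -AutoSize
```

Run step 4 again a few hours after enabling ingestion: the unified log only contains events generated after it was switched on, so a tenant that has just enabled it has no history to investigate an earlier compromise with.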

3. Azure password sync enabled: 

Azure AD Connect integrates on-premises environments with Azure AD when customers migrate to O365. This technology provides the capability to create Azure AD identities from on-premises AD identities or to match previously created Azure AD identities with on-premises AD identities.

The on-premises identities become the authoritative identities in the cloud. To take over an existing Azure AD identity, the on-premises AD identity only needs to match certain attributes (for a soft match, the UserPrincipalName or primary SMTP address). Once matched, the Azure AD identity is flagged as on-premises managed. Therefore, it is possible to create an on-premises AD account with the same username as an administrator in Azure AD and have it become the master of that cloud administrator account.

One of the authentication options for Azure AD Connect is "Password Sync" (Password Hash Synchronization). If this option is enabled, the on-premises password (as a hash) overwrites the password stored in Azure AD. In this situation, if the on-premises AD identity is compromised, an attacker could move laterally to the cloud as soon as the sync occurs.

Note: Microsoft has disabled the capability to match certain administrator accounts as of October 2018. However, organizations may have performed administrator account matching prior to Microsoft disabling this function, thereby syncing identities that may have been compromised prior to migration.

Additionally, Microsoft's change only covers those administrator roles; regular user accounts can still be matched this way.
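Items 1 and 3 above call for the same check: who holds Global Administrator, whether MFA is actually in place for each of them, and whether any of them is mastered on-premises (and therefore reachable through a compromised on-premises account). The following is an added example (not from the article or the CISA report) that produces that report with the MSOnline module. It assumes the module is installed and Connect-MsolService has already been run with sufficient rights.

```powershell
# Added example: report every Global Administrator with per-user MFA state, registered MFA
# method count, and whether the account is synced from on-premises AD.
# Assumes: MSOnline module installed and Connect-MsolService already run.
# In MSOnline the Global Administrator role is still named "Company Administrator".

$role    = Get-MsolRole -RoleName "Company Administrator"
$members = Get-MsolRoleMember -RoleObjectId $role.ObjectId -All |
           Where-Object { $_.RoleMemberType -eq "User" }

$report = foreach ($m in $members) {
    $u = Get-MsolUser -ObjectId $m.ObjectId

    # Per-user MFA state lives in StrongAuthenticationRequirements; an empty list means per-user
    # MFA is not enforced. MFA required only through Conditional Access does NOT show up here,
    # so treat "Disabled" as "verify that a Conditional Access policy covers this account".
    $perUserMfa = if ($u.StrongAuthenticationRequirements.Count -gt 0) {
        $u.StrongAuthenticationRequirements[0].State      # Enabled or Enforced
    } else {
        "Disabled"
    }

    # A synced account carries an ImmutableId (the on-prem objectGUID) and a LastDirSyncTime.
    # This is the case CISA describes: compromise on-prem, then ride Password Sync into the tenant.
    $synced = [bool]$u.ImmutableId

    [pscustomobject]@{
        UserPrincipalName = $u.UserPrincipalName
        PerUserMfa        = $perUserMfa
        MfaMethods        = $u.StrongAuthenticationMethods.Count
        SyncedFromOnPrem  = $synced
        LastDirSync       = $u.LastDirSyncTime
        BlockCredential   = $u.BlockCredential
    }
}

$report | Sort-Object SyncedFromOnPrem -Descending | Format-Table -AutoSize

# Findings worth acting on: no MFA method registered at all, or an admin mastered on-prem.
$report | Where-Object { $_.MfaMethods -eq 0 -or $_.SyncedFromOnPrem } | ForEach-Object {
    $msg = "Review Global Administrator {0}: MFA methods={1}, synced from on-prem={2}" -f `
           $_.UserPrincipalName, $_.MfaMethods, $_.SyncedFromOnPrem
    Write-Warning $msg
}
```

The remediation the report points at is the one CISA implies: Global Administrators should be cloud-only accounts (no ImmutableId, never matched to an on-premises object) with MFA enforced, and day-to-day administration should happen from lower-privileged roles. An admin that shows SyncedFromOnPrem = True inherits the security of your on-premises domain, which is exactly the dependency a cloud migration was supposed to remove.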

4. Azure O365 authentication unsupported by legacy protocols:

Azure AD is the authentication method that O365 uses to authenticate with Exchange Online, which provides email services. There are a number of protocols associated with Exchange Online authentication that do not support modern authentication methods with MFA features.

These protocols include Post Office Protocol (POP3), Internet Message Access Protocol (IMAP), and Simple Mail Transfer Protocol (SMTP), all of which authenticate with a username and password alone (basic authentication).

Legacy protocols are used with older email clients, which do not support modern authentication. Legacy protocols can be disabled at the tenant level or at the user level. However, should an organization require older email clients as a business necessity, these protocols will not be disabled. This leaves email accounts exposed to the internet with only the username and password as the primary authentication method.

One approach to mitigate this issue is to inventory users who still require the use of a legacy email client and legacy email protocols. Using Azure AD Conditional Access policies can help reduce the number of users who have the ability to use legacy protocol authentication methods. Taking this step will greatly reduce the attack surface for organizations.
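The following is an added example (not from the article or the CISA report) of that inventory-then-restrict approach from the Exchange Online side: list the mailboxes still reachable over POP3/IMAP4, turn those protocols off for everyone who does not need them, and make a block-basic-auth authentication policy the tenant default so that SMTP, EWS, ActiveSync and the other basic-auth paths are covered too. It assumes a connected Exchange Online PowerShell session; the exception addresses and policy names are placeholders you would replace with your own.

```powershell
# Added example: inventory legacy-protocol mailboxes, then block basic authentication for everyone
# except a documented exception list. Assumes a connected Exchange Online PowerShell session.
# The addresses and policy names below are hypothetical placeholders.

$exceptions = @("scanner@contoso.example", "legacy-crm@contoso.example")   # business-need accounts

# 1. Inventory: which mailboxes can still be reached over POP3/IMAP4?
$cas    = Get-CASMailbox -ResultSize Unlimited
$legacy = $cas | Where-Object { $_.PopEnabled -or $_.ImapEnabled }
$legacy | Select-Object PrimarySmtpAddress, PopEnabled, ImapEnabled, ActiveSyncEnabled |
    Format-Table -AutoSize

# 2. Disable POP3/IMAP4 on every mailbox that is not on the exception list.
#    This alone does not stop basic auth over SMTP AUTH, EWS or ActiveSync, hence step 3.
$legacy | Where-Object { $exceptions -notcontains $_.PrimarySmtpAddress.ToString() } |
    ForEach-Object { Set-CASMailbox -Identity $_.Identity -PopEnabled $false -ImapEnabled $false }

# 3. Authentication policy: New-AuthenticationPolicy creates a policy with every AllowBasicAuth*
#    switch off, so basic auth is blocked for all protocols once it is the tenant default.
#    Modern-auth clients (OAuth) are unaffected, so MFA keeps working for them.
$policyName = "Block Basic Auth"
if (-not (Get-AuthenticationPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name $policyName | Out-Null
}
Set-OrganizationConfig -DefaultAuthenticationPolicy $policyName

# 4. Exceptions get a second policy allowing basic auth only for the protocol they need,
#    so the remaining attack surface is the exception list, not the whole tenant.
$exceptionPolicy = "Allow Basic Auth - IMAP only"
if (-not (Get-AuthenticationPolicy -Identity $exceptionPolicy -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name $exceptionPolicy -AllowBasicAuthImap | Out-Null
}
foreach ($upn in $exceptions) {
    Set-User -Identity $upn -AuthenticationPolicy $exceptionPolicy
    # Force the new policy to apply now instead of at the next token refresh (up to 24 hours).
    Set-User -Identity $upn -STSRefreshTokensValidFrom (Get-Date)
}

# 5. Verify: only the exceptions should carry an explicit policy; everyone else inherits the default.
Get-User -ResultSize Unlimited | Where-Object { $_.AuthenticationPolicy } |
    Select-Object UserPrincipalName, AuthenticationPolicy | Format-Table -AutoSize
```

Two caveats a practitioner will want: run step 1 for a few weeks against the Azure AD sign-in logs as well (the client app field shows IMAP4, POP3 and "Other clients" sign-ins) before turning anything off, so that the exception list is based on observed use rather than guesswork; and the exception accounts themselves remain password-only, so give them long random passwords, restrict them to the one protocol they need, and watch their sign-ins. An Azure AD Conditional Access policy that blocks the "Other clients" client-app type enforces the same thing at the identity layer for the users who are not on the exception list.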

Moving to the cloud concerns

When our team was at SecureWorld Philadelphia, we interviewed John DiLullo, CEO of security and cloud visibility firm Lastline, on why moving to the cloud takes more than many security and IT leaders expect:

"You need to see it and have visibility to it, but you also have this problem: you’ve actually increased your surface area because now you have instances all over the place. The computing environment is getting more complicated than it was in the past because of the cloud."

This certainly sounds familiar, doesn't it? 

The toy in the box needs "some assembly required," and the move to the cloud needs "some configuration required."

Read the complete CISA Analysis Report on Azure O365 Security for more information.
