Tools to drive your Zero Trust implementation

Today, someone said on a call that implementing a zero-trust model, was as difficult as learning a new language and did not know where to start.

PowerPoint Presentation I am trying to describe the areas and provide my peers with ideas on where to start with the basics of zero-trust. As you begin to assess your Zero Trust readiness and begin to plan on the changes to improve protection across identities, devices, applications, data, infrastructure, and networks. CIOs and IT personnel should consider these key areas to help drive the Zero Trust implementation more effectively.

  1. Strong authentication: Ensure strong multi-factor authentication and session risk detection as the backbone of your access strategy to minimize the risk of identity compromise.
  2. Policy-based adaptive access: Define acceptable access policies for your resources and enforce them with a consistent security policy engine that provides both governance and insight into variances.
  3. Micro-segmentation: Move beyond simple centralized network-based perimeter to comprehensive and distributed segmentation using software-defined micro-perimeters.
  4. Automation: Invest in automated alerting and remediation to reduce your mean time to respond (MTTR) to attacks.
  5. Intelligence and AI: Utilize cloud intelligence and all available signals to detect and respond to access anomalies in real time.
  6. Data classification and protection: Discover, classify, protect, and monitor sensitive data to minimize exposure from malicious or accidental exfiltration.

RBAC settings required to allow a non-administrator to request or initiate a JIT session

Today, I faced the challenge to grant a remote consultant temporary access to a VM in Azure.

Since, Bastion may be a cleaner way to access the service, we decided to try JIT via the Azure portal as it gives you a quick and easy access protected with MFA. I decided to AZURE AD federations and granted access to his account on his own domain and request MFA (External Access).

After giving the account permission to login to the VM the user got an error when invoking the JIT. The permission does not allow the user to request JIT. When the user clicked the connect option from Azure portal VM UI, it was showing JIT was not enabled on this particular VM. Therefore, the connection was failing. But JIT was enabled on the VM, and a subscription owner/contributor were able to see “Request Access” when clicked Connect.

I learned that one option will be to use the reader role. But that would have given extra visibility to the VM that I was not interested in exposing.

The solution was to create a custom role at the VM level and assigned the external user to the role.

The permission needed are as follows:

If you prefer to use the JSON, you may use the following:

{
    "properties": {
        "roleName": "Just In Time (JIT) Request",
        "description": "Created by Clopez. Allow non-administrator to request JIT",
        "assignableScopes": [
            "/subscriptions/bdd4aef1-176f-46b9-b150-40930ced4f32/resourceGroups/Falcon1"
        ],
        "permissions": [
            {
                "actions": [
                    "Microsoft.Security/locations/jitNetworkAccessPolicies/initiate/action",
                    "Microsoft.Security/locations/jitNetworkAccessPolicies/read",
                    "Microsoft.Security/policies/read",
                    "Microsoft.Compute/virtualMachines/read"
                ],
                "notActions": [],
                "dataActions": [],
                "notDataActions": []
            }
        ]
    }
}

The result was positive, and now the user has the options to request the JIT.

Enforce multi-factor verification for users (Best Practice 6/10)

Enabling two-factor authentication should be the standard and perhaps it should be enforced as the minimum requirements for authentication for any cloud service. Password are not safe, and users keeps making the same mistakes protection and securing their password.

I highly recommend that you require two-step verification for all of your users. This includes administrators and others in your organization who can have a significant impact if their account is compromised.

There are multiple options for requiring two-step verification. The best option for you depends on your goals, the Azure AD edition you’re running, and your licensing program. There are numerous options in Azure AD. From using the build-in option included in the regular subscription, to using Azure Multi-factor authentication server for on-premise services or using a third part solution such as DOU, VIPAccess, Okta, or RSAID with Federation.