
Real-World Standards for Application Security & Governance

October 2, 2024 Alistair Pugin

Real-World Standards for Enterprise Application Security & Governance

A few weeks ago, Nicolas Blank and I conducted a webinar on real-world standards for application security in Microsoft Entra ID. It formed part of our series on securing your identities in your Microsoft cloud environment, specifically what Entra ID offers when looking at applications running in your Microsoft 365 tenant and Azure subscription. We focused on the following core topics:

  • The differences between standards and frameworks (super important to understand this) 
  • The commonalities across standards and frameworks 
  • What this means for application security 
  • Changes that you should be making to your tenant to improve your security posture 

Let's recap what we covered in a more consumable manner.  

What is a Cybersecurity Standard? 

Why do standards exist? 

Worldwide, governments and organizations must meet or exceed specific regulations and requirements for security, data governance, compliance, data residency, and sovereign protections. These requirements vary according to local and national laws. 

Standards help organizations adhere to specific requirements that support security principles. Industry verticals have different standards. Healthcare is different to Petrochemical, which is different to retail, which is different to financial institutions. 

What is a Cybersecurity Framework? 

Why do frameworks exist? 

Security frameworks exist to provide organizations with a standardized approach to managing cybersecurity risks. They ensure consistency, help meet regulatory compliance, offer best practices, and guide effective incident response. Frameworks also promote continuous improvement and efficient resource allocation, helping organizations protect against evolving threats while staying compliant with legal obligations.

What are the Differences Between Cybersecurity Standards vs Frameworks? 

Figure 1: Key Differences

Standards are something that you must comply to because there is legislation, regulation or fiduciary requirements that your business must attain, in order to operate.  

Frameworks are guides that you can subscribe to, to improve your overall security posture. Ergo, it's not rigid and typically easier to follow.  

Commonalities across Cybersecurity Frameworks 

Figure 2: Commonalities 

As you can see from the image above, most, if not all frameworks address the same 5-6 core areas and pretty much achieve the same outcomes. Yes, you get to choose which framework best suits your needs.  

The benefits of using a framework and/or standards include ensuring compliance with regulatory requirements, policy alignment, enablement of proactive security measures, accountability, and risk reduction.  

Figure 3: What frameworks and standards provide 

Improving your security posture in Entra ID 

To enhance the security posture of your organization's application registrations in Microsoft Entra ID, here are several steps you can take:

1. Use Conditional Access for App Registrations

Figure 4: Disable user app registrations.

  • Implement Conditional Access Policies to restrict who can register and use applications.  
  • Apply restrictions based on user roles, device compliance, location, or multi-factor authentication (MFA) requirements.  

Figure 5: Admin Center's Access Rule

2. Enforce Multi-Factor Authentication (MFA)

  • Require MFA for users and service principals when accessing sensitive applications, especially during registration and configuration changes.  
  • Use MFA with Conditional Access Policies.


Figure 6: Risk evaluation decision process – Source 

3. Limit Privileged Access

  • Use Privileged Identity Management (PIM) to restrict and monitor privileged roles like Application Administrator or Cloud Application Administrator 
  • Implement just-in-time (JIT) access for elevated privileges.
  • Read our blog post to better understand Microsoft Entra Administrator Roles & Application Access

Figure 7: PIM in Azure.

4. Use Managed Identities Instead of Client Secrets

  • Prefer Managed Identities for Azure resources over client secrets to avoid the need for long-lived credentials, reducing attack surface.  
  • If secrets are necessary, enforce short expiration periods and use Azure Key Vault for secret storage. 

5. Implement App Consent Policies

  • Control which apps can request permissions to sensitive data by enabling Admin Consent Policies. This helps prevent unauthorized apps from gaining excessive permissions.  
  • Use the "User consent settings" to limit which permissions users can grant without admin approval.  
  • Check out our blog post on this topic: Entra ID Application Consent: What Identity Admins Need to Know

Figure 8: Disable user consent.

Figure 9: Assign Admin Consent Reviewers/Approvers.

6. Monitor Entra ID App Activity and Audit Logs

  • Use Entra ID Sign-In Logs and Audit Logs to track application activity.  
  • Set up alerts for unusual activities, such as unapproved app registrations or permission escalation.  

Figure 10: Sign-in logs

Figure 11: Audit Logs
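To make step 6 concrete, here is an added example (not code from the original post or from ENow) of the alerting logic one would run over exported Entra ID audit events: it flags application changes made by accounts outside an approved admin group, and consent grants that include tenant-wide permissions. The event shape follows the Entra audit-log export (activityDisplayName, initiatedBy, targetResources, modifiedProperties); the sample events, the admin list, the "high-privilege" permission set and the parsing of ConsentAction.Permissions as "Scope: A B C" text are assumptions for this demo.

```python
import re
# Audit operations that change the application estate (names as Entra logs them).
WATCHED_OPERATIONS = {"Add application", "Consent to application",
                      "Add app role assignment to service principal"}
# Permissions that amount to tenant-wide control (assumption: tune to your tenant).
HIGH_PRIVILEGE_SCOPES = {"Directory.ReadWrite.All", "Application.ReadWrite.All",
                         "RoleManagement.ReadWrite.Directory"}
def granted_scopes(event):
    """Scopes from a consent event; assumes Entra's 'Scope: A B C' text layout."""
    scopes = set()
    for res in event.get("targetResources", []):
        for prop in res.get("modifiedProperties", []):
            if prop.get("displayName") == "ConsentAction.Permissions":
                for m in re.finditer(r"Scope:\s*([^,\]]+)", prop.get("newValue", "")):
                    scopes.update(m.group(1).split())
    return scopes

def evaluate(event, admin_upns):
    """Return alert reasons for one audit event; an empty list means no alert."""
    op = event.get("activityDisplayName", "")
    if op not in WATCHED_OPERATIONS or event.get("result") != "success":
        return []
    reasons = []
    actor = event.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "").lower()
    if actor and actor not in admin_upns:   # change made by someone outside the admin group
        reasons.append(f"{op} by non-admin {actor}")
    risky = granted_scopes(event) & HIGH_PRIVILEGE_SCOPES
    if risky:                               # permission escalation, whoever did it
        reasons.append(f"{op} granted {', '.join(sorted(risky))}")
    return reasons

def scan(events, admin_upns):
    # Evaluate every exported audit event; returns (timestamp, reason) pairs.
    return [(e["activityDateTime"], r) for e in events for r in evaluate(e, admin_upns)]

# Constructed sample events in the shape of an Entra audit-log export (test data only).
SAMPLE_EVENTS = [
    {"activityDateTime": "2024-10-01T09:12:00Z", "activityDisplayName": "Add application",
     "result": "success", "initiatedBy": {"user": {"userPrincipalName": "alice@contoso.example"}},
     "targetResources": [{"displayName": "Quarterly Report Helper", "modifiedProperties": []}]},
    {"activityDateTime": "2024-10-01T09:15:00Z", "activityDisplayName": "Consent to application",
     "result": "success", "initiatedBy": {"user": {"userPrincipalName": "appadmin@contoso.example"}},
     "targetResources": [{"modifiedProperties": [{"displayName": "ConsentAction.Permissions",
      "newValue": "[] => [[Scope: User.Read offline_access, ExpiryTime: ]]"}]}]},
    {"activityDateTime": "2024-10-01T09:20:00Z", "activityDisplayName": "Consent to application",
     "result": "success", "initiatedBy": {"user": {"userPrincipalName": "bob@contoso.example"}},
     "targetResources": [{"modifiedProperties": [{"displayName": "ConsentAction.Permissions",
      "newValue": "[] => [[Scope: Directory.ReadWrite.All User.Read, ExpiryTime: ]]"}]}]},
]
ADMIN_UPNS = {"appadmin@contoso.example"}
```

Running scan(SAMPLE_EVENTS, ADMIN_UPNS) yields three alerts: the registration by alice, and two for bob's consent (non-admin actor, and Directory.ReadWrite.All granted); the admin's consent of User.Read produces none.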

7. Regularly Review Permissions and Roles

  • Conduct regular reviews of the permissions granted to apps and ensure that they only have the minimum necessary access (principle of least privilege).  
  • Utilize the API Permissions page to audit application permissions.  
  • Securely manage API permissions by ensuring that applications only request the required API scopes and enforce consent reviews for sensitive APIs.  
  • Check out our blog post to learn more about Application Permissions via App Registrations

Figure 12: API permissions per App.
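Steps 4 and 7 both come down to a periodic review of what each app registration holds. The following added example (not from the original post or from ENow) reviews a constructed inventory of app registrations and reports long-lived or expired client secrets, high-privilege app-only roles, and apps with no recorded sign-in. The credential fields follow the Graph application object's passwordCredentials shape; the appRoles list (role names pre-resolved from the app role assignments), the lastSignIn field, the 180-day policy and the high-privilege role set are assumptions for this demo.

```python
from datetime import datetime, timedelta, timezone

MAX_SECRET_LIFETIME = timedelta(days=180)   # policy value assumed for this example
# App-only Graph roles that grant tenant-wide reach (assumption: tune to your tenant).
HIGH_PRIVILEGE_ROLES = {"Directory.ReadWrite.All", "Application.ReadWrite.All",
                        "RoleManagement.ReadWrite.Directory", "Mail.ReadWrite"}

def _iso(ts):
    # Graph timestamps end in 'Z'; fromisoformat needs an explicit offset on older Pythons.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def review_app(app, now):
    """Return findings for one app registration record (empty list = clean)."""
    findings = []
    for cred in app.get("passwordCredentials", []):
        start, end = _iso(cred["startDateTime"]), _iso(cred["endDateTime"])
        if end < now:
            findings.append(f"expired secret {cred['keyId']} (ended {end.date()})")
        elif end - start > MAX_SECRET_LIFETIME:
            findings.append(f"secret {cred['keyId']} lifetime {(end - start).days}d exceeds policy")
    risky = set(app.get("appRoles", [])) & HIGH_PRIVILEGE_ROLES
    if risky:
        findings.append("high-privilege app-only roles: " + ", ".join(sorted(risky)))
    if app.get("lastSignIn") is None:   # assumed: joined in from service principal sign-in logs
        findings.append("no recorded sign-in; candidate for removal")
    return findings

def review(apps, now):
    """Map display name -> findings, omitting apps with nothing to report."""
    return {a["displayName"]: f for a in apps if (f := review_app(a, now))}

NOW = datetime(2024, 10, 1, tzinfo=timezone.utc)   # fixed clock so results are stable
# Constructed inventory (test data only).
SAMPLE_APPS = [
    {"displayName": "Payroll Sync", "lastSignIn": "2024-09-30T06:00:00Z",
     "passwordCredentials": [{"keyId": "kid-001", "startDateTime": "2023-01-01T00:00:00Z",
                              "endDateTime": "2025-01-01T00:00:00Z"}],
     "appRoles": ["Mail.ReadWrite", "User.Read.All"]},
    {"displayName": "Legacy Reporting", "lastSignIn": None,
     "passwordCredentials": [{"keyId": "kid-002", "startDateTime": "2023-06-01T00:00:00Z",
                              "endDateTime": "2024-06-01T00:00:00Z"}],
     "appRoles": ["User.Read.All"]},
    {"displayName": "Ticket Bot", "lastSignIn": "2024-09-29T12:00:00Z",
     "passwordCredentials": [], "appRoles": ["Sites.Read.All"]},   # uses a managed identity
]
```

review(SAMPLE_APPS, NOW) reports Payroll Sync (two-year secret, Mail.ReadWrite) and Legacy Reporting (expired secret, never signed in), and nothing for Ticket Bot.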

8. Use Identity Protection and Risk-Based Policies

  • Use Microsoft Entra ID Identity Protection (License requirement) to detect and respond to suspicious activities related to app usage.  
  • Apply risk-based policies for high-risk sign-ins, enforcing additional verification methods.  

Figure 13: Entra ID Identity Protection features – Source.

 

In closing, we recommend doing more than just the eight steps above, but they are a great start. They will give you a better sense of what is going on in your Entra ID tenant and a better grasp of how enterprise applications get registered and deployed in your Microsoft cloud environment. You can watch the full webinar recording on-demand here.

On October 6th, we'll be breaking down Security Frameworks one step further and discussing how to apply a Zero Trust Security Framework for Entra ID Enterprise Application Security. 

Upcoming Webinar: Zero Trust for Application Security in Entra ID

When: Wednesday, October 6, 2024 at 10 am PT / 1 pm ET. 

Register Here

Do you know how many unused or risky applications reside in your tenant that could be increasing your attack surface and creating a security risk? The ENow AppGov Score is a free security assessment tool that will quantify your application governance state quickly.  In addition to providing your AppGov Score, the tool will provide a comprehensive Application Governance Assessment report that includes each test, your result and why the test matters. Sign up to get your score and assessment report in just a few minutes - Get Your AppGov Score today!


Alistair Pugin

Written by Alistair Pugin

M365 + Security MVP | Blogger | Podcaster | Speaker | Founder, CEO - YModernize

Alistair has worked in various capacities in multiple verticals from retail-manufacturing to government, spanning 50 to 50000 users utilizing all aspects of pure Enterprise Information Management.

Specialties: 20+ years pure IT, 16 years ECM, Livelink, Zylab, SharePoint, FileNet, etc. IT Pro dabbling in Dev, ECM Consultant, Suffering from Technophilia. Technology Architect specializing in Business Productivity Enrichment.