Top 10 Entra ID Application Security Risks to Look For - Join us on 8/21!
August 15, 2024 • Alistair Pugin
Data Breaches and You. Yes, you. This ain't a dress rehearsal.
Data Breach. DATA BREACH. We've seen it everywhere. Literally everywhere. Companies like IBM and the Ponemon Institute produce yearly reports on the subject. You can access IBM’s Cost of a Data Breach report here.
Ever wonder why companies the size of IBM would spend the GDP of a small country on creating a yearly report? It's because of "data breaches!"
Don't believe me? Let's look at some recent news then:
- August 1st: Personal Data of 3 Billion People Stolen in Hack - Bloomberg
- August 6th: Thousands of Devices Wiped Remotely Following Mobile Guardian Hack - Security Week
- August 7th: UK health services call-handling vendor faces $7.7M fine over 2022 ransomware attack - The Register
That's just some of what has been made publicly available since the beginning of August 2024. It's important to note, too, that one of the above updates concerns a 2022 data breach; the impact can have a very long tail. Recovering from the financial, legal, and reputational damage of a data breach can take many years.
So, what is a data breach?
(I asked our Nvidia overlords, ChatGPT specifically)
"A data breach occurs when unauthorized individuals access, disclose, or steal sensitive, confidential, or protected information. A breach can happen for various reasons, such as cyberattacks, insider threats, accidental exposure, or physical theft of devices. Data breaches can involve different data types, including personal information (e.g., social security numbers, credit card details), corporate secrets, intellectual property, or other sensitive information.
The consequences of a data breach can be severe, leading to financial losses, legal liabilities, reputational damage, and loss of customer trust. Organizations often must report breaches to regulatory bodies and affected individuals, especially if the breach involves personally identifiable information (PII). Security measures like encryption, access controls, and regular security audits are essential to prevent and mitigate the impact of data breaches."
TLDR: People steal your data. Simple.
I wrote about the anatomy of a cyber attack at the beginning of the year, and to be Frank and Ernest, cyber attacks are not slowing down. As we saw with Midnight Blizzard's attack on Microsoft, vulnerable applications can be exploited to quickly escalate privileges and gain access to sensitive corporate data. Unless you consistently and proactively work to improve your application security posture, your risk exposure is only growing. This is your wake-up call. You need to pay attention.
Understanding what is happening in your Entra ID cloud environment is the only way to minimize your risk. Now, yes, this post focuses on Microsoft technology specifically, but these principles are the same across other public and private cloud provider services.
You have three parts to this Entra ID security story:
- Identity
- Permissions
- Applications
Let’s dig into each one further:
Identity (Authentication)
Everything starts and ends with an identity. In the context of Entra ID (formerly Azure AD), an "Identity" refers to a digital representation of a user, application, or device that can be authenticated and authorized to access resources within an organization's IT environment, be it a virtual machine, an application, or any other solution the platform provides.
Here's how it breaks down:
- User Identity: This is the unique digital profile of an individual within the organization. It includes credentials (like a username and password) and attributes such as name, email address, role, and department.
- Application Identity: Applications can also have identities in Entra ID, i.e., a service principal. This enables secure and controlled interaction between applications and services in the cloud without relying on a user's identity. In essence, a service principal is the application or service equivalent of a user identity, allowing non-human entities to be authenticated and authorized within Entra ID.
- Device Identity: Devices like laptops and smartphones can have their own identities. This type of identity allows an organization to manage and control access to resources based on the device's security posture and compliance status.
An Entra ID identity is the foundation for securing access to resources, enabling single sign-on (SSO), and enforcing policies for authentication, authorization, and compliance across an organization's digital ecosystem.
Permissions (Authorization)
Once your identity is verified, you can access specific services inside your environment. Two users might have different permissions for various reasons, including their department, role, seniority, project involvement, geography, compliance requirements, and security clearance, to name a few.
These differences in permissions help maintain security, ensure proper access control, and align with organizational policies. Permissions are central to Privileged Identity Management (PIM) principles in Entra ID, as PIM focuses on controlling, managing, and monitoring those who have elevated or privileged permissions within an organization. PIM best practices recommend that elevated permissions are granted only when necessary, typically on a just-in-time basis and for a limited duration, to reduce the risk of unauthorized access or privilege misuse.
Applications (Solutions)
These are the applications that you need to interact with. It could be your collaboration platform like Microsoft Teams, a third-party ERP system, or even a bespoke application built by your organization. An Entra ID application is a registered entity that represents a software application or service, enabling it to integrate and interact with other resources within the Entra environment or external systems. The application has a unique identity and can be configured with permissions, roles, and access policies to perform specific tasks or access data securely.
Applications in Entra ID can be classified into two main types:
- Single-tenant applications are typically internal tools or services used by a single organization and are only accessible within that organization's Entra tenant.
- Multi-tenant applications can be accessed by multiple Entra ID tenants, meaning they can be used by users and organizations outside the one that registered the application. Many SaaS applications like Microsoft 365 are considered multi-tenant apps.
The Rapid Change of Cybersecurity
How we used to protect our IT world
In the old days, these parts were protected by a physical boundary, predominantly your office. We call that a perimeter. Back then, we had people and companies that sold and managed firewalls. You had to physically show up to the building, connect to the building's network, and access information that way. Life was good.
Today's cybersecurity topology
Modern times dictate that we access information from anywhere on the planet, even from space (cue weird Starlink music). Many of us work from anywhere, anytime, from any device. That means that information is no longer protected just by firewalls and perimeter security. The guardrails have changed. How we build applications has changed, and in so doing, our security requirements for protecting our information have also had to change.
It's no longer about the firewall. It's about how you, as an organization, provide access to the applications that run your business to your users. Because of this proverbial "changing of the guard," you need new ways to protect and, more importantly, understand how applications are provisioned and processed in your environment. That's what all of this is really about.
Strengthen Entra ID security by starting with these questions
- Do you understand how Identity impacts Permissions?
- Do you understand how Identity and Permissions come into play when accessing applications?
- What data do the applications in your Entra ID tenant have access to?
- How do applications talk to each other? (Not talk, that's coming when AI becomes sentient).
- What identities have access to what applications?
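One way to start answering the questions above, in particular "what data do the applications in your tenant have access to" and "which of them are third-party, multi-tenant apps", is to review the delegated permission grants recorded in Entra ID. The script below is an added example and not part of the original post or any ENow tooling. It assumes an export shaped like Microsoft Graph's servicePrincipal and oauth2PermissionGrant resources (the objects returned by GET /servicePrincipals and GET /oauth2PermissionGrants); every record, GUID and app name in it is constructed sample data, and the "high impact" scope rule is a simple heuristic of my own, not a Microsoft classification.

```python
"""Review which Entra ID applications can reach which data, offline.

Added example, not from the original post. Input shape follows Microsoft
Graph's servicePrincipal and oauth2PermissionGrant resources; all records,
GUIDs and names below are constructed sample data, not a real tenant.
"""
from dataclasses import dataclass, field

# Constructed placeholder for the reviewing tenant's ID.
HOME_TENANT_ID = "11111111-1111-1111-1111-111111111111"

# Constructed service principals (subset of Graph's servicePrincipal fields).
# appOwnerOrganizationId is the tenant that registered the application; when it
# differs from ours, the app is a third-party (multi-tenant) application.
SERVICE_PRINCIPALS = [
    {"id": "sp-payroll", "displayName": "Contoso Payroll Portal",
     "signInAudience": "AzureADMyOrg", "appOwnerOrganizationId": HOME_TENANT_ID},
    {"id": "sp-mailsync", "displayName": "Mail Sync Helper",
     "signInAudience": "AzureADMultipleOrgs",
     "appOwnerOrganizationId": "22222222-2222-2222-2222-222222222222"},
]

# Constructed delegated permission grants (Graph oauth2PermissionGrant shape).
# consentType "AllPrincipals" is an admin consent covering every user in the
# tenant; "Principal" is one user's own consent and carries that user's id.
OAUTH2_PERMISSION_GRANTS = [
    {"clientId": "sp-payroll", "consentType": "Principal", "principalId": "user-1",
     "resourceId": "sp-graph", "scope": "User.Read offline_access"},
    {"clientId": "sp-payroll", "consentType": "AllPrincipals", "principalId": None,
     "resourceId": "sp-graph", "scope": "Directory.Read.All"},
    {"clientId": "sp-mailsync", "consentType": "AllPrincipals", "principalId": None,
     "resourceId": "sp-graph", "scope": "Mail.ReadWrite Mail.Send User.Read.All"},
]


@dataclass
class Finding:
    app: str
    third_party: bool          # application registered in another tenant
    tenant_wide: bool          # admin consent on behalf of all users
    high_impact_scopes: list = field(default_factory=list)
    risk: str = "low"


def parse_scopes(scope: str) -> list:
    """Graph stores delegated scopes as one space-separated string."""
    return [s for s in (scope or "").split(" ") if s]


def is_high_impact(scope: str) -> bool:
    """Heuristic (assumption): directory-wide reads (.All), any write
    (ReadWrite) and send rights are treated as high impact."""
    return scope.endswith(".All") or "ReadWrite" in scope or scope.endswith("Send")


def assess(service_principals, grants, home_tenant=HOME_TENANT_ID) -> list:
    """Join each grant to its client app and rate it; highest risk first."""
    by_id = {sp["id"]: sp for sp in service_principals}
    findings = []
    for g in grants:
        sp = by_id.get(g["clientId"])
        name = sp["displayName"] if sp else f"<unknown {g['clientId']}>"
        third_party = bool(sp) and sp.get("appOwnerOrganizationId") != home_tenant
        tenant_wide = g.get("consentType") == "AllPrincipals"
        high = [s for s in parse_scopes(g.get("scope")) if is_high_impact(s)]
        if tenant_wide and high:
            risk = "high"        # every user's data reachable with broad scopes
        elif tenant_wide or high:
            risk = "medium"      # broad reach or broad scopes, not both
        else:
            risk = "low"
        findings.append(Finding(name, third_party, tenant_wide, high, risk))
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: (order[f.risk], f.app))


def summarize(findings) -> str:
    """One line per grant, suitable for a review sheet."""
    lines = []
    for f in findings:
        who = "third-party" if f.third_party else "first-party"
        reach = "all users" if f.tenant_wide else "one user"
        scopes = ", ".join(f.high_impact_scopes) or "no high-impact scopes"
        lines.append(f"[{f.risk:<6}] {f.app} ({who}, consent for {reach}): {scopes}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(assess(SERVICE_PRINCIPALS, OAUTH2_PERMISSION_GRANTS)))
```

Against a real tenant you would replace the two constructed lists with the JSON returned by Graph (the same field names apply), and extend the review to application permissions (appRoleAssignments), which this delegated-only example does not cover. The useful output is not the rating itself but the join: which app, registered by whom, can reach whose data with which scopes, which is exactly the inventory the questions above ask for.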
To bring it full circle, everyone from your users to administrators to executives should take security and data breach prevention seriously—as seriously as you take drinking water daily. It's not something that you can worry about tomorrow or the next day. It's a now task.
Threat actors and adversaries don't wait for you to determine what that managed identity has access to. They probably know more about that managed identity than you do. We all need to get to grips with what is going on in our environments!
At a loss with how to secure Entra ID applications?
Join us on 8/21 for a webinar to get informed about this growing risk!
We’ve been focused on solving this problem over the last year. Let us tell you where to start:
- what to look for,
- how to assess your environment,
- how to build a risk profile from that assessment, and
- how to build a remediation plan.
That'll give you your roadmap to closing the application security holes in your Entra ID platform (Security Posture Management 101). That's why we want to talk to you and why we planned this webinar.
Join me and co-host Nicolas Blank for another killer session hosted by ENow. On August 21st, we will discuss the Top 10 Entra ID Application Security Risks to Look For. Register to join live or get access to the recording.
Let us help you. "Help me, Help you."
Written by Alistair Pugin
M365 + Security MVP | Blogger | Podcaster | Speaker | Founder, CEO - YModernize
Alistair has worked in various capacities in multiple verticals from retail-manufacturing to government, spanning 50 to 50000 users utilizing all aspects of pure Enterprise Information Management.
Specialties: 20+ years pure IT, 16 years ECM, Livelink, Zylab, SharePoint, FileNet, etc. IT Pro dabbling in Dev, ECM Consultant, Suffering from Technophilia. Technology Architect specializing in Business Productivity Enrichment.