As companies continue rapid adoption of public cloud deployments, even the best security intentions can fall short due to a reliance on overly permissive default settings and configurations. A number of high-profile breaches have been traced back to an adversary gaining access by exploiting this kind of accidental misconfiguration. This demo and article will focus on the Azure Identity service configurations and policy options.
Falcon Horizon provides cloud security posture management to help organizations identify and respond to cloud security issues. Its dashboard provides an overview of the assessment findings related to cloud configurations as well as potentially malicious behaviors.
Assessments are based on policies that CrowdStrike has developed for the different cloud services. A complete list for each provider can be found on the Policies tab along with details and compliance information for both the configuration and behavioral policies. In addition, the severity for each policy can be customized and enabled or disabled by account or region.
Policies for Azure Identity Service
Specifically for Azure’s Identity service, some policies are aligned with CIS and PCI guidelines. However, CrowdStrike goes beyond that to offer more granular information. Below, the two highlighted configuration policies are designed to identify deprecated accounts. Because those accounts are unused, removing them as recommended eliminates any risk of those neglected credentials being compromised.
Another important aspect of the Identity service is authentication. Multi-factor authentication is not required by default, and there are three separate ways to enforce MFA in Azure, which complicates both visibility and auditing. Assessing the Falcon Horizon policies highlighted below ensures that the proper configurations are in place for owners, users and privileged users.
As an example, the policy details include a severity and description as well as an outline of remediation steps. In this case, by enabling the security default policy, users will be required to use multi-factor authentication to gain access.
There are also behavioral policies to detect multiple failed logins and when a user has disabled MFA.
Because overly permissive or unnecessary access to company data can represent a tremendous risk, there are specific Identity policies to monitor the configuration around how users can grant access consent. Assessment of these policies helps ensure that company data is properly protected and access is only granted to applications with a specific requirement.
Also, behavioral policies are available to monitor if a user turns on user-controlled application consent or if a user grants an application access to Active Directory data.
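The MFA and consent settings described above can also be checked offline from exported policy JSON. The following is an added example, not CrowdStrike's code or Falcon Horizon's policy logic. It assumes the documents were exported from Microsoft Graph (`/policies/identitySecurityDefaultsEnforcementPolicy`, `/identity/conditionalAccess/policies`, `/policies/authorizationPolicy`), uses a constructed sample tenant and hypothetical function names, and covers security defaults and Conditional Access but not per-user MFA settings.

```python
# Added example: offline checks over exported Microsoft Graph policy JSON.
# Function names are hypothetical; the sample tenant below is constructed.
LEGACY = "ManagePermissionGrantsForSelf.microsoft-user-default-legacy"

def mfa_paths(security_defaults, ca_policies):
    """List the tenant-wide mechanisms that currently enforce MFA for all users."""
    paths = []
    if security_defaults.get("isEnabled"):
        paths.append("security-defaults")
    for pol in ca_policies:
        grant = pol.get("grantControls") or {}
        controls = grant.get("builtInControls") or []
        users = (pol.get("conditions") or {}).get("users") or {}
        # With "OR" and other controls, a sign-in can satisfy the policy without MFA.
        requires_mfa = "mfa" in controls and (grant.get("operator") == "AND" or len(controls) == 1)
        # Report-only policies log the outcome but do not enforce it.
        if pol.get("state") == "enabled" and requires_mfa and "All" in (users.get("includeUsers") or []):
            excluded = len(users.get("excludeUsers") or [])
            paths.append(f"conditional-access:{pol.get('displayName')} (excluded users: {excluded})")
    return paths

def user_consent(authorization_policy):
    """Classify the user-consent setting from permissionGrantPoliciesAssigned."""
    perms = authorization_policy.get("defaultUserRolePermissions") or {}
    assigned = perms.get("permissionGrantPoliciesAssigned") or []
    self_grants = [a for a in assigned if a.startswith("ManagePermissionGrantsForSelf.")]
    if not self_grants:
        return "disabled"
    return "legacy-default" if LEGACY in self_grants else "restricted"

def assess(tenant):
    """Return findings for MFA enforcement and user-controlled application consent."""
    findings = []
    if not mfa_paths(tenant["securityDefaults"], tenant["conditionalAccess"]):
        findings.append("MFA is not enforced tenant-wide")
    consent = user_consent(tenant["authorizationPolicy"])
    if consent != "disabled":
        findings.append(f"user consent to applications is {consent}")
    return findings

SAMPLE_TENANT = {  # constructed sample, shaped like Graph responses
    "securityDefaults": {"isEnabled": False},
    "conditionalAccess": [
        {"displayName": "Require MFA (pilot)", "state": "enabledForReportingButNotEnforced",
         "conditions": {"users": {"includeUsers": ["All"]}},
         "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    ],
    "authorizationPolicy": {"defaultUserRolePermissions": {
        "permissionGrantPoliciesAssigned": [LEGACY]}},
}

if __name__ == "__main__":
    for finding in assess(SAMPLE_TENANT):
        print("FINDING:", finding)
```

The sample tenant shows why auditing is awkward: a Conditional Access policy that requires MFA exists, but because it is in report-only state it enforces nothing.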
Attacks that leverage misconfigurations are on the rise. Falcon Horizon’s granular Identity policies provide the visibility and assessment needed to quickly identify potential exposures and take action to improve overall cloud security.