How to Avoid Identity Service Misconfigurations

Introduction

As companies continue rapid adoption of public cloud deployments, even the best security intentions can fall short due to a reliance on overly permissive default settings and configurations. A number of high-profile breaches have been traced back to an adversary gaining access by exploiting this kind of accidental misconfiguration. This demo and article focus on the Azure Identity service configurations and policy options.

Policy Assessments

Falcon Horizon provides cloud security posture management to help organizations identify and respond to cloud security issues. This dashboard provides an overview of the assessment findings related to cloud configurations as well as potentially malicious behaviors.

CSPM Azure Identity dashboard

Assessments are based on policies that CrowdStrike has developed for the different cloud services. A complete list for each provider can be found on the Policies tab, along with details and compliance information for both the configuration and behavioral policies. In addition, the severity of each policy can be customized, and each policy can be enabled or disabled by account or region.

CSPM Azure Identity Edit Policies

Policies for Azure Identity Service

Specifically for Azure’s Identity service, some policies are aligned with CIS and PCI guidelines. However, CrowdStrike goes beyond that to offer more granular information. Below, the two highlighted configuration policies are designed to identify deprecated accounts. Because those accounts are unused, the recommendation to remove them eliminates any risk of those neglected credentials being compromised.

CSPM Azure Identity Deprecated Accounts

Another important aspect of the Identity service is authentication. Multi-factor authentication is not required by default, and there are three separate ways to enforce MFA in Azure, which complicates both visibility and auditing. Assessing the Falcon Horizon policies highlighted below ensures that the proper configurations are in place for owners, users and privileged users.

CSPM Azure Identity MFA

As an example, the policy details include a severity and description as well as an outline of remediation steps. In this case, by enabling the security default policy, users will be required to use multi-factor authentication to gain access.

CSPM Azure Identity Details

There are also behavioral policies to detect multiple failed logins and when a user has disabled MFA.

CSPM Azure Identity MFA Behaviors

Because overly permissive or unnecessary access to company data can represent a tremendous risk, there are specific Identity policies that monitor how users are allowed to grant access consent. Assessment of these policies helps ensure that company data is properly protected and access is only granted to applications with a specific requirement.

CSPM Azure Identity Consent

Also, behavioral policies are available to monitor if a user turns on user-controlled application consent or if a user grants an application access to Active Directory data.

CSPM Azure Identity Consent Behaviors

Conclusion

Attacks that leverage misconfigurations are on the rise. Falcon Horizon’s granular Identity policies provide the visibility and assessment needed to quickly identify potential exposures and take action to improve overall cloud security.
