May 2, 2024 •ENow Software
It’s Ok to feel a little FOMO if you missed our webinar this past Wednesday on Entra ID Governance: Best Practices for Real-World Success, which was led by Microsoft Security MVP Alistair Pugin and Microsoft MVP/MCM/MCSM Nicolas Blank. Since we had such a phenomenal attendee turnout with a tremendous appetite for Entra ID Governance info, we decided to recap some of the high notes because ultimately, we want all IAM Admins, Consultants, Engineers, and Architects to benefit from a Best Practice Framework.
Recap
To start off, Al and Nic discussed the importance of Identity Governance in the cloud and how to govern Identities, with the evolution of technology from mainframes to public cloud and IoT and now with AI disrupting the mix.
They emphasized the need to move away from traditional security measures like firewalls and VPNs and instead focus on securing Identities, as those traditional perimeter security measures are no longer effective. They discussed the use of Conditional Access Policies as a way to enforce Zero Trust policies, stressing the need for organizations to implement sophisticated security configurations for protection against advanced attacks.
They underscored the importance of Identity Governance and its maturity modelling; elaborating on the various policies and roles that can be implemented to ensure the security of Identities, and the various tools available in Microsoft Entra Identity Governance Portal. They also covered risk profiling, and how critical Governance maturity risk profiling is in the context of application security. It’s vital that Identity admins understand the different types of Identities within an organization, how they interact with applications, and their associated risks. Nic explained the different types of Identities, including human, machine, and application Identities.
They unpacked the strategy behind Identity Governance, the importance of Multi-Factor Authentication (MFA) and safeguarding resources; as well as the lifecycle of Identities, and the need for a proper governance framework to manage them. They were explicit about the importance of taking inventory of what you actually have potentially lurking in your tenant - before you can fix, measure, or manage it. It’s critical that admins understand what access your Identity has granted to applications on your behalf, using the Midnight Blizzard hack to illustrate this point; in addition to the permissions granted to apps and how hackers can perform various actions based on those permissions.
They reviewed the concept and importance of regularly monitoring and growing the maturity of Identity Governance within an organization:
And the gravity of having policies and standards in place to properly manage Identity and access, and the need for Identity admins to understand their Identity stack by profiling applications to ensure they are being used effectively. And not just that, but the many challenges associated with removing outdated apps and permissions:
However, they also introduced the power of an automated third-party solution that can quickly quantify your application governance state, when you sign up to receive your free AppGov Score and coinciding Application Governance assessment report. The new ENow AppGov Score Freemium now offers 3 new Hunting Summary Reports, showing the number of apps with potential Midnight Blizzard-related vulnerabilities in Microsoft Entra ID.
Additionally, The ENow App Governance Accelerator 2.0 introduces powerful Hunting features, crafted to identify vulnerabilities and thwart potential threats lurking within your Microsoft Entra ID. In response to the surge in OAuth-related attacks, including those seen by Microsoft, these new Hunting capabilities offer proactive defense mechanisms so you can detect and defend. Enterprise and Professional edition subscribers unlock detailed Hunting reports, offering granular visibility into app permissions. Leveraging these features, you can stay one step ahead of malicious actors, safeguarding your organization's digital infrastructure
And now you’ll REALLY be feeling some FOMO after you hear about the special offer that was only available to attendees. NBConsult offered up to ten free 1:1 work shops, with Microsoft MVP/MCM/MCSM Nicolas Blank, and Microsoft Security MVP Matthew Levy, where they'll review the AppGov Score Application Governance Assessment Report, and share tangible next steps for the client to take.
STAY SECURE. STAY AHEAD. And make sure you don’t miss our next webinar!!!
Q&A
There were of course some questions, and Nic and Al confirmed that it is possible to decommission Active Directory and that legacy applications that cannot use modern authentication should be switched off.
There was also a question around NIST 2.0, and whether or not they reference anything around Identity Governance. So, Nic did some more research and put together a more comprehensive response which we are including here, and hope you find helpful. In Nic’s opinion, the answer is more 'yes' than it is 'no', since it is a compliance standard, which requires strong Governance by definition.
NIST 2.0 itself doesn't directly state anything specific about Identity Governance. However, it does create an environment where strong Identity Governance becomes essential for compliance. Here's how:
- Focus on Risk Management: NIST 2.0 emphasizes identifying and mitigating cybersecurity risks. Weak Identity Governance practices can be a significant security risk, making strong Governance crucial.
- Stricter Access Controls: The directive pushes for robust access control. Identity Governance plays a key role in defining who has access to what systems and data.
- Accountability and Transparency: NIST 2.0 holds senior management accountable for cybersecurity. Effective Identity Governance provides transparency into user access and strengthens accountability.
- Focus on Access Control: NIST 2.0 emphasizes robust access control policies, hinting at the importance of identity management as a foundation.
- Multi-Factor Authentication: The directive explicitly highlights the need for continuous and multi-factor authentication, aligning with a zero-trust security approach. Strong identity verification strengthens access control.
- Improved Auditing and Reporting: NIST 2.0 requires better methods for reporting and auditing security incidents. Identity management solutions often have features that facilitate this process.
While NIST 2.0 doesn't mandate specific Identity Governance practices, it indirectly compels organizations to improve them. Here's how Identity Governance helps with NIST 2.0 compliance:
- User Lifecycle Management: Ensures users are granted, reviewed, and revoked access appropriately throughout their employment.
- Entitlement Management: Defines and manages user permissions to specific systems and data.
- Access Request and Approval Processes: Provides a structured way to request, review, and approve access requests, minimizing human error.
Overall, NIST 2.0 compels organizations to implement stricter access controls. To achieve this effectively, organizations likely need an Identity and Access Management (IAM) system in place, such as:
- Role-Based Access Control (RBAC): Defines permissions based on user roles, ensuring users only have access to what they need.
- Single Sign-On (SSO): Allows users to access multiple applications with a single login, improving convenience and security.
Following these practices strengthens access management and helps organizations comply in the spirit of NIST 2.0, even though IAM isn't explicitly mandated. By implementing these Identity Governance practices, organizations can achieve the stricter access controls demanded by NIST 2.0.
If you missed the webinar, you can watch it On-Demand here.
ENow App Governance Accelerator evaluates your tenant’s Application Registrations, Enterprise Applications, and Global Tenant Settings, making identifying Application Ownership simple. Using the information in the Ownerless Apps report, for example, an organization can implement and maintain an application management delegation model beyond the built-in administrative roles.
The ENow AppGov Score is a free security assessment tool that provides a comprehensive Application Governance Assessment report that includes each test, your result and why the test matters. Sign up to get your score and assessment report in just a few minutes - Get Your AppGov Score today!
