Jul 30 2020
Near Zero O365 Security Without Zero Trust
The only way to have 100% trust in your Office 365 security is, ironically, to have zero trust. It sounds contradictory, but that is exactly what the concept means: you trust nothing by default, verify every request, and protect everything.
Zero trust is an important, but too often neglected, security management and protection paradigm. IT used to divide the world into a trusted internal network with trusted users and an untrusted external network with untrusted users. As part of this approach, for instance, IT installed a DMZ: a security zone sitting between the 'safe' internal network and the 'dangerous' outside world.
With the zero trust model, the organization only allows access between IT entities that genuinely have to communicate with each other. There is no such thing as a trusted user anymore, or even a trusted server. Instead, IT secures every communications channel, because it cannot assume that nobody is listening on the network path. IT removes generic access to anything; access has to be granted specifically, it cannot be inherited, and it has to have a purpose. This is the model Microsoft prescribes for implementing zero trust throughout an organization.
One problem is that implementing zero trust in Azure Active Directory (Azure AD) is highly complicated. “I think the Microsoft approach would probably get you there – eventually. In contrast, CoreView has a straightforward check box model that gets you to zero trust and least privilege access through our operator access and functional access control model,” explained CoreView solution architect Matt Smith. “Now contrast Microsoft’s complexity with the simple CoreView approach. Our permissions model is all check box-based. The example I typically use is mailboxes. If I want to give someone the ability to create mailboxes, I check a box. Now that person can create mailboxes. If I want to scope it, I put that person in a virtual tenant that is created in a couple of minutes just by looking at properties of Azure Active Directory. Now that person can only create mailboxes for people in the sales department, for example.”
This ties into role-based access control (RBAC) administration, since those mailbox permissions are function-based. CoreView can truly dive deep, and offer highly granular role-based permissions, including short-term admin roles. “If I want to give you the function as a help desk person of forwarding SMTP mail because somebody is out on long-term leave, I check some boxes. If I want to give it for just a period of time, I set off a workflow engine that says, ‘Grant this operator the ability to forward SMTP mail for a period of an hour or two.’ That works really well with workstation folks, who have to roll out OneDrive to workstations; you want to give these folks the ability to change the password on a desktop, but just for the next hour and a half or so while they are rolling out OneDrive,” Smith said.
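For comparison, the two scoping moves Smith describes (mailbox creation limited to one department, and an admin right that expires on its own after a couple of hours) can also be expressed with Microsoft's native tooling. The following is an added example written for this page; it is not CoreView's code and not taken from Microsoft documentation. It assumes the ExchangeOnlineManagement and Microsoft.Graph PowerShell modules, a session with sufficient rights (Exchange Administrator for part 1, Privileged Role Administrator for part 2), and Azure AD Premium P2 for the time-bound assignment, which relies on Privileged Identity Management (PIM). The scope name, role group name and the helpdesk account are placeholders.

```powershell
# Added example (not CoreView's or Microsoft's own code). Placeholders:
# "Sales Recipients", "Sales Mailbox Creators", helpdesk.user@contoso.example.

# --- Part 1: "create mailboxes, but only for Sales" (Exchange Online RBAC) ---
Connect-ExchangeOnline

# A management scope restricts which recipients a role assignment may write to.
New-ManagementScope -Name "Sales Recipients" `
    -RecipientRestrictionFilter "Department -eq 'Sales'"

# A role group carrying only the recipient-creation role, bound to that scope.
# Members can create recipients whose Department is Sales, and nothing else
# this role group does not grant (no password resets, no Teams settings).
New-RoleGroup -Name "Sales Mailbox Creators" `
    -Roles "Mail Recipient Creation" `
    -CustomRecipientWriteScope "Sales Recipients" `
    -Members "helpdesk.user@contoso.example"

# --- Part 2: "give it for an hour or two" (time-bound Azure AD role via PIM) ---
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "User.Read.All"

$user = Get-MgUser -UserId "helpdesk.user@contoso.example"
# Caveat: the native time-bound option works at the level of a whole directory
# role. Exchange Administrator is far broader than "forward one mailbox", which
# is exactly the granularity gap the article is talking about.
$role = Get-MgRoleManagementDirectoryRoleDefinition `
    -Filter "displayName eq 'Exchange Administrator'"

# An active assignment that PIM removes by itself after two hours (ISO 8601 PT2H).
$request = @{
    Action           = "adminAssign"
    PrincipalId      = $user.Id
    RoleDefinitionId = $role.Id
    DirectoryScopeId = "/"            # tenant-wide; an AU scope would be "/administrativeUnits/<id>"
    Justification    = "Temporary mail forwarding for a user on long-term leave"
    ScheduleInfo     = @{
        StartDateTime = (Get-Date).ToUniversalTime()
        Expiration    = @{ Type = "afterDuration"; Duration = "PT2H" }
    }
}
New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $request

# Check: confirm the assignment exists and carries an end time.
Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance `
    -Filter "principalId eq '$($user.Id)'" |
    Select-Object RoleDefinitionId, DirectoryScopeId, EndDateTime
```

Part 1 gives the scoping, part 2 gives the expiry, but note that the native pieces do not compose neatly: the Exchange role group has no expiry of its own, and the PIM assignment is scoped by directory role rather than by mailbox function. That mismatch is the practical reason time-bound, function-level grants are hard to build from the built-in primitives.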
Making Microsoft RBAC a Hundred Times Better
This is far simpler than the Microsoft role-based administration model. In Azure Active Directory, Microsoft has defined many built-in roles. One is Application Administrator, which grants permission to read, write or change 71 different attributes. “Nobody, not even folks at Microsoft, knows precisely what all of these attributes exactly mean and what this functionally gives the ability to do. How can an IT admin look the chief security officer (CSO) in the eye and say, ‘I gave them Application Administrator rights, and know precisely what he’s now able to do?’ They cannot. Moreover, Microsoft does not define what those rights are,” Smith argued.
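Whatever the individual actions mean in practice, the raw list of what a built-in Azure AD role is allowed to do is retrievable from the role definition itself, and an admin preparing for that CSO conversation should at least pull it. The following is an added example written for this page, not code from the article or from CoreView: it reads the allowed resource actions of Application Administrator from Microsoft Graph, groups them by the object type they touch, and diffs them against the narrower Application Developer role. It assumes the Microsoft.Graph module and a session with RoleManagement.Read.Directory; the counts you see depend on Microsoft's current role definitions, so they need not match the figure quoted above.

```powershell
# Added example (not from the article or CoreView). Requires Microsoft.Graph.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory"

function Get-RoleActions {
    param([string]$DisplayName)
    $role = Get-MgRoleManagementDirectoryRoleDefinition `
        -Filter "displayName eq '$DisplayName'"
    if (-not $role) { throw "Role '$DisplayName' not found in this tenant" }
    # A role definition holds one or more rolePermissions blocks, each with a list
    # of allowedResourceActions such as
    # "microsoft.directory/applications/credentials/update". Flatten and dedupe.
    $role.RolePermissions |
        ForEach-Object { $_.AllowedResourceActions } |
        Sort-Object -Unique
}

$appAdmin = Get-RoleActions "Application Administrator"
$appDev   = Get-RoleActions "Application Developer"

"Application Administrator: $($appAdmin.Count) resource actions"
"Application Developer:     $($appDev.Count) resource actions"

# Group by the second path segment (the object type: applications,
# servicePrincipals, ...) so the breadth of the role is readable at a glance.
$appAdmin |
    Group-Object { ($_ -split '/')[1] } |
    Sort-Object Count -Descending |
    Format-Table Name, Count -AutoSize

# Everything the broader role may do that the narrower one may not. This is the
# list to reason about before handing out Application Administrator.
Compare-Object -ReferenceObject $appDev -DifferenceObject $appAdmin |
    Where-Object SideIndicator -eq '=>' |
    Select-Object -ExpandProperty InputObject
```

Running the same function against any other built-in role, or against a custom role, gives the same style of inventory, which is the minimum evidence an admin needs before asserting what a grant does and does not allow.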
In the CoreView model, if IT checks the box so a person can create mailboxes, that person can create mailboxes – but cannot do anything else. They cannot change somebody’s password, or look up what they are doing in Skype or in Teams. “This is a critical security area. Nobody has truly deployed least privilege access within the Microsoft Office 365 ecosystem – unless they use CoreView,” Smith said.
These concerns are too often overlooked – much to the detriment of O365 tenant security. “It’s a hard conversation to walk into the CSO’s office and say ‘You’ve been running at significant risk from a least privilege access standpoint since you implemented Office 365, which might’ve been several years ago. You’re not following best practices, and you don’t know what people are able to do in the platform.’ That is a tough conversation to have, and it has to be very delicate as well,” Smith argued.
Doug Barney was the founding editor of Redmond Magazine, Redmond Channel Partner, Redmond Developer News and Virtualization Review. Doug also served as Executive Editor of Network World, Editor in Chief of AmigaWorld, and Editor in Chief of Network Computing.