Microsoft CISO Workshop, Module 3:

Zero Trust Identity and User Access

Microsoft Cybersecurity Solutions Group

The presentation video for this module can be found at
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/ciso-workshop-module-3

Microsoft CISO workshop agenda:
• Kickoff and introduction
• Your strategy
• Lessons learned and principles of security management
• Identity and Zero Trust architecture (this module)
• Threat protection: (A) Identify-Protect, (B) Detect-Respond-Recover
• Information protection
• Joint planning
(Lunch)

TYPICAL STAKEHOLDERS for this module:
• Identity Security Architects
• Identity Architects
• Identity Operations Teams
• Collaboration/Productivity Lead

CISO WORKSHOP OBJECTIVE:
Learn how Microsoft can help you achieve your cybersecurity goals
Identity and Zero Trust User Access: module outline

CONTEXT
• Identity & Zero Trust history
• Zero Trust definition & models
• Strategy & priorities

ACCOUNTS & PASSWORDLESS
• Account security & ZT access control
• Going passwordless

ZERO TRUST ARCHITECTURE
• Building an identity perimeter
• Reference architecture

IDENTITY SYSTEMS
• Identity system security

3RD PARTY ACCOUNT RISK
• Partner access to corporate resources (B2B)
• Customer identities (B2C)
Why are we having a Zero Trust conversation?
Access Control: Keep assets away from attackers

1. IT security is complex
• Many devices, users, and connections

2. "Trusted network" security strategy
• Initial attacks were network based
• Seemingly simple and economical
• Accepted lower security within the network

3. Assets increasingly leave the network
• BYOD, WFH, mobile, and SaaS

4. Attackers shift to identity attacks
• Phishing and credential theft
• Security teams often overwhelmed
This "Zero Trust" idea has been evolving for a while

Timeline:
• ~2004: Network Access Control (NAC) architectures
• 2004: Jericho Forum formally established
• 2010: Forrester coins the "Zero Trust" term
• 2014: Microsoft advocates "Assume Breach"
• 2014: BeyondCorp published
• 2016: Conditional Access released
• 2017 onward: Passwordless initiative (ongoing)

Slow mainstream adoption for both the network and the identity model:
• Network: expensive and challenging to implement; Google's BeyondCorp success is rarely replicated
• Identity: natural resistance to big changes; security has a deep history/affinity with networking
Zero Trust Principles

Verify explicitly
• Always authenticate and authorize based on all available data points, including user identity, location, device health, data classification, and anomalies.

Least privilege
• Minimize user access with Just-In-Time and Just-Enough Access (JIT/JEA), risk-based adaptive policies, and data protection which protects data and productivity.

Assume breach
• Minimize the scope of breach damage and prevent lateral movement by segmenting access via network, user, device and application awareness. Verify all sessions are encrypted end to end. Use analytics to get visibility and drive threat detection.
Zero Trust Access Control Strategy
Never trust. Always verify.

Signal (to make an informed decision) -> Decision (based on the organization's policy) -> Enforcement (of policy across resources)

Signals
• Device risk: device management, threat detection, and more
• User risk: multi-factor authentication, behavior analytics, and more

Decision
• Apply to inbound requests
• Re-evaluate during the session
• Possible outcomes: allow full access; increase assurance and allow limited access; remediate risk; block access

Enforcement
• Modern applications
• SaaS applications
• Legacy applications
• And more
Zero Trust Access Control Paradigms

Control plane
• Network: apply Zero Trust policy to network connections
• Identity: apply Zero Trust policy to access requests

Industry proponents
• Network: network security vendors
• Identity: identity vendors

Overall effect
• Network: microsegmentation enhances the existing network perimeter by shrinking the "trusted network" to each server / IP address
• Identity: dual perimeter; adds an identity perimeter where "inside" is defined by authentication and authorization. Coexists with the network perimeter

Applicability/scope
• Network: limited to networks controlled by the customer. Doesn't protect modern SaaS and PaaS assets. Microsegmentation approach varies by vendor
• Identity: applies to all assets; natively protects modern cloud assets; protects legacy intranet assets via proxy

Differentiation
• Network: scope of assets where Zero Trust is enforced; threat intelligence signal integration
• Identity: integration of behavior analytics (UEBA) risk signal into decisions; use of ML across large datasets
• Microsoft focuses on protecting modern and legacy assets as well as integration of ML, UEBA, and massive, diverse threat intelligence signal

Common components
• Evaluate trust signals for devices & user identities with per-application policy
Microsoft's Recommended Zero Trust Priorities
Do the most important stuff first

1. Align segmentation strategy & teams by unifying network, identity, app, etc. into a single enterprise segmentation strategy (as you migrate to Azure)
2. Build an identity-based perimeter to protect modern and legacy enterprise assets
3. Refine the network perimeter using microsegmentation (if required for residual risk)
Integrating Zero Trust with Strategic Initiatives
Closely related to other initiatives

Zero Trust Identity Architecture
• Establish an identity perimeter with Conditional Access to resources

SOC Modernization
• Shift tooling and processes to the endpoint, identity, and application layers

Secure Administration
• Infrastructure/datacenter access for admins

Network Transformation
• Internet-only clients / firewalls for datacenters only
• Evaluate microsegmentation

Resource Modernization
• Enable ZT access to legacy apps
Zero Trust Model
Modern approach to access

Legend: trust signal; threat intelligence; full access; limited access

SIGNAL (to make an informed decision)
• User risk: multi-factor authentication? impossible travel? unusual locations? password leaked? ...and more
• Device risk: managed? compliant? infected with malware? ...and more
• Organization policy
• Integrated threat intelligence

DECISION (based on organizational policy)
• Security policy engine(s)
• Continuous risk evaluation

ENFORCEMENT (of policy across resources)
• Modern apps & protocols (Office 365, Dynamics 365): full access or limited access; monitor & restrict access
• Documents: sensitive data access
• Legacy apps {LDAP}: opportunity to reduce risk from full network access
• Networking: reduce risks using segmentation, threat protection, and encryption
• Remediate user and device risk
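The user-risk questions on this slide (impossible travel? unusual locations? password leaked? MFA?) are answered from sign-in telemetry. The following is an added example written for this page, not Microsoft's code and not part of the original deck: it derives those signals from a stream of sign-in events and collapses them onto the high/medium/low scale the slides use. The events, the city-to-coordinate table, the anonymous-IP list, the leaked-credential list and the scoring thresholds are all constructed assumptions; a real system resolves IP addresses to locations and pulls the lists from threat-intelligence feeds.

```python
"""Deriving user-risk signals from sign-in events (added example)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

# Constructed geolocation table: city -> (latitude, longitude).
GEO = {
    "London": (51.5074, -0.1278),
    "Manchester": (53.4808, -2.2426),
    "Singapore": (1.3521, 103.8198),
}
# Constructed threat-intelligence data (assumption: supplied by a TI feed).
ANONYMOUS_IPS = {"198.51.100.7"}                     # known anonymizer exit
LEAKED_CREDENTIAL_USERS = {"alice@contoso.example"}  # credential seen in a dump
MAX_PLAUSIBLE_SPEED_KMH = 1000.0  # faster than an airliner: impossible travel

@dataclass(frozen=True)
class SignIn:
    user: str
    when: datetime
    ip: str
    city: str
    mfa_satisfied: bool

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs."""
    (lat1, lon1), (lat2, lon2) = a, b
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    h = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def impossible_travel(prev, cur):
    """True when the user would have had to exceed MAX_PLAUSIBLE_SPEED_KMH."""
    distance = haversine_km(GEO[prev.city], GEO[cur.city])
    hours = (cur.when - prev.when).total_seconds() / 3600
    if hours <= 0:  # same instant, two places
        return distance > 0
    return distance / hours > MAX_PLAUSIBLE_SPEED_KMH

def user_risk_signals(history, current):
    """Risk signals raised by `current`, given the user's earlier sign-ins."""
    prior = [s for s in history if s.user == current.user and s.when < current.when]
    signals = set()
    known_cities = {s.city for s in prior}
    if known_cities and current.city not in known_cities:
        signals.add("unfamiliar_location")
    if current.ip in ANONYMOUS_IPS:
        signals.add("anonymous_ip")
    if current.user in LEAKED_CREDENTIAL_USERS:
        signals.add("leaked_credential")
    if not current.mfa_satisfied:
        signals.add("no_mfa")
    if prior and impossible_travel(max(prior, key=lambda s: s.when), current):
        signals.add("impossible_travel")
    return signals

def user_risk_level(signals):
    """Assumption for the example (not Identity Protection's real scoring):
    a leaked credential, or two or more signals, is high; one is medium."""
    if "leaked_credential" in signals or len(signals) >= 2:
        return "high"
    return "medium" if signals else "low"

def evaluate(history, current):
    signals = user_risk_signals(history, current)
    return user_risk_level(signals), sorted(signals)

# Constructed sign-in stream (not real telemetry).
def _t(hour, minute=0):
    return datetime(2024, 3, 1, hour, minute, tzinfo=timezone.utc)

HISTORY = [
    SignIn("alice@contoso.example", _t(9), "203.0.113.10", "London", True),
    SignIn("bob@contoso.example", _t(8), "203.0.113.11", "London", True),
    SignIn("carol@contoso.example", _t(8, 30), "203.0.113.12", "London", True),
]
CURRENT = [
    # London at 09:00, Singapore at 10:00, via an anonymizer, without MFA.
    SignIn("alice@contoso.example", _t(10), "198.51.100.7", "Singapore", False),
    # First sign-in from a new city, but reachable in four hours.
    SignIn("bob@contoso.example", _t(12), "203.0.113.13", "Manchester", True),
    # Usual city, MFA satisfied.
    SignIn("carol@contoso.example", _t(11), "203.0.113.12", "London", True),
]

def run_example():
    """Return {user: (level, signals)} for the constructed stream."""
    return {c.user: evaluate(HISTORY, c) for c in CURRENT}

if __name__ == "__main__":
    for user, (level, signals) in run_example().items():
        print(f"{user}: {level} {signals}")
```

The point of the example is that no single attribute decides the outcome: Bob's new city alone only raises the level to medium (a step-up-to-MFA case on the later slides), while Alice accumulates several independent signals and reaches high, which is what continuous risk evaluation is meant to surface.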

Zero Trust User Access: reference architecture

Legend: risk mitigation; remediation path

SIGNAL (to make an informed decision)
User threat/risk signals:
• Azure AD Identity Protection: leaked credential protection, behavioral analytics, user risk
• Azure ATP
• Cloud App Security: user/session risk
Device threat/risk signals:
• Microsoft Defender ATP: device risk
• Microsoft Intune: IsCompliant
• Partner MDM
• Active Directory: IsManaged
Organization policy
Intelligent Security Graph (ISG): 6.5 trillion signals/day

DECISION (based on organizational policy)
Azure Active Directory (Azure AD) Conditional Access. Policy is evaluated on:
• Initial access request
• Change in posture (AADIP signal)

ENFORCEMENT (of policy across resources)
• Microsoft applications: Office 365, Dynamics 365
• Cloud infrastructure: Azure Resource Manager, Azure Portal, Linux login
• Azure AD B2B
• Modern applications
• SaaS applications: Cloud App Security Conditional Access App Control
• Legacy apps {LDAP}: Azure AD App Proxy (secure VPN replacement)
• Documents: Azure Information Protection (AIP)
• Mobile apps: Microsoft Intune (MAM functionality), approved apps
Enforcement outcomes: lower access; restricted session; monitor & restrict access

Risk mitigation / remediation paths:
• Increase trust by requesting MFA: Windows Hello for Business, Azure MFA
• Remediate leaked credential (requires MFA): Azure AD Self Service Password Reset (SSPR)
Securing identity systems
Most major breaches target identity systems to get rapid access/control of data and applications

Attack chain: Phishing -> Credential theft -> Data exfiltration
The attack is now automated (e.g. Death Star, GoFetch)

Identity systems: privileged administrators, LDAP

Critical security dependency: almost everything depends on their integrity (email, data, applications, infrastructure, etc.)
Harden to the highest security standards: invest in people, process, and technology to provide the best protection and rapid detection and response
http://aka.ms/securitystandards

Accelerate your credential theft defenses:
• Free technical guidance: http://aka.ms/SPAroadmap
• Professional services: http://aka.ms/cyber-services
Account security
Success factors to increase attack cost

(Figure: cost of attack rises from credential theft, through credential abuse, to biometrics and hardware assurances; the account tiers shown are privileged administrators, standard users, partner/B2B, and customer/B2C.)

Great experience
• For users, identity managers, and security
• Single identity and Single Sign-On (SSO)

Strong assurances
• Additional factors like biometrics and others
• Increase context in authentication / authorization decisions:
  • Time, date, geolocation
  • Device integrity and compliance
  • Known bad sources from threat intelligence
  • Behavior analytics to understand the normal profile for that user/entity
• Hardware assurance for credentials stored on devices

Flexible access levels
• Allow for low risk
• Increase assurance (add MFA) based on risk factors
• Decrease access (block download) based on risk factors
• Force remediation for high risks (compromised devices and accounts)
• Eliminate passwords through strong and multifactor authentication
Approach to a Password-less World

Today -> 1. Develop and deploy password-replacement offerings -> 2. Reduce user-visible password surface area -> 3. Transition users to using strong authentication instead of passwords -> 4. Eliminate passwords from the identity directory

Achieve the end-user promise; achieve the security promise

• Windows Hello for Business: available on all Windows 10 machines today, with improvements coming in RS4 and RS5
• Microsoft Authenticator: available today across all mobile platforms; integral in corporate bootstrapping of MFA
• FIDO: Microsoft + third party
Evolution of security perimeters
Physical -> Network -> Identity
A consistent set of controls between assets and threats

Modernizing the security perimeter
The network perimeter protects intranet resources against classic attacks, but it is bypassed reliably with:
• Phishing
• Credential theft
• Persistent threats
plus data moving out of the network to Office 365, approved cloud services, and shadow IT.
= Critical to build a modern security perimeter based on identity:
 Identity and Access Management: strong authentication + monitoring and enforcement of policies
 Strength from hardware & intelligence: authentication & access should consider device status, compromised credentials, & other threat intelligence
VISIBILITY AND CONTROL AT THE PERIMETER

Network perimeter (protects intranet resources)
• Firewall: source IP address/port, destination IP address/port
• Intrusion detection/prevention: signatures, analytics
• Forward/reverse proxy: allow list, authentication
• Actions: allow, block

Identity perimeter (conditional access)
• User: role, group, device, config, location, last sign-in
• Device: health/integrity, client, config, last seen
• Conditional access risk: high, medium, low
• Actions: allow, allow restricted, require MFA, block, force remediation
Conditional Access Example

Resource: Office resource, sensitivity: Medium

User
• Role: Sales Account Representative
• Group: London Users
• Device: Windows
• Config: Corp Proxy
• Location: London, UK
• Last sign-in: 5 hrs ago

Device
• Health: Device compromised
• Client: Browser
• Config: Anonymous
• Last seen: Asia

Signals raised
• Malicious activity detected on device
• Anonymous IP
• Unfamiliar sign-in location for this user

Conditional access risk: High -> Block access, force threat remediation

For insights into password spray and other modern attack patterns, see "Your Pa$$word doesn't matter".
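The slide's worked example, and the Signal -> Decision -> Enforcement strategy and perimeter comparison on the preceding slides, as an added example written for this page (not Microsoft's code and not part of the original deck). It takes the user, device and resource attributes shown above, computes a conditional-access risk and maps it onto the slide's actions, and contrasts that with what a network-perimeter firewall rule can see. The scoring rules, the corporate IP range and the attribute names are assumptions for the example, not Azure AD's actual policy engine.

```python
"""Conditional-access decision for the slide's worked example (added example)."""
from dataclasses import dataclass
from enum import Enum
from ipaddress import ip_address, ip_network

class Action(Enum):
    ALLOW = "Allow"
    ALLOW_RESTRICTED = "Allow restricted"
    REQUIRE_MFA = "Require MFA"
    BLOCK = "Block"
    FORCE_REMEDIATION = "Force remediation"

@dataclass(frozen=True)
class AccessRequest:
    role: str
    group: str
    usual_location: str        # where this user normally signs in from
    sign_in_location: str      # where this request comes from
    network_config: str        # "Corp Proxy" or "Anonymous"
    client: str                # "Browser" or "Managed app"
    device_compromised: bool   # device-health signal (e.g. from an EDR)
    resource_sensitivity: str  # "Low" | "Medium" | "High"
    mfa_satisfied: bool = False

# --- Network perimeter: sees only addresses and ports ----------------------
CORP_NETWORKS = [ip_network("10.0.0.0/8")]  # constructed corporate range

def network_perimeter_allows(src_ip, dst_port):
    """A classic firewall rule: corporate source, HTTPS destination -> allow.
    It has no notion of device health, user risk or sign-in history."""
    src = ip_address(src_ip)
    return dst_port == 443 and any(src in net for net in CORP_NETWORKS)

# --- Identity perimeter: Signal -> Decision -> Enforcement -----------------
def risk_signals(req):
    """Signal: the three findings the slide lists for this request."""
    signals = set()
    if req.device_compromised:
        signals.add("Malicious activity detected on device")
    if req.network_config.lower() == "anonymous":
        signals.add("Anonymous IP")
    if req.sign_in_location != req.usual_location:
        signals.add("Unfamiliar sign-in location for this user")
    return signals

def risk_level(signals):
    """Assumption for the example: a compromised device, or two or more
    signals, is High; one signal is Medium; none is Low."""
    if "Malicious activity detected on device" in signals or len(signals) >= 2:
        return "High"
    return "Medium" if signals else "Low"

def decide(req):
    """Decision: map the request to the slide's actions (Enforcement)."""
    signals = risk_signals(req)
    level = risk_level(signals)
    if level == "High":
        actions = [Action.BLOCK]
        if req.device_compromised:
            actions.append(Action.FORCE_REMEDIATION)
    elif level == "Medium":
        # Step up rather than block; sensitive resources also get a restricted session.
        actions = [Action.REQUIRE_MFA]
        if req.resource_sensitivity in ("Medium", "High"):
            actions.append(Action.ALLOW_RESTRICTED)
    else:
        actions = []
        if req.resource_sensitivity == "High" and not req.mfa_satisfied:
            actions.append(Action.REQUIRE_MFA)
        actions.append(Action.ALLOW)
    return level, signals, actions

# The slide's request: London user, compromised Windows device, anonymous IP, Asia.
SLIDE_REQUEST = AccessRequest(
    role="Sales Account Representative", group="London Users",
    usual_location="London, UK", sign_in_location="Asia",
    network_config="Anonymous", client="Browser",
    device_compromised=True, resource_sensitivity="Medium",
)

if __name__ == "__main__":
    level, signals, actions = decide(SLIDE_REQUEST)
    print(level, sorted(signals), [a.value for a in actions])
    # The same compromised device on the corporate LAN still passes the firewall.
    print("firewall allows:", network_perimeter_allows("10.20.30.40", 443))
```

The firewall function is there to make the perimeter comparison concrete: a compromised device sitting on the corporate range is indistinguishable from a healthy one at the network layer, while the identity-perimeter decision sees the device-health and location signals and reaches the slide's outcome of block plus forced remediation.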
Identity and Access Management
Use cases

3. I need my customers and partners to access the apps they need from everywhere and collaborate seamlessly

Azure AD B2B collaboration
• Assign B2B users access to any app or service your organization owns
• Add B2B users with accounts in other Azure AD organizations
• Add B2B users with MSA, Google ID*, or other identity provider* accounts
• Capabilities: SSO to SaaS, remote access to on-premises apps, conditional access, multi-factor authentication, dynamic groups, self-service capabilities, Access Panel/MyApps, Office 365 app launcher
• Resources: SharePoint Online & Office 365 apps, Microsoft Azure, on-premises Active Directory (via Azure AD Connect)
Azure Active Directory B2C

Customers (social IDs; business & government IDs) -> Azure AD B2C -> business apps (contoso), analytics, CRM and marketing automation

• Securely authenticate customers with their preferred identity provider
• Provide branded registration and login experiences
• Capture login, preference, and conversion data for customers
Questions?
© Copyright Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation.

MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Reference
Additional Resources
 Azure AD and ADFS best practices
 https://cloudblogs.microsoft.com/enterprisemobility/2018/03/05/azure-ad-and-adfs-best-practices-defending-against-password-spray-attacks/
 Microsoft Password Guidance
 https://aka.ms/passwordguidance
 NIST Updated Password Guidance
 Ignite Session: Azure Active Directory risk-based identity protection
 https://channel9.msdn.com/events/Ignite/Microsoft-Ignite-Orlando-2017/BRK3016
Disrupt Attacker ROI
Prioritize investments to maximize impact

Attacker return: successful monetization. Rapid detection and response drives down the predictability and quantity of return.
Attacker investment: increase attack friction & cost. Prioritizing defenses that raise attacker cost & friction can rapidly raise impact.
Defender return (Security Return on Investment, SROI): ruin attacker ROI; deter opportunistic attacks; slow or stop determined attacks.
Defender investment: security budget; team time/attention.
