Using an MSP Requires Trusting your MSP


Recently there was news of another suspected breach of IT systems. This time the attack vector was the Managed Service Providers (MSPs) that resell Office 365 licenses. Having an MSP help you manage your Azure or Office 365 environment requires a lot of trust in the security controls your MSP has put in place, so that the access to your environment that you have given the MSP can’t be exploited either by an employee at the MSP or by an unknown actor who has compromised the MSP.

From a technical perspective, a few things need to be in place for that trust to be justified: Multi-Factor Authentication (MFA) and some sort of Just In Time (JIT) process.

Multi-Factor Authentication (MFA)

Normal authentication (a username and a password) requires two pieces of information, both of which are things you know. Because they are typed in and are the same every time, they can be copied. MFA adds a third factor: instead of something you know, it requires something you have, in most cases a phone (a landline or, more commonly, a cell phone). The phone either receives a text message or runs an application to which Azure Active Directory sends a push notification prompting you to approve the sign-in, and this only happens after the username and password have been entered successfully.

Having an MSP manage your Office 365 environment involves giving the MSP access to your systems. Lots of MSPs ask you to create a single account that all their staff share. This is a horrible idea, as there’s no way to have multiple phones set up for MFA on one account. Access should instead be granted to the individual accounts of each MSP staff member who will be managing the environment. While this does involve setting up more users with guest access into your environment, it means each of those users can have MFA set up on their own account.

Just In Time (JIT) Access

In addition to having MFA set up, people shouldn’t be permanently granted the Global Admin role, or any other admin rights within the Office 365 environment. People should have to request access for the specific task which they are going to perform, and once that task is done those rights should be taken away again.

Even though the person requesting the access is entitled to it, they don’t need to have it all the time. The fact that they are doing something should be logged somewhere, which is what a request process gives you: the person who needs access requests it, the request is logged, and all of this happens from an account that is protected with MFA.
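To make the JIT process (and the per-person account requirement from the MFA section above) concrete, here is an added example that is not part of the original post and is not DCAC’s process or Azure Active Directory’s own JIT feature. It models a small access broker in Python: elevation is requested per individual account, denied for shared accounts and for accounts without MFA enrolled, granted for a bounded time, logged, and revoked automatically when the window closes. The class names, the sample accounts and the ticket reference are all constructed for illustration.

```python
"""Minimal model of a Just-In-Time (JIT) admin access broker.

Added example: this is not DCAC's process and not Azure AD's own JIT
feature, just an illustration of the workflow described in the post. The
class names, sample accounts and ticket reference are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class Account:
    upn: str              # the individual's own sign-in name
    mfa_enrolled: bool    # a personal MFA device is registered
    shared: bool = False  # True for a "one login for all MSP staff" account


@dataclass
class Grant:
    upn: str
    role: str
    expires_at: datetime


@dataclass
class JitBroker:
    accounts: dict[str, Account]
    max_duration: timedelta = timedelta(hours=2)  # hard cap on any elevation
    grants: list[Grant] = field(default_factory=list)
    audit_log: list[str] = field(default_factory=list)

    def _log(self, now: datetime, event: str, upn: str, role: str, detail: str = "") -> None:
        # Every request, grant and revocation leaves a record, which is the
        # point of making people ask for access instead of holding it.
        self.audit_log.append(f"{now.isoformat()} {event} upn={upn} role={role!r} {detail}".rstrip())

    def request(self, upn: str, role: str, reason: str, now: datetime,
                duration: timedelta = timedelta(hours=1)) -> Optional[Grant]:
        acct = self.accounts.get(upn)
        if acct is None or acct.shared:
            # A shared login cannot be tied to one person's MFA device or to one
            # person in the audit trail, so it is never eligible for elevation.
            self._log(now, "DENIED", upn, role, "shared-or-unknown-account")
            return None
        if not acct.mfa_enrolled:
            self._log(now, "DENIED", upn, role, "mfa-not-enrolled")
            return None
        grant = Grant(upn, role, now + min(duration, self.max_duration))
        self.grants.append(grant)
        self._log(now, "GRANTED", upn, role, f"until={grant.expires_at.isoformat()} reason={reason!r}")
        return grant

    def expire(self, now: datetime) -> list[Grant]:
        """Revoke every grant whose window has closed and log the revocation."""
        expired = [g for g in self.grants if g.expires_at <= now]
        self.grants = [g for g in self.grants if g.expires_at > now]
        for g in expired:
            self._log(now, "REVOKED", g.upn, g.role, "expired")
        return expired

    def has_role(self, upn: str, role: str, now: datetime) -> bool:
        """Effective-permission check; expiry is enforced on every lookup."""
        self.expire(now)
        return any(g.upn == upn and g.role == role for g in self.grants)


def demo_results() -> dict:
    """Walk three constructed MSP accounts through the broker and report the outcome."""
    broker = JitBroker(accounts={
        "alice@msp.example": Account("alice@msp.example", mfa_enrolled=True),
        "support@msp.example": Account("support@msp.example", mfa_enrolled=True, shared=True),
        "bob@msp.example": Account("bob@msp.example", mfa_enrolled=False),
    })
    t0 = datetime(2021, 1, 1, 9, 0, tzinfo=timezone.utc)
    # Constructed ticket reference; a real request would cite the customer's ticket.
    broker.request("alice@msp.example", "Exchange Administrator", "ticket 1234: fix mail flow rule", t0)
    broker.request("support@msp.example", "Global Administrator", "routine work", t0)
    broker.request("bob@msp.example", "Global Administrator", "routine work", t0)
    return {
        "alice_active_after_30min": broker.has_role("alice@msp.example", "Exchange Administrator",
                                                    t0 + timedelta(minutes=30)),
        "alice_active_after_1h": broker.has_role("alice@msp.example", "Exchange Administrator",
                                                 t0 + timedelta(hours=1)),
        "shared_account_elevated": broker.has_role("support@msp.example", "Global Administrator", t0),
        "no_mfa_account_elevated": broker.has_role("bob@msp.example", "Global Administrator", t0),
        "audit_events": [line.split()[1] for line in broker.audit_log],
    }


if __name__ == "__main__":
    for key, value in demo_results().items():
        print(f"{key}: {value}")
```

The two properties worth copying from this model are that the effective-permission check itself enforces expiry (nothing depends on a cleanup job running) and that a shared login is rejected before any policy about roles is even considered, because it can’t be attributed to one person or one MFA device.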

Everyone Should Have MFA Enabled

In order to protect against these attacks (and others), everyone at MSPs (and, where possible, everyone) should have MFA enabled on their accounts. MFA prevents an attacker from getting access to a user’s account even if the password is compromised, because the attacker doesn’t have access to the user’s MFA device (such as their cell phone).

DCAC Does Exactly That

When DCAC manages customers’ Azure and/or Office 365 platforms we always do what was described above. By default we have MFA enabled on all our accounts, no matter what the customer’s security requirements are.

We also pitch JIT to customers, so it is up to each customer whether they want us to use a JIT process to gain access to their environment. Some do and some don’t. For those that do, we can either configure the JIT process that is available through the Azure Active Directory P2 license, or we can build a custom JIT process. Which one we configure depends on what sort of permissions the customer wants to give the DCAC team within their environment.

If you’re interested in DCAC helping you manage your environments, please contact our sales team and we can get the process started securely right away.

Denny

Contact the Author | Contact DCAC

No, I Will Not Be Using Your “Secure” Email System

I get the occasional email with an attachment that I then have to log into some “secure” system to gain access to. Usually it’s a PDF that I need to sign, either for personal or business reasons, and it’s usually a one-off process. Recently I’ve seen an even more annoying variation: the original email has the attachment (usually a PDF), but the attachment is password-protected and I have to go to the annoying “secure” system to get the password.

Recently I got one of these from my insurance sales guy. He told me (as he emailed me the PDF without a password) that it was done for compliance reasons.

Let’s review why this is a waste of time.

You’ve sent me a document which has a password. The email includes a link to the website which has the password. Assume an attacker wishes to steal this document; that means the attacker has access to my mailbox. So the attacker also has the URL, and can click the reset password link on the website, reset the website password, log in and get the document password. So the attacker now has the file and the password for the file. It took said attacker an extra 20-30 seconds to get the password.

That’s assuming the attacker didn’t spend the $20 for PDF Password Recovery, which would allow them to simply remove the password from the document without needing to know what it is. And that $20 is a one-time fee; they can unlock all the stolen PDFs they want after paying for the software, probably with a stolen credit card, or by just finding a cracked version of it, which I was too lazy to check for. Spoiler: I’m confident that if I spent 10 minutes looking I could find a cracked version for free.

In short, I applaud the idea of making sending me a document more secure. “A” for effort, “F” for implementation. Two-factor authentication (which is basically what they are going for) doesn’t work when both factors rely on the same device, in this case my email software.

Now you are probably thinking that I must be crazy for allowing this sensitive information to be emailed around like this. The confidential information in this document was my name, “Denny Cherry”, the policy number of my new insurance policy, the amount of the policy, and my insurance guy’s work address. That’s it. Technically there’s nothing in there that really matters.

If we are going to make things “secure”, let’s make them actually secure. Enough of making things look secure to the general public. I get that we need to have some security around this sort of thing. If this system worked correctly, when he uploaded the document to their secure system it would have asked him for my cell phone number. Then it would have texted me the password for the document, so that I had the document and the password at the same time. That would be secure and just about as easy to use.
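The argument in this post is really a dependency argument: the password protection only helps if no single compromised channel yields both the document and its password. As an added example (not from the original post), the Python below models the portal design criticised above and the text-message design proposed in the last paragraph as small dependency graphs, and enumerates the minimal sets of channels an attacker would need to control to obtain everything. The channel and secret names are constructed for illustration.

```python
"""Which channels must an attacker control to read a "secured" document?

Added example, not from the original post. Each secret has one or more
delivery paths; a path is satisfied when the attacker controls every channel
in it, and a secret is obtained when any of its paths is satisfied.
Channel and secret names are constructed for illustration.
"""
from itertools import combinations
from typing import Dict, FrozenSet, List

Scheme = Dict[str, List[FrozenSet[str]]]

# Design the post complains about: the PDF arrives by email; the password sits
# behind a web portal whose login can be reset via a link sent to the same mailbox.
PORTAL_SCHEME: Scheme = {
    "document": [frozenset({"email"})],
    "document_password": [
        frozenset({"portal_login"}),  # the intended path
        frozenset({"email"}),         # reset link lands in the same mailbox
    ],
}

# Design the post proposes: the password is texted to a phone number the
# sender supplied out of band, so it never touches the mailbox.
SMS_SCHEME: Scheme = {
    "document": [frozenset({"email"})],
    "document_password": [frozenset({"sms"})],
}


def obtains(scheme: Scheme, controlled: FrozenSet[str], secret: str) -> bool:
    """True if some delivery path of `secret` lies entirely within `controlled`."""
    return any(path <= controlled for path in scheme[secret])


def channels(scheme: Scheme) -> FrozenSet[str]:
    """Every channel mentioned anywhere in the scheme."""
    return frozenset(c for paths in scheme.values() for path in paths for c in path)


def minimal_compromise_sets(scheme: Scheme) -> List[FrozenSet[str]]:
    """Enumerate minimal channel sets whose compromise yields every secret.

    Subsets are tried smallest first, so any set that contains an already
    found cut is skipped as non-minimal.
    """
    all_channels = sorted(channels(scheme))
    cuts: List[FrozenSet[str]] = []
    for size in range(1, len(all_channels) + 1):
        for combo in combinations(all_channels, size):
            candidate = frozenset(combo)
            if any(cut <= candidate for cut in cuts):
                continue
            if all(obtains(scheme, candidate, secret) for secret in scheme):
                cuts.append(candidate)
    return cuts


def factors_are_independent(scheme: Scheme) -> bool:
    """True unless one channel alone yields everything (the 'same device' failure)."""
    return all(len(cut) > 1 for cut in minimal_compromise_sets(scheme))


if __name__ == "__main__":
    for name, scheme in (("portal", PORTAL_SCHEME), ("sms", SMS_SCHEME)):
        cuts = [sorted(cut) for cut in minimal_compromise_sets(scheme)]
        print(f"{name}: minimal compromise sets = {cuts}, "
              f"independent factors = {factors_are_independent(scheme)}")
```

Run it and the portal design reports a single-channel cut, the mailbox alone, because the password reset path loops back into the same mailbox that carried the document; the text-message design needs both the mailbox and the phone. The same function can be pointed at any other delivery design by writing down each secret’s delivery paths, including the recovery paths, which is where these schemes usually collapse.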

Denny

