Recently there was news of another suspected breach of IT systems. This time the attack vector was via the Managed Service Providers (MSPs) that resell Office 365 licenses. Having an MSP help you manage your Azure or Office 365 environment requires a lot of trust in the security systems that your MSP has put in place, to ensure that the access to your environment you have given the MSP can't be exploited, either by an employee at the MSP or by an unknown actor that has compromised the MSP.
From a technical perspective, this requires a few things to be in place. These include Multi-Factor Authentication (MFA) as well as some sort of Just In Time (JIT) access process.
Multi-Factor Authentication (MFA)
MFA involves adding a third factor to authentication. Normal authentication (a username and password) requires two pieces of information, both of which are things you know. Because they are things you know and type in, and they are the same every time, they can be copied. Multi-Factor Authentication adds a third step which, instead of being something you know, requires something you have: in most cases a phone (either a landline or a cell phone, usually a cell phone). The cell phone either receives a text message, or it has an application installed on it to which Azure Active Directory sends a push notification, prompting you to approve the authentication. This only happens after the username and password have been entered successfully.
Having an MSP manage your Office 365 environment involves giving the MSP access to your systems. Lots of MSPs request that you grant access to a single account which all their staff use. This is a horrible idea, as there is no way to set up multiple phones for MFA on one account. Access should instead be granted to the individual account of each member of the MSP who will be managing the environment. While this does involve setting up more users with guest access to your environment, it means that each of those users can have MFA set up on their own account.
Just In Time (JIT) Access
In addition to having MFA set up, people shouldn't have standing Global Admin rights, or any other admin rights, within the Office 365 environment. People should have to request access for the task which they are going to perform, and once that task is complete those rights are taken away.
Even though the person requesting the access is entitled to it, they don't need to have it all the time. The fact that they are doing something should be logged somewhere, which means the person who needs access must request it so that the request can be logged, all while the person's account is protected using MFA.
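The two rules above (one guest account per engineer, each with MFA, and admin rights granted only per task and taken away afterwards) can be modelled as a small access broker. The following Python is an added example, not DCAC's tooling and not Azure AD's Privileged Identity Management; the account names, role names, directory entries and the fixed clock are constructed sample data, and the `mfa_registered` and `owner` facts stand in for what a real deployment would read from the identity provider.

```python
"""Model of a Just In Time (JIT) access broker for an MSP-managed tenant.

Added example; not DCAC's tooling. Accounts, roles and directory entries below
are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Constructed sample directory. A real broker would read these facts from the
# identity provider (guest account -> accountable owner, MFA registration status).
ALICE = "alice_msp.example#EXT#@customer.example"   # individual guest account, MFA registered
BOB = "bob_msp.example#EXT#@customer.example"       # individual guest account, no MFA yet
SHARED = "msp-shared@customer.example"              # one account used by all MSP staff
DIRECTORY: Dict[str, dict] = {
    ALICE: {"owner": "alice", "mfa_registered": True},
    BOB: {"owner": "bob", "mfa_registered": False},
    SHARED: {"owner": None, "mfa_registered": True},  # no single person to hold the MFA device
}
T0 = datetime(2019, 1, 1, 9, 0, tzinfo=timezone.utc)  # fixed clock for the demo


def hours(n: float) -> timedelta:
    return timedelta(hours=n)


@dataclass
class Grant:
    account: str
    role: str
    task: str
    granted_at: datetime
    expires_at: datetime
    revoked_at: Optional[datetime] = None

    def active(self, now: datetime) -> bool:
        return self.revoked_at is None and now < self.expires_at


class JitBroker:
    """Grants a role only for a named task, for a bounded time, to an eligible account."""

    def __init__(self, directory: Dict[str, dict], max_duration: timedelta = hours(4)):
        self.directory = directory
        self.max_duration = max_duration
        self.grants: List[Grant] = []
        self.audit: List[dict] = []   # every decision is logged, denials included

    def _log(self, event: str, **fields) -> None:
        self.audit.append({"event": event, **fields})

    def eligible(self, account: str) -> tuple:
        """Shared accounts and accounts without MFA can never receive a grant."""
        entry = self.directory.get(account)
        if entry is None:
            return False, "unknown account"
        if entry["owner"] is None:
            return False, "shared account: no single person to tie MFA to"
        if not entry["mfa_registered"]:
            return False, "MFA not registered"
        return True, "ok"

    def request(self, account, role, task, duration, now, mfa_verified) -> Optional[Grant]:
        ok, reason = self.eligible(account)
        if ok and not mfa_verified:            # the request itself must pass an MFA challenge
            ok, reason = False, "MFA challenge not completed for this request"
        if not ok:
            self._log("denied", account=account, role=role, task=task, reason=reason, at=now.isoformat())
            return None
        grant = Grant(account, role, task, now, now + min(duration, self.max_duration))
        self.grants.append(grant)
        self._log("granted", account=account, role=role, task=task,
                  expires=grant.expires_at.isoformat(), at=now.isoformat())
        return grant

    def complete(self, grant: Grant, now: datetime) -> None:
        """Task finished: take the right away now rather than waiting for expiry."""
        if grant.revoked_at is None:
            grant.revoked_at = now
            self._log("revoked", account=grant.account, role=grant.role, reason="task complete",
                      at=now.isoformat())

    def sweep(self, now: datetime) -> int:
        """Revoke anything past its expiry; returns how many grants were cleaned up."""
        expired = [g for g in self.grants if g.revoked_at is None and now >= g.expires_at]
        for g in expired:
            g.revoked_at = now
            self._log("revoked", account=g.account, role=g.role, reason="expired", at=now.isoformat())
        return len(expired)

    def active_roles(self, account: str, now: datetime) -> List[str]:
        return sorted({g.role for g in self.grants if g.account == account and g.active(now)})


def demo() -> JitBroker:
    """Walk through request, grant and revoke; returns the broker so its audit log can be read."""
    broker = JitBroker(DIRECTORY)
    g = broker.request(ALICE, "Exchange Admin", "mailbox migration", hours(2), T0, mfa_verified=True)
    broker.request(BOB, "Exchange Admin", "mailbox migration", hours(2), T0, mfa_verified=True)   # no MFA registered
    broker.request(SHARED, "Global Admin", "tenant settings", hours(1), T0, mfa_verified=True)    # shared account
    broker.request(ALICE, "Global Admin", "tenant settings", hours(1), T0, mfa_verified=False)    # MFA prompt not passed
    broker.complete(g, T0 + hours(0.5))                                                           # task done early
    broker.request(ALICE, "Global Admin", "tenant settings", hours(10), T0 + hours(1), mfa_verified=True)  # capped to 4h
    broker.sweep(T0 + hours(6))                                                                   # expiry clean-up
    return broker


if __name__ == "__main__":
    for record in demo().audit:
        print(record)
```

The audit list is the point of the model: every request, including the denied ones, leaves a record naming the account, the role, the task and the reason, so a reviewer can later reconstruct who held which admin right, for which job, and for how long.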
Everyone Should Have MFA Enabled
In order to protect against these attacks (and other attacks), everyone at MSPs (and, when possible, everyone) should have MFA enabled on their accounts. Having MFA prevents an attacker from getting access to a user's account even if the password is compromised, as the attacker doesn't have access to the user's MFA device (such as their cell phone).
DCAC Does Exactly That
When DCAC manages customers' Azure and/or Office 365 platforms we always do what was described above. By default we have MFA enabled on all our accounts, no matter what the customer's security requirements are.
We also pitch JIT to customers, so that it is up to our customers whether they want us to use a JIT process to gain access to their environment. Some do and some don't. For those that do, we can either configure the JIT process that is available through the Azure Active Directory P2 license, or we can build a custom JIT process. Which one we configure depends on what sort of permissions the customer wants to give the DCAC team within their environment.
If you would be interested in DCAC helping you manage your environments, please contact our sales team and we can get the process started, securely, right away.