Maintenance Best Practices to Enhance Azure Security
Financial institutions that use Microsoft Azure with Exchange Online, OneDrive, and SharePoint can apply good maintenance practices to enhance their security in the Cloud. They can employ a variety of Azure Active Director (AD) concepts to summarize their data and ultimately recognize anomalies to make the cloud environment more secure. Two of the main areas that institutions can examine to identify inconsistencies are users and devices.
Anomalies with Users
The primary Azure AD user properties to analyze are the user type, synchronization status, disabled status, and creation date. Within user type, if there are a significant number of guest users, this can raise an obvious red flag especially if there is no justification for guest users to exist. In this case, for guest users without a specific approved use case, the best option is likely to delete the user.
It can be more difficult to detect abnormalities within the synchronization status of some users, especially those being synchronized to Azure AD from on-premise AD. The key is to build a good baseline to use for comparative analysis. Because users are sourced on-premise, this number should be quite familiar. But if the number does not match expectations, it should be obvious and prompt further scrutiny.
Accounting for cloud users can also be challenging because they typically are not tracked as closely as on-premise users. But if the number of cloud users drastically changes, this may indicate an anomaly. In addition, IT administrators should be cognizant of modifications involving disabled users. If the number of disabled users changes, the situation should be reviewed to determine why.
Creation date is a unique kind of property in that it relates to both security and utility. Identifying an anomaly here should be fairly simple; the number of users should match expectations. For example, if the number of users spikes abnormally for a particular day, it definitely warrants investigation.
Inconsistencies with Devices
Another critical form of identity in Azure AD is devices, including desktops, laptops, phones, and tablets. In terms of device management, we can focus on Azure AD, Intune, and Exchange Online. Having access controls with devices makes it easier to recognize anomalies. With strict access policies, the number of devices connecting should not change significantly without an administrator’s knowledge.
Conversely, spotting anomalies becomes more difficult without stringent access policies. If IT administrators are relying on default settings, those default policies will allow users to enroll devices on their own. Administrators should build a baseline to see where their numbers are and monitor device enrollment accordingly.
Scrutinizing synchronization status can also reveal inconsistencies. IT administrators should remove devices that have not been synchronized in at least 30 days and those that have no sync data, which represents a gray area. Closely monitoring the synchronization status makes device management easier and more secure going forward.
The Maintenance and Security Connection
We have seen several real-life scenarios that illustrate the connection between maintenance and security. Here’s a common type of situation that involves the creation date and sync status: You notice that a new user was created unexpectedly, which is suspicious. You investigate, starting with the synchronization status, and find that the number of cloud users does not match. Next, you review Azure AD details based on the display names and do not see the new user. Then when you examine the users by creation date, there are only existing users.
This leads to an interesting question: Can you have more than one user in Azure AD with the same name? The answer: yes and no. There are a variety of name properties, however, the User Principal Name (UPN) must be unique. If you notice that the UPN of two users is ‘identical’ check again. Look for characters that might appear the same due to typography. It could indicate intentional obfuscation and represent a form of attack on your organization. In this case, if a user is already being created as a component of an attack, it would be safe to assume some form of administrative account has been compromised.
This type of attack could happen to almost any financial institution, and it shows the importance of using ongoing maintenance to discover irregularities. Good maintenance leads to better security in Azure AD, and Safe Systems’ CloudInsight™ family of products can assist in these efforts. They provide reports that make it easier for community banks and credit unions to catch anomalies, so they can improve their security posture. For more insights about this topic, watch our “Good Maintenance Leads to Better Security in Azure” webinar.