Building a secure workstation to manage your cloud services


A Shared responsibility journey requires that you consider how you use the cloud. A while back I discussed the need to make sure you understand the responsibility you share with your cloud provider and consider that in cloud your responsibility to mange your services changes based on the cloud model your considering. IaaS, and PaaS you need to look at protecting network, and applications, which requires that you build with SDL in mind. In all services you need to ensure you design and implement good authentication, and authorization. This can at times be as simple as enabling 2FA. 


In the blogs I've published I've noted that the device you use to connect to your services also needs to be designed and configured correctly. This includes your development workstations, and administrative clients. This is essential since there is very little guarantee that the device you use is already owned, and managed by an hacker.
 If your lucky they will only mess with your workstation, maybe encrypt your disk, and expect a ransom to be payed. If your unlucky it's quite possible the attacker will lay low, and collect information, including credential to all your cloud services you own and maybe manage. This can be a world of hurt - as criminals are now on the lookout for ripe client workstations they can steal cloud credentials and start the lateral movement journey into your organizations cloud based services.
Secured Workstation
What's essential is to consider how you can build and protect the client device that is difficult to compromise, breaking the chain at the source prior to infiltration.

For Microsoft users the guidance to build a custom network, using a isolated AD was part of the original Privileged Access Workstation (PAW) model. The unfortunate fact is that the it's a costly and complicated pattern to follow and deploy. To help remedy the complexity of the PAW program I started to consider what modern tech that's available and could also provide the level of isolation, and security that the PAW solution offered when it was designed.

Azure Secured Workstation
The Azure Secured Workstation utilizes capabilities introduced in Windows 10RS5, Microsoft Defender ATP, Azure Active Directory, and Intune to provide a level of security and assurances that are designed to help:
·         Protect privileged credentials and sensitive artifacts used for managing the cloud
·         Restrict and manage the entry point of administration
·         Reduce credential theft, pass-the-hash, and phishing attacks
·         Protect against malicious software

Additionally unlike the prior model this one can benefit from the flexibility built into Intune a Mobile Device Manager (MDM) to selectively allow you to dial up or down the rigidness of the security based on user roles and risk tollerance. I designed the solution with six different security enforcement models. From simple connected and managed state, to government level protection and isolation.











Each profile builds on the previous level, and provides enhancement that reduce the risk of a host workstation being compromised. All of this management was also automated with simple PowerShell script based policy deployments. Allowing you  to review the controls and methods used in each profile.

In my deployments I've found that it was very easy to deploy the Enhanced Workstation and start dialing up the controls to reduce the attack surface. this makes the enforcement process a journey, instead of a destination.

Non-Microsoft workstation
I know when I considered the development of the solution I'd be asked how this can translate to non-Windows based solution.
Question is do Linux and Mac's users need secured workstations?. I think the truth is absolutely yes. Users frequently reuse their username and passwords across services and applications. Compromise one and the attacker has the ability to gain privileged access on any desktop platform.
For Mac users - the solution that brings similar ability to intune MDM managed clients is jampf which can provide similar ability to deploy management policies, and help isolate your management workstation.
In the Linux world - it's a bit more complicate. Several tools and tooling provide the ability to control your organizations devices, however it does require more hands on (DIY) and tools like IBM - BigFix, or Citrix ZenMobile.








Comments

Post a Comment

Popular posts from this blog

Protecting sensitive data

Image
Last month I wrote an article on key things to consider when protecting high valued assets or sensitive data. The article called Security Tip of the Month: Protecting Highly Sensitive Information addressed some of the key items that organizations should consider when protecting data that has the possible impact on an organization that is irreparable. As my article stated the cost of protecting this data tends to be higher than most data. Fact is that this data is not traditionally just sensitive such as credit card data, or HR data. Key indicators of what is High Value Data can be summed up like this. Assets that are considered to be of high value will frequently have the potential to cause the following conditions if they are lost or divulged: •        Loss of life - such as an informant list •        Regulatory fines - such as financial performance data •        Significant damage to the business - such as code signing and encryption keys (private) or trade secrets
Read more

Secure workstation - Root of trust to manage the cloud

Image
Two months ago I introduced the Azure secure workstation, and I’ve had the privilege to present the ideal to some great audiences. From the discussions, a common question I’ve been asked is a pattern that would provide the Secured PAW model lock down scenario to exclusively manage an Azure Portal (EG how to I assure only secured workstation, and users assigned to the program can manage my cloud services)? In this article I’ll provide the NEXT step to accomplish exactly that outcome. This includes additional configurations that I only lightly covered, or net new technology to apply since the publishing of the doc. Proposed outcome “ How do I” Use a Secured workstation (that I can trust) to manage my Azure cloud. Here’s how I would deploy the solution. First I will start by deploying the Secured Workstation model this using the secured profile. New technology, and capabilities to add: Hardware root of trust – in our solution we post the idea that you can
Read more

Why is privileged access important?

Image
Last year about this time I had published updates to the Azure Secure Workstation that was originally released two years ago. And This month the solution has been considerably rewritten and revised to provide a better more complete management for privileged access!  Collaborating with two great security experts James Noyce, and Mark Simos The content got a massive overhaul, and a broad perspective on what it takes to build and manage a comprehensive privileged access solution, including account management, device management, intermediaries such as VPN's and interfaces such as Web and Cloud services. Additionally, the solution was uniformly designed with three distinct security levels that anyone reading the article can deploy from a more flexible Enterprise security, to a comprehensive isolated PAW or privileged Access Management. Over the past two years I've been working to explain and illustrate how you can use a cloud-based solution to build an effective Zero tr
Read more