The Identity ‘no brainer’ Kevin Bacon Would Be Proud Of

February 23, 2018
Matt Johnston


If you live in the UK, you may be familiar with the current marketing campaign by EE (a mobile network operator, for readers outside the UK) featuring the Hollywood actor Kevin Bacon, who has adopted the ‘no-brainer’ slogan. Features of EE’s mobile service are promoted with Kevin explaining that using them is a ‘no-brainer’ because they are that good.

With this in mind, I would like to draw attention to an Azure Active Directory feature that is a ‘no-brainer’ in the same sense, and one that every organization should adopt. It is such a no-brainer that Kevin Bacon would be proud.

Privileged Identity Management

It is generally accepted that a significant proportion of security breaches begin with compromised user credentials. The credentials could be stolen through any of a variety of mechanisms: keyloggers, brute-force guessing, phishing, and so on. Now imagine this happens to one of your users, but not just any user: an Office 365 Global Admin. Let the chaos commence.

An Office 365 Global Admin holds the highest level of privilege a user can have within Office 365. With those privileges, an attacker has full control over every aspect of your Office 365 tenant: reconfiguring services, creating further admin accounts and accessing company data are all possible.

To mitigate this, we need to reduce the attack surface, which is where Privileged Identity Management (PIM) comes in. Rather than an account holding Global Admin permanently, PIM makes the account eligible for the role and provides Just In Time (JIT) activation when the privilege is actually needed. This dramatically reduces the time during which any account actually carries privileged rights, turns each elevation into a recorded, auditable event, and therefore shrinks the window in which a compromised admin account is useful to an attacker.

However, risks do not always come in the form of malicious external attacks. JIT privilege elevation also strengthens the organization’s security posture when working with trusted partners (such as contractors) and outsourced services (such as helpdesks). All too often I find Global Admin accounts still active for contractors who no longer work for an organization, because removing those rights is a manual process and the task is forgotten.

With Privileged Identity Management we specify how long an activation may last. When that duration expires the role is deactivated automatically and the account drops back to its non-privileged, eligible state, eliminating the manual demotion step that would otherwise be forgotten. Note that the account itself is not removed: a contractor who leaves still has to be offboarded, but in the meantime an eligible account that nobody activates no longer carries standing Global Admin rights.
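One check that follows from the two paragraphs above is to find the standing Global Admins the author describes: accounts that hold the role permanently rather than through a time-bound PIM activation. The script below is an added example, not code from this post or from Microsoft. Its input is constructed and modelled on the objects Microsoft Graph returns from roleManagement/directory/roleAssignmentScheduleInstances (assumed field names: principalId, roleDefinitionId, assignmentType, endDateTime, with a null endDateTime meaning a permanent assignment); check the current Graph reference before feeding it a live tenant’s data.

```python
"""Find standing (permanently active) Global Administrator assignments.

Added example, not part of the original post. The sample below is constructed
and modelled on the objects Microsoft Graph returns from
roleManagement/directory/roleAssignmentScheduleInstances: a PIM activation
shows up as assignmentType "Activated" with an endDateTime, a standing admin
as "Assigned" with endDateTime null. Pull the live list with your own Graph
client and pass it to classify() / standing_global_admins().
"""
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Template ID of the Global Administrator directory role (identical in every tenant).
GLOBAL_ADMIN_TEMPLATE_ID = "62e90394-69f5-4237-9190-012177145e10"
# Placeholder standing for "some other role"; not a real role template ID.
OTHER_ROLE_ID = "11111111-2222-3333-4444-555555555555"
# Fixed "now" so the constructed sample gives repeatable results.
CHECK_TIME = datetime(2018, 2, 23, 10, 0, tzinfo=timezone.utc)

# Constructed sample, not from a real tenant. Graph returns principalId as an
# object ID; readable names are used here so the output is easy to follow.
SAMPLE_INSTANCES = [
    # Permanent Global Admin: exactly the standing assignment PIM should replace.
    {"principalId": "alice@contoso.example", "roleDefinitionId": GLOBAL_ADMIN_TEMPLATE_ID,
     "directoryScopeId": "/", "memberType": "Direct", "assignmentType": "Assigned",
     "startDateTime": "2017-03-01T09:00:00Z", "endDateTime": None},
    # JIT activation of an eligible assignment: one hour, then PIM deactivates it.
    {"principalId": "bob@contoso.example", "roleDefinitionId": GLOBAL_ADMIN_TEMPLATE_ID,
     "directoryScopeId": "/", "memberType": "Direct", "assignmentType": "Activated",
     "startDateTime": "2018-02-23T09:30:00Z", "endDateTime": "2018-02-23T10:30:00Z"},
    # Contractor who left long ago but whose standing assignment was never removed.
    {"principalId": "contractor@partner.example", "roleDefinitionId": GLOBAL_ADMIN_TEMPLATE_ID,
     "directoryScopeId": "/", "memberType": "Direct", "assignmentType": "Assigned",
     "startDateTime": "2016-11-10T14:00:00Z", "endDateTime": None},
    # Time-bound assignment whose end has passed (defensive case; should not be live).
    {"principalId": "carol@contoso.example", "roleDefinitionId": GLOBAL_ADMIN_TEMPLATE_ID,
     "directoryScopeId": "/", "memberType": "Direct", "assignmentType": "Assigned",
     "startDateTime": "2018-01-01T00:00:00Z", "endDateTime": "2018-02-01T00:00:00.0000000Z"},
    # Standing assignment to a different role: outside a Global Admin review.
    {"principalId": "dave@contoso.example", "roleDefinitionId": OTHER_ROLE_ID,
     "directoryScopeId": "/", "memberType": "Direct", "assignmentType": "Assigned",
     "startDateTime": "2017-06-01T08:00:00Z", "endDateTime": None},
]


def parse_graph_time(value: Optional[str]) -> Optional[datetime]:
    """Parse Graph's ISO 8601 UTC timestamp; None means no end date (permanent)."""
    if value is None:
        return None
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    # Graph may emit seven fractional digits; fromisoformat accepts at most six.
    if "." in value:
        head, tail = value.split(".", 1)
        digits = len(tail) - len(tail.lstrip("0123456789"))
        value = head + "." + tail[:digits][:6].ljust(6, "0") + tail[digits:]
    return datetime.fromisoformat(value).astimezone(timezone.utc)


def classify(instances: List[dict], role_id: str, now: datetime) -> Dict[str, List[dict]]:
    """Bucket the active instances of one role by how (and whether) they end."""
    buckets: Dict[str, List[dict]] = {"standing": [], "time_bound": [], "lapsed": []}
    for inst in instances:
        if inst.get("roleDefinitionId") != role_id:
            continue
        end = parse_graph_time(inst.get("endDateTime"))
        if end is None:
            buckets["standing"].append(inst)    # permanent: no expiry at all
        elif end <= now:
            buckets["lapsed"].append(inst)      # past its end yet still listed: investigate
        else:
            buckets["time_bound"].append(inst)  # JIT activation or time-bound assignment
    return buckets


def standing_global_admins(instances: List[dict], now: Optional[datetime] = None) -> List[str]:
    """Principals holding Global Administrator permanently: the list that should be empty."""
    now = now or datetime.now(timezone.utc)
    return sorted(i["principalId"] for i in classify(instances, GLOBAL_ADMIN_TEMPLATE_ID, now)["standing"])


def minutes_remaining(inst: dict, now: datetime) -> int:
    """Whole minutes until a time-bound instance is deactivated (0 if already past)."""
    end = parse_graph_time(inst["endDateTime"])
    return max(0, int((end - now).total_seconds() // 60))


def report(instances: List[dict], now: datetime) -> List[str]:
    """Human-readable summary lines for a Global Administrator review."""
    b = classify(instances, GLOBAL_ADMIN_TEMPLATE_ID, now)
    lines = [f"STANDING Global Admin (remove; make eligible instead): {i['principalId']}" for i in b["standing"]]
    lines += [f"JIT/time-bound Global Admin, {minutes_remaining(i, now)} min left: {i['principalId']}" for i in b["time_bound"]]
    lines += [f"LAPSED assignment still listed: {i['principalId']}" for i in b["lapsed"]]
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_INSTANCES, CHECK_TIME)))
```

Run against the constructed sample, the report names alice and the departed contractor as standing Global Admins, shows bob’s activation with 30 minutes left before PIM deactivates it, and flags carol’s lapsed assignment. Anything in the standing list is a candidate for conversion to an eligible assignment; in a tenant that has adopted PIM properly it should be empty apart from the break-glass accounts you have deliberately excluded.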

As you would expect, requiring Multi-factor Authentication (MFA) at activation, email notifications to the user and to other admins, detailed activation reporting and manual approval of activation requests are all supported. Requiring MFA on activation is the setting that matters most: it means a stolen password alone is not enough to light up the role.

The No-Brainer

If you are a Microsoft Enterprise Mobility + Security (EM+S) E5 customer you are already licensed for this service. But what if you have EM+S E3, or no EM+S at all? Simply purchase Azure Active Directory Premium P2 for the admins who need it. There is no requirement to license every user for this service (Microsoft’s PIM licensing guidance calls for a P2 licence for each user who is eligible for, activates, approves or reviews a PIM-managed role, not for the whole tenant), and therein lies the ‘no-brainer’: for little cost, we significantly increase the security posture of the organization.

For more information, contact SoftwareONE today.

One Response

  1. Simon says:

    Great piece Matt, really insightful. This should be a recommendation for all assessments we do.
