Critical Cloud Assets: Identifying and Protecting the Crown Jewels of your Cloud
Cloud computing has revolutionized the way businesses operate, with many organizations shifting their business-critical services and workloads to the cloud. This transition, and the massive growth of cloud environments, has led to a surge in security issues that need to be addressed. Consequently, contextual and differentiated security strategies are becoming a necessity. Organizations need solutions that allow them to detect, prioritize, and address security issues based on their business-criticality and overall importance to the organization. Identifying an organization’s business-critical assets is the foundation of these solutions.
Microsoft is pleased to announce the release of a new set of critical cloud asset classifications in the critical asset management and protection experience, as part of the Microsoft Security Exposure Management solution and of Cloud Security Posture Management (CSPM) in Microsoft Defender for Cloud (MDC). This capability enables organizations to identify additional business-critical assets in the cloud, allowing security administrators and security operations center (SOC) teams to efficiently, accurately, and proactively prioritize and address the security issues affecting critical assets that arise within their cloud environments.
Learn more about how to get started with Critical Asset Management and Protection in Exposure Management and Microsoft Defender for Cloud: Critical Asset Protection with Microsoft Security Exposure Management, Critical assets protection (Preview) - Microsoft Defender for Cloud
Criticality classification methodology
Over the past few months, we, at Microsoft, have conducted extensive research with several key objectives:
- Understand and identify the factors that signify a cloud asset’s importance relative to others.
- Analyze how the structure and design of a cloud environment can aid in detecting its most critical assets.
- Accurately and comprehensively identify a broad spectrum of critical assets, including cloud identities and resources.
As a result, we are announcing the release of a new set of pre-defined classifications for critical cloud assets, encompassing a wide range of asset types, from cloud resources to identities with privileged permissions on cloud resources. With this release, the total number of business-critical classifications has expanded to 49 for cloud identities and 8 for cloud resources, further empowering users to focus on what matters most in their cloud environments.
In the following sections, we will briefly discuss some of these new classifications, both for cloud-based identities and cloud-based resources, their integration into our products, their objectives, and unique features.
Identities
In cloud environments, it is essential to distinguish between the various role-based access control (RBAC) services, such as Microsoft Entra ID and Azure RBAC. Each service has unique permissions and scopes, necessitating a tailored approach to business-criticality classification.
We will go through examples of new business-critical rules classifying identities with assigned roles both in Microsoft Entra and Azure RBAC:
Microsoft Entra
The Microsoft Entra service is an identity and access management solution in which administrators or non-administrators can be assigned a wide range of built-in or custom roles to allow management of Microsoft Entra resources.
Examples of new business-criticality rules classifying identities assigned with a specific Microsoft Entra built-in role:
- Classification: “Exchange Administrator”
Default Criticality Level: “High”
This rule applies to identities assigned with the Microsoft Entra Exchange Administrator built-in role.
Identities assigned this role have strong capabilities and control over the Exchange product, with access to sensitive information through the Exchange Admin Center, and more.
- Classification: “Conditional Access Administrator”
Default Criticality Level: “High”
This rule applies to identities assigned with the Microsoft Entra Conditional Access Administrator built-in role.
Identities assigned this role are deemed to be of high importance, as it grants the ability to manage Microsoft Entra Conditional Access settings.
Azure RBAC
Azure role-based access control (Azure RBAC) is a system that provides fine-grained access management of Azure resources that helps you manage who has access to Azure resources, what they can do with those resources, and what areas they have access to. The way you control access to resources using Azure RBAC is to assign Azure roles.
Example of a new criticality rule classifying identities assigned with specific Azure RBAC roles:
- Classification: “Identities with Privileged Azure Role”
Default Criticality Level: “High”
This rule applies to identities assigned a privileged Azure built-in or custom role.
Classifying asset criticality within the Azure RBAC system requires considering several parameters: the role assigned to the identity, the scope at which the role takes effect, and the business-criticality of the assets that reside within that scope.
Thus, this rule classifies identities that hold a privileged action permission over an Azure subscription scope in which a critical asset resides, applying contextual and differential security measures. This provides the customer with a cutting-edge criticality classification technique for both Azure built-in roles and custom roles, in which the classification adapts to dynamic changes inside the customer environment, ensuring a more accurate reflection of criticality.
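The contextual rule above, as an added illustration (not Microsoft's implementation): a role is evaluated Azure-style against its Actions and NotActions, an assignment is considered only when its scope contains a critical asset, and "privileged" is assumed to mean the role can modify or delete that asset or write role assignments. It generalizes the text slightly by accepting resource-group and resource scopes as well as subscription scopes; all roles, principals, the subscription ID and the asset are constructed.

```python
# Added illustration (not Microsoft's implementation) of the contextual
# "Identities with Privileged Azure Role" rule; the roles, assignments, asset
# and subscription ID below are constructed placeholders.
import fnmatch

# Role name -> (Actions, NotActions) in Azure wildcard syntax; "Vault Operator" is a constructed custom role.
ROLES = {
    "Owner": (["*"], []),
    "Contributor": (["*"], ["Microsoft.Authorization/*/Write", "Microsoft.Authorization/*/Delete"]),
    "Reader": (["*/read"], []),
    "Vault Operator": (["Microsoft.KeyVault/vaults/*"], ["Microsoft.KeyVault/vaults/delete"]),
}
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"  # placeholder
CRITICAL_ASSETS = [f"{SUB}/resourceGroups/rg-prod/providers/Microsoft.KeyVault/vaults/kv-prod"]
# (principal, role, scope); scope is a subscription, resource group or resource ID.
ASSIGNMENTS = [
    ("alice", "Owner", SUB),                                   # privileged over the whole subscription
    ("bob", "Reader", SUB),                                    # read-only
    ("ci-sp", "Contributor", f"{SUB}/resourceGroups/rg-dev"),  # scope does not contain kv-prod
    ("kv-admin", "Vault Operator", f"{SUB}/resourceGroups/rg-prod"),  # custom role that can write the vault
]

def grants(role, operation):
    # Azure-style check: some Actions pattern matches the operation and no
    # NotActions pattern excludes it; matching is case-insensitive.
    actions, not_actions = ROLES[role]
    op = operation.lower()
    return (any(fnmatch.fnmatchcase(op, a.lower()) for a in actions)
            and not any(fnmatch.fnmatchcase(op, n.lower()) for n in not_actions))

def privileged_operations(asset_id):
    # Assumption: "privileged" means the role can modify or delete the asset,
    # or change who has access to it by writing role assignments.
    provider, rtype = asset_id.split("/providers/", 1)[1].split("/")[:2]
    t = f"{provider}/{rtype}"  # e.g. Microsoft.KeyVault/vaults
    return {f"{t}/write", f"{t}/delete", "Microsoft.Authorization/roleAssignments/write"}

def scope_contains(scope, resource_id):
    s, r = scope.lower().rstrip("/"), resource_id.lower()
    return r == s or r.startswith(s + "/")

def classify_privileged_identities(assignments=ASSIGNMENTS, critical_assets=CRITICAL_ASSETS):
    # Returns {principal: sorted (role, asset) pairs} for identities holding a
    # privileged role at a scope that contains a critical asset.
    findings = {}
    for principal, role, scope in assignments:
        for asset in critical_assets:
            if scope_contains(scope, asset) and any(grants(role, op) for op in privileged_operations(asset)):
                findings.setdefault(principal, []).append((role, asset))
    return {p: sorted(v) for p, v in findings.items()}
```

With the constructed data, only `alice` (Owner at subscription scope) and `kv-admin` (custom role with write over the vault's resource group) are classified; `ci-sp` is skipped because its scope does not contain the critical asset, even though Contributor would be privileged there.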
List of pre-defined criticality classifications for identities in Microsoft Security Exposure Management
Cloud resources
A cloud environment is a complex network of interconnected and isolated assets, allowing a remarkable amount of environment structure possibilities, asset configurations, and resource-identity interconnections. This flexibility provides users with significant value, particularly when designing environments around business-critical assets and configuring them to meet specific requirements.
We will present three examples of the new predefined criticality classifications as part of our release, that will illustrate innovative approaches to identifying business-critical assets.
Azure Virtual Machines
Examples of new criticality rules classifying Azure Virtual Machines:
- Classification: “Azure Virtual Machine with High Availability and Performance”
Default Criticality Level: “Low”
Compute resources are the cornerstone of cloud environments, supporting production services, business-critical workloads, and more. These assets are created with a desired purpose, and upon creation the user is presented with several types of configuration options, allowing the asset to meet its specific requirements and performance thresholds.
As a result, an Azure Virtual Machine configured with an availability set indicates that the machine is designed to withstand faults and outages, while a machine equipped with premium Azure storage indicates that the machine should withstand heavy workloads requiring low latency and high performance. Machines equipped with both are often deemed to be business-critical.
- Classification: “Azure Virtual Machine with a Critical User Signed In”
Default Criticality Level: “High”
Resource-user interconnections within a cloud environment enable the creation of efficient, well-maintained, and least privilege-based systems. These connections can be established to facilitate interaction between resources, enabling single sign-on (SSO) for associated identities and workstations, and more.
When a user with a high or very high criticality level has an active session in the resource, the resource can perform tasks within the user's scoped permissions. However, if an attacker compromises the machine, they could assume the identity of the signed-in user and execute malicious operations.
Azure Key Vault
Example of a new criticality rule classifying Azure Key Vaults:
- Classification: “Azure Key Vaults with Many Connected Identities”
Default Criticality Level: “High”
Throughout the complex environments of cloud computing, where different kinds of assets interact and perform different tasks, lie authentication and authorization, supported by the invaluable currency of secrets. Therefore, studying the structure of the environment and how the key management solutions inside it are built is essential to detect business-critical assets.
Azure Key Vault is an indispensable solution when it comes to key, secret, and certificate management. It is widely used by both business-critical and non-critical processes inside environments, where it plays an integral role in the smoothness and robustness of these processes.
An Azure Key Vault that plays a critical role within a business-critical workload, such as a production service, could be used by a higher number of different identities than other key vaults in the organization; thus, in case of disruption or compromise, it could have adverse effects on the integrity of the service.
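One way to count a vault's connected identities and compare it against the organization's other vaults, as an added illustration (not Microsoft's implementation): principals are gathered from both the access-policy model and data-plane Azure RBAC assignments (including those inherited from a containing scope), and a vault is flagged when its count is an outlier against the median. The vault inventory, principals, subscription ID and the outlier threshold are constructed assumptions.

```python
# Added illustration (not Microsoft's implementation) of the "Azure Key Vaults
# with Many Connected Identities" rule; the vault inventory, principals and
# subscription ID below are constructed placeholders.
import statistics

SUB = "/subscriptions/00000000-0000-0000-0000-000000000002"  # placeholder
def vault_id(rg, name):
    return f"{SUB}/resourceGroups/{rg}/providers/Microsoft.KeyVault/vaults/{name}"

# Vaults using the access-policy permission model: vault -> principals in its policies.
ACCESS_POLICIES = {
    vault_id("rg-prod", "kv-prod"): {"app-api", "app-worker", "app-batch", "sp-rotation", "team-platform"},
    vault_id("rg-dev", "kv-dev"): {"dev-alice"},
    vault_id("rg-data", "kv-etl"): {"sp-etl"},
}
# Azure RBAC assignments as (principal, role, scope). Only data-plane roles give
# access to vault contents; control-plane roles such as Reader are not counted.
DATA_PLANE_ROLES = {"Key Vault Administrator", "Key Vault Secrets Officer",
                    "Key Vault Secrets User", "Key Vault Crypto User"}
RBAC_ASSIGNMENTS = [
    ("sp-ci", "Key Vault Secrets User", vault_id("rg-prod", "kv-prod")),
    ("app-api", "Key Vault Secrets User", vault_id("rg-prod", "kv-prod")),   # already in policies: counted once
    ("sp-backup", "Key Vault Secrets User", f"{SUB}/resourceGroups/rg-prod"),  # inherited by every vault in rg-prod
    ("dev-alice", "Reader", SUB),                                             # control plane only: ignored
]

def scope_contains(scope, resource_id):
    s, r = scope.lower().rstrip("/"), resource_id.lower()
    return r == s or r.startswith(s + "/")

def connected_identities(vaults):
    # Distinct principals per vault, merging both permission models and any
    # data-plane role inherited from a containing scope.
    conn = {v: set(ACCESS_POLICIES.get(v, ())) for v in vaults}
    for principal, role, scope in RBAC_ASSIGNMENTS:
        if role in DATA_PLANE_ROLES:
            for v in vaults:
                if scope_contains(scope, v):
                    conn[v].add(principal)
    return conn

def classify_many_connected(vaults, factor=3, minimum=5):
    # Assumption: a vault is an outlier when its identity count is at least
    # `minimum` and more than `factor` times the median across all vaults.
    counts = {v: len(ids) for v, ids in connected_identities(vaults).items()}
    median = statistics.median(counts.values())
    return {v: n for v, n in counts.items() if n >= minimum and n > factor * median}

VAULTS = list(ACCESS_POLICIES)  # the organization's vault inventory (constructed)
```

With the constructed data, `kv-prod` reaches seven distinct identities (five from policies, two more via RBAC, with `app-api` counted once) against a median of one, so it alone is classified.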
List of pre-defined criticality classifications for cloud resources in Exposure Management
Protecting the crown jewels of your cloud environment
Critical asset protection, identification, and management lie at the heart of the Exposure Management and Defender Cloud Security Posture Management (CSPM) products, enriching and enhancing the experience by giving customers the opportunity to create their own custom business-criticality classifications alongside Microsoft’s predefined ones.
Protecting your cloud crown jewels is of utmost importance, so staying on top of best practices is crucial. Some of our best practice recommendations:
- Thoroughly enabling protections in business-critical cloud environments.
- Detecting, monitoring, and auditing critical assets inside the environments, by utilizing both pre-defined and custom classifications.
- Prioritizing and executing the remediation and mitigation of active attack paths, security issues, and security incidents relating to existing critical assets.
- Following the principle of least privilege by removing excess permissions assigned to overprivileged identities; such identities can be identified inside the critical asset management experience in Microsoft Security Exposure Management.
Conclusion
In the rapidly growing and evolving world of cloud computing, the increasing volume of security issues underscores the need for contextual and differentiated security solutions that allow customers to effectively identify, prioritize, and address security issues; therefore, the capability to identify an organization’s critical assets is of utmost importance.
Not all assets are created equal: assets of importance could take the form of a highly privileged user, an Azure Key Vault facilitating authentication for many identities, or a virtual machine created with high availability and performance requirements for production services.
Protecting customers’ most valuable assets is one of Microsoft’s top priorities. We are pleased to announce a new set of business-critical cloud asset classifications, as part of Microsoft Defender for Cloud and Microsoft Security Exposure Management solutions.
Learn more
Microsoft Security Exposure Management
- Start with Exposure Management Documentation, Product website, blogs
- Critical Asset Management documentation
- Critical Asset Protection and how to get started in Microsoft Security Exposure Management blog post
- List of Microsoft’s predefined criticality classifications: Link
- Microsoft Security Exposure Management what's new page
Microsoft Defender for Cloud
- Microsoft Defender for Cloud (MDC) plans
- Microsoft’s Cloud Security Posture Management (CSPM) documentation
- Critical Asset Protection in Microsoft Defender for Cloud (MDC) documentation