The alphabet of security starts with the I of “Identity”

It’s an understatement to say that security is moving fast: it’s changing very rapidly, and the pressure to keep up with it increases too.

From various angles, people in IT (as in Information Technology) are under fire to keep the infrastructure secure. Cloud is getting mature, and new features pop up every week.
It’s almost a contradiction, but legislation is also catching up to close the holes regarding the protection of people’s security and privacy.

In many cases, the first reaction of customers, management, ITPros, Developers, DevOps,… is to look for the ultimate and ideal tool that will help to plug the security hole.

But if you only focus on the tooling, you’ll discover sooner rather than later that it is not sufficient to get your security watertight.
One of the basic reasons is that tools can’t be implemented properly without involving people and processes. I don’t need to explain the PPT (people-process-technology) or PPP (people-process-products) triad, right?

Lots of security management approaches and certifications handle this triad (ISO27001, CISSP, …); I’ll cover that another time.

(credits: smart picture of ITGovernance.co.uk)

Rather than diving into the search for a tool, you’d better take a step back and think first.

What’s the primary function of security?
Protecting an item that you want to keep (safe), right?

[The reason (“why”) for keeping it safe = the CIA triad: Confidentiality, Integrity and Availability]

When you think about the processes (“how”) to secure an asset (anything that is worth securing), there are 3 basic actions you need to define:

  • authorization: what you can do with the asset (the CRUD stuff: create/read/update/delete)
  • identification: who needs the authorization?
  • authentication: the method to prove your identity (using passwords, passes, cards, 2FA, MFA, …)

This is essentially the foundation of my credo: “no security without identity”.

Just by interpreting the basic components of security, you directly hit the “PROCESS” part of the PPT triad.
Now, here’s where most technical people get into trouble… not knowing how to put this into practice.

But let me ask you a simple question: within normal, everyday businesses or companies, where does the identity process typically start?
Yes, correct: HR (Human Resources).

The second question: can you name at least 2 typical high-level HR processes (for people)?
Answer: something like “hire” and “fire”, or synonyms like “onboarding/off-boarding”, “termination”, “end-of-life” (but that sounds pretty dramatic when talking about people…).

These 2 events announce the beginning and the end of a lifecycle, the identity lifecycle.
And to make it complete, you also need to define the life-in-between as people change over time.

BTW, just a small side step here: this does not apply to humans only. Any other asset in your environment has pretty much the same cycle, and it does not matter whether it’s considered “IT” or not… computers, certificates, smart cards, disks, tapes, … but also cars, documents, …

Considering the lifecycle as universal is a great way to explain the “identity lifecycle” to non-techies who get involved in the identity lifecycle processes.

This is the common ground you can use to talk to HR people, business managers, Executive level, …

Now, if you look on the internet for pictures of identity lifecycle management, you’re swamped with a lot of complex diagrams…

[image: search results for “identity lifecycle management”]

Many of the results are variations of 3 essential processes:

[image: hire / change / fire as a cycle]

Depending on your background you might name them differently, like:


For the sake of simplicity, when teaching IDM and security workshops I usually only keep the keywords “Hire”, “Change” and “Fire”.
Short and easy to remember for most people.

For your understanding, the circle approach would assume you start over again after the “Fire” block, but that’s not always the case. The cycle might stop.
So, the approach below is easier to visualize for most people.

Clockwise:

  1. Starting the cycle at (1),
  2. updating the identity at (2),
  3. exiting the cycle at (3)

[image: hire (1), change (2), fire (3) drawn clockwise, with an exit after (3)]

As I mentioned earlier, virtually any IT or asset-related process basically works like this.

Now, let’s take it a step further… How does identity management control security?

A first thing to consider is the typical length of the hire-change-fire modules.

How many tasks/steps does it usually take to complete each of the 3 steps?
Keep the asset in mind and keep it simple…

Typical actions in a hire process:

  • signing contract
  • getting a network/AD account
  • getting an email address
  • getting building access
  • IT stuff (laptop, …)

Pretty straightforward…
How much time would it take, in simple cases, to start working? Hours, if not days.

What about the change process? For example, you get promoted to team lead or head of department…

  • hand over your tasks to peers
  • get ramped up on new job
  • in some cases there is segregation of duties: getting rid of existing rights and permissions
  • getting access to the new environment
  • changing communications channels (notifications to stakeholders of change)

In reality, this usually takes a few weeks.

And what are the typical things you consider for the “fire” process?

  • informing stakeholders/customers
  • disabling the account
  • changing password
  • lock account
  • removing access
  • extracting documentation from personal storage
  • move documents to manager or team
  • handing over ownership
  • knowledge transfer
  • data backup/archiving
  • cleaning the mailbox
  • deleting the account (* not always allowed for various reasons)
  • sending legal / tax documents
  • and more…

As you can understand, this entire termination process might take months… In many situations the termination process must be executed in different steps, like:

  • Disabling the account until X+30 days (for example, to revert in case the person gets a renewal)
  • Removing access on X+60 days
  • Killing the mailbox on X+90
  • Removing the account on X+1y (or even: never)

In some cases accounts must be kept for legal reasons or tracking/cybersecurity reasons…

The further you go in the lifecycle, the more tasks you need to combine, and the more complex the tasks and decisions become.

Overall you can distinguish 2 properties of these processes: duration and complexity. Both go up.

[image: complexity and process duration both increase from hire to change to fire]

Now, when considering security, why is this important?
Instead of discussing the impact of successful processes, it’s easier to find out what happens if it fails.

WHAT IF… (the process fails)??

Let’s run through the cycle again….

What if the “Hire” process fails?

  • you can’t access the building
  • you do not get an account
  • you can’t logon
  • you can’t access documents

Basically, on your first (few) day(s) you can’t work. Sorry!
But what’s the balance for security? Just great, because the risk is nearly 0, except for a bad start and a bit of reputation damage.
In the end, you can’t do any harm, essentially.

In case of the “change” process, a larger part of the tasks and operations will impact the security posture.

When your “change” process fails, for example:

  • you can still access your old documents
  • you get more access (e.g. accumulating the access of your old and new role)
  • you start collecting sensitive access over time
  • managers don’t know
  • user profiles get copied from existing colleagues in the same team (no ‘reset’ of the permissions before the new ones are assigned)

So for this second piece of the circle, the impact might be significant, over time.

But for the “end-of-life” the story is completely different: a failing “deprovisioning” scenario has a major impact on the business and IT processes.

  • accounts stay active
  • accounts not being disabled
  • access not removed
  • active accounts not detected
  • account with highly privileged access still active
  • accounts being deleted too soon
  • unauthorized users that have access to critical resources
  • hackers go undetected for a long time, using sleeping accounts
  • hardware not returned
  • data stolen
  • over-use of budgets on software licenses that are not revoked
  • access badges allow unauthorized access to your building and environment
  • failure to ‘deprovision’ old hard disks properly exposes your company data to interested (unauthorized) parties…
  • …

It’s clear that a failing deprovisioning/end-of-life process has major impact on your enterprise security.
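As an added illustration (not part of the original post), here is a small Python model of the staged termination schedule described earlier (X+30, X+60, X+90, X+1y), together with the review check that flags the failure modes listed for a broken “fire” process: accounts still enabled, access or mailboxes lingering past their deadline, and a terminated but still-active privileged account. Account names, dates, the severity labels and the exact stage deadlines are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple

# Staged "fire" schedule from the post: days after termination date X by which
# each deprovisioning step must be done (assumed values for the illustration).
STAGE_DEADLINES = {
    "disable_account": 0,    # disabled right away; reversible until X+30
    "remove_access": 60,
    "remove_mailbox": 90,
    "delete_account": 365,   # or never, when a legal hold applies
}
REVERT_WINDOW_DAYS = 30


@dataclass
class Account:
    name: str
    terminated_on: Optional[date]        # HR "fire" date; None while employed
    enabled: bool = True
    access_groups: set = field(default_factory=set)
    has_mailbox: bool = True
    exists: bool = True
    legal_hold: bool = False             # keep account for legal / forensic reasons
    privileged: bool = False


def overdue_steps(acct: Account, today: date) -> List[str]:
    """Deprovisioning steps whose deadline has passed but that are still undone."""
    if acct.terminated_on is None or not acct.exists:
        return []
    days_since = (today - acct.terminated_on).days
    still_pending = {
        "disable_account": acct.enabled,
        "remove_access": bool(acct.access_groups),
        "remove_mailbox": acct.has_mailbox,
        "delete_account": not acct.legal_hold,
    }
    return [step for step, deadline in STAGE_DEADLINES.items()
            if days_since >= deadline and still_pending[step]]


def can_revert(acct: Account, today: date) -> bool:
    """A renewal inside the X+30 window only needs the disabled account re-enabled."""
    return (acct.terminated_on is not None
            and 0 <= (today - acct.terminated_on).days <= REVERT_WINDOW_DAYS)


def review_findings(accounts, today: date) -> List[Tuple[str, str, str]]:
    """Detection view for a periodic access review: (account, overdue step, severity)."""
    findings = []
    for acct in accounts:
        for step in overdue_steps(acct, today):
            # terminated but still enabled, or still privileged: the sleeping-account case
            severity = "high" if step == "disable_account" or acct.privileged else "medium"
            findings.append((acct.name, step, severity))
    return findings


# Constructed sample accounts (not real data); "today" is fixed for reproducibility.
TODAY = date(2017, 6, 1)
SAMPLE = [
    Account("alice", None, access_groups={"staff"}),                   # still employed
    Account("bob", date(2017, 5, 20), enabled=False),                  # X+12: on track, revertible
    Account("carol", date(2017, 2, 1), enabled=False, access_groups={"finance"}),  # X+120
    Account("dave", date(2016, 12, 1), privileged=True),               # X+182, never disabled
    Account("erin", date(2015, 1, 1), enabled=False, has_mailbox=False, legal_hold=True),
]

if __name__ == "__main__":
    for name, step, severity in review_findings(SAMPLE, TODAY):
        print(f"{severity:6} {name}: {step} overdue")
```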


And hackers or disgruntled employees like that.

Of course you can imagine the benefits of an efficient and effective end-of-life process. It’s the opposite.

Does that require you to implement automated identity management?
No.

That’s where ISO27001 and e.g. GDPR surprise a lot of people.

Once you’ve got the basic processes in place you can discuss tooling, not the other way around.


You have
no security without managing your identity.

You want
no identity without security.

Did I mention that I’ll be presenting more of this fun stuff at Techorama 2017?
Check it out here: http://sched.co/9M94

I’m very proud to present a session on the ABC of identity: Maximizing security with 10 simple processes.

 

Note-to-self: You lost access to your initial Office 365 admin?

Although Microsoft has built in quite some methods to regain access to your O365 tenant/account, you might have some bad luck one day… (experience talking here).

First of all you should try the default options, meaning: the password reset options.

The direct way to get there is the first link to bookmark: https://passwordreset.microsoftonline.com/

Another way to get there is via the O365 logon page (also for Azure):

[screenshot: Office 365 sign-in page]

If you forgot your password or can’t access the account, hit the link at the bottom.
You get directed to:

[screenshot: password reset page]

If you know the logon, you can proceed to:

[screenshot: verification step]

You notice that the verification is pointing to your alternative mail address or your mobile number…

But what if you forgot your original logon ID (mail address), e.g. in case you have set up a test tenant in O365 with a mail address you don’t use frequently? (Yes, that happens.)

If that is not working or you need more help, check these options:

And if you really ran out of luck: you might raise a ticket and ask for help. https://portal.office.com/support/newsignupservicerequest.aspx

Anyway, as shown, there are some options when configuring O365 that should keep you out of trouble in the first place:

  • make sure to add a mobile number to your user account
  • make sure to add a secondary email address to your account (not belonging to your O365 domain)
  • configure and test MFA (Multi-Factor Authentication), e.g. with the Authenticator app
  • add a secondary admin account with sufficient rights (with the same security measures!)

June 2017: @TroyHunt is back in Belgium for his workshop ‘Hack Yourself First’. Wanna join?

ZIONSECURITY will be welcoming Troy Hunt again. The 1st and 2nd of June, he will be leading a ‘Hack Yourself First’ workshop where he will teach professionals how to break into their own applications. Find out the program and register here!

I was there last time; it was great fun, with lots of interaction. And I certainly would recommend that you join.

What if you really wanna join, but your boss is not willing to sponsor? (While he SHOULD!).
Or any other silly reason you can’t attend?

Well, you know, if you can provide me a very good, strong, original and unique argument why you MUST be at this workshop, you might be lucky.

You know the channels to reach out to me and test your luck. Comment on this post, mail me, tweet me, F@ceBook me, LinkedIn …

Convince me and it could be you sitting at the first row.

 

 

Note-to-self: Got #MIM2016 product feedback, feature wish list? aka.ms/mimfeedback

Very short note-to-myself (#memory-function-on)…

David Steadman, respected @fimguy, now  @TheMIMGuy posted an interesting poke…

So, got any constructive suggestion? Move over to that feedback page at: https://aka.ms/mimfeedback

Note-to-self: Windows 10 numeric keypad not working

Once they know you do “something with computers”, you can’t escape your family’s requests to fix anything that goes wrong on machines with a CPU, right?

Last weekend a laptop was dropped off with a bizarre symptom: once logged in, the numeric keypad stopped working.
Freshly migrated to Windows 10, a Toshiba Satellite C(something)…

When you quickly search for it on Bing/Google… you’ll find some hints like:

  • updating BIOS (check, latest installed)
  • checking BIOS (well, …nah, it is working at logon)
  • registry settings (maybe, but… nope, let’s first try the normal stuff)
  • some other windows settings

This one got me started, but it actually discussed the solution for Windows 7:
“If you have Windows 7, just go to Ease of Access Center >>>>>> Turn on Mouse Keys and make sure it’s unchecked.”

Well, how about Windows 10?

First go to Settings.

[screenshot: Windows 10 Settings]

Find the Ease of Access section.

Within Ease of Access, check the Mouse option

[screenshot: Ease of Access > Mouse]

In the Mouse settings, check the Mouse Keys settings.
Make sure the option to “use numeric keypad to move mouse around the screen” is disabled/off.

Easy and simple, but this single setting isn’t easily found, as you won’t think of mouse settings.
Certainly not when searching apps, files and settings: the setting does not show up when typing “numeric” or “keypad”.

Note-to-self: OneDrive (For Business) vs SharePoint Online

Just got a question about the differences between OneDrive (for Business) and SharePoint Online… As it’s not my core knowledge, I just did some quick research, which might serve your knowledge too… Here we go.

Sources:

The page on the OneDrive for Business Service Description has a very interesting comparison, but IMHO it’s missing a bit of colour.
So, I’ve reworked the page slightly (but all credits go to the Microsoft product team).


| Developer features | OneDrive for Business Plan 1 | OneDrive for Business Plan 2 | SharePoint Online Plan 1 | SharePoint Online Plan 2 |
|---|---|---|---|---|
| Access Services | Yes | Yes | Yes | Yes |
| App Catalog (SharePoint) | Yes | Yes | Yes | Yes |
| App Deployment: Cloud-Hosted Apps | Yes | Yes | Yes | Yes |
| App Deployment: SharePoint-Hosted Apps | Yes | Yes | Yes | Yes |
| App Management Services | Yes | Yes | Yes | Yes |
| BCS: Alerts for External Lists | No | No | No | Yes |
| BCS: App Scoped External Content Types (ECTs) | No | No | No | Yes |
| BCS: Business Data Webparts | No | No | No | Yes |
| BCS: External List | No | No | No | Yes |
| BCS: OData connector | No | No | No | Yes |
| BCS: Profile Pages | No | No | No | No |
| BCS: Rich Client Integration | No | No | No | No |
| BCS: Secure Store Service | No | No | No | Yes |
| BCS: Tenant-level external data log | No | No | No | Yes |
| Browser-based customizations | Yes | Yes | Yes | Yes |
| Client Object Model (OM) | Yes | Yes | Yes | Yes |
| Client-side rendering (CSR) | Yes | Yes | Yes | Yes |
| Custom Site Definitions | No | No | No | No |
| Custom Site Provisioning | No | No | No | No |
| Developer Site | No | No | Yes | Yes |
| Forms Based Applications | No | No | Yes | Yes |
| Full-Trust Solutions | No | No | No | No |
| InfoPath Forms Services | No | No | No | Yes |
| JavaScript Object Model | Yes | Yes | Yes | Yes |
| List and Library APIs | Yes | Yes | Yes | Yes |
| Remote Event Receiver | No | No | Yes | Yes |
| REST API | Yes | Yes | Yes | Yes |
| Sandboxed Solutions | Yes | Yes | Yes | Yes |
| SharePoint Design Manager | No | No | Yes | Yes |
| SharePoint Designer | No | No | Yes | Yes |
| SharePoint Store [2] | Yes | Yes | Yes | Yes |
| Workflow 2010 (.NET 3.5) | No | No | Yes | Yes |
| Workflow 2010 (out of the box) | No | No | Yes | Yes |
| Workflow 2013 | No | No | Yes | Yes |
| Workload API: ECM APIs | No | No | Yes | Yes |
| Workload API: Search APIs | No | No | Yes | Yes |
| Workload API: Social APIs | No | No | Yes | Yes |

| IT Professional features | OneDrive for Business Plan 1 | OneDrive for Business Plan 2 | SharePoint Online Plan 1 | SharePoint Online Plan 2 |
|---|---|---|---|---|
| Active Directory Synchronization | Yes | Yes | Yes | Yes |
| Alternate Access Mapping (AAM) | No | No | No | No |
| Analytics Platform | No | No | Yes | Yes |
| Anti-malware protection | Yes | Yes | Yes | Yes |
| Claims-Based Authentication Support | No | No | No | No |
| Configuration Wizards | No | No | No | No |
| Data loss prevention | No | Yes | No | Yes |
| Deferred Site Collection upgrade | Yes | Yes | Yes | Yes |
| Distributed Cache | No | No | No | No |
| Encryption at rest | Yes | Yes | Yes | Yes |
| Host Header Site Collections | No | No | No | No |
| Improved Permissions Management | Yes | Yes | Yes | Yes |
| Improved Self-Service Site Creation | No | No | No | No |
| Managed Accounts | No | No | No | No |
| Minimal Download Strategy (MDS) | Yes | Yes | Yes | Yes |
| OAuth | Yes | Yes | Yes | Yes |
| Patch Management | No | No | No | No |
| Quota Templates | No | No | No | No |
| Read-Only Database Support | No | No | No | No |
| Remote BLOB Storage | No | No | No | No |
| Request Management | No | No | No | No |
| Request throttling | No | No | No | No |
| Resource throttling | No | No | No | No |
| Service Application Platform | No | No | Yes | Yes |
| SharePoint Health Analyzer | No | No | No | No |
| SharePoint admin center | Yes | Yes | Yes | Yes |
| Shredded Storage | Yes | Yes | Yes | Yes |
| Site Collection Compliance Policies | Yes | Yes | Yes | Yes |
| Site Collection Health Checks | Yes | Yes | Yes | Yes |
| State Service | No | No | No | No |
| Streamlined Central Administration | No | No | No | No |
| System Status Notifications | No | No | No | No |
| Unattached Content Database Recovery | No | No | No | No |
| Upgrade evaluation site collections | No | No | Yes | Yes |
| Usage Reporting and Logging | No | No | No | No |
| Windows PowerShell Support | Yes | Yes | Yes | Yes |

| Content features | OneDrive for Business Plan 1 | OneDrive for Business Plan 2 | SharePoint Online Plan 1 | SharePoint Online Plan 2 |
|---|---|---|---|---|
| Accessibility Standards Support | Yes | Yes | Yes | Yes |
| Asset Library Enhancements/Video Support | Yes | Yes | Yes | Yes |
| Auditing | Yes | Yes | Yes | Yes |
| Auditing & Reporting (e.g. doc edits, policy edits, deletes) | Yes | Yes | Yes | Yes |
| Content Organizer | No | No | Yes | Yes |
| Design Manager | No | No | Yes | Yes |
| Document Sets | Yes | Yes | Yes | Yes |
| Document Translation in Word Online | Yes [4] | Yes [4] | Yes [4] | Yes [4] |
| eDiscovery Search | Yes | Yes | Yes | Yes |
| eDiscovery Hold | No | Yes | No | Yes |
| eDiscovery Export | No | Yes | No | Yes |
| Email enabled lists and libraries | No | No | No | No |
| External Sharing: External Access | Yes | Yes | Yes | Yes |
| External Sharing: Guest Link | Yes | Yes | Yes | Yes |
| Folder Sync | Yes | Yes | Yes | Yes |
| IRM using Azure AD Rights Management | No [1] | No [1] | No [1] | No [1] |
| IRM using Windows Server AD RMS | No | No | No | No |
| Managed Metadata Service | No | No | Yes | Yes |
| Metadata-driven Navigation | No | No | Yes | Yes |
| Multi-stage Disposition | Yes | Yes | Yes | Yes |
| Office Online (create/edit) | Yes | Yes | No | No |
| Office Online (view) | Yes | Yes | Yes | Yes |
| Office Web Apps Server integration | No | No | No | No |
| PowerPoint Automation Services | No | No | No | No |
| Preservation hold library | No | Yes | No | Yes |
| Quick Edit | Yes | Yes | Yes | Yes |
| Records management | No | No | Yes | Yes |
| Recycle Bin (SharePoint admin center) | Yes | Yes | Yes | Yes |
| Recycle Bin (site collection) | Yes | Yes | Yes | Yes |
| Related Items | No | No | Yes | Yes |
| Rich Media Management | No | No | Yes | Yes |
| Shared Content Types | Yes | Yes | Yes | Yes |
| SharePoint Translation Services | No | No | Yes | Yes |
| Site mailbox | No | No | Yes | Yes |
| Surveys | Yes | Yes | Yes | Yes |
| Unique Document IDs | Yes | Yes | Yes | Yes |
| Video Search | No | No | No | Yes |
| WCM: Analytics | No | No | Yes | Yes |
| WCM: Catalog | No | No | No | Yes |
| WCM: Category page and catalog item page | No | No | No | Yes |
| WCM: Search web parts | No | No | No | Yes |
| WCM: Cross-Site publishing | No | No | No | Yes |
| WCM: Designer Tools | No | No | Yes | Yes |
| WCM: Faceted navigation | No | No | No | No |
| WCM: Image Renditions | No | No | Yes | Yes |
| WCM: Managed navigation | No | No | Yes | Yes |
| WCM: Mobile and Device Rendering | No | No | Yes | Yes |
| WCM: Multiple Domains | No | No | No | No |
| WCM: Recommendations | No | No | Yes | Yes |
| WCM: Search Engine Optimizations (SEO) | No | No | Yes | Yes |
| Word Automation Services | No | No | No | No |

| Insights features | OneDrive for Business Plan 1 | OneDrive for Business Plan 2 | SharePoint Online Plan 1 | SharePoint Online Plan 2 |
|---|---|---|---|---|
| Business Intelligence Center | No | No | No | Yes |
| Calculated Measures and Members | No | No | No | Yes |
| Data Connection Library | No | No | No | Yes |
| Decoupled PivotTables and PivotCharts | No | No | No | Yes |
| Excel Services | No | No | No | Yes |
| Field list and Field Support | No | No | No | Yes |
| Filter Enhancements | No | No | No | Yes |
| Filter Search | No | No | No | Yes |
| PerformancePoint Services | No | No | No | No |
| PerformancePoint Services (PPS) Dashboard Migration | No | No | No | No |
| Power View for Excel in SharePoint | No | No | No | Yes |
| Power Pivot for Excel in SharePoint | No | No | No | Yes |
| Quick Explore | No | No | No | Yes |
| Scorecards & Dashboards | No | No | No | No |
| SQL Server Reporting Services (SSRS) Integrated Mode | No | No | No | No |
| Timeline Slicer | No | No | No | Yes |
| Visio Services | No | No | No | Yes |

| Search features | OneDrive for Business Plan 1 | OneDrive for Business Plan 2 | SharePoint Online Plan 1 | SharePoint Online Plan 2 |
|---|---|---|---|---|
| Advanced Content Processing | No | No | No | No |
| Continuous crawls | Yes | Yes | Yes | Yes |
| Custom entity extraction | No | No | No | No |
| Deep links | Yes | Yes | Yes | Yes |
| Event-based relevancy | Yes | Yes | Yes | Yes |
| Expertise Search | Yes | Yes | Yes | Yes |
| Extensible content processing | No | No | No | No |
| Graphical refiners | Yes | Yes | Yes | Yes |
| Hybrid search | Yes | Yes | Yes | Yes |
| Manage search schema | No | No | Yes | Yes |
| On-premises search index | No | No | No | No |
| Phonetic name matching | Yes | Yes | Yes | Yes |
| Query rules: add promoted results | No | No | Yes | Yes |
| Query rules: advanced actions | No | No | No | No |
| Query spelling correction | No | No | Yes | Yes |
| Query suggestions | No | No | Yes | Yes |
| Query throttling | No | No | Yes | Yes |
| Quick preview | Yes | Yes | Yes | Yes |
| Ranking models | No | Yes | Yes [2] | Yes [2] |
| Refiners | Yes | Yes | Yes | Yes |
| RESTful Query API/Query OM | Yes | Yes | Yes | Yes |
| Result sources | Yes | Yes | Yes | Yes |
| Search connector framework | No | No | No | No |
| Search results sorting | Yes | Yes | Yes | Yes |
| Search vertical: “Conversations” | Yes | Yes | Yes | Yes |
| Search vertical: “People” | Yes | Yes | Yes | Yes |
| Search vertical: “Video” | No | No | No | Yes |
| “This List” searches | Yes | Yes | Yes | Yes |

| Sites features | OneDrive for Business Plan 1 | OneDrive for Business Plan 2 | SharePoint Online Plan 1 | SharePoint Online Plan 2 |
|---|---|---|---|---|
| Change the look | No | No | Yes | Yes |
| Connections to Microsoft Office Clients | Yes | Yes | Yes | Yes |
| Cross Browser Support | Yes | Yes | Yes | Yes |
| Custom Managed Paths | No | No | No | No |
| Governance | Yes | Yes | Yes | Yes |
| Large List Scalability and Management | Yes | Yes | Yes | Yes |
| Mobile Connectivity | Yes | Yes | Yes | Yes |
| Multi-Lingual User Interface | Yes | Yes | Yes | Yes |
| My Tasks | No | No | Yes | Yes |
| OOTB Web Parts | No | No | Yes | Yes |
| Permissions Management | Yes | Yes | Yes | Yes |
| Project functionality for team sites | No | No | Yes | Yes |
| Project site template | No | No | Yes | Yes |
| Project Summary web part | No | No | Yes | Yes |
| Project workspace | No | No | Yes | Yes |
| SharePoint Lists | No | No | Yes | Yes |
| SharePoint Ribbon | No | No | Yes | Yes |
| Site folders | No | No | Yes | Yes |
| Task list | No | No | Yes | Yes |
| Team Site: Drag & Drop | No | No | Yes | Yes |
| Team Site: Notebook | No | No | Yes | Yes |
| Team Site: Simplified Access | No | No | Yes | Yes |
| Templates | No | No | Yes | Yes |
| Themes | No | No | Yes | Yes |
| Usage Analytics | No | No | Yes | Yes |
| Variations | No | No | Yes | Yes |
| Work Management Service | No | No | Yes | Yes |

| Social features | OneDrive for Business Plan 1 | OneDrive for Business Plan 2 | SharePoint Online Plan 1 | SharePoint Online Plan 2 |
|---|---|---|---|---|
| Ask Me About | Yes | Yes | Yes | Yes |
| Blogs | No | No | Yes | Yes |
| Communities Reputation, Badging, and Moderation | No | No | Yes | Yes |
| Community | No | No | Yes | Yes |
| Company Feed | No | No | Yes | Yes |
| Document Conversations with Yammer | Yes | Yes | Yes | Yes |
| Follow | Yes | Yes | Yes | Yes |
| Microblogging | No | No | Yes | Yes |
| Newsfeed | No | No | Yes | Yes |
| One Click Sharing | Yes | Yes | Yes | Yes |
| People, Sites, Document Recommendations | No | No | Yes | Yes |
| Personal Site | Yes | Yes | Yes | Yes |
| Photos and Presence | Yes | Yes | Yes | Yes |
| Profile | Yes | Yes | Yes | Yes |
| Ratings | Yes | Yes | Yes | Yes |
| Shared with Me | Yes | Yes | Yes | Yes |
| Site Feed | No | No | Yes | Yes |
| OneDrive for Business | Yes | Yes | Yes | Yes |
| Tag profiles | No | No | Yes | Yes |
| Tasks integrated with Outlook | Yes | Yes | Yes | Yes |
| Trending Tags | No | No | Yes | Yes |
| Wikis | No | No | Yes | Yes |

| Add-Ons | OneDrive for Business Plan 1 | OneDrive for Business Plan 2 | SharePoint Online Plan 1 | SharePoint Online Plan 2 |
|---|---|---|---|---|
| Additional Storage | No | No | No | No |
| Azure Provisioned Apps: Access Services | Yes | Yes | Yes | Yes |
| Azure Provisioned Apps: Custom Code in Azure LWR | Yes | Yes | Yes | Yes |
| Duet Online | No | No | No | No |