Securing the channel: journey to zero trust
Update June 2, 2022: Granular delegated admin privilege (GDAP) capabilities are now available. We encourage all partners in the Cloud Solution Provider (CSP) program to remove any delegated admin privileges (DAP) they don’t need or use, transition DAP connections they’re using to GDAP, and update their process for acquiring new CSP customers to include requesting GDAP permissions from customers. In Q3 2022, Microsoft will begin removing DAP connections that are not in use and partners will need to gain customer permission to reinstate GDAP connections. More information on GDAP is available here.
Cybersecurity continues to be one of the top challenges of our digital age, and Microsoft partners play an important role in securing cloud transformations around the world. The global shift to hybrid work has coincided with a rise in cyberattacks that are more frequent and complex than ever before. Across industries, organizations are evaluating their security posture to ensure they are protected against threats such as ransomware, malware, and phishing. We now find ourselves with the urgent opportunity to adopt a Zero Trust approach to security and assume all activity, even by trusted users, could be an attempted breach.
A Zero Trust approach follows three principles:
- Verify explicitly
- Use least privileged access
- Assume breach
This is a model that effectively adapts to the complexity of the modern environment, embraces the hybrid workplace, and protects people, devices, apps and data wherever they’re located. Organizations that operate under these principles become more resilient, consistent, and responsive to new attacks. Together with our partners, we’re taking steps aligned to Zero Trust to encourage users to adopt a holistic security approach that properly secures the channel.
Verify explicitly: always authenticate and authorize based on all available data points, including user identity, location, device health, service or workload, data classification, and anomalies.
Digital identity takes many forms—email addresses, passwords, PINs—and is a major target of cybercriminals. To enforce Zero Trust authentication, Microsoft has implemented mandatory security requirements for the Cloud Solution Provider (CSP) program, such as multi-factor authentication (MFA) and the Secure Application Model framework. To see how MFA is being enforced for their accounts, partners can view their security requirements status report in Partner Center.
As we move forward, Microsoft will continue to work with partners to implement verification tools that thoroughly authenticate user identities. Partners and customers can proactively protect their organizations through identity isolation, device health monitoring (with tools like Microsoft Defender for Endpoint, with opt-in for Microsoft Threat Experts), and third-party security monitoring and penetration testing. As hybrid work environments continue to bring an influx of new connected devices, Zero Trust principles will be essential to defending digital identities.
Use least privileged access: limit user access with just-in-time and just-enough-access, risk-based adaptive policies, and data protection to help secure both data and productivity.
Protecting access to customer data is another critical part of securing the ecosystem, and partners should employ tools that enforce the principle of least privileged access. Microsoft currently offers a free, 24-month subscription to Azure AD Premium Plan 2 for qualified partners in the Cloud Solution Provider (CSP) program, available in Partner Center. Through this subscription, managed service providers can take advantage of premium access management features that offer a more hands-on approach to security. Partners should also use the reporting tools launched in December 2021 to audit and review access privileges, and remove partner admin roles that are no longer required.
In the coming months, Microsoft will release a technical preview for granular delegated administration privileges (GDAP) so that partners can test the new capabilities and begin planning their transition from DAP to GDAP. This will allow a higher degree of control over customers’ access through the features outlined here.
Partners are also advised to regularly check the activity log in Partner Center to monitor any user activities and to use Partner Center Activity Log APIs to create a custom security dashboard.
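As an added illustration of the two reviews recommended above (auditing privileged changes in the activity log and finding delegated-admin relationships that are no longer used), the following script is example code, not Microsoft's or Partner Center's own; the record field names, operation-type names and sample records are constructed assumptions, so map them to the fields your activity-log export actually contains.

```python
"""Review constructed Partner Center-style activity-log records for least-privilege checks."""
from datetime import datetime, timedelta, timezone

# Operation types treated as privileged: assumed names, not the real log vocabulary
PRIVILEGED_OPS = {"add_delegated_admin", "update_partner_admin_role", "add_user_member"}

# Constructed sample records: one partner tenant acting on three customer tenants
SAMPLE_RECORDS = [
    {"operationType": "add_delegated_admin", "operationDate": "2022-01-10T09:12:00Z",
     "userPrincipalName": "alice@partner.example", "customerId": "cust-001"},
    {"operationType": "update_partner_admin_role", "operationDate": "2022-05-20T14:03:00Z",
     "userPrincipalName": "bob@partner.example", "customerId": "cust-002"},
    {"operationType": "get_customer", "operationDate": "2022-05-28T08:00:00Z",
     "userPrincipalName": "svc-app@partner.example", "customerId": "cust-002"},
    {"operationType": "get_customer", "operationDate": "2021-11-01T08:00:00Z",
     "userPrincipalName": "carol@partner.example", "customerId": "cust-003"},
]
# Constructed list of customers that currently have a DAP relationship with the partner
DELEGATED_CUSTOMERS = ["cust-001", "cust-002", "cust-003"]


def parse_ts(value):
    """Parse the UTC timestamp format used in the constructed records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def privileged_changes(records, since):
    """Return privileged-operation records on or after `since`, newest first."""
    hits = [r for r in records
            if r["operationType"] in PRIVILEGED_OPS and parse_ts(r["operationDate"]) >= since]
    return sorted(hits, key=lambda r: r["operationDate"], reverse=True)


def idle_delegated_customers(records, customers, now, max_idle_days=90):
    """Customers with a delegated relationship but no activity in the window.

    These are the candidates for removing DAP or moving to a narrower GDAP scope.
    """
    epoch = datetime.min.replace(tzinfo=timezone.utc)
    last_seen = {}
    for r in records:
        ts = parse_ts(r["operationDate"])
        if ts > last_seen.get(r["customerId"], epoch):
            last_seen[r["customerId"]] = ts
    cutoff = now - timedelta(days=max_idle_days)
    return sorted(c for c in customers if last_seen.get(c, cutoff) <= cutoff)


if __name__ == "__main__":
    now = datetime(2022, 6, 1, tzinfo=timezone.utc)
    for rec in privileged_changes(SAMPLE_RECORDS, now - timedelta(days=31)):
        print("privileged change:", rec["operationDate"], rec["userPrincipalName"], rec["operationType"])
    print("idle delegated customers:", idle_delegated_customers(SAMPLE_RECORDS, DELEGATED_CUSTOMERS, now))
```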
Assume breach: minimize blast radius and segment access. Verify end-to-end encryption and use analytics to get visibility, drive threat detection, and improve defenses.
New technical training is now available for partners in the CSP program who are responsible for managing their customers’ tenants. This virtual training covers security vulnerabilities exploited by recent attacks (such as Nobelium) and instructs partners on best practices for protecting their organizations and their customers. The training includes threat awareness, guidance on hardening one’s environment, auditing and monitoring, and specific actions partners in the CSP program should be taking.
Additional guidance for partners and their customers regarding Nobelium targeted attacks is available on the Microsoft Partner Network blog.
By implementing Zero Trust principles, we can ensure our solutions are protecting all customers and organizations. They provide an invaluable framework for moving forward into a world of increasing and evolving threats. We’ve found that a more secure system is a more successful system and will empower partners and customers to continue achieving at the highest level. Thank you for your continued partnership and commitment to security practices.