With the first two blog posts we defined the problems that we are trying to solve, in this one we’ll set out our solution.
The PowerON Secure Access Framework is based on a Zero Trust methodology and takes into account the Microsoft Enterprise Access Model. It differs from these by providing a more bespoke solution to businesses while directly addressing common pain points such as ensuring that business requirements and productivity are not needlessly impacted, taking into account typical IT team workloads and common remote access requirements such as Disaster Recovery working and Third-Party access.
The PowerON Secure Access Frameworks aims to:
- Make the solution as easy to digest and buzzword free as possible
- Take into account practical requirements such as third parties and home use
- Respect non-Microsoft security products
- Identify intermediate steps allowing for faster return on investments
- Customise solutions based on customer requirements
- Maintain the ethos and security of the Microsoft Zero Trust and Enterprise Access Models
What are the headline changes?
One of the quickest ways to full domain compromise is for domain administrators (and other high value accounts) credentials to be sniffed from memory. As such, in the new model admin accounts can only log into systems which are owned, managed and locked down to high standards reducing the chances that viruses are installed.
Administrators are people too and need to use standard systems such as the internet or email, this is either provided by separate dedicated hardware or via a virtual desktop solution such as Azure Virtual Desktop or Windows 365. This means that privileges can only be deescalated as the standard user account and VM have no rights to access the originating admin device (and the admin credentials never log into the standard system).
Multifactor authentication for all
Multifactor (or 2FA) authentication stops 99.9% of all attacks. The newest and highest standards such as FIDO2 keys rely on a combination of physical access, hardware security and known secrets. While this sounds daunting these tokens are actually often simpler to setup and use than telephone based MFA solutions while providing a smoother user experience and don’t suffer from cost or management issues such as traditional RSA keys.
Cloud as the control plane
With the widespread use of Ransomware anything connected to the operational domain is highly vulnerable to being compromised and deleted. By mastering core services such as authentication in Azure AD (or other cloud services) the infrastructure backing these protections is completely off network and secured with millions of pounds worth of security and 24/7 monitoring.
Overall the PowerON Secure Access Framework requires some changes to the way administrators work but the technologies are actually all available today. The key is to combine them into a layered approach which prioritises security and avoiding privilege escalation at the highest levels while minimising user disruption at the business level.
The most important element with any kind of significant change like this is to get organisational buy-in, articulate the benefits and then slowly work to improve the organisational posture over time (more on this in my next blog).
If you’re interested in finding out more about our Secure Access Framework and how it can help your organisation, get in touch with our team today.