Maintenance & Media Protection

  • 5 minutes to read

Overview

The following Microsoft technologies have been deployed to facilitate maintenance & media protection.

  • Azure Active Directory
  • Azure AD Privileged Identity Management
  • Key Vault
  • Azure Information Protection
  • Exchange Online Message Encryption
  • Conditional Access Policies

Controlled Maintenance

Performing controlled maintenance ensures uptime through established processes such as change and configuration management. Maintenance windows are an important time to apply critical security updates and patches.

Windows 10 and later update policies have been implemented that specify how and when Windows updates your Windows workstation.

Security Baseline: NIST - Windows 10/11 Update Policy has been assigned to all user Windows devices and contain the following settings.

Microsoft Product Updates: Allow

Automatic Update Behavior: Auto install at maintenance time

Active hours start: 8AM

Active hours end: 5PM

Restart checks: Allow

Option to pause Windows updates: Enable

Option to check Windows updates: Enable

Grace Period: 7 days

Auto Reboot before deadline: Yes

Control Maintenance Operations

Currently, maintenance operations managed by Intune are limited to Windows 10/11 update policies. These updates are deployed on a regular interval and do not require elevated access to install.

Multi-Factor Authentication

Azure Active Directory provides the capabilities to set granular authentication controls for users, applications and services. Multi-factor authentication is enforced and requires users to register multiple authentication methods. Those authentication methods are:

  • Password
  • Microsoft Authenticator App
  • SMS text message
  • Voice Call

Security Baseline: MFA is enforced for all Azure AD cloud applications and services using the conditional access policy, NIST - GRANT - MFA For All Users
MFA is enforced on workstations by leveraging Windows Hello for Business. This NIST - Windows Hello Configuration Profile combined with the Nimbus Logic device script to disable password use on Windows workstations do satisfy the MFA requirement for endpoints in NIST 800-171.

Supervise Maintenance Personnel

You can supervise maintenance personnel with Azure Active Directory Privileged Identity Management. This feature provides tight control over administrative rights including conditional access, eligibility windows, global admin approvals, admin time windows and logging. Privileged Identity Management combined with the Azure Sentinel & sign-in logs provide a comprehensive audit trail that allows you to fully keep track of all maintenance personnel and contractors.

Label Sensitive Data

Sensitivity Labels

Sensitivity Labels are implemented to classify CUI as well as any other custom labels requested by your company. This helps to limit certain data to specific teams, prevent outside sharing, and prevent CUI leaks.

In Azure Information Protection, the labels are created with a descriptive display name, and a tool tip to help identify when users should select the label.
For example…
Label Display Name: Contracts – Restricted.
Description: Contracts data that is restricted to the Legal Team.

Protect Sensitive Data

Encryption

BitLocker is employed on your tenant to encrypt all data on Windows 10/11 devices. This profile requires TPM to be enabled, and leverages XTS-AES 128-bit encryption on your physical hard drives. Your devices’ BitLocker recovery keys are backed up to Azure Active Directory, and can be recovered by an administrator in the event of a data recovery requirement.

Security Baseline: NIST - Endpoint Protection Configuration Profile outlines and implements the required BitLocker configuration to AzureAD joined workstations.

Limit Access to Sensitive Data

DLP Policies / Conditional Access to Sites

Data Loss Prevention (DLP) policies are implemented to prevent data leaks, intentional or non. Data / emails are scanned, and transmission will be blocked if any of the contents match a DLP policy. Default DLP policies implemented by Nimbus Logic include Personal Identifiable Information, and any items that you specified to Nimbus at the time of onboarding.

Personal Identifiable Information (PII) is defined as:
Any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means. Further, PII is defined as information: (i) that directly identifies an individual (e.g., name, address, social security number or other identifying number or code, telephone number, email address, etc.) or (ii) by which an agency intends to identify specific individuals in conjunction with other data elements, i.e., indirect identification. (These data elements may include a combination of gender, race, birth date, geographic indicator, and other descriptors). Additionally, information permitting the physical or online contacting of a specific individual is the same as personally identifiable information. This information can be maintained in either paper, electronic or other media.

Protect Sensitive Data in Transit

Security Baseline: NIST - Security Protocols is enforced on all endpoints, and disables the transmission of data over the internet unless it is using specifically TLS 1.2.

Nimbus Logic has also implemented key vaults using Azure Key Vauilt to securely store your application keys, certificates and secerts. This reduces the risk of key exposure while providing role based access control for key usage, and a full audit logging of key usage.