Systems & Communications Protection

Overview

Secure Collaborative Computing

Collaborative computing devices include shared access terminals, web cameras, network whiteboards, etc. Remote activation of these devices can provide an attacker with an entry point into your network.

Collaborative computing devices require authentication that validates a user is physically present at the device. They also require security controls for collaborative sessions to ensure that all participants are authorized and that sessions log off when the session terminates.

Security Baseline: The following controls have been deployed to enforce device security

  • Windows Hello for Business for device-level MFA
  • Authentication duration policies
  • Conditional access policies enforcing session limits on shared devices

Encrypt Management Session

Encrypting management sessions ensures the confidentiality of administrative functions. It prevents an attacker from sniffing or altering administrative sessions and the functions performed over them.

Microsoft uses the Transport Layer Security (TLS) protocol to protect data when it’s traveling between the cloud services and customers. Microsoft datacenters negotiate a TLS connection with client systems that connect to Azure services. TLS provides strong authentication, message privacy, and integrity (enabling detection of message tampering, interception, and forgery), interoperability, algorithm flexibility, and ease of deployment and use.

Security Baseline: All endpoints are configured to use TLS 1.2 for secure transmissions

FIPS Validated Encryption

The Federal Information Processing Standard (FIPS) Publication 140-2 is a U.S. government standard that defines minimum security requirements for cryptographic modules in information technology products, as defined in Section 5131 of the Information Technology Management Reform Act of 1996.

Security Baseline: BitLocker drive encryption is enforced and automatically applies to all enrolled devices.

Separate User/System Functionality

Separating user and system functionality requires managing separate user/system identities. It becomes challenging to identify security issues if a system is authenticating with user credentials or if a user is authenticating with system credentials. This can also create security gaps if credentials are hard-coded or exposed for unauthorized use.

Security Baseline: Application registrations with scoped API permissions are created within Azure AD. The client secrets generated from these registrations are used as a managed identity to automate tasks for compliance notifications, change management logging, and documentation access control.

Permit Traffic By Exception

Permitting traffic by exception and denying anything not permitted is a foundational approach to network security.

Security Baseline: Windows Firewall is enabled and enforced via device configuration policy with the following settings
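The firewall settings themselves are not listed above. As an added example, not the organization's actual policy, the following PowerShell audits each Windows Firewall profile against an assumed default-deny-inbound baseline (the expected values are constructed for this example), offers a reviewable remediation, and lists the inbound allow rules that constitute the permitted exceptions:

```powershell
#Requires -RunAsAdministrator
# Assumed baseline (constructed for this example, not taken from the page):
# every profile enabled, inbound default Block, outbound default Allow,
# blocked inbound connections logged.
$Baseline = @{
    Enabled               = 'True'
    DefaultInboundAction  = 'Block'
    DefaultOutboundAction = 'Allow'
    LogBlocked            = 'True'
}

function Test-FirewallBaseline {
    # Compare each profile (Domain, Private, Public) with the baseline and
    # return one finding object per setting that deviates from it.
    [CmdletBinding()]
    param([hashtable]$Expected = $Baseline)

    foreach ($fwProfile in Get-NetFirewallProfile) {
        foreach ($setting in $Expected.Keys) {
            $actual = [string]$fwProfile.$setting
            if ($actual -ne $Expected[$setting]) {
                [pscustomobject]@{
                    Profile  = $fwProfile.Name
                    Setting  = $setting
                    Expected = $Expected[$setting]
                    Actual   = $actual
                }
            }
        }
    }
}

function Repair-FirewallBaseline {
    # Enforce the baseline on all profiles. Supports -WhatIf so the change
    # can be reviewed before it is applied.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess('All firewall profiles', 'Apply default-deny inbound baseline')) {
        Set-NetFirewallProfile -All -Enabled True `
            -DefaultInboundAction Block -DefaultOutboundAction Allow -LogBlocked True
    }
}

$findings = Test-FirewallBaseline
if ($findings) { $findings | Format-Table -AutoSize } else { 'All profiles match the baseline.' }

# Enabled inbound allow rules are the "exceptions"; list them for periodic review.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Select-Object DisplayName, Profile, Group | Sort-Object DisplayName
```

Run `Repair-FirewallBaseline -WhatIf` first to see the change that would be applied; when the device is managed by Intune or Group Policy, the policy should carry these settings rather than a local script.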

Prevent Split Tunneling

Split tunneling occurs when a device has simultaneous access paths into different security domains. A mobile device is a good example, as it might have internal network access via Wi-Fi and external Internet access via a cellular network at the same time. This can create security gaps, as a user could bypass security controls. Forced tunneling lets you redirect or "force" all Internet-bound traffic back to your on-premises location via a Site-to-Site VPN tunnel for inspection and auditing. This is a critical security requirement for most enterprise IT policies. Without forced tunneling, Internet-bound traffic from your VMs in Azure always traverses from Azure network infrastructure directly out to the Internet, without the option for you to inspect or audit the traffic. Unauthorized Internet access can potentially lead to information disclosure or other types of security breaches.

Prevent Unauthorized Disclosure

You can secure confidential data and control information flows with Azure Information Protection through the use of Sensitivity Labels.


Manage Cryptographic Keys

Your Microsoft tenant is configured to encrypt all data at rest with your own encryption keys. This Customer Key encryption lets you provide and control your own encryption keys as described in the Online Services Terms (OST). Microsoft cannot see or extract the encryption keys stored in your Azure Key Vault.

Security Baseline: Customer keys have been configured for your tenant and reside within your Azure Key Vaults.

Protect Data at Rest

All Microsoft 365 data is encrypted using your own cryptographic customer keys.