BREAKING: Major Office 365/Azure AD multi-tenancy breach: 2019 predictions (blog 4 of 10)

Multi-tenancy security is a sure bet, right? Yes, and the big SaaS vendors go to great lengths to ensure this. But, just as no one would have predicted at the start of last year that nearly every computer produced in the last 20 years would be vulnerable to data loss due to design flaws in the microprocessor, we also shouldn’t write off multi-tenant security as a sure thing.

In this fourth detailed blog in my 2019 predictions for Windows and Office 365 professionals, I predict this sort of breach will hit the news either because of an exploitation of an unknown vulnerability, or, more likely, because someone provisions Office 365 or Azure Active Directory (AD) in the wrong place (think commercial vs. gov clouds) or someone punches holes between tenants for easier management, giving people access to data they shouldn’t see.

Mis-provisioning and misconfigurations miss the security goal

Per a previous prediction, humans affect provisioning as well as Office 365 and Azure AD configurations. Let’s explore where the problems start.

Acme Org has many holdings, including Company A, Company B and Company Z. Company A can share information back and forth with Company B, and B can share information with Company Z, but Z cannot share information with A due to regulatory compliance. They set up individual Office 365 tenants for each company. The natural isolation of multi-tenancy is working perfectly as a boundary of administration and security for their various holdings.

But, they need to manage and audit across all of these environments, and they also need to be able to share data in a controlled way. So they decide to deploy a PowerShell script to do the management and auditing across all three environments, thus unwittingly creating a hole between Company A and Company Z.

Acme Org started with a secure model, but have now slipped back. They are chipping away at the bottom of a dam without knowing it, breaching the model they set in place. Now they are left with an uncontrolled flood of information between Companies A, B and Z that a hacker, disgruntled employee or compromised solution could steal, share or abuse.

And what’s worse is Acme Org wouldn’t be able to detect this. They’re in for a long-term breach that is hemorrhaging data because there is no accountability and no auditing.

It only takes one programming error to compromise everything.

"The No. 1 issue is not properly securing access credentials," said Fernando Montenegro, analyst at 451 Research in SearchCloudComputing. He cites the lack of multi-factor authentication and the rise in misconfigurations as the biggest threats to cloud security.

Our recommendation for 2019

One of the best ways to ensure misconfiguration doesn’t compromise your system is to define and apply strict security and monitoring policies across your environment. The National Institute of Standards and Technology (NIST) has developed the Cybersecurity Framework to help organizations improve the security of critical infrastructures with recommended processes and procedures.

  • Apply the Framework to the management and auditing of your SaaS environments (whether third party or your own private cloud multi-tenancy environment).
  • Use the Framework to identify the desired cybersecurity outcomes against existing, trusted standards.
  • Incorporate the five NIST cybersecurity functions concurrently and continuously into your security practice: identify, protect, detect, respond and recover.
  • Use both Current and Target Profiles to rate the maturity of your identified cybersecurity outcomes and then track your outcomes and activities against where you want to be.

To learn more about the specifics of the NIST Framework and how to apply the five NIST standards in your AD environment to monitor the identities authenticating to and traversing your environment, check out this Randy Franklin Smith white paper: Securing Active Directory by Use the NIST Cybersecurity Framework.

Read the white paper