Securing the Channel
Act now to protect you and your customers
MSPs hold privileged access into their customers’ IT infrastructure, and that is exactly what puts them on the hitlist: an attacker who compromises an MSP’s software, tooling or administrative accounts can reach every customer that trusts it, rather than breaking into customers one at a time. In November 2022 the UK government announced changes to the NIS Regulations. These were originally derived from EU law while the UK was a member state; having left the EU, the UK can now amend the legislation to better suit its own cybersecurity needs.
The updates to these laws form part of the government’s £2.6 billion National Cyber Strategy, which takes a stronger approach to improving UK businesses’ cyber resilience and making the digital economy more secure and prosperous. The proposal brings MSPs into the scope of the regulations so that the UK’s digital supply chains remain secure, and will be enacted as soon as parliamentary time allows. In practice this means outsourced IT providers would become legally accountable for the security of the customer infrastructure they manage: a provider that suffers a breach and is found to be non-compliant can be fined up to £17 million.
Microsoft has also updated its CSP agreement and policy so that the CSP partner is financially responsible for fraudulent purchases made on its customers’ tenants. Microsoft rarely makes exceptions to this policy.
With this change in policy and legislation, it is more important than ever for partners to follow security best practices themselves and to provide their customers with robust security controls that protect their environments and prevent cyber-attacks.
Act now and apply the five principles from the cybersecurity bell curve to protect your customers’ tenants.
1. Enable Multifactor Authentication (MFA)
MFA is the simplest step to lock the door to customers’ CSP environments.
Cybercriminals don’t break in; they log in. Microsoft’s own analysis finds that 98% of successful cyberattacks could be prevented by basic security hygiene practices.
Breaches are costly, and a password on its own is a single point of failure, so if partners and customers do only one thing to protect themselves, it should be enabling MFA. There are several options, such as the Microsoft Authenticator app, and Microsoft reports that MFA blocks more than 99.9% of identity attacks. This applies first of all to the partner’s own tenant: Microsoft’s partner security requirements already mandate MFA for every user account in a CSP partner tenant, because an attacker who compromises a partner account inherits its delegated access to every customer.
2. Apply zero trust principles
Microsoft encourages partners to adopt a Zero Trust approach to security: treat every request as if it could be hostile, regardless of where it originates or whether the user is trusted, and verify it before granting access.
A Zero Trust approach follows three principles:
- Verify explicitly
- Use least privileged access
- Assume breach
This is an adaptive model which embraces hybrid work and protects devices, apps, data and identities regardless of location. Organisations that adopt these principles become more resilient, consistent, and responsive to new attacks.
Granular Delegated Admin Privileges (GDAP) is the mechanism that gives partners least-privileged access to customer tenants in line with Zero Trust principles. Where the older Delegated Admin Privileges (DAP) granted partners standing Global Administrator rights over a customer, GDAP lets a partner request specific Azure AD roles for a fixed duration (up to 730 days), which the customer must approve, and scope those roles to security groups in the partner tenant so that only the engineers who support that customer hold them. It works for customers’ production and sandbox environments alike.
All partners globally must make this transition from DAP to GDAP. Before requesting a relationship, review which roles the support work actually needs; a helpdesk engagement rarely needs more than Helpdesk Administrator or a reader role, and requesting Global Administrator in a GDAP relationship simply recreates the DAP exposure under a new name. Partners must understand and plan for this change now and start their DAP to GDAP transitions for each customer.
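The least-privilege review described above can be automated against an export of the partner tenant’s delegated admin relationships. The script below is an added example, not code from the original article or from Microsoft: it assumes the input has the shape of the Microsoft Graph `delegatedAdminRelationship` resource (`displayName`, `status`, `duration`, `endDateTime`, `customer`, `accessDetails.unifiedRoles`), which to my knowledge is what `GET /v1.0/tenantRelationships/delegatedAdminRelationships` returns; the payload embedded in it is constructed sample data, and the 180-day policy limit is an assumption to tune for your own estate.

```python
"""Least-privilege review of GDAP relationships exported from Microsoft Graph.

Added example, not code from the original article. The input shape follows the
Graph `delegatedAdminRelationship` resource as I understand it; the payload below
is constructed sample data, not a real export.
"""
import json
import re
from datetime import datetime, timezone

# Azure AD / Entra ID role template IDs are fixed across all tenants.
GLOBAL_ADMIN = "62e90394-69f5-4237-9190-012177145e10"
ROLE_NAMES = {
    GLOBAL_ADMIN: "Global Administrator",
    "729827e3-9c14-49f7-bb1b-9608f156bbb8": "Helpdesk Administrator",
    "5d6b6bb7-de71-4623-b4af-96380a352509": "Security Reader",
}

MESSAGES = {
    "global-admin": "grants Global Administrator; request only the roles the support work needs",
    "long-duration": "duration exceeds partner policy; shorten and re-request",
    "expiring": "expires soon; renew with the customer before access lapses",
}

# Constructed sample shaped like the Graph response; tenant IDs are made up.
SAMPLE_EXPORT = json.loads("""{
  "value": [
    {"displayName": "Contoso - legacy full admin", "status": "active",
     "duration": "P730D", "endDateTime": "2025-12-01T00:00:00Z",
     "customer": {"tenantId": "11111111-1111-1111-1111-111111111111", "displayName": "Contoso"},
     "accessDetails": {"unifiedRoles": [{"roleDefinitionId": "62e90394-69f5-4237-9190-012177145e10"}]}},
    {"displayName": "Fabrikam - helpdesk", "status": "active",
     "duration": "P90D", "endDateTime": "2024-01-25T00:00:00Z",
     "customer": {"tenantId": "22222222-2222-2222-2222-222222222222", "displayName": "Fabrikam"},
     "accessDetails": {"unifiedRoles": [
        {"roleDefinitionId": "729827e3-9c14-49f7-bb1b-9608f156bbb8"},
        {"roleDefinitionId": "5d6b6bb7-de71-4623-b4af-96380a352509"}]}},
    {"displayName": "Northwind - expired", "status": "expired",
     "duration": "P180D", "endDateTime": "2023-11-01T00:00:00Z",
     "customer": {"tenantId": "33333333-3333-3333-3333-333333333333", "displayName": "Northwind"},
     "accessDetails": {"unifiedRoles": [{"roleDefinitionId": "5d6b6bb7-de71-4623-b4af-96380a352509"}]}}
  ]
}""")


def parse_duration_days(iso_duration):
    """'P730D' -> 730. GDAP durations are whole days, so only the PnD form is handled."""
    match = re.fullmatch(r"P(\d+)D", iso_duration)
    if not match:
        raise ValueError(f"unsupported duration: {iso_duration!r}")
    return int(match.group(1))


def parse_graph_datetime(value):
    """Graph returns UTC timestamps ending in 'Z'; fromisoformat() only accepts that from 3.11."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def review_relationships(export, now, max_days=180, expiry_warning_days=30):
    """Return {displayName: [finding codes]} for active relationships that need attention.

    max_days is a partner policy choice (an assumption here), not a Microsoft limit:
    GDAP itself permits relationships of up to 730 days.
    """
    findings = {}
    for rel in export["value"]:
        if rel["status"] != "active":      # expired / pending relationships grant nothing
            continue
        codes = []
        roles = {r["roleDefinitionId"] for r in rel["accessDetails"]["unifiedRoles"]}
        if GLOBAL_ADMIN in roles:
            codes.append("global-admin")
        if parse_duration_days(rel["duration"]) > max_days:
            codes.append("long-duration")
        remaining = (parse_graph_datetime(rel["endDateTime"]) - now).days
        if 0 <= remaining <= expiry_warning_days:
            codes.append("expiring")
        if codes:
            findings[rel["displayName"]] = codes
    return findings


def review_sample():
    """Run the review over the constructed export with a fixed clock so output is reproducible."""
    now = datetime(2024, 1, 15, tzinfo=timezone.utc)
    return review_relationships(SAMPLE_EXPORT, now)


if __name__ == "__main__":
    for name, codes in review_sample().items():
        print(name)
        for code in codes:
            print(f"  [{code}] {MESSAGES[code]}")
```

Run against a real export, the “global-admin” findings are the relationships to renegotiate with the customer first; the “expiring” ones are the operational risk, since a lapsed relationship is what tempts an engineer to fall back to a shared break-glass credential.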
3. Use modern anti-malware
Installing and enabling anti-malware on every endpoint, server and device can stop malware attacks before they take hold. Partners should use cloud-connected solutions so that they always have the most current and accurate detection capabilities rather than relying on signatures that may be days old. Microsoft Defender for Endpoint and Microsoft Defender for Business are Microsoft’s next-generation protection offerings for anti-malware.
4. Keep up to date
Unpatched and out-of-date systems remain one of the most common routes to compromise. Keep operating systems, firmware and applications current, and treat the MSP’s own management tooling as the highest priority: a vulnerability in software that holds access to many customers exposes every one of them at once.
5. Protect data
Enabling all of the above is a great way to establish good cyber hygiene and will inherently protect data; however, organisations also need to be able to identify the sensitive data they hold.
This involves classifying the data and applying sensitivity labels where relevant, which information protection and data loss prevention technologies can then act on. These practices also help security teams, in the event of a breach, to understand where the most sensitive data is and whether it has been compromised.
Microsoft CSP Best Practices
Microsoft has also put together a set of security best practices for Cloud Solution Providers (CSPs), with the recommendation that partners follow the guidance in the article to protect themselves and their customers; a companion set of guidance exists for customers.
The most highly recommended steps to act on are:
- Add a security contact for security-related issue notifications in the Partner Center tenant.
- Check your identity secure score in Microsoft Azure Active Directory (Azure AD, now Microsoft Entra ID) and take the appropriate actions to raise your score.
- Review and implement the guidance documented in Managing nonpayment, fraud, or misuse.
- Familiarise yourself with the NOBELIUM threat actor and related materials.
Both Partners and customers need a security contact listed in Partner Center and the Admin Center, and it’s important that the contact information for this person(s) remains up to date.
The designated contacts should be made aware that they are the security contact as they will be the contact that receives notification from Microsoft when a security incident has affected the partner or customer tenant.
That security contact is expected to take immediate action to mitigate and remediate the issue, so it is imperative that there are robust, regularly tested incident response processes in place before a breach happens.
Identity secure score
The identity secure score is an indicator that demonstrates how aligned you are with Microsoft’s best practice recommendations for security. The score helps you to:
- Objectively measure your identity security posture
- Plan identity security improvements
- Review the success of your improvements
The secure score is not a measure of the likelihood of being breached but expresses the extent to which the adopted features can offset the risk of being breached.
Review and Implement
Review and implement the guidance documented in Managing nonpayment, fraud, or misuse.
As mentioned previously, CSP partners are now financially liable for fraudulent purchases on customer tenants, so it is strongly recommended that partners understand the risks and implement rigorous fraud prevention and detection controls to reduce their exposure: budgets and cost alerts on every Azure subscription they provision, alerting on unexpected subscription or licence purchases, and a regular review of which subscriptions exist and who holds owner rights over them.
NOBELIUM threat actor
Familiarise yourself with the NOBELIUM threat actor and related materials:
In October 2021 the Microsoft Threat Intelligence Center (MSTIC) detected nation-state activity associated with the threat actor tracked as NOBELIUM (the group behind the SolarWinds compromise), attempting to gain access to downstream customers of multiple CSPs, MSPs and outsourced IT providers that had been granted administrative or privileged access by those customers. NOBELIUM targeted the privileged accounts of service providers, then leveraged the trusted relationship to move into customer environments and access or target their systems. Microsoft’s published materials on this campaign give further information.
Consideration should also be given to any Azure subscriptions in your customers’ tenants that have no services attached to them.
These are a point of exposure: an unused subscription is rarely monitored, so a cybercriminal who gains access to it can spin up compute or other services and have them billed to the partner as fraudulent purchases. Removing these zero-cost subscriptions in CASCADE eliminates the risk.
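The fraud-detection controls recommended under “Managing nonpayment, fraud, or misuse” above and the dormant-subscription risk just described share one detection: watch each subscription’s daily spend and alert when it changes character. The script below is an added example, not code from the original article or from Microsoft. It runs over a constructed daily-cost table of the kind you could export from Azure Cost Management; the subscription names and figures are made up, and the thresholds are assumptions to tune for your own partner estate.

```python
"""Spend-anomaly check for Azure subscriptions in customer tenants.

Added example, not from the original article. Works over a constructed
daily-cost table (subscription -> daily cost in GBP, oldest day first);
names, figures and thresholds are all assumptions.
"""
from statistics import median

# Constructed sample: eight days of daily cost per subscription, oldest first.
DAILY_COST = {
    "Contoso-Prod":     [410.0, 395.0, 402.0, 418.0, 390.0, 405.0, 399.0, 412.0],
    "Fabrikam-Dev":     [52.0, 48.0, 55.0, 49.0, 51.0, 50.0, 47.0, 640.0],
    "Northwind-Unused": [0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 185.0],
}


def classify_subscription(costs, baseline_days=7, spike_factor=5.0, min_spend=25.0):
    """Return finding codes for one subscription's daily cost series.

    - "dormant-activated": zero spend across the baseline window, then spend appears.
      This is the pattern of an unused subscription being abused for new purchases.
    - "spend-spike": the latest day exceeds spike_factor x the baseline median and is
      at least min_spend, so tiny dev subscriptions do not alert on noise.
    """
    if len(costs) < baseline_days + 1:
        raise ValueError("need at least baseline_days + 1 days of data")
    baseline = costs[-baseline_days - 1:-1]
    latest = costs[-1]
    codes = []
    if max(baseline) == 0.0 and latest > 0.0:
        codes.append("dormant-activated")       # checked first: median of zeros is zero
    elif latest >= min_spend and latest > spike_factor * median(baseline):
        codes.append("spend-spike")
    return codes


def review_spend(table, **thresholds):
    """Return {subscription: [finding codes]} for subscriptions that need a look."""
    findings = {}
    for subscription, costs in table.items():
        codes = classify_subscription(costs, **thresholds)
        if codes:
            findings[subscription] = codes
    return findings


if __name__ == "__main__":
    for subscription, codes in review_spend(DAILY_COST).items():
        print(f"{subscription}: {', '.join(codes)}")
```

The dormant case is deliberately tested before the spike ratio: a subscription whose baseline is all zeros has a median of zero, so any spend at all would otherwise be reported as a generic spike and lose the more useful signal that a subscription nobody uses has suddenly started incurring cost.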
By implementing zero trust principles and following the best practices highlighted above, you can take a proactive approach to protecting your customers in a world of evolving threats.
For further guidance on anything you have read, please get in touch!