Preface:

It’s no mystery that cybersecurity is a major priority across the globe. With the increase in cyber-attacks, the expanding attack surface, and the need for more and more remote-friendly solutions, the demand for organizations to mature their capabilities is higher than ever. Government is no exception: critical services that citizens rely on need to be protected. For all those reasons, I’m a huge fan of the CAL-SECURE vision, and while not everyone reading this article may be in State of California Government IT, the roadmap applies to organizations of all sizes and industries.

The purpose of this article stemmed from a discussion being had amongst our team here at Prodigy Consulting. At first glance at the “Technology” capabilities laid out in the roadmap, we noticed that many of those can be met using Microsoft cloud services.

With that said, this is not Government documentation and the views expressed are merely those of our team; none of the information is guaranteed to meet the requirements of a security audit or CAL-SECURE.

-Kyle Green

Article:

In October of 2021, the State of California Department of Technology (CDT) and its Office of Information Security (OIS) published “CAL-SECURE”, the State’s first five-year information security roadmap. According to the document, CAL-SECURE is intended to “outline capabilities the State must adopt and achieve in a prioritized fashion”. In other words, CDT has provided a vision for improving the security capabilities and maturity of all State departments within the Executive branch and stressed the urgency of complying.

Announcement of CAL-SECURE

CAL-SECURE priorities are broken into three categories, each with its own list of priorities and key initiatives. Those categories are People, Process, and Technology. For this article, we’ll be exploring the “Technology” category, which is intended to enhance cybersecurity capabilities by adopting prioritized solutions and practices.

As a Microsoft Gold partner with extensive experience providing consulting services and adoption guidance for State and Local Government, we at Prodigy Consulting thought it would be a fun exercise to map priority items in CAL-SECURE to services available under the Microsoft cloud suite (Microsoft 365, Azure, etc.).

First, let’s look at the priority items for cybersecurity capabilities across the five years:

In the following sections, we’ll share which capabilities we believe the Microsoft cloud suite of products can satisfy, or at a minimum align with from a conceptual standpoint. If there is no clear service that aligns with a capability, we will mark it “Not assessed”, since there could be a service that we’re not familiar with. Licensing for the products below is outside the scope of this article; consult with Microsoft regarding the availability of these products and features.

Phase I

Anti-Malware Protection

Microsoft Defender for Endpoint is a comprehensive security and device-protection suite provided under the Microsoft 365 cloud service with qualifying/eligible licensing. Microsoft Defender for Endpoint provides next-generation antimalware for protected devices.

Anti-Phishing Program

Technologically, and applied to email communications, Microsoft Defender for Office 365 provides anti-phishing policies, rules, and the ability to conduct simulated phishing attacks.

Multi-Factor Authentication

Multi-Factor Authentication (MFA) is a feature provided in the Azure Active Directory service. Azure AD MFA is a first-class MFA service attached to Azure AD, a leading Identity and Access Management (IDAM) solution in the Microsoft cloud. Any organization using Microsoft 365 Exchange Online, Teams, or SharePoint is already using Azure AD for authentication and authorization. Azure AD MFA can protect cloud and on-premises applications and supports a variety of second factors.

Continuous Vulnerability Management

Microsoft Defender for Cloud does real-time vulnerability and compliance scanning of cloud and on-premises servers, including the Azure platform itself.

Additionally, Microsoft has several services that work in unison to provide vulnerability management across servers, PCs, mobile devices, and third-party services. As an example, Microsoft Sentinel is an enterprise-grade cloud SIEM/SOAR service. Sentinel can bring in logs from all other Microsoft cloud services, including security services such as Defender for Endpoint, Defender for Identity, and Defender for Office 365. You can also ingest log data from third-party services, clouds, and infrastructure.

Phase II

Asset Management

Microsoft Dynamics 365 Supply Chain Management has the features and customization to develop an asset management system. Also, see “Asset management overview” for information on the module.

Incident Response

Microsoft Azure has several services that facilitate incident response, including Azure Sentinel, Defender for Cloud, Azure Logic Apps, Azure Monitor, and the Microsoft Graph Security API. There’s a really good blog post written by TJ Banasik titled “CMMC with Microsoft Azure: Incident Response Maturity” that outlines how these services work in unison to meet Cybersecurity Maturity Model Certification standards, specifically for incident response. Reference that article here.

Continuous Patch Management

Microsoft Intune is a cloud-native mobile device management platform and is part of the Microsoft Defender for Endpoint suite. Intune provides Windows and iOS device updates. Intune can also be integrated with System Center to provide a single pane of glass for software delivery and patch management across devices.

Privileged Access Management

While not all-encompassing (yet), Azure AD Privileged Identity Management provides just-in-time access at defined scopes to users accessing Microsoft cloud services. This allows for enhanced security controls and approval workflows, and reduces the risk of incidents because elevated permissions are only granted for approved time durations and only with the proper approvals.

Security and Privacy Awareness Training

Not assessed

Security Continuous Monitoring 24×7

From a technological standpoint, Microsoft provides all the services one would need to do 24×7 continuous security monitoring. Alerting and incident management playbooks can be used to further trigger response activities 24×7.

Cloud Security Monitoring

Cloud Security Monitoring is provided within most Microsoft 365 cloud security products. Various dashboards, alerts, and logs are available. Connect these services to Power BI for customizable dashboards and reporting.

Phase III

Data Loss Prevention

Microsoft 365 Data Loss Prevention provides capabilities for programmatically protecting against the leaking of sensitive data from cloud and on-premises sources. Examples of covered sources include:

  • Microsoft Cloud Services such as Exchange, Teams, SharePoint, and OneDrive for Business
  • Office applications such as Office, Excel, and PowerPoint
  • Windows 10, Windows 11, and macOS endpoints
  • Non-Microsoft cloud apps
  • On-premises file shares and on-premises SharePoint

Log Management

Azure Monitor is a comprehensive cloud-based solution for collecting, analyzing, and acting on telemetry from cloud and on-premises environments. This, in conjunction with the Microsoft Sentinel cloud-based SIEM, provides enterprise-worthy log management capabilities.

Network Threat Detection

Microsoft Sentinel includes many data connectors for third-party services and appliances. Among these, many network and firewall vendors have approved connectors for aggregating their logs. Once the logs are in Sentinel, you can conduct threat hunting and detection on them.
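To make the “threat hunting and detection” step concrete, here is an added example of a Sentinel hunting query; it is not from the article or from Microsoft, and it assumes the firewall logs arrive through a CEF/Syslog connector into the standard CommonSecurityLog table. It flags a single source address that is denied on many distinct destination ports within a short window, which is a common signature of port scanning. The 10-minute window and the 20-port threshold are assumptions to be tuned per environment, and the DeviceAction values checked depend on what your firewall vendor emits.

```kql
// Added example (not from the original article): hunt CommonSecurityLog for
// a source that is denied on many distinct ports in a 10-minute window.
// Assumes firewall logs are ingested via the CEF connector; threshold values
// are assumptions and should be tuned per environment.
CommonSecurityLog
| where TimeGenerated > ago(1h)
// Normalize vendor-specific deny verbs; extend this list for your appliances
| where DeviceAction in~ ("deny", "drop", "block", "reject")
| where isnotempty(SourceIP) and isnotempty(DestinationPort)
| summarize
    DistinctPorts = dcount(DestinationPort),
    DeniedEvents  = count(),
    FirstSeen     = min(TimeGenerated),
    LastSeen      = max(TimeGenerated),
    Targets       = make_set(DestinationIP, 10)
    by SourceIP, DeviceVendor, DeviceProduct, Window = bin(TimeGenerated, 10m)
// Assumed threshold: 20 or more distinct ports from one source in one window
| where DistinctPorts >= 20
| project Window, SourceIP, DeviceVendor, DeviceProduct, DistinctPorts, DeniedEvents, FirstSeen, LastSeen, Targets
| order by DistinctPorts desc
```

The same query body can be saved as a scheduled analytics rule so that matches raise incidents rather than only appearing in a hunting result; start with a generous threshold and tighten it once you have a baseline of legitimate scanners (vulnerability scanners, monitoring probes) to exclude.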

Threat Intelligence Platform

Microsoft Sentinel.

Application Security

Microsoft Defender for Cloud Apps enables real-time monitoring and control of granular actions with SaaS apps, such as blocking downloads, uploads, copy and paste, and printing.

Operational Technology Security

Not assessed

Phase IV

Disaster Recovery

Azure Site Recovery provides comprehensive DR-as-a-Service capabilities, allowing customers to orchestrate the replication and failover of virtual machines from on-premises to cloud, cloud-to-cloud, or cloud-to-on-premises. If you’re a VMware shop, Azure VMware Solution (AVS) allows you to extend your existing VMware infrastructure to Azure and utilize native failover capabilities.

Enterprise Sign-On

Azure Active Directory is Microsoft’s enterprise identity and access management platform. Azure AD supports single sign-on, advanced security controls, B2B and B2C federation, and extensibility through SAML, OAuth, and OpenID protocols. Azure AD also provides APIs for custom solutions and applications.

Mobile Device Management

Microsoft Intune is a cloud-native mobile device management platform and is part of the Microsoft Defender for Endpoint suite.

Application Development Security

Not assessed – There are many layers to development security, and organizations often vary in the tools and platforms they prefer. GitHub has advanced security features such as code scanning, vulnerability scanning, and secret scanning. Similar concepts can be applied to deployment pipelines using the likes of Jira, Azure DevOps, GitHub Actions, etc.

Application Whitelisting

Application whitelisting can be accomplished using a combination of Defender for Cloud Apps and Windows Intune.

Software Supply Chain Management

Not assessed

Phase V

Identity Lifecycle Management

Azure Active Directory Identity Governance allows organizations to leverage their existing investment in Azure AD and automate the various stages of a user’s identity lifecycle, from provisioning to group assignments and updates. Given the extensibility and integration capabilities Azure AD has with other platforms, this makes it a good solution for identity lifecycle management.

Insider Threat Detection

Microsoft Defender for Identity, formerly known as Azure Advanced Threat Protection, is a cloud-based security solution that leverages on-premises Active Directory to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions.

Network Access Control

Not assessed

Enterprise Encryption

Not assessed

Mobile Threat Defense

Microsoft Defender for Endpoint is a comprehensive security and device-protection suite provided under the Microsoft 365 cloud service with qualifying/eligible licensing. Defender for Endpoint is designed to provide protection and defense against risks and attacks targeted at mobile device endpoints.

Conclusion

As you can see, Microsoft 365 and Azure provide a wide array of cloud services that align with the technical capabilities outlined in the CAL-SECURE roadmap. Our hope in writing this article was to educate others about these services, some of which may have been unknown or foreign until now. All of these services have varying levels of complexity, licensing requirements, and deployment cost. For additional information on how Prodigy Consulting is helping Government organizations elevate their security capabilities using the Microsoft cloud, please reach out to Kyle Green at kgreen@consult-prodigy.com.