anDREa Security Manifesto

First version: 2021-04-15
Last updated: 2024-01-24
Last change: Replacing 'Azure DRE' with 'myDRE' ; replaced 'Owner' with 'Accountable or Privileged Member'

Introduction

anDREa is committed to protecting the security of its business information in the face of incidents and unwanted events.

The purpose of this document is to describe what anDREa holds to be at the core of the design and implementation of myDRE.

This document will be updated at least annually and when a significant change happens to the relevant areas covered.

Manifesto

In providing a solution for organizations employing people needing to receive, process, analyze and transfer data in a secure and controlled manner, we have come to value:

Being in control over eliminating risks

Empowering responsibility over organizational procedures

Making the easiest the correct way over eliminating all possible wrong ways 

Containment and isolation over low-cost solutions

Stimulating good behaviour over preventing wrong behaviour 


That is, while there is value in the items on the right, we value the items on the left more.


Further, while we are diligent in protecting against unauthorized processes or people and we do monitor for strange behaviour, we do not provide protection against authorized people with malicious intent. 


‘Most secure’ but always in control

It is never possible to ‘accidentally’ make a workspace less secure, e.g. by opening up a port. Not only does this require a deliberate action; the action is also preceded by verification that the person is authorized to take it, a stated argument for why it is needed, and an explicit pointer to the risks and responsibilities that come with it.

Most secure vs Less secure 

We believe it is correct to call a workspace less secure only if an alternative that still does what is needed is more secure. If every alternative that does what is needed is equally or less secure, we believe it is correct to call the workspace the most secure.

The difference is not merely semantic. If something goes wrong and there is evidence that the highest possible standards were applied, it will be treated differently from a case where the conclusion is that more could have been done.


Being in control over eliminating risks

Known risks can be managed, unknown risks not.

It is relatively easy to ensure that people working on the platform cannot do anything wrong. However, this means that only very few people can do their work properly. The majority then need to find an ‘alternative’. Apart from the alternatives we know to be much less secure, those alternatives are most of the time not visible to the organization at all.

It is our belief that both the users and the organization are best served by each being in control from their own perspective.


Empowering responsibility over organizational procedures

Even the notion of scarcity triggers more demand than is actually needed. Opening ports does impact the security and auditability of a workspace. Turning off auto-shutdown can result in higher costs, and so does allocating too much compute and storage. Turning off auto-update/patching of Windows VMs impacts security.

It is our belief that people who are already entrusted with great responsibility, and who can access the things they need on demand, are less likely to keep using them any longer than strictly needed. The opposite holds the more dependent on others they feel.


Making the easiest the correct way over eliminating all possible wrong ways 

Less is more.

Efficiency is a key driver in the behaviour of people, especially the target group for myDRE. Other key characteristics of the target group are well above average intelligence and a dedication to proving something that nobody before them, or alive today, has found or thought of.

It is our belief that by eliminating the need for workarounds, and by offering easy-to-use, foolproof functionality with smart workflows, we serve the interests of both the users and the organizations. The smart workflows help users take responsibility and provide demonstrable proof of correct behaviour.

In the growing population of users there are some who not only have the skills to find ‘alternative’ ways, but are more than willing, or even eager, to use them on myDRE. We believe that enlisting them in a White Hat Hacker Program is to the benefit of all.

Equally, as the number of users grows, so does the number of people with potentially malicious intent. Of course, starting from the design, we eliminate as many ‘alternative’ ways as is economically sound. But that is also why we believe that the honeytraps and smart monitoring we will be creating will be more effective than trying to eliminate all possible wrong ways.


Containment and isolation over low-cost solutions

Any euro not spent on the actual work is potentially one euro too many. Unlikely events are not unlikely to happen.

It is our belief that from an individual user’s point of view the probability of something going wrong, be it a data leak or a corrupted or lost machine, is virtually zero. For a reasonably sized organization, that same probability translates into several incidents a year, with damage and recovery costs ranging from several hundred to millions of euros. Reputation damage can have an even deeper and longer-lasting impact. Prevention and demonstrable evidence of non-negligence are therefore built in from design to implementation.

However, with an ever-growing user base the likelihood of an unlikely event increases. That is why we believe that the best protection is through containment and isolation; from design to implementation.


Stimulating good behaviour over preventing wrong behaviour 

Bad news travels faster than good news. Tell me how you measure me, and I’ll tell you how I behave.

It is our belief that a small portion of the user group will always do the right thing no matter what. Equally, there is a small portion of users who will be at least very tempted to do the wrong thing for various reasons. The majority of users sit widely spread in the middle. We therefore make sure that what is needed is easily available (the carrot), and that the behaviour of users, correct behaviour especially, is logged (a carrot, because users can demonstrate correct behaviour; and a stick, because a lack of proof or logged ‘strange’ user actions counts against them). Together with users knowing that a platform-wide ban can be invoked (the stick), very few people will attempt to do the wrong thing on myDRE.

Threat Analysis, Prevention and Mitigation

Each risk below is listed with the measure that reduces it.

Risk: Unauthorized access to compute/storage resources
Risk-reducing measure: Access to a workspace requires a valid, MFA-protected user account and an invite from an Accountable or Privileged Member of that workspace.

Risk: Changing compute/storage resources
Risk-reducing measure: Only users authorized for the workspace (core support team, Accountable or Privileged Members).

Risk: Uploading data (incl. software)
Risk-reducing measure: Only a user authorized for the workspace can upload.

Risk: Viruses, trojans, crypto, etc.
Risk-reducing measure: Virus scanner; daily (24-hour) snapshots retained on a 30-day rolling basis.

Risk: Phishing, obtaining username/password
Risk-reducing measure: Multi-factor authentication is always required.

Risk: Unintentional extraction of data from a workspace
Risk-reducing measure: Every extraction goes through an explicit request-approval workflow, and only an Accountable or Privileged Member of the workspace can (self-)approve.

Risk: Unauthorized data stream access
Risk-reducing measure: Data in transit is encrypted.

Risk: Unauthorized physical access
Risk-reducing measure: Data at rest is encrypted.

Risk: A person has access to the workspace but is no longer part of the study
Risk-reducing measure: An Accountable or Privileged Member can self-service remove people from their workspace at any time.

Risk: VM has auto-shutdown turned off
Risk-reducing measure: Auto-shutdown can only be turned off on a running VM; VMs that are starting up or deallocated always have auto-shutdown switched on. Only available to Privileged and Accountable Members.

Risk: VM has port(s) open
Risk-reducing measure: Outbound only; can only be turned on by Accountable and Privileged Members, and only in effect while the VM is running.

Risk: RDP brute-force attacks
Risk-reducing measure: VM access requires IP-address whitelisting; on-prem this is the default, off-prem it can only be set up after MFA; monitoring.

Risk: Using ‘skeleton’ keys on Azure
Risk-reducing measure: Always MFA (except for the emergency-only break-the-glass account), ADDS.

Risk: An authorized person is identified as a risk by an organization
Risk-reducing measure: The CISO of a tenant can request that a user on the myDRE Shared Tenant be blocked immediately; logging of activities.

Risk: Denial of Service (DoS) attacks
Risk-reducing measure: 24/7/365 active monitoring.

Risk: Malicious insider or compromised personal account
Risk-reducing measure: People working for or with anDREa are only given access to the resources they need to perform their duties; MFA; logging of activities.

Risk: Exploits in underlying software
Risk-reducing measure: Applying updates/patches where necessary.
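The ‘deliberate action’ rule under ‘Most secure but always in control’ and the rows above on auto-shutdown and open ports together describe one small state machine. The Python model below is an illustration added to this page; it is not anDREa’s or myDRE’s code. The role names ‘Accountable Member’ and ‘Privileged Member’ follow the document; the plain ‘Member’ role, the VM state names, the class and function names and the constructed session in demo() are assumptions made for the illustration. It encodes the rules as stated: only an Accountable or Privileged Member can take an action that makes the workspace less secure, every such action needs a justification and is logged whether it is allowed or denied, auto-shutdown is switched back on at every start and deallocation, and outbound port rules (the only kind that exists) are only in effect while the VM is running.

```python
# Added illustration for this page, not anDREa's or myDRE's code. Role names follow
# the document; the plain "Member" role, state names and function names are assumed.
from dataclasses import dataclass, field
from enum import Enum


class Role(Enum):
    MEMBER = "Member"                  # assumed: an ordinary, non-elevated user
    PRIVILEGED = "Privileged Member"
    ACCOUNTABLE = "Accountable Member"


# The only roles the page allows to take an action that makes a workspace less secure.
ELEVATED = {Role.PRIVILEGED, Role.ACCOUNTABLE}


class VmState(Enum):
    DEALLOCATED = "deallocated"
    STARTING = "starting"
    RUNNING = "running"


class NotAuthorized(PermissionError):
    """Actor lacks the role required for the deliberate action."""


class NotAllowed(ValueError):
    """Refused regardless of role: no justification, wrong VM state, inbound port."""


@dataclass
class WorkspaceVm:
    state: VmState = VmState.DEALLOCATED
    auto_shutdown: bool = True                         # secure default
    outbound_ports: list = field(default_factory=list)
    audit: list = field(default_factory=list)          # (actor, role, action, justification, outcome)

    def _attempt(self, actor, role, action, justification, blocked_by=None):
        """Single gate for every action that weakens the workspace: elevated role,
        non-empty justification, then any state precondition the caller passes in.
        Every attempt is logged, allowed or denied, before anything changes."""
        error = None
        if role not in ELEVATED:
            error = NotAuthorized("only Accountable or Privileged Members may do this")
        elif not (justification and justification.strip()):
            error = NotAllowed("a justification is required")
        elif blocked_by:
            error = NotAllowed(blocked_by)
        outcome = "allowed" if error is None else f"denied: {error}"
        self.audit.append((actor, role.value, action, justification, outcome))
        if error is not None:
            raise error

    def disable_auto_shutdown(self, actor, role, justification):
        self._attempt(actor, role, "disable auto-shutdown", justification,
                      blocked_by=None if self.state is VmState.RUNNING
                      else "auto-shutdown can only be turned off on a running VM")
        self.auto_shutdown = False

    def open_port(self, actor, role, port, direction, justification):
        self._attempt(actor, role, f"open {direction} port {port}", justification,
                      blocked_by=None if direction == "outbound"
                      else "only outbound port rules exist; inbound ports cannot be opened")
        if port not in self.outbound_ports:
            self.outbound_ports.append(port)

    def effective_outbound_ports(self):
        """Port rules persist in configuration but only take effect while running."""
        return list(self.outbound_ports) if self.state is VmState.RUNNING else []

    def start(self):
        # Starting, like deallocating, always switches auto-shutdown back on;
        # turning it off again is a fresh deliberate action on the running VM.
        self.state = VmState.STARTING
        self.auto_shutdown = True
        self.state = VmState.RUNNING

    def deallocate(self):
        self.state = VmState.DEALLOCATED
        self.auto_shutdown = True


def demo():
    """Constructed session exercising each rule; returns the VM for inspection."""
    vm = WorkspaceVm()
    for step in (
        lambda: vm.open_port("alice", Role.MEMBER, 443, "outbound", "pip install"),  # denied: role
        lambda: vm.disable_auto_shutdown("bob", Role.ACCOUNTABLE, "overnight run"),  # denied: not running
        vm.start,
        lambda: vm.disable_auto_shutdown("bob", Role.ACCOUNTABLE, "overnight run"),  # allowed
        lambda: vm.open_port("carol", Role.PRIVILEGED, 3389, "inbound", "RDP"),      # denied: inbound
        lambda: vm.open_port("carol", Role.PRIVILEGED, 443, "outbound", "packages"), # allowed
        vm.deallocate,                                                               # auto-shutdown back on
    ):
        try:
            step()
        except (NotAuthorized, NotAllowed):
            pass  # the denial is already recorded in vm.audit
    return vm
```

Calling demo() and printing the returned audit list shows five entries, two allowed and three denied, and a VM that ends deallocated with auto-shutdown on and port 443 configured but not in effect. The point of the model is that there is no code path by which a workspace becomes less secure without an elevated role, a reason and a log entry, and that a less-secure setting does not survive a lifecycle transition.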


