In this episode of Petri Dish, I speak to Jay Gundotra (CEO and Technical Founder of ENow Software) and Sander Berkouwer (Security Specialist and 15x Microsoft Most Valuable Professional) about why it is critical to establish an application governance policy for Microsoft Entra ID (formerly Azure Active Directory).
Links and resources
🔗 Check out ENow’s App Gov Score for free.
📖 Read Sander’s article on Petri.com for more on Microsoft Entra ID app registration and enterprise app security.
🚀 And here is Sander’s article on how to properly secure and govern Microsoft Entra ID apps.
– Hello and welcome to Petri Dish. Today we’re joined by two esteemed guests, Jay Gundotra, who’s CEO and technical founder of ENow Software, a long-time Microsoft partner, and Sander Berkouwer, who’s a 15-time MVP specializing in security. Welcome to you both.
– Thank you.
– Thank you, Russell.
– Before we get started, Jay, could you tell us a little bit about ENow?
– Absolutely. ENow’s been in the monitoring and analytics space for over 19 years. Can’t believe it’s been 19 years. I’m not that old, but it’s been 19 years. So our solutions focus on providing visibility into Entra ID, Microsoft 365 and Active Directory. I spent years as a consultant in the unified collaboration space, also working with Active Directory. I also worked inside IT organizations. And during that time, I really came to understand firsthand how much pressure and stress comes along with supporting those technologies. So I decided to start a company that would make software to simplify those jobs.
– Great, thank you very much. Okay, so why is it an important thing for an organization to create an application governance policy?
– Well, imagine not doing it. And that really scares me because there’s a lot of organizations that are not working on an application governance policy. And what you’ll see is that the default settings in Entra ID are clearly geared towards adoption and user friendliness. But now what we’re seeing within organizations is that user friendliness in this case is opposite to organization security. And what we need to do is minimize this potential attack surface. And well, if you don’t, then I think the least of your problems would be CEO fraud because that’s just money. Because basically a malicious actor could take over the entire organization and that’s just game over.
– Jay, what have you been hearing from your clients?
– You know, I think most of our clients have some type of policy in place because like Sander mentioned, they wanna turn the faucet off. But a lot of it is manual. Even the organizations that have multi-steps where say you’re a business owner and you wanna get an application, it goes to a security review that may have to go over the procurement, may have to go to vendor review. But very manual, very time consuming. And a lot of organizations still have user consent turned on and they’re not aware of all those applications. So a lot of visibility, a lot of confusion, and a lot of people understanding the need but struggling to actually get one that’s done and one that’s automated.
– Yes, agree, yeah. In many organizations, what you’ll see is that the faucet is actually located in a windowless room without the light on. They don’t even know the faucet is there. Because where does this water come from? But yeah, and that’s the problem of education, basically.
– So let’s say an organization doesn’t have an application governance policy. How would they go about creating one?
– Yeah, so the first thing you do is turn on the light, of course. So we need to read up on what the problem is and then we know how to solve it. Then what of course we need to do, we need to discover the organization’s risk appetite and red tape resilience because some of the settings that you wanna do are really hard on admins as well if you really want control. If you really want that nitty gritty control, that means work. And if you don’t wanna do the work, then don’t use those settings, of course. Then when you have the appetite and resilience for your organization, you can then outline the strategy and that includes creating the personas, that includes Conditional Access, scaffolding, and all that stuff. And then, because the light is on and because your entire organization structure has approved of your policy, then you can look at the tenant settings. And after you looked at the tenant settings, then you can remediate all the problems that are in your tenant in terms of applications after that.
– How does ENow help with this problem?
– So as we mentioned in the previous videos, do you mind if I share my screen real quick, Russell?
– Yeah, sure, sure.
– So we created a free application governance assessment report that gives you an ENow AppGov score. So if you just wanna understand where you stand, go to appgovscore.com, you get this great report.
Beyond the report, we have a full paid version called the ENow App Governance Accelerator. So what you get with the full version is you get a working dashboard. So you have your score, and then you have some information about your tenant. And then as you make changes to your tenant, the score changes, and then we tell you what you did that changed the score. So the score is backed by security MVPs.
It compares what Microsoft’s recommended practices are, compares them to what’s happening inside your tenant. So for example, if you wanted to know what applications were considered high risk, I can come into this screen, maybe I wanna know what’s using Windows Azure Active Directory.
So I can type that in right here. I now can see the filter, I can see what permissions are being used, or maybe it’s Microsoft Graph. So I can type in Microsoft Graph. There you go. I can see what applications are using Graph. With one click, I can get to the Entra ID portal, and I can go to work. So the idea behind this dashboard is to quickly understand and give you visibility in your applications.
Another thing that Sander talked about in the previous videos is understanding what client secrets, what certificates are gonna expire. So we have different reports that tackle that use case. There’s other reports that get into what versions of the Microsoft Authentication Library your developers are using, or maybe you wanna see what your global tenant settings are.
– Yeah, let’s look at the global tenant settings, Jay, because this is turning off the faucet. And here you can clearly see it because group owner consent is disabled. Guest user access restrictions are enabled. You have some permission classifications because user consent for apps is disabled, people cannot add gallery apps to My Apps. Yeah, this is perfect. Whose tenant is this, Jay? Is this yours?
– It’s one of our test tenants.
– Oh, someone did a good job.
– Yeah, and so the idea behind this is step one is get the visibility. So you have the cards that you can go in and look at things. Alerting is gonna be added to the product here in a week or two, auditing, and then you’re gonna be able to put your policies in here and have workflows that route you to the various departments. So you’re gonna have full one-stop shopping to be able to implement an application governance policy. But step one is obviously you need to understand what’s happening and understand the concepts. Step two is looking in your tenant for what types of apps do you have. We also have the ability to show you what’s being used.
So you can take an app, for example, like the one I showed you previously, and you can see the sign-in activity, whether it’s interactive, not interactive, it’s a service principal. So you can imagine a world where you can identify high-risk apps that aren’t being used. Well, why not go clean them up? And in the future, the application’s actually gonna take care of that. So we believe that this is really going to accelerate tackling this problem. And then as Sander likes to say, cutting the faucet off, cleaning things up, and now having a controlled faucet where water’s not splashing all over the floor.
– Okay, thanks Jay. So where can people get hold of the freemium version of the product?
– You can go to www.appgovscore.com and it has all the information you need right there on the site.
– Great. Okay, so there are two other videos in this series, so I’m gonna put links to them on the screen now. I’m also gonna put a link to the freemium version of the product in the description for this video below. But that’s it from us today. Thank you Jay and Sander for joining us. And we’ll see you all next time.