When it comes to cloud services like Microsoft Entra ID (formerly Azure Active Directory), many assume that Microsoft handles everything from security to data backup. In reality, organizations still have their own responsibilities. The Microsoft Shared Responsibility Model is a foundational framework that explains which roles fall on Microsoft and which belong to an organization.
In this blog, we’ll dive into everything you need to know about The Shared Responsibility Model, breaking down the division of roles between your organization and Microsoft for its key components. We’ll also cover key practices for navigating this model in your organization’s Microsoft Entra ID data protection strategy, and how Veeam can help bridge the gaps.
The Shared Responsibility Model

As the industry shifts toward adopting cloud-based Software-as-a-Service (SaaS) solutions, the concept of shared responsibility has become more important than ever. Knowing where Microsoft’s role ends and where yours begins is the foundation for protecting your Entra ID tenant. Let’s walk through that split of responsibility.
Primary Responsibility

Microsoft’s Responsibility
Microsoft’s primary role in the Entra ID environment is centered around maintaining the availability and operational integrity of the platform. This means making sure infrastructure remains globally operational, properly authenticating users, and enabling access across applications. As the cloud provider, Microsoft manages physical hosts, networks, and data centers on the back end.
Your Responsibility
In contrast, it is the primary responsibility of your organization to manage identity lifecycles, access policies, and governance. Even in a cloud-based platform, you remain accountable for the configuration and management of identities within your environment.
What about your data? One common misconception with SaaS applications is that “cloud-based” automatically means it’s completely safe and protected. But that’s not really the case. While Microsoft manages the platform that processes your data, the responsibility of data availability, integrity, and appropriate usage rests with your organization. Maintaining Entra ID data resiliency is crucial to fully support the proper management and configuration of identities and remain protected from data incidents.
Supporting Technology

Microsoft’s Responsibility
Microsoft has packed the Entra ID platform with features to ensure platform availability through redundancy and failover infrastructure. However, these platform-supporting technologies do not extend to protecting your Entra ID data. For instance, redundancy means user changes are replicated across every replica, so a mistake made on one copy is immediately applied to all of them.
Microsoft also invests heavily in the resiliency of the Entra ID platform by maintaining a robust backup authentication system to guarantee service continuity. These technologies work great to maintain the platform and keep things running smoothly. But when it comes to protecting your Entra ID tenant, it is key to implement safeguards that enable business continuity even when things go wrong.
Your Responsibility
While Microsoft provides a continuously available platform for Entra ID, your organization is steering the ship from there. Conditional Access Policies, role assignments, and other identity settings are only truly effective when they are tailored to your organization’s security requirements.
Even so, the most well-crafted configurations are still vulnerable if they can’t be recovered. A single accidental deletion or misconfiguration can be a huge disruption to business continuity.
“But what about the recycle bin? That can recover my Entra ID data.”
Here’s the catch: the native Entra ID recycle bin only allows for the recovery of soft-deleted items for 30 days. Though that might seem like enough time, Microsoft’s 2024 Defense Report states it can take 207 days on average to detect and resolve a data incident. With the native recycle bin’s limited retention period, it’s very likely that by the time you pinpoint a potential issue, the data is no longer recoverable. All critical data must then be manually reconfigured, causing significant setbacks. It’s a common (and risky) misconception that the recycle bin is a recovery plan rather than a basic safeguard. And when it comes to misconfigurations, there is no native point-in-time restore, meaning any detected misconfiguration must be manually reconfigured back to its proper state. Without an Entra ID backup, recovering from deletions and misconfigurations is often a time-consuming, error-prone process.

Just as Microsoft backs up their infrastructure to uphold their side of The Shared Responsibility Model, your organization should do the same. Microsoft promotes recoverability best practices which suggest that organizations are proactive in creating processes to restore their tenant to a functioning state. This optimal level of Entra ID data recoverability can only be achieved via a proper backup solution.
Security

Microsoft’s Responsibility
When it comes to security, Microsoft is responsible for protecting their data centers, networks, and the Entra ID platform. They leverage various protections to prevent attacks such as Distributed Denial of Service (DDoS) against their servers. Note that Microsoft does provide limited encryption of Entra ID data, but only while that data is at rest within Azure data centers.
Your Responsibility
In your organization, it is up to your IAM strategy to bridge security gaps and protect the identities of your users. That includes further encryption of data in transit and managing the at-rest encryption keys provided by Microsoft. Additionally, your organization is responsible for keeping your stored identities and associated identity settings secure. To reach the best level of Entra ID data protection, your organization should look towards a comprehensive backup solution to fill the security gap.
Regulatory

Microsoft’s Responsibility
Microsoft’s role in managing Entra ID compliance lies within regulatory maintenance of the platform. They ensure that the application remains compliant on the backend, but they do not hold any responsibility for keeping your organization’s data compliant.
Your Responsibility
In Entra ID, where Microsoft acts as the data processor, your organization is the data controller. You bear the responsibility for compliance with industry-specific regulations and internal policies that dictate how your identity data is collected, used, stored, and protected. You are also directly responsible for managing retention policies and exporting logs for auditing purposes. With an Entra ID backup, the ease of Entra ID log retrieval makes preparation for audits a streamlined process. This eliminates the need for a last-minute scramble to gather the necessary data before audit time comes.
Examples of Entra ID Shared Responsibility
Knowing your organization’s role as the owner of your Entra ID data is essential to prevent misunderstandings, close security gaps, and align both sides of The Shared Responsibility Model. While Microsoft provides useful tools within Entra ID, they do not function as full backup and recovery solutions. To better understand what this shared responsibility looks like in practice, we’ll explore some scenarios where vulnerabilities in your identity data protection strategy can arise. The following examples highlight gaps in Microsoft Entra ID native protection, and why extra steps for business continuity and compliance are must-haves.
Deletions: When Microsoft Entra ID objects are deleted, whether by accident or by a bad actor, the effects can halt certain business functions.
Imagine this: a Microsoft 365 group is accidentally deleted, and users within the group eventually lose access to shared mailboxes, Teams, and SharePoint sites. By the time IT admins have located the issue, the group object has passed the 30-day soft-deletion period, and it is now lost forever. Without a backup in place, it will be a lengthy process to restore the group and all other associated policies.
Even in the event of timely detection and restoration of the group, some associated dependencies such as role assignments are not retained in the recycle bin and become immediately irretrievable, requiring manual reconfiguration to bridge those gaps in functionality.
Misconfigurations: When making new configurations to your Entra ID environment, Microsoft states that it is your responsibility to monitor and record changes as they are made. Ideally, having these practices in place will mitigate the chance of configuration mishaps, but still: accidents or external threats can occur.
Imagine this: a cyberattack gives a bad actor access to your organization’s Entra ID environment. Once inside, they reconfigure your Conditional Access policies to block all users except themselves. Legitimate users and admins are locked out of your organization’s environment for an unknown amount of time. This is becoming a very real threat to organizations, as over 600 million identity-based attacks occur daily.
Since there are no native versioning or rollback capabilities for configurations, previous settings must be manually reconfigured or reassigned. This process can lead to varying downtimes depending on the scale of the incident. In an instance like the one above, it can cripple an organization for longer, as the time to regain access can vary. And if your organization doesn’t have a break-glass account, expect it to take days just to regain access to your Entra ID environment before reconfiguration is even possible. Want to learn more about why Microsoft Entra ID needs protection beyond the native tools? Explore 6 Reasons for Entra ID Backup.
Entra ID Shared Responsibility Best Practices
To navigate your share of Entra ID responsibilities, Microsoft outlines best practices for your Entra ID data strategy:
- Regularly create snapshots of your Entra ID environment: This is key to maintain documentation of your tenant’s “known good state” to revert to in case of a data disaster.
- Closely monitor changes and reconfigurations: Export and monitor audit logs to detect unauthorized and unintended changes. While monitoring is the first step, without an Entra ID backup it’s often impossible to roll back an unwanted change.
- Regularly test your restores: Microsoft recommends that you test your restoration processes to better understand your time to resolution and any possible challenges. This, of course, assumes that you’ve been storing your Entra ID data somewhere safe, like a third-party backup solution.
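The snapshot and change-monitoring practices above, and the Conditional Access lockout scenario from the Misconfigurations section, as an added example that is not code from this post, from Veeam or from Microsoft: a constructed “known good” snapshot of Conditional Access policies is compared with a constructed current export, reporting removed, added and changed policies and flagging any enabled policy that blocks all users on interactive clients. The field names follow Microsoft Graph conditionalAccessPolicy objects; the ids and values are invented, and in practice both inputs would be JSON exported from your tenant.

```python
import copy

# Constructed "known good" snapshot (assumption: it follows the field names of
# Microsoft Graph conditionalAccessPolicy objects; the ids and values are invented).
KNOWN_GOOD = [
    {"id": "pol-1", "displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["breakglass-id"]},
                    "clientAppTypes": ["all"]},
     "grantControls": {"builtInControls": ["mfa"]}},
    {"id": "pol-2", "displayName": "Block legacy authentication", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"builtInControls": ["block"]}},
]
# Constructed current export: the post's lockout scenario, pol-1 turned into a block
# for everyone except one account, and pol-2 deleted outright.
CURRENT = copy.deepcopy(KNOWN_GOOD)
CURRENT[0]["grantControls"]["builtInControls"] = ["block"]
CURRENT[0]["conditions"]["users"]["excludeUsers"] = ["attacker-id"]
del CURRENT[1]

def changed_paths(a, b, prefix=""):
    """Dotted paths where two policy objects differ (lists are compared whole)."""
    if isinstance(a, dict) and isinstance(b, dict):
        paths = []
        for key in sorted(set(a) | set(b)):
            paths += changed_paths(a.get(key), b.get(key), f"{prefix}{key}.")
        return paths
    return [] if a == b else [prefix.rstrip(".")]

def diff_policies(baseline, current):
    """Findings as (kind, id, displayName, changed_paths): removed, added, changed."""
    base = {p["id"]: p for p in baseline}
    cur = {p["id"]: p for p in current}
    findings = [("removed", i, base[i]["displayName"], []) for i in sorted(base.keys() - cur.keys())]
    findings += [("added", i, cur[i]["displayName"], []) for i in sorted(cur.keys() - base.keys())]
    for i in sorted(base.keys() & cur.keys()):
        paths = changed_paths(base[i], cur[i])
        if paths:
            findings.append(("changed", i, cur[i]["displayName"], paths))
    return findings

def lockout_risk(policy):
    """Enabled policy blocking all users on interactive clients (the post's lockout pattern)."""
    cond = policy.get("conditions", {})
    apps = cond.get("clientAppTypes", ["all"])  # assumption: absent means all client types
    return (policy.get("state") == "enabled"
            and "All" in cond.get("users", {}).get("includeUsers", [])
            and "block" in (policy.get("grantControls") or {}).get("builtInControls", [])
            and any(a in ("all", "browser") for a in apps))
```

Excluded accounts still sign in under a blocking policy, so a flagged policy's excludeUsers should also be compared against your documented break-glass accounts.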

How Veeam Keeps Your Organization Responsible
We’ve covered how The Shared Responsibility Model works for Microsoft Entra ID, and why relying solely on native tools can leave critical gaps in your identity and access management strategy.
That’s where Veeam Data Cloud for Microsoft Entra ID comes in. Veeam’s cloud-based Entra ID backup solution delivers purpose-built backup and recovery capabilities to simplify protection for your Entra ID data. When faced with data incidents or tricky compliance, Veeam can help your organization maintain business continuity with ease. You can also protect your Microsoft 365 data with Veeam using the same solution.
Who’s Responsible for What?
- Microsoft: ensures availability of the platform, secures backend infrastructure, and provides some built-in security and recovery features.
- Your organization: configures access policies, manages identities, monitors for possible threats, and protects against unwanted changes.
- Veeam Data Cloud for Microsoft Entra ID: empowers your identity data strategy by providing a comprehensive backup, granular recovery of objects, and long-term retention for configurations and objects.
Veeam Data Cloud for Microsoft Entra ID was built on a proven partnership. Veeam and Microsoft have worked together for years to bring data resilience to Microsoft environments, and that partnership has recently expanded.
Entra ID protection is just the beginning. Veeam Data Cloud offers comprehensive protection for your entire business, offering protection for other critical workloads such as Microsoft 365 and Salesforce to unlock a unified approach to your data resilience strategy.
To learn more about what Veeam Data Cloud for Entra ID offers, click here.
If you liked this blog, read the Microsoft 365 Shared Responsibility Model blog.
The post The Entra ID Shared Responsibility Model appeared first on Veeam Software Official Blog.