Thread incoming:
I just sat on a roundtable with @IASME1 (and @NCSC) on upcoming '23 changes to #CyberEssentials.
I have lost *all* confidence that they know what they're doing, what requirements they're setting, or the impact on implementing associated technologies.
1/9
I just sat on a roundtable with @IASME1 (and @NCSC) on upcoming '23 changes to #CyberEssentials.
I have lost *all* confidence that they know what they're doing, what requirements they're setting, or the impact on implementing associated technologies.
1/9
Example: One of #Windows365's key use cases is the quick onboarding of staff and enabling a secure, managed desktop before a user gets, or possibly instead of a corporate device. Access can be secured via CA & MFA enforced. This could mean accessing via a "BYOD" device.
2/9
2/9
As far as they're concerned, W365 is a Cloud Service, so in scope (fine), but access to this from BYOD would _also_ be in scope (not fine).
This means that either: You can *only* access W365 from an existing corp device, OR you're forced to manage someone's PERSONAL PC!
3/9
This means that either: You can *only* access W365 from an existing corp device, OR you're forced to manage someone's PERSONAL PC!
3/9
That means you're now responsible for their software being up to date, their OS being patched, their access being secured, firewall enabled, AV/EDR installed and up to date, passwords meeting policy... Better hope they're not also a local admin.
That is _UTTERLY UNWORKABLE_
4/9
That is _UTTERLY UNWORKABLE_
4/9
I was able to verbally ask them the above scenario on the call and they confirmed it. I had to check with someone else who was on the call that I'd heard them right as I was in shock.
They also turned off my mic so I couldn't interject or counter their response.
5/9
They also turned off my mic so I couldn't interject or counter their response.
5/9
Someone also highlighted this scenario:
Are you a primary school who's Gov funding relies on passing CE, but you fail "compliance" because your student account don't have MFA?
Little Timmy in Year 3 better get a Yubikey or a phone for the MS Authenticator.
6/9
Are you a primary school who's Gov funding relies on passing CE, but you fail "compliance" because your student account don't have MFA?
Little Timmy in Year 3 better get a Yubikey or a phone for the MS Authenticator.
6/9
But don't worry, there's STILL no requirement for device encryption anywhere, despite @NCSC doing so in their guidance!
If the requirements set don't make sense, they can't possibly be expected to be adhered to, and the fault here lies with @IASME1
7/9
If the requirements set don't make sense, they can't possibly be expected to be adhered to, and the fault here lies with @IASME1
7/9
Sweeping statement time:
I've seen & heard many ITSec people who love buzzwords but know _nothing_ about the technical controls or implications of things they're demanding, and I that's exactly what's happening here.
A complete disconnect from the actual technology.
8/9
I've seen & heard many ITSec people who love buzzwords but know _nothing_ about the technical controls or implications of things they're demanding, and I that's exactly what's happening here.
A complete disconnect from the actual technology.
8/9
Would love input from any UK-based #Security or #InfoSec people across #Microsoft #Microsoft365, #MDE #AzureAD & #Intune, and if the @M365SandCUG want a ranty speaker for their next event my DM's are open :D
9/9
9/9
• • •
Missing some Tweet in this thread? You can try to
force a refresh
