Thread incoming:
I just sat on a roundtable with @IASME1 (and @NCSC) on upcoming '23 changes to #CyberEssentials.
I have lost *all* confidence that they know what they're doing, what requirements they're setting, or the impact on implementing associated technologies.
1/9
Example: One of #Windows365's key use cases is the quick onboarding of staff and enabling a secure, managed desktop before a user gets, or possibly instead of a corporate device. Access can be secured via CA & MFA enforced. This could mean accessing via a "BYOD" device.
2/9
As far as they're concerned, W365 is a Cloud Service, so in scope (fine), but access to this from BYOD would _also_ be in scope (not fine).
This means that either: You can *only* access W365 from an existing corp device, OR you're forced to manage someone's PERSONAL PC!
3/9
That means you're now responsible for their software being up to date, their OS being patched, their access being secured, firewall enabled, AV/EDR installed and up to date, passwords meeting policy... Better hope they're not also a local admin.

That is _UTTERLY UNWORKABLE_
4/9
I was able to verbally ask them the above scenario on the call and they confirmed it. I had to check with someone else who was on the call that I'd heard them right as I was in shock.
They also turned off my mic so I couldn't interject or counter their response.
5/9
Someone also highlighted this scenario:
Are you a primary school whose Gov funding relies on passing CE, but you fail "compliance" because your student accounts don't have MFA?
Little Timmy in Year 3 better get a Yubikey or a phone for the MS Authenticator.
6/9
But don't worry, there's STILL no requirement for device encryption anywhere, despite @NCSC doing so in their guidance!

If the requirements set don't make sense, they can't possibly be expected to be adhered to, and the fault here lies with @IASME1.
7/9
Sweeping statement time:
I've seen & heard many ITSec people who love buzzwords but know _nothing_ about the technical controls or implications of things they're demanding, and that's exactly what's happening here.
A complete disconnect from the actual technology.
8/9
Would love input from any UK-based #Security or #InfoSec people across #Microsoft #Microsoft365, #MDE #AzureAD & #Intune, and if the @M365SandCUG want a ranty speaker for their next event my DMs are open :D
9/9
