
Refine conditional access policy evaluation #754

Status: Open · 4 tasks

schrolla opened this issue Dec 18, 2023 · 1 comment
Labels: enhancement (This issue or pull request will add new or improve existing functionality), epic (A high-level objective issue encompassing multiple issues instead of a specific unit of work)

Comments

schrolla (Collaborator) commented Dec 18, 2023

Description

This epic is a larger feature to continue evolving the ScubaGear AAD conditional access policy evaluation logic. The work is to improve the AAD secure configuration baselines by enhancing evaluation and assessment of conditional access policy (CAP) settings.

Initiative / Goal

The goal is to improve ScubaGear assessment checks of AAD policies that require a CAP to apply broadly to the tenant's users or applications. At this time, due to the large number of conditions available in CAPs, the tool may provide a false negative (pass) when one or more CAPs meet a baseline policy broadly but has additional conditions that limit its application more narrowly than the policy indicates.

Relevant Issues

Hypothesis

By improving the evaluation of Azure AD CAPs, ScubaGear can better highlight tenant configurations that do not match the recommended security settings for strong access control. This hypothesis can be tested by collecting feedback from agencies and running the tool internally against tenants in which CAPs meet the edge cases where a variety of conditions are set to limit the application of a policy to the tenant's users and applications.

Acceptance criteria

Criteria that are considered must have for feature launch and in-scope for this epic include:

  • Additional conditions for ScubaGear evaluation have been identified
  • New unit and functional tests have been added that exercise the new conditions
  • New evaluation logic has been successfully added to the ScubaGear Azure AD provider and Rego module
  • All new unit and functional tests successfully pass using the new logic

Stakeholders / Resources

Include CISA decision makers and dev team members in discussions about this epic. Resources needed for this epic include access to test tenants and possibly ability to temporarily modify privileged roles for testing purposes.

Timeline

The current projected timeline for delivery of this epic feature is with the associated release milestone.

Associated Tasks

schrolla added the epic and enhancement labels on Dec 18, 2023
schrolla changed the title from "Refining conditional access policy evaluation" to "Refine conditional access policy evaluation" on Dec 18, 2023
schrolla added this to the Jellyfish milestone on Jun 26, 2024
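The false negative the initiative describes (a CAP that targets All users and requires the baseline's grant control, but is narrowed by another condition such as device platform) modelled as an added Python example; this is not ScubaGear's own PowerShell provider or Rego code, and the condition names and the constructed sample policies are assumptions following the shape of the Microsoft Graph conditionalAccessPolicy resource.

```python
# Added example, not ScubaGear's own code: a Python model of the false negative this
# epic describes. A naive check that looks only at the user scope and grant controls
# passes a CAP that is narrowed by other conditions. Policy shapes follow the Microsoft
# Graph conditionalAccessPolicy resource; the sample policies below are constructed.

# Conditions that limit where a policy applies, with the value meaning "unrestricted".
NARROWING = {"platforms": None, "locations": None, "devices": None,
             "clientAppTypes": ["all"], "signInRiskLevels": [], "userRiskLevels": []}

def requires_control(policy, control):
    """True if the policy is enabled and its grant controls include `control`."""
    grant = policy.get("grantControls") or {}
    return policy.get("state") == "enabled" and control in (grant.get("builtInControls") or [])

def targets_all_users(policy):
    """True if the policy includes All users and excludes no users, groups or roles."""
    users = policy["conditions"].get("users", {})
    excluded = any(users.get(k) for k in ("excludeUsers", "excludeGroups", "excludeRoles"))
    return "All" in users.get("includeUsers", []) and not excluded

def narrowing_conditions(policy):
    """Names of conditions set to something other than their unrestricted value."""
    cond = policy["conditions"]
    def is_open(v, default):  # Graph may return an object whose fields are all null
        return v == default or (isinstance(v, dict) and not any(v.values()))
    return [k for k, d in NARROWING.items() if not is_open(cond.get(k, d), d)]

def naive_pass(policies, control):
    """The check the issue says yields false negatives: ignores the other conditions."""
    return any(requires_control(p, control) and targets_all_users(p) for p in policies)

def refined_pass(policies, control):
    """Only an enabled, tenant-wide policy with no narrowing conditions satisfies it."""
    return any(requires_control(p, control) and targets_all_users(p)
               and not narrowing_conditions(p) for p in policies)

def sample_policy(name, **extra_conditions):
    """Constructed CAP requiring MFA for All users, plus any extra conditions."""
    conditions = {"users": {"includeUsers": ["All"]},
                  "applications": {"includeApplications": ["All"]},
                  "clientAppTypes": ["all"], **extra_conditions}
    return {"displayName": name, "state": "enabled", "conditions": conditions,
            "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}}

IOS_ONLY_MFA = sample_policy("Require MFA (iOS only)", platforms={"includePlatforms": ["iOS"]})
TENANT_WIDE_MFA = sample_policy("Require MFA for all users")
```

With only `IOS_ONLY_MFA` in the tenant, `naive_pass` reports a pass while `refined_pass` fails and `narrowing_conditions` names the platform restriction that caused it.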
tkol2022 (Collaborator) commented
I added issues that I felt were related to this epic in the description above. Please review. We should probably set a priority order to work the respective issues.
