Microsoft is reportedly tightening the security of Azure with granular permissions. The company hopes to cut down the potential damage of a leaked PAT credential in its cloud platform.
Microsoft Is Reportedly Tightening the Security of Azure
All Azure DevOps REST APIs are now getting granular Personal Access Token (PAT) scopes. The main goal of the change, which was welcomed in the cybersecurity community, is to minimize the potential damage that a leaked PAT credential can cause.
Product manager Barry Wolfson, announcing the news in an Azure DevOps blog post, said that prior to the change there was a “significant security risk to organizations, given the potential to access source code, production infrastructure, and other valuable assets.”
Product Manager Barry Wolfson’s Take on the Development
“Previously, a number of Azure DevOps REST APIs were not associated with a PAT scope, which at times led customers to consume these APIs using full-scoped PATs.” The wide range of permissions associated with those full-scoped PATs was the main reason for concern.
While Wolfson did not mention any specifics, others have speculated that the change follows Praetorian researchers' use of REST API PATs to gain access to the corporate networks of other companies and institutions.
GitHub Is One of the Affected Companies
One of those was GitHub, a Microsoft-owned website, which was reportedly compromised thanks to a leaked PAT. The company is currently trialing fine-grained PATs in a public beta to remedy the issue.
Wolfson is urging DevOps teams to make the change sooner rather than later. “If you are currently using a full-scoped PAT to authenticate to one of the Azure DevOps REST APIs, consider migrating to a PAT with the specific scope accepted by the API to avoid unnecessary access”, he stated.
Supported Granular PAT Scopes for a Given REST API
The supported granular PAT scopes for a given REST API can easily be found in the Security Scopes section of the REST API documentation pages, he added.
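As an added illustration of the migration Wolfson recommends (not code from the article or from Microsoft), the following Python audit takes a constructed inventory of PATs, each with the scopes it was issued with and the minimal scope the API it calls accepts, and flags tokens that are full-scoped, carry more scope than needed, or lack the scope they need. The scope names follow the `vso.*` naming used by Azure DevOps, but the implication graph (write covers read, and so on) and the `app_token` name for a full-access token are simplified assumptions for this example; the authoritative scope for each API is the Security Scopes section of its documentation page, as the article notes.

```python
"""Least-privilege audit of an Azure DevOps PAT inventory (added example)."""
from dataclasses import dataclass

# Assumption: the scope name reported for a full-access ("full-scoped") PAT.
FULL_SCOPE = "app_token"

# Simplified, constructed implication graph: a scope grants everything listed
# for it (write implies read, execute implies read). Not the official list.
IMPLIES = {
    "vso.code_full": {"vso.code_manage", "vso.code_write", "vso.code"},
    "vso.code_manage": {"vso.code_write", "vso.code"},
    "vso.code_write": {"vso.code"},
    "vso.build_execute": {"vso.build"},
    "vso.release_execute": {"vso.release"},
}


def expand(scopes):
    """Return the closure of a scope set under the implication graph."""
    result = set()
    stack = list(scopes)
    while stack:
        scope = stack.pop()
        if scope in result:
            continue
        result.add(scope)
        stack.extend(IMPLIES.get(scope, ()))
    return result


@dataclass
class Pat:
    name: str          # label of the token in the inventory (constructed)
    scopes: set        # scopes the token was issued with
    required: set      # minimal scope(s) accepted by the API it calls


def audit(pats):
    """Return {token name: [findings]} for every token that needs attention."""
    report = {}
    for pat in pats:
        issues = []
        if FULL_SCOPE in pat.scopes:
            issues.append("full-scoped PAT; replace with a PAT scoped to: "
                          + ", ".join(sorted(pat.required)))
        else:
            granted = expand(pat.scopes)
            needed = expand(pat.required)
            excess = granted - needed          # privilege beyond what the API needs
            missing = pat.required - granted   # token would fail against the API
            if excess:
                issues.append("excess scope(s): " + ", ".join(sorted(excess)))
            if missing:
                issues.append("missing scope(s): " + ", ".join(sorted(missing)))
        if issues:
            report[pat.name] = issues
    return report


def sample_inventory():
    """Constructed sample inventory; names and scopes are illustrative."""
    return [
        Pat("legacy-full", {"app_token"}, {"vso.code"}),      # the case the article warns about
        Pat("repo-writer", {"vso.code_write"}, {"vso.code"}),  # read-only API, write token
        Pat("ci-build", {"vso.build"}, {"vso.build"}),         # already least-privilege
        Pat("wrong-scope", {"vso.build"}, {"vso.code"}),       # wrong family of scope
    ]


if __name__ == "__main__":
    for name, findings in audit(sample_inventory()).items():
        for finding in findings:
            print(f"{name}: {finding}")
```

Run as a script it prints one line per finding; tokens that already match the API's required scope (here `ci-build`) produce no output. The same `audit` function can be fed a real inventory exported from the organization's token management, with `required` filled in from each API's documented Security Scopes.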
The changes should additionally let customers control and restrict how full-scoped PATs are created, via a control plane policy.
“We look forward to continuing to ship improvements that will help customers secure their DevOps environments,” Wolfson concluded on the matter.