Cut Off Lateral Movement Paths

Managed Red Tenant

Administrative users and their devices are prime targets for attackers. Cybercriminals exploit lateral movement to identify vulnerabilities in your infrastructure and compromise administrative endpoints. With Managed Red Tenant, you establish a robust and scalable environment that provides optimal protection for your privileged identities and access.


Protection Against Lateral Movement and Privilege Escalation

Ransomware attackers target highly privileged users and endpoints to cause maximum damage and demand ransom. Exploiting vulnerabilities within the infrastructure, they infiltrate administrative endpoints and move laterally through the organization. In many companies, users with extensive privileges work on unsecured devices, leaving the door wide open for attackers. By utilizing separate administrative devices and a dedicated admin infrastructure ("Red Tenant"), the risk of ransomware attacks can be significantly reduced.

Jan Geisbauer and Thomas Naunheim discussing Managed Red Tenant cybersecurity strategy

Maximum Protection for Administrative Access

The Managed Red Tenant combines our extensive experience in managed services with proven blueprints in the areas of workplace, Azure, and security.

The result: An isolated, fully cloud-based environment that effectively protects administrative users and endpoints – even in target environments with multiple Microsoft Entra tenants and Active Directory domains.

Our solution relies on native, cloud-based identity and security features from Microsoft and strictly adheres to Zero Trust principles.


Managed PAW for critical roles and a scalable cloud solution for all admins

Securing administrative clients is essential for an effective security strategy when it comes to privileged access. Regular devices should not be used for this purpose. We enforce strict policies to ensure the security and compliance of these endpoints. Based on the Microsoft Enterprise Access Model (EAM), we separate and evaluate privileged permissions according to defined administrative levels – forming the foundation for the use of an admin workstation.

  • For highly critical roles with Control Plane access, such as the Global Administrator, we implement the "Clean Keyboard" approach by using a Privileged Admin Workstation (PAW) with dedicated hardware.
  • For additional administrative roles, such as managing workloads in Microsoft Azure, we provide a scalable solution through Virtual Access Workstations (VAW). These are built on a secure and customized Azure Virtual Desktop (AVD) infrastructure within the Red Tenant.
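As an added illustration of the tiering described above (example code written for this page, not part of the Managed Red Tenant product), the following Python models how Enterprise Access Model planes map to a required workstation class and flags sign-ins that violate the "clean keyboard" rule: control-plane roles only from a hardware PAW, other administrative roles from a PAW or a VAW, never from a regular device. The role-to-plane mapping, the plane names and the sign-in records are constructed assumptions for the example.

```python
"""Toy evaluator for tiered admin workstation policy (constructed example)."""
from dataclasses import dataclass

# Enterprise Access Model planes, most sensitive first (names are an assumption).
CONTROL_PLANE = "control"
MANAGEMENT_PLANE = "management"
PLANE_ORDER = (CONTROL_PLANE, MANAGEMENT_PLANE)

# Role -> plane. Assumption: a simplified subset; a real tenant defines its own mapping.
ROLE_PLANE = {
    "Global Administrator": CONTROL_PLANE,
    "Privileged Role Administrator": CONTROL_PLANE,
    "Azure Subscription Owner": MANAGEMENT_PLANE,
    "Intune Administrator": MANAGEMENT_PLANE,
}

# Workstation classes permitted per plane.
# PAW = dedicated hardware, VAW = AVD session host in the Red Tenant, STANDARD = regular device.
ALLOWED_WORKSTATIONS = {
    CONTROL_PLANE: {"PAW"},
    MANAGEMENT_PLANE: {"PAW", "VAW"},
}


@dataclass(frozen=True)
class SignIn:
    user: str
    roles: tuple        # active directory roles at sign-in time
    workstation: str    # "PAW", "VAW" or "STANDARD"
    compliant: bool     # device compliance as reported by MDM


def highest_plane(roles):
    """Most sensitive plane among the user's roles, or None if no privileged role."""
    planes = {ROLE_PLANE[r] for r in roles if r in ROLE_PLANE}
    for plane in PLANE_ORDER:
        if plane in planes:
            return plane
    return None


def evaluate(signin):
    """Return (allowed, reason) for one sign-in."""
    plane = highest_plane(signin.roles)
    if plane is None:
        return True, "no privileged role; regular device policy applies"
    if not signin.compliant:
        return False, f"{plane} plane sign-in from non-compliant device"
    allowed = ALLOWED_WORKSTATIONS[plane]
    if signin.workstation not in allowed:
        return False, f"{plane} plane requires {sorted(allowed)}, got {signin.workstation}"
    return True, f"{plane} plane from {signin.workstation}"


def find_violations(signins):
    """Detection pass: list (user, reason) for every sign-in that breaks the policy."""
    violations = []
    for s in signins:
        ok, reason = evaluate(s)
        if not ok:
            violations.append((s.user, reason))
    return violations


# Constructed sign-in records for the demonstration.
SAMPLE_SIGNINS = (
    SignIn("alice", ("Global Administrator",), "PAW", True),
    SignIn("bob", ("Global Administrator",), "VAW", True),          # control plane from VAW
    SignIn("carol", ("Intune Administrator",), "VAW", True),
    SignIn("dave", ("Azure Subscription Owner",), "STANDARD", True),  # admin on regular device
    SignIn("erin", (), "STANDARD", True),
    SignIn("frank", ("Intune Administrator",), "PAW", False),       # non-compliant PAW
)

if __name__ == "__main__":
    for user, reason in find_violations(SAMPLE_SIGNINS):
        print(f"VIOLATION {user}: {reason}")
```

Run over the constructed records, the pass reports bob (control plane from a VAW), dave (management plane from a regular device) and frank (non-compliant device); the same logic can be pointed at exported sign-in logs once the role and device fields are mapped.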

Key Components of Managed Red Tenant

The management of hardened configurations and policies is done "as code," ensuring complete transparency and traceability of all changes. Our security framework is continuously evolving to seamlessly integrate new features and detections. The DevOps approach enables us to deliver ongoing improvements in a timely manner.

Based on Microsoft Entra Identity Governance, we have developed a native, standardized solution for provisioning and managing administrative accounts. This solution enables seamless onboarding of new administrative user accounts and provides granular access control to corporate tenants and domains. Access can be delegated through an approval process as well as via self-service.

The Managed Red Tenant is monitored 24/7 by our Cloud Security Operations Center (CSOC). We leverage Microsoft Security solutions to ensure comprehensive monitoring of the tenant. This is further enhanced by custom-developed detections and the enrichment of data related to administrative permissions and access.

We have integrated the latest innovations from Global Secure Access into various components of the Managed Red Tenant to enhance security when accessing Virtual Access Workstations (VAWs) and to protect and restrict outgoing privileged access.

Microsoft Entra Internet Access, functioning as an identity-centric Secure Web Gateway (SWG), has been implemented to block public internet access and to restrict connectivity to privileged interfaces and the authorized company tenant environments only. Additional features, such as Universal Continuous Access Evaluation (CAE), enable near real-time access blocking.

Microsoft Entra Private Access serves as an identity-centric Zero Trust Network Access (ZTNA) solution and is the core of our approach to providing secure and private access to VAWs. Its integration into our solution adds an extra layer of protection for privileged sessions on AVD-based endpoints by enforcing Conditional Access on the accessing client before connectivity to the VAW is established. Securing access to private or on-premises resources under Zero Trust principles is another use case in which we benefit from Private Access.
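To make the access path concrete, the following Python is an added model (written for this page, not Global Secure Access itself or any vendor code) of the three controls just described: a ZTNA-style gate that evaluates Conditional Access signals on the accessing client before any connectivity to a VAW, a CAE-style re-evaluation that revokes a live session when a critical event arrives, and an identity-centric egress filter that only permits privileged management interfaces of authorized tenants. The allowed hostnames are real Microsoft portal endpoints used only as illustrative allow-list entries; the tenant ID, the signal fields and the event stream are constructed assumptions.

```python
"""Model of pre-connect, continuous and egress enforcement for VAW access (constructed)."""
from dataclasses import dataclass
from urllib.parse import urlparse

# Egress allow-list: privileged interfaces only, and only for authorized tenants.
# Hostnames are real Microsoft endpoints used as examples; the tenant ID is a placeholder.
ALLOWED_HOSTS = {"portal.azure.com", "entra.microsoft.com", "login.microsoftonline.com"}
AUTHORIZED_TENANTS = {"11111111-1111-1111-1111-111111111111"}  # constructed placeholder

# Events that, under continuous access evaluation, should end a live privileged session.
CRITICAL_EVENTS = {"user_disabled", "device_noncompliant", "password_changed", "session_revoked"}


@dataclass
class ClientSignals:
    """Signals Conditional Access sees on the accessing client (fields are assumptions)."""
    user: str
    device_compliant: bool
    mfa_strength: str        # "none", "mfa" or "phishing_resistant"
    account_enabled: bool = True


@dataclass
class Session:
    user: str
    active: bool = True
    reason: str = ""


def preconnect_check(sig):
    """Conditional Access evaluated before the ZTNA connector opens a path to the VAW."""
    if not sig.account_enabled:
        return False, "account disabled"
    if not sig.device_compliant:
        return False, "accessing device not compliant"
    if sig.mfa_strength != "phishing_resistant":
        return False, "phishing-resistant MFA required for privileged session"
    return True, "connect"


def reevaluate(session, event):
    """CAE-style enforcement: a critical event for this user revokes the session immediately."""
    if session.active and event["user"] == session.user and event["type"] in CRITICAL_EVENTS:
        session.active = False
        session.reason = event["type"]
    return session.active


def egress_allowed(url, target_tenant):
    """SWG decision: destination must be a privileged interface and the target tenant authorized.
    target_tenant is the tenant the request authenticates against (assumption for the model)."""
    host = (urlparse(url).hostname or "").lower()
    return host in ALLOWED_HOSTS and target_tenant in AUTHORIZED_TENANTS


def simulate(sig, events, requests):
    """Run one admin through gate, session events and egress; return the decision log."""
    log = []
    ok, reason = preconnect_check(sig)
    log.append(f"preconnect:{reason}")
    if not ok:
        return log
    session = Session(sig.user)
    for url, tenant in requests:
        verdict = "allow" if egress_allowed(url, tenant) else "block"
        log.append(f"egress:{verdict}:{urlparse(url).hostname}")
    for ev in events:
        if not reevaluate(session, ev):
            log.append(f"session_revoked:{session.reason}")
            break
    return log


# Constructed inputs for the demonstration.
AUTH_TENANT = "11111111-1111-1111-1111-111111111111"
SAMPLE_REQUESTS = (
    ("https://portal.azure.com/#home", AUTH_TENANT),
    ("https://example.com/", AUTH_TENANT),            # general internet: blocked
    ("https://portal.azure.com/", "22222222-2222-2222-2222-222222222222"),  # foreign tenant
)
SAMPLE_EVENTS = (
    {"user": "bob", "type": "user_disabled"},          # other user, no effect
    {"user": "alice", "type": "device_noncompliant"},  # revokes alice's session
)

if __name__ == "__main__":
    admin = ClientSignals("alice", True, "phishing_resistant")
    for line in simulate(admin, SAMPLE_EVENTS, SAMPLE_REQUESTS):
        print(line)
```

The ordering in `simulate` is the point: the client is judged before any network path exists, the allowed destinations are a short positive list rather than a block list, and a compliance change on the device ends the session without waiting for the next token refresh.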

Architecture of Managed Red Tenant


"In most of our emergency operations, we repeatedly find that IT was not well enough prepared for attacks. A proactive security check is therefore an efficient investment in more security to reduce downtime."
Jan Geisbauer, Cyber Security Lead