In the past, companies relied on the network security controls to create a perimeter around the corporate data and resources which were, on the larger part, located on-premises. Employees were accessing these resources mostly when they were located physically on company’s premises or while using tightly controlled remote access capabilities like VPN. With the defense zone created around the resources, IT could protect them from the outside and at the same time enable employees to do their work while being able to control, monitor and audit every access.
Traditional network perimeter controls are not sufficient anymore
Today, the way employees work and how companies are collaborating with the partners has changed. Company’s data is now located not just on-premises but also in cloud, using many of the available Software-as-a-Service (SaaS) providers (for example Office 365). Employees are using number of devices (desktops, laptops, tablets, and smartphones) and device types (corporate-owned devices, Bring Your Own Devices – BYOD, personal devices used at home). In these scenarios, traditional network perimeter controls are not sufficient anymore.
Identity as a new perimeter
Identity can follow employees no matter which device they are using, where they are located when accessing company’s data and at what time of the day. IT still wants to have control but at the same time enable employees to be productive in a way that best suites them. For example, if an employee wants to edit the tomorrow’s presentation slides from home on their personal tablet, she/he should be able to do so. IT on the other side wants to make sure that device employee is using is compliant with the company’s policy. Based on the accessed data classification we can even define conditions that will allow (or not allow) the access, e.g., data classified as Confidential can be accessed only from company-owned devices, but data classified as Public can be accessed from any device, implying that employee’s identity was linked to that device.
Companies are already providing identities for their employees and have made significant investment in the on-premises identity and access management (IAM) systems but now they need to extend these identities to the cloud.
Microsoft as a one of the leading cloud providers and with the large base of enterprise Active Directory installations across the world provides solutions for the challenges mentioned above, challenges that many companies have today.
In this post we’ll talk about:
- Azure Active Directory
- Azure Multi-factor Authentication
- Azure AD Identity Protection
- Azure AD Privileged Identity Management
- Conditional access
Azure Active Directory
Azure Active Directory (Azure AD) is multi-tenant directory, identity, and access management system, developed for the cloud. All Microsoft’s cloud offerings (Office 365 or Dynamics CRM Online) are using Azure AD but there are also many 3rd party SaaS solutions (like Salesforce, Dropbox, Workday or Concur) that also rely on Azure AD. With Azure AD, IT professionals can easily give employees and business partners access to any of such applications.
Developers can concentrate on how to solve business challenges and build applications that will empower the users, without spending too much time on integration with Azure AD because Microsoft provides Azure AD authentication libraries for many application platforms. Once application is integrated with Azure AD it can be accessed by company’s employees, business partners or if that is desired, to anyone who has Azure AD account.
Azure AD has many capabilities:
- integration with on-premises Active Directory
- multi-factor authentication
- device registration
- self-service password management
- self-service group management
- privileged account management
- role based access control
- application usage monitoring
- auditing, security monitoring and alerting
For companies that have existing Active Directory installation, Azure AD allows easy integration using Azure AD Connect, which is a free tool. Once on-premises identities are synchronized to Azure AD, employees can access any of the Microsoft’s, 3rd party SaaS or you company’s custom applications that live in cloud. Also, Azure AD capabilities are available to such (synchronized) identities, e.g., they have full self-service password management through the cloud, or they can use multi-factor authentication even when accessing some of the on-premises resources.
Azure Multi-factor Authentication
Azure Multi-factor Authentication is Microsoft’s two-step verification solution offered as a cloud service. Two-step verification means that user must go through more than one verification method when signing-in.
It works by requiring any two or more of the following methods:
- Something you know (for example a password)
- Something you have (device like a smartphone or a hardware token)
- Something you are (e.g., biometrics)
When employee is enabled for multi-factor authentication signing-in to any application protected by Azure AD (e.g., Office 365) is not possible any more with just a password. If company has internal applications protected by Active Directory Federation Services (AD FS), Azure Multi-factor Authentication can also be used as a two-step verification for that local AD FS instance. Azure Multi-factor Authentication can protect IIS web applications, VPN access, Remote Desktop access and other remote access applications that use RADIUS or LDAP authentication.
Tip: Microsoft is offering free Azure Multi-factor Authentication for Azure AD administrators (accounts that are members of Global administrator role in Azure AD) and for Office 365 as part of the Office 365 subscription.
Azure AD Identity Protection
Today, majority of successful cyber-attacks rely on compromised credentials. Attackers are becoming more and more effective in launching intelligent phishing attacks and using external breaches to obtain employee’s credentials. Once credentials are compromised, attacker can gain access to any resource available to the employee and then use lateral movement to escalate their privileges.
With Azure AD Identity Protection you can:
- Detect vulnerabilities that could affect company’s identities
- Investigate incidents and take appropriate action to resolve
- Enable automated response actions to any detected suspicious event with the use of company’s identities
Azure AD Identity Protection uses machine learning and behavioral analysis under the hood, allowing it to be very effective in detecting suspicious events. For each such event, corresponding risk event is created. Some risk events are detected in real-time, but for others Azure AD Identity Protection engine detects them offline and then alerts the administrator.
You start by creating risk-based policies and through the policy configure how to respond to suspicious event based on the level of risk.
Detected risk events are:
- Users with leaked credentials
- Sign-ins from anonymous IP addresses
- Impossible travel to atypical locations
- Sign-ins from infected devices
- Sign-ins from IP addresses with suspicious activity
- Sign-ins from unfamiliar locations
There are two types of policies: User risk policy and Sign-in risk policy.
User risk policy evaluates all active risks events for specific user, creates risk level and then applies mitigation steps, depending how access controls and conditions on the policy are set. For example, level of created risk is a condition and can be Low, Medium, or High. Access controls could then, based on the risk level value, either block the user from signing-in or allow it but require multi-factor authentication or a password change.
Sign-in policy evaluates user’s sign-ins in a real-time and offline and similarly to user risk policy, applies mitigation steps, again depending on risk level and its value, and configured access controls which are same for both policy types.
We can also review users flagged for risk, detected Risk events and Vulnerabilities.
Azure AD Identity Protection is a part of the Azure AD Premium P2 edition, it can be obtained by purchasing Azure AD Premium P2 or as part of Enterprise Mobility + Security E5 edition.
Azure AD Privileged Identity Management
Azure AD Privileged Identity Management allows companies to have better control over how privileged accounts are utilized. In any environment, use of privileged accounts should be minimized – number of such accounts should be minimal and most of such accounts should be activated only when there is a business need and deactivated immediately after that (Just-In-Time access).
With Privileged Identity Management, employees who need a temporary access to a privileged role are assigned to a role of Eligible administrator. They need to sign-in to Azure Portal and complete an activation for their account. Once activation is completed, they will have necessary privileges. They can then use their privileged role until activation for that role expires. How long privileged role can be used before expiration is configurable.
Before user can activate their privileged role, it could require approval of one or more administrators. Administrators need to approve the activation unless approved user will not be able to use their privileged role.
Currently, with Azure AD Privileged Identity Management, we can use any of the available Azure AD directory roles (like Global Administrator or Password Administrators) but we can also allow temporary privileged access to Azure resources (like resource groups, virtual machines, App Service Web Apps, Azure SQL databases, etc.).
Same as Identity Protection, Azure AD Privileged Identity Management is a part of the Azure AD Premium P2 edition, it can be obtained by purchasing Azure AD Premium P2 or as part of Enterprise Mobility + Security E5 edition.
Azure AD Conditional Access
As we’ve mentioned before, employees today want to be productive on any device, any location and at any time of the day. IT has to allow this and at the same time appropriately protect company’s data and resources. We need to ensure that only the right people under the right conditions have access, and if that’s not the case we need to block the access or require additional requirements (like multi-step verification).
With Azure AD Conditional Access, we have ability to enforce controlled access to cloud applications based on the multiple conditions by configuring policies. Using policies simplifies the configuration and we have the ability to configure multiple policies, for specific groups of users, specific set of applications or for specific set of conditions are access controls.
Azure AD Conditional Access policy is comprised of assignments and access controls. Within the assignment we define users and groups in scope of the policy, cloud applications protected by the policy and conditions.
Conditions are based on a sign-in risk (likelihood that the sign-in is coming from someone other than that employee), device platform (Android, iOS, Windows phone, Windows or macOS), user’s location and client app employee is using (browser, native mobile apps, or desktop clients).
With Access controls we can either block or grant the access and require multi-factor authentication, require device to be marked as compliant, require domain joined (Hybrid Azure AD) device or require approved client app. For example, we could configure policy so that it applies only to employees who are members of Remote Sales group and when they access Office 365 and Salesforce from untrusted network location and from Android or iOS device. If these conditions are fulfilled, then we require multi-factor authentication or we require device to be marked as compliant (managed by Intune) before employee is allowed access.
As we can see, Azure provides many ways to extend identities to the cloud, enables employees to securely access both cloud and on-premises applications and provides IT with the level of control they need, and with capability to appropriately monitor and audit access to company’s data.