5 ways to improve identity security in a hybrid environment
In our recent security article, 6 Critical Success Factors for Deploying Zero Trust, we outlined some of the challenges faced by organisations on their Zero Trust journey. Of these challenges, legacy systems are some of the trickiest to overcome. The multi-faceted, hybrid security perimeters they create make for complex security landscapes with many interacting controls, which are all too easy to misconfigure and hard to verify.
So, what’s the answer? In an ideal world, organisations could overcome this challenge by simply consolidating their workloads within Microsoft 365. In reality, this isn’t always a viable option.
Instead, the solution lies in one of the last remaining control planes for preventing unauthorised access in a hybrid technology ecosystem: identities.
Now, if you’re working in a hybrid environment, you’re probably well aware of the challenges of securing hybrid identities. Getting on-premises Active Directory to work in concert with Azure AD is no walk in the park, and the two are bound together by trust: the synchronisation server, the federation signing keys and the authentication agents that bridge them are reachable from the on-premises side, so a weakness or compromise in one directory creates a knock-on weakness in the other.
Thankfully, complicated is not the same as impossible. Here are our top five ways to improve hybrid identity security and shore up this critical security perimeter.
1. Set up multi-factor authentication
Adding multi-factor authentication (MFA) is a very effective way to limit the potential damage of leaked/stolen credentials like usernames and passwords.
MFA requires two or more factors of different types to gain access: something you know (e.g. a password), something you have (e.g. an OTP generated on a mobile phone or a hardware key) and something you are (e.g. facial recognition). Even two-factor authentication (e.g. password + OTP) dramatically reduces an attacker’s ability to leverage stolen credentials. One caveat: OTPs and push approvals can still be relayed by a real-time phishing proxy or worn down by repeated prompts, so for administrators and other high-value accounts prefer phishing-resistant methods (FIDO2 security keys or Windows Hello for Business), and always exclude a small set of tightly monitored emergency-access accounts so a broken MFA policy cannot lock you out of your own tenant.
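The usual way to enforce MFA tenant-wide in Azure AD is a Conditional Access policy. The following is an added example (not code from the original article) that creates such a policy in report-only mode using the Microsoft Graph PowerShell SDK, so you can review the sign-in logs for impact before switching it on. The emergency-access group name, the policy display name and the choice of the built-in "mfa" grant control are this example's own assumptions.

```powershell
# Added example: require MFA for all users via Conditional Access, created in
# report-only mode first. Assumes the Microsoft Graph PowerShell SDK is installed
# and that a group named 'Emergency Access Accounts' (assumed name) holds the
# break-glass accounts that must never be covered by this policy.

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess','Group.Read.All' -NoWelcome

$breakGlass = Get-MgGroup -Filter "displayName eq 'Emergency Access Accounts'"
if (-not $breakGlass) {
    throw "Create and populate the emergency-access group before deploying an all-users MFA policy."
}

$policy = @{
    displayName = 'Require MFA for all users (report-only)'   # assumed name
    # Report-only: evaluated and logged, but not enforced. Switch to 'enabled'
    # once the sign-in logs show no unexpected impact.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users        = @{
            includeUsers  = @('All')
            excludeGroups = @($breakGlass.Id)
        }
        applications = @{ includeApplications = @('All') }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy {0} ({1}) in state {2}" -f $created.DisplayName, $created.Id, $created.State
```

After a week or two in report-only mode, the sign-in logs (Report-only tab on each sign-in) show which users and apps would have been blocked or challenged; fix those first, then flip `state` to `enabled`. If you want to go beyond plain MFA for privileged roles, replace the `builtInControls` grant with an authentication strength that only accepts phishing-resistant methods.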
2. Use Azure AD Pass-through Authentication
Federation between on-premises and cloud environments is traditionally done using Active Directory Federation Services (ADFS). Having to maintain, patch and update ADFS infrastructure comes with its own overheads and risks, however. Falling behind on these responsibilities (or getting them just a little bit wrong) can introduce some dangerous – and hard to spot – security loopholes.
A less error-prone alternative is Azure AD Pass-through Authentication (PTA). This uses a lightweight authentication agent running on one or more on-premises domain-joined servers to validate user logins against the on-prem AD on behalf of Azure AD. The agents make outbound-only connections, so no inbound ports need to be opened between Azure AD and on-prem AD, and passwords never need to be stored (even as hashes) in the cloud, reducing the organisation’s potential attack surface. The trade-off is that the agent servers decrypt and see user passwords as they are validated, so treat them as Tier 0 assets: keep them patched, deploy at least two or three for resilience, restrict who can log on to them, and alert on any change to the agent service or its binaries.
Azure AD Pass-through Authentication also works with other Azure AD security features, including Conditional Access, MFA, Smart Lockout and Identity Protection, which can further reduce the risk of unauthorised access.
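Before and after moving off ADFS it helps to know exactly which domains still depend on federation. The following is an added example (not code from the original article) that, using the Microsoft Graph PowerShell SDK, lists every verified domain, its authentication type (Managed for PTA or password hash sync, Federated for ADFS or another IdP) and, for federated domains, the token issuer and the expiry of the current signing certificate, since an ageing or silently rolled-over signing certificate is precisely the kind of maintenance drift the section warns about. The 60-day warning threshold is this example's own choice.

```powershell
# Added example: inventory federated vs managed domains and check federation
# signing-certificate expiry. Requires Microsoft.Graph.Identity.DirectoryManagement.

Connect-MgGraph -Scopes 'Domain.Read.All' -NoWelcome

$report = foreach ($domain in Get-MgDomain -All | Where-Object { $_.IsVerified }) {
    $row = [ordered]@{
        Domain             = $domain.Id
        AuthType           = $domain.AuthenticationType   # 'Managed' or 'Federated'
        Issuer             = $null
        SigningCertExpires = $null
        DaysLeft           = $null
    }
    if ($domain.AuthenticationType -eq 'Federated') {
        $fed = Get-MgDomainFederationConfiguration -DomainId $domain.Id
        $row.Issuer = $fed.IssuerUri
        if ($fed.SigningCertificate) {
            # SigningCertificate is the base64-encoded DER certificate that
            # Azure AD trusts to validate tokens issued for this domain.
            $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
                        [Convert]::FromBase64String($fed.SigningCertificate))
            $row.SigningCertExpires = $cert.NotAfter
            $row.DaysLeft           = [int]($cert.NotAfter - (Get-Date)).TotalDays
        }
    }
    [pscustomobject]$row
}

$report | Format-Table -AutoSize

# Federated domains are infrastructure you (or a partner) must keep patched and
# whose signing keys you must rotate; flag certificates close to expiry.
$report |
    Where-Object { $_.AuthType -eq 'Federated' -and $null -ne $_.DaysLeft -and $_.DaysLeft -lt 60 } |
    ForEach-Object {
        Write-Warning ("Federation signing certificate for {0} (issuer {1}) expires in {2} days" -f
            $_.Domain, $_.Issuer, $_.DaysLeft)
    }
```

A domain that shows as Federated when you believe you have finished migrating to PTA is worth investigating immediately: an unexpected federation configuration, or an issuer you do not recognise, is also a known persistence technique, because whoever controls the signing key for a federated domain can mint tokens for any of its users.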
3. Audit 3rd-party apps and permissions regularly
It’s possible – and often convenient – for Azure AD to act as the identity provider for third-party apps, with users or administrators granting those apps OAuth permissions (delegated or application) through the consent prompt. If this is enabled, however, it’s essential that you keep close tabs on the apps in play and the permissions granted to them, and that you restrict which permissions ordinary users may consent to on their own.
Apps that read and/or store data from Azure AD are effectively extensions of your own security perimeter. If their security is not up to your standards, a compromise of the vendor becomes a compromise of your data, and the consent flow itself is a phishing vector: in a consent-phishing attack, a user is tricked into granting an attacker-registered app permissions such as reading their mailbox, which keeps working even after the user’s password is reset.
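A regular audit needs more than the list of enterprise applications; the grants themselves matter. The following is an added example (not code from the original article) that, using the Microsoft Graph PowerShell SDK, enumerates both delegated OAuth2 consent grants and application-permission (app-role) assignments held by every service principal, flags the ones carrying high-impact Graph permissions, and marks whether the app belongs to another tenant. The list of permissions treated as high-impact is this example's own choice, not a Microsoft-defined list.

```powershell
# Added example: audit delegated and application permissions granted to apps
# in the tenant. Requires Microsoft.Graph.Applications and
# Microsoft.Graph.Identity.SignIns.

Connect-MgGraph -Scopes 'Application.Read.All','Directory.Read.All' -NoWelcome

# Permissions this example treats as high-impact (own choice; extend as needed).
$highImpact = @(
    'Mail.Read','Mail.ReadWrite','Mail.Send','MailboxSettings.ReadWrite',
    'Files.Read.All','Files.ReadWrite.All','Sites.ReadWrite.All',
    'Directory.ReadWrite.All','RoleManagement.ReadWrite.Directory',
    'User.ReadWrite.All','Application.ReadWrite.All','offline_access'
)

$tenantId = (Get-MgContext).TenantId

# Cache all service principals by object id so client and resource ids resolve to names.
$sps = @{}
Get-MgServicePrincipal -All -Property Id,DisplayName,AppId,AppOwnerOrganizationId,AppRoles |
    ForEach-Object { $sps[$_.Id] = $_ }

# Delegated permissions: oauth2PermissionGrant objects, one per client/resource pair.
$delegated = @(foreach ($grant in Get-MgOauth2PermissionGrant -All) {
    $client   = $sps[$grant.ClientId]
    $resource = $sps[$grant.ResourceId]
    $risky    = ($grant.Scope -split ' ') | Where-Object { $highImpact -contains $_ }
    if ($risky) {
        [pscustomobject]@{
            Kind        = 'Delegated'
            App         = $client.DisplayName
            ThirdParty  = ($client.AppOwnerOrganizationId -ne $tenantId)
            ConsentType = $grant.ConsentType   # 'AllPrincipals' = admin consent on behalf of everyone
            Resource    = $resource.DisplayName
            Permissions = ($risky -join ' ')
        }
    }
})

# Application permissions: appRoleAssignments where the service principal is the principal.
# These act without any signed-in user and always require admin consent.
$application = @(foreach ($sp in $sps.Values) {
    foreach ($assign in Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All) {
        $resource = $sps[$assign.ResourceId]
        $roleName = ($resource.AppRoles | Where-Object { $_.Id -eq $assign.AppRoleId }).Value
        if ($highImpact -contains $roleName) {
            [pscustomobject]@{
                Kind        = 'Application'
                App         = $sp.DisplayName
                ThirdParty  = ($sp.AppOwnerOrganizationId -ne $tenantId)
                ConsentType = 'Admin'
                Resource    = $resource.DisplayName
                Permissions = $roleName
            }
        }
    }
})

$findings = $delegated + $application
$findings | Sort-Object ThirdParty, Kind, App -Descending | Format-Table -AutoSize
"{0} risky grants found ({1} from apps owned by other tenants)" -f
    $findings.Count, @($findings | Where-Object ThirdParty).Count
```

Review every row whose ThirdParty is True and whose Permissions include mailbox or files access with a named owner; anything nobody can vouch for should have its grant removed and, for an unknown publisher, the service principal disabled. In a large tenant the per-service-principal app-role query takes a while; run it on a schedule and diff the output rather than reading it by hand each time. Pair this with the tenant consent settings so that users can only self-consent to low-impact permissions from verified publishers and everything else goes through the admin consent workflow.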
4. Crack the whip on governance
Prevention is better than cure when it comes to identity security – particularly when you’re dealing with complex hybrid environments.
Careful, considered and comprehensive governance policies should be absolutely non-negotiable. Everything from Azure AD role assignments and role-based access controls (RBAC) to MFA and app configurations, permissions and settings, should have clearly defined policies, protocols and best practices.
5. Rope in the experts
Hybrid identities are tricky to secure, even with the best laid plans in place. Thankfully, there are specialist tools available that can make the process a lot simpler and more agile, and the results more robust.
One of our current favourites is from our colleagues at Semperis. It offers sophisticated capabilities that significantly streamline attack surface minimisation, advanced attack detection, automatic remediation, accelerated incident response and recovery.
We’ll be diving deeper into those details during our complimentary identity security assessments. Get in touch to find out more.