Archive for the ‘Azure Active Directory’ Category

New Forrester study shows customers who deploy Microsoft Azure AD benefit from 123% ROI.

August 13th, 2020

Over the past six months, organizations around the world have accelerated digital transformation efforts to rapidly enable a remote workforce. As more employees than ever access apps via their home networks, the corporate network perimeter has truly disappeared, making identity the control plane for effective and secure access across all users and digital resources.

Businesses have responded to the pandemic by increasing budgets, adding staff, and accelerating deployment of cloud-based security technologies to stay ahead of phishing scams and to enable Zero Trust architectures. But the pressure to reduce costs is also real. Given COVID-19 and uncertain economic conditions, many of you are prioritizing security investments. But how should you allocate them? According to a new study, The Total Economic Impact™ of Securing Apps with Microsoft Azure Active Directory, investing in identity can not only help you accelerate your Zero Trust journey, it can also save you money and deliver more value. In this commissioned study, Forrester Consulting interviewed four customers in different industries who have used Azure AD for years. Forrester used these interviews to develop a composite organization. They found that customers securing apps with Azure AD can benefit from a 123 percent return on investment over three years in a payback period of six months.

An image showing the total economic impact of securing apps with Microsoft Azure AD.

The customers interviewed improved user productivity, reduced costs, and gained IT efficiencies in the following areas[1]:

Increased worker productivity with secure and seamless access to all apps

Employees expect to collaborate on any project from anywhere using any app—especially now, when so many are working from home. But they find signing into multiple applications throughout the day frustrating and time-consuming. When you connect all your apps to Azure AD, employees sign in once using single sign-on (SSO). From there, they can easily access Microsoft apps like Microsoft Teams, software as a service (SaaS) apps like Box, on-premises apps like SAP HANA, and various custom line-of-business apps. Forrester estimates that consolidating to a single identity and access management solution and providing one set of credentials saves each employee 10 minutes a week on average, valued at USD 7.1 million over three years.

“Our CIO really didn’t like that anybody onboarding with our company was receiving—and this is not an exaggeration—two dozen credentials. In the executive branch, they took up to two weeks to get a new hire on their feet.” –Director of workplace technology, Electronics

Reduced costs by reducing the risk of a data breach

A data breach can be incredibly expensive for victims, who must recover not only their environments but also their reputations. Breaches often start with a compromised account, which is why it’s so important to protect your identities.

With Azure AD, you can secure all your applications and make it harder for attackers to acquire and use stolen credentials. You can ban common passwords, block legacy authentication, and protect your privileged identities. You can implement adaptive risk-based policies and enforce multi-factor authentication to ensure that only the right users have the right access. Forrester found that using these Azure AD features can help organizations reduce the risk of a data breach, saving them an estimated USD 2.2 million over a three-year period.

“Conditional Access was non-negotiable as we moved to the cloud. We had to be able to apply policies that scoped applications, users, devices, and risk states. You can’t let a compromised user walk into a cloud app anymore. It’s unacceptable.” –Information security services, manufacturing

Empowered workers to reset their own passwords

If you have a help desk, your employees likely make thousands of password reset requests per month. Locked-out users can’t be productive, and their pleas for help eat up valuable time help desk workers could spend on other priority tasks. One organization told Forrester it costs them between USD 500,000 and USD 700,000 per year just to reset passwords.

With Azure AD Self-Service Password Reset, employees can reset their own passwords without help desk intervention. Forrester estimates that with this feature, customers can decrease the number of password reset calls per month by 75 percent, yielding a three-year adjusted present value of USD 1.7 million.

Unlocked efficiency gains by consolidating their identity infrastructure

Many enterprises use several solutions to manage identity and access management: an on-premises solution for legacy applications, a SaaS-based solution for modern cloud applications, and Azure AD for Microsoft applications. Maintaining this complex infrastructure requires multiple servers and licenses, not to mention people who understand the various systems. Migrating authentication for all your apps to Azure AD can significantly reduce hardware and licensing fees. Forrester estimates savings at a three-year adjusted present value of USD 1.9 million.

Consolidating your identity infrastructure to Azure AD gives you the benefits of cloud-based identity and access management solutions and frees your team to focus on other priorities. IT and identity teams in the study reduced time and effort spent provisioning/deprovisioning accounts, integrating new applications, and addressing issues related to IAM infrastructure. They also experienced less system downtime. Forrester estimated the value of IT efficiency gains at USD 3.0 million over three years.

Integrating with Azure AD also benefits software vendors

As part of the TEI, Forrester interviewed two Independent Software Vendors (ISVs), Zscaler and Workplace from Facebook. They documented their findings in the spotlight, Software Vendors Boost Adoption by Integrating Their Apps with Microsoft Azure Active Directory. Integrating their applications with Azure AD helped the two ISVs interviewed accelerate their sales cycles, as well as product adoption. Seamless integration with Azure AD helps ISVs reach the more than 200,000 organizations that use Azure AD. ISVs can easily give their customers and prospects single sign-on, automated user provisioning, and enhanced security through the security features built into Azure AD, while focusing their energies on enhancing their own solution.

“There is a shorter sales cycle for our platform. Many of our customers are already AD FS-based users, and our integration with Azure AD makes the case for our services that much more compelling. It also allows us to be more agile in helping customers get things implemented more quickly. Essentially, there’re fewer barriers to entry for customers.” – Vice President, product management, Zscaler

“We have a strong mutual customer base with Microsoft, which is why we’ve built such a great partnership with them over the years. Obviously, Azure AD is widely used by our customers, so it makes sense to leverage it.” – Platform Partnerships Manager, Workplace from Facebook

Learn more

COVID-19 has ushered in a new normal of remote work and conservative budgets, but that doesn’t mean you have to sacrifice security or the user experience. By integrating all your apps with Azure AD you can add value—like giving your employees a more convenient and secure work-from-home experience—while preserving valuable resources.

Find out how Azure AD can help secure all your apps and read the full Forrester Consulting study, The Total Economic Impact™ of Securing Apps with Microsoft Azure Active Directory, and the Software Vendors Boost Adoption by Integrating Their Apps with Microsoft Azure Active Directory spotlight.

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

[1] Forrester based all savings estimates on the composite organization developed for its TEI study.

The post New Forrester study shows customers who deploy Microsoft Azure AD benefit from 123% ROI. appeared first on Microsoft Security.

Prevent and detect more identity-based attacks with Azure Active Directory

July 15th, 2020

Security incidents often start with just one compromised account. Once an attacker gets their foot in the door, they can escalate privileges or gather intelligence that helps them reach their goals. This is why we say that identity is the new security perimeter. To reduce the risk of a data breach, it’s important to make it harder for attackers to steal identities while arming yourself with tools that make it easier to detect accounts that do get compromised.

Over the years the Microsoft Security Operations Center (SOC) has learned a lot about how identity-based attacks work and how to reduce them. We’ve leveraged these insights to refine our processes, and we’ve worked with the Azure AD product group to improve Microsoft identity solutions for our customers. At the RSA Conference 2020, we provided an inside look into how the Microsoft SOC helps protect Microsoft from identity compromise. Today, we are sharing best practices that you can implement in your own organization to help decrease the number of successful identity-based attacks.

Increase the cost of compromising an identity

One reason that identity-based attacks work is because passwords are hard for busy people, but they can be an easy target for attackers. People struggle to memorize unique and complex passwords for hundreds of work and personal applications. Instead, they reuse passwords across different applications or pick something that is easy to remember—sports teams, for example: Seahawks2020!

Bad actors exploit this reality with techniques like phishing campaigns to trick users into providing credentials. They also try to guess passwords or buy them on the dark web. In a password spray attack, attackers test a few commonly used passwords against many accounts—all they need is one account to accept one of them.

To make it harder for bad actors to acquire and use stolen credentials, implement the following technical controls:

Ban common passwords: Start by banning the most common passwords. Azure Active Directory (Azure AD) can automatically prevent users from creating popular passwords, such as password1234! You can also customize the banned password list with words specific to your region or company.

Enforce multi-factor authentication (MFA): MFA requires that people sign in using two or more forms of authentication, such as a password and the Microsoft Authenticator app. This makes it much harder for an attacker with a stolen password to gain access. In fact, this one control can block over 99.9 percent of account compromise attacks.

Block legacy authentication: Authentication protocols like POP, SMTP, IMAP, and MAPI can’t enforce MFA, which makes them an ideal target for bad actors. According to an analysis of Azure AD, over 99 percent of password spray attacks use legacy authentication. Blocking these apps eliminates a common access point for attackers. If teams are currently using apps with legacy authentication, this takes careful planning and a phased process, but tools in Azure AD can help you limit your risk as you migrate to apps with more modern authentication protocols.

Protect your privileged identities: Users with administrative privileges are often targeted by cybercriminals because they have access to valuable resources and information. To reduce the likelihood that these accounts will be compromised, they should only be used when people are conducting administrative tasks. When users are doing other work, like answering emails, they should use an account with reduced access. Just-in-time privileges can further protect administrative identities, by requiring that individuals receive approval before accessing sensitive resources and time-bounding how long they have access.

Detect threats through user behavior anomalies

Strong technical controls will reduce the risk of a breach, but against determined adversaries a breach may not be totally preventable. Once attackers get in, they want to avoid detection for as long as possible. They build hidden tunnels and back doors to hide their tracks. Some lay low for thirty or more days on the assumption that log files will be deleted during that time. To discover threats inside your organization, you need the right data and tools to uncover patterns across different data sets and timeframes.

Event logging and data retention: Capturing and saving data can be tricky. Privacy regulations put restrictions on how long and what types of data you can save. Storing large amounts of information can get expensive. However, you’ll need to see across login events, user permissions, and applications to spot anomalous behavior. Data from months or even years ago may help you spot patterns in more recent behavior. Once you understand your contractual and legal obligations related to data, decide which events your organization should store and then decide how long to keep them.

Leverage User and Entity Behavior Analytics (UEBA): People tend to sign in and access resources in consistent ways over time. For example, a lot of employees check email as soon as they sign in. On the other hand, if someone’s account immediately starts downloading files from a SharePoint site, it may mean the account has been compromised. To identify anomalous behavior, UEBA uses artificial intelligence and machine learning to model how users and devices typically behave. It then compares future behavior against the baseline to create a risk score. This allows you to analyze large data sets and elevate the highest-priority alerts.
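The password spray technique described under “Block legacy authentication” and the anomaly-driven detection described in this section, as one added example that is not part of the Microsoft post: a small detector that groups bad-password sign-in failures by source address, flags a source that touches many distinct accounts with few attempts each, reports how much of it came over legacy protocols, and names any account that then signed in successfully from the same source. The record field names mirror Azure AD sign-in log fields (userPrincipalName, ipAddress, clientAppUsed, status.errorCode) and the legacy client-app labels and error code 50126 are assumptions to verify against your own tenant; all sign-in records below are constructed.

```python
"""Password-spray detection over Azure AD-style sign-in records (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# clientAppUsed labels that Azure AD reports for legacy, non-MFA-capable
# protocols. Assumed set for this example; confirm against your tenant's logs.
LEGACY_CLIENT_APPS = {
    "Exchange ActiveSync", "Other clients", "IMAP4", "POP3",
    "Authenticated SMTP", "MAPI Over HTTP", "Outlook Anywhere (RPC over HTTP)",
}
BAD_PASSWORD = 50126  # Azure AD error code for "invalid username or password" (assumed)
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_time(stamp):
    return datetime.strptime(stamp, TIME_FMT)


def detect_password_spray(records, window=timedelta(hours=1),
                          min_accounts=10, max_per_account=3.0):
    """Return one finding per source IP whose failures look like a spray.

    A spray is many distinct accounts failing with a bad password from one
    source inside `window`, with few attempts per account. A legitimate user
    mistyping their own password fails repeatedly on a single account, so the
    per-account ratio separates the two cases.
    """
    by_ip = defaultdict(list)
    for rec in sorted(records, key=lambda r: r["createdDateTime"]):
        by_ip[rec["ipAddress"]].append(rec)

    findings = []
    for ip, events in by_ip.items():
        failures = [e for e in events if e["status"]["errorCode"] == BAD_PASSWORD]
        best_events, best_accounts = [], set()
        # Slide a window starting at each failure; keep the densest one.
        for i, first in enumerate(failures):
            t0 = parse_time(first["createdDateTime"])
            in_win = [e for e in failures[i:]
                      if parse_time(e["createdDateTime"]) - t0 <= window]
            accounts = {e["userPrincipalName"] for e in in_win}
            if len(accounts) > len(best_accounts):
                best_events, best_accounts = in_win, accounts
        if not best_accounts:
            continue
        per_account = len(best_events) / len(best_accounts)
        if len(best_accounts) < min_accounts or per_account > max_per_account:
            continue
        legacy = sum(1 for e in best_events if e["clientAppUsed"] in LEGACY_CLIENT_APPS)
        # A later success from the spraying source against a targeted account is
        # the account the spray actually hit; that is the alert to work first.
        compromised = sorted({e["userPrincipalName"] for e in events
                              if e["status"]["errorCode"] == 0
                              and e["userPrincipalName"] in best_accounts})
        findings.append({
            "ipAddress": ip,
            "accountsTargeted": len(best_accounts),
            "attempts": len(best_events),
            "legacyAuthShare": round(legacy / len(best_events), 2),
            "compromisedAccounts": compromised,
        })
    return findings


def _event(stamp, upn, ip, app, code):
    return {"createdDateTime": stamp, "userPrincipalName": upn, "ipAddress": ip,
            "clientAppUsed": app, "status": {"errorCode": code}}


def sample_signins():
    """Constructed records: one SMTP spray plus a user mistyping their password."""
    base = datetime(2020, 7, 15, 2, 0, 0)
    events = []
    # 25 accounts, one bad-password attempt each, a minute apart, one source.
    for n in range(25):
        stamp = (base + timedelta(minutes=n)).strftime(TIME_FMT)
        events.append(_event(stamp, f"user{n:02d}@contoso.example", "203.0.113.7",
                             "Authenticated SMTP", BAD_PASSWORD))
    # The one guessed password: a success from the same source shortly after.
    events.append(_event("2020-07-15T02:40:00Z", "user17@contoso.example",
                         "203.0.113.7", "Authenticated SMTP", 0))
    # Benign noise: one person failing four times on their own account.
    for n in range(4):
        stamp = (base + timedelta(minutes=n)).strftime(TIME_FMT)
        events.append(_event(stamp, "alice@contoso.example", "198.51.100.20",
                             "Browser", BAD_PASSWORD))
    events.append(_event("2020-07-15T02:05:00Z", "alice@contoso.example",
                         "198.51.100.20", "Browser", 0))
    return events


if __name__ == "__main__":
    for finding in detect_password_spray(sample_signins()):
        print(finding)
```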

Assess your identity risk

As you are making decisions about what controls and actions to prioritize, it helps to understand current risks. Penetration tests can help you uncover vulnerabilities. You can also run password spray tests to generate a list of easily guessable passwords. Or send a phishing email to your company to see how many people respond. The SOC can use these findings to test detections. They will also help you prepare training materials and build awareness with employees. Tools such as Azure AD Identity Protection can help you discover current users at risk and monitor risky behavior as your controls mature.

Learn more

Many of the technical controls we’ve outlined are also best practices in a Zero Trust security strategy. Instead of assuming that everything behind the corporate network is safe, the Zero Trust model assumes breach and verifies each access request. Learn more about Zero Trust.

One way to reduce the likelihood that a password will be stolen is to eliminate passwords entirely. Read more about passwordless authentication.

Watch our RSA Conference 2020 presentation: Cloud-powered compromise blast analysis: In the trenches with Microsoft IT.

The world is your authentication and identity oyster

July 2nd, 2020

This blog post is part of the Microsoft Intelligence Security Association guest blog series. To learn more about MISA, go here.

The world is your authentication/identity oyster

If you’re older than 10 years of age you’ve undoubtedly heard the phrase “The world is your oyster.” This basically means that you are able to take the opportunities that life has to offer. Nothing could be more accurate in describing the technology of the world today. Now if we take some liberties with that phrase, we could also say that “the world is your authentication/identity oyster.” There are countless options available to organizations as to how they want to execute on their vision.

Too long we’ve been collectively saddled with the prospect of passwords as one of the default authentication protocols. This has proven itself to be a standard in many respects. We’ve been taught for decades that passwords are some level of security that can be implemented to protect websites and so forth. This is an unfortunate notion that we need to dispel.

The problem here is that passwords have come to a point where they need to be replaced with an advanced system of security for authentication. Let’s take this as an example: if someone knows a password, it by no means ensures who the person utilizing it is. Yes, there is some understanding of trust as to who has the use of said password, but over the years I’ve learned that this is by no means a guarantee. As an example, 86 percent of breaches were financially motivated, according to the 2020 Verizon DBIR.

When attackers manage to compromise a website they will reuse the credentials that they capture in a bid to increase their access to other websites, simply because they understand that people are creatures of habit and will reuse the same password in multiple places to reduce the mental fatigue that comes with trying to remember them all. Even when I check in my own password manager application, I’ll note that I have over 900 passwords alone. It is little surprise that people still write them on post-it notes to this very day.

There are so many options available to remedy our password predicament. MFA is an excellent example of how to move forward with a better solution to authentication. When we look at something such as MFA we have to understand that there is a culture shift involved. Eighty percent of security breaches involve compromised passwords. People can be hesitant and resistant to change but will embrace that change when security has been democratized.

If it is easy for a non-technical person to use, then they will adopt that and then by extension improve the security of your organization. Case in point, my mother can use the Duo app as an example to authenticate to her email and other applications. When you have applications written for engineers by engineers in the hands of the layperson you can imagine how that will end. The security tools need to be easy to use.

If you’re using a push-based application or even something with the W3C WebAuthn open standard, which can leverage an API to replace passwords, you can improve the security of your organization by removing passwords from the mix. Using technologies such as this in conjunction with Azure AD, as an example, will reduce the risk to an organization. You would have authenticated users accessing your systems without having to wonder whether the person with the password logging in from a coffee shop in London, New York, or Toronto is in fact who you assume they should be.

The tools are at your disposal today to improve your security posture, reduce risk, and ultimately reduce costs when users can self-manage. When security technology has been democratized it leads to wider adoption by techno-savvy users and luddites alike.

Ready to get started? Sign up for a free trial at signup.duo.com.

Want to learn more about Duo and Microsoft together?

About Duo Security

Duo helps Azure Active Directory (Azure AD) customers move to the cloud safely and securely by verifying the identity of the users with strong multi-factor authentication (MFA), and the trust of the device using device hygiene insights. Our joint customers use that information to create robust access policies that are enforced before granting access to applications both on-premises and in the cloud.

How Duo helps protect Microsoft Applications: Duo + Microsoft Partnership Page

Learn more: Duo Security – Azure Active Directory 

To learn more about the Microsoft Intelligent Security Association (MISA), visit our website where you can learn about the MISA program, product integrations, and find MISA members. Visit the video playlist to learn about the strength of member integrations with Microsoft products.

Barracuda and Microsoft: Securing applications in public cloud

June 18th, 2020

This blog was written by a MISA partner. To learn more about MISA, visit our website.

The Barracuda Cloud Application Protection (CAP) platform features integrations with Microsoft Azure Active Directory (Azure AD) and Azure Security Center. A component of CAP, Barracuda WAF-as-a-Service is built on Microsoft Azure and provides advanced WAF capabilities in a solution that is easy to deploy and manage.

In our last blog, I spoke about how Barracuda and Microsoft are working together to remove barriers to faster public cloud adoption. That post focused on remote access, networks, and secure connectivity to public cloud. The topic of this blog post is how web applications in public cloud are secured.

Accelerating digital transformation

As I mentioned last time, digital transformation is fundamentally changing today’s enterprises, making digital assets—data and applications—key to doing business. Organizations are increasingly competing based on their digital agility, and of course web applications are central to how digital businesses operate today.

In order to develop and update applications faster, organizations are deploying DevOps processes and agile methodologies, and they are moving their infrastructure to the cloud. However, while applications are developed and deployed faster than ever, secure coding practices have not kept pace, resulting in a constantly growing number of open vulnerabilities that can be exploited.

At the same time, the threat environment is continuously evolving and becoming more challenging. Hackers are getting more sophisticated; they are now professional criminals or even nation states. In addition to manual hacking attacks, bots and botnets are increasingly used to attack enterprise infrastructures through web applications. These automated exploits are often executed as Distributed Denial of Service (DDoS) attacks, at both the network and application layers. And of course, malware is constantly getting more advanced. The growth in the number of unprotected application vulnerabilities, coupled with the increase in hacking and malware, has resulted in a perfect storm of data breaches. So, application security is a key requirement for successful digital transformation. A recent Microsoft Build 2020 blog post focused on how Microsoft is helping developers build more secure applications.

Is the latest health crisis going to slow down the digital transformation process? In fact, it appears the opposite is occurring—it is acting as a catalyst. In the last blog, we discussed how the sudden increase in remote work is accelerating the network evolution. In addition, similar changes are occurring in the applications landscape.

As people stay at home due to government orders, they are increasingly transacting online. Brick-and-mortar stores are closed, and to stay in business retailers and other businesses are shifting all their operations online.

Leveraging public cloud for web applications

Such rapid scaling of online operations is difficult and expensive to achieve using traditional datacenters. Fortunately, public cloud providers such as Microsoft Azure provide robust platforms that allow customers to quickly scale up application infrastructure—now things can be completed in days or even hours, instead of weeks or months. And of course, the flexibility that comes with public cloud deployments is especially valuable now, as there is a lot of uncertainty about how long lockdowns will continue and whether online capacity would need to be reduced in the future.

We have seen a significant increase in hacking, DDoS, and bot attacks during the last couple of months, so in addition to scaling up online capacity, it is critically important to ensure security and availability. Using a complete application security platform is the best way to protect applications from all attack vectors, including hacking, DDoS, bots, and even API attacks.

Types and number of online threats in the public cloud.

In the new report, Future shock: the cloud is the new network,[1] published in February, Barracuda surveyed 750 IT decision makers responsible for their organizations’ cloud infrastructure. We learned that organizations are well on their way to moving their infrastructure to public cloud, with 45 percent of IT infrastructure already running in the cloud today and rising to an estimated 76 percent in 5 years.

At the same time, the top concern restricting an even faster adoption of public cloud is security, with 70 percent of the respondents indicating that security concerns restrict their organizations’ adoption of public cloud.

If you look at the type of security issues that are the biggest blockers to public cloud adoption, the top two are sophisticated hackers and open vulnerabilities in applications. Also on the list are DDoS attacks and advanced bots/botnets, and from conversations with both customers and analysts since the onset of COVID-19, it appears that both DDoS attacks and bot attacks have spiked up even higher.

Barracuda Cloud Application Protection (CAP) platform is a comprehensive, scalable and easy-to-deploy platform that secures applications wherever they reside.

About Barracuda

At Barracuda we strive to make the world a safer place. We believe every business deserves access to cloud-enabled, enterprise-grade security solutions that are easy to buy, deploy, and use. We protect email, networks, data, and applications with innovative solutions that grow and adapt with our customers’ journey. More than 150,000 organizations worldwide trust Barracuda to protect them—in ways they may not even know they are at risk—so they can focus on taking their business to the next level. For more information, visit barracuda.com.

View our integration videos

[1] Future shock: the cloud is the new network, Barracuda, February 2020

4 identity partnerships to help drive better security

May 28th, 2020

At Microsoft, we are committed to driving innovation for our partnerships within the identity ecosystem. Together, we are enabling our customers, who live and work in a heterogeneous world, to get secure and remote access to the apps and resources they need. In this blog, we’d like to highlight how partners can help enable secure remote access to any app, access to on-premises and legacy apps, and seamless passwordless access to apps. We will also touch on how you can increase security visibility and insights by leveraging Azure Active Directory (Azure AD) Identity Protection APIs.

Secure remote access to cloud apps

As organizations adopt remote work strategies in today’s environment, it’s important their workforce has access to all the applications they need. With the Azure AD app gallery, we work closely with independent software vendors (ISVs) to make it easy for organizations and their employees and customers to connect to and protect the applications they use. The Azure AD app gallery consists of thousands of applications that make it easy for admins to set up single sign-on (SSO) or user provisioning for their employees and customers. You can find popular collaboration applications for working remotely such as Cisco Webex, Zoom, and Workplace from Facebook, or security-focused applications such as Mimecast and Jamf. And if you don’t find the application your organization needs, you can always make a nomination here.

The Azure AD Gallery.

Secure hybrid access to your on-premises and legacy apps

As organizations enable their employees to work from home, maintaining remote access to all company apps, including those on-premises and legacy, from any location and any device, is key to safeguard the productivity of their workforce. Azure AD offers several integrations for securing on-premises SaaS applications like SAP NetWeaver, SAP Fiori systems, Oracle PeopleSoft and E-Business Suite, and Atlassian JIRA and Confluence through the Azure AD App Gallery. For customers who are using Akamai Enterprise Application Access (EAA), Citrix Application Delivery Controller (ADC), F5 BIG-IP Access Policy Manager (APM), or Zscaler Private Access (ZPA), Microsoft has partnerships to provide remote access securely and help extend policies and controls that allow businesses to manage and govern on-premises legacy apps from Azure AD without having to change how the apps work.

Our integration with Zscaler allows a company’s business partners, such as suppliers and vendors, to securely access legacy, on-premises applications through the Zscaler B2B portal.

Integration with Zscaler

Go passwordless with FIDO2 security keys

Passwordless methods of authentication should be part of everyone’s future. Currently, Microsoft has over 100 million active passwordless end-users across consumer and enterprise customers. These passwordless options include Windows Hello for Business, the Microsoft Authenticator app, and FIDO2 security keys. Why are passwords falling out of favor? For them to be effective, passwords must have several characteristics, including being unique to every site. Trying to remember them all can frustrate end-users and lead to poor password hygiene.

Since Microsoft announced the public preview of Azure AD support for FIDO2 security keys in hybrid environments earlier this year, I’ve seen more organizations, especially with regulatory requirements, start to adopt FIDO2 security keys. This is another important area where we’ve worked with many FIDO2 security key partners who are helping our customers to go passwordless smoothly.

Partner logos

Increase security visibility and insights by leveraging Azure AD Identity Protection APIs

We know from our partners that they would like to leverage insights from Azure AD Identity Protection in their security tools, such as security information and event management (SIEM) or network security products. The end goal is to help them use all the security tools they have in an integrated way. Currently, we have the Azure AD Identity Protection API in preview that our ISVs leverage. For example, RSA announced at their 2020 conference that they are now leveraging our signals to better defend their customers.

We’re looking forward to working with many partners to complete these integrations.

If you haven’t taken advantage of any of these types of solutions, I recommend you try them out today and let us know what you think. If you have product partnership ideas with Azure AD, feel free to connect with me via LinkedIn or Twitter.

Zero Trust Deployment Guide for Microsoft Azure Active Directory

April 30th, 2020

Microsoft is providing a series of deployment guides for customers who have engaged in a Zero Trust security strategy. In this guide, we cover how to deploy and configure Azure Active Directory (Azure AD) capabilities to support your Zero Trust security strategy.

For simplicity, this document will focus on ideal deployments and configuration. We will call out the integrations that need Microsoft products other than Azure AD and we will note the licensing needed within Azure AD (Premium P1 vs P2), but we will not describe multiple solutions (one with a lower license and one with a higher license).

Azure AD at the heart of your Zero Trust strategy

Azure AD provides critical functionality for your Zero Trust strategy. It enables strong authentication, a point of integration for device security, and the core of your user-centric policies to guarantee least-privileged access. Azure AD’s Conditional Access capabilities are the policy decision point for access to resources based on user identity, environment, device health, and risk—verified explicitly at the point of access. In the following sections, we will showcase how you can implement your Zero Trust strategy with Azure AD.

Establish your identity foundation with Azure AD

A Zero Trust strategy requires that we verify explicitly, use least privileged access principles, and assume breach. Azure Active Directory can act as the policy decision point to enforce your access policies based on insights on the user, device, target resource, and environment. To do this, we need to put Azure Active Directory in the path of every access request—connecting every user and every app or resource through this identity control plane. In addition to productivity gains and improved user experiences from single sign-on (SSO) and consistent policy guardrails, connecting all users and apps provides Azure AD with the signal to make the best possible decisions about the authentication/authorization risk.

  • Connect your users, groups, and devices:
    Maintaining a healthy pipeline of your employees’ identities as well as the necessary security artifacts (groups for authorization and devices for extra access policy controls) puts you in the best place to use consistent identities and controls, which your users already benefit from on-premises and in the cloud:

    1. Start by choosing the right authentication option for your organization. While we strongly prefer to use an authentication method that primarily uses Azure AD (to provide you the best brute force, DDoS, and password spray protection), follow our guidance on making the decision that’s right for your organization and your compliance needs.
    2. Only bring the identities you absolutely need. For example, use going to the cloud as an opportunity to leave behind service accounts that only make sense on-premises; leave on-premises privileged roles behind (more on that under privileged access), etc.
    3. If your enterprise has more than 100,000 users, groups, and devices combined, we recommend you follow our guidance on building a high-performance sync box that will keep your lifecycle up to date.
  • Integrate all your applications with Azure AD:
    As mentioned earlier, SSO is not only a convenient feature for your users, but it’s also a security posture, as it prevents users from leaving copies of their credentials in various apps and helps avoid them getting used to surrendering their credentials due to excessive prompting. Make sure you do not have multiple IAM engines in your environment. Not only does this diminish the amount of signal that Azure AD sees and allow bad actors to live in the seams between the two IAM engines, it can also lead to poor user experience and your business partners becoming the first doubters of your Zero Trust strategy. Azure AD supports a variety of ways you can bring apps to authenticate with it:

    1. Integrate modern enterprise applications that speak OAuth2.0 or SAML.
    2. For Kerberos and Form-based auth applications, you can integrate them using the Azure AD Application Proxy.
    3. If you publish your legacy applications using application delivery networks/controllers, Azure AD is able to integrate with most of the major ones (such as Citrix, Akamai, F5, etc.).
    4. To help migrate your apps off of existing/older IAM engines, we provide a number of resources—including tools to help you discover and migrate apps off of ADFS.
  • Automate provisioning to applications:
    Once you have your users’ identities in Azure AD, you can now use Azure AD to power pushing those user identities into your various cloud applications. This gives you a tighter identity lifecycle integration within those apps. Use this detailed guide to deploy provisioning into your SaaS applications.
  • Get your logging and reporting in order:
    As you build your estate in Azure AD with authentication, authorization, and provisioning, it’s important to have strong operational insights into what is happening in the directory. Follow this guide to learn how to persist and analyze the logs from Azure AD, either in Azure or using a SIEM system of your choice.

Enacting the 1st principle: least privilege

Giving the right access at the right time to only those who need it is at the heart of a Zero Trust philosophy:

  • Plan your Conditional Access deployment:
    Planning your Conditional Access policies in advance and having a set of active and fallback policies is a foundational pillar of your Access Policy enforcement in a Zero Trust deployment. Take the time to configure your trusted IP locations in your environment. Even if you do not use them in a Conditional Access policy, configuring these IPs informs the risk evaluation of Identity Protection mentioned above. Check out our deployment guidance and best practices for resilient Conditional Access policies.
  • Secure privileged access with privileged identity management:
    With privileged access, you generally take a different track to meeting the end users where they are most likely to need and use the data. You typically want to control the devices, conditions, and credentials that users use to access privileged operations/roles. Check out our detailed guidance on how to take control of your privileged identities and secure them. Keep in mind that in a digitally transformed organization, privileged access is not only administrative access, but also application owner or developer access that can change the way your mission critical apps run and handle data. Check out our detailed guide on how to use Privileged Identity Management (P2) to secure privileged identities.
  • Restrict user consent to applications:
    User consent to applications is a very common way for modern applications to get access to organizational resources. However, we recommend you restrict user consent and manage consent requests to ensure that no unnecessary exposure of your organization’s data to apps occurs. This also means that you need to review prior/existing consent in your organization for any excessive or malicious consent.
  • Manage entitlements (Azure AD Premium P2):
    With applications centrally authenticating and driven from Azure AD, you should streamline your access request, approval, and recertification process to make sure that the right people have the right access and that you have a trail of why users in your organization have the access they have. Using entitlement management, you can create access packages that users can request as they join different teams/projects and that assign them access to the associated resources (applications, SharePoint sites, group memberships). Check out how you can start a package. If deploying entitlement management is not possible for your organization at this time, we recommend you at least enable self-service paradigms in your organization by deploying self-service group management and self-service application access.
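The "active and fallback policies" advice above is easiest to act on if you check the policy set mechanically before turning enforcement on. The following is an added example, not Microsoft's code: a small lint over Conditional Access policies written in the shape of the Microsoft Graph conditionalAccessPolicy resource (displayName, state, conditions.users, conditions.clientAppTypes, grantControls). It checks that every all-users policy excludes the emergency-access (break-glass) accounts, that at least one enabled policy blocks legacy clients, and it reports which policies are still in the report-only fallback state. The two policies and the break-glass object id are constructed sample data.

```python
"""Lint a Conditional Access policy set before enforcement (added example)."""
from __future__ import annotations

# Constructed placeholder: object ids of your emergency-access accounts.
EMERGENCY_ACCESS_ACCOUNTS = {"00000000-0000-0000-0000-00000000be11"}

# Graph clientAppTypes values that denote legacy authentication clients.
LEGACY_CLIENT_APP_TYPES = {"exchangeActiveSync", "other"}

# Constructed sample policies in the Graph conditionalAccessPolicy shape.
SAMPLE_POLICIES = [
    {
        "displayName": "Block legacy authentication",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"],
                      "excludeUsers": ["00000000-0000-0000-0000-00000000be11"]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["exchangeActiveSync", "other"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
    {
        "displayName": "Require MFA for all users",
        "state": "enabledForReportingButNotEnforced",   # report-only: fallback stage
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": []},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
]


def blocks(policy: dict) -> bool:
    """True when the policy's grant control is 'block'."""
    return "block" in policy.get("grantControls", {}).get("builtInControls", [])


def applies_to_all_users(policy: dict) -> bool:
    return "All" in policy["conditions"]["users"].get("includeUsers", [])


def lint_policies(policies: list[dict],
                  emergency_accounts: set[str] = EMERGENCY_ACCESS_ACCOUNTS) -> list[str]:
    """Return human-readable findings; an empty list means the set passed."""
    findings: list[str] = []
    legacy_blocked = False
    for p in policies:
        name = p["displayName"]
        excluded = set(p["conditions"]["users"].get("excludeUsers", []))
        # 1. An all-users policy without the break-glass exclusion can lock
        #    every administrator out after a misconfiguration.
        if applies_to_all_users(p) and not emergency_accounts <= excluded:
            findings.append(f"{name}: does not exclude emergency-access accounts")
        # 2. Report-only policies are the fallback stage; they enforce nothing.
        if p["state"] == "enabledForReportingButNotEnforced":
            findings.append(f"{name}: report-only; promote to enabled once sign-in "
                            "logs show no unexpected impact")
        # 3. Track whether legacy clients are blocked for everyone.
        client_apps = set(p["conditions"].get("clientAppTypes", []))
        if "all" in client_apps:
            client_apps |= LEGACY_CLIENT_APP_TYPES
        if (p["state"] == "enabled" and blocks(p) and applies_to_all_users(p)
                and LEGACY_CLIENT_APP_TYPES <= client_apps):
            legacy_blocked = True
    if not legacy_blocked:
        findings.append("no enabled all-users policy blocks legacy authentication clients")
    return findings


if __name__ == "__main__":
    for finding in lint_policies(SAMPLE_POLICIES):
        print("-", finding)
```

Run against the sample set, the lint passes the legacy-authentication block and flags the MFA policy twice: it lacks the break-glass exclusion and is still report-only. Pointing it at a real tenant means replacing SAMPLE_POLICIES with the objects returned from the Graph conditional access policies endpoint.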

Enacting the 2nd principle: verify explicitly

Provide Azure AD with a rich set of credentials and controls that it can use to verify the user at all times.

  • Roll out Azure multi-factor authentication (MFA) (P1):
    This is a foundational piece of reducing user session risk. As users appear on new devices and from new locations, being able to respond to an MFA challenge is one of the most direct ways that your users can teach us that these are familiar devices/locations as they move around the world (without having administrators parse individual signals). Check out this deployment guide.
  • Enable Azure AD Hybrid Join or Azure AD Join:
    If you are managing the user’s laptop/computer, bring that information into Azure AD and use it to help make better decisions. For example, you may choose to allow rich client access to data (clients that have offline copies on the computer) if you know the user is coming from a machine that your organization controls and manages. If you do not bring this in, you will likely choose to block access from rich clients, which may result in your users working around your security or using Shadow IT. Check out our resources for Azure AD Hybrid Join or Azure AD Join.
  • Enable Microsoft Intune for managing your users’ mobile devices (EMS):
    The same can be said about user mobile devices as laptops. The more you know about them (patch level, jailbroken, rooted, etc.) the more you are able to trust or mistrust them and provide a rationale for why you block/allow access. Check out our Intune device enrollment guide to get started.
  • Start rolling out passwordless credentials:
    With Azure AD now supporting FIDO 2.0 and passwordless phone sign-in, you can move the needle on the credentials that your users (especially sensitive/privileged users) are using on a day-to-day basis. These credentials are strong authentication factors that can mitigate risk as well. Our passwordless authentication deployment guide walks you through how to roll out passwordless credentials in your organization.

Enacting the 3rd principle: assume breach

Provide Azure AD with a rich set of credentials and controls that it can use to verify the user.

  • Deploy Azure AD Password Protection:
    While enabling other methods to verify users explicitly, you should not forget about weak passwords, password spray and breach replay attacks. Read this blog to find out why classic complex password policies are not tackling the most prevalent password attacks. Then follow this guidance to enable Azure AD Password Protection for your users in the cloud first and then on-premises as well.
  • Block legacy authentication:
    One of the most common attack vectors for malicious actors is to use stolen/replayed credentials against legacy protocols, such as SMTP, that cannot do modern security challenges. We recommend you block legacy authentication in your organization.
  • Enable identity protection (Azure AD Premium 2):
    Enabling identity protection for your users will provide you with more granular session/user risk signals. You’ll be able to investigate risk and confirm compromise or dismiss the signal, which will help the engine understand better what risk looks like in your environment.
  • Enable restricted session to use in access decisions:
    To illustrate, let’s take a look at controls in Exchange Online and SharePoint Online (P1): When a user’s risk is low but they are signing in from an unknown device, you may want to allow them access to critical resources, but not allow them to do things that leave your organization in a non-compliant state. Now you can configure Exchange Online and SharePoint Online to offer the user a restricted session that allows them to read emails or view files, but not download them and save them on an untrusted device. Check out our guides for enabling limited access with SharePoint Online and Exchange Online.
  • Enable Conditional Access integration with Microsoft Cloud App Security (MCAS) (E5):
    Using signals emitted after authentication and with MCAS proxying requests to applications, you will be able to monitor sessions going to SaaS applications and enforce restrictions. Check out our MCAS and Conditional Access integration guidance and see how this can even be extended to on-premises apps.
  • Enable Microsoft Cloud App Security (MCAS) integration with identity protection (E5):
    Microsoft Cloud App Security is a UEBA product monitoring user behavior inside SaaS and modern applications. This gives Azure AD signal and awareness about what happened to the user after they authenticated and received a token. If the user pattern starts to look suspicious (the user starts to download gigabytes of data from OneDrive or starts to send spam emails in Exchange Online), then a signal can be fed to Azure AD notifying it that the user seems to be compromised or high risk, and on the next access request from this user Azure AD can take the correct action to verify the user or block them. Just enabling MCAS monitoring will enrich the identity protection signal. Check out our integration guidance to get started.
  • Integrate Azure Advanced Threat Protection (ATP) with Microsoft Cloud App Security:
    Once you’ve successfully deployed and configured Azure ATP, enable the integration with Microsoft Cloud App Security to bring on-premises signal into the risk signal we know about the user. This enables Azure AD to know that a user is indulging in risky behavior while accessing on-premises, non-modern resources (like File Shares) which can then be factored into overall user risk to block further access in the cloud. You will be able to see a combined Priority Score for each user at risk to give a holistic view of which ones your SOC should focus on.
  • Enable Microsoft Defender ATP (E5):
    Microsoft Defender ATP allows you to attest to Windows machines’ health and whether they are undergoing a compromise, and feed that into mitigating risk at runtime. Whereas Domain Join gives you a sense of control, Defender ATP allows you to react to a malware attack in near real time by detecting patterns where multiple user devices are hitting untrustworthy sites and reacting by raising their device/user risk at runtime. See our guidance on configuring Conditional Access in Defender ATP.
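The logging guidance earlier in this guide and the "block legacy authentication" and "enable identity protection" items above meet in the sign-in log: before you block legacy protocols you want to know who still uses them, and once risk signals flow you want to see risky sign-ins that no policy challenged. The following is an added example, not Microsoft's code, that runs that triage over sign-in records in the shape of the Microsoft Graph signIn resource (userPrincipalName, appDisplayName, clientAppUsed, riskLevelDuringSignIn, conditionalAccessStatus, deviceDetail.isCompliant, status.errorCode). The records are constructed sample data; the set of client app names treated as modern follows the "Client app" values shown in the Azure AD sign-in report, and everything else is treated as legacy.

```python
"""Triage Azure AD sign-in records for legacy auth, unchallenged risk and
non-compliant devices (added example over constructed sample data)."""
from __future__ import annotations
from collections import Counter

# Client app names that use modern authentication; anything else is legacy.
MODERN_CLIENT_APPS = {"Browser", "Mobile Apps and Desktop clients"}
RISKY_LEVELS = {"medium", "high"}

# Constructed sample records in the Graph signIn shape (not real tenant data).
SAMPLE_SIGNINS = [
    {"createdDateTime": "2020-04-30T08:01:12Z", "userPrincipalName": "alice@contoso.example",
     "appDisplayName": "Office 365 SharePoint Online", "clientAppUsed": "Browser",
     "ipAddress": "203.0.113.10", "riskLevelDuringSignIn": "none",
     "conditionalAccessStatus": "success", "deviceDetail": {"isCompliant": True},
     "status": {"errorCode": 0}},
    {"createdDateTime": "2020-04-30T08:03:40Z", "userPrincipalName": "bob@contoso.example",
     "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "IMAP4",
     "ipAddress": "198.51.100.7", "riskLevelDuringSignIn": "none",
     "conditionalAccessStatus": "notApplied", "deviceDetail": {},
     "status": {"errorCode": 0}},
    {"createdDateTime": "2020-04-30T08:05:02Z", "userPrincipalName": "bob@contoso.example",
     "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "Exchange ActiveSync",
     "ipAddress": "198.51.100.7", "riskLevelDuringSignIn": "none",
     "conditionalAccessStatus": "notApplied", "deviceDetail": {},
     "status": {"errorCode": 0}},
    {"createdDateTime": "2020-04-30T08:09:55Z", "userPrincipalName": "carol@contoso.example",
     "appDisplayName": "Office 365 Exchange Online",
     "clientAppUsed": "Mobile Apps and Desktop clients",
     "ipAddress": "192.0.2.44", "riskLevelDuringSignIn": "high",
     "conditionalAccessStatus": "notApplied", "deviceDetail": {"isCompliant": False},
     "status": {"errorCode": 0}},
    {"createdDateTime": "2020-04-30T08:12:13Z", "userPrincipalName": "dave@contoso.example",
     "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "Authenticated SMTP",
     "ipAddress": "192.0.2.99", "riskLevelDuringSignIn": "none",
     "conditionalAccessStatus": "notApplied", "deviceDetail": {},
     "status": {"errorCode": 50126}},   # invalid username or password
]


def succeeded(rec: dict) -> bool:
    return rec.get("status", {}).get("errorCode", 0) == 0


def is_legacy(rec: dict) -> bool:
    return rec.get("clientAppUsed") not in MODERN_CLIENT_APPS


def legacy_auth_inventory(records: list[dict]) -> Counter:
    """Who would break if legacy auth were blocked today: (user, client app) -> count.
    Only successful sign-ins are counted; failures are attempts, not dependencies."""
    return Counter((r["userPrincipalName"], r["clientAppUsed"])
                   for r in records if succeeded(r) and is_legacy(r))


def risky_unchallenged(records: list[dict]) -> list[str]:
    """Successful sign-ins with medium/high risk where no Conditional Access
    policy applied: a coverage gap in the 'verify explicitly' policies."""
    return sorted({r["userPrincipalName"] for r in records
                   if succeeded(r) and r.get("riskLevelDuringSignIn") in RISKY_LEVELS
                   and r.get("conditionalAccessStatus") == "notApplied"})


def noncompliant_device_access(records: list[dict]) -> list[str]:
    """Successful sign-ins from devices Intune reported as not compliant.
    A missing isCompliant (typical for legacy clients) is unknown, not False."""
    return sorted({r["userPrincipalName"] for r in records
                   if succeeded(r) and r.get("deviceDetail", {}).get("isCompliant") is False})


def triage(records: list[dict]) -> dict:
    return {"legacy_auth": legacy_auth_inventory(records),
            "risky_unchallenged": risky_unchallenged(records),
            "noncompliant_devices": noncompliant_device_access(records)}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_SIGNINS).items():
        print(f"{key}: {dict(value) if isinstance(value, Counter) else value}")
```

On the sample data, the inventory shows bob's IMAP4 and ActiveSync dependencies (the people to move to modern clients before the block policy is enabled), carol's high-risk sign-in that no policy touched, and carol's access from a non-compliant device. dave's failed SMTP attempt is deliberately not counted as a dependency, though a spray of such failures is worth its own detection.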

Conclusion

We hope the above guides help you deploy the identity pieces central to a successful Zero Trust strategy. Make sure to check out the other deployment guides in the series by following the Microsoft Security blog.

The post Zero Trust Deployment Guide for Microsoft Azure Active Directory appeared first on Microsoft Security.

Building Zero Trust networks with Microsoft 365

The traditional perimeter-based network defense is obsolete. Perimeter-based networks operate on the assumption that all systems within a network can be trusted. However, today’s increasingly mobile workforce, the migration towards public cloud services, and the adoption of the Bring Your Own Device (BYOD) model make perimeter security controls irrelevant. Networks that fail to evolve from traditional defenses are vulnerable to breaches: an attacker can compromise a single endpoint within the trusted boundary and then quickly expand their foothold across the entire network.

In 2013, a massive credit card data breach hit Target and exposed the credit card information of over 40 million customers. Attackers used malware-laced emails to steal credentials from contractors that had remote access to Target’s network. They then used the stolen credentials to gain access to the network, effectively evading the perimeter defense mechanisms that Target had in place. Once inside the network, the attackers installed malware on payment systems used in Target stores across the US and stole customer credit card information.

Zero Trust networks eliminate the concept of trust based on network location within a perimeter. Instead, Zero Trust architectures leverage device and user trust claims to gate access to organizational data and resources. A general Zero Trust network model (Figure 1) typically comprises the following:

  • Identity provider to keep track of users and user-related information
  • Device directory to maintain a list of devices that have access to corporate resources, along with their corresponding device information (e.g., type of device, integrity etc.)
  • Policy evaluation service to determine if a user or device conforms to the policy set forth by security admins
  • Access proxy that utilizes the above signals to grant or deny access to an organizational resource

Figure 1. Basic components of a general Zero Trust network model

Gating access to resources using dynamic trust decisions allows an enterprise to enable access to certain assets from any device while restricting access to high-value assets on enterprise-managed and compliant devices. In targeted and data breach attacks, attackers can compromise a single device within an organization, and then use the “hopping” method to move laterally across the network using stolen credentials. A solution based on Zero Trust network, configured with the right policies around user and device trust, can help prevent stolen network credentials from being used to gain access to a network.

Zero Trust is the next evolution in network security. The state of cyberattacks drives organizations to take the assume breach mindset, but this approach should not be limiting. Zero Trust networks protect corporate data and resources while ensuring that organizations can build a modern workplace using technologies that empower employees to be productive anytime, anywhere, any which way.

Zero Trust networking based on Azure AD conditional access

Today, employees access their organization’s resources from anywhere using a variety of devices and apps. Access control policies that focus only on who can access a resource is not sufficient. To master the balance between security and productivity, security admins also need to factor in how a resource is being accessed.

Microsoft has a story and strategy around Zero Trust networking. Azure Active Directory conditional access is the foundational building block of how customers can implement a Zero Trust network approach. Conditional access and Azure Active Directory Identity Protection make dynamic access control decisions based on user, device, location, and session risk for every resource request. They combine (1) attested runtime signals about the security state of a Windows device and (2) the trustworthiness of the user session and identity to arrive at the strongest possible security posture.

Conditional access provides a set of policies that can be configured to control the circumstances in which users can access corporate resources. Considerations for access include user role, group membership, device health and compliance, mobile applications, location, and sign-in risk. These considerations are used to decide whether to (1) allow access, (2) deny access, or (3) control access with additional authentication challenges (e.g., multi-factor authentication), Terms of Use, or access restrictions. Conditional access works robustly with any application configured for access with Azure Active Directory.

Figure 2. Microsoft’s high-level approach to realizing Zero Trust networks using conditional access.

To accomplish the Zero Trust model, Microsoft integrates several components and capabilities in Microsoft 365: Windows Defender Advanced Threat Protection, Azure Active Directory, Windows Defender System Guard, and Microsoft Intune.

Windows Defender Advanced Threat Protection

Windows Defender Advanced Threat Protection (ATP) is an endpoint protection platform (EPP) and endpoint detection response (EDR) technology that provides intelligence-driven protection, post-breach detection, investigation, and automatic response capabilities. It combines built-in behavioral sensors, machine learning, and security analytics to continuously monitor the state of devices and take remedial actions if necessary. One of the unique ways Windows Defender ATP mitigates breaches is by automatically isolating compromised machines and users from further cloud resource access.

For example, attackers use the Pass-the-Hash (PtH) and the Pass the ticket for Kerberos techniques to directly extract hashed user credentials from a compromised device. The hashed credentials can then be used to make lateral movement, allowing attackers to leapfrog from one system to another, or even escalate privileges. While Windows Defender Credential Guard prevents these attacks by protecting NTLM hashes and domain credentials, security admins still want to know that such an attack occurred.

Windows Defender ATP exposes attacks like these and generates a risk level for compromised devices. In the context of conditional access, Windows Defender ATP assigns a machine risk level, which is later used to determine whether the client device should get a token required to access corporate resources. Windows Defender ATP uses a broad range of security capabilities and signals, including:

Windows Defender System Guard runtime attestation

Windows Defender System Guard protects and maintains the integrity of a system as it boots up and continues running. In the assume breach mentality, it’s important for security admins to have the ability to remotely attest the security state of a device. With the Windows 10 April 2018 Update, Windows Defender System Guard runtime attestation contributes to establishing device integrity. It makes hardware-rooted boot-time and runtime assertions about the health of the device. These measurements are consumed by Windows Defender ATP and contribute to the machine risk level assigned to the device.

The single most important goal of Windows Defender System Guard is to validate that the system integrity has not been violated. This hardware-backed, high-integrity trusted framework enables customers to request a signed report that can attest (within guarantees specified by the security promises) that no tampering of the device’s security state has taken place. Windows Defender ATP customers can view the security state of all their devices using the Windows Defender ATP portal, allowing detection and remediation of any security violation.

Windows Defender System Guard runtime attestation leverages the hardware-rooted security technologies in virtualization-based security (VBS) to detect attacks. On virtual secure mode-enabled devices, Windows Defender System Guard runtime attestation runs in an isolated environment, making it resistant to even a kernel-level adversary.

Windows Defender System Guard runtime attestation continually asserts system security posture at runtime. These assertions are directed at capturing violations of Windows security promises, such as disabling process protection.

Azure Active Directory

Azure Active Directory is a cloud identity and access management solution that businesses use to manage access to applications and protect user identities both in the cloud and on-premises. In addition to its directory and identity management capabilities, as an access control engine Azure AD delivers:

  • Single sign-on experience: Every user has a single identity to access resources across the enterprise to ensure higher productivity. Users can use the same work or school account for single sign-on to cloud services and on-premises web applications. Multi-factor authentication helps provide an additional level of validation of the user.
  • Automatic provisioning of application access: Users’ access to applications can be automatically provisioned or de-provisioned based on their group memberships, geo-location, and employment status.

As an access management engine, Azure AD makes a well-informed decision about granting access to organizational resources using information about:

  • Group and user permissions
  • App being accessed
  • Device used to sign in (e.g., device compliance info from Intune)
  • Operating system of the device being used to sign in
  • Location or IP ranges of sign-in
  • Client app used to sign in
  • Time of sign-in
  • Sign-in risk, which represents the probability that a given sign-in isn’t authorized by the identity owner (calculated by Azure AD Identity Protection’s multiple machine learning or heuristic detections)
  • User risk, which represents the probability that a bad actor has compromised a given user (calculated by Azure AD Identity Protection’s advanced machine learning that leverages numerous internal and external sources of label data to continually improve)
  • More factors that we will continually add to this list

Conditional access policies are evaluated in real-time and enforced when a user attempts to access any Azure AD-connected application, for example, SaaS apps, custom apps running in the cloud, or on-premises web apps. When suspicious activity is discovered, Azure AD helps take remediation actions, such as block high-risk users, reset user passwords if credentials are compromised, enforce Terms of Use, and others.

The decision to grant access to a corporate application is given to client devices in the form of an access token. This decision is centered around compliance with the Azure AD conditional access policy. If a request meets the requirements, a token is granted to a client. The policy may require that the request provides limited access (e.g., no download allowed) or even be passed through Microsoft Cloud App Security for in-session monitoring.

Microsoft Intune

Microsoft Intune is used to manage mobile devices, PCs, and applications in an organization. Microsoft Intune and Azure have management and visibility of assets and data valuable to the organization, and have the capability to automatically infer trust requirements based on constructs such as Azure Information Protection, Asset Tagging, or Microsoft Cloud App Security.

Microsoft Intune is responsible for the enrollment, registration, and management of client devices. It supports a wide array of device types: mobile devices (Android and iOS), laptops (Windows and macOS), and employees’ BYOD devices. Intune combines the machine risk level provided by Windows Defender ATP with other compliance signals to determine the compliance status (isCompliant) of the device. Azure AD leverages this compliance status to block or allow access to corporate resources. Conditional access policies can be configured in Intune in two ways:

  • App-based: Only managed applications can access corporate resources
  • Device-based: Only managed and compliant devices can access corporate resources

Read more on how to configure the risk-based conditional access compliance check in Intune.

Conditional access at work

The value of conditional access can be best demonstrated with an example. (Note: The names used in this section are fictitious, but the example illustrates how conditional access can protect corporate data and resources in different scenarios.)

SurelyMoney is one of the most prestigious financial institutions in the world, helping over a million customers carry out their business transactions seamlessly. The company uses Microsoft 365 E5 suite, and their security enterprise admins have enforced conditional access.

An attacker seeks to steal information about the company’s customers and the details of their business transactions. The attacker sends seemingly innocuous e-mails with malware attachments to employees. One employee unwittingly opens the attachment on a corporate device, compromising the device. The attacker can now harvest the employee’s user credentials and try to access a corporate application.

Windows Defender ATP, which continuously monitors the state of the device, detects the breach and flags the device as compromised. This device information is relayed to Azure AD and Intune, which then denies the access to the application from that device. The compromised device and user credentials are blocked from further access to corporate resources. Once the device is auto-remediated by Windows Defender ATP, access is re-granted for the user on the remediated device.

This illustrates how conditional access and Windows Defender ATP work together to help prevent the lateral movement of malware, provide attack isolation, and ensure protection of corporate resources.
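To make the decision flow in this scenario concrete, here is an added example (not Microsoft's code) of a toy policy decision point. It models how Azure AD combines the signals listed earlier (client app type, the isCompliant status Intune derives from the Windows Defender ATP machine risk level, location, sign-in risk, whether MFA was already satisfied) with a policy set written in the shape of the Microsoft Graph conditionalAccessPolicy resource, and walks the SurelyMoney employee's device through compromise, denial, and re-granted access after remediation. The policies, users, and device states are constructed; the evaluation rules are simplified (block wins over any other matched grant, report-only policies never change the outcome, app-enforced restrictions yield a limited session on a non-compliant device).

```python
"""Toy Conditional Access policy decision point (added example)."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class SignInContext:
    user: str
    app: str
    client_app_type: str      # browser | mobileAppsAndDesktopClients | exchangeActiveSync | other
    device_compliant: bool    # isCompliant as reported by Intune
    trusted_location: bool
    sign_in_risk: str = "none"   # none | low | medium | high
    user_risk: str = "none"
    mfa_satisfied: bool = False  # has the user already passed an MFA challenge?


# Constructed sample policy set in the Graph conditionalAccessPolicy shape.
POLICIES = [
    {"displayName": "Block legacy authentication", "state": "enabled",
     "conditions": {"clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Rich clients need a compliant device", "state": "enabled",
     "conditions": {"clientAppTypes": ["mobileAppsAndDesktopClients"]},
     "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice"]}},
    {"displayName": "High sign-in risk requires MFA", "state": "enabled",
     "conditions": {"clientAppTypes": ["all"], "signInRiskLevels": ["high"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Browser sessions get app-enforced restrictions", "state": "enabled",
     "conditions": {"clientAppTypes": ["browser"]},
     "sessionControls": {"applicationEnforcedRestrictions": {"isEnabled": True}}},
    {"displayName": "Draft: block untrusted locations",
     "state": "enabledForReportingButNotEnforced",   # report-only: never enforced
     "conditions": {"clientAppTypes": ["all"],
                    "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
]


def _matches(policy: dict, ctx: SignInContext) -> bool:
    """Does the policy's condition set apply to this sign-in?"""
    c = policy["conditions"]
    apps = c.get("clientAppTypes", ["all"])
    if "all" not in apps and ctx.client_app_type not in apps:
        return False
    if ctx.sign_in_risk not in c.get("signInRiskLevels", [ctx.sign_in_risk]):
        return False
    if ctx.user_risk not in c.get("userRiskLevels", [ctx.user_risk]):
        return False
    loc = c.get("locations")
    if loc and ctx.trusted_location and "AllTrusted" in loc.get("excludeLocations", []):
        return False
    return True


def _satisfied(control: str, ctx: SignInContext) -> bool:
    return {"mfa": ctx.mfa_satisfied, "compliantDevice": ctx.device_compliant}.get(control, False)


def evaluate(ctx: SignInContext, policies: list[dict] = POLICIES) -> str:
    """Return 'block', 'require:<controls>', 'allow-limited' or 'allow'."""
    unmet: set[str] = set()
    limited = False
    for p in policies:
        if p["state"] != "enabled" or not _matches(p, ctx):
            continue
        grant = p.get("grantControls")
        if grant:
            controls = grant["builtInControls"]
            if "block" in controls:
                return "block"           # block wins over every other matched grant
            ok = [_satisfied(c, ctx) for c in controls]
            if not (any(ok) if grant["operator"] == "OR" else all(ok)):
                unmet.update(c for c, s in zip(controls, ok) if not s)
        if p.get("sessionControls", {}).get("applicationEnforcedRestrictions", {}).get("isEnabled"):
            limited = True
    if unmet:
        return "require:" + ",".join(sorted(unmet))   # token withheld until satisfied
    return "allow-limited" if limited and not ctx.device_compliant else "allow"


def surelymoney_scenario() -> list[tuple[str, str]]:
    """The compromise-and-remediation story from the text, step by step."""
    laptop = dict(user="employee@surelymoney.example", app="SharePoint Online",
                  client_app_type="mobileAppsAndDesktopClients", trusted_location=True)
    attacker = dict(user="employee@surelymoney.example", app="Exchange Online",
                    device_compliant=False, trusted_location=False)
    steps = [
        ("healthy corporate laptop", SignInContext(device_compliant=True, **laptop)),
        ("same laptop after Defender ATP raises machine risk (Intune: not compliant)",
         SignInContext(device_compliant=False, **laptop)),
        ("harvested password replayed over a legacy protocol",
         SignInContext(client_app_type="other", **attacker)),
        ("harvested password in a browser from an unknown device, high sign-in risk",
         SignInContext(client_app_type="browser", sign_in_risk="high", **attacker)),
        ("same browser sign-in if the MFA challenge were passed",
         SignInContext(client_app_type="browser", sign_in_risk="high", mfa_satisfied=True, **attacker)),
        ("laptop after Defender ATP auto-remediation", SignInContext(device_compliant=True, **laptop)),
    ]
    return [(label, evaluate(ctx)) for label, ctx in steps]


if __name__ == "__main__":
    for label, outcome in surelymoney_scenario():
        print(f"{outcome:26} {label}")
```

The sequence reproduces the narrative: the compliant laptop is allowed, the same laptop is denied a token the moment Intune reports it non-compliant, the replayed credential over a legacy protocol is blocked outright, the browser attempt is held at an MFA challenge (and even a passed challenge only yields the limited, no-download session from an unmanaged device), and access returns once the device is remediated.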

Azure AD applications such as Office 365, Exchange Online, SPO, and others

The executives at SurelyMoney store a lot of high-value confidential documents in Microsoft SharePoint, an Office 365 application. Using a compromised device, the attacker tries to steal these documents. However, conditional access’s tight coupling with O365 applications prevents this from taking place.

Office 365 applications like Microsoft Word, Microsoft PowerPoint, and Microsoft Excel allow an organization’s employees to collaborate and get work done. Different users can have different permissions, depending on the sensitivity or nature of their work, the group they belong to, and other factors. Conditional access facilitates access management in these applications as they are deeply integrated with the conditional access evaluation. Through conditional access, security admins can implement custom policies, enabling the applications to grant partial or full access to requested resources.

Figure 3. Zero Trust network model for Azure AD applications

Line of business applications

SurelyMoney has a custom transaction-tracking application connected to Azure AD. This application keeps records of all transactions carried out by customers. The attacker tries to gain access to this application using the harvested user credentials. However, conditional access prevents this breach from happening.

Every organization has mission-critical and business-specific applications that are tied directly to the success and efficiency of employees. These typically include custom applications related to e-commerce systems, knowledge tracking systems, document management systems, etc. Azure AD will not grant an access token for these applications if they fail to meet the required compliance and risk policy, relying on a binary decision on whether access to resources should be granted or denied.

Figure 4. Zero Trust network model expanded for line of business apps

On-premises web applications

Employees today want to be productive anywhere, any time, and from any device. They want to work on their own devices, whether they be tablets, phones, or laptops. And they expect to be able to access their corporate on-premises applications. Azure AD Application Proxy allows remote access to external applications as a service, enabling conditional access from managed or unmanaged devices.

SurelyMoney has built their own version of a code-signing application, which is a legacy tenant application. It turns out that the user of the compromised device belongs to the code-signing team. The requests to the on-premises legacy application are routed through the Azure AD Application Proxy. The attacker tries to make use of the compromised user credentials to access this application, but conditional access foils this attempt.

Without conditional access, the attacker would be able to create any malicious application he wants, code-sign it, and deploy it through Intune. These apps would then be pushed to every device enrolled in Intune, and the hacker would be able to gain an unprecedented amount of sensitive information. Attacks like these have been observed before, and it is in an enterprise’s best interests to prevent this from happening.

Figure 5. Zero Trust network model for on-premises web applications

Continuous innovation

At present, conditional access works seamlessly with web applications. Zero Trust, in the strictest sense, requires all network requests to flow through the access control proxy and for all evaluations to be based on the device and user trust model. These network requests can include various legacy communication protocols and access methods like FTP, RDP, SMB, and others.

By leveraging device and user trust claims to gate access to organizational resources, conditional access provides comprehensive but flexible policies that secure corporate data while ensuring user productivity. We will continue to innovate to protect the modern workplace, where user productivity continues to expand beyond the perimeters of the corporate network.

Sumesh Kumar, Ashwin Baliga, Himanshu Soni, Jairo Cadena
Enterprise & Security