Archive

Archive for the ‘Azure Active Directory’ Category

Medius’ small IT team supports distributed workforce with Azure Active Directory

March 22nd, 2021 No comments

In today’s Voice of the Customer blog post, IT Manager Jacob Andersson and IT Systems Architect Fredrik Frööjd of Medius share how Azure Active Directory (Azure AD) has inspired employees to live by the cloud commitment the company encourages from customers and helped their small team support a remote workforce with fewer resources. Atea, one of our Azure AD system integration partners, played a key role in this effort.

Medius logo

Securing a remote workforce with fewer resources with Azure Active Directory

At Medius, we develop cloud-based spend management solutions, including the accounts payable workflow solution MediusFlow (Microsoft offers an online tutorial on configuring MediusFlow for automatic user provisioning). We’re one of the largest Microsoft partners in the Nordics to build and offer an entire solution in Azure. Because we advocate the value of cloud for customers, we decided it was fitting to turn to the cloud solution offered by Azure AD to meet our identity requirements.

Providing a fully remote work environment

Our 3,500 customers typically want to restrict access to their financial documents by title or division. Since most have more than 200 employees, it would be cumbersome to manually set access for each employee. Being able to assign users through Azure AD using known Microsoft protocols is a big selling point of our spend management solution.

We can relate to our customers’ need for secure authentication in systems and applications; it’s important to us too. While headquartered in Sweden, Medius has offices in eight other countries and our employees work from across the globe. Teams are both distributed and virtual. It’s not unusual for project meetings with customers to include Medius employees from three countries. We’ve prioritized providing a fully remote environment, in part because the consulting nature of our business requires that some employees travel to customer sites.

That fully remote experience extends to offboarding. When employees leave Medius, Azure AD identity and access management makes it easier to abide by our HR processes, which are reviewed by external auditors. Each employee is associated with an active ID. When an employee is offboarded, we can disable accounts and block user access to everything at once from Azure AD.

Freeing up IT time with features and user self-service

As a small IT team, we couldn’t support Medius’ 400 employees without the increased security and high reliability offered by Azure AD. Time savings is among the biggest benefits of using Azure AD for secure management of users and identities. If a partner requires access, Medius can add them as a guest in Azure AD so the external identity is trusted in required Medius’ internal systems.

Azure AD serves as a trusted source of information that we can depend on in every situation. Rather than navigating islands of systems with unique identities, Azure AD is our single place for everything related to identity management. Because of that, we can help users in any time zone from wherever we’re working. However, users appreciate that the solution is user-friendly, and they can handle some identity tasks themselves. This frees up the IT service desk to focus on other work, and in a growing company, there’s plenty to do.

Users tell us they appreciate the simplicity of single sign-on, which allows them to log in with a single ID and password to SaaS apps like Salesforce, Zuora, Jira, Confluence, DocuSign, and Freshdesk. They also like the flexible integration, ease of use for frictionless workflow, and convenience of Azure AD multifactor authentication, which lets them verify their identity via multiple credentials.

Self-service password reset is another popular feature. We operate in just about every time zone, but our IT team is located in European time zones. Before self-service password reset, it could take as long as two days for an employee to have a password reset by the IT team. Now, employees can reset a forgotten or locked password themselves 24/7 and stay productive.

Connecting during the health crisis

Before the recent healthcare crisis sent employees home, Medius switched from Skype to Microsoft Teams, making it easier for everyone to remotely collaborate and share files. That’s been even more valuable now that in-person meetings are not possible.

Medius is a growing company that has been hiring throughout the crisis. With Azure AD, we can ship laptops directly to the homes of new employees and have them login remotely using Windows Autopilot, which is a collection of technologies to set up and pre-configure new devices.

Improving processes with support from Atea

Our partner Atea, one of the leading providers of IT infrastructure in the Nordic and Baltic regions, offers a full range of hardware and software from the world’s leading technology companies and a team of consultants. The company played a key role in our effort to migrate apps to Azure AD and ramp up new employees.

Atea has told us that they do a lot of work for their customers when it comes to migrating apps to the cloud, helping them to benefit from the security and time-saving benefits of Azure AD. For instance, the pre-defined instructions on configuring applications in the app gallery facilitate the process of setting up a new integration.

Atea calls the partnership with Microsoft “extremely important” and has appreciated seeing product roadmaps and gaining access to private previews, which help it shape future offerings.

We look forward to sharing our next big successes: the introduction of the Conditional Access feature and a broader rollout of passwordless identity authentication.

Voice of the Customer: Looking ahead

Many thanks to Jacob and Fredrik for sharing the benefits they’ve realized with Azure AD. Our customers have told us how valuable it is to learn from their peers. The Voice of the Customer blog series is designed to share our customers’ security and implementation insights more broadly. Bookmark the Microsoft Security blog Voice of the Customer so you don’t miss the next blog in this series!

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Medius’ small IT team supports distributed workforce with Azure Active Directory appeared first on Microsoft Security.

Identity at Microsoft Ignite: Strengthening Zero Trust defenses in the era of hybrid work

March 2nd, 2021 No comments

We’re now a year into our new reality, and two trends stand out. First, people need even more flexibility as we work, learn, and collaborate in a world without perimeters. And second, bad actors are getting even more sophisticated. They’re adding new attack vectors and combining them in new creative ways, as we just saw with Solorigate.

In January, I shared our top five identity priorities for 2021 to help you strengthen security and accelerate your transition to the new hybrid work era. More than ever, organizations need to strengthen their defenses to give employees, partners, and customers the flexibility to work from anywhere using apps that live inside and outside the traditional corporate network perimeter. That’s why Zero Trust, a security strategy that combines maximum flexibility with maximum security, is so crucial.

For IT pros and security professionals, the implementation of Zero Trust should be simple and straightforward. For users, it should never get in the way, and it should fit into familiar workflows and habits. This week, on the virtual Microsoft Ignite stage, I’m announcing several Azure Active Directory (Azure AD) innovations that will help make life easier for you and your employees now—and help you stay prepared for whatever comes next.

Give your employees a secure and seamless user experience

As part of our commitment to making security as seamless as possible, passwordless authentication is now generally available for organizations to deploy at scale. Your IT admins, employees, and partners can benefit from increased security and simplicity. We’ve made it easy to roll out passwordless at scale with expanded policies that define which authentication methods specific users or groups can use. New reporting capabilities allow you to see the usage and adoption of passwordless authentication methods across your organization. To help you simplify and secure remote access, we’ve also released the preview of Temporary Access Pass, a time-limited code used to set up and recover a passwordless credential.

Azure AD Temporary Access Pass

Microsoft already has more than 200 million passwordless users across our consumer and enterprise services. We’re excited to see even more customers adopting passwordless each day. Axiata Group is the first company in Southeast Asia to eliminate passwords for their employees. They went passwordless using Windows Hello for Business and the Microsoft Authenticator app. Abid Adam, group chief risk and compliance officer at Axiata Group said, “Rather than make their lives miserable with long passwords that create risk for the organization, we turned to biometrics. Now with Windows Hello, security is baked into our ecosystem, and we have better access to information with greater barriers to bad actors. It’s a win-win for our security team, our employees, and the company.” Similarly, in Europe, Umeå municipality wanted to strengthen security and eliminate the use of passwords. With help from Onevinn and Yubico partners, they were able to roll out their first passwordless deployment in less than 10 days. Watch my interview on Microsoft Mechanics to see passwordless in action.

Going passwordless not only simplifies the user experience but also strengthens your security posture. And thanks to Azure AD Conditional Access, you no longer need to request multifactor authentication every time someone accesses an app that touches sensitive data. Instead, you can step up authentication based on what the user is trying to do within the app—for example, downloading a highly confidential document. With Azure AD Conditional Access authentication context, now in preview, you can move away from one-size-fits-all security and adopt more granular policies that protect resources with the right level of controls based on user actions or the data they are trying to access.

Azure AD Conditional Access authentication context

Announcements:

  • General availability of passwordless authentication.
  • Preview of Temporary Access Pass.
  • Preview of Azure AD Conditional Access authentication context.

Secure access to all apps

Most of you manage multi-cloud environments. Your developers are building apps that are distributed across Microsoft Azure, Amazon Web Services (AWS), and Google Cloud Platform. They need to sign in to each cloud with only one set of credentials. So that you can quickly configure single-sign-on (SSO) and user provisioning, we’re constantly expanding the Azure AD app gallery with as many pre-integrations as possible—even with our competitors.

AWS Single Sign-On app is now pre-integrated with Azure AD and available in the app gallery. This integration lets you connect Azure AD to AWS SSO, a cloud-based service that simplifies SSO access across multiple AWS accounts and resources. You can centralize management of user access to AWS, while your employees can gain access using their Azure AD credentials.

AWS SSO pre-integrated with Azure AD

During the past year, many organizations have relied on our Azure AD App Proxy service to help employees secure remote access to on-premises apps. Usage grew more than 100 percent last year, helping organizations move away from VPN solutions. Today, we’re adding two new features to help you get the most out of App Proxy. First, native support for header-based authentication with App Proxy is now generally available. Second, traffic optimization by region for App Proxy is now in preview. This new feature lets you designate which region your App Proxy service connector group should use and select the same region as your apps. This new feature helps reduce latency and improve performance.

Azure AD App Proxy support for header-based authentication apps

To protect your legacy, on-premises applications, we’re expanding the list of our secure hybrid access partnerships to include Datawiza, Perimeter 81, Silverfort, and Strata. In addition to connecting your on-premises apps, partners like Datawiza, Strata, and Silverfort can help you discover and prioritize apps and resources to migrate to Azure AD. “Silverfort is thrilled to be able to collaborate with Azure AD to enable unified secure access to legacy, on-premises apps, and resources,” said Ron Rasin, vice president of product and strategic alliances at Silverfort. “Identity has become the primary security control plane making it critical that organizations can discover, prioritize, and migrate the apps and resources to a central identity solution like Azure AD.”

Solorigate taught us that in many cases, cloud environments are more secure than on-premises. To strengthen your defenses, it’s critical to minimize your on-premises footprint and manage all your apps from the cloud. The process of discovering applications across different environments and prioritizing them for cloud modernization can be daunting, however. To make it easier, we’re announcing the general availability of Active Directory Federation Services (AD FS) activity and insights report. This report assesses all AD FS applications for compatibility with Azure AD, checks for any issues, and provides guidance on preparing individual applications for migration to Azure AD.

AD FS activity and insights report

Announcements:

  • AWS Single Sign-On now available in Azure AD app gallery.
  • General availability of AD FS activity and insights report.
  • New secure hybrid access partnerships with Datawiza, Perimeter 81, Silverfort, and Strata.
  • General availability of Azure AD App Proxy support for header-based authentication apps.
  • Preview of Azure AD App Proxy support for traffic optimization by region.

Secure your customers and partners

A strong Zero Trust approach requires that we treat access requests from customers, partners, and vendors just like requests from employees: verify every request, allow users to access the data they need only when they need it, and don’t let guests overstay their welcome. With Azure AD, you can apply consistent access policies to all types of external users.

Generally available starting this month, Azure AD External Identities is a set of capabilities for securing and managing identity and access for customers and partners. Self-service sign-up user flows in Azure AD apps make it easy to create, manage, and customize onboarding experiences for external users, with little to no application code. You can integrate support for sign-in using Google and Facebook IDs and extend the flow with powerful API connectors. Using Azure AD Identity Protection, you can protect your business-to-business (B2B) and business-to-consumer (B2C) apps and users with adaptive, machine learning–driven security.

Azure AD External Identities admin portal and user experience

With automated guest access reviews for Microsoft Teams and Microsoft 365 groups, now generally available, Azure AD will prompt you to review and update access permissions for all guests added to new or existing Teams or groups on a regular schedule. The process of cleaning up access to sensitive resources that your guest users no longer need will become less manual—and less neglected.

Announcements:

  • General availability of Azure AD External Identities.
  • General availability of Azure AD access reviews for all guests in Teams and Microsoft 365 groups.

The future of identity is bright

While 2020 was a challenging year, we have much to look forward to in 2021, with innovations that will deliver more security, transparency, and privacy for users. Last Microsoft Ignite, I talked about verifiable credentials and our commitment to empowering every person to own their own identity thanks to decentralized identifiers. I’m happy to share that Azure AD verifiable credentials is entering preview in just a few weeks. Developers will get an SDK, with quick-start guides, for building apps that request and verify credentials, just like they do with usernames and passwords. I’m also excited to announce that we are partnering with some of the leading ID verification partners—Acuant, Au10tix, Idemia, Jumio, Socure, Onfido, Vu Security—to improve verifiability and secure information exchange.

Verifiable credentials let organizations confirm information about someone—like their education and professional certifications—without collecting and storing their personal data. This will revolutionize the way we grant permissions to access our information. Organizations will be able to issue digital versions of a variety of credentials such as physical badges, loyalty cards, and government-issued paper documents based on open standards. Because the digital information is verified by a known party, it’s more trustworthy, and verification will only take minutes instead of days or weeks.

Azure AD verifiable credentials

Individuals get more control over what information they share with whom, and they can restrict access to that shared information at any time. They only have to verify a credential once to use it everywhere. To manage their credentials, they can use the Microsoft Authenticator app and other wallet apps that support open standards, such as the pilot application built by Keio University for their students.

Announcement:

  • Preview of Azure AD verifiable credentials.

And finally, I’m happy to share that we’re releasing a new Microsoft Identity and Access Administrator Certification, which you can find at the Microsoft Security Resources portal. This training helps admins design, implement, and operate Azure AD as the organization’s security control plane.

Announcement:

  • Release of the Microsoft Identity and Access Administrator Certification.

The new features announced at Microsoft Ignite will make it easier to provide seamless user experiences in the hybrid workplace and to strengthen your defenses against attacks that are increasingly sophisticated. As you try these new tools, please send us your feedback so we can continue to build advancements that help you keep your employees secure, connected, and productive.

Let’s make 2021 the Year of Passwordless!

To see these features in action when I take the Microsoft Ignite stage tomorrow, register for free at Microsoft Ignite and watch my session starting at 5 PM Pacific Time. Follow Microsoft Identity at @AzureAD on Twitter for more news and best practices.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security Blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Identity at Microsoft Ignite: Strengthening Zero Trust defenses in the era of hybrid work appeared first on Microsoft Security.

Why threat protection is critical to your Zero Trust security strategy

February 8th, 2021 No comments

The corporate network perimeter has been completely redefined. Many IT leaders are adopting a Zero Trust security model where identities play a critical role in helping act as the foundation of their modern cybersecurity strategy. As a result, cybercriminals have shifted their focus and identities are increasingly under attack.

In this infographic, we explore how this shift is affecting IT leaders and how Microsoft can help apply threat protection to proactively prevent identity compromise and reduce alert fatigue.

  1. There’s been a significant increase in identity-based attacks. As IT leaders rely more heavily on identity in their security strategies, cybercriminals have increased their efforts on this threat vector. And with the shift to remote work in response to COVID-19, we’ve seen a notable number of pandemic-related phishing attacks.
  2. IT leaders need more visibility and protection. With the increase in threats, security professionals and admins are being overwhelmed with alerts. IT leaders are looking for more effective ways to manage alerts and better tools to proactively prevent attackers from being able to compromise accounts.
  3. Preventing identity compromise is more critical than ever. As IT leaders evolve their security strategies, people increasingly working remotely, and the number of identity-based attacks are rising, it’s vital for organizations to implement real-time, AI-based protections that prevent identity compromise.

Check out the infographic for more details.

If you’re interested in how Microsoft can help, see how Azure Active Directory (Azure AD) Identity Protection and Microsoft 365 Defender use real-time, cloud-based AI to proactively prevent identity compromise. Also check out our Security Unlocked podcast with Data Scientist Lead for Microsoft’s Identity Security and Protection team, Maria Peurtas Calvo, to hear how AI is being used to protect identities inside Microsoft products and services.

Visit our Zero Trust page to stay up-to-date on how the latest Microsoft products, features, and resources that can help you implement Zero Trust principles in your organization.

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Why threat protection is critical to your Zero Trust security strategy appeared first on Microsoft Security.

5 identity priorities for 2021—strengthening security for the hybrid work era and beyond

January 28th, 2021 No comments

When I outlined the five identity priorities for 2020, the world was a very different place. Since then, the COVID-19 pandemic has forever changed how organizations run their businesses. It’s also changed the way we work, learn, and collaborate. What hasn’t changed is the critical role identity plays in helping organizations to be secure and productive.

Yesterday, we shared the progress we’ve made with our integrated security, compliance, identity, and management solutions. Identity alone has grown at an unprecedented pace—from 300 million monthly active users (MAU) in March 2020 to 425 million today. Organizations around the world have accelerated the adoption of security and collaboration apps. But behind these numbers are stories of customers like you, working tirelessly to help your organizations stay ahead.

As I prepare for our traditional customer co-innovation week and reflect on our customers’ challenges and business goals, I want to share our five identity priorities for this year. Many of the recommendations I outlined last year still apply. In fact, they’re even more relevant as organizations accept the new normal of flexible work while bad actors continue to master sophisticated cyber attack techniques. Our 2021 recommendations will help you strengthen your identity and security foundations for the long term, so you can be ready for whatever comes next.

1. Trust in Zero Trust

Zero Trust is back this year, but this time it’s at the top of the list. The “assume breach” mentality of Zero Trust has become a business imperative. Organizations need to harden their defenses to give employees the flexibility to work from anywhere, using applications that live outside of traditional corporate network protections. When the pandemic hit last year, we worked side by side with many of you. We noticed that organizations already on their Zero Trust journey had an easier time transitioning to remote work and strengthening their ability to fend off sophisticated attacks.

The good news is that 94 percent of the security leaders we polled last July told us they had already embarked on a Zero Trust journey. Wherever you are on your journey, we recommend making identity the foundation of your approach. You can protect against credentials compromise with essential tools like multifactor authentication (MFA) and benefit from innovations like risk assessment in Identity Protection, continuous access evaluation, Intune app-protection policies, as well as Microsoft Azure Active Directory (Azure AD) Application Proxy and Microsoft Tunnel.

Looking ahead, as more services act like people by running applications (via API calls or automation) and accessing or changing data, secure them using the same principles: make sure they only get access to the data they need, when they need it, and protect their credentials from misuse.

Where to start: Take the Zero Trust assessment and visit our Deployment Center for deployment guidelines.

2. Secure access to all apps

This was our top recommendation last year, and it couldn’t be more critical today. The growth in app usage with Azure AD shows that organizations are connecting more apps to single sign-on. While this provides seamless and secure access to more apps, the best experience will come from connecting all apps to Azure AD so people can complete all work-related tasks from home and stay safer during the pandemic. Connecting all apps to Azure AD also simplifies the identity lifecycle, tightens controls, and minimizes the use of weak passwords. The result is stronger security at a lower cost: Forrester estimates that such a move can save an average enterprise almost USD 2 million over three years.

Azure AD app gallery includes thousands of pre-integrated apps that simplify deployment of single sign-on and user provisioning. If you want to extend MFA and Conditional Access to legacy on-premises apps, including header-based apps, use Azure AD Application Proxy or an integrated solution from one of our secure hybrid access partners. With our migration tools, you can modernize authentication of all apps and retire your ADFS implementation. This will help prevent attacks that are particularly difficult to detect in on-premises identity systems.

It’s also important to limit the number of admins who can manage apps across your organization, to protect privileged accounts with MFA and Conditional Access, and to require just-in-time (JIT) elevation into admin roles with Privileged Identity Management.

Where to start: Learn how to use Azure AD to connect your workforce to all the apps they need.

3. Go passwordless

We’ll keep repeating the mantra “Go passwordless” as long as passwords remain difficult for people to remember and easy for hackers to guess or steal. Since last year we’ve seen great progress: in May, we shared that over 150 million users across Azure AD and Microsoft consumer accounts were using passwordless authentication. By November, passwordless usage in Azure AD alone had grown by more than 50 percent year-over-year across Windows Hello for Business, Microsoft Authenticator, and FIDO2 security keys from partners like AuthenTrend, Feitian, or Yubico.

Passwordless authentication can minimize or eliminate many identity attack vectors, including those exploited in the most sophisticated cyberattacks. At a minimum, going passwordless should be non-negotiable for admin-level accounts. Moreover, providing employees with a fast, easy sign-in experience saves time and reduces frustration. Forrester estimates that consolidating to a single identity solution and providing one set of credentials saves each employee 10 minutes a week on average, or more than 40 hours a year. Imagine additional savings from not having to reset passwords or mitigate phishing attacks.

Where to start: Read the Forrester Report, “The Total Economic Impact™ Of Securing Apps With Microsoft Azure Active Directory.”

4. Choose and build secure-by-design apps

Because attacks on applications are growing, it’s important to go a step beyond integrating apps with Azure AD to deploying apps that are secure by design. Build secure authentication into the apps you write yourself using the Microsoft Authentication Library (MSAL). Ideally, apps should go passwordless too, so ensure they’re using strong credentials like certificates. If your apps interact with other Microsoft services, take advantage of the identity APIs in Microsoft Graph. Whenever possible, choose third-party apps from verified publishers. Since publisher verification badges make it easier to determine whether an app comes from an authentic source, encourage your ISV partners to become verified publishers if they haven’t already.

Since most apps ask to access company data, administrators may choose to review consent requests before granting permissions. While neglecting to review requests is a security risk, doing it for every single app used by every single employee takes too much time and costs too much. Fortunately, new features like app consent policies and admin consent workflow help avoid the extreme choices of reviewing all requests or delegating full responsibility to employees. Regularly review your apps portfolio and take action on overprivileged, suspicious, or inactive apps.

Where to start: Update your applications to use Microsoft Authentication Library and Microsoft Graph API, adopt app consent policies and publisher verification practices, and follow identity platform best practices.

5. Break collaboration boundaries

We know that partners, customers, and frontline workers are essential to your business. They, too, need simple and secure access to apps and resources, so they can collaborate and be productive, while administrators need visibility and controls to protect sensitive data.

Simplify collaboration for external users with intuitive self-service sign-up flows and the convenience of using their existing email or social account. For frontline workers, Azure AD offers simple access, through sign-in with a one-time SMS passcode, which eliminates the need to remember new credentials. For frontline managers, the My Staff portal makes it easy to set up SMS sign-in, to reset passwords, and to grant access to resources and shared devices without relying on help desk or IT.

Visibility and control are easier to achieve when managing all identities using a common toolset. You can apply the same Conditional Access policies for fine-grained access control to services, resources, and apps. By setting up access review campaigns, or using automated access reviews for all guest users in Microsoft Teams and Microsoft 365 groups, you can ensure that external guests don’t overstay their welcome and only access resources they need.

Where to start: Learn more about Azure AD External Identities and using Azure AD to empower frontline workers.

Get started on the future now: Explore verifiable credentials

During the pandemic, you’ve had to support not only remote work but also remote recruiting. People usually show up to an interview with documentation in hand that confirms their identity and qualifications. It’s more complicated to vet candidates remotely, especially when hiring needs to happen quickly—for example, in the case of essential workers.

Microsoft and industry-leading ID verification partners are pushing the frontier of identity by transforming existing ID verification practices with open standards for verifiable credentials and decentralized identifiers. Verifiable credentials are the digital equivalent of documents like driver’s licenses, passports, and diplomas. In this paradigm, individuals can verify a credential with an ID verification partner once, then add it to Microsoft Authenticator (and other compatible wallets) and use it everywhere in a trustworthy manner. For example, a gig worker can verify their driver’s license and picture digitally, and then use it to get hired by a ride-sharing service and a food delivery company.

Such an approach can improve verification while protecting privacy across the identity lifecycle: onboarding, activating credentials, securing access to apps and services, and recovering lost or forgotten credentials. We’re piloting this technology with customers like the National Health Service in the UK and MilGears, a program of the United States Department of Defense that helps service members and veterans enroll in higher education and jumpstart their civilian careers.

Where to start: Watch our Microsoft Ignite session on Decentralized Identity and join the Decentralized Identity Foundation.

Whether your top priority is modernizing your infrastructure and apps or implementing a Zero Trust security strategy, we are committed to helping you every step of the way. Please send us your feedback so we know what identity innovations you need to keep moving forward on your digital transformation journey.

The post 5 identity priorities for 2021—strengthening security for the hybrid work era and beyond appeared first on Microsoft Security.

Microsoft Advanced Compliance Solutions in Zero Trust Architecture

September 29th, 2020 No comments

Zero Trust revolves around three key principles:  verify explicitly, use least privileged access, and assume breach.  Microsoft’s Advanced Compliance Solutions are an important part of Zero Trust.

This post applies a Zero Trust lens to protecting an organization’s sensitive data and maintaining compliance with relevant standards. Ultimately, Zero Trust architecture is a modern approach to security that focuses on security and compliance for assets regardless of their physical or network location, which contrasts with classic approaches that attempt to force all assets on a ‘secure’ and compliant network.

A Zero Trust strategy should start with Identity and Access Management.  Microsoft built Azure Active Directory (AAD) to enable rapid Zero Trust adoption:

An image of the workflows and visualizations to manage cases.

Architects focus on applying the Zero Trust principles to protect and monitor six technical pillars of the enterprise including:

  • Identity
  • Devices
  • Applications and APIs
  • Data
  • Infrastructure
  • Networks

In an integrated Microsoft Zero Trust solution, AAD and Microsoft Defender for Identity provide protection, monitoring, and trust insights in the User/Identity Pillar. Microsoft Defender for Endpoints and Intune protect and manage the Device.  Azure Security Center and Azure Sentinel monitor, report and provide automated playbooks to deal with events.

Microsoft’s Advanced Compliance solutions are foundational to Zero Trust as well, particularly when implemented to support Microsoft 365.

Microsoft’s Advanced Compliance solutions are foundational to Zero Trust as well, particularly when implemented to support Microsoft 365.

Microsoft Information Protection, Insider Risk Management and Microsoft Cloud App Security are all part of a complete Zero Trust architecture.

Advanced Auditing can increase the visibility around insider or bad actor’s activities with sensitive data like documents and emails as well as increasing the period over which audit data is available for review.

Let’s look closer at these solutions:

  • Microsoft Information Protection: Allows policy enforcement at the document level based on AAD identity.  This protection is resident with the document throughout its lifecycle.  It controls the identities, groups or organizations that can access the document, expires access to the document and controls what authorized users can do with the document e.g. view, print, cut and paste as well as other controls like enforced watermarking.  These controls can be mandatory or can support users with suggested protection.  The policy can be informed by machine learning, standard sensitivity data types (like social security numbers), regular expressions, keywords or exact data match.  When users elect to apply different protection than recommended, their actions are tracked for later review.  Documents can thus be protected throughout their lifecycle, wherever they may travel and to whomever they may be transmitted.

Microsoft Information Protection sensitivity labels are fully integrated with our data loss prevention solution, preventing movement of sensitive information at the boundary of the cloud, between Microsoft and third-party clouds, and at the device endpoint (e.g. laptop).

  • Insider Risk Management: Applies machine learning to the signals available from Microsoft O365 tenant logs, integration with Microsoft Defender Advanced Threat Protection and an increasing number of Microsoft and third party relevant signals to alert on insiders such as employees or contractors who are misusing their access. Default policies are provided, and enterprises can customize policies to meet their needs including for specific projects or scoped to users deemed to be at high risk.   These policies allow you to identify risky activities and mitigate these risks.  Current areas of focus for the solution are:
    • Leaks of sensitive data and data spillage
    • Confidentiality violations
    • Intellectual property (IP) theft
    • Fraud
    • Insider trading
    • Regulatory compliance violations

These signals are visualized and actioned by other Microsoft solutions.  Insider Risk Management uses its specialized algorithms and machine learning to correlate signal and expose Insider Risks in context.  It also provides workflows and visualizations to manage cases.

Insider Risk Management is integrated with AAD and acts on signals from Microsoft Information Protection.

Insider Risk Management is integrated with AAD and acts on signals from Microsoft Information Protection as well as others in the tenant, providing additional security value from the systems already in place.  The alerts generated by the system can be managed with the native case management features or surfaced to Azure Sentinel or third-party systems through the API.

  • Microsoft Cloud App Security: Is a Cloud Access Security Broker that supports various deployment modes including log collection, API connectors, and reverse proxy. It provides rich visibility, granular control over data travel, and sophisticated analytics to identify and combat cyber threats across all Microsoft and third-party cloud services. It controls shadow IT.  It can be used to govern the use of Microsoft and third-party clouds and the sensitive information placed there.

An image of advanced Auditing for M365.

  • Advanced Auditing for M365: Advanced Audit retains all Exchange, SharePoint, and Azure Active Directory audit records for a default of one year.  You can retain audit logs for up to ten years.  Crucial events for investigations, such as whether an attacker has accessed a mail message, whether a sensitive document is re-labelled and many other new log data types are part of this solution.  Investigation playbooks will also shortly be part of this solution.

These Advanced Compliance solutions have native visibility into AAD, the Microsoft Tenant, and into each other.  For example, Insider Risk Management has visibility into Microsoft Information Protection sensitivity labels.  Microsoft Cloud App Security has visibility into and can act on sensitivity labels.

This visibility and machine learning run through the Microsoft Security and Advanced Compliance solutions, making them particularly well suited to a holistic Zero Trust architecture.

The post Microsoft Advanced Compliance Solutions in Zero Trust Architecture appeared first on Microsoft Security.

New Forrester study shows customers who deploy Microsoft Azure AD benefit from 123% ROI.

August 13th, 2020 No comments

Over the past six months, organizations around the world have accelerated digital transformation efforts to rapidly enable a remote workforce. As more employees than ever access apps via their home networks, the corporate network perimeter has truly disappeared, making identity the control plane for effective and secure access across all users and digital resources.

Businesses have responded to the pandemic by increasing budgets, adding staff, and accelerating deployment of cloud-based security technologies to stay ahead of phishing scams and to enable Zero Trust architectures. But the pressure to reduce costs is also real. Given COVID-19 and uncertain economic conditions, many of you are prioritizing security investments. But how should you allocate them? According to a new study, The Total Economic Impact™ of Securing Apps with Microsoft Azure Active Directory, investing in identity can not only help you accelerate your Zero Trust journey, it can also save you money and deliver more value. In this commissioned study, Forrester Consulting interviewed four customers in different industries who have used Azure AD for years. Forrester used these interviews to develop a composite organization. They found that customers securing apps with Azure AD can benefit from a 123 percent return on investment over three years in a payback period of six months.

An image showing the total econmic impact of securing apps with Microsoft Azure AD.

The customers interviewed improved user productivity, reduced costs, and gained IT efficiencies in the following areas[1]:

Increased worker productivity with secure and seamless access to all apps

Employees expect to collaborate on any project from anywhere using any app—especially now, when so many are working from home. But they find signing into multiple applications throughout the day frustrating and time-consuming. When you connect all your apps to Azure AD, employees sign in once using single sign-on (SSO). From there, they can easily access Microsoft apps like Microsoft Teams, software as a service (SaaS) apps like Box, on-premises apps like SAP Hana, and various custom line-of-business apps. Forrester estimates that consolidating to a single identity and access management solution and providing one set of credentials saves each employee 10 minutes a week on average, valued at USD 7.1 million over three years.

“Our CIO really didn’t like that anybody onboarding with our company was receiving—and this is not an exaggeration—two dozen credentials. In the executive branch, they took up to two weeks to get a new hire on their feet.” –Director of workplace technology, Electronics

Reduced costs by reducing the risk of a data breach

A data breach can be incredibly expensive for victims, who must recover not only their environments but also their reputations. Breaches often start with a compromised account, which is why it’s so important to protect your identities.

With Azure AD, you can secure all your applications and make it harder for attackers to acquire and use stolen credentials. You can ban common passwords, block legacy authentication, and protect your privileged identities. You can implement adaptive risk-based policies and enforce multi-factor authentication to ensure that only the right users have the right access. Forrester found that using these Azure AD features can help organizations reduce the risk of a data breach, saving them an estimated USD 2.2 million over a three-year period.

“Conditional Access was non-negotiable as we moved to the cloud. We had to be able to apply policies that scoped applications, users, devices, and risk states. You can’t let a compromised user walk into a cloud app anymore. It’s unacceptable.” –Information security services, manufacturing

Empowered workers to reset their own passwords

If you have a help desk, your employees likely make thousands of password reset requests per month. Locked out users can’t be productive, and their pleas for help eat up valuable time help desk workers could spend on other priority tasks. One organization told Forrester it costs them between USD500,000 and USD700,000 per year just to reset passwords.

With Azure AD Self-Service Password Reset, employees can reset their own passwords without help desk intervention. Forrester estimates that with this feature, customers can decrease the number of password reset calls per month by 75 percent, yielding a three-year adjusted present value of USD 1.7 million.

Unlocked efficiency gains by consolidating their identity infrastructure

Many enterprises use several solutions to manage identity and access management: an on-premises solution for legacy applications, a SaaS-based solution for modern cloud applications, and Azure AD for Microsoft applications. Maintaining this complex infrastructure requires multiple servers and licenses, not to mention people who understand the various systems. Migrating authentication for all your apps to Azure AD can significantly reduce hardware and licensing fees. Forrester estimates savings at a three-year adjusted present value of USD 1.9 million.

Consolidating your identity infrastructure to Azure AD gives you the benefits of cloud-based identity and access management solutions and frees your team to focus on other priorities. IT and identity teams in the study reduced time and effort spent provisioning/deprovisioning accounts, integrating new applications, and addressing issues related to IAM infrastructure. They also experienced less system downtime. Forrester estimated the value of IT efficiency gains at USD 3.0 million over three years.

Integrating with Azure AD also benefits software vendors

As part of the TEI, Forrester interviewed two Independent Software Vendors (ISVs), Zscaler and Workplace from Facebook. They documented their findings in the spotlight, Software Vendors Boost Adoption by Integrating Their Apps with Microsoft Azure Active Directory. Integrating their applications with Azure AD helped the two ISVs interviewed accelerate their sales cycles, as well as product adoption. Seamless integration with Azure AD helps ISVs reach the more than 200,000 organizations that use Azure AD. ISVs can easily give their customers and prospects single sign-on, automated user provisioning, and enhanced security through the security features built into Azure AD, while focusing their energies on enhancing their own solution.

“There is a shorter sales cycle for our platform. Many of our customers are already AD FS-based users, and our integration with Azure AD makes the case for our services that much more compelling. It also allows us to be more agile in helping customers get things implemented more quickly. Essentially, there’re fewer barriers to entry for customers.” – Vice President, product management, Zscaler

“We have a strong mutual customer base with Microsoft, which is why we’ve built such a great partnership with them over the years. Obviously, Azure AD is widely used by our customers, so it makes sense to leverage it.” – Platform Partnerships Manager, Workplace from Facebook

Learn more

COVID-19 has ushered in a new normal of remote work and conservative budgets, but that doesn’t mean you have to sacrifice security or the user experience. By integrating all your apps with Azure AD you can add value—like giving your employees a more convenient and secure work from home experience—while preserving valuable resources.

Find out how Azure AD can help secure all your apps and read the full Forrester Consulting study, The Total Economic Impact™ of securing apps with Microsoft Azure Active Directory and Software vendors boost adoption by integrating their apps with Microsoft Azure Active spotlight.

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

[1] Forrester based all savings estimates on the composite organization developed for its TEI study.

The post New Forrester study shows customers who deploy Microsoft Azure AD benefit from 123% ROI. appeared first on Microsoft Security.

Prevent and detect more identity-based attacks with Azure Active Directory

July 15th, 2020 No comments

Security incidents often start with just one compromised account. Once an attacker gets their foot in the door, they can escalate privileges or gather intelligence that helps them reach their goals. This is why we say that identity is the new security perimeter. To reduce the risk of a data breach, it’s important to make it harder for attackers to steal identities while arming yourself with tools that make it easier to detect accounts that do get compromised.

Over the years the Microsoft Security Operations Center (SOC) has learned a lot about how identity-based attacks work and how to reduce them. We’ve leveraged these insights to refine our processes, and we’ve worked with the Azure AD product group to improve Microsoft identity solutions for our customers. At the RSA Conference 2020, we provided an inside look into how the Microsoft SOC helps protect Microsoft from identity compromise. Today, we are sharing best practices that you can implement in your own organization to help decrease the number of successful identity-based attacks.

Increase the cost of compromising an identity

One reason that identity-based attacks work is because passwords are hard for busy people, but they can be an easy target for attackers. People struggle to memorize unique and complex passwords for hundreds of work and personal applications. Instead, they reuse passwords across different applications or pick something that is easy to remember—sports teams, for example: Seahawks2020!

Bad actors exploit this reality with techniques like phishing campaigns to trick users into providing credentials. They also try to guess passwords or buy them on the dark web. In password spray, attackers test commonly used passwords against several accounts—all they need is one.

To make it harder for bad actors to acquire and use stolen credentials, implement the following technical controls:

Ban common passwords: Start by banning the most common passwords. Azure Active Directory (Azure AD) can automatically prevent users from creating popular passwords, such as password1234! You can also customize the banned password list with words specific to your region or company.

Enforce multi-factor authentication (MFA): MFA requires that people sign in using two or more forms of authentication, such as a password and the Microsoft Authenticator app. This makes it much harder for an attacker with a stolen password to gain access. In fact, this one control can block over 99.9 percent of account compromise attacks.

Block legacy authentication: Authentication protocols like POP, SMTP, IMAP, and MAPI can’t enforce MFA, which makes them an ideal target for bad actors. According to an analysis of Azure AD, over 99 percent of password spray attacks use legacy authentication. Blocking these apps eliminates a common access point for attackers. If teams are currently using apps with legacy authentication, this takes careful planning and a phased process, but tools in Azure AD can help you limit your risk as you migrate to apps with more modern authentication protocols.

Protect your privileged identities: Users with administrative privileges are often targeted by cybercriminals because they have access to valuable resources and information. To reduce the likelihood that these accounts will be compromised, they should only be used when people are conducting administrative tasks. When users are doing other work, like answering emails, they should use an account with reduced access. Just-in-time privileges can further protect administrative identities, by requiring that individuals receive approval before accessing sensitive resources and time-bounding how long they have access.

Detect threats through user behavior anomalies

Strong technical controls will reduce the risk of a breach, but with determined adversaries, they may not be totally preventable. Once attackers get in, they want to avoid detection for as long as possible. They build hidden tunnels and back doors to hide their tracks. Some lay low for thirty or more days on the assumption that log files will be deleted during that time. To discover threats inside your organization, you need the right data and tools to uncover patterns across different data sets and timeframes.

Event logging and data retention: Capturing and saving data can be tricky. Privacy regulations put restrictions on how long and what types of data you can save. Storing large amounts of information can get expensive. However, you’ll need to see across login events, user permissions, and applications to spot anomalous behavior. Data from months or even years ago may help you spot patterns in more recent behavior. Once you understand your contractual and legal obligations related to data, decide which events your organization should store and then decide how long to keep them.

Leverage User and Entities Behavioral Analytics (UEBA): People tend to sign in and access resources in consistent ways over time. For example, a lot of employees check email as soon as they sign in. On the other hand, if someone’s account immediately starts downloading files from a SharePoint site, it may mean the account has been compromised. To identify anomalous behavior, UEBA uses artificial intelligence and machine learning to model how users and devices typically behave. It then compares future behavior against the baseline to create a risk score. This allows you to analyze large data sets and elevate the highest-priority alerts.

Assess your identity risk

As you are making decisions about what controls and actions to prioritize, it helps to understand current risks. Penetration tests can help you uncover vulnerabilities. You can also run password spray tests to generate a list of easily guessable passwords. Or send a phishing email to your company to see how many people respond. The SOC can use these findings to test detections. They will also help you prepare training materials and build awareness with employees. Tools such as Azure AD Identity Protection can help you discover current users at risk and monitor risky behavior as your controls mature.

Learn more

Many of the technical controls we’ve outlined are also best practices in a Zero Trust security strategy. Instead of assuming that everything behind the corporate network is safe, the Zero Trust model assumes breach and verifies each access request. Learn more about Zero Trust.

One way to reduce the likelihood that a password will be stolen is to eliminate passwords entirely. Read more about passwordless authentication.

Watch our RASC 2020 presentation: Cloud-powered compromise blast analysis: In the trenches with Microsoft IT.

For more information on Microsoft Security Solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Prevent and detect more identity-based attacks with Azure Active Directory appeared first on Microsoft Security.

The world is your authentication and identity oyster

July 2nd, 2020 No comments

This blog post is part of the Microsoft Intelligence Security Association guest blog series. To learn more about MISA, go here.

The world is your authentication/identity oyster

If you’re older than 10 years of age you’ve undoubtedly heard the phrase “The world is your oyster.” This basically means that you are able to take the opportunities that life has to offer. Nothing could be more accurate in the description of technology of the world today. Now if we take some liberties with that phrase, we could also say that “the world is your authentication/identity oyster.” There are countless options available to the organizations as to how they want to execute on their vision.

Too long we’ve been collectively saddled with the prospect of passwords as one of the default authentication protocols. This has proven itself to be a standard in many respects. We’ve been taught for decades that passwords are some level of security that can be implemented to protect websites and so forth. This is an unfortunate notion that we need to dispel.

The problem here is that passwords have come to a point where they need to be replaced with an advanced system of security for authentication. Let’s take this as an example: If someone knows a password it by no means ensures who that person is who is utilizing it. Yes, there is some understanding of trust as to who has the use of said password, but over the years I’ve learned that this is by no means a guarantee. As an example, 86 percent of breaches were financially motivated, according to the 2020 Verizon DBIR.

When attackers managed to compromise a website they will re-use the credentials that they capture in a bid to increase their access to other websites simply because they understand that people are creatures of habit and will reuse the same password in multiple places in a bid to reduce the mental fatigue that comes with trying to remember them all. Even when I check in my own password manager application, I’ll note that I have over 900 passwords alone. It is too little surprise that people still write them on post-it notes to this very day.

There are so many options available to remedy our password predicament. MFA is an excellent example of how to move forward with a better solution to authentication. When we look at something such as MFA we have to understand that there is a culture shift involved. Eighty percent of security breaches involve compromised passwords. People can be hesitant and resistant to change but will embrace that change when security has been democratized.

If it is easy for a non-technical person to use, then they will adopt that and then by extension improve the security of your organization. Case in point, my mother can use the Duo app as an example to authenticate to her email and other applications. When you have applications written for engineers by engineers in the hands of the layperson you can imagine how that will end. The security tools need to be easy to use.

If you’re using a push-based application or even something with the W3C WebAuthN open standard, which can leverage an API to replace passwords, you can improve the security of your organization by removing passwords from the mix. Using technologies such as this in conjunction with Azure AD as an example will reduce the risk to an organization. You would have authenticated users access to your systems without having to wonder if the person with the password logging in from a coffee shop in London, New York, or Toronto is in fact who you assume they should be.

The tools are at your disposal today to improve your security posture, reduce risk, and ultimately costs when users can self-manage. When security technology has been democratized it leads to wider adoption by techno-savvy users and luddites alike.

Ready to get started? Sign up for a free trial at signup.duo.com.

Want to learn more about Duo and Microsoft together?

About Duo Security

Duo helps Azure Active Directory (Azure AD) customers move to the cloud safely and securely by verifying the identity of the users with strong multi-factor authentication (MFA), and the trust of the device using device hygiene insights. Our joint customers use that information to create robust access policies that are enforced before granting access to applications both on-premises and in the cloud.

How Duo helps protect Microsoft Applications: Duo + Microsoft Partnership Page

Learn more: Duo Security – Azure Active Directory 

To learn more about the Microsoft Intelligent Security Association (MISA), visit our website where you can learn about the MISA program, product integrations, and find MISA members. Visit the video playlist to learn about the strength of member integrations with Microsoft products.

For more information about Microsoft Security Solutions, visit the Microsoft Security website. Bookmark the Security blog to keep up with our expert coverage of security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post The world is your authentication and identity oyster appeared first on Microsoft Security.

Barracuda and Microsoft: Securing applications in public cloud

June 18th, 2020 No comments

This blog was written by a MISA partner. To learn more about MISA, visit our website.

Barracuda Cloud Application Protection (CAP) platform features integrations with Microsoft Azure Active Directory (Azure AD) and Azure Security Center. A component of CAP, Barracuda WAF-as-a-Service is built on Microsoft Azure and provides advanced WAF capabilities in an easy to deploy and manage solution.

In our last blog, I spoke about how Barracuda and Microsoft are working together to remove barriers to faster public cloud adoption. The post focused on remote access, networks, and secure connectivity to public cloud. The topic of this blog post is to share some thoughts on how web applications in public cloud are secured. 

Accelerating digital transformation

As I mentioned last time, digital transformation is fundamentally changing today’s enterprises, making digital assets—data and applications—key to doing business. Organizations are increasingly competing based on their digital agility, and of course web applications are central to how digital businesses operate today.

In order to develop and update applications faster, organizations are deploying DevOps processes and agile methodologies, and they are moving their infrastructure to the cloud. However, while applications are developed and deployed faster than ever, secure coding practices have not kept pace, resulting in a constantly growing number of open vulnerabilities that can be exploited.

At the same time, the threat environment is continuously evolving and becoming more challenging. Hackers are getting more sophisticated; they are now professional criminals or even nation states. In addition to manual hacking attacks, bots and botnets are increasingly used to attack enterprise infrastructures through web applications. These automated exploits are often executed as Distributed Denial of Service (or DDoS) attacks, at both network and application layer. And of course, malware is constantly getting more advanced. The growth in the number of unprotected application vulnerabilities, coupled with the increase in hacking and malware, has resulted in a perfect storm of data breaches. So, application security is a key requirement for successful digital transformation. A recent Microsoft Build 2020 blog post focused on how Microsoft is helping developers build more secure applications.

Is the latest health crisis going to slow down the digital transformation process? In fact, it appears the opposite is occurring—it is acting as a catalyst. In the last blog, we discussed how the sudden increase in remote work is accelerating the network evolution. In addition, similar changes are occurring in the applications landscape.

As people stay at home due to government orders, they are increasingly transacting online. Brick-and-mortar stores are closed, and to stay in business retailers and other businesses are shifting all their operations online.

Leveraging public cloud for web applications

Such rapid scaling of online operations is difficult and expensive to achieve using traditional datacenters. Fortunately, public cloud providers such as Microsoft Azure provide robust platforms that allow customers to quickly scale up application infrastructure—now things can be completed in days or even hours, instead of weeks or months. And of course, the flexibility that comes with public cloud deployments is especially valuable now, as there is a lot of uncertainty about how long lockdowns will continue and whether online capacity would need to be reduced in the future.

We have seen a significant increase in hacking, DDoS, and bot attacks during the last couple of months, so in addition to scaling up online capacity, it is critically important to ensure security and availability. Using a complete application security platform is the best way to protect applications from all attack vectors, including hacking, DDoS, bots, and even API attacks.

Types and number of online threats in the public cloud.

In the new report, Future shock: the cloud is the new network,1 published in February, Barracuda surveyed 750 IT decision makers responsible for their organizations’ cloud infrastructure. We learned that organizations are well on their way to moving their infrastructure to public cloud, with 45 percent of IT infrastructure already running in the cloud today and rising to an estimated 76 percent in 5 years.

At the same time, the top concern restricting an even faster adoption of public cloud is security, with 70 percent of the respondents indicating that security concerns restrict their organizations’ adoption of public cloud.

If you look at the type of security issues that are the biggest blockers to public cloud adoption, the top two are sophisticated hackers and open vulnerabilities in applications. Also on the list are DDoS attacks and advanced bots/botnets, and from conversations with both customers and analysts since the onset of COVID-19, it appears that both DDoS attacks and bot attacks have spiked up even higher.

Barracuda Cloud Application Protection (CAP) platform is a comprehensive, scalable and easy-to-deploy platform that secures applications wherever they reside.

 

About Barracuda

At Barracuda we strive to make the world a safer place. We believe every business deserves access to cloud-enabled, enterprise-grade security solutions that are easy to buy, deploy, and use. We protect email, networks, data, and applications with innovative solutions that grow and adapt with our customers’ journey. More than 150,000 organizations worldwide trust Barracuda to protect them—in ways they may not even know they are at risk—so they can focus on taking their business to the next level. For more information, visit barracuda.com.

View our integration videos

For more information on Microsoft Security Solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

 


1Future shock: the cloud is the new network, Barracuda, February 2020

The post Barracuda and Microsoft: Securing applications in public cloud appeared first on Microsoft Security.

4 identity partnerships to help drive better security

May 28th, 2020 No comments

At Microsoft, we are committed to driving innovation for our partnerships within the identity ecosystem. Together, we are enabling our customers, who live and work in a heterogenous world, to get secure and remote access to the apps and resources they need. In this blog, we’d like to highlight how partners can help enable secure remote access to any app, access to on-prem and legacy apps, as well as how to secure seamless access via passwordless apps. We will also touch on how you can increase security visibility and insights by leveraging Azure Active Directory (Azure AD) Identity Protection APIs.

Secure remote access to cloud apps

As organizations adopt remote work strategies in today’s environment, it’s important their workforce has access to all the applications they need. With the Azure AD app gallery, we work closely with independent software vendors (ISV) to make it easy for organizations and their employees and customers to connect to and protect the applications they use. The Azure AD app gallery consists of thousands of applications that make it easy for admins to set up single sign-on (SSO) or user provisioning for their employees and customers. You can find popular collaboration applications to work remotely such Cisco Webex, Zoom, and Workplace from Facebook or security focused applications such as Mimecast, and Jamf. And if you don’t find the application your organization needs, you can always make a nomination here.

The Azure AD Gallery

The Azure AD Gallery.

Secure hybrid access to your on-premises and legacy apps

As organizations enable their employees to work from home, maintaining remote access to all company apps, including those on-premises and legacy, from any location and any device, is key to safeguard the productivity of their workforce. Azure AD offers several integrations for securing on-premises SaaS applications like SAP NetWeaver, SAP Fiori systems, Oracle PeopleSoft and E-Business Suite, and Atlassian JIRA and Confluence through the Azure AD App Gallery. For customers who are using Akamai Enterprise Application Access (EAA), Citrix Application Delivery Controller (ADC), F5 BIG-IP Access Policy Manager (APM), or Zscaler Private Access (ZPA), Microsoft has partnerships to provide remote access securely and help extend policies and controls that allow businesses to manage and govern on-premises legacy apps from Azure AD without having to change how the apps work.

Our integration with Zscaler allows a company’s business partners, such as suppliers and vendors, to securely access legacy, on-premises applications through the Zscaler B2B portal.

Integration with Zscaler

Go passwordless with FIDO2 security keys

Passwordless methods of authentication should be part of everyone’s future. Currently, Microsoft has over 100-million active passwordless end-users across consumer and enterprise customers. These passwordless options include Windows Hello for Business, Authenticator app, and FIDO2 security keys. Why are passwords falling out of favor? For them to be effective, passwords must have several characteristics, including being unique to every site. Trying to remember them all can frustrate end-users and lead to poor password hygiene.

Since Microsoft announced the public preview of Azure AD support for FIDO2 security keys in hybrid environments earlier this year, I’ve seen more organizations, especially with regulatory requirements, start to adopt FIDO2 security keys. This is another important area where we’ve worked with many FIDO2 security key partners who are helping our customers to go passwordless smoothly.

Partner logos

Increase security visibility and insights by leveraging Azure AD Identity Protection APIs

We know from our partners that they would like to leverage insights from the Azure AD Identity Protection with their security tools such as security information event management (SIEM) or network security. The end goal is to help them leverage all the security tools they have in an integrated way. Currently, we have the Azure AD Identity Protection API in preview that our ISVs leverage. For example, RSA announced at their 2020 conference that they are now leveraging our signals to better defend their customers.

We’re looking forward to working with many partners to complete these integrations.

If you haven’t taken advantage of any of these types of solutions, I recommend you try them out today and let us know what you think. If you have product partnership ideas with Azure AD, feel free to connect with me via LinkedIn or Twitter.

The post 4 identity partnerships to help drive better security appeared first on Microsoft Security.

Zero Trust Deployment Guide for Microsoft Azure Active Directory

April 30th, 2020 No comments

Microsoft is providing a series of deployment guides for customers who have engaged in a Zero Trust security strategy. In this guide, we cover how to deploy and configure Azure Active Directory (Azure AD) capabilities to support your Zero Trust security strategy.

For simplicity, this document will focus on ideal deployments and configuration. We will call out the integrations that need Microsoft products other than Azure AD and we will note the licensing needed within Azure AD (Premium P1 vs P2), but we will not describe multiple solutions (one with a lower license and one with a higher license).

Azure AD at the heart of your Zero Trust strategy

Azure AD provides critical functionality for your Zero Trust strategy. It enables strong authentication, a point of integration for device security, and the core of your user-centric policies to guarantee least-privileged access. Azure AD’s Conditional Access capabilities are the policy decision point for access to resources based on user identity, environment, device health, and risk—verified explicitly at the point of access. In the following sections, we will showcase how you can implement your Zero Trust strategy with Azure AD.

Establish your identity foundation with Azure AD

A Zero Trust strategy requires that we verify explicitly, use least privileged access principles, and assume breach. Azure Active Directory can act as the policy decision point to enforce your access policies based on insights on the user, device, target resource, and environment. To do this, we need to put Azure Active Directory in the path of every access request—connecting every user and every app or resource through this identity control plane. In addition to productivity gains and improved user experiences from single sign-on (SSO) and consistent policy guardrails, connecting all users and apps provides Azure AD with the signal to make the best possible decisions about the authentication/authorization risk.

  • Connect your users, groups, and devices:
    Maintaining a healthy pipeline of your employees’ identities as well as the necessary security artifacts (groups for authorization and devices for extra access policy controls) puts you in the best place to use consistent identities and controls, which your users already benefit from on-premises and in the cloud:

    1. Start by choosing the right authentication option for your organization. While we strongly prefer to use an authentication method that primarily uses Azure AD (to provide you the best brute force, DDoS, and password spray protection), follow our guidance on making the decision that’s right for your organization and your compliance needs.
    2. Only bring the identities you absolutely need. For example, use going to the cloud as an opportunity to leave behind service accounts that only make sense on-premises; leave on-premises privileged roles behind (more on that under privileged access), etc.
    3. If your enterprise has more than 100,000 users, groups, and devices combined, we recommend you follow our guidance building a high performance sync box that will keep your life cycle up-to-date.
  • Integrate all your applications with Azure AD:
    As mentioned earlier, SSO is not only a convenient feature for your users, but it’s also a security posture, as it prevents users from leaving copies of their credentials in various apps and helps avoid them getting used to surrendering their credentials due to excessive prompting. Make sure you do not have multiple IAM engines in your environment. Not only does this diminish the amount of signal that Azure AD sees and allow bad actors to live in the seams between the two IAM engines, it can also lead to poor user experience and your business partners becoming the first doubters of your Zero Trust strategy. Azure AD supports a variety of ways you can bring apps to authenticate with it:

    1. Integrate modern enterprise applications that speak OAuth2.0 or SAML.
    2. For Kerberos and Form-based auth applications, you can integrate them using the Azure AD Application Proxy.
    3. If you publish your legacy applications using application delivery networks/controllers, Azure AD is able to integrate with most of the major ones (such as Citrix, Akamai, F5, etc.).
    4. To help migrate your apps off of existing/older IAM engines, we provide a number of resources—including tools to help you discover and migrate apps off of ADFS.
  • Automate provisioning to applications:
    Once you have your users’ identities in Azure AD, you can now use Azure AD to power pushing those user identities into your various cloud applications. This gives you a tighter identity lifecycle integration within those apps. Use this detailed guide to deploy provisioning into your SaaS applications.
  • Get your logging and reporting in order:
    As you build your estate in Azure AD with authentication, authorization, and provisioning, it’s important to have strong operational insights into what is happening in the directory. Follow this guide to learn how to to persist and analyze the logs from Azure AD either in Azure or using a SIEM system of choice.

Enacting the 1st principle: least privilege

Giving the right access at the right time to only those who need it is at the heart of a Zero Trust philosophy:

  • Plan your Conditional Access deployment:
    Planning your Conditional Access policies in advance and having a set of active and fallback policies is a foundational pillar of your Access Policy enforcement in a Zero Trust deployment. Take the time to configure your trusted IP locations in your environment. Even if you do not use them in a Conditional Access policy, configure these IPs informs the risk of Identity Protection mentioned above. Check out our deployment guidance and best practices for resilient Conditional Access policies.
  • Secure privileged access with privileged identity management:
    With privileged access, you generally take a different track to meeting the end users where they are most likely to need and use the data. You typically want to control the devices, conditions, and credentials that users use to access privileged operations/roles. Check out our detailed guidance on how to take control of your privileged identities and secure them. Keep in mind that in a digitally transformed organization, privileged access is not only administrative access, but also application owner or developer access that can change the way your mission critical apps run and handle data. Check out our detailed guide on how to use Privileged Identity Management (P2) to secure privileged identities.
  • Restrict user consent to applications:
    User consent to applications is a very common way for modern applications to get access to organizational resources. However, we recommend you restrict user consent and manage consent requests to ensure that no unnecessary exposure of your organization’s data to apps occurs. This also means that you need to review prior/existing consent in your organization for any excessive or malicious consent.
  • Manage entitlements (Azure AD Premium P2):
    With applications centrally authenticating and driven from Azure AD, you should streamline your access request, approval, and recertification process to make sure that the right people have the right access and that you have a trail of why users in your organization have the access they have. Using entitlement management, you can create access packages that they can request as they join different teams/project and that would assign them access to the associated resources (applications, SharePoint sites, group memberships). Check out how you can start a package. If deploying entitlement management is not possible for your organization at this time, we recommend you at least enable self-service paradigms in your organization by deploying self-service group management and self-service application access.

Enacting the 2nd principle: verify explicitly

Provide Azure AD with a rich set of credentials and controls that it can use to verify the user at all times.

  • Roll out Azure multi-factor authentication (MFA) (P1):
    This is a foundational piece of reducing user session risk. As users appear on new devices and from new locations, being able to respond to an MFA challenge is one of the most direct ways that your users can teach us that these are familiar devices/locations as they move around the world (without having administrators parse individual signals). Check out this deployment guide.
  • Enable Azure AD Hybrid Join or Azure AD Join:
    If you are managing the user’s laptop/computer, bringing that information into Azure AD and use it to help make better decisions. For example, you may choose to allow rich client access to data (clients that have offline copies on the computer) if you know the user is coming from a machine that your organization controls and manages. If you do not bring this in, you will likely choose to block access from rich clients, which may result in your users working around your security or using Shadow IT. Check out our resources for Azure AD Hybrid Join or Azure AD Join.
  • Enable Microsoft Intune for managing your users’ mobile devices (EMS):
    The same can be said about user mobile devices as laptops. The more you know about them (patch level, jailbroken, rooted, etc.) the more you are able to trust or mistrust them and provide a rationale for why you block/allow access. Check out our Intune device enrollment guide to get started.
  • Start rolling out passwordless credentials:
    With Azure AD now supporting FIDO 2.0 and passwordless phone sign-in, you can move the needle on the credentials that your users (especially sensitive/privileged users) are using on a day-to-day basis. These credentials are strong authentication factors that can mitigate risk as well. Our passwordless authentication deployment guide walks you through how to roll out passwordless credentials in your organization.

Enacting the 3rd principle: assume breach

Provide Azure AD with a rich set of credentials and controls that it can use to verify the user.

  • Deploy Azure AD Password Protection:
    While enabling other methods to verify users explicitly, you should not forget about weak passwords, password spray and breach replay attacks. Read this blog to find out why classic complex password policies are not tackling the most prevalent password attacks. Then follow this guidance to enable Azure AD Password Protection for your users in the cloud first and then on-premises as well.
  • Block legacy authentication:
    One of the most common attack vectors for malicious actors is to use stolen/replayed credentials against legacy protocols, such as SMTP, that cannot do modern security challenges. We recommend you block legacy authentication in your organization.
  • Enable identity protection (Azure AD Premium 2):
    Enabling identity protection for your users will provide you with more granular session/user risk signal. You’ll be able to investigate risk and confirm compromise or dismiss the signal which will help the engine understand better what risk looks like in your environment.
  • Enable restricted session to use in access decisions:
    To illustrate, let’s take a look at controls in Exchange Online and SharePoint Online (P1): When a user’s risk is low but they are signing in from an unknown device, you may want to allow them access to critical resources, but not allow them to do things that leave your organization in a non-compliant state. Now you can configure Exchange Online and SharePoint Online to offer the user a restricted session that allows them to read emails or view files, but not download them and save them on an untrusted device. Check out our guides for enabling limited access with SharePoint Online and Exchange Online.
  • Enable Conditional Access integration with Microsoft Cloud App Security (MCAS) (E5):
    Using signals emitted after authentication and with MCAS proxying requests to application, you will be able to monitor sessions going to SaaS Applications and enforce restrictions. Check out our MCAS and Conditional Access integration guidance and see how this can even be extended to on-premises apps.
  • Enable Microsoft Cloud App Security (MCAS) integration with identity protection (E5):
    Microsoft Cloud App Security is a UEBA product monitoring user behavior inside SaaS and modern applications. This gives Azure AD signal and awareness about what happened to the user after they authenticated and received a token. If the user pattern starts to look suspicious (user starts to download gigabytes of data from OneDrive or starts to send spam emails in Exchange Online), then a signal can be fed to Azure AD notifying it that the user seems to be compromised or high risk and on the next access request from this user; Azure AD can take correct action to verify the user or block them. Just enabling MCAS monitoring will enrich the identity protection signal. Check out our integration guidance to get started.
  • Integrate Azure Advanced Threat Protection (ATP) with Microsoft Cloud App Security:
    Once you’ve successfully deployed and configured Azure ATP, enable the integration with Microsoft Cloud App Security to bring on-premises signal into the risk signal we know about the user. This enables Azure AD to know that a user is indulging in risky behavior while accessing on-premises, non-modern resources (like File Shares) which can then be factored into overall user risk to block further access in the cloud. You will be able to see a combined Priority Score for each user at risk to give a holistic view of which ones your SOC should focus on.
  • Enable Microsoft Defender ATP (E5):
    Microsoft Defender ATP allows you to attest to Windows machines health and whether they are undergoing a compromise and feed that into mitigating risk at runtime. Whereas Domain Join gives you a sense of control, Defender ATP allows you to react to a malware attack at near real time by detecting patterns where multiple user devices are hitting untrustworthy sites and react by raising their device/user risk at runtime. See our guidance on configuring Conditional Access in Defender ATP.

Conclusion

We hope the above guides help you deploy the identity pieces central to a successful Zero Trust strategy. Make sure to check out the other deployment guides in the series by following the Microsoft Security blog.

The post Zero Trust Deployment Guide for Microsoft Azure Active Directory appeared first on Microsoft Security.

Building Zero Trust networks with Microsoft 365

The traditional perimeter-based network defense is obsolete. Perimeter-based networks operate on the assumption that all systems within a network can be trusted. However, todays increasingly mobile workforce, the migration towards public cloud services, and the adoption of Bring Your Own Device (BYOD) model make perimeter security controls irrelevant. Networks that fail to evolve from traditional defenses are vulnerable to breaches: an attacker can compromise a single endpoint within the trusted boundary and then quickly expand foothold across the entire network.

In 2013, a massive credit card data breach hit Target and exposed the credit card information of over 40 million customers. Attackers used malware-laced emails to steal credentials from contractors that had remote access to Targets network. They then used the stolen credentials to gain access to the network, effectively evading the perimeter defense mechanisms that Target had in place. Once inside the network, the attackers installed malware on payment systems used in Target stores across the US and stole customer credit card information.

Zero Trust networks eliminate the concept of trust based on network location within a perimeter. Instead, Zero Trust architectures leverage device and user trust claims to gate access to organizational data and resources. A general Zero Trust network model (Figure 1) typically comprises the following:

  • Identity provider to keep track of users and user-related information
  • Device directory to maintain a list of devices that have access to corporate resources, along with their corresponding device information (e.g., type of device, integrity etc.)
  • Policy evaluation service to determine if a user or device conforms to the policy set forth by security admins
  • Access proxy that utilizes the above signals to grant or deny access to an organizational resource

Figure 1. Basic components of a general Zero Trust network model

Gating access to resources using dynamic trust decisions allows an enterprise to enable access to certain assets from any device while restricting access to high-value assets on enterprise-managed and compliant devices. In targeted and data breach attacks, attackers can compromise a single device within an organization, and then use the “hopping” method to move laterally across the network using stolen credentials. A solution based on Zero Trust network, configured with the right policies around user and device trust, can help prevent stolen network credentials from being used to gain access to a network.

Zero Trust is the next evolution in network security. The state of cyberattacks drives organizations to take the assume breach mindset, but this approach should not be limiting. Zero Trust networks protect corporate data and resources while ensuring that organizations can build a modern workplace using technologies that empower employees to be productive anytime, anywhere, any which way.

Zero Trust networking based on Azure AD conditional access

Today, employees access their organization’s resources from anywhere using a variety of devices and apps. Access control policies that focus only on who can access a resource is not sufficient. To master the balance between security and productivity, security admins also need to factor in how a resource is being accessed.

Microsoft has a story and strategy around Zero Trust networking. Azure Active Directory conditional access is the foundational building block of how customers can implement a Zero Trust network approach. Conditional access and Azure Active Directory Identity Protection make dynamic access control decisions based on user, device, location, and session risk for every resource request. They combine (1) attested runtime signals about the security state of a Windows device and (2) the trustworthiness of the user session and identity to arrive at the strongest possible security posture.

Conditional access provides a set of policies that can be configured to control the circumstances in which users can access corporate resources. Considerations for access include user role, group membership, device health and compliance, mobile applications, location, and sign-in risk. These considerations are used to decide whether to (1) allow access, (2) deny access, or (3) control access with additional authentication challenges (e.g., multi-factor authentication), Terms of Use, or access restrictions. Conditional access works robustly with any application configured for access with Azure Active Directory.

Figure 2. Microsofts high-level approach to realizing Zero Trust networks using conditional access.

To accomplish the Zero Trust model, Microsoft integrates several components and capabilities in Microsoft 365: Windows Defender Advanced Threat Protection, Azure Active Directory, Windows Defender System Guard, and Microsoft Intune.

Windows Defender Advanced Threat Protection

Windows Defender Advanced Threat Protection (ATP) is an endpoint protection platform (EPP) and endpoint detection response (EDR) technology that provides intelligence-driven protection, post-breach detection, investigation, and automatic response capabilities. It combines built-in behavioral sensors, machine learning, and security analytics to continuously monitor the state of devices and take remedial actions if necessary. One of the unique ways Windows Defender ATP mitigates breaches is by automatically isolating compromised machines and users from further cloud resource access.

For example, attackers use the Pass-the-Hash (PtH) and the Pass the ticket for Kerberos techniques to directly extract hashed user credentials from a compromised device. The hashed credentials can then be used to make lateral movement, allowing attackers to leapfrog from one system to another, or even escalate privileges. While Windows Defender Credential Guard prevents these attacks by protecting NTLM hashes and domain credentials, security admins still want to know that such an attack occurred.

Windows Defender ATP exposes attacks like these and generates a risk level for compromised devices. In the context of conditional access, Windows Defender ATP assigns a machine risk level, which is later used to determine whether the client device should get a token required to access corporate resources. Windows Defender ATP uses a broad range of security capabilities and signals, including:

Windows Defender System Guard runtime attestation

Windows Defender System Guard protects and maintains the integrity of a system as it boots up and continues running. In the assume breach mentality, its important for security admins to have the ability to remotely attest the security state of a device. With the Windows 10 April 2018 Update, Windows Defender System Guard runtime attestation contributes to establishing device integrity. It makes hardware-rooted boot-time and runtime assertions about the health of the device. These measurements are consumed by Windows Defender ATP and contribute to the machine risk level assigned to the device.

The single most important goal of Windows Defender System Guard is to validate that the system integrity has not been violated. This hardware-backed high-integrity trusted framework enables customers to request a signed report that can attest (within guarantees specified by the security promises) that no tampering of the devices security state has taken place. Windows Defender ATP customers can view the security state of all their devices using the Windows Defender ATP portal, allowing detection and remediation of any security violation.

Windows Defender System Guard runtime attestation leverages the hardware-rooted security technologies in virtualization-based security (VBS) to detect attacks. On virtual secure mode-enabled devices, Windows Defender System Guard runtime attestation runs in an isolated environment, making it resistant to even a kernel-level adversary.

Windows Defender System Guard runtime attestation continually asserts system security posture at runtime. These assertions are directed at capturing violations of Windows security promises, such as disabling process protection.

Azure Active Directory

Azure Active Directory is a cloud identity and access management solution that businesses use to manage access to applications and protect user identities both in the cloud and on-premises. In addition to its directory and identity management capabilities, as an access control engine Azure AD delivers:

  • Single sign-on experience: Every user has a single identity to access resources across the enterprise to ensure higher productivity. Users can use the same work or school account for single sign-on to cloud services and on-premises web applications. Multi-factor authentication helps provide an additional level of validation of the user.
  • Automatic provisioning of application access: Users access to applications can be automatically provisioned or de-provisioned based on their group memberships, geo-location, and employment status.

As an access management engine, Azure AD makes a well-informed decision about granting access to organizational resources using information about:

  • Group and user permissions
  • App being accessed
  • Device used to sign in (e.g., device compliance info from Intune)
  • Operating system of the device being used to sign in
  • Location or IP ranges of sign-in
  • Client app used to sign in
  • Time of sign-in
  • Sign-in risk, which represents the probability that a given sign-in isnt authorized by the identity owner (calculated by Azure AD Identity Protections multiple machine learning or heuristic detections)
  • User risk, which represents the probability that a bad actor has compromised a given user (calculated by Azure AD Identity Protections advanced machine learning that leverages numerous internal and external sources for label data to continually improve)
  • More factors that we will continually add to this list

Conditional access policies are evaluated in real-time and enforced when a user attempts to access any Azure AD-connected application, for example, SaaS apps, custom apps running in the cloud, or on-premises web apps. When suspicious activity is discovered, Azure AD helps take remediation actions, such as block high-risk users, reset user passwords if credentials are compromised, enforce Terms of Use, and others.

The decision to grant access to a corporate application is given to client devices in the form of an access token. This decision is centered around compliance with the Azure AD conditional access policy. If a request meets the requirements, a token is granted to a client. The policy may require that the request provides limited access (e.g., no download allowed) or even be passed through Microsoft Cloud App Security for in-session monitoring.

Microsoft Intune

Microsoft Intune is used to manage mobile devices, PCs, and applications in an organization. Microsoft Intune and Azure have management and visibility of assets and data valuable to the organization, and have the capability to automatically infer trust requirements based on constructs such as Azure Information Protection, Asset Tagging, or Microsoft Cloud App Security.

Microsoft Intune is responsible for the enrollment, registration, and management of client devices. It supports a wide array of device types: mobile devices (Android and iOS), laptops (Windows and macOS), and employees BYOD devices. Intune combines the machine risk level provided by Windows Defender ATP with other compliance signals to determine the compliance status (isCompliant) of the device. Azure AD leverages this compliance status to block or allow access to corporate resources. Conditional access policies can be configured in Intune in two ways:

  • App-based: Only managed applications can access corporate resources
  • Device-based: Only managed and compliant devices can access corporate resources

More on how to configure risk-based conditional access compliance check in Intune.

Conditional access at work

The value of conditional access can be best demonstrated with an example. (Note: The names used in this section are fictitious, but the example illustrates how conditional access can protect corporate data and resources in different scenarios.)

SurelyMoney is one of the most prestigious financial institutions in the world, helping over a million customers carry out their business transactions seamlessly. The company uses Microsoft 365 E5 suite, and their security enterprise admins have enforced conditional access.

An attacker seeks to steal information about the companys customers and the details of their business transactions. The attacker sends seemingly innocuous e-mails with malware attachments to employees. One employee unwittingly opens the attachment on a corporate device, compromising the device. The attacker can now harvest the employees user credentials and try to access a corporate application.

Windows Defender ATP, which continuously monitors the state of the device, detects the breach and flags the device as compromised. This device information is relayed to Azure AD and Intune, which then denies the access to the application from that device. The compromised device and user credentials are blocked from further access to corporate resources. Once the device is auto-remediated by Windows Defender ATP, access is re-granted for the user on the remediated device.

This illustrates how conditional access and Windows Defender ATP work together to help prevent the lateral movement of malware, provide attack isolation, and ensure protection of corporate resources.

Azure AD applications such as Office 365, Exchange Online, SPO, and others

The executives at SurelyMoney store a lot of high-value confidential documents in Microsoft SharePoint, an Office 365 application. Using a compromised device, the attacker tries to steal these documents. However, conditional access tight coupling with O365 applications prevents this from taking place.

Office 365 applications like Microsoft Word, Microsoft PowerPoint, and Microsoft Excel allow an organizations employees to collaborate and get work done. Different users can have different permissions, depending on the sensitivity or nature of their work, the group they belong to, and other factors. Conditional access facilitates access management in these applications as they are deeply integrated with the conditional access evaluation. Through conditional access, security admins can implement custom policies, enabling the applications to grant partial or full access to requested resources.

Figure 3. Zero Trust network model for Azure AD applications

Line of business applications

SurelyMoney has a custom transaction-tracking application connected to Azure AD. This application keeps records of all transactions carried out by customers. The attacker tries to gain access to this application using the harvested user credentials. However, conditional access prevents this breach from happening.

Every organization has mission-critical and business-specific applications that are tied directly to the success and efficiency of employees. These typically include custom applications related to e-commerce systems, knowledge tracking systems, document management systems, etc. Azure AD will not grant an access token for these applications if they fail to meet the required compliance and risk policy, relying on a binary decision on whether access to resources should be granted or denied.

Figure 4. Zero Trust network model expanded for line of business apps

On-premises web applications

Employees today want to be productive anywhere, any time, and from any device. They want to work on their own devices, whether they be tablets, phones, or laptops. And they expect to be able to access their corporate on-premises applications. Azure AD Application Proxy allows remote access to external applications as a service, enabling conditional access from managed or unmanaged devices.

SurelyMoney has built their own version of a code-signing application, which is a legacy tenant application. It turns out that the user of the compromised device belongs to the code-signing team. The requests to the on-premises legacy application are routed through the Azure AD Application Proxy. The attacker tries to make use of the compromised user credentials to access this application, but conditional access foils this attempt.

Without conditional access, the attacker would be able to create any malicious application he wants, code-sign it, and deploy it through Intune. These apps would then be pushed to every device enrolled in Intune, and the hacker would be able to gain an unprecedented amount of sensitive information. Attacks like these have been observed before, and it is in an enterprises best interests to prevent this from happening.

Figure 5. Zero Trust network model for on-premises web applications

Continuous innovation

At present, conditional access works seamlessly with web applications. Zero Trust, in the strictest sense, requires all network requests to flow through the access control proxy and for all evaluations to be based on the device and user trust model. These network requests can include various legacy communication protocols and access methods like FTP, RDP, SMB, and others.

By leveraging device and user trust claims to gate access to organizational resources, conditional access provides comprehensive but flexible policies that secure corporate data while ensuring user productivity. We will continue to innovate to protect the modern workplace, where user productivity continues to expand beyond the perimeters of the corporate network.

 

 

Sumesh Kumar, Ashwin Baliga, Himanshu Soni, Jairo Cadena
Enterprise & Security