Identity and Access Management

In non-cloud environments with static configurations, the focus has often been on firewalls and a traffic-centric approach for security. However, in the cloud, resources become dynamic, infrastructure and networking are shared, and users expect access to applications and data from any location at any time. Trying to manage your cloud security with firewall rules alone quickly becomes complex or unfeasible. Security through identity authentication and authorization is a better solution.

Identity authentication and authorization bring you granularity of security, allowing you to protect individual and groups of resources, whether static or dynamic. A cloud-based identity management system like Azure Active Directory (AD) also has visibility into massive numbers of access requests and large volumes of threat information. By leveraging this information, Azure AD offers you superior threat intelligence, compared to legacy approaches.

Single enterprise directory and synchronization

Having a single enterprise or organizational directory for employee and resource identity management rather than multiple departmental directories helps ensure clarity and consistency. Such a unique authoritative source enhances secure management and decreases risk. Changes are made in one place for resources in multiple locations.

You can define a single Azure AD instance directory to be the authoritative source for Azure accounts for the enterprise or organization. Azure AD Connect then lets you synchronize Azure AD with your existing authoritative on-premises AD.

However, accounts with the highest privilege access to on-premises resources should not be part of the synchronization between your organizational identity systems and cloud directories. By excluding these accounts, you prevent an attacker who has compromised a cloud account from obtaining full control of on-premises assets. The default configuration for Azure AD Connect blocks synchronization to Azure AD of accounts that have high privileges in your existing Active Directory.

You can also use a single identity provider to authenticate Windows, Linux, other platforms, and cloud services. This lets you avoid the potential problems of multiple or incomplete identity solutions, including unenforceable password policies, failure to reset passwords after a breach, password proliferation, and failure to delete the passwords of former employees.

For example, Azure AD enables you to authenticate Windows, Linux, Azure, Office 365 (now Microsoft 365), Amazon Web Services (AWS), Google Services, remote access to legacy applications running on premises, and third-party Software as a Service (SaaS) providers.

Cloud identity services and authentication

You can ensure that your enterprise or organizational directory is only for employees of your organization by using cloud identity services for non-employee accounts. This reduces risk and effort for your organization. External users such as vendors, partners, and customers receive only the appropriate level of access, instead of the full default permissions that are granted to employees. External attacks are easier to prevent and detect. Less effort is needed from your HR and IT teams for the management of these cloud identities, with native integration into the Azure AD identity and permission model that both Azure and Office 365/Microsoft 365 use.

You should also move all user accounts for your organization to passwordless or multi-factor authentication (MFA). Accounts with the highest privileges, such as administrative accounts, are the highest priority for this migration. Another way to reduce the use of passwords for applications is by using Managed Identities to grant those applications access to Azure resources without storing credentials.

For the same reasons, disable insecure legacy protocols for services that can be accessed from the internet. Legacy protocols that only support passwords without MFA are among the top attack vectors for cloud-hosted services. Furthermore, these older protocols may lack account lockouts, back-off timers, and other countermeasures against attacks. Configure conditional access to block legacy protocols for Azure and Azure AD-based accounts.

Moving user accounts to MFA and disabling legacy protocols may need to be done in phases:

  • Find out from your authentication provider how many users continue to authenticate with old clients.
  • Disable insecure protocols that are not in use.
  • Provide ample notice and assistance to users about upgrading to more secure authentication, before disabling legacy protocol authentication for all users and all services.
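The two preceding passages (block legacy protocols with conditional access, and do it in phases: measure, disable the unused ones, notify the rest) can be scripted against Azure AD sign-in data. The following is an added example and not code from the original article. It assumes sign-in records in the shape of the Microsoft Graph `signIns` resource (`userPrincipalName`, `clientAppUsed`, `status.errorCode`), which are fetched separately; the sample records and the candidate list of legacy protocols below are constructed for the example, and the policy body follows the Graph `conditionalAccessPolicy` schema.

```python
"""Phase the retirement of legacy (password-only) authentication.

Added example, not from the original article. Sign-in records are assumed to
be in the Microsoft Graph `signIns` shape; the sample data is constructed.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Set

# clientAppUsed values Azure AD reports for modern-authentication clients.
# Anything else (Exchange ActiveSync, IMAP4, POP3, "Other clients", ...) is a
# legacy client that cannot satisfy an MFA requirement.
MODERN_CLIENTS = {"Browser", "Mobile Apps and Desktop clients"}

# Protocols we intend to disable (assumed candidate list for this example).
# Which ones are actually still in use is decided from the data, not assumed.
CANDIDATE_LEGACY_PROTOCOLS = [
    "Exchange ActiveSync", "IMAP4", "POP3", "Authenticated SMTP", "Other clients",
]

# Constructed sample sign-ins; not real tenant data.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@contoso.example", "clientAppUsed": "Browser",
     "createdDateTime": "2020-05-18T08:01:00Z", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@contoso.example", "clientAppUsed": "Exchange ActiveSync",
     "createdDateTime": "2020-05-18T08:05:00Z", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@contoso.example", "clientAppUsed": "Exchange ActiveSync",
     "createdDateTime": "2020-05-19T08:05:00Z", "status": {"errorCode": 0}},
    {"userPrincipalName": "carol@contoso.example", "clientAppUsed": "IMAP4",
     "createdDateTime": "2020-05-19T09:12:00Z", "status": {"errorCode": 0}},
    {"userPrincipalName": "dave@contoso.example",
     "clientAppUsed": "Mobile Apps and Desktop clients",
     "createdDateTime": "2020-05-19T10:00:00Z", "status": {"errorCode": 0}},
    # A failed legacy sign-in still counts: the protocol is reachable and in use.
    {"userPrincipalName": "eve@contoso.example", "clientAppUsed": "Other clients",
     "createdDateTime": "2020-05-19T11:30:00Z", "status": {"errorCode": 50126}},
]


def legacy_users_by_protocol(signins: Iterable[dict]) -> Dict[str, Set[str]]:
    """Step 1: which users still authenticate through each non-modern client."""
    users: Dict[str, Set[str]] = defaultdict(set)
    for s in signins:
        client = s.get("clientAppUsed", "Other clients")
        if client not in MODERN_CLIENTS:
            users[client].add(s["userPrincipalName"].lower())
    return dict(users)


def unused_protocols(signins: Iterable[dict], candidates: Iterable[str]) -> List[str]:
    """Step 2: legacy protocols with no observed use; disable these first."""
    in_use = legacy_users_by_protocol(signins)
    return sorted(p for p in candidates if p not in in_use)


def users_to_notify(signins: Iterable[dict]) -> List[str]:
    """Step 3: everyone still on a legacy client needs notice before cut-over."""
    affected: Set[str] = set()
    for members in legacy_users_by_protocol(signins).values():
        affected |= members
    return sorted(affected)


def block_legacy_auth_policy(report_only: bool) -> dict:
    """Conditional access policy body (Graph conditionalAccessPolicy shape).

    The client app types exchangeActiveSync and other cover legacy
    authentication. Run it in report-only mode during the notice period,
    then switch to enabled once the legacy user count reaches zero.
    """
    return {
        "displayName": "Block legacy authentication",
        "state": "enabledForReportingButNotEnforced" if report_only else "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["exchangeActiveSync", "other"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


if __name__ == "__main__":
    import json
    for proto, members in sorted(legacy_users_by_protocol(SAMPLE_SIGNINS).items()):
        print(f"{proto}: {len(members)} user(s) still authenticating")
    print("safe to disable now:", unused_protocols(SAMPLE_SIGNINS, CANDIDATE_LEGACY_PROTOCOLS))
    print("notify before cut-over:", users_to_notify(SAMPLE_SIGNINS))
    print(json.dumps(block_legacy_auth_policy(report_only=True), indent=2))
```

Run against a real export, the first two functions answer the "how many users, on which protocols" question for phase one, and the policy starts in report-only state so the sign-in log shows what would have been blocked before anyone is locked out.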

Password protection

For accounts that must still function with passwords, cloud identity providers handling large volumes of logins can better detect password anomalies and notify you accordingly. This protection goes further than that of legacy identity providers, whose checks have often been limited to parameters such as length and variety of character types.

You can enable modern protection in Azure AD for Azure by configuring Azure AD Connect to synchronize password hashes (for example, to mitigate the risk of ransomware and destructive virus attacks). Issues may then be remediated manually or automatically:

  • Manual enforcement can leverage risk event information in Azure AD security reports, as well as Azure AD Identity Protection.
  • Automatic remediation assigns conditional access for high-risk passwords based on Azure AD Identity Protection risk assessments.
  • You can also obtain programmatic access to security detections via the Identity Protection risk events API and Microsoft Graph.
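The three remediation paths above (manual review of risk events, automatic conditional-access controls by risk level, and programmatic access through the Identity Protection risk events API in Microsoft Graph) come together in a small triage script. This is an added example, not code from the original article. It assumes detections already retrieved in the shape of the Graph `riskDetection` resource (`riskEventType`, `riskLevel`, `riskState`, `userPrincipalName`); the fetch itself is not shown, the sample detections are constructed, and the mapping from risk level to control is an assumed policy chosen for the example.

```python
"""Triage Azure AD Identity Protection risk detections.

Added example, not from the original article. Records are assumed to be in
the Microsoft Graph `riskDetection` shape (for example from
/identityProtection/riskDetections); the sample data below is constructed.
"""
from typing import Dict, Iterable, List

RISK_ORDER = {"none": 0, "hidden": 0, "low": 1, "medium": 2, "high": 3}

# Detections an admin has already remediated, dismissed or confirmed safe
# need no further action.
OPEN_STATES = {"atRisk", "confirmedCompromised"}

# Assumed mapping for this example, mirroring a typical user-risk policy
# (high -> forced password change) and sign-in-risk policy (medium -> MFA).
# Low/hidden detections get no automatic control and go to an analyst.
ACTION_BY_LEVEL = {
    "high": "requirePasswordChange",
    "medium": "requireMfa",
    "low": "monitor",
    "hidden": "monitor",
    "none": "none",
}

# Constructed sample detections; not real tenant data.
SAMPLE_DETECTIONS = [
    {"id": "det-1", "userPrincipalName": "alice@contoso.example",
     "riskEventType": "leakedCredentials", "riskLevel": "high",
     "riskState": "atRisk", "detectedDateTime": "2020-05-19T07:00:00Z"},
    {"id": "det-2", "userPrincipalName": "bob@contoso.example",
     "riskEventType": "unfamiliarFeatures", "riskLevel": "medium",
     "riskState": "atRisk", "detectedDateTime": "2020-05-19T07:30:00Z"},
    {"id": "det-3", "userPrincipalName": "carol@contoso.example",
     "riskEventType": "anonymizedIPAddress", "riskLevel": "low",
     "riskState": "remediated", "detectedDateTime": "2020-05-18T22:10:00Z"},
    {"id": "det-4", "userPrincipalName": "dave@contoso.example",
     "riskEventType": "passwordSpray", "riskLevel": "high",
     "riskState": "atRisk", "detectedDateTime": "2020-05-19T08:45:00Z"},
    {"id": "det-5", "userPrincipalName": "erin@contoso.example",
     "riskEventType": "unlikelyTravel", "riskLevel": "high",
     "riskState": "dismissed", "detectedDateTime": "2020-05-19T09:00:00Z"},
    {"id": "det-6", "userPrincipalName": "bob@contoso.example",
     "riskEventType": "anonymizedIPAddress", "riskLevel": "low",
     "riskState": "atRisk", "detectedDateTime": "2020-05-19T09:20:00Z"},
]


def open_detections(detections: Iterable[dict]) -> List[dict]:
    """Keep only detections nobody has closed yet."""
    return [d for d in detections if d["riskState"] in OPEN_STATES]


def user_risk(detections: Iterable[dict]) -> Dict[str, str]:
    """Highest risk level among each user's open detections.

    A user with one high and one low detection is a high-risk user; the
    aggregate, not the individual event, drives the automatic control.
    """
    level: Dict[str, str] = {}
    for d in open_detections(detections):
        upn = d["userPrincipalName"].lower()
        current = RISK_ORDER[level.get(upn, "none")]
        if RISK_ORDER[d["riskLevel"]] > current:
            level[upn] = d["riskLevel"]
    return level


def remediation_plan(detections: Iterable[dict]) -> Dict[str, str]:
    """Automatic control to apply per user, by aggregated risk level."""
    return {upn: ACTION_BY_LEVEL[lvl] for upn, lvl in user_risk(detections).items()}


def manual_review_queue(detections: Iterable[dict]) -> List[str]:
    """Open detections that no automatic control addresses; an analyst
    reviews these with the risk event details from the security reports."""
    return sorted(d["id"] for d in open_detections(detections)
                  if ACTION_BY_LEVEL[d["riskLevel"]] == "monitor")


if __name__ == "__main__":
    for upn, action in sorted(remediation_plan(SAMPLE_DETECTIONS).items()):
        print(f"{upn}: {user_risk(SAMPLE_DETECTIONS)[upn]} -> {action}")
    print("manual review:", manual_review_queue(SAMPLE_DETECTIONS))
```

The split matters operationally: detections in a closed state are skipped so an analyst's dismissal is not undone, and the per-user aggregate means a compromised user is not treated as low risk just because their newest event happens to be.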

Zero Trust and attack simulation for users

You should not assume any security assurances for users during authentication. Define and apply a Zero Trust strategy based on measurement and enforcement of key security attributes.

Simulate attacks against users, for example by using Office 365 Attack Simulation, to build their knowledge and skills in avoiding and resisting attacks. Your employees and users are an essential part of your defense. By educating and empowering them in this way, you reduce overall risk to your organization.

In Summary…

In the cloud, resources become dynamic and users may access applications and data from any location. Identity authentication and authorization is well-suited for cloud security. A single organizational directory for employee and resource identity management helps ensure clarity and consistency.

About the Author:

Jason is a 1st Vice President, Cloud Solutions Architect at City National Bank of Florida headquartered in Miami, Florida. Jason has been working with computers ever since he bought his first, a Timex/Sinclair 1000 in 6th grade and taught himself BASIC programming. Jason was educated at the University of Cincinnati and the Massachusetts Institute of Technology – Sloan School of Management. He is a Microsoft Azure MVP (2010-present), a young adult author, and a cellist.

Reference:

Milgram, J. (2020). Identity and access management. Available at: https://www.linkedin.com/pulse/identity-access-management-jason-milgram/ [Accessed: 20th May 2020].
