The pandemic has pushed admins to realize that identity should be the first thing they think of when designing a secure network. If you aren’t prioritizing your identity focus in your organization, it’s time for you to do so. If you’re managing identity with an on-premises mindset but support remote staff, then it might be time to update your approach.
If you have been in technology for any length of time, you’ve probably used Microsoft’s Active Directory (AD). Introduced in 1999, Active Directory Domain Services (AD DS) is the cornerstone of many networks. It stores information about devices and users in a domain and verifies their credentials and rights to the network.
AD DS has been the gold standard of how admins set up networks and validated users. Cloud services were not a major part of many daily network needs before 2020. Then came the pandemic and all five-year plans for technology to provide for better integration between our physical domains and cloud applications were compressed to being needed, well, yesterday. Suddenly we needed something that could go outside the physical network and allow for authentication with cloud services; we needed a way to connect and control home computers and allow them to access corporate networks.
As a result, Azure Active Directory (Azure AD) has moved from being something to evaluate to a now mandatory platform to successfully support users and their work-from-home needs. The ability to work from home will be a standard even after the threat of the pandemic goes away.
Recently I spoke with Joy Chik, corporate vice president for Microsoft Identity. She referred to her recent blog post discussing this transformation. Azure AD App Gallery saw a 109% increase in use from last year with many of the applications related to remote access to the network. Proxy apps, or app delivery and network controllers and VPNs, was one category that increased the most. Azure AD Application Proxy service, which helps organizations with remote access to critical on-premises apps, had a huge increase in growth.
Chik discussed how identity security is now such a key pivotal requirement in organizations. You would have to be living under a rock not to see all the headlines about how attackers have gained persistent access into a network by attacking users, consultants, and especially remote access. Designing networks with the idea that attackers will at some point access them is key to protecting them.
Microsoft calls this an “assume breach” mentality. It means that you start with verifying identity explicitly in your organization. Attackers do not hack these days; they log in with credentials that they have harvested.
Securing access across your network can start with connecting your network and applications to Azure AD. It can help with secure sign-on technology roll outs and using stronger passwords and mandated controls. You can also add multi-factor authentication (MFA) and conditional access policies to legacy on-premises applications by using Azure AD Application Proxy.
As Chik notes in her blog, you need to ensure that MFA is enabled in your organization. You can use the Microsoft Authenticator app to provide two-factor confirmation as well as become the de facto password sync manager for your organization. Passwords used in Edge will be automatically synced into Authenticator. I look for applications that support the Microsoft authenticator app as it makes my life easier if all my applications use the same authenticator. I find that I always have my phone with me, but I might forget a two-factor token. The convenience of the Authenticator app cannot be overlooked.
Microsoft recently rolled out the public preview of Azure AD Application Proxy that supports header-based authentication. Prior to this, you had to rely on third-party services to publish remote access applications through Azure AD. You can strengthen your security posture by ensuring that all the applications you provide to your remote users through VPN can be published and offered as remote applications through Azure AD Application Proxy. This will mandate stronger choice of passwords and the ability to apply more granular conditional access policies even to legacy applications.
Organizations are still struggling through the journey from using passwords to using more secure techniques ranging from the use of Windows Hello for Business, Microsoft Authenticator and tools such as Yubico YubiKeys. Consumer use of PINs have increased since the rollout of Windows 10. As consumers have purchased hardware that supports more secure authentication techniques, consumer use of PINs and biometrics to log in versus old-fashioned passwords has increased. The use of passwordless techniques is not as great in business implementations. This is partly due to legacy server deployments that can’t support stronger authentication processes. Connecting to Azure AD allows the organization to bridge the gap to introduce stronger authentication processes.
Chik stressed that as you review legacy applications and migrate to newer versions, you should investigate and deploy more secure applications. Just as I look for applications that support the Microsoft Authenticator, you should look for applications that support Microsoft Authentication Library (MSAL) or make sure your application developers design your internal software to support it. When setting up cloud applications I recommend using the administrator consent process to ensure that only those applications that you approve will be connected to your users’ access. Given today’s security, you can no longer set up cloud applications without these consent policies.