
Three Considerations For Securing A Hybrid Identity Environment


Co-founder of Semperis. Leads the company’s overall strategic vision and implementation.

Given the buzz about cloud computing in the past decade, some find it startling to confront data that illustrates the predicted wholesale shift to the cloud still hasn’t happened. According to a 2021 Gartner report (paywall), only 3% of mid-sized and large organizations will migrate completely from on-premises Active Directory (AD) to a cloud-based identity service by 2025.

The key qualifier here is “completely.” Most organizations will continue to leverage the mix of on-premises and cloud assets that best fits their situations for the foreseeable future. While the flexibility of hybrid identity environments brings huge benefits, it comes with increased risk.

Security vulnerabilities of on-premises AD (the primary identity store for 90% of businesses worldwide) are becoming well-known. A 2021 survey by EMA that was sponsored by my company revealed that 50% of organizations experienced an attack on AD in the past one to two years. Even more alarming is that more than 40% of the attacks were successful. Cybercriminals are exploiting security weaknesses in hybrid identity systems by gaining entry into the cloud and moving to the on-premises system — or vice versa.

In the SolarWinds case, threat actors targeted (among other attack vectors) the federation service that the company had set up between its own on-premises directory services and the cloud, where it managed the Orion software code that hundreds of Fortune 500 companies and government agencies used. Because the cloud puts full trust in the federation service to properly authenticate users, attackers stole the token signing certificate, giving them undercover access to the entire Orion source code.


The key takeaway is that managing hybrid identity system security is complicated. And since Azure AD is a critical piece of organizations’ security puzzle, organizations embracing a hybrid identity model need to carefully manage these three primary challenges:

1. The Azure AD security paradigm is very different from that of on-premises AD.

AD and Azure AD have almost nothing in common, and it’s important to understand these differences. For IT teams adept at managing on-premises AD security settings, familiar concepts like forests and Group Policy Objects do not apply in the Azure AD environment. In addition, the notion of the traditional network perimeter doesn’t exist in Azure AD. IT and security teams need to be prepared to guard against an endless number of potential entry points in a hybrid identity environment.

Shifting to Azure AD brings radical changes to the permissions model. In an on-premises environment, IT teams can easily control who can access domain controllers (although misconfigurations can hinder security goals) and entry points are well-defined. In a hybrid AD environment, identities are stored in the cloud and are potentially vulnerable to exploitation by malicious actors, as we have seen in various attacks.

A favorite target for cyberattackers is the cloud service that organizations tend to adopt first and fastest: Microsoft 365. In 2020, Mandiant researchers saw an increase in incidents involving Microsoft 365 and Azure AD, mostly tied to phishing activities that enticed users into divulging their Office 365 credentials. Mandiant researchers also saw attackers using AADInternals, a PowerShell module that lets them navigate from the on-premises AD environment to Azure AD, where they can create backdoors, steal passwords and conduct other malicious activity.

2. Organizations lack skills to effectively manage hybrid identity security.

AD is the core technology for managing authentication and access to all business-critical assets, yet the lack of in-house AD security expertise means that IT and security teams are often blindsided by attacks that target common AD misconfigurations. Because AD security was not a priority 10+ years ago, insecure settings that were made for convenience — often without full realization of the security implications — have accumulated over time. IT administrators often inherit a tangled web of faulty settings that leave open doors for cyberattackers.

After talking with the user of an AD security assessment tool, who is an IT manager at a community college, I learned that IT ops teams, especially in the education sector, often don’t have the resources or knowledge to fix the dozens or even hundreds of misconfigurations that they encounter. This lack of expertise is compounded when you introduce Azure AD into the scenario — as every organization that has embraced Microsoft 365 has already done — given that the security model is completely different from on-premises AD.

3. Successfully managing hybrid security requires a clear understanding of the shared responsibility model.


The concept of moving assets and services to the cloud promises many benefits, not the least of which is giving up some of the management hassles to the cloud provider. But to ensure that organizations can withstand a cyberattack, leaders need a clear understanding of the cloud identity provider’s responsibilities. In essence, the IDP’s responsibility is to ensure that the service is continuously available. But protecting your assets, including your Azure AD resources, is your obligation.

For example, in the event of an Azure AD sabotage, you might think that once Microsoft restores the Azure service, business operations will resume as normal. But the Azure AD resources that your IT team carefully built to manage access to company-wide services — such as user accounts, roles, and groups — are not backed up by Microsoft. If those resources get wiped out, which can occur either through an accidental account deletion or malicious deletion that extends beyond the Recycle Bin, they will need to be rebuilt from scratch. That process will take time, and in the interim, your business will be at a standstill.
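One defensive habit that follows from this point, as an added example that is not the article's or Semperis's code: a read-only export of the users, groups, role holders and currently soft-deleted users in a tenant, using the Microsoft Graph PowerShell module (Connect-MgGraph, Get-MgUser, Get-MgGroup, Get-MgDirectoryRole, Get-MgDirectoryDeletedItemAsUser). It assumes the module is installed and the signed-in account holds the Directory.Read.All scope; the output file name is a hypothetical placeholder.

```powershell
# Added example (not from the article or Semperis): export the Azure AD objects the
# article says Microsoft does not back up for you, so they can be rebuilt from a
# known-good copy. Assumes the Microsoft.Graph module and Directory.Read.All scope.
Connect-MgGraph -Scopes 'Directory.Read.All'

$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
$outFile = "aad-backup-$stamp.json"   # hypothetical output path

# Users: keep the attributes needed to recreate accounts and map them back.
$users = Get-MgUser -All -Property Id,UserPrincipalName,DisplayName,AccountEnabled,UserType |
    Select-Object Id,UserPrincipalName,DisplayName,AccountEnabled,UserType

# Groups with their member object IDs, since membership is what grants access.
$groups = foreach ($g in Get-MgGroup -All -Property Id,DisplayName,SecurityEnabled,GroupTypes) {
    [pscustomobject]@{
        Id              = $g.Id
        DisplayName     = $g.DisplayName
        SecurityEnabled = $g.SecurityEnabled
        GroupTypes      = $g.GroupTypes
        MemberIds       = @(Get-MgGroupMember -GroupId $g.Id -All | Select-Object -ExpandProperty Id)
    }
}

# Activated directory roles and who currently holds them (Global Administrator, etc.).
$roles = foreach ($r in Get-MgDirectoryRole -All) {
    [pscustomobject]@{
        RoleTemplateId = $r.RoleTemplateId
        DisplayName    = $r.DisplayName
        MemberIds      = @(Get-MgDirectoryRoleMember -DirectoryRoleId $r.Id -All | Select-Object -ExpandProperty Id)
    }
}

# Soft-deleted users still inside the 30-day recycle bin; anything past that window
# is the "beyond the Recycle Bin" case and can only be rebuilt from an export like this.
$deleted = Get-MgDirectoryDeletedItemAsUser -All -Property Id,UserPrincipalName,DeletedDateTime |
    Select-Object Id,UserPrincipalName,DeletedDateTime

[pscustomobject]@{
    ExportedAt  = (Get-Date).ToString('o')
    Users       = $users
    Groups      = $groups
    Roles       = $roles
    SoftDeleted = $deleted
} | ConvertTo-Json -Depth 5 | Set-Content -Path $outFile -Encoding utf8

Write-Host "Exported $($users.Count) users, $($groups.Count) groups, $($roles.Count) roles to $outFile"
Write-Host "$($deleted.Count) users are soft-deleted and still restorable from the recycle bin"
```

Store the export somewhere the tenant's own administrators cannot silently delete, and diff consecutive runs to spot unexpected role or group changes.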

In summary, securing a hybrid identity environment requires diligence.

Although hybrid environments are demonstrably prime targets for cyberattacks, organizations can strengthen their security stance by dedicating resources to understanding the nuances of hybrid identity security, shoring up identity security skill sets and carefully reviewing the recovery plan for Azure AD in case of a cyberattack.


Forbes Business Council is the foremost growth and networking organization for business owners and leaders. Do I qualify?
