Many organizations embrace hybrid architectures as the first step in a cloud-adoption journey. In such environments, the integration of Microsoft Active Directory and Azure Active Directory (Azure AD) can simplify administration. However, Active Directory is a hot target for threat actors especially in hybrid deployments, which can complicate authentication management.
Any breach in your identity services can grant malicious users access to your applications and business-critical data. A compromised Active Directory account can enable an on-premises attack to extend to the cloud and vice versa, as evidenced by the infamous SolarWinds attack. This type of compromise can be difficult to detect and mitigate. There is a growing need to focus on hybrid identity management in other words, how you manage authentication to ensure comprehensive security.
Although Active Directory and Azure AD are alike in name, the differ widely in the way they function and in their associated security models. Therefore, a paradigm shift is required to manage security in a hybrid identity environment, particularly in four key focus areas: role-based access control (RBAC), application security, federated authentication and multifactor authentication (MFA).
1. Evaluate RBAC options
Azure AD uses RBAC for authorization. Users are assigned roles with predefined permissions that allow or deny access to cloud resources. The rule of thumb is to follow the principle of least privilege (i.e., provide minimal permissions and only while required).
Azure RBAC uses two types of roles: built-in and custom. Built-in roles come with a predefined set of permissions, which makes life easier for administrators but can provide more access than required. If compromised during an attack, these roles could be exploited by threat actors to facilitate lateral movement. Custom roles let you customize permissions, enabling you to strictly control access to cloud resources.
To further support the principle of least privilege, you can create Administrative Units in your Azure AD tenant. You can use this capability to further restrict which objects various IT team members can manage, via a specific RBAC role. Only native Azure AD accounts should be made members of those highly privileged Azure AD roles.
2. Audit application permission settings
Using Azure AD for third-party application authentication could extend your risk perimeter. Some applications read and store Azure AD data in external databases. Others request more permissions in Azure AD than they require to operate.
Furthermore, additional security measures like MFA might not work for some apps. For example, many email clients use legacy protocols such as Exchange ActiveSync (EAS), IMAP, MAPI/HTTP, or POP3, which do not support MFA. If those protocols are enabled in your Azure AD tenant, cybercriminals could try to access your mailboxes without being prompted for a second factor. Implement strict governance and conduct periodic audits of app permissions to identify where additional restrictions are needed.
3. Consider federated authentication alternatives to Active DirectoryFS
Traditionally, organizations have used Active DirectoryFS to enable federated authentication in Active Directory environments. However, Active DirectoryFS can pose a security risk in hybrid environments, potentially extending the attack surface of an on-premises breach to the cloud.
Microsoft provides alternative solutions, such as password hash synchronization, Active Directory Pass-through Authentication, and Azure Active Directory Application Proxy. You can use these protocols in place of Active DirectoryFS while integrating on-premises Active Directory with Azure AD.
Both password hash synchronization and Active Directory Pass-through Authentication enable users to leverage the same password to log in to both on-premises and Azure AD integrated applications. The first option synchronizes an encrypted hash of the on-premises Active Directory to Azure AD, for a hassle-free user experience. The second uses authentication agents and an outbound-only connection model and can be integrated with native Azure AD security measures like conditional access and smart lockout.
However, Active Directory Pass-through Authentication relies on the availability of your on-premises Active Directory a problem during ransomware attacks. For resiliency, consider synchronizing the password hashes of your Active Directory users to Azure AD.
Azure Active Directory Application Proxy can configure secure remote access to on-premises applications using Azure AD credentials. The service leverages an application proxy connector for the secure exchange of sign-on tokens. This service can act as the first step to phase-down usage of Active DirectoryFS and adopt a truly hybrid identity model.
4. Enforce MFA
MFA provides an additional layer of credentials protection: Even if attackers get hold of a user’s credentials, they also need access to the user’s email, phone or security key to clear the authentication process. This requirement can slow down or flag potential infiltration attempts.
For MFA to be truly effective, organizations should implement it for all accounts not just the privileged ones. Attackers can and do use non-privileged accounts to infiltrate systems and move laterally across account access perimeters.
You can use MFA in conjunction with conditional access policies for context-aware security implementation. You can also implement conditions such as trusted locations, organization-managed devices and secure protocols before granting access to resources.
Gearing up for hybrid identity protection
Hybrid identity protection requires administrative due diligence: enabling the right set of roles in Azure AD, applying airtight security configurations, and adding guardrails such as MFA. In addition, organizations can implement tools that perform continuous assessment and risk profiling, enable visibility into your hybrid identity solution to help track lateral attacks, and provide change-tracking and auto-remediation features to protect against stolen credentials and malicious insiders.
No matter how much you fortify your environment, though, threat actors are continuously evolving. Hence, it’s equally important to have a recovery plan for Active Directory and Azure AD, in case an attack occurs.