Transforming Your Business Using Microsoft Azure - Part 2 - Identity & Access Management
As mentioned in Part 1 of this series, the main concern about moving to the cloud is data security. That is a concern with the future, a "what if" scenario. The top concern for right now, today, this minute, this second is Identity & Access Management (IAM). That goes for organizations running their IT infrastructures in the cloud, on premises, anywhere. You are probably aware that the top risk to your organization's security is its people. Social engineering attacks are breaching faster and spreading further than ever before. Data is being held for ransom to the tune of 7 figures and companies are paying it! In this part of my series on transforming your business using Microsoft Azure, we will discuss the services and features available to your organization to form a secure and cohesive IAM strategy.
Azure Active Directory
Azure Active Directory (AAD) is the backbone of authentication for Microsoft's cloud portfolio. This includes Office 365, Dynamics 365, and Microsoft Azure. This is not your on-premises Active Directory Domain Services (ADDS) that runs on Windows Server. Rather than the technologies used by ADDS (Kerberos and LDAP), Azure AD is an all-new authentication system born in the cloud and based on modern technologies such as OAuth 2.0 and SAML. These modern authentication technologies allow for a wide array of compatibility with other cloud services, leading to consolidation of identities in your organization.
Azure AD Application Catalog
Out of the box, Azure AD allows you to federate your users to thousands of other online services. These include popular services such as Box, Dropbox, SalesForce, DocuSign, Facebook, Amazon, AWS, Citrix GoToMeeting, Cisco WebEx, and many others. In fact, the catalog of readily available applications is up to 2,880 at the time of this writing.
When faced with managing different user accounts for different services, users will tend to take shortcuts such as saving the passwords in a text document or on a sticky note attached to the screen, or even revert to using overly simplistic passwords that are easily cracked. Additionally, when a user leaves the company, it can be difficult to ensure that all of the various accounts have been accounted for and disabled. Utilizing application federation with Azure AD can simplify hundreds of accounts into just one, which increases both productivity and security.
It's important to mention that the applications in the catalog are not the only ones that can be used with Azure AD. In fact, nearly any service that allows for authentication through an OAuth or SAML based system will likely be compatible with Azure AD. For instance, if you utilize Citrix in your organization, you can redirect authentication from your NetScaler to Azure Active Directory.
Azure AD Connect
I mentioned that we can simplify hundreds of user accounts into one, but you are probably saying "Hey wait, I have ADDS today and am thinking of using Azure AD but you said they were two different systems. Wouldn't that leave me with 2 accounts?"
There's an app for that! Microsoft provides a tool called Azure AD Connect, which enables Active Directory Domain Services to be continually synchronized with Azure AD. In this scenario, ADDS becomes the authoritative party and accounts are then synchronized into Azure AD to extend user identity into the cloud. This is a continuous, scheduled sync (every 30 minutes by default). This truly begins to create a one-to-many model where all user access interactions are controlled by a central authority.
Additional Features
A strong IAM strategy is more than simply extending identity into the cloud and reducing account sprawl. After all, a user's password can still just as easily be cracked or accidentally given away. Thankfully, Azure AD has some premium options available to further strengthen our identities.
Azure Multi-Factor Authentication
Available to organizations utilizing Azure AD is a feature called Azure Multi-Factor Authentication, or Azure MFA for short. Azure MFA is always free for users with Global Administrator status in any Azure AD tenant. For other users, there are a couple of pricing models available. Organizations can opt to pay a flat fee per user or use a consumption-based model. Azure MFA can be placed in front of any application that utilizes Azure AD as its authentication authority. Organizations have a few options when it comes to the second factor: telephone call, mobile application code, mobile application notification, or SMS text message. The modes made available to users can be restricted to a certain type, or, if multiple factors are made available, users may choose one to utilize.
Conditional Access
Security is a constant struggle to balance controls that are strong enough against the need for users to stay productive without being hindered. Conditional Access can help create a diverse security strategy by changing the way users interact based on their location, their device, or the application they are interacting with.
Conditional Access allows for policies to be created which change the way users access applications, or whether they can access them at all, based on various factors. Those factors can include trusted networks (i.e. your office locations), devices joined to Active Directory, or the client operating system in use (Android, Apple, Windows, etc.). We can also restrict access to applications by group or individual user. Additionally, we can combine these various factors to create multi-tiered policies that transform access to our applications. For example, we can federate our Citrix authentication through Azure AD. We can then set a Conditional Access policy that says only a certain group of users is allowed access to Citrix while outside of the company network. Additionally, we can further set the policy to require those users to use Azure MFA to gain access to Citrix only when they are outside of the company network. In this scenario, we have created a multi-tiered security access architecture for external Citrix users, without disturbing the way on-premises users interact with Citrix.
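To make the Citrix scenario above concrete, here is a small Python model of how such multi-tiered policies combine at sign-in time. It is an added example, not code from the original post and not Microsoft's Conditional Access engine; the group name "Citrix-Remote", the application name "Citrix", and the simplified rule that a block control always wins over a grant control are assumptions made for illustration. The two policies mirror the text: everyone except the remote group is blocked from Citrix off-network, and the remote group must pass MFA off-network, while on-network sign-ins are untouched.

```python
"""Toy evaluator for Conditional Access style policies (constructed example)."""
from dataclasses import dataclass, field


@dataclass
class SignIn:
    user: str
    groups: set            # Azure AD groups the user belongs to
    app: str               # application being accessed
    from_trusted_network: bool  # True when the source IP is a named trusted location


@dataclass
class Policy:
    name: str
    apps: set                                   # applications the policy targets
    include_groups: set = field(default_factory=set)  # empty set = "All users"
    exclude_groups: set = field(default_factory=set)  # users never in scope
    outside_trusted_only: bool = True           # i.e. exclude trusted locations
    control: str = "mfa"                        # "mfa" (grant) or "block"

    def applies(self, s: SignIn) -> bool:
        """All conditions must match for the policy to be in scope."""
        if s.app not in self.apps:
            return False
        if self.include_groups and not (s.groups & self.include_groups):
            return False
        if s.groups & self.exclude_groups:
            return False
        if self.outside_trusted_only and s.from_trusted_network:
            return False
        return True


def evaluate(policies, s: SignIn) -> str:
    """Return 'allow', 'mfa' or 'block' for one sign-in.

    Assumed combination rule: a block from any in-scope policy wins; otherwise
    every grant control from in-scope policies must be satisfied.
    """
    controls = {p.control for p in policies if p.applies(s)}
    if "block" in controls:
        return "block"
    if "mfa" in controls:
        return "mfa"
    return "allow"


# The two policies described in the text (names and groups are assumptions).
CITRIX_POLICIES = [
    Policy("Block Citrix off-network for everyone outside the remote group",
           apps={"Citrix"}, exclude_groups={"Citrix-Remote"}, control="block"),
    Policy("Require MFA for the remote group off-network",
           apps={"Citrix"}, include_groups={"Citrix-Remote"}, control="mfa"),
]


if __name__ == "__main__":
    # Constructed sign-ins covering each tier of the policy.
    samples = [
        SignIn("dave", {"Staff"}, "Citrix", from_trusted_network=True),
        SignIn("erin", {"Staff", "Citrix-Remote"}, "Citrix", from_trusted_network=False),
        SignIn("dave", {"Staff"}, "Citrix", from_trusted_network=False),
        SignIn("dave", {"Staff"}, "Office 365", from_trusted_network=False),
    ]
    for s in samples:
        print(f"{s.user:5} {s.app:10} trusted={s.from_trusted_network!s:5} -> "
              f"{evaluate(CITRIX_POLICIES, s)}")
```

Running it shows the on-network user passing straight through, the remote-group member being prompted for MFA off-network, a non-member being blocked off-network, and a non-Citrix application untouched by either policy. In a real tenant the same shape is expressed with an "All users" assignment plus a group exclusion and a location condition that excludes trusted locations.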
Azure AD Activity in Power BI
An important part of an IAM strategy is knowing what your users are doing and when they are doing it. As part of Azure AD Premium, your organization gains access to advanced reporting on user activity occurring against the directory. These reports can be sent to Power BI where they are displayed in an easily consumable manner. The data can also be printed or exported to Excel. The reports themselves provide information such as when users are logging in and which applications they are logging into, as well as the geographical location the login originated from. This can be very useful in locating anomalous logon activity, for instance users logging in from a country where you know there should not be any logon activity. These reports contain information for any application federated through Azure AD. Therefore, the more applications you federate through Azure AD, the better the data surrounding your users' activity.
Cloud App Security
Data is great, especially when presented in easy to read charts via Power BI. However, reviewing reports may uncover an old security event where the damage has already been done. With the ability of today's malware to compromise an identity and move both laterally and vertically through networks, it is imperative that attacks are identified and mitigated as soon as possible. Cloud App Security is an Azure AD Premium feature that enables alerting based on anomalous activity within the Azure AD tenant. This provides real-time notifications to administrators and, if desired, automated remediation. Just recently, improvements were made to the service to also expire the refresh token (in addition to the account itself) to ensure that malicious activity is stopped immediately, and not allowed to continue for the life of the token.
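The two sections above describe the same detection from two angles: spotting sign-ins from a country where none should occur in the exported reports, and reacting quickly enough that a compromised identity's tokens are cut off along with the account. The Python below, an added example that is not part of the original post and not Microsoft's reporting or Cloud App Security code, runs that check over a constructed sign-in export. The column layout, the `contoso.example` users, and the set of expected countries are all assumptions made for the example.

```python
"""Flag sign-ins from unexpected countries in an exported report (constructed)."""
import csv
from io import StringIO

# Constructed sample in the shape of a sign-in report export; not real data.
SAMPLE_SIGNINS = """\
timestamp,user,application,country,result
2017-05-01T08:02:11Z,alice@contoso.example,Office 365,US,Success
2017-05-01T08:15:42Z,bob@contoso.example,Citrix,US,Success
2017-05-01T09:40:03Z,alice@contoso.example,Dropbox,RU,Success
2017-05-01T09:41:55Z,carol@contoso.example,Salesforce,GB,Failure
2017-05-01T10:05:17Z,carol@contoso.example,Salesforce,BR,Success
"""

# Assumption: the countries this organization actually operates from.
EXPECTED_COUNTRIES = {"US", "GB"}


def parse_signins(text: str) -> list:
    """Parse the CSV export into a list of row dictionaries."""
    return list(csv.DictReader(StringIO(text)))


def find_unexpected_countries(rows: list, expected=EXPECTED_COUNTRIES) -> list:
    """Return one alert per successful sign-in from outside the expected set.

    Failed attempts are reported separately in practice; here only successes
    are flagged because those are the ones where a session now exists.
    """
    alerts = []
    for r in rows:
        if r["result"] == "Success" and r["country"] not in expected:
            alerts.append({
                "timestamp": r["timestamp"],
                "user": r["user"],
                "application": r["application"],
                "country": r["country"],
                # Disabling the account alone leaves an already-issued refresh
                # token usable until it expires, so both steps are listed.
                "remediation": ["disable_account", "revoke_refresh_tokens"],
            })
    return alerts


def users_to_remediate(alerts: list) -> list:
    """Distinct users named in the alerts, in a stable order."""
    return sorted({a["user"] for a in alerts})


if __name__ == "__main__":
    found = find_unexpected_countries(parse_signins(SAMPLE_SIGNINS))
    for a in found:
        print(f"{a['timestamp']} {a['user']} -> {a['application']} from "
              f"{a['country']}: {', '.join(a['remediation'])}")
    print("users to remediate:", users_to_remediate(found))
```

On the sample, the two successful sign-ins from RU and BR are flagged while the failed attempt from GB is not, and each alert carries both remediation steps so that the response does not stop at the account and leave the refresh token live.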
Summary
Today we have seen how we can transform our Identity & Access Management strategy using Microsoft Azure in the following ways:
- Extend on-premises Active Directory identities into the cloud using Azure AD Connect
- Federate authentication for an organization's application portfolio using the Azure Active Directory App Catalog and modern authentication
- Protect user identity using add-ons such as Azure MFA, Conditional Access and Cloud App Security
As an added bonus, the Microsoft Enterprise Mobility + Security blog posted a great article this morning on the steps Microsoft takes to protect your organization's usage of Azure AD. Coming up next in the series, we will discuss utilizing Microsoft Azure for Disaster Recovery & Business Continuity!