Why identity has emerged as the security perimeter in hybrid deployments
By Guido Grillenmeier, Chief Technologist at Semperis
Cloud-led innovation has accelerated the digital transformation of many organizations that have embraced hybrid architectures as the first step in their cloud adoption journey. And as your identity service holds the keys to your kingdom, identity is emerging as the security perimeter in hybrid deployments. Any breach in this perimeter could result in malicious users gaining access to your applications and business-critical data.
Secure hybrid identity management is thus a must-have in cloud architectures, and integration with Microsoft Active Directory (AD) and Azure Active Directory (AAD) plays an important role in enabling the security of hybrid identities.
In this blog, we’ll explore the major challenges that organizations face in hybrid identity management. We’ll also dive into four key focus areas for ensuring the security of Azure Active Directory—role-based access control (RBAC), application security, federated authentication, and multi-factor authentication (MFA).
Understanding the challenges in hybrid identity management
Most organizations do not take the plunge and move completely to the cloud; instead, they take a phased approach where their on-premises and cloud systems co-exist. This approach brings additional complexity in terms of managing authentication in a hybrid environment, making it prone to errors and misconfigurations that leave the door wide open for possible cyberattacks. Moreover, the challenges associated with ensuring the security of hybrid identities can be unique, differing from those found in on-premises environments.
Active Directory and Azure Active Directory are closely integrated for hybrid identity management. This integration makes your life easier when your workloads are deployed across on-premises environments and in the cloud. However, it also means that a compromised Active Directory account can allow the attack to be extended to the cloud from on-premises and vice versa.
Lateral attacks from within on-premises AD
Cybercriminals often use phishing and social engineering attacks that trick vulnerable users into disclosing sensitive information, including credentials. This trend is clear from recent high-profile attacks like SolarWinds and Colonial Pipeline. In the infamous SolarWinds attack, the threat actors took control of on-premises AD, compromised the ADFS federation server to forge SAML tokens, and thereby gained access to Azure AD.
Being the gatekeeper of your IT landscape, Active Directory is a hot target for threat actors, especially in hybrid deployments.
Misconfigurations and other security vulnerabilities
Other entry points for attackers are misconfigurations and security vulnerabilities associated with your identity management solution. Because Azure AD consists of managed services, the security of its underlying infrastructure in the cloud is taken care of by Microsoft. However, the security of your data and Azure AD configuration is your responsibility. During a cyberattack, any of your users, groups, roles, conditional access policies, etc. could be altered or wiped out, causing a longstanding impact unless you have a proper recovery plan in place. Data or configurations in Azure Active Directory that are overwritten during an attack would also have a strong impact on your system, and there are not many native controls to protect these assets.
The Azure AD recycle bin provides a soft delete feature that could help you restore deleted users, but it has minimal capabilities to restore anything beyond a 30-day window. Any other forms of compromise would be difficult to detect and mitigate, especially if attackers move laterally from on-premises to the cloud. Hence, there is a growing need to focus on hybrid identity management, i.e., on how you manage your organization’s authentication and security across both environments so that protection is comprehensive.
Key focus areas for Azure Active Directory security
Although Active Directory and Azure AD are alike in name, the way they function is very different. Because of this, the security models associated with these services are also different, meaning that a paradigm shift is required to manage security in a hybrid identity environment.
Let’s explore some of the key focus areas you need to consider when securing AD and Azure AD in a hybrid environment.
- Evaluate Role-Based Access Control options
Unlike on-premises AD, Azure AD uses RBAC for authorization. Users are assigned roles with predefined permissions that allow or deny them access to cloud resources. As this approach is different from the traditional Active Directory access management model, you need a new perspective for managing access in a hybrid identity environment.
Administrators should give careful consideration to how roles are defined and permissions granted. The rule of thumb is to follow the principle of least privilege, i.e., provide minimal permissions and only during the time they are required. Azure RBAC uses two types of roles—built-in and custom.
Built-in roles, as the name indicates, come with a predefined set of permissions that makes life easier for an administrator. However, this default configuration can also mean you end up providing more permissions than required. If compromised during an attack, these excessive permissions could be exploited by threat actors to facilitate lateral movement. Custom roles, on the other hand, let you customize permissions. Using custom roles allows you to further lock down permissions and strictly control access to cloud resources.
In the meantime, Microsoft has also provided the ability to create Administrative Units in your Azure AD tenant. This important capability allows you to restrict which objects various IT team members can manage via a specific RBAC role, further supporting the principle of least privilege.
You will also be on the right path if you avoid the mistake of adding accounts synchronized from your on-premises AD into privileged Azure AD RBAC roles such as Global Administrator. Only native AAD accounts should be made members of those highly privileged AAD roles.
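One way to check a tenant for the mistake described above, as an added example that is not part of the original article: the input mirrors the shape Microsoft Graph returns for directory roles with expanded members, but the role list, group membership map and the set of roles treated as privileged are constructed assumptions for illustration.

```python
"""Flag on-premises-synchronized accounts that hold privileged Azure AD roles.

Added example, not from the original article. Records follow the shape of Microsoft Graph
`directoryRoles` with expanded `members` (each member carries `@odata.type`,
`userPrincipalName`/`displayName`, `onPremisesSyncEnabled`); all sample data is constructed.
"""

# Roles treated as highly privileged for this check (assumption: extend to your tenant's list).
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator",
                    "Privileged Authentication Administrator"}

# Constructed sample: one cloud-only GA, one synced GA, one synced user via a role-assigned group.
SAMPLE_ROLES = [
    {"displayName": "Global Administrator", "members": [
        {"@odata.type": "#microsoft.graph.user", "userPrincipalName": "ga-cloud@contoso.example",
         "onPremisesSyncEnabled": None},
        {"@odata.type": "#microsoft.graph.user", "userPrincipalName": "jdoe@contoso.example",
         "onPremisesSyncEnabled": True},
        {"@odata.type": "#microsoft.graph.group", "id": "grp-1", "displayName": "Tier0 Admins"},
    ]},
    {"displayName": "Helpdesk Administrator", "members": [
        {"@odata.type": "#microsoft.graph.user", "userPrincipalName": "hd@contoso.example",
         "onPremisesSyncEnabled": True},
    ]},
]
# Constructed transitive user membership of the role-assigned groups (group id -> users).
SAMPLE_GROUP_MEMBERS = {
    "grp-1": [
        {"userPrincipalName": "svc-sync-admin@contoso.example", "onPremisesSyncEnabled": True},
        {"userPrincipalName": "ga-backup@contoso.example", "onPremisesSyncEnabled": None},
    ],
}

def synced_privileged_members(roles, group_members, privileged=PRIVILEGED_ROLES):
    """Return sorted (role, upn, via) tuples for synced users holding a privileged role;
    `via` is "direct" or the display name of the group the assignment came through."""
    findings = []
    for role in roles:
        name = role["displayName"]
        if name not in privileged:
            continue
        for m in role.get("members", []):
            if m.get("@odata.type") == "#microsoft.graph.user":
                # Graph reports null for cloud-only users and true for synced ones.
                if m.get("onPremisesSyncEnabled"):
                    findings.append((name, m["userPrincipalName"], "direct"))
            elif m.get("@odata.type") == "#microsoft.graph.group":
                for u in group_members.get(m["id"], []):
                    if u.get("onPremisesSyncEnabled"):
                        findings.append((name, u["userPrincipalName"], m["displayName"]))
    return sorted(findings)
```

Every tuple returned is a synced account that should be replaced by a cloud-only admin account in that role.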
- Audit application permission settings
Using Azure AD for third-party application authentication brings additional complexity to the security model. In some cases, data from Azure AD can be read and stored in external databases by these applications, which could effectively extend your risk perimeter. Data security will thus depend on the third-party application that Azure AD is integrated with.
Another possible weak spot is the level of permissions given to applications in Azure AD. If you don’t carefully review permission settings before granting access, these apps might end up having more permissions in Azure AD than what is required to operate. This potential oversight adds to the risk of applications making changes in the AD tenant.
Furthermore, additional security measures like MFA might not work for some of these applications, making them dependent on whatever security controls the application can provide. For example, MFA is not supported by legacy protocols used by many email clients, such as Exchange ActiveSync (EAS), IMAP, MAPI/HTTP, or POP3. So, if you still have those protocols enabled in your AAD tenant, cybercriminals can try to access your mailboxes without ever being prompted for a second factor. This potential security gap calls for strict governance and periodic audits of app permissions to understand where to implement additional restrictions.
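To see which accounts are still authenticating over the legacy protocols named above, and therefore without a second factor, the following added example (not code from the original article) evaluates sign-in log records in the shape of Microsoft Graph `auditLogs/signIns` entries; the sample records are constructed.

```python
"""Audit Azure AD sign-in records for legacy-protocol sign-ins that never saw MFA.

Added example, not from the original article. Records follow the Microsoft Graph
`auditLogs/signIns` shape (userPrincipalName, clientAppUsed, status.errorCode,
authenticationRequirement); the sample records below are constructed, not tenant data.
"""
from collections import defaultdict

# clientAppUsed values Azure AD reports for legacy (non-modern) authentication clients.
LEGACY_CLIENT_APPS = {
    "Exchange ActiveSync", "IMAP4", "POP3", "MAPI Over HTTP",
    "Authenticated SMTP", "Other clients",
}

# Constructed sample: one modern sign-in with MFA, two successful legacy sign-ins,
# one failed legacy attempt (50126 = invalid username or password).
SAMPLE_SIGN_INS = [
    {"userPrincipalName": "alice@contoso.example", "clientAppUsed": "Browser",
     "status": {"errorCode": 0}, "authenticationRequirement": "multiFactorAuthentication"},
    {"userPrincipalName": "bob@contoso.example", "clientAppUsed": "IMAP4",
     "status": {"errorCode": 0}, "authenticationRequirement": "singleFactorAuthentication"},
    {"userPrincipalName": "bob@contoso.example", "clientAppUsed": "Exchange ActiveSync",
     "status": {"errorCode": 0}, "authenticationRequirement": "singleFactorAuthentication"},
    {"userPrincipalName": "carol@contoso.example", "clientAppUsed": "POP3",
     "status": {"errorCode": 50126}, "authenticationRequirement": "singleFactorAuthentication"},
]

def legacy_auth_report(sign_ins):
    """Return {upn: {"protocols", "successes", "failures", "mfa_bypassed"}} for every user
    with at least one legacy-protocol sign-in attempt."""
    report = defaultdict(lambda: {"protocols": set(), "successes": 0,
                                  "failures": 0, "mfa_bypassed": 0})
    for rec in sign_ins:
        app = rec.get("clientAppUsed", "")
        if app not in LEGACY_CLIENT_APPS:
            continue
        entry = report[rec["userPrincipalName"]]
        entry["protocols"].add(app)
        if rec.get("status", {}).get("errorCode", 0) == 0:
            entry["successes"] += 1
            # A successful legacy sign-in that only required a single factor bypassed MFA.
            if rec.get("authenticationRequirement") != "multiFactorAuthentication":
                entry["mfa_bypassed"] += 1
        else:
            entry["failures"] += 1
    return dict(report)

if __name__ == "__main__":
    for upn, e in legacy_auth_report(SAMPLE_SIGN_INS).items():
        print(f"{upn}: {sorted(e['protocols'])} ok={e['successes']} "
              f"fail={e['failures']} no-MFA={e['mfa_bypassed']}")
```

Users with successes are the ones whose clients must be migrated before legacy authentication is blocked; failures against legacy endpoints are worth watching as password-guessing attempts that MFA cannot stop.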
- Consider federated authentication alternatives to ADFS
Traditionally, organizations have used ADFS to enable federated authentication in AD environments. However, ADFS can pose a security risk in hybrid environments because of the way such architectures are designed. For example, ADFS can potentially extend the attack surface of an on-premises breach to the cloud. This risk adds to the possible security vulnerabilities associated with maintaining the infrastructure for hosting ADFS, including missing patches, hardware updates, etc.
Simply put, modern-day hybrid identity management calls for additional security controls that might not be available in a traditional ADFS deployment.
Microsoft does provide alternative solutions to ADFS such as password hash synchronization, AD Pass-through Authentication, and Azure AD Application Proxy. You can use these protocols while integrating on-premises AD with Azure Active Directory in place of ADFS.
With password hash synchronization, users can leverage the same password as used on-premises to log in to Azure AD integrated applications. This service synchronizes a hash of each user’s on-premises AD password hash (never the password itself) to Azure AD for a hassle-free user experience.
AD Pass-through Authentication also enables users to log in to on-premises and cloud applications with the same password. Authentication agents delegate the authentication process to the on-premises Active Directory. Then, with an outbound-only connection model initiated by the agent and certificate-based authentication, AD Pass-through provides a secure alternative to ADFS. You can also integrate this approach with native Azure AD security measures like conditional access and smart lockout, which protect you from infiltrations and credential thefts.
Note that neither AD Pass-through Authentication nor federation via ADFS can prevent login issues to cloud-hosted applications in Azure in the event that your on-premises AD is not available; this is a hard truth during ransomware attacks that encrypt all AD domain controllers. As such—even if only for resiliency—you should consider synchronizing the password hashes of your AD users to Azure AD.
Last is Azure AD Application Proxy, which can configure secure remote access to applications hosted on-premises using Azure AD credentials and provides the same user experience as when accessing any Azure AD integrated application. The service leverages an application proxy connector for the secure exchange of sign-on tokens. This service can act as the first step to phase down usage of ADFS and adopt a truly hybrid identity model.
- Enforce Multi-Factor Authentication
Stolen identity credentials can lead to attacks that can go undetected for longer periods of time. Not all monitoring systems flag unusual account activity, so it is important to implement an additional layer of protection for your credentials through MFA. Even if an attacker manages to get a hold of user credentials, with MFA, they would also need to get access to their email/phone/security key to clear the authentication process. This requirement would slow down or flag potential infiltration attempts.
You can enable security defaults in your Azure AD tenant to apply preconfigured security settings across your organization, i.e., enforcing MFA for administrators, blocking legacy protocols, restricting access to the Azure Portal, etc. However, for MFA to be truly effective, organizations should implement it for all accounts, not just the privileged ones. While a breach of a privileged account can cause more damage, getting a hold of non-privileged accounts can also help an attacker infiltrate your systems and move laterally across the access perimeters of the account.
You can use MFA in conjunction with conditional access policies for context-aware security implementation. In addition to MFA, you can implement conditions such as trusted locations, organization-managed devices, and secure protocols before granting access to resources.
Gearing up for hybrid identity protection
Hybrid identity protection is a different beast altogether and requires due diligence from administrators to ensure that the keys to your kingdom are safe. This process involves tying up any loose ends and ensuring that you have the right set of roles enabled in your Azure Active Directory, airtight application security configurations, and additional guardrails such as MFA.
In addition to native security measures, IT leaders should explore tools that can perform continuous assessment and risk profiling, as well as enable visibility into their hybrid identity solution. These tools should have advanced capabilities to help you track attacks that could extend laterally across hybrid environments. Furthermore, tools with change-tracking and auto-remediation features can protect against stolen credentials and malicious insiders.
No matter how much you fortify your environment, be cognizant of the fact that attacks can still happen, as threat actors are continuously evolving in the cloud. Hence, it’s equally important to have a recovery plan in place for Active Directory and Azure AD in the event an attack does occur.
About the Author
Guido Grillenmeier, Chief Technologist at Semperis. Based in Germany, Guido was a Microsoft MVP for Directory Services for 12 years. He spent 20+ years at HP/HPE as Chief Engineer. A frequent presenter at technology conferences and contributor to technical journals, Guido is the co-author of Microsoft Windows Security Fundamentals. He’s helped various customers secure their Active Directory environments, and supported their transition to Windows 10/M365 and Azure cloud services.