Many companies see a hybrid architecture as the first step toward cloud adoption. In such an environment, management can be simplified by integrating Microsoft Active Directory and Azure Active Directory (Azure AD). However, Active Directory is a common target for threat actors, especially in hybrid deployments, and can complicate authentication management.
A compromised identity service could allow malicious users to access applications and business-critical data. As evidenced by the infamous SolarWinds attack, compromised Active Directory accounts can allow on-premises attacks to spread to the cloud and vice versa. Detecting and mitigating this type of compromise can be difficult. There is a growing need to focus on hybrid identity management: managing authentication across both directories so that security is end to end.
Despite their similar names, Active Directory and Azure AD are very different in how they work and in the security models associated with them. Therefore, managing security in a hybrid identity environment requires a paradigm shift, especially in four key focus areas: role-based access control (RBAC), application security, federated authentication, and multi-factor authentication (MFA).
1. Evaluate RBAC options
Azure AD uses RBAC for authorization. Users are assigned roles with predefined permissions that allow or deny access to cloud resources. The rule of thumb is to follow the principle of least privilege (i.e., provide minimal permissions and only while required).
Azure RBAC uses two types of roles: built-in and custom. Built-in roles come with a predefined set of permissions, which makes life easier for administrators but can grant more access than required. If an account holding such a role is compromised, the excess permissions give threat actors room for lateral movement. Custom roles let you define the permission set yourself, so you can strictly control access to cloud resources.
To further support the principle of least privilege, you can create Administrative Units in your Azure AD tenant. With them you restrict which objects various IT team members can manage through a given RBAC role, instead of granting that role tenant-wide. Only native (cloud-only) Azure AD accounts should be made members of the highly privileged Azure AD roles.
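The two checks implied by this section, as an added example that is not from the article: flag privileged role members that are synced from on-premises AD (or cannot be resolved at all), and flag tenant-wide assignments of roles that could have been scoped to an Administrative Unit. Attribute names follow Microsoft Graph; the directory snapshot is constructed.

```python
# Added example (not from the article): audit Azure AD role assignments for the two
# guardrails above. Attribute names follow Microsoft Graph (userPrincipalName,
# onPremisesSyncEnabled, principalId, directoryScopeId); every record is constructed.

# Roles that should be held only by cloud-native (never on-prem synced) accounts.
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator"}
# Roles that can be scoped to an Administrative Unit instead of the whole tenant.
AU_SCOPABLE_ROLES = {"User Administrator", "Helpdesk Administrator"}

# Constructed directory snapshot. directoryScopeId "/" means tenant-wide; any other
# value is an Administrative Unit scope.
USERS = {
    "u-1": {"userPrincipalName": "admin.cloud@contoso.example", "onPremisesSyncEnabled": False},
    "u-2": {"userPrincipalName": "jdoe@contoso.example", "onPremisesSyncEnabled": True},
    "u-3": {"userPrincipalName": "helpdesk.sync@contoso.example", "onPremisesSyncEnabled": True},
}
ROLE_ASSIGNMENTS = [
    {"role": "Global Administrator", "principalId": "u-1", "directoryScopeId": "/"},
    {"role": "Global Administrator", "principalId": "u-2", "directoryScopeId": "/"},
    {"role": "User Administrator", "principalId": "u-1", "directoryScopeId": "/"},
    {"role": "User Administrator", "principalId": "u-3",
     "directoryScopeId": "/administrativeUnits/au-helpdesk"},
    {"role": "Privileged Role Administrator", "principalId": "u-9", "directoryScopeId": "/"},
]

def find_synced_privileged_members(users, assignments, privileged_roles):
    """Flag privileged assignments whose principal is synced from on-prem AD or unknown.
    A synced account inherits the on-premises blast radius: whoever controls the domain
    can reset its password and then hold the cloud role as well."""
    findings = []
    for a in assignments:
        if a["role"] not in privileged_roles:
            continue
        user = users.get(a["principalId"])
        if user is None:  # deleted or foreign object still holding a role
            findings.append((a["principalId"], a["role"], "principal not found"))
        elif user["onPremisesSyncEnabled"]:
            findings.append((user["userPrincipalName"], a["role"], "synced from on-premises AD"))
    return findings

def find_unscoped_assignments(assignments, scopable_roles):
    """Flag tenant-wide assignments of roles that could be limited to an Administrative Unit."""
    return [(a["principalId"], a["role"]) for a in assignments
            if a["role"] in scopable_roles and a["directoryScopeId"] == "/"]

if __name__ == "__main__":
    print(find_synced_privileged_members(USERS, ROLE_ASSIGNMENTS, PRIVILEGED_ROLES))
    print(find_unscoped_assignments(ROLE_ASSIGNMENTS, AU_SCOPABLE_ROLES))
```

In a real tenant the same data comes from the Graph roleManagement/directory/roleAssignments and users endpoints; the logic is unchanged.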
2. Audit application permission settings
Using Azure AD for third-party application authentication could extend your risk perimeter. Some applications read and store Azure AD data in external databases. Others request more permissions in Azure AD than they require to operate.
Furthermore, additional security measures like MFA might not work for some apps. For example, many email clients use legacy protocols such as Exchange ActiveSync (EAS), IMAP, MAPI/HTTP, or POP3, which do not support MFA. If those protocols are enabled in your Azure AD tenant, cybercriminals who obtain a password could access mailboxes without ever being prompted for a second factor. Implement strict governance and conduct periodic audits of app permissions and protocol usage to identify where additional restrictions are needed.
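One way to run the audit this section calls for, as an added example that is not from the article: scan an export of Azure AD sign-in records and separate successful legacy-protocol sign-ins (mailboxes reachable with a password alone) from failed ones grouped by source address (the shape a password spray against a legacy endpoint takes). Field names and clientAppUsed values follow the Microsoft Graph signIn resource; the records are constructed.

```python
# Added example (not from the article): scan Azure AD sign-in records for activity over
# legacy protocols that cannot prompt for a second factor. Field names and clientAppUsed
# values follow the Microsoft Graph signIn resource; the records below are constructed.
import json

# Protocol names as Azure AD reports them. The article names EAS, IMAP, MAPI/HTTP and POP3;
# "Other clients" is the bucket for the remaining basic-authentication clients.
LEGACY_CLIENT_APPS = {"Exchange ActiveSync", "IMAP4", "POP3", "MAPI Over HTTP", "Other clients"}

# Constructed sign-in export (one JSON object per line). errorCode 0 is a successful sign-in;
# 50126 is Azure AD's "invalid username or password". IPs are from documentation ranges.
SAMPLE_SIGNINS = "\n".join(json.dumps(r) for r in [
    {"userPrincipalName": "jdoe@contoso.example", "appDisplayName": "Office 365 Exchange Online",
     "clientAppUsed": "Browser", "authenticationRequirement": "multiFactorAuthentication",
     "ipAddress": "203.0.113.10", "status": {"errorCode": 0}},
    {"userPrincipalName": "jdoe@contoso.example", "appDisplayName": "Office 365 Exchange Online",
     "clientAppUsed": "IMAP4", "authenticationRequirement": "singleFactorAuthentication",
     "ipAddress": "198.51.100.7", "status": {"errorCode": 0}},
    {"userPrincipalName": "asmith@contoso.example", "appDisplayName": "Office 365 Exchange Online",
     "clientAppUsed": "IMAP4", "authenticationRequirement": "singleFactorAuthentication",
     "ipAddress": "198.51.100.7", "status": {"errorCode": 50126}},
    {"userPrincipalName": "bkim@contoso.example", "appDisplayName": "Office 365 Exchange Online",
     "clientAppUsed": "Exchange ActiveSync", "authenticationRequirement": "singleFactorAuthentication",
     "ipAddress": "192.0.2.44", "status": {"errorCode": 0}},
])

def audit_legacy_signins(jsonl):
    """Split legacy-protocol sign-ins into exposure (succeeded without MFA) and attempts (failed).
    Successes show which mailboxes are reachable with just a password; failures, grouped by
    source IP, are what a password spray against a legacy endpoint looks like in the log."""
    exposure, attempts = [], {}
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("clientAppUsed") not in LEGACY_CLIENT_APPS:
            continue
        if rec["status"]["errorCode"] == 0:
            if rec.get("authenticationRequirement") != "multiFactorAuthentication":
                exposure.append((rec["userPrincipalName"], rec["clientAppUsed"]))
        else:
            attempts.setdefault(rec["ipAddress"], []).append(rec["userPrincipalName"])
    return exposure, attempts

if __name__ == "__main__":
    print(audit_legacy_signins(SAMPLE_SIGNINS))
```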
3. Consider federated authentication alternatives to AD FS
Traditionally, organizations have used Active Directory Federation Services (AD FS) to enable federated authentication in Active Directory environments. However, AD FS can pose a security risk in hybrid environments, potentially extending the attack surface of an on-premises breach to the cloud.
Microsoft provides alternative solutions, such as password hash synchronization, Azure AD Pass-through Authentication, and Azure AD Application Proxy. You can use these options in place of AD FS while integrating on-premises Active Directory with Azure AD.
Both password hash synchronization and Pass-through Authentication let users sign in to on-premises and Azure AD integrated applications with the same password. The first option synchronizes a hash of each user's on-premises Active Directory password hash to Azure AD, for a hassle-free user experience. The second uses on-premises authentication agents with an outbound-only connection model and can be integrated with native Azure AD security measures like Conditional Access and smart lockout.
However, Pass-through Authentication relies on the availability of your on-premises Active Directory, which becomes a problem during ransomware attacks. For resiliency, consider also synchronizing the password hashes of your Active Directory users to Azure AD.
Azure AD Application Proxy provides secure remote access to on-premises applications using Azure AD credentials. The service relies on an Application Proxy connector for the secure exchange of sign-on tokens. It can act as a first step toward phasing out AD FS and adopting a truly hybrid identity model.
4. Enforce MFA
MFA provides an additional layer of credential protection: even if attackers get hold of a user’s password, they also need access to the user’s email, phone or security key to complete authentication. This requirement can slow down or flag potential infiltration attempts.
For MFA to be truly effective, organizations should implement it for all accounts, not just the privileged ones. Attackers can and do use non-privileged accounts to infiltrate systems and move laterally across account access perimeters.
You can use MFA in conjunction with Conditional Access policies for context-aware enforcement, for example by requiring conditions such as trusted locations, organization-managed devices and secure protocols before granting access to resources.
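How "MFA for every account" composes with Conditional Access, as an added example that is not from the article: two policies written in the Microsoft Graph conditionalAccessPolicy shape (one blocking legacy client types outright, one requiring MFA or a compliant device for all users) and a small evaluator that applies them to a sign-in context. Field names and enum values mirror Graph; the policies, user ids and contexts are constructed.

```python
# Added example (not from the article): a minimal evaluator for Conditional Access policies
# written in the Microsoft Graph conditionalAccessPolicy shape, showing how "MFA for every
# user" composes with a legacy-protocol block and a managed-device alternative. Field names
# and enum values mirror Graph; the policies and sign-in contexts are constructed.

POLICIES = [
    {"displayName": "Block legacy authentication", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Require MFA or compliant device for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []},
                    "clientAppTypes": ["all"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa", "compliantDevice"]}},
]

def _applies(policy, ctx):
    """Does this policy's user and client-app scope cover the sign-in?"""
    if policy["state"] != "enabled":
        return False
    users = policy["conditions"]["users"]
    if ctx["userId"] in users.get("excludeUsers", []):
        return False
    if "All" not in users["includeUsers"] and ctx["userId"] not in users["includeUsers"]:
        return False
    apps = policy["conditions"].get("clientAppTypes", ["all"])
    return "all" in apps or ctx["clientAppType"] in apps

def evaluate(policies, ctx):
    """Return "block", "allow" or "deny:<policy>". A block policy wins regardless of order;
    otherwise every applicable grant policy must be satisfied by the controls the session
    already presents (ctx["satisfiedControls"], e.g. {"mfa"} or {"compliantDevice"})."""
    applicable = [p for p in policies if _applies(p, ctx)]
    if any("block" in p["grantControls"]["builtInControls"] for p in applicable):
        return "block"
    for p in applicable:
        g = p["grantControls"]
        met = [c in ctx["satisfiedControls"] for c in g["builtInControls"]]
        if not (any(met) if g["operator"] == "OR" else all(met)):
            return "deny:" + p["displayName"]
    return "allow"

if __name__ == "__main__":
    # Constructed sign-in contexts; the legacy client is blocked even with MFA satisfied.
    print(evaluate(POLICIES, {"userId": "u-1", "clientAppType": "browser", "satisfiedControls": {"mfa"}}))
    print(evaluate(POLICIES, {"userId": "u-1", "clientAppType": "exchangeActiveSync", "satisfiedControls": {"mfa"}}))
```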
Gearing up for hybrid identity protection
Hybrid identity protection requires administrative due diligence: enabling the right set of roles in Azure AD, applying airtight security configurations, and adding guardrails such as MFA. In addition, organizations can deploy tools that perform continuous assessment and risk profiling, give visibility into the hybrid identity solution to help track lateral attacks, and provide change tracking and auto-remediation to protect against stolen credentials and malicious insiders.
No matter how much you fortify your environment, though, threat actors are continuously evolving. Hence, it’s equally important to have a recovery plan for Active Directory and Azure AD, in case an attack occurs.
