Protect identity from modern threat vectors

Modern attack methods are looking to compromise your identity and establish a foothold in your organisation. So it’s vital that we protect identities from these modern threat vectors. With an identity, attacks can proceed to compromise your apps and data. The traditional security architecture, with a hard outer-shell and a soft, chewy center – is now one of your biggest vulnerabilities.

Moving to a modern ‘zero trust’ scenario, where the entire network is treated as hostile, will address this. But getting there is what we call a journey! So what can you do today to start you off? Plenty, identity is a foundational component for so much: Productivity, collaboration, security and so on. Getting your identities secured and the experience sorted will open up a lot of opportunities in these areas.

MFA, MFA, MFA

With identity being the target, it’s strange there are still vast numbers of users still not protected by MFA. And a lot of organisations are still tied to ADFS, and federated authentication into Azure AD. This means they are not able to take full advantage of Conditional Access or Identity Protection features.

Consider moving to Azure AD SSO with Password Hash Sync, enable Self-Service Password Reset, and Azure MFA.

Modern authentication controls

Moving to Azure AD SSO with PHS makes life so much easier. Your users get a more performant experience when accessing cloud resources (no hairpin of authentication traffic back into on-premises infrastructure). Access to cloud resources is no longer dependent on fragile on-premises infrastructure, which can be subject to significant outages. Particularly in the case of successful malware attacks. And if you have concerns about PHS from a security perspective, here’s two points to consider:

  • The clear text password is not synchronised. In fact even Azure AD Connect never sees the clear text password. It goes through multiple thousand iterations of being salted and hashed. It’s not going to be of any use to anything other than Azure AD.
  • With ADFS, there is a strong likelihood that you have no visibility of compromised users, until it’s too late. And even then, you’re still in the realm of manual controls. When you enable PHS, you get the opportunity to enable the compromised credentials report. Or even better, with the M365 E5 or AAD P2 licensing, Identity Protection. Enforce MFA in the case of a risky sign-in, or a password reset in the case of compromised identity. When you save the CEO’s account, it all becomes worth it. With PHS, your identities get far more protection than they do today.

My Security Info

While you’re enabling AAD SSO and PHS, we should also enable SSPR and Azure MFA. Users can be enabled to use a nicely converged ‘My Security Info’ experience,. This is a simple portal that allows folks to update security settings and view their sign-in activity. By following this path, you ensure that you’ll be getting the best out of your Microsoft licensing. With the latest features as they become available, the easiest integration, and users will get the most seamless experience.

One of the biggest barriers to MFA is getting users enrolled. But even that’s becoming easier, as it is now possible to pre-register users in bulk. Remember, over 99% of compromised identities do not have MFA enabled. So this is a huge step to protecting your environment. Enabling SSPR will see a significant improvement for your end users. They can self-heal through the SSPR portal or even directly in the Microsoft Authenticator app on their smartphone. And your Service Desk will see a big reduction in password reset requests.

Block legacy auth

To make sure we’re not leaving the back door open, it’s vital we disable legacy auth. Your senior executives might not like this because they might enjoy using some app or other. But they need to be reminded – they are far more likely to be subject to a sophisticated and targeted attack and so need to be particularly cautious in comparison to most users.

Of course, proactively protecting identities will take you a very long way. But what about removing the password altogether? Password spray attacks, credential stuffing (people re-using passwords across services), key loggers and so on don’t go away. By removing the shared secret (the password) from the sign-in process, you are significantly increasing your security posture.

Go Passwordless

Windows Hello for Business is a boon for organisations, users love the simplified sign-in process, security folks certificate-based authentication. The passwordless strategy works; It’s about moving apps gradually across to Azure AD, and enabling these modern identity controls. Once you have some prerequisites enabled, Windows Hello for Business could not be easier to use. It will delight your users when they don’t have to remember so many passwords or reset them so frequently. If they’re admins, senior executives or other high-value targets then consider FIDO2 keys. These provide an additional level of protection by taking the certificate off-device. If the device is shared then you may run into the limits of the TPM. Consider FIDO2 in these cases for a secure, passwordless experience.

So to summarise: Modernise your approach to authentication and identity protection: It makes life easier for you and your users. Your service will become more available and performant. Identities will be protected from modern threat vectors.

Gavin Ashton

Catch me over at LinkedIn, or Twitter

About the author