Employees need to access and share data wherever they are, using a variety of corporate and personal devices. As a result, security policies can no longer be based solely on whether a request originates from inside or outside the corporate perimeter. Organizations should therefore adopt the Zero Trust security model, starting with strong identity management. Microsoft recommends four steps for implementing strong identity in a Zero Trust model: enable multi-factor authentication (MFA), implement policy-based access, strengthen identity protection and allow only secure access to SaaS and on-premises apps.
A compromised credential, even one with low-level privileges, is all an attacker needs to gain a foothold in an organization and begin moving laterally, undetected, toward business-critical systems and data. To implement strong identity, organizations need a way to rapidly detect compromised identities and proactively prevent them from being misused. Azure AD Identity Protection uses heuristics and adaptive machine learning to detect anomalous behaviour and suspicious events that indicate a potentially compromised identity. Administrators can configure risk-based policies that respond automatically to detected risk: a policy can block access, or require MFA or a password change, once a specified risk level (low, medium or high) is reached, with separate policies for risky users and for risky sign-ins. Azure AD Identity Protection can also surface weaknesses that affect user identities, such as users not registered for MFA, unmanaged cloud apps, users with unnecessary privileged access and weak authentication for role activation.
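The following is an added example, not Noventiq's or Microsoft's own code. It expresses the risk-based policies described above as Conditional Access policies with risk conditions (the way Microsoft now recommends deploying Identity Protection's risk signals, rather than the legacy Identity Protection policy pages), creates them in report-only mode so their impact can be reviewed before enforcement, and then runs two checks a practitioner wants alongside such policies: which users are currently flagged at risk, and which users have not registered for MFA. It assumes the Microsoft.Graph PowerShell SDK is installed and the signed-in account holds Conditional Access Administrator (or Security/Global Administrator) rights. The break-glass account GUID and the policy names are constructed placeholders.

```powershell
# Added example (not Noventiq's or Microsoft's code): risk-based Conditional Access
# policies plus two checks. Requires the Microsoft.Graph PowerShell SDK.
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess",
                        "IdentityRiskyUser.Read.All", "AuditLog.Read.All"

# Constructed placeholder: object ID of an emergency-access (break-glass) account.
# Risk policies must always exclude it so a false positive cannot lock out every admin.
$breakGlassAccountId = "00000000-0000-0000-0000-000000000000"

# Policy 1: block when the sign-in itself is high risk (e.g. anonymous IP, impossible travel).
$signInRiskPolicy = @{
    displayName   = "Block at high sign-in risk (report-only)"
    # Report-only first: the policy is evaluated and logged but not enforced.
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users            = @{ includeUsers = @("All"); excludeUsers = @($breakGlassAccountId) }
        applications     = @{ includeApplications = @("All") }
        clientAppTypes   = @("all")
        signInRiskLevels = @("high")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
$p1 = New-MgIdentityConditionalAccessPolicy -BodyParameter $signInRiskPolicy
"Created '$($p1.DisplayName)' ($($p1.Id)) in state $($p1.State)"

# Policy 2: when the user (not just one sign-in) is rated medium or high risk, step up
# to MFA instead of blocking, so a compromised account is challenged but legitimate
# owners keep working.
$userRiskPolicy = @{
    displayName   = "Require MFA at medium or high user risk (report-only)"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassAccountId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
        userRiskLevels = @("medium", "high")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
$p2 = New-MgIdentityConditionalAccessPolicy -BodyParameter $userRiskPolicy
"Created '$($p2.DisplayName)' ($($p2.Id)) in state $($p2.State)"

# Check 1: who would policy 2 hit right now? Only users still "atRisk" matter;
# remediated, dismissed or confirmed-safe users are already handled.
Get-MgRiskyUser -Filter "riskState eq 'atRisk' and (riskLevel eq 'high' or riskLevel eq 'medium')" |
    Select-Object UserPrincipalName, RiskLevel, RiskState, RiskLastUpdatedDateTime |
    Format-Table -AutoSize

# Check 2: an MFA-on-risk policy is useless for users who cannot complete MFA.
# List accounts with no MFA registration so they can be registered before enforcement.
Get-MgReportAuthenticationMethodUserRegistrationDetail -Filter "isMfaRegistered eq false" -All |
    Select-Object UserPrincipalName, IsMfaRegistered, IsMfaCapable |
    Format-Table -AutoSize
```

Once the report-only sign-in logs show no unexpected matches, switching `state` to `enabled` (for example with `Update-MgIdentityConditionalAccessPolicy`) turns enforcement on; the break-glass exclusion should stay in place permanently.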
The Identity Protection dashboard provides information on users flagged for risk, on suspicious and anomalous activity, and on identity weaknesses. Azure AD supports three directory roles for managing an Identity Protection implementation:
the Global Administrator role, with full access to Identity Protection and the right to onboard it;
the Security Administrator role, with full access to Identity Protection but no right to onboard it or to reset user passwords;
the Directory Reader role, with read-only access and no ability to onboard Identity Protection, configure policies or reset passwords.
Azure AD role-based access control governs who can manage Azure AD resources. Azure AD supports two kinds of role definition: built-in and custom. Built-in roles ship with a fixed set of permissions that cannot be modified; there are many of them, and the list keeps growing. Where no built-in role matches a job exactly, Azure AD also supports custom roles. Granting permissions with a custom Azure AD role is a two-step process: create a custom role definition, then assign it with a role assignment. A custom role definition is a collection of permissions chosen from a preset list; these are the same permissions the built-in roles are composed of, so a custom role can be made strictly narrower than the nearest built-in one. A role assignment can be scoped to the whole tenant, to an administrative unit or to a single object such as one application registration, which keeps the grant as small as the task requires.
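The two-step process above, as an added example that is not Noventiq's or Microsoft's own code, using the Microsoft.Graph PowerShell SDK. It defines a custom role that can only update basic properties and credentials of application registrations, assigns it to one user, and then lists everything that user holds so the result can be reviewed against the "only what the job needs" rule. It assumes the SDK is installed and the signed-in account holds the Privileged Role Administrator (or Global Administrator) role; the role name, the assignee's UPN and the permission choice are illustrative.

```powershell
# Added example (not Noventiq's or Microsoft's code): create and assign a custom
# Azure AD role with the Microsoft.Graph PowerShell SDK.
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory", "User.Read.All"

# Step 1: the role definition. Only actions from Azure AD's preset permission list
# are accepted. These two permit editing basic properties and credentials of app
# registrations and nothing else: no user, group, device or policy rights.
$roleDefinition = @{
    displayName     = "App Registration Support (custom)"
    description     = "Update basic properties and credentials of application registrations only."
    isEnabled       = $true
    rolePermissions = @(
        @{
            allowedResourceActions = @(
                "microsoft.directory/applications/basic/update",
                "microsoft.directory/applications/credentials/update"
            )
        }
    )
}
$role = New-MgRoleManagementDirectoryRoleDefinition -BodyParameter $roleDefinition
"Created custom role '$($role.DisplayName)' with id $($role.Id)"

# Step 2: the role assignment. The assignee is a constructed placeholder account.
$assignee = Get-MgUser -UserId "app.support@contoso.example"

# directoryScopeId "/" is tenant-wide. For least privilege, narrow it to an
# administrative unit ("/administrativeUnits/<au-object-id>") or, for app-related
# roles, to a single application registration ("/<application-object-id>").
$assignment = @{
    "@odata.type"    = "#microsoft.graph.unifiedRoleAssignment"
    roleDefinitionId = $role.Id
    principalId      = $assignee.Id
    directoryScopeId = "/"
}
New-MgRoleManagementDirectoryRoleAssignment -BodyParameter $assignment | Out-Null

# Check: every directory role this account now holds, with scope and whether it is
# built-in, so an over-broad grant elsewhere (e.g. Global Administrator) is visible.
Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$($assignee.Id)'" |
    ForEach-Object {
        $def = Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $_.RoleDefinitionId
        [pscustomobject]@{
            Role    = $def.DisplayName
            BuiltIn = $def.IsBuiltIn
            Scope   = $_.DirectoryScopeId
        }
    } | Format-Table -AutoSize
```

Because the custom role is built from the same actions as the built-in ones, the same final check can be run over any principal to confirm it holds nothing broader than the custom role intended.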
“When an organization moves to the cloud and starts using identity protection, it is very important to properly configure the number and scope of administrator roles. This is particularly important because many avoidable errors can arise later on simply from the situation where the scope of administrator roles is not appropriate or too many people have such roles within the organization. It is therefore fundamental to ensure that everyone is only and exclusively authorized to do the job they are supposed to do. Noventiq can help its customers in this process from the very beginning. We assess your organization and its operations, thereby developing a global administration strategy tailored to the needs of your organization, with the right roles and positions. We will also develop individual roles for the organization if they are required to function properly. From the starting point, we will get the organization to a point where its operations are fully defined, structured, and developed in terms of administrator roles and rights.” - commented one of our experts.
If you feel your identity posture is not strong enough, whether the concern is identity protection, authorization or policies, contact us: Noventiq has international experience and is happy to help you build a strong identity for your organization.
Strong identity is one of the foundational pillars of Microsoft’s Zero Trust security model, which provides a framework for moving from access control based on implicit trust to an approach that verifies every user, device, location and other signal in real time. Microsoft recommends four steps for implementing strong identity: multi-factor authentication, policy-based access, identity protection and secure access to SaaS and on-premises apps. Multi-factor authentication is foundational to strong identity. “Condition-based access and controls such as MFA are important to prevent unauthorized access to corporate applications, services and data. MFA spamming has become more prevalent with increasing adoption of strong authentication. Azure AD offers a broad range of flexible authentication methods to meet the unique needs of your organization and helps keep your users protected.” - Balázs Maar, Microsoft Solutions Sales Manager.
Identity is one of the six foundational pillars of a Zero Trust framework, along with devices, applications, data, infrastructure and network. Identities, whether they represent people, services or Internet of Things (IoT) devices, define the Zero Trust control plane. Of the four recommended steps for implementing strong identity (multi-factor authentication, policy-based access, identity protection and secure access to SaaS and on-premises apps), policy-based access is a must because “With policy-based access we have near-real-time protection alongside a productivity-optimized user experience that omits all unnecessary or excessive security prompts and checks. That way, we all can focus on our work, knowing that we are protected” - Vitan Kostov, Noventiq’s Solution Sales Manager.
The growing number of devices used to access company data from different locations, and the mix of virtual, physical and hybrid tools, require a comprehensive approach to protection. Gain valuable insights into protecting your company’s most important assets and take the recommended actions from our article, which includes a hands-on webinar.
“Nowadays, when hybrid work has become natural in most enterprises, strong identity is essential for the balance between providing data and identity security while enabling a good employee work experience. Strong identity starts with the foundation elements, and as a next step advanced solutions like Cloud Access Security Broker (CASB) are necessary for strong security.” - said Nikolay Dinev, Regional Services Lead of Noventiq. Read our blog post about how to secure access to SaaS and on-premises apps to enable strong identity.