For businesses operating in a post-pandemic climate, embracing hybrid identity makes a lot of sense.
The once normal rigid office-based business model has been replaced by more flexible remote work policies. Organisations today are adopting a hybrid IT infrastructure featuring both on-premises and cloud-based applications.
Indeed, these hybrid models provide the best of both worlds. Hybrid systems leverage years of data, knowledge and expertise embedded into the on-prem environment. They then extend that legacy framework to embrace a gradual implementation of innovative solutions.
In this sense, an organisation can link new tech into an existing environment without making any binary decisions.
It’s also no secret that Microsoft is placing its efforts into the cloud right now. The Microsoft Teams service has been the biggest driver of that in recent times, stepping in as a logical and attractive proposition when the world was plunged into lockdown.
If companies hadn’t already thought about going hybrid, the pandemic – and capabilities of Microsoft Teams – really accelerated this.
The benefits of hybrid identity are clear, from convenience and ease of access via single sign-on to boosted productivity. However, from a security perspective, the hybrid identity architecture upon which it is often built poses significant risks.
The vast majority of such architectures are based on Microsoft Azure Active Directory (AAD). It is a platform entirely different from that of the familiar on-premises Active Directory in everything but name.
In this article, we’ll analyse the vulnerabilities of AAD and consider the key risks to watch out for when adopting hybrid identity management.
Overhauled authentication
As is common best practice with IT, any major changes should be considered with extreme caution.
Most office-based organisations have almost exclusively been working with a one-way identity management for decades.
Therefore, shifting this to hybrid identity – and incorporating AAD – is by no means an easy adjustment to make.
It’s an easy trap to fall into, but AAD is not the same as securing Active Directory (AD). The latter is used for managing infrastructure and applications on-premises. The former manages user access to cloud applications like Office 365 and non-Microsoft SaaS applications such as Salesforce.
The two operate in entirely different ways. If and when you choose to incorporate AAD, it will alter much of your IT and security posture.
To implement AAD effectively and safely, many new concepts need to be fully understood to keep systems secure. As an example, consider which is better: keeping AD and AAD separate or merging them using Azure AD Connect?
The new perimeter
Indeed, it is hard to argue that the pandemic didn’t single-handedly inspire the digital transformation strategies of many companies.
In numerous instances, this shift was simply necessary, an extreme case of ‘adapt or die’. Yet, cloud-based transformation has delivered many positives. These include optimising business efficiencies, improving employee productivity and providing a host of other benefits. However, as digital footprints continue to expand, the risk of harm to companies, employees and customers grows.
Organisations are continuing to divert operations into the cloud. As they adopt an increasing number of SaaS solutions, their network perimeter becomes harder to defend. The attraction of Azure is that existing services can be linked to it. Yet, each of these adds a new convoluted set of entry points.
With operations housed directly within the internet, cybercriminals have more opportunities to bypass network security. This is due to the increased number of entry points and exposed vulnerabilities.
For IT professionals that have only ever known on-prem AD, guarding this boundless perimeter is a significant shift. However, it is one that is necessary within a hybrid model as organisations must now prepare for and guard against a much wider array of threats.
Changing the permissions model
The concept of the perimeter is not the only difference between on-premises AD and Azure AD. Equally, the permissions model in AAD is completely different.
In the same way that a network perimeter is more easily defensible, permissions can be controlled with relative ease on-prem, with easily implementable audit trails and well-defined entry points. However, adding the cloud into the mix exposes your organisation to the wider internet, opening doors to attackers.
By its very nature, the cloud is open. And while this model has many benefits, it poses a challenge from a security perspective. When managing permissions in a hybrid environment, administrators need to be aware that initial access connections can come from anywhere, not just within the perimeter. It significantly exacerbates risk.
Equally, access is typically given via roles. From administrator to guest, Microsoft offers a large number – including custom roles. Unfortunately, the capabilities that each role offers aren’t particularly well defined.
Azure services have unique permission models
As well as roles, each Azure service has its own unique permission models that need to be managed. For example, managing Teams is different from Stream or Flow or Azure Storage accounts etc. The way those roles interact with these services is complex. But this creates a complicated, unclear and tiresome task that many organisations simply don’t have the time, know-how or energy to deal with.
A lack of understanding of the permissions leads to people being given roles that provide more access than they need. It increases the risk of a breach. Indeed, allowing elevated privileges to go unchecked can result in a series of privileged users – the holy grail for attackers.
Let’s once again consider Microsoft Teams. Adding a guest may seem like a low-risk setting. However, doing so without consideration for security and proper configurations can mean the new user has access to the organisation’s files stored in a team on Sharepoint, owing to its integration with Microsoft Teams. Access to SharePoint could allow the user to move laterally through the organisation, seeking additional elevated privileges.
Evaluating the risks
Microsoft itself is fully aware of the risks to businesses associated with AAD. In September 2020, the firm removed 18 apps from the Azure portal that were used by Chinese state-sponsored hackers Gadolinium (also known as Leviathan, or APT40). Since then, Microsoft has continually offered educational materials to raise awareness of the security challenges.
However, despite such efforts, many organisations remain oblivious to the adverse impacts of hybrid identity adoption. And attackers have responded, as you might expect.
In September 2020, Mandiant noted that they had seen a rise in phishing emails involving Microsoft 365 and Azure Active Directory. These aimed to trick victims into giving away their Office 365 credentials.
A PowerShell module called AAD Internals was also observed. It is used by hackers to create backdoors through which passwords and other key information could be extracted. And as more and more companies embed their operations in a hybrid environment, the opportunities for attackers will grow, and such threats are only expected to become more prevalent.
Adopting hybrid identity securely
The crux of the problem stems from a simple lack of awareness.
The mammoth number of security capabilities in Azure make it hard to understand fully. Microsoft has tried to simplify it through applications like SecureScore. However, there is no getting away from the fact that organisations adopting AAD are moving from a defined AD environment where it’s easy to have a good degree of control, to an undefined one that is changing all the time.
The positive side of this is that Azure is getting more and more secure. Security updates are being rolled out both increasingly quickly and more broadly. But AAD, at its heart, is a more vulnerable environment.
Organisations must take the necessary steps to manage their security better when adopting hybrid identity and tapping into AAD.
A security-first approach is essential
The start point is a fully conscious security-first mindset. Without this, organisations are unlikely to account for the changes in the risk environment that can provide ample opportunities for hackers to capitalise on new points of exposure.
Accept that AD and AAD are completely different. This can make it difficult to know where to start or what steps are needed.
SecureScore will also provide a quick understanding of the environment. It’s not perfect, but it will define all the security settings and help to give a sense of how secure your environment is. From here, administrators can dig deeper to enhance security or gain an understanding of what they might need to look for from third parties to achieve effective protection.
Native or third-party tools are available that can reduce the complexity of security and lower security risk, both during and after the rollout of your hybrid environment. And for many organisations, this will be the easiest, simplest solution.
To read more articles of this nature, Semperis’ Active Directory Security Halftime Report, available at https://pages.semperis.com/2021-ad-security-halftime-report/ will be updated on a periodic basis to serve as a timely, concise index of resources for organisations that have prioritised hardening their Active Directory and Azure Active Directory defences against escalating cyberattacks.
For more on the topic of securing Active Directory, Dan Bowdrey is speaking at the upcoming International Cybersecurity Expo at 10.30am on 29 September 2021 in the Product Innovation Theatre on ‘Would your organisation fail the Active Directory security assessment?’
For security teams charged with defending hybrid and multi-cloud environments, Semperis ensures integrity and availability of critical enterprise directory services at every step in the cyber kill chain and cuts recovery time by 90%. Purpose-built for securing Active Directory, Semperis’ patented technology protects over 40 million identities from cyberattacks, data breaches, and operational errors. The world’s leading organisations trust Semperis to spot directory vulnerabilities, intercept cyberattacks in progress, and quickly recover from ransomware and other data integrity emergencies. Semperis is headquartered in New Jersey and operates internationally, with its research and development team distributed between San Francisco and Tel Aviv.
