Identity has, by and large, remained fairly static over the past two decades. The concepts of “usernames” and “passwords” have aged (not gracefully, as the headlines reveal) but are still in use by most organizations. Here at New Signature, we’ve championed the use of “passphrases” (e.g. “I went to dinner, with style!”) over the past several years, as well as the use of modern devices to prevent security compromises.

Yet for many organizations, the trade-offs in the complex balance between availability and confidentiality (two of the three legs of the CIA triad of security, the third being integrity) have been difficult to handle. Take a classic example: account lockout. Originally conceived as a way to stop malicious actors from guessing passwords by brute force, our guidance (and Microsoft’s) has shifted over the past ten years as denial-of-service attacks via deliberate lockout have become more prevalent: an attacker who simply wants to cause harm needs only to submit a few wrong passwords against every account to lock the whole organization out. Such a lockout DoS is at least as harmful as any attempt to guess a sufficiently complex passphrase, which in turn supports our guidance to always use passphrases rather than passwords.

Still, if lockouts aren’t a viable solution, what tools does the security professional have to increase availability while maintaining confidentiality and integrity? Enter Azure AD Premium: this cloud service, available to customers running Azure Active Directory as their identity platform, goes far beyond what on-premises solutions can do to detect and respond to identity threats.

Take the malicious actor example from earlier. In the on-premises world, detecting these bad actors typically means either combing domain controller security logs by hand or installing complex, highly expensive intrusion detection systems at the firewall level of an organization. Worst of all, these systems have no intelligence about when staff roam from one site to another, no ability to “learn” that a staff member works from a vacation house or a branch office in a distant city, and no knowhow to say “there’s no possible way they could travel from the US to the UK in two hours”.

With Azure AD Premium, instead of relying on lockouts, customers can keep their own identity solution (based on on-premises Active Directory) or use Azure Active Directory as the system of record. Once implemented in either a synchronization or federation model, the reporting functions within Azure AD Premium open up a wealth of scenarios for midmarket customers that previously only large enterprises had access to. Some of those include:

  1. Brute-force attack reporting (sign-ins after multiple failures)
  2. Sign-ins from “suspicious” IP ranges
  3. Irregular sign-ins (from people travelling to locations they don’t often visit)
  4. Sign-ins from anonymous IP addresses (attackers hiding their originating IP to prevent tracing)
  5. Anomalous sign-ins (from people whose accounts may be compromised)

This isn’t the full list, but it’s easy to see the picture. A good security analyst could comb these reports each day, or even once a week, and get a better risk picture than was previously available. Combine this capability with multi-factor authentication (especially for admin accounts) and least-privilege, role-based administration (role-based access control, and for PowerShell the “just enough administration” or JEA model), and even the largest, most heterogeneous organization can become best-in-class when it comes to security threats.
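To make the reporting concrete, here is the kind of logic an analyst would apply to two of the scenarios above: “sign-ins after multiple failures” (brute force) and the “US to the UK in two hours” case (impossible travel). This is an example added to this post, not code from Azure AD or from Microsoft; the sign-in records, the 900 km/h airliner-speed threshold and the 50 km geolocation tolerance are all assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Constructed sample sign-in events, in the shape an analyst might export from
# a sign-in report: (UTC timestamp, user, succeeded, source IP, (lat, lon) of the IP).
# These are made-up records, not output of any real Azure AD report.
SIGN_INS = [
    ("2015-03-02T08:00:00", "jdoe",   True,  "203.0.113.10", (47.6, -122.3)),  # Seattle
    ("2015-03-02T09:30:00", "jdoe",   True,  "198.51.100.7", (51.5,   -0.1)),  # London, 90 min later
    ("2015-03-02T08:01:00", "asmith", False, "192.0.2.44",   (40.7,  -74.0)),
    ("2015-03-02T08:02:00", "asmith", False, "192.0.2.44",   (40.7,  -74.0)),
    ("2015-03-02T08:03:00", "asmith", False, "192.0.2.44",   (40.7,  -74.0)),
    ("2015-03-02T08:04:00", "asmith", False, "192.0.2.44",   (40.7,  -74.0)),
    ("2015-03-02T08:05:00", "asmith", False, "192.0.2.44",   (40.7,  -74.0)),
    ("2015-03-02T08:06:00", "asmith", True,  "192.0.2.44",   (40.7,  -74.0)),  # success after 5 failures
    ("2015-03-02T10:00:00", "bchen",  False, "203.0.113.55", (37.8, -122.4)),
    ("2015-03-02T10:01:00", "bchen",  True,  "203.0.113.55", (37.8, -122.4)),  # one typo, then success
    ("2015-03-02T12:00:00", "bchen",  True,  "203.0.113.56", (37.8, -122.4)),  # same city, later
]

EARTH_RADIUS_KM = 6371.0


def parse(events):
    """Turn the raw tuples into dicts with real datetimes, oldest first."""
    parsed = [
        {"ts": datetime.fromisoformat(ts), "user": user, "ok": ok, "ip": ip, "geo": geo}
        for ts, user, ok, ip, geo in events
    ]
    return sorted(parsed, key=lambda e: e["ts"])


def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points given in degrees."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(h))


def impossible_travel(events, max_speed_kmh=900.0, min_distance_km=50.0):
    """Flag consecutive successful sign-ins by one user that would require
    travelling faster than max_speed_kmh (assumed: roughly airliner speed).
    min_distance_km absorbs IP-geolocation noise: two sign-ins from the same
    metro area a minute apart are not 'travel'."""
    last_ok = {}
    findings = []
    for e in parse(events):
        if not e["ok"]:
            continue
        prev = last_ok.get(e["user"])
        if prev is not None:
            dist = haversine_km(prev["geo"], e["geo"])
            hours = (e["ts"] - prev["ts"]).total_seconds() / 3600
            # Zero elapsed time with a real distance means infinite speed: flag it too.
            speed = dist / hours if hours > 0 else float("inf")
            if dist >= min_distance_km and speed > max_speed_kmh:
                findings.append({"user": e["user"], "from_ip": prev["ip"], "to_ip": e["ip"],
                                 "km": round(dist), "hours": round(hours, 2), "kmh": speed})
        last_ok[e["user"]] = e
    return findings


def sign_ins_after_failures(events, threshold=5, window=timedelta(minutes=30)):
    """Flag a successful sign-in preceded by at least `threshold` failures for
    the same account inside `window`: the 'sign-ins after multiple failures'
    pattern. This is detection only; nothing here locks the account, so an
    attacker feeding failures cannot deny the real user service."""
    recent_failures = defaultdict(list)
    findings = []
    for e in parse(events):
        bucket = recent_failures[e["user"]]
        # Forget failures that have aged out of the window.
        bucket[:] = [f for f in bucket if e["ts"] - f["ts"] <= window]
        if e["ok"]:
            if len(bucket) >= threshold:
                findings.append({"user": e["user"], "failures": len(bucket),
                                 "ips": sorted({f["ip"] for f in bucket}),
                                 "at": e["ts"].isoformat()})
            bucket.clear()
        else:
            bucket.append(e)
    return findings


if __name__ == "__main__":
    for f in impossible_travel(SIGN_INS):
        print("impossible travel:", f)
    for f in sign_ins_after_failures(SIGN_INS):
        print("sign-in after failures:", f)
```

Run as-is, the script flags jdoe (Seattle to London, about 7,700 km, in 90 minutes) and asmith (five failures in five minutes, then success), while bchen’s single typo and same-city sign-ins stay quiet. Both detections are written to raise findings rather than to lock anything, which is exactly the availability trade-off discussed above: the analyst gets the signal without handing an attacker a denial-of-service lever.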

To remediate a flagged event, administrators have one-click access to resetting the user’s password, managing multi-factor authentication and, of course, dismissing events that turn out to be false positives.

Is your organization this secure? Do you want to head off risks before they cause business stoppages? Azure AD Premium is only part of a complete security breakfast: to get full control over devices, data and applications you’ll want to layer on Intune and Azure Rights Management, or get all three at a discounted price in the Microsoft Enterprise Mobility Suite. We’ll cover those capabilities in future posts. For now, come chat with us at New Signature to see how Azure Active Directory Premium can help keep your identity solution secure.