Fences, guard dogs, Zero Trust and Active Directory security

 
The Zero Trust model introduces a fundamental shift to an organization’s security strategy. From the outset, a Zero Trust model assumes that attackers will get in rather than solely focusing on keeping attackers at bay outside of a perimeter. Don’t get me wrong, a fence around your digital resources is still a valid security tactic but by itself doesn’t stand a chance against modern threats. A loud and suspicious modern day guard dog is what is needed today. The key function of Zero Trust is to continuously authenticate identities. Any time a user – human or machine – requests access or modifies data, its permissions and identity must be verified. The theory is even if an invader is successful getting through the perimeter security, they still will not have open access to resources. ‘Never trust, always verify’ is the Zero Trust mantra. It highlights that key difference from a traditional cybersecurity approach.

While Active Directory is a fundamental part of many organizations’ IT infrastructure, its native functionality is rooted in a much simpler time when ‘trust but verify’ was good enough. Not so much anymore with an ever-changing and increasingly sinister cybersecurity landscape, as well as the need to monitor for internal threats. However, Zero Trust can be implemented a few ways within Active Directory (AD). There are still steps that organizations can take to bring Zero Trust to AD.

Pain points - Four reasons why Zero Trust is top of mind

So, what are the security pain points bringing Zero Trust to the forefront, and what are best practices that organizations can use to enhance Active Directory security? To discuss these pain points and associated best practices that can alleviate them, we have created a limited podcast series: Better Together - Zero Trust and Azure AD/AD Cybersecurity Strategies hosted by Microsoft and One Identity.

In the first episode of the Better Together podcast series, One Identity President and General Manager, Bhagwat Swaroop, and Microsoft CTO of Global Partner Solutions, David Totten, sat down and discussed why Zero Trust is a focus for organizations moving forward.

1. Mass migration to the cloud
   

   “Some of us in IT have been waiting for decades to move to the cloud,” said Swaroop. “I remember a time where it would always be next year is the adoption of the cloud. But what we went through in the last two years resulted in is a very quick migration to the cloud with distributed identities, distributed application rights and entitlements.”

2. Identity sprawl
   

   “So, we have this notion of what we call identity sprawl,” said Swaroop. “It means an increase in number of identities. You have human identities, machine identities and application identities. If you layer in the notion of a metaverse, then you have digital identities that have rights to conduct a certain set of functions including ecommerce.”
   With potentially thousands or hundreds of thousands of identities within an organization, it makes sense that the importance of identity security is increasing.

3. The reach of identity access rights
   

   This is the notion that everything is in the cloud, and applications are available everywhere. It also means identity access rights are everywhere as well. Identity sprawl by itself is not a bad thing. However, if an organization’s security model is not built to defend and protect those identities, it can make the problem worse. Often organizations have solutions for endpoints, but they are often very siloed. Siloed access rights and siloed access-management solutions.
   
   “We’ve seen large organizations with 25 different solutions trying to manage aspects of identity, access and entitlements. And that can make things worse,” said Swaroop. “When you don’t have full visibility it’s hard to protect the full picture.”

4. Increase of entry points
   

   The explosion in the number of devices, access points, bandwidth, technology improvements, paired with an ever-increasing amount of data, significantly increases the threat vector radius. “We want everyone to have access to their information, wherever they are,” said Microsoft’s Totten. “Over the last few years, people working remotely, people working from home, people working from different offices, whether it’s partners, customers, distributors, we want everyone to have more access to their information. However, what that does is it increases that threat vector ratio. In the context of a security posture, let’s make sure people get access to that data from wherever they are, but that obviously introduces complexity with the security model.”

Each of these pain points brings Zero Trust to the forefront and ignites conversations around how to better secure Active Directory instances. In episode 2 of our podcast series, Dan Conrad, Active Directory Security and Management Team Lead at One Identity, shared four ways to enhance Active Directory security.

How to Enhance Active Directory Security

1. Do not trust passwords alone
   

   Strong passwords are great. However, the best thing you can do is never reuse one. Across applications, email addresses are usernames on a lot of systems. If you have reused passwords as well, theoretically if you have an email-based username and password, you could probably get into that person’s bank account. A better option is to use a multi-factor authentication solution that integrates with Active Directory and requires an additional method of verification.

2. Do not trust admin accounts
   

   If you review many recent breaches, often a common factor is privilege escalation. These types of breaches are effective because all of these systems, servers, workstations, applications are joined to Active Directory, including privileged user accounts. This means a threat actor that has a compromised privileged credential can use the SSO functionality to own everything in an organization. But if you have control of privileged credentials, it is a big step in securing Active Directory and other systems. Part of this is that when an admin account requires elevated privileges, they can get just-in-time access, where the access rights are temporarily granted, and then those rights are cut off as soon as they are no longer needed – meaning as soon as a task is completed, or a session expires.

3. Do not automatically authenticate an on-prem AD user with Azure AD
   

   Usability and functionality are key goals to enable user productivity without compromising security. With Zero Trust, the policy is to never trust, always verify. Users should be re-authenticated each time they need access to a critical resource, including if they move from an on-prem/AD-controlled resource to an Azure AD-managed resource. This move is another opportunity to verify and be sure the user is who they say they are and that they have authorization to access the target resources. With most organizations operating with hybrid environments, this is a critical cybersecurity function.

4. Monitor all access to sensitive data
   

   Instead of only requesting a password to access sensitive data, users could be granted a session after a multifactor authentication process is successfully completed. Then, on the backend, the session can be monitored for abnormal activities, and recorded for forensic investigations and compliance considerations. For example, if an admin were to log onto a session and hand a keyboard to someone else, it will not be a secret as this session is being monitored to note key patterns, mouse movements, time, IP address, which systems are being accessed and what commands are being run. If any characteristic or behavior varies from the user’s baseline profile, the session can be limited or shut down immediately. This offers an incredible layer of protection and visibility into who has access to what, when and how.

As we said at the beginning, Zero Trust is a fundamental shift from a traditional perimeter-based security model. Fences are valuable security tactics, but a watchful, ever-suspicious and loud guard dog patrolling inside the fence is what modern threats require. We’ve mentioned just a few of the topics covered by our Better Together podcast series. Go to the podcast page to view all the episodes at your convenience. Learn how you can overcome your cybersecurity pain points to make the shift to a Zero Trust security model via your Active Directory infrastructure. As the current landscape continues to shift, taking steps to fortify your organization’s security posture will pay dividends.