How to Deploy Zero Trust Identity Security
This is the second article in the Zero Trust Security in Microsoft 365 series. Here you will gain an understanding of the strategies to deploy Zero Trust Identity Security.
Managing identity will always be at the forefront of this security model. Environments with proper identity policies are better placed to handle attempts at gaining access to their account credentials. The Zero Trust principles of verifying explicitly, providing least privileges to accounts and assuming breaches is applied to all types of access requests originating from user accounts, applications, devices and services.
Establish your identity foundation with Azure AD
Several environments still use on-premises solutions to decide whether an access request is approved or rejected. However, you must consider routing the role of policy decision-making to Azure AD, so that you can impose the Zero Trust principles of explicit verification, controlled privilege access, and assumption of breaches. This means placing Azure AD in the path of every access request.
Azure AD Connect
In order to achieve this, you must use the Azure AD Connect tool to sync on-premises users to Azure AD. This tool is capable of filtering users; hence, you can also exclude unwanted items from syncing to the cloud.
Passwords Haven’t Disappeared Yet
123456. Qwerty. Iloveyou. No, these are not exercises for people who are brand new to typing. Shockingly, they are among the most common passwords that end users choose in 2021. Research has found that the average business user must manually type out, or copy/paste, the credentials to 154 websites per month. We repeatedly got one question that surprised us: “Why would I ever trust a third party with control of my network?
Choosing the right authentication methods is a vital step. Microsoft provides you with the following methods:
- Cloud Authentication: Here the responsibility of authentication is borne by Azure AD. You can deploy this type of authentication using 2 options:
- Password Hash Synchronization – When coupled with seamless SSO, on-premise credentials can be used by the users in cloud.
- Pass-Through Authentication – A software agent needs to be installed on the on-premises servers. Its suitable when on-premises user sign-in hours and password policies need to be used in the cloud.
- Federated Authentication – The authentication will happen in on-premises via ADFS.
This graph here shows the factors that would influence your decision. For more information please refer to this article.
Integrate all your applications with Azure AD
All the applications must authenticate via Azure AD. Single Sign-On must be used, so that users can sign in to all the applications seamlessly. Application using OAuth 2.0 and SAML frameworks can authenticate in Azure AD using SSO. Azure AD Application Proxy must be used to bring form-based and Kerberos applications under Azure AD. You can also migrate existing Identity Management solutions to Azure using the Microsoft tools mentioned here.
Apart from using passwords, Azure AD Multifactor Authentication adds another layer of protection. You can force users to use SMS, calls, authenticator app, or even go passwordless. The various means to do this are displayed here with the level of safety for each.
Passwordless authentication is by far the safest. Azure AD MFA can be deployed by creating conditional access(CA) policies. When these conditions are met, users would be required to authenticate using MFA. You can use several criteria in CA policies like group membership, location, IP address, device type, application being accesses, among others.
Block Legacy Authentication
Legacy authentication protocols like POP3, IMAP4, EAS, Outlook Anywhere, EWA, and others pose a security risk. Hence these must be disabled in your tenant. Again you can create a CA policy to achieve this.
Conditional Access policies
As seen in the previous section, CA policies play a crucial role in deploying the Zero Trust Identity Security model. You can control access to resources bases on several criteria.
Apart from enabling MFA using CA policies, you can also block sign-ins from risky users.
Enable Azure AD Hybrid Join or Azure AD Join
Several environments use on-premises AD to manage user devices. If you wish to move to cloud-based device access policies, then you must enable Azure AD Hybrid Join. In this setup, devices can join on-premises AD and be registered in Azure AD. Such devices can use SSO to access both cloud and on-premises resources.
Enable Microsoft Intune
Mobile devices must be managed so that only valid devices are allowed to access your organization’s resources. This is where Intune comes in handy. The Microsoft Endpoint Manager (EMS) must be used on mobiles, laptops, and tablets. It provides you with an inventory of the devices and their current status. You can also check individual device status under ‘All Devices’.
You can configure compliance polices via this portal. Microsoft does provide a few baseline policies which can be further customized.
Use Azure AD Privileged Identity Management (PIM)
Admin roles in cloud-like Global admin, Security Admin, Exchange Admin, and other roles are all high privilege access roles. Hence, it’s important to control how these roles are used. One of the tenets of the Zero Trust Security model is to provide just-in-time access to such Admin roles. Azure AD PIM is a tool that will help you to achieve this goal.
Following are the key points in Azure AD PIM:
- Whenever users need elevated admin roles, they must activate that role using PIM.
- Users need to authenticate themselves via MFA.
- A reason must be provided for the admin role request.
- Users would have to choose the duration for which they need the role.
This feature requires Azure AD Premium P2 or EMS E5 licenses.
Deploy Passwordless Authentication
Deploying passwordless authentication is a vital step in the journey towards safeguarding your users from attacks. Passwordless authentication methods:
Windows Hello for Business – This is best suited for users with dedicated Windows machines. Here a biometric or a PIN are tied to the machine. Biometric sign-ins include facial and fingerprint recognition. More details are available here. Microsoft Authenticator App – This app uses the user’s iOS or Android phone for passwordless authentication. It provides users with a notification on their phones while signing into any platform or browser. And they can sign in using a biometric method or using a PIN.
FIDO2 security keys – Fast Identity Online(FIDO) is termed as an unphishable way of authentication by Microsoft. This involves users signing in through physical USB sticks or Bluetooth. Users need to register and then select FIDO2 Security Key as the method of authentication. This method can be used on Azure AD or Hybrid Azure AD joined Windows machines.
Use better Identity Protection strategies
The Azure AD portal has the Identity Protection page where you can get a bird’s eye view of several security aspects of your tenant. This page will show you the risky user, risky sign-ins, high and medium risk users, and also unprotected risky sign-ins. These reports would help you to extract a list of users who are at risk and then you can take actions like:
- Reset the user password
- Confirm user compromise
- Dismiss user risk
- Block users from signing in
- Investigate further using Azure ATP
The main principles of Identity Protection are:
- Detecting Risks and Remediation: Several types of risks can be configured to be detected like Leaked Credentials, Anonymous IP addresses, Atypical travel, among others.
- Risk Investigation: It’s essential to regularly review risky users, risky sign-ins and risk detections reports.
- Exporting Risk Data: You can export information from Identity Protection using Graph API for further investigation to other tools.
Enable Microsoft Cloud App Security(MCAS) Integration with Azure Information Protection(AIP)
You can apply classification labels automatically to files by integrating MCAS with AIP. With MCAS you can view all the files in one location, investigate events according to classification levels and also create policies to manage file. You can perform this integration from the MCAS portal under settings.
You can label files automatically, control how files are shared, and also apply labels directly to files using policies in MCAS.
Enable restricted sessions for use in access decisions
Access to SharePoint and exchange online from unmanaged devices must be blocked. Following is a screenshot of the setting from the SharePoint admin center to block access from unmanaged devices.
You can also ‘allow limited web-only access’ for such unmanaged devices. At the same time, you must also block access from devices not using modern authentication. This setting is found on the same page. Access to Outlook on the web from unmanaged devices can be blocked using CA policies.
Under session, you must select ‘use app enforced restrictions. This will force Azure AD to provide device information to Sharepoint Online and Exchange Online. This helps them to block access to unmanaged devices.
Use Microsoft Defender ATP
Microsoft Defender ATP checks the health of windows devices and reports of any anomalies or compromised. It involves discovery and remediation of risks, AIR, secure score for devices. It provides a centralized configuration and can be integrated with other solutions like MCAS, Azure Sentinel, Intune, Microsoft Defender for Identity and Office 365. You may refer this link for more information.
Zero Trust Identity Security is an amalgamation of all the security features in use in the identity area. However, with this security model, Microsoft has defined all the components that ensure that the overall identity security of the environment is enhanced. The ‘Zero Trust’ security approach is to verify everything and to trust none, and you can take advantage of that approach by deploying zero trust in the identity sphere of your infrastructure. Next week we shall see how Zero Trust EndPoint Security can be deployed in your environment.