Securing your Azure Identity Infrastructure
Download as PPTX, PDF1 like439 views
The document provides an overview of securing identity infrastructure in Azure. It discusses five key steps: 1. Strengthening credentials by implementing strong authentication like multi-factor authentication and password policies. 2. Reducing the attack surface by blocking legacy authentication protocols and restricting access points. 3. Automating threat response with tools like Azure AD Identity Protection for automated risk detection and remediation. 4. Utilizing cloud intelligence by monitoring Azure AD logs, events, and health to detect anomalies and threats. 5. Enabling self-service options for users like self-service password reset and access reviews to balance security and productivity. The document provides examples and recommendations for each step and references
Securing your Azure Identity Infrastructure
- 1. Securing your Azure Identity infrastructure Vignesh Ganesan | MCSE ,MCSA , MCT & ITIL V3 Enterprise Cloud Architect & Technology Strategist https://www.linkedin.com/company/pdcconf @PDCConf https://www.facebook.com/pdcconf
- 2. Thank you to all our generous sponsors Supported by Powered by Organized by Sponsored by
- 3. Vignesh Ganesan Securing your Azure Identity infrastructure @cloudvignesh https://www.linkedin.com/in/vigne sh-ganesan-mcse-mcsa-mct-itilv3- 9246384a/ Powered By September 16th & 17th Online Event International Conference Speaker
- 4. What to expect from today’s session Strengthen your credentials Automate threat response Utilize cloud intelligence Enable end-user self-service Reduce your attack surface
- 5. About Me
- 6. Assumptions • Office 365 Administrator /Developer • Azure Administrator/Developer • Active Directory Administrator • Security Analyst • Cloud Security Architect • Cloud Solutions Architect • C-Suite
- 7. Azure Active Directory • Microsoft’s cloud-based identity and access management service • Azure AD provides access to both external and internal resources • Many similarities with Active Directory • Features include: • Multi-factor authentication • Single sign-on • Conditional Access • Multiple license options Azure AD Pricing : https://www.microsoft.com/en-in/security/business/identity-access- management/azure-ad-pricing?rtc=1
- 8. Comparison between Active Directory , Azure AD and Azure AD Domain Services Ref : https://www.ciraltos.com/active-directory-domain-service-azure-active-directory-and-azure-active- directory-domain-service-explained/
- 9. Open Standards { JSON } OData
- 10. 2,000,000+ active apps Azure Active Directory Cornerstone OnDemand Workplace by Facebook Canvas Concur Salesforce Clever SuccessFactors Google G Suite Workday ServiceNow World’s largest enterprise IDaaS service based on SaaS app user traffic. Request additional integrations at aka.ms/AzureADAppRequest
- 11. A complete IAM solution
- 12. Federation Server IDP Connector Provisioning Engine HR System(s) App Proxy Event Logs Sign-in provider MFA Server Directory Database(s)
- 13. IAM Today Authentication& Authorization Directory Management IdentityGovernance& Administration IdentityforIaaS (VMAccess Management) IdentityDeveloper Platform Customer IAM SingleSignon (SSO + Federation) Identity Governance RBAC Microsoft Identity Platform Azure AD B2C / B2B Multi-Factor Authentication HybridIdentity Passwordless Conditional Access Provisioning Microsoft Graph Identity Protection Secure HybridAccess Group Management Azure AD DS
- 14. Strengthen your credentials Reduce your attack surface Automate threat response Utilize cloud intelligence Enable end- user self- service Step 2 Step 1 Step 3 Step 4 Step 5 Ref : https://docs.microsoft.com/en-us/azure/security/fundamentals/steps-secure-identity Five steps to securing your identity infrastructure
- 15. 1. Strengthen your credentials Make sure your organization uses strong authentication Start banning commonly attacked passwords and turn off traditional complexity, and expiration rules. Protect against leaked credentials and add resilience against outages Implement Azure AD Smart lockout /AD FS extranet smart lockout Take advantage of intrinsically secure, easier to use credentials Most enterprise security breaches originate with an account compromised with one of a handful of methods such as password spray, breach replay, or phishing
- 16. Make sure your organization uses strong authentication Azure AD MFA Azure AD Security Defaults Azure AD MFA: https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworks Azure AD Security defaults : https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults
- 17. Start banning commonly attacked passwords and turn off traditional complexity, and expiration rules. Azure AD Password Protection Azure AD Password Protection for Active Directory Domain Services Custom banned password list Brand names Product names Locations, such as company headquarters Company-specific internal terms Abbreviations that have specific company meaning * Global and Custom banned password list
- 18. Design principles - Azure AD Password Protection for Active Directory Domain Services • Domain controllers (DCs) never have to communicate directly with the internet. • No new network ports are opened on DCs. • No AD DS schema changes are required. The software uses the existing AD DS container and serviceConnectionPoint schema objects. • No minimum AD DS domain or forest functional level (DFL/FFL) is required. • The software doesn't create or require accounts in the AD DS domains that it protects. • User clear-text passwords never leave the domain controller, either during password validation operations or at any other time. • The software isn't dependent on other Azure AD features. For example, Azure AD password hash sync (PHS) isn't related or required for Azure AD Password Protection. • Incremental deployment is supported, however the password policy is only enforced where the Domain Controller Agent (DC Agent) is installed. Ref : https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-password-ban-bad-on-premises
- 19. Protect against leaked credentials and add resilience against outages •The Users with leaked credentials report in the Azure AD management warns you of username and password pairs, which have been exposed on the "dark web." An incredible volume of passwords is leaked via phishing, malware, and password reuse on third-party sites that are later breached. Microsoft finds many of these leaked credentials and will tell you, in this report, if they match credentials in your organization – but only if you enable password hash sync or have cloud-only identities! •In the event of an on-premises outage (for example, in a ransomware attack) you can switch over to using cloud authentication using password hash sync. This backup authentication method will allow you to continue accessing apps configured for authentication with Azure Active Directory, including Microsoft 365. In this case, IT staff won't need to resort to personal email accounts to share data until the on-premises outage is resolved. Password hash synchronization is one of the sign-in methods used to accomplish hybrid identity. Azure AD Connect synchronizes a hash, of the hash, of a user's password from an on-premises Active Directory instance to a cloud-based Azure AD instance. Required for premium features such as Identity Protection and Azure AD Domain Services
- 20. Implement Azure AD smart lockout / AD FS extranet smart lockout Smart lockout helps lock out bad actors that try to guess your users' passwords or use brute-force methods to get in. Smart lockout can recognize sign-ins that come from valid users and treat them differently than ones of attackers and other unknown sources. Attackers get locked out, while your users continue to access their accounts and be productive. • AD FS in Windows Server 2012R2 Implement ADFS extranet lockout protection • AD FS in Windows Server 2016 Implement ADFS extranet smart lockout protection
- 21. Password-less with Windows 10 Hello Password-less authentication User-friendly experience Enterprise-grade security 47M enterprises have deployed Windows Hello for Business active Windows Hello users 6.5K Hello Melanie Take advantage of intrinsically secure, easier to use credentials
- 22. Demo
- 23. 2. Reduce your attack surface Given the pervasiveness of password compromise, minimizing the attack surface in your organization is critical. Eliminating use of older, less secure protocols, limiting access entry points, and exercising more significant control of administrative access to resources can help reduce the attack surface area. Block legacy authentication Block invalid authentication entry points Restrict user consent operations Implement Azure AD Privileged Identity Management
- 24. Block legacy authentication Legacy authentication apps authenticate on behalf of the user and prevent Azure AD from doing advanced security evaluations. The alternative, modern authentication, will reduce your security risk, because it supports multi-factor authentication and Conditional Access. Apps using legacy authentication are POP3, IMAP4, or SMTP clients 1.Block legacy authentication if you use AD FS. 2.Setup SharePoint Online and Exchange Online to use modern authentication. 3.If you have Azure AD Premium, use Conditional Access policies to block legacy authentication, otherwise use Azure AD Security Defaults.
- 25. Corporate Network Geo-location Microsoft Cloud App Security MacOS Android iOS Windows Windows Defender ATP Client apps Browser apps Google ID MSA Azure AD ADFS Require MFA Allow/block access Block legacy authentication Force password reset ****** Limited access Controls Employee & Partner Users and Roles Trusted & Compliant Devices Physical & Virtual Location Client apps & Auth Method Conditions Machine learning Policies Real time Evaluation Engine Session Risk 3 40TB Effective policy Block invalid authentication entry points
- 26. Commonly applied CA policies • Requiring multi-factor authentication for users with administrative roles • Requiring multi-factor authentication for Azure management tasks • Blocking sign-ins for users attempting to use legacy authentication protocols • Requiring trusted locations for Azure AD Multi- Factor Authentication registration • Blocking or granting access from specific locations • Blocking risky sign-in behaviors • Requiring organization-managed devices for specific applications Ref : https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access- policy-common
- 27. Restrict user consent operations
- 28. Implement Azure AD Privileged Identity Management
- 29. Demo
- 30. 3. Automate threat response Azure Active Directory has many capabilities that automatically intercept attacks, to remove the latency between detection and response. You can reduce the costs and risks, when you reduce the time criminals use to embed themselves into your environment Implement user risk security policy using Azure AD Identity Protection Implement sign-in risk policy using Azure AD Identity Protection
- 31. Implement user risk security policy using Azure AD Identity Protection Identity Protection is a tool that allows organizations to accomplish three key tasks: Automate the detection and remediation of identity-based risks. Investigate risks using data in the portal. Export risk detection data to your SIEM. Type of Risks which Identity Protection can detect •Anonymous IP address use •Atypical travel •Malware linked IP address •Unfamiliar sign-in properties •Leaked credentials •Password spray •and more...
- 32. Implement sign-in risk policy using Azure AD Identity Protection
- 33. Azure AD Identity protection policies Ref : https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-policies
- 34. Demo
- 35. 4. Utilize cloud intelligence Auditing and logging of security-related events and related alerts are essential components of an efficient protection strategy. Security logs and reports provide you with an electronic record of suspicious activities and help you detect patterns that may indicate attempted or successful external penetration of the network, and internal attacks. Monitor Azure AD Monitor Azure AD Connect Health in hybrid environments Monitor Azure AD Identity Protection events Audit apps and consented permissions
- 36. • Application sign-in Success/Failure • User display name and UPN • Session conditions: location, IP, Date/Time • MFA info: Required, Method, Result • Client conditions: Device ID, browser, OS • Conditional Access: Policy, Controls, Result • Correlation ID! • Latency is 2 to 5 mins Monitor Azure AD -Azure AD Sign-in Logs
- 37. • Actions performed that change the state of a resource, e.g. • Password Reset • Privileged Identity Management (PIM) Elevations • Terms of Use Acceptance • B2B Redemptions • SaaS App Configuration/Provisioning • Latency is 2 to 5 mins Monitor Azure AD – Azure AD Audit Logs
- 38. • Users flagged for risk • High, Medium, Low • Risk events/Risky sign-ins • leaked credentials, anonymous IPs, • impossible travel, unfamiliar locations • Vulnerabilities • Users without MFA, Unused Admin Privileges Monitor Azure AD – Azure AD Security Logs
- 39. • Global Administrator • Global Reader • Security Administrator • Security Reader • Reports Reader • Application Admin • No difference in data scope between roles • Users can access their own sign-in logs Who can access logs in Azure AD
- 40. Monitor Azure AD Connect Health in hybrid environments Azure Active Directory (Azure AD) Connect Health provides robust monitoring of your on-premises identity infrastructure. It enables you to maintain a reliable connection to Microsoft 365 and Microsoft Online Services. This reliability is achieved by providing monitoring capabilities for your key identity components. Also, it makes the key data points about these components easily accessible.
- 41. Monitor Azure AD Identity Protection events • Azure AD Identity Protection is a notification, monitoring and reporting tool you can use to detect potential vulnerabilities affecting your organization's identities. It detects risk detections, such as leaked credentials, impossible travel, and sign-ins from infected devices, anonymous IP addresses, IP addresses associated with the suspicious activity, and unknown locations. • Enable notification alerts to receive email of users at risk and/or a weekly digest email.
- 42. Audit apps and consented permissions Illicit consent grant attack in Microsoft 365 : https://docs.microsoft.com/en-us/microsoft-365/security/office-365- security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide#what-is-the-illicit-consent-grant-attack-in- microsoft-365
- 43. Demo
- 44. 5. Enable end-user self-service As much as possible you'll want to balance security with productivity. Along the same lines of approaching your journey with the mindset that you're setting a foundation for security in the long run, you can remove friction from your organization by empowering your users while remaining vigilant. Implement self-service password reset Implement self-service group and application access Implement Azure AD access reviews
- 45. SSPR Solution Architecture Implement self-service password reset
- 46. Implement self-service group and application access
- 47. Implement Azure AD access reviews • Provide oversight for which users have access to what resources • Prompts users to ensure their access is limited to the resources they need • Applies to employees and guest users
- 48. Demo
- 49. References: • Azure AD Licensing : https://www.microsoft.com/en-in/security/business/identity-access-management/azure-ad-pricing?rtc=1 • MFA : https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-azure-mfa • Security defaults : https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults • Password protection : https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-password-ban-bad • Azure AD Password protection for ADDS: https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-password-ban-bad-on-premises • Authentication methods for Azure AD : https://docs.microsoft.com/en-us/azure/active-directory/hybrid/choose-ad-authn • Implement password hash synchronization with Azure AD connect sync : https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect- password-hash-synchronization • Azure AD Smart lockout : https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-password-smart-lockout • ADFS Extranet Lockout Protection : https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-extranet-soft-lockout-protection • Windows Hello for Business overview : https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-overview • Conditional Access overview : What is Conditional Access in Azure Active Directory? | Microsoft Docs • Conditional Access : Block legacy authentication : https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy- block-legacy • PIM : https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure • Azure AD Identity protection policies : https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-policies • Audit logs in Azure AD : https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-audit-logs • Illicit consent grant attack in Microsoft 365 : https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent- grants?view=o365-worldwide#what-is-the-illicit-consent-grant-attack-in-microsoft-365 • Azure AD SSPR : https://docs.microsoft.com/en-us/azure/active-directory/authentication/tutorial-enable-sspr • Self-service group management in Azure AD : https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-self-service-management • Azure AD entitlement management : https://docs.microsoft.com/en-us/azure/active-directory/governance/entitlement-management-overview • Azure AD Access reviews : https://docs.microsoft.com/en-us/azure/active-directory/governance/access-reviews-overview
- 50. Thank you!