Published: 4th July 2023 | In: Insights
With the explosion in remote access and cloud-powered applications over the last few years, identity has quickly become the new security perimeter. Every request for access, authorisation, permission, or privilege has an identity at the heart of it. In most cases, the very first interaction you have with a new workplace is being provisioned with your organisational identity – often in the form of your email address. Attackers will always try to exploit existing access to a company’s resources instead of finding a new route in, and that means your organisational identity is at risk. The convenience and functionality that cloud identities provide needs to be balanced with modern security measures to ensure that your identity stays yours and yours alone. This article will cover some of the tools and techniques you can use to better protect yourself against attackers.
Identity security 101
Every single organisation with cloud identities should, at minimum, have two core features in place: multi-factor authentication (MFA) and conditional access (CA). Any outside authentication request should be subject to an MFA request, preferably with added protections like number matching. Over 99% of would-be attackers are thwarted by MFA. The bad guys know that if they can’t replicate the token, app and/or biometrics possessed by the legitimate identity, they’ll have little chance of succeeding in their attack. SMS and phone call MFA requests are less secure due to techniques such as SIM swapping, but they are still better than having no MFA in place at all.
After the request satisfies MFA, the next hurdle to clear should be conditional access. Even though the user has proven their identity, security teams can specify any number of conditions that need to be satisfied before the authentication request is completed. This could be forcing the request to come in from a device enrolled in Microsoft Intune, from an allow list of preapproved IP addresses or ranges, using a compliant browser, and lots more. This belt-and-braces approach ensures that legitimate requests to company resources are granted, with as little friction to the user experience as possible. New conditional access capabilities in preview include token protection, which creates a cryptographically secure link between the authentication token being provisioned and a specific device, and helps protect against Adversary in the Middle (AITM) attacks.
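To make the two-hurdle flow concrete, here is an added example (not code from the article, from Quorum Cyber or from Microsoft) that evaluates constructed sign-in requests the way the text describes: MFA is checked first, and only then are the conditional access conditions (enrolled device, IP allow list, compliant browser) applied. The policy fields, the trusted IP ranges and the method names are assumptions chosen for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed allow list of corporate egress ranges (assumption, documentation prefixes).
TRUSTED_RANGES = [ipaddress.ip_network("203.0.113.0/24"),
                  ipaddress.ip_network("198.51.100.0/25")]
STRONG_MFA = {"authenticator_number_match", "fido2"}  # number-matched or phishing-resistant
WEAK_MFA = {"sms", "voice"}                            # SIM-swap exposed, but better than none

@dataclass
class SignIn:
    user: str
    source_ip: str
    mfa_method: Optional[str]   # None means the request was single-factor
    device_enrolled: bool       # e.g. Intune-enrolled and compliant
    browser_compliant: bool

@dataclass
class Policy:
    require_enrolled_device: bool = True
    require_trusted_ip: bool = True
    require_compliant_browser: bool = False
    allow_weak_mfa: bool = True

def evaluate(req: SignIn, policy: Policy) -> Tuple[str, List[str]]:
    """Return ("grant" | "deny", reasons). MFA is decided before any CA condition."""
    reasons: List[str] = []
    # Hurdle 1: MFA. Without a second factor the request never reaches conditional access.
    if req.mfa_method is None:
        return "deny", ["mfa_missing"]
    if req.mfa_method in WEAK_MFA:
        if not policy.allow_weak_mfa:
            return "deny", ["mfa_weak_method"]
        reasons.append("mfa_weak_method_accepted")   # recorded, not a failure
    # Hurdle 2: conditional access. Every configured condition must hold.
    ip = ipaddress.ip_address(req.source_ip)
    if policy.require_trusted_ip and not any(ip in net for net in TRUSTED_RANGES):
        reasons.append("ip_not_in_allow_list")
    if policy.require_enrolled_device and not req.device_enrolled:
        reasons.append("device_not_enrolled")
    if policy.require_compliant_browser and not req.browser_compliant:
        reasons.append("browser_not_compliant")
    failed = [r for r in reasons if not r.endswith("_accepted")]
    return ("deny" if failed else "grant"), reasons
```

Every failed condition is reported rather than just the first, which is what a security team wants to see in sign-in logs when tuning a policy.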
Just-in-time access with Privileged Identity Management
A core tenet of Zero Trust (ZT) best practice is to not permanently assign elevated permissions and privileges, and instead to enable these elevated rights as and when they’re needed. This means that an account that may have powerful permissions, like Security Administrator or Global Administrator, isn’t at risk of being abused 100% of the time. To think of it in very simple terms, if you take away the average working day, an account like that is sitting dormant with those elevated rights for 2/3 of the day. Instead of accepting or mitigating the risk of this scenario, consider implementing just-in-time (JIT) access with Microsoft Entra Privileged Identity Management (PIM), so that those who require additional privileges in their role must request access on a temporary basis. This can follow any approval workflows you want to put in place, or it can be completely no-touch instead, and take advantage of new functionality that will prompt the user for MFA – even if they’ve already authenticated. This makes sure that whenever elevated permissions are needed in your organisation, you can rest assured that there’s a legitimate request behind it, and the permissions aren’t left to stagnate in accounts that may be forgotten about over time.
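The following is an added example, not the article's or Microsoft PIM's code, of the just-in-time model described above: users are only ever eligible for a role, an activation demands a fresh MFA result, lasts for a bounded window and expires on its own, and the share of a day for which the role was actually live can be measured against the 24/24 exposure of a permanent assignment. Role names, the activation cap and the timestamps are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set

MAX_ACTIVATION = timedelta(hours=8)  # constructed policy limit for a single activation

@dataclass
class Activation:
    user: str
    role: str
    starts: datetime
    ends: datetime

class JitRoleStore:
    """Eligible roles are never held; they only exist while an activation is live."""

    def __init__(self, eligible: Dict[str, Set[str]]):
        self.eligible = eligible              # user -> roles the user may activate
        self.activations: List[Activation] = []

    def activate(self, user: str, role: str, now: datetime, mfa_passed: bool,
                 duration: timedelta = timedelta(hours=1)) -> Activation:
        if role not in self.eligible.get(user, set()):
            raise PermissionError("user is not eligible for role")
        if not mfa_passed:
            # MFA is required at activation even if the session already authenticated.
            raise PermissionError("MFA required at activation time")
        duration = min(duration, MAX_ACTIVATION)  # clamp to the policy maximum
        act = Activation(user, role, now, now + duration)
        self.activations.append(act)
        return act

    def holds(self, user: str, role: str, now: datetime) -> bool:
        """True only inside a live activation window; expiry needs no clean-up job."""
        return any(a.user == user and a.role == role and a.starts <= now < a.ends
                   for a in self.activations)

    def active_fraction(self, user: str, role: str, window_start: datetime,
                        window: timedelta = timedelta(hours=24)) -> float:
        """Fraction of the window during which the role was live (1.0 = permanent assignment)."""
        window_end = window_start + window
        total = timedelta()
        for a in self.activations:
            if a.user == user and a.role == role:
                overlap = min(a.ends, window_end) - max(a.starts, window_start)
                if overlap > timedelta():
                    total += overlap
        return total / window
```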
To complement the security features that have been described already, there are some governance-focused capabilities that can help with the housekeeping and administration of your organisational identities. These fall under the umbrella of Microsoft Entra Identity Governance.
Microsoft Entra entitlement management enables an organisation to select which users and/or guests are allowed to access which resources. These resources, such as SharePoint sites, Teams, shared mailboxes and more, can be bundled up into Access Packages. When a new employee or guest in the environment is added to this package, subsequent access is granted to all underlying resources. This means that one addition or removal is all it takes to grant or remove access to resources in bulk, respectively.
Another feature of entitlement management is access reviews, which allow recurring review cycles to be applied to groups of resources. Admins can create a campaign that places responsibility on the resource owner, not IT, to determine whether those with access to resources should still have that access. This can help clean up dormant accounts, or aid in cleaning up permissions when employees or guests move departments or leave the organisation altogether. Policies can be crafted so that if a resource owner doesn’t audit the membership list by a deadline, accounts are automatically removed from access, ensuring that resources are protected by default and not left open for exploitation.
A relative newcomer to the identity security space is Microsoft Entra Permissions Management, a cloud infrastructure entitlement management (CIEM) solution which works across Microsoft Azure, Google Cloud Platform and Amazon Web Services to provide comprehensive visibility into permissions assigned to all identities across these platforms.
In the first instance, this can be used for cross-cloud identity discovery, shining a light on areas that may have been kept in the dark up until now. Each identity is assigned a Permissions Creep Index (PCI), an aggregated metric that evaluates the risk associated with unused or excessive permissions, and automation can be put in place to scale back over-provisioned rights and permissions without an administrator having to intervene.
The insight gained from Microsoft Entra Permissions Management can augment a security team’s perspective on whether a user account is compromised or not, and can immediately stop an account takeover in its tracks if it’s deemed to be an attacker exploiting a user identity to traverse an environment.
Protecting identities has never been more important. A single compromised account is often an attacker’s only entry point into an environment. If these identities have their posture improved and additional monitoring set up around them, it can often crush a bad guy’s only route into an organisation they’re targeting. Even if they do manage to succeed in their initial account compromise, the increased monitoring around accounts to ensure they’re functioning “normally” means attackers will stick out like a sore thumb if they try to use an account for their nefarious actions.
The defence of identities in your organisation should be conducted in layers, with each of the Microsoft Entra features detailed above considered as an additional hurdle an attacker must jump over to gain access. The more features in place, the more frustrating it will be for the bad guys when they target one of your accounts.
Quorum Cyber can help your organisation with any of the capabilities described in this article; whether you need help adding any of these features to your defences, or if you want a sanity check to ensure what’s in place already is best configured to keep attackers at bay. Take a look at our services and get in touch today.