Employees need the ability to access and share data wherever they are, using a variety of corporate and personal devices. As a result, security policies can no longer be based solely on whether a request originates from inside or outside the corporate perimeter. Therefore, organizations should follow the ‘Zero Trust’ Security model, starting with strong identity management. Microsoft recommends four steps for implementing strong identity for a Zero Trust security model: enable multi-factor authentication (MFA), implement policy-based access solutions, strengthen identity protection and allow only secure access to SaaS and on-premises apps.
A compromised identity credential, even one with low-level privileges, is all an attacker needs to gain entry into an organization and begin moving laterally, undetected, toward business-critical systems and data. To implement strong identity, organizations need a way to rapidly detect compromised identities and proactively prevent them from being misused. Azure AD Identity Protection uses heuristics and adaptive machine learning to detect anomalous behavior and suspicious incidents that indicate potentially compromised identities. Administrators can configure risk-based policies within Azure AD Identity Protection to automatically respond to detected risks. Policies can be configured to automatically block access when a specified risk threshold has been reached. Administrators can also set policies for responding to suspicious user activity or risky sign-ins. Azure AD Identity Protection can proactively detect vulnerabilities that impact user identities, such as users without MFA registration, unmanaged cloud apps, users with unnecessary privileged access and weak authentication for role activation.
The Identity Protection dashboard provides information on users flagged for risk as well as suspicious and anomalous activity and vulnerabilities. Azure AD supports three directory roles for managing an Identity Protection implementation:
A Global Administrator role with full access to Identity Protection and rights to onboard Identity Protection
A Security Administrator role with full access to Identity Protection but no rights to onboard Identity Protection or to reset user passwords
A Directory Reader role with read-only access and no ability to onboard Identity Protection, configure policies or reset passwords
Azure AD role-based access control regulates access management for Azure AD resources. Azure AD supports two types of identity service role definitions: built-in and custom roles. Built-in roles are out-of-the-box roles with a fixed set of permissions; these role definitions cannot be modified. Azure AD supports many built-in roles, and the list is growing. For requirements that the built-in roles do not fit, Azure AD also supports custom roles. Granting permission using custom Azure AD roles is a two-step process: create a custom role definition, then assign it using a role assignment. A custom role definition is a collection of permissions that you pick from a preset list; these are the same permissions used in the built-in roles.
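The two mechanisms described above, the risk-based policy that blocks access at a chosen risk threshold and the two-step custom-role process, as an added Microsoft Graph PowerShell example that is not part of the original article. It assumes the Microsoft.Graph modules are installed, that the signed-in account holds one of the administrator roles listed earlier, and that the user principal names and the role display name are hypothetical placeholders.

```powershell
# Added example, not from the article. Requires the Microsoft.Graph PowerShell modules.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess","RoleManagement.ReadWrite.Directory","User.Read.All"

# Hypothetical emergency-access account, excluded so a false-positive risk detection
# cannot lock every administrator out of the tenant.
$breakGlass = (Get-MgUser -Filter "userPrincipalName eq 'breakglass@contoso.example'").Id

# 1) Risk-based policy: block sign-ins that Identity Protection rates as "high" risk.
#    Created in report-only mode first; switch state to "enabled" after reviewing the sign-in logs.
$riskPolicy = @{
    displayName   = "Block high sign-in risk"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users            = @{ includeUsers = @("All"); excludeUsers = @($breakGlass) }
        applications     = @{ includeApplications = @("All") }
        signInRiskLevels = @("high")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $riskPolicy

# 2) Custom role definition: permissions are picked from the preset list, here limited
#    to updating basic properties and credentials of app registrations.
$roleParams = @{
    displayName     = "Application Support Administrator (custom)"
    description     = "Can manage basic aspects of application registrations."
    isEnabled       = $true
    rolePermissions = @(
        @{ allowedResourceActions = @(
            "microsoft.directory/applications/basic/update",
            "microsoft.directory/applications/credentials/update") }
    )
}
$roleDef = New-MgRoleManagementDirectoryRoleDefinition -BodyParameter $roleParams

# 3) Role assignment: bind the definition to a hypothetical support account at tenant scope ("/").
$support = (Get-MgUser -Filter "userPrincipalName eq 'appsupport@contoso.example'").Id
$assignParams = @{
    "@odata.type"    = "#microsoft.graph.unifiedRoleAssignment"
    roleDefinitionId = $roleDef.Id
    principalId      = $support
    directoryScopeId = "/"
}
New-MgRoleManagementDirectoryRoleAssignment -BodyParameter $assignParams
```

Review the policy's report-only results in the sign-in logs before enforcing it, and keep the break-glass exclusion so a risk detection on an administrator account never removes all administrative access.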
“When an organization moves to the cloud and starts using identity protection, it is very important to properly configure the number and scope of administrator roles. This is particularly important because many avoidable errors can arise later on simply from the situation where the scope of administrator roles is not appropriate or too many people have such roles within the organization. It is therefore fundamental to ensure that everyone is only and exclusively authorized to do the job they are supposed to do. Noventiq can help its customers in this process from the very beginning. We assess your organization and its operations, thereby developing a global administration strategy tailored to the needs of your organization, with the right roles and positions. We will also develop individual roles for the organization if they are required to function properly. From the starting point, we will get the organization to a point where its operations are fully defined, structured, and developed in terms of administrator roles and rights.” - commented one of our experts.
If you feel your identity posture is not strong enough, whether the gap lies in identity protection, authorization or policies, contact us. Noventiq has international experience and is happy to help you build a strong identity for your organization.
Strong identity is one of the foundational pillars of Microsoft’s Zero Trust security model, which provides a framework for moving from controlling access based on implicit trust assumptions to an approach that requires real-time verification of all users, devices, locations and other signals. Microsoft recommends four steps for implementing strong identity: multi-factor authentication, policy-based access, identity protection and secure access to SaaS and on-premises apps. Multi-factor authentication is foundational to strong identity. “Condition-based access and controls such as MFA are important to prevent unauthorized access to corporate applications, services and data. MFA spamming has become more prevalent with increasing adoption of strong authentication. Azure AD offers a broad range of flexible authentication methods to meet the unique needs of your organization and helps keep your users protected.” - Balázs Maar, Microsoft Solutions Sales Manager.
Identity is one of the six foundational pillars of a Zero Trust framework, along with devices, applications, data, infrastructure and network. Identities – whether they represent people, services or Internet of Things (IoT) devices – define the Zero Trust control plane. Of the four recommended steps (multi-factor authentication, policy-based access, identity protection and secure access to SaaS and on-premises apps) that help implement strong identity, policy-based access is a must because “With policy-based access we have near real time protection alongside an optimized for productivity user experience that omits all unnecessary or excessive security prompts and checks. That way, we all can focus on our work, knowing that we are protected” - Vitan Kostov, Noventiq’s Solution Sales Manager.
The Zero Trust framework helps businesses modernize their security technologies and processes effectively, maximizing protection against the current threat landscape. In the following summary, we focus on the first two pillars of the Zero Trust framework, identities and endpoints—and provide hands-on guidance on how to keep them secure.
In the era of digital transformation and the rise of hybrid work models, cybersecurity's significance has surged. With cybercriminals evolving and exploiting every vulnerability, organizations must prioritize security. According to Microsoft, 98% of cyberattacks can be prevented by an adequately defended system. Read the summary of a Microsoft article which explores six core domains demanding attention: email, identity, endpoint, Internet of Things (IoT), cloud, external.