Adoption of cloud services has undeniably soared, with Microsoft calling Office 365 its fastest growing commercial product ever, and more than 70 percent of Fortune 500 companies now using at least two different Microsoft cloud services. However, while organizations are actively deploying more cloud applications, they are also keeping on-premises solutions, creating a hybrid environment of both on-premises and cloud-based applications.
To manage employee authentication, identity management and access control policies across hybrid environments, companies often leverage the Azure Active Directory (AD) Connect management tool, which performs a one-way sync from on-premises AD to the online Azure AD. The problem is that on-premises AD does not include the same types of security controls that the cloud-based version does, leaving a big hole in an organization’s security program that exposes the business to risk.
In this slideshow, Alvaro Vitta, principal solutions consultant specializing in security at Quest Systems and Information Management, recommends six steps for organizations to strengthen their hybrid directory environment to ensure successful hybrid cloud environment performance.
Securing Hybrid AD
Define and Assess User Access
Step 1: Clearly define and continuously assess each user’s level of access.
It’s crucial that companies continually assess privileges and access, establish security configuration baselines, and periodically review and report which users have access to perform which tasks. It’s particularly important to document which users have the most sensitive types of access.
Detect and Alert Suspicious Changes
Step 2: Detect and alert suspicious changes at all user levels.
Businesses should have a system in place to automatically detect suspicious changes and notify the IT administrator when they occur. These might include password changes made by someone other than the account owner, membership changes in privileged groups, a mass deletion of accounts, or multiple failed logons followed by a successful logon to a domain controller.
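As an added illustration of the Step 2 detection logic (example code written for this page, not from the article or from Quest's products), the following Python checks a constructed batch of Windows Security events for the four signals named above. The event IDs are the standard Windows ones; the record layout, host names and the list of privileged groups are assumptions.

```python
# Added example (not from the article): a toy detector for the Step 2 signals,
# run over constructed Windows Security event records. Event IDs are the real
# ones (4724 password reset, 4728/4732/4756 member added to a group, 4726 account
# deleted, 4625/4624 logon failure/success); record layout, hosts, groups assumed.
from collections import defaultdict
from datetime import datetime, timedelta

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins"}
DOMAIN_CONTROLLERS = {"DC01", "DC02"}
GROUP_ADD_IDS = {4728, 4732, 4756}

def detect(events, mass_delete_threshold=5, failed_logon_threshold=3,
           window=timedelta(minutes=10)):
    """Return one alert string per suspicious pattern found in events."""
    alerts, deletions = [], []               # deletions: recent 4726 timestamps
    failures = defaultdict(list)             # (host, account) -> 4625 timestamps
    for rec in sorted(events, key=lambda e: e["time"]):
        eid, t, key = rec["id"], rec["time"], (rec["host"], rec["target"])
        if eid == 4724 and rec["subject"] != rec["target"]:
            alerts.append(f"password reset for {rec['target']} by non-owner {rec['subject']}")
        elif eid in GROUP_ADD_IDS and rec["group"] in PRIVILEGED_GROUPS:
            alerts.append(f"{rec['subject']} added {rec['target']} to {rec['group']}")
        elif eid == 4726:
            deletions = [d for d in deletions if t - d <= window] + [t]
            if len(deletions) == mass_delete_threshold:   # fire once per burst
                alerts.append(f"mass deletion: {len(deletions)} accounts within {window}")
        elif eid == 4625 and rec["host"] in DOMAIN_CONTROLLERS:
            failures[key].append(t)
        elif eid == 4624 and rec["host"] in DOMAIN_CONTROLLERS:
            recent = [f for f in failures.pop(key, []) if t - f <= window]
            if len(recent) >= failed_logon_threshold:
                alerts.append(f"{len(recent)} failed logons then success for {rec['target']} on {rec['host']}")
    return alerts

T0 = datetime(2017, 3, 1, 9, 0)                  # constructed base timestamp

def ev(minute, eid, **fields):
    return {"time": T0 + timedelta(minutes=minute), "id": eid, "host": "DC01", **fields}

SAMPLE_EVENTS = [                                # constructed sample log
    ev(0, 4723, subject="alice", target="alice"),              # own password change
    ev(1, 4724, subject="helpdesk1", target="bob"),            # reset by another user
    ev(2, 4728, subject="svc_sync", target="bob", group="Domain Admins"),
    ev(3, 4732, subject="admin", target="carol", group="Sales"),  # not privileged
    *[ev(4, 4726, subject="admin", target=f"user{i}") for i in range(5)],
    *[ev(5 + i, 4625, subject="-", target="dave") for i in range(3)],
    ev(9, 4624, subject="-", target="dave"),
]
```

Running `detect(SAMPLE_EVENTS)` yields four alerts, one per pattern; the benign own-password change and the non-privileged group add produce none.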
Automate Remediation
Step 3: Automate remediation.
To create a self-healing environment that does not require human intervention, administrators must automate the remediation of unauthorized security changes so that the environment stays aligned with the assessment baselines. Remediation should be configured in advance in several ways: maintaining a whitelist of users allowed to make changes, reverting unsanctioned changes to AD objects, detecting inactive accounts and moving them to a disabled-user container, and deleting those accounts if they remain inactive for several days.
Restrict Permissions
Step 4: Restrict permissions at the most likely points of exploitation.
To keep breaches from recurring after remediation, companies should apply the principle of least privilege, a model that further restricts the permissions available for AD tasks and for Group Policy Object (GPO) permissions. Mitigation focuses on automated controls at the most conspicuous points of exploitation. This includes externalizing AD permissions and controlling them through a proxy model, enforcing a real-time whitelisting model across AD objects and GPOs, using sequential group memberships coupled with approval workflows to reduce the risk carried by permanent memberships, and employing password vaulting to protect service accounts.
Use Forensics to Identify Breach Paths
Step 5: Use forensics to identify paths to breaches.
IT teams can reveal the most likely paths to any potential data breach by using 360-degree forensics and full-text search to connect events, access activities and security configuration across multiple data sets. These searches can expose the tracks that lead to possible breaches, including any activity in AD, GPOs, files and computers by a given user during a given period; any activity containing a given word, such as “finance” or “salary”; security configuration and changes for a given user; and membership information for any given group, including recent changes to membership.
Create a Contingency Plan
Step 6: Prepare to recover by creating a contingency plan.
Finally, organizations have to adjust to the continuous state of potential data breach and insider threats by assuming a breach will take place and preparing themselves to recover. This means a contingency plan must cover various areas, including daily backup of AD database information, tight control over the rights to back up and restore AD objects, encryption of AD backups on disk and establishment of a recovery time objective (RTO) for a full AD recovery.