Identity: driving Enterprise Mobility and Security
HI MY NAME IS ANTHONY VAN DEN BOSSCHE, TECHNICAL CONSULTANT
Data breaches focussed around Identity
On premise security measures
Off premise security measures
Lots of demos!
Data breaches: focussed around Identity
• In 2016 around 1093 major data breaches were identified!
▶ Highest number since 2005 (start of measuring)
▶ Mainly focussed around identities instead of hardware
▶ A large number, however, go unreported
• What we have now is insufficient; security needs to be redesigned
▶ Password policies, auditing, DMZ usage, privileged access, de-provisioning and many many more!
• Need for security precautions is larger than ever, on and off premise
Data breaches – 63%
63% of confirmed data breaches involve weak, default, or stolen passwords.
IT budget growth – 0.6%
Gartner predicts global IT spend will grow only 0.6% in 2016.
Shadow IT – 80%
More than 80 percent of users admit to using non-approved software as a service (SaaS) applications in their jobs.
On-premises security precautions: new AD on-prem capabilities
• Just Enough Administration + Demo
• Privileged Account Management
• ADFS 4.0
Active Directory Domain Services Features – New in Server 2016: Just Enough Administration
• Reduces risk by limiting administrator exposure
• Classic RBAC features are insufficient
▶ Need rights: Domain Admin!
▶ No thorough auditing on executed tasks
• With JEA, users can:
▶ Perform only the tasks that they need to perform, without local admin
▶ Nothing more, nothing less
• Leverages PowerShell Remoting, WSMan
• PowerShell knowledge is a requirement
• Only specific cmdlets are available
▶ To be stipulated in a Role Capability file
▶ User connects to a Session Configuration with the associated capabilities
• External commands can be used as well
▶ Executables situated in the path variable
Just Enough Administration Demo: Azure Virtual Machine, Windows Server 2016 Domain Controller, Role Capability "DNS Admin"
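The following is an added example that is not the speaker's demo code: it builds a JEA endpoint of the kind the demo describes, a "DNS Admin" role on a domain controller. The group CONTOSO\DnsOperators, the zone contoso.com, the host dc01 and all file paths are assumptions.

```powershell
# Added example (not from the deck): a JEA endpoint that lets members of an assumed
# group CONTOSO\DnsOperators manage one DNS zone on an assumed DC named dc01
# without holding Domain Admin rights. Names, zone and paths are assumptions.

# 1. A role capability file (.psrc) must live in a RoleCapabilities folder of a
#    module on the PSModulePath, so JEA can resolve it by name.
$moduleRoot = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\DnsJea'
$rcPath     = Join-Path $moduleRoot 'RoleCapabilities'
New-Item -ItemType Directory -Path $rcPath -Force | Out-Null
New-ModuleManifest -Path (Join-Path $moduleRoot 'DnsJea.psd1')

# 2. Whitelist only the cmdlets this role needs; parameter values can be constrained too,
#    so the operator can touch contoso.com but no other zone.
New-PSRoleCapabilityFile -Path (Join-Path $rcPath 'DnsAdmin.psrc') `
    -ModulesToImport 'DnsServer' `
    -VisibleCmdlets @(
        'Get-DnsServerZone',
        'Get-DnsServerResourceRecord',
        @{ Name = 'Add-DnsServerResourceRecordA';  Parameters = @{ Name = 'ZoneName'; ValidateSet = 'contoso.com' } },
        @{ Name = 'Remove-DnsServerResourceRecord'; Parameters = @{ Name = 'ZoneName'; ValidateSet = 'contoso.com' } }
    ) `
    -VisibleExternalCommands 'C:\Windows\System32\ipconfig.exe'   # external executables are listed here by full path

# 3. Session configuration: restricted endpoint, run-as virtual account, a transcript per session.
#    Caveat: on a domain controller the virtual account is itself highly privileged, so the
#    cmdlet whitelist above is the real boundary; keep it minimal and keep the transcripts.
$pssc = Join-Path $env:TEMP 'DnsAdmin.pssc'
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\JEATranscripts' `
    -RoleDefinitions @{ 'CONTOSO\DnsOperators' = @{ RoleCapabilities = 'DnsAdmin' } }

Test-PSSessionConfigurationFile -Path $pssc   # validates the file before it is registered
Register-PSSessionConfiguration -Name 'DnsAdmin' -Path $pssc -Force   # restarts WinRM

# 4. An operator connects to the constrained endpoint; Get-Command inside the session
#    lists only the whitelisted set, and every command lands in the transcript directory.
# Enter-PSSession -ComputerName dc01 -ConfigurationName DnsAdmin
```

The ValidateSet on ZoneName is the part worth copying: without it, a "DNS admin" role capability silently hands out write access to every zone the DC hosts.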
Active Directory Domain Services Features – New in Server 2016: Privileged Account Management
• Key goal: reduce malicious attack surface
• Time-limited group memberships
• Separate bastion forest with Shadow Principals
• Request access through PAM (MIM, REST, PoSh)
• Policies decide whether access should be granted
▶ Also Multifactor Authentication is enforced to prove identity
• Access is granted for a configured limited amount of time (JIT)
• MIM included in EMS E3 licenses
• Auditing on performed actions
• Use cases: time-based access to servers, application admins…
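The time-limited membership piece of PAM can be tried without the bastion forest and MIM, directly in a Server 2016 forest. The block below is an added example, not part of the deck; the forest contoso.com, the group and the user are assumptions.

```powershell
# Added example (not from the deck): time-limited ("JIT") group membership in Server 2016
# AD DS via the Privileged Access Management optional feature. Forest name, group and
# user are assumptions. Note: enabling the optional feature cannot be undone.

Import-Module ActiveDirectory

# 1. Enable the feature once per forest (requires the Windows Server 2016 forest functional level).
Enable-ADOptionalFeature -Identity 'Privileged Access Management Feature' `
    -Scope ForestOrConfigurationSet -Target 'contoso.com'

# 2. Grant a membership that expires by itself instead of a permanent entry in a privileged group.
$ttl = New-TimeSpan -Hours 1
Add-ADGroupMember -Identity 'DNS Operators' -Members 'alice' -MemberTimeToLive $ttl

# 3. Verify: with -ShowMemberTimeToLive the 'member' attribute shows the remaining
#    seconds per link, e.g. "<TTL=3598,CN=alice,OU=Users,DC=contoso,DC=com>".
Get-ADGroup -Identity 'DNS Operators' -Property member -ShowMemberTimeToLive |
    Select-Object -ExpandProperty member

# Expired links are removed by the DC on its own, and a Kerberos TGT issued while the
# membership is active is limited to the remaining TTL, so the access really ends
# without anyone having to remember the de-provisioning step.
```

For auditing, the usual Directory Service Changes events still fire for the add and for the automatic removal, which gives the "auditing on performed actions" point above a concrete log trail.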
Active Directory Federation Services – Server 2016 Features
• Rolling OS upgrades
• No passwords in the DMZ, MFA only!
• Password-less access from compliant devices
• Logon through biometrics
• Better support for Modern Authentication
• Access Control Policies
• Non-AD LDAP stores!
• Customize the sign-in experience for AD FS applications
• Streamlined auditing for easier administrative management
• Simplified password management for federated O365 users
Off-premises security precautions: Azure Active Directory
• What is it?
• Identity Protection
• Multifactor Authentication
• Self Service Password Reset
• Application Proxy
What is Azure Active Directory?
• Multi-tenant cloud-based directory
• Identity bridge between on-prem AD and applications
▶ SaaS applications
▶ Internal applications
• Numerous cloud-driven features
▶ Multifactor authentication
▶ Self service groups – applications – password reset/change/unlock
▶ Application Proxy
▶ Partner collaboration
▶ Many more
• Not the same as Active Directory Domain Services
• Management with Azure Portals, REST, PoSh
Azure AD is not the same as ADDS
• Azure AD can be an extension of ADDS = Identity Bridge
• ADDS: Kerberos, LDAP, Global Catalog, NTLM
• AAD: Web Services (SOAP), PoSh, REST…
[Diagram: Azure Active Directory versus On-Premise Active Directory]
• Azure Active Directory – editions: Free, Basic, Premium (P1 | P2); protocols: Web Services (SOAP, JAVA), REST, PoSh, SQL, LDAPv3
• On-Premise Active Directory – objects: User, Group Policy, Organizational Unit, Print Queue, Computer; protocols: LDAP, Kerberos, Global Catalog, NTLM
Identity as the core of Enterprise Mobility – the “Identity Bridge”
[Diagram: on-premises Windows Server Active Directory and other directories connect through a simple connection to Microsoft Azure Active Directory in the cloud, which provides single sign-on and self-service towards SaaS and Azure public cloud applications.]
Azure AD Identity Protection
• Detects potential vulnerabilities affecting your organization’s identities
▶ MFA is not enforced
▶ Too many Global Admins in the O365 tenant (PIM)
• Detects user risk levels based on machine learning
▶ Sign-in patterns: anonymous IPs, atypical locations, leaked credentials…
• Policies take instantaneous and appropriate action to resolve them
▶ Require MFA to prove identity
▶ Initiate password reset
▶ Block access
• Notifications to end users and admins
Azure AD Application Proxy
• Publish applications outside of your corporate network without a DMZ
• Connector(s) installed on the network where the application resides
• Authentication methods:
▶ Pre-authentication (optionally with Kerberos Constrained Delegation)
▶ Pass-through
• Conditional access
• Leverage security mechanisms existing in Azure AD
▶ Pre-authentication of users with known credentials
▶ Identity Protection capabilities
▶ Multi Factor Authentication
• Leverage ADFS for claims-based applications
Azure AD Application Proxy – Scenarios
Scenario 1: Pass-through authentication
[Diagram: Internet / Azure / On-premises. A request from the Internet hits the external endpoint for the application (published: app1 with passthrough) on the Azure AD Application Proxy in Azure; the Azure AD Application Proxy connector on-premises forwards it to App1.]
Azure AD Application Proxy – Scenarios
Scenario 2: Pre-authentication: authentication to Azure AD
[Diagram: Internet / Azure / On-premises. The user first authenticates at the Azure AD endpoint for authentication, then reaches the external endpoint for the application (published: app1 with preauth) on the Azure AD Application Proxy; the Azure AD Application Proxy connector on-premises forwards the request to App1. On-premises AD has a possible sync to Azure AD.]
Azure AD Application Proxy – Scenarios
Scenario 3: Pre-authentication with KCD
[Diagram: Internet / Azure / On-premises. As in scenario 2, the user authenticates at the Azure AD endpoint for authentication and reaches the external endpoint for the application (published: app1 with preauth) on the Azure AD Application Proxy. On-premises, the Azure AD Application Proxy connector uses KCD against the KDC to obtain a Kerberos token for the user, which is injected into the header of the request to App1 (Kerberos auth). On-premises AD has a possible sync to Azure AD.]
Azure AD Application Proxy – Scenarios
Scenario 4: Pre-authentication with AAD and ADFS
[Diagram: Internet / Azure / On-premises. The user authenticates at the Azure AD endpoint for authentication and reaches the external endpoint for the application (published: app1 with preauth) on the AAD AppProxy (Azure AD Application Proxy). On-premises, the Azure AD Application Proxy connector forwards the request to App1, which is claims aware and relies on the on-premises security token service; a trust exists between Azure AD and that security token service. On-premises AD has a possible sync to Azure AD.]
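As an added example that is not part of the deck, the four scenarios above map onto a handful of settings on the published application. The block uses the AzureAD PowerShell module; the URLs, the SPN HTTP/app1.contoso.local, the connector host name CONNECTOR01 and the display names are assumptions.

```powershell
# Added example (not from the deck): publishing one internal app in the scenario styles
# above with the AzureAD PowerShell module. URLs, SPN and host names are assumptions.

Connect-AzureAD

# Scenario 1: pass-through. The proxy relays to the connector without an Azure AD sign-in
# first, so the application itself is the only component authenticating users and none
# of the Azure AD controls (Conditional Access, Identity Protection, MFA) apply.
$pt = New-AzureADApplicationProxyApplication -DisplayName 'app1-passthrough' `
    -ExternalUrl 'https://app1-contoso.msappproxy.net/' `
    -InternalUrl 'http://app1.contoso.local/' `
    -ExternalAuthenticationType Passthru

# Scenario 2: pre-authentication. Unauthenticated traffic never reaches the connector,
# and the Azure AD policies are evaluated before the request is forwarded on-premises.
$pre = New-AzureADApplicationProxyApplication -DisplayName 'app1-preauth' `
    -ExternalUrl 'https://app1-preauth-contoso.msappproxy.net/' `
    -InternalUrl 'http://app1.contoso.local/' `
    -ExternalAuthenticationType AadPreAuthentication

# Scenario 3: pre-authentication + KCD. After the Azure AD sign-in the connector requests a
# Kerberos ticket for the user from the on-prem KDC and injects it into the request header,
# so App1 keeps its Windows authentication and the user sees single sign-on.
Set-AzureADApplicationProxyApplicationSingleSignOn -ObjectId $pre.ObjectId `
    -SingleSignOnMode OnPremisesKerberos `
    -KerberosInternalApplicationServicePrincipalName 'HTTP/app1.contoso.local' `
    -KerberosDelegatedLoginIdentity OnPremisesUserPrincipalName

# On-premises counterpart (run on a DC with the ActiveDirectory module): the connector host's
# computer account may delegate to the app's SPN only, using protocol transition.
# Scoping msDS-AllowedToDelegateTo to that single SPN is what keeps this "constrained".
# Set-ADComputer -Identity 'CONNECTOR01' -Add @{ 'msDS-AllowedToDelegateTo' = 'HTTP/app1.contoso.local' }
# Set-ADAccountControl -Identity 'CONNECTOR01$' -TrustedToAuthForDelegation $true

# Scenario 4 (claims-aware App1 behind AD FS) needs no proxy-side SSO setting: publish with
# pre-authentication as in scenario 2 and let App1 obtain its token from the on-premises
# security token service, which is in a trust relationship with Azure AD.
```

When reviewing an existing tenant, listing the published applications and flagging those with ExternalAuthenticationType set to Passthru is a quick way to find apps that sit outside the Identity Protection and MFA controls the earlier slides describe.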