EMS Partner Community: Trust your authentication – Azure Active Directory
The concept of identity as the new perimeter has moved from being a radical new idea to a truism with information security professionals. It’s a concept that’s also well understood by hackers. The facts are telling – identity compromise has been the cornerstone of most breaches in recent years. That’s no surprise, since successful authentication is frequently all that is required for a user to gain access to a system or to data.
The focus of the November community call and blog series is identity protection and identity management.
In an on-premises environment with on-premises users, the user’s location serves as an extra level of trust for the incoming authentication. When organizations take their first steps into the cloud, they frequently look to maintain this level of trust by confining logons to their cloud services to logins coming from their on-premises network. This is a simple model of conditional access that’s relatively easy to implement.
This model quickly runs into problems, particularly as users start bringing their mobile devices to work, and taking their laptops home to work in the evenings and on weekends. Forcing users to be in the office to access company resources impacts productivity. Some cloud services implement conditional access solutions that allowed access from company-managed devices to work around this problem, while others do not. The number of cloud services and access scenarios multiplies.
Maintaining an ever-growing list of conditional access rules in this environment is becoming nearly impossible – especially since many apps and services do not natively support conditional access. Azure Active Directory provided a single control plane for enterprises seeking to provide users with access to cloud resources in a governed way.
The problem of improving authentication strength remained, however. The easy solution of enforcing multi-factor authentication on every login solves this problem, but it is not something many users are willing to tolerate every day many times a day. Manually determining a list of rules when MFA should or should not be enforced is an exercise that becomes exponentially more difficult with every new cloud app and every new user access scenario – yet still frequently fails to account for an attacker’s ability to recreate the “trusted” login.
Azure Identity Protection
Azure Identity Protection solves this problem of “tug of war” between security and usability without forcing the administrator to write an endless list of condition-based access rules. By combining user behavior analytics, threat intelligence data – both proprietary and from global security partners, and human intelligence data from the Microsoft Digital Crime Unit – each logon and each user is evaluated and risk levels are assigned. As an administrator, you simply have to make a decision what actions to take when a risky login is detected.
The majority of users can sign in seamlessly and with little friction. Users that break their typical work pattern (for example, sign in from a new location) are prompted for a multi-factor authentication – not unlike the fraud protection with your credit cards.
This is a major leap in our ability to keep an organization’s users both secure and productive.