We all know identity management and security are critical to hardening cybersecurity ecosystems. We also know that we can make it happen using the many features and functions across Active Directory (AD), Entra ID and Microsoft 365.
The challenge is making sure these are deployed in a way that allows them to work seamlessly together, staying aligned even in environments where there’s fluidity and decentralization. It’s easier said than done when roles and attributes are similarly fluid, and where manual processes can drag down productivity, efficiency and security.
Some may be managing permissions and privileges for growing numbers of entities, bots, applications and other non-human users. They’re often distributed, dynamic and demand real-time access. This situation calls for clearly defined, strongly enforced, centrally managed policies to manage security with identity. Gartner notes, "As more organizations move to an identity-first approach to security, the focus shifts from network security and other traditional controls."
Navigating the maturity journey in identity management
While most organizations are on the path to a mix of centralized overview and decentralized operations, they’re at different stages of maturity. For IT leaders, it’s about knowing where your business is at the moment and using that knowledge to work out the best way to get to the next stage.
An early stage of maturity may mean point solutions for different authorization and delegation models. Greater maturity may lead to more integrated solutions. For example, end-to-end ITSM, leading into structured GRC, can be designed to achieve business objectives while meeting requirements within highly regulated industries.
Each organization needs to determine the best approach to identity security and management based on their needs and risk level. Comprehensive identity security and management is critical to reducing the attack surface and thereby protecting the business.
How AD supports identity management in the enterprise
The typical identity lifecycle comprises a mix of onboarding and provisioning accounts, managing and updating access and privileges, and deprovisioning and offboarding. Apply this to an enterprise with thousands of employees, and even a low percentage of employee turnover translates to hundreds of identities to be managed.
Naturally, larger organizations with a more complex identity landscape require more robust AD security. This is especially true when they rely on outdated technology, which adds risk to an already expanding set of endpoints. Many use AD as the primary provider of authentication and authorization for applications, databases, files and servers, all governed by AD group policies and attributes. The prevalence of groups is one of the things that makes AD a top target for attackers. For example, LockBit 2.0 ransomware uses group policies to move laterally across networks and force group policy updates.
Group Policies
Group Policies allow administrators to manage, regulate and secure users in AD environments. This includes password policies, Kerberos settings, and restrictions related to software downloads, usage or removal. An Organizational Unit (OU) is the lowest-level AD container that can be assigned Group Policy settings. Settings for password policies can be applied at the domain level. Any changes made here will affect the entire domain.
Data integrity
Without strong data integrity policies, there’s no way to keep track of which identities are being added to systems, groups and resources. At best, there’s a risk of overprovisioning and privilege creep. At worst, the attack surface is widened, with no way to accurately ensure accountability and data integrity.
AD offers a starting point for identity and access management solutions to verify access requests centrally. This minimizes attack surface gaps that may threaten data integrity and helps plot a path toward implementing a Principle of Least Privilege (PoLP) model, with the appropriate access controls and auditing.
Auditing
All organizations carry out some form of auditing, both internal and external, to comply with regulations and partnership commitments. AD provides default Audit Policies, with recommended baseline settings alongside hardened versions for workstations, server products and computers.
These policies provide auditing details ranging from logons and logon failures to group deletions and changes to policies. Any change made to the AD environment is tracked, logged and visible in the Event Viewer.
Recommended AD Attributes and Objects to audit and monitor:
- Deactivation or removal of the Computer objects of anti-virus and antimalware systems.
- Unauthorized changes made by and to Administrator accounts.
- Suspicious or anomalous behavior by privileged accounts.
- Changes made to privileged and VIP accounts and groups in AD, in particular activity around Enterprise Admins, Domain Admins, Administrators and Schema Admins.
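As an added example (not code from the original article), the PowerShell below pulls the membership-change events for the four privileged groups listed above from a domain controller's Security log. It assumes it runs on (or against) a DC with rights to read the Security log and that the "Audit Security Group Management" subcategory is enabled; the event IDs are the standard Windows ones.

```powershell
# Added example, not from the original article.
# Standard Windows Security event IDs for security-enabled group membership changes:
#   4728 / 4732 / 4756 = member added to a global / domain-local / universal group
#   4729 / 4733 / 4757 = member removed from a global / domain-local / universal group
$PrivilegedGroups = @('Enterprise Admins', 'Domain Admins', 'Administrators', 'Schema Admins')
$AddIds    = 4728, 4732, 4756
$RemoveIds = 4729, 4733, 4757

# Assumption: the Security log on this DC is readable and the
# "Audit Security Group Management" subcategory is enabled, otherwise nothing is returned.
$Events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = ($AddIds + $RemoveIds)
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue

foreach ($Event in $Events) {
    # Flatten the EventData name/value pairs into a hashtable for easy lookup.
    $Xml  = [xml]$Event.ToXml()
    $Data = @{}
    foreach ($Item in $Xml.Event.EventData.Data) { $Data[$Item.Name] = $Item.'#text' }

    # TargetUserName is the group that changed, MemberName the account (DN) added or
    # removed, and SubjectUserName the account that made the change.
    if ($PrivilegedGroups -contains $Data['TargetUserName']) {
        [pscustomobject]@{
            Time      = $Event.TimeCreated
            Action    = if ($AddIds -contains $Event.Id) { 'Added' } else { 'Removed' }
            Group     = $Data['TargetUserName']
            Member    = $Data['MemberName']
            ChangedBy = "$($Data['SubjectDomainName'])\$($Data['SubjectUserName'])"
            DC        = $Event.MachineName
        }
    }
}
```

Pipe the output to Export-Csv or a SIEM forwarder to keep a record; any ChangedBy value that is not an approved administrator, or any change outside a change window, is worth an immediate look.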
Privileged Access Management
AD environment compromise makes headlines, unfortunately. Compromise that results from standing privilege is preventable: reduce standing privilege to only what specific identities and objects need at any given time. By implementing a PoLP model, active management of privileged accounts can dramatically reduce the attack surface and mitigate the impact of an AD environment compromise.
The ability to view the entire identity landscape is invaluable for ensuring policies are upheld and enforced consistently across all directories, on premises and in the cloud. AD and Entra ID each currently provide visibility into only their own platform through their own console, making it challenging to manage policies across a hybrid identity landscape.
Standing privileged accounts are appealing to attackers as an easy way to break into an organization. They are so appealing, in fact, that abuse of valid credentials accounted for 44.7 percent of all data breaches in 2023. When the networks include cloud-based infrastructure, including Entra ID, the attack surface has the potential to widen further.
Why implement Entra ID?
The modern enterprise is often multi-cloud and multiplatform. That’s why many organizations use Entra ID to extend their on-premises AD environments to the cloud. Users can then access the necessary cloud-based software and applications.
However, as the list of required resources grows, users and administrators are faced with managing multiple identities and logins across multiple Entra ID tenants and Active Directory domains. The risk arises when combining hybrid and on-premises environments without consistent policy implementation and enforcement, much of which is done manually.
Privileged identity management and hybrid identity management
Privileged access users have a higher level of access to corporate resources, making them a high-value target for threat actors. What’s more, their privileges potentially allow any malicious behaviors to remain undetected for longer.
For example, Blacktech actors used their elevated privileges in an attack on Cisco routers to establish persistent backdoor access and obfuscate future malicious activity. In the face of these risks, privileged identity management (PIM) offers a way to control, limit, and retain visibility of who has access and what they are doing.
The role of delegation in identity management
Delegation and authorization are two important components of any identity management strategy. However, the power to delegate only comes after granting the power of authorization. It’s not possible for an unauthorized user to delegate.
When the flow works correctly, there’s continuous accountability throughout the identity lifecycle, providing a transparent record for governance, compliance and internal auditors. Authorization rules define what accounts can do, with dynamic delegations that happen according to the authorization model.
By unifying processes and reducing the number of manual decisions needed, organizations can more easily visualize, report and make ongoing adjustments to support Zero Trust least privilege. Delegations can follow PoLP, with permissions only delegated when necessary. This combination of authorization and delegation provides greater control, visibility and security for identity management.
AD, Entra ID and Microsoft 365: Layered defense for complex threats
AD takes the role of protecting internal networks. Policies, auditing, permissions, privileges, and active management can deliver PoLP for local files, applications and resources.
Entra ID provides cloud-based identity management. Access controls secure distributed teams, whose virtual tools are provisioned as a service over the internet.
Microsoft 365 then provides the tools and resources to work, collaborate and communicate, while incorporating cybersecurity features such as encryption and allowing users to set conditions for file sharing, access and expiry as further defensive measures.
When you have multiple solutions operating together, bridging gaps between on-premises and cloud, seamless integration becomes business-critical. An identity fabric can be exploited by emerging threats, and policies and permissions need to be constantly checked for potential misconfigurations. That’s where authorization and delegation come in.
Authorization and delegation: The pivotal relationship in identity management
Authorization and delegation, working together, can help streamline an identity framework, providing granular access to the right people at the right time.
When accomplished with holistic visibility and control across the identity ecosystem, this combination will help reduce risk and complexity in an AD/Entra ID environment while adding efficiencies that free up resources to focus on strategic tasks.
Add automation of policies to the mix and you can streamline identity management processes even further while reducing the burden of manual policy deployment and reducing the risk of human error.
Conclusion
To find out more about how to deliver this dynamic and balanced approach to identity management, check out this on-demand session: The relationship between authorization and delegation in the identity world. You’ll hear from industry experts who will share insights on creating flexible security frameworks with authorization and delegation, review authorization model best practices, and discuss integration and delegation strategies and mechanisms.