Your Zero Trust Strategy Depends on Active Directory Integrity
The exponential increase in remote work caused by the COVID-19 crisis has ricocheted across the IT landscape. Within a matter of days, corporate IT faced an unprecedented 180-degree turn in its client networking model. Organizations that treated remote work as a rare exception suddenly found themselves almost entirely remote. According to JPMorgan, Zoom usage is up more than 300% since before the crisis. Microsoft reports a Teams usage increase of 200% since March 16th.
As companies grapple to accommodate this suddenly remote workforce by hurriedly adopting or ramping up remote access capabilities, cloud-focused applications, and security strategies, you must not forget that these strategies depend upon the integrity of your core on-premises identity systems.
Different architectures, one identity source
Many businesses depend on a VPN access strategy for remote access, in which users are authenticated by a directory service – usually, Active Directory – and are allowed onto the corporate network. Because VPNs have scalability challenges and rely on network perimeter security, VPNs alone aren’t the answer for the modern remote worker.
A rapidly growing segment of companies has their users sign in to a web-based identity and access management service (we used to call them IDaaS – identity as a service – think Azure AD or Okta) with their corporate credentials to access SaaS apps such as Zoom or Office 365 directly through the internet. This method uses a zero-trust model where a user’s identity – not their network location – is key to gaining access to the application.
Some of these companies go further by extending this model into their on-premises networks. They deploy devices that create a software-defined perimeter between applications and the users attempting to access them. These proxy devices (for example, Azure AD Application Proxy or Symantec Secure Access Cloud) grant the user access to only the proxy-published application instead of the broad network access granted by a VPN. Because traffic is routed through the IAM service, the session can have sophisticated access controls such as device integrity, session risk, or type of client app used.
Whether you’re logging in to the corporate network with VPN or signing into a web portal to access SaaS or on-premises apps, identity assurance is crucial. VPNs rely upon an on-premises corporate identity source. Modern cloud IAM services rely on many factors such as device health, location, and behavior patterns to contribute to an identity’s assurance level. But at their core, these massive cloud services still rest on the user’s account credentials. Because most organizations use a hybrid identity model (projecting their on-premises identity to internet services), the identity source for these credentials is the keystone of the entire sophisticated architecture. And for 90% of enterprises, this identity source is Active Directory (AD).
Securing the source
We’ve established the importance of Active Directory to your security architecture. How do you ensure its integrity and the integrity of its data?
Minimize AD’s attack surface
- Implement a least-privilege administrative model and get rid of all your unnecessary administrators. This 20-year-old advice is still relevant today.
- Lock down administrative access to the AD service by implementing administrative tiering and secure administrative workstations.
- Secure AD domain controllers against attack by applying recommended policies and settings.
- Scan AD regularly for misconfigurations – accidental or malicious – that potentially expose your forest to abuse or attack.
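The checklist above can be turned into a routine, read-only scan. The following PowerShell script is an added example and is not code from the original article: it reviews the built-in privileged groups for stale or disabled administrators and service accounts, and looks for the misconfigurations that most often expose a forest (Kerberos pre-authentication disabled, empty passwords allowed, unconstrained delegation on non-DC hosts, orphaned adminCount flags). It assumes the RSAT ActiveDirectory module and an account with read access; the group list and the 90-day staleness threshold are assumptions to adjust.

```powershell
# Added example (not from the original article): read-only scan for common AD
# attack-surface findings. Assumes the RSAT ActiveDirectory module; the group
# list and $StaleLogonDays are assumptions for your environment.
#Requires -Modules ActiveDirectory
Import-Module ActiveDirectory

$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')
$StaleLogonDays   = 90

function Get-PrivilegedAccountFindings {
    # Recursive membership so a nested group cannot hide an extra administrator.
    foreach ($group in $PrivilegedGroups) {
        $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
            Where-Object objectClass -eq 'user'
        foreach ($m in $members) {
            $u = Get-ADUser -Identity $m.distinguishedName -Properties LastLogonDate, PasswordLastSet, ServicePrincipalName
            $flags = @()
            if (-not $u.Enabled) { $flags += 'disabled-but-privileged' }
            if ($u.LastLogonDate -and $u.LastLogonDate -lt (Get-Date).AddDays(-$StaleLogonDays)) { $flags += 'stale-logon' }
            if ($u.ServicePrincipalName.Count -gt 0) { $flags += 'service-account-in-admin-group' }
            [pscustomobject]@{
                Group = $group; Account = $u.SamAccountName; Enabled = $u.Enabled
                LastLogon = $u.LastLogonDate; PasswordLastSet = $u.PasswordLastSet
                Findings = ($flags -join ',')
            }
        }
    }
}

function Get-WeakAccountSettings {
    # Users that skip Kerberos pre-authentication or are allowed an empty password.
    Get-ADUser -Filter 'DoesNotRequirePreAuth -eq $true -or PasswordNotRequired -eq $true' `
               -Properties DoesNotRequirePreAuth, PasswordNotRequired |
        Select-Object SamAccountName, Enabled, DoesNotRequirePreAuth, PasswordNotRequired
}

function Get-UnconstrainedDelegationHosts {
    # Domain controllers (primary group RID 516) legitimately carry this flag; any other
    # computer with it can impersonate every user that authenticates to it.
    Get-ADComputer -Filter 'TrustedForDelegation -eq $true' -Properties TrustedForDelegation, PrimaryGroupID |
        Where-Object PrimaryGroupID -ne 516 |
        Select-Object Name, DNSHostName, PrimaryGroupID
}

function Get-OrphanedAdminCount {
    # adminCount=1 marks accounts SDProp once protected. Accounts that left the admin
    # groups keep the hardened, non-inheriting ACL, which is rarely intended.
    $current = Get-PrivilegedAccountFindings | ForEach-Object { $_.Account }
    Get-ADUser -Filter 'adminCount -eq 1' |
        Where-Object { $current -notcontains $_.SamAccountName } |
        Select-Object SamAccountName, Enabled
}

# Run every check and print a section per finding type.
$report = [ordered]@{
    PrivilegedAccounts      = Get-PrivilegedAccountFindings
    WeakAccountSettings     = Get-WeakAccountSettings
    UnconstrainedDelegation = Get-UnconstrainedDelegationHosts
    OrphanedAdminCount      = Get-OrphanedAdminCount
}
foreach ($k in $report.Keys) {
    "== $k ($(@($report[$k]).Count)) =="
    $report[$k] | Format-Table -AutoSize | Out-String
}
```

Schedule the scan and diff its output between runs; a new row in any section is the accidental or malicious change the bullet above is talking about, and the row tells you which object to review.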
Monitor AD for signs of compromise and roll back unauthorized changes
- Enable both basic and advanced auditing. You can’t know about changes to your AD if you haven’t enabled mechanisms to log the changes. Then you need to actually look at key events via a centralized console.
- Monitor object and attribute changes at the directory level. The security event log will show you most, but not all changes made to AD. For example, the DCShadow attack circumvents the event log entirely. The only way to ensure you’re aware of all activity in your AD forest is to monitor the directory changes shared across domain controllers.
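The two monitoring bullets above can be illustrated with one script. The following PowerShell is an added example and is not code from the original article: it enables the "Directory Service Changes" audit subcategory, reads the 5136/5137/5141 events it produces, and then cross-checks replication metadata, which records the originating domain controller of every attribute write even when no event was logged, so a change that came from a server that is not one of your known DCs stands out. It assumes the RSAT ActiveDirectory module and rights to read the Security log on a domain controller; the object it inspects by default (Domain Admins) is an assumption.

```powershell
# Added example (not from the original article): enable directory-change auditing,
# read the resulting events, and use replication metadata to spot writes that
# originated from a server outside the known set of domain controllers.
# Assumes the RSAT ActiveDirectory module and that it runs on (or against) a DC.
#Requires -Modules ActiveDirectory
Import-Module ActiveDirectory

function Enable-DirectoryChangeAuditing {
    # Advanced audit subcategory behind events 5136/5137/5139/5141. Set it here for
    # one DC, or through the Default Domain Controllers Policy for all of them.
    # Objects also need an auditing entry in their SACL before 5136 fires for them.
    & auditpol.exe /set /subcategory:"Directory Service Changes" /success:enable /failure:enable | Out-Null
    & auditpol.exe /get /subcategory:"Directory Service Changes"
}

function Get-RecentDirectoryChanges {
    # 5136 = attribute modified, 5137 = object created, 5141 = object deleted.
    param([int]$Hours = 24, [string]$ComputerName = $env:COMPUTERNAME)
    $filter = @{ LogName = 'Security'; Id = 5136, 5137, 5141; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($n in $xml.Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                EventId   = $_.Id
                Actor     = $data['SubjectUserName']
                Object    = $data['ObjectDN']
                Attribute = $data['AttributeLDAPDisplayName']
                Value     = $data['AttributeValue']
                Operation = $data['OperationType']   # %%14674 = value added, %%14675 = value deleted
            }
        }
}

function Find-ChangesFromUnknownDC {
    # Replication metadata names the NTDS Settings object of the DC that originated each
    # write. A write whose originator is not a known DC (often a deleted NTDS Settings DN)
    # is the footprint a DCShadow-style change leaves even though no 5136 was logged.
    # Legitimately demoted DCs show up the same way, so keep a list of those to exclude.
    param([string]$ObjectDN = (Get-ADGroup -Identity 'Domain Admins').DistinguishedName)
    $dcs      = @(Get-ADDomainController -Filter *)
    $knownDsa = $dcs | ForEach-Object { $_.NTDSSettingsObjectDN }
    Get-ADReplicationAttributeMetadata -Object $ObjectDN -Server $dcs[0].HostName -ShowAllLinkedValues |
        Where-Object { $_.LastOriginatingChangeDirectoryServerIdentity -and
                       $knownDsa -notcontains $_.LastOriginatingChangeDirectoryServerIdentity } |
        Select-Object AttributeName, AttributeValue, LastOriginatingChangeTime,
                      LastOriginatingChangeDirectoryServerIdentity, Version
}

# Typical use on a domain controller:
Enable-DirectoryChangeAuditing
Get-RecentDirectoryChanges -Hours 24 | Format-Table -AutoSize
Find-ChangesFromUnknownDC | Format-Table -AutoSize
```

The event query is what a centralized console collects; the metadata check is the directory-level view the second bullet calls for, and it is worth running against every object you consider sensitive (privileged groups, AdminSDHolder, the krbtgt account), not only the one used as the default here.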
Plan for when compromise happens – because it will
- Monitoring for undesired AD changes is important. But you must also be able to quickly roll back those undesired changes or you only have a partial solution.
- Prepare for large-scale compromise. Widespread encryption of your network, including AD, requires that you have a solid, highly automated recovery strategy that includes offline backups for all your infrastructure components.
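Rolling back an undesired change needs a known-good reference to roll back to. The following PowerShell is an added example and is not code from the original article: it snapshots the membership of the privileged groups to a file, reports drift from that snapshot, reverses the drift (with -WhatIf until you are satisfied with what it would do), and lists recently deleted objects so they can be recovered through the AD Recycle Bin. It assumes the RSAT ActiveDirectory module, that the Recycle Bin feature is already enabled in the forest, and a baseline path of your choosing; the group list and path shown are assumptions.

```powershell
# Added example (not from the original article): snapshot privileged group
# membership, detect drift, roll it back, and find recently deleted objects.
# Assumes the RSAT ActiveDirectory module and an enabled AD Recycle Bin; the
# group list and baseline path are assumptions.
#Requires -Modules ActiveDirectory
Import-Module ActiveDirectory

$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')

function Export-PrivilegedGroupBaseline {
    # Store direct membership (DNs) as JSON; keep the file somewhere the domain cannot alter.
    param([Parameter(Mandatory)][string]$Path)
    $baseline = @{}
    foreach ($g in $PrivilegedGroups) {
        $baseline[$g] = @(Get-ADGroupMember -Identity $g -ErrorAction SilentlyContinue |
                          ForEach-Object { $_.distinguishedName })
    }
    $baseline | ConvertTo-Json | Set-Content -Path $Path
}

function Compare-PrivilegedGroupBaseline {
    # One record per member added to, or removed from, a group since the snapshot.
    param([Parameter(Mandatory)][string]$Path)
    $baseline = Get-Content -Path $Path -Raw | ConvertFrom-Json
    foreach ($g in $PrivilegedGroups) {
        $expected = @($baseline.$g)
        $actual   = @(Get-ADGroupMember -Identity $g -ErrorAction SilentlyContinue |
                      ForEach-Object { $_.distinguishedName })
        foreach ($dn in $actual)   { if ($expected -notcontains $dn) { [pscustomobject]@{ Group = $g; Member = $dn; Change = 'Added' } } }
        foreach ($dn in $expected) { if ($actual   -notcontains $dn) { [pscustomobject]@{ Group = $g; Member = $dn; Change = 'Removed' } } }
    }
}

function Restore-PrivilegedGroupBaseline {
    # Reverse each drift record. Supports -WhatIf/-Confirm so you can review before acting.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Path)
    foreach ($d in Compare-PrivilegedGroupBaseline -Path $Path) {
        $target = "$($d.Member) in $($d.Group)"
        if ($d.Change -eq 'Added' -and $PSCmdlet.ShouldProcess($target, 'Remove unexpected member')) {
            Remove-ADGroupMember -Identity $d.Group -Members $d.Member -Confirm:$false
        }
        elseif ($d.Change -eq 'Removed' -and $PSCmdlet.ShouldProcess($target, 'Re-add missing member')) {
            Add-ADGroupMember -Identity $d.Group -Members $d.Member
        }
    }
}

function Get-RecentlyDeletedObjects {
    # With the Recycle Bin enabled, deleted objects keep their attributes and can be restored.
    param([int]$Hours = 24)
    Get-ADObject -Filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' -IncludeDeletedObjects `
                 -Properties whenChanged, lastKnownParent |
        Where-Object whenChanged -ge (Get-Date).AddHours(-$Hours)
}

# Usage: take the snapshot once, when you know membership is correct:
#   Export-PrivilegedGroupBaseline -Path 'C:\Baselines\privileged-groups.json'
# then run the compare on a schedule and review drift before dropping -WhatIf.
Compare-PrivilegedGroupBaseline -Path 'C:\Baselines\privileged-groups.json' | Format-Table -AutoSize
Restore-PrivilegedGroupBaseline -Path 'C:\Baselines\privileged-groups.json' -WhatIf
Get-RecentlyDeletedObjects | Format-Table Name, ObjectClass, lastKnownParent, whenChanged
# Recover selected objects with: Get-RecentlyDeletedObjects | Restore-ADObject -WhatIf
```

This covers targeted rollback of individual changes; it does not replace the offline, tested forest backups the second bullet requires, because a ransomware event that encrypts the domain controllers leaves nothing for Restore-ADObject to read.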
Though you can implement a zero-trust network in a variety of ways, its core principles are based on user identity. Whether you’re accessing your network through a VPN or signing into an identity service’s web portal, the odds are good that your identity depends upon Active Directory. Therefore, ensuring the integrity of Active Directory is foundational to your company’s security.