Cloud identity platforms make authentication and access intuitive, but recovery is far more complex than most organizations imagine.
This session explores why AD, Entra ID and cloud IdPs cannot fully restore identity state, relationships and cloud-native objects after incidents.
Attendees will learn what actually gets damaged, and what has to be rebuilt, across tenants, SaaS integrations and MFA during identity recovery.
So I did a session here last year on Active Directory, and one of the major questions that came out of that was what you see up here. Well, I should say statements. People kept coming up to me and said, but our identity, it lives in the cloud. And I said, you know what, I probably should have talked about that. So I’m happy to be back here again this year. I’m James Ravenel. I’m a senior solutions architect at Semperis. We’re an identity resiliency and security company. We help you with pretty much everything hybrid identity. So we’re going to get into why, you know, cloud identity especially is really easy to run. Right? You guys, raise your hand if you use Entra. Are you maintaining Entra, those of you who raised your hand? Yes? Okay. So let’s get into this thing.

So today’s discussion, what we’re going to discuss, we’re going to talk about things that I hear in the field all the time. I’m a pre-sales engineer, so I talk to customers about their identity all day long. It’s so much fun. And lessons that we learn from Active Directory is the next thing that we’re going to talk about. And sorry. Hey, Mike. How can I get my appraisal up here on the screen? Oh, it’s not working here? No worries. No worries. No worries. So folks, because I don’t see that well, if you see me step off stage, it’s because I cannot see. Everybody’s okay with that, right? Don’t let the four eyes fool you, I still cannot see. We’re going to then talk about really briefly what ITDR is. We’re going to talk about core assumptions, recovery reality, and then finally what you can do in your own environments to make sure that you are protected. So, these are the things that I hear in the field all the time. This first one, in fact, I’m going to come down here. Can you all still hear me alright? Alright, good. This first thing: we are safe, we sync everything to the cloud.
I’ve heard that way more times than I’m comfortable hearing it, and it’s just a reality, right? What many of us perceive to be the case with having hybrid sync is that it’s another layer of protection, but we don’t consider all of the aspects; I’ll get into that. All of our domain controllers are in the cloud and we back up our DCs there. That’s another one. Sometimes when I ask people if they’re in a hybrid environment, they’re like, yes, but the truth is that they’re using an on-premises solution and they have virtual domain controllers for their Active Directory that are just infrastructure as a service. Right? It’s just that their DCs are virtual and they’re in a cloud. And then the scariest one, and I’m not trying to scare you, but this scares me, is when people say, well, we’re a hundred percent cloud, so we should be good to go. And yes, that’s a real quote I heard someone say many times. So that’s why I’m here talking about this stuff, because this one is probably the most vulnerable answer that you can give when we’re talking about your identity. I want to share my time on the other side of the room because they look like they want some attention over here too.

So what did we learn from recovering Active Directory? First thing is, now I’m talking about myself here, so I spent twenty-five years at Verizon; I left there in 2015. So yes, if you’re looking at me you’re probably like, this guy doesn’t know math; I’m the president of the unofficial young dinosaurs. I don’t necessarily look as old as I am, but I spent many years there as a sysadmin, and what I can tell you is that when we were deploying AD, I helped to deploy AD at Verizon, and we were coming off of Banyan VINES and Novell Networks. Raise your hand if you’ve heard of that. Wow, you’re really old. It’s true though. Right?
So we were replacing those things back then and, you know, it was just like one directory; it’s just a directory service, and so we didn’t anticipate that Active Directory would last twenty-six years. So what is the thing that, you know, is true about many of us? It’s that we were not necessarily security focused. We really had this set-it-and-forget-it mentality: as long as identity was up and working and people could log in, that is all that we really needed to do. And then we started hearing breaches and more breaches and we didn’t understand why that was the case. Well, it was because we didn’t do enough to secure AD. And, you know, understanding how to recover AD if you lost access to all of your domain controllers is also very challenging to do. Right? So it essentially became a specialized skill. Microsoft said, you know what, we’re going to create this; it’s essentially a twenty-nine-step recovery guide, it’s about a hundred and fifty pages if you print everything. You’re shaking your head, sir. Right? Because you know that it’s a very painful process and it’s all in Microsoft speak. Now, this is not a Microsoft bash, I want to say that out loud, but their documentation is also often very technical and it’s hard to make sense of some of the things that they’re telling you about. But in this guide, this line here: it’s not designed with cyber incidents in mind.

So, these are the things that we started to learn about on-prem Active Directory. The key I want you to pay attention to is that very last line on that slide that says, your data and its security is your organization’s responsibility. Have you heard of the Microsoft shared model of responsibility? Anybody in here? Right? So in that document, and I’m going to show you, it tells you what they are responsible for and what you are responsible for. Here, really quickly, the segment, the sector that Gartner created for this was ITDR; that’s what we’re discussing.
Right? Identity Threat Detection and Response. Right? And I’ll let you take a screenshot of that because all of that text is a little overwhelming for me sometimes, even on my own slide, but take a picture if you want, or later on you’ll see it in the deck. But the sector that we’re talking about is the ITDR space. Now, why are we talking about this? Well, identity recovery is not easy. It’s actually very challenging, whether you’re doing it for your on-prem AD or you’re doing it in a hybrid environment. There are a lot of little nuanced steps that you must know how to do. They have to be done in a specific order if you want to be successful in bringing your identity back. So why do I keep talking about bringing your identity back? We’re here at a cyber security conference, and what do we talk about all day? Threats. Right? And identity being really the king, the keys to your castle, if it is compromised, what do you do? Right? Most of the things that you rely on are not going to work if your identity is down. And those of you that were here last year, you heard me talk about that: it starts with AD and then it goes into all of these little... someone came up to me earlier and they were asking me about SAP. I don’t see him in here, but that’s like a micro identity service, right? You’re still getting your feed typically from AD, or you’re sending information from, like, your HR systems, you’re sending that data into AD. But AD is not eliminated from this. So then when you start talking about moving into the cloud, you’ll find that you lose some additional protections.

So the core assumption here, right, you heard me talk about it earlier: backing up domain controllers is all we need to recover Active Directory. Have any of you ever lost a domain controller? You said it sucks, right? And because you think, oh wow, I can just recover from that backup and then you’re good to go.
But who’s the authoritative source at that point? When that DC’s down, what happens to replication? All of these little things that you have to consider. Syncing from on-prem to a cloud IDP is a backup for your on-prem. I hope none of you believe that, but it is what a lot of people do assume. And then, my cloud IDP provider will recover my data. Right? That’s the appropriate response that I wanted, that chuckle, right, because you learn really quickly; again, we talked about the shared model. The reality is that your backup, even if you do all the backup, that’s also not the same as recoverability. It’s not enough to just say, well, I backed up my DCs. It’s not enough to say that I backed up my cloud data even. How do you make sure that it comes back in a way that is usable and trustable?

Microsoft shared responsibility model. I’m just going to walk over here because I don’t know how clear this is for you. If you can see it clearly and you want to take a screenshot, please take a picture of it, please do. But right over here, this says your responsibilities: responsibility always retained by the customer, right? Information and data, devices, mobile and PCs, accounts and identities. You see that? Right? Whether it’s on-prem, infrastructure as a service, I forgot what PaaS means, and software as a service, in each of those cases, your accounts and identities are whose responsibility? Yours. It’s never their responsibility. Now, they may help you get some of it back if pressed, right? But it’s ultimately your role as a customer, as you see here; it’s your job to make sure that your data is secure.

So your identity is like a wedding cake. And here I say what recovering data in your IDP looks like. So when I’m talking about your IDP, I’m referring right now to Entra ID. Many of you are using a hybrid environment using Entra; it could be Okta, right?
Let’s think about this as if you’re at a wedding, and I don’t know about you all, but I always get nervous at a wedding reception when the cake is being rolled out, especially when it was my wedding. I’m since divorced, but during my wedding, as the cake was being rolled out, I said, please don’t drop that cake. Why? Why am I worried about the cake dropping? Right? It’s an important part of the wedding, and if it falls, it’s not a thing that I could just say, okay, well, I have another one. Right? It’s something that took time to prepare. Right? They had all the ingredients, and then the cake was made, and then it was rolled out and was decorated and got the love thing on the top of it. So yay, pretty cake on the floor now. So if this is your identity, think about that. Right? What happens if your identity falls over? A threat actor gets in, especially if you’re talking about having it in a hybrid environment, being in your Entra. If I delete a user in Entra, let’s say that user has Office 365 as well, can I just recreate that user and then they’re automatically connected? Anyone know? What was that? They have a new SID. Sir, you deserve a prize for that answer, because that is the key thesis to this discussion. If I just simply said, you know what? That cake has fallen over and now you call me, I’m Microsoft, your cake is on the ground and I’m Microsoft, and you say, hey, I want my cake back. And I say, hey, no worries. I’m gonna get you the ingredients. And I roll out the ingredients and put it on the table and I say, here you go. You wanna eat that? You don’t wanna eat just raw eggs and milk and, well, maybe the milk, but the flour. That’s not going to get you back to where you were before the cake fell over. So think about that analogy as we go through this next part.

So let’s think about the identity blast radius. Something happens and your identity source... are we good? Okay.
The identity source, identity platform, right, maybe if you’re talking your cloud, right, we’re talking your Entra ID, well, maybe all of your identity was being synced up to the cloud. That’s fine. But what about your MFA, your conditional access policies, your applications and roles that you built so that those identities can be used for all the applications, all the things that you do on a daily basis? What happens if something gets corrupted there? Have any of you ever built a conditional access policy? Was it fun? How long did it take you? Ten minutes? Longer? Longer. Right? Do you have a lot of them or do you just have one? You have a lot. You ever delete one accidentally? Yes. Did you have to rebuild it? Yes. Did it go into a recycle bin? No. Okay. Now I believe Microsoft has enabled, in their new backup and recovery for Entra, the ability for a conditional access policy to now go into the recycle bin. Sometimes people don’t notice that something might have been deleted. So at least you get thirty days now. But if I was a threat actor inside of your Entra, do you think I’m going to be nice? What’s your name? Bridget, I would be nice to you, Bridget. Could you smile nicely at me? But what’s your name? Ward. I don’t know Ward. I might have to be mean to you because I was nice to Bridget. Right? So if I’m the threat actor that’s in your identity now, I wanna make your life a living HE-double-hockey-sticks. Right? And so I’m gonna start deleting stuff, and not just a soft delete. I’m gonna hard delete it. And now you say, well, that’s alright. I got the documentation. I’m just gonna rebuild it. But what did you say back here? Where are you again? I gave someone points over here. And you said the object ID changes, right, on things. The critical relationship, just like when you’re making a cake. Right? It’s not enough to just have the ingredients.
These things have to relate to each other; they already relate to each other, and they relate by unique IDs. In this case, it’s simply the object ID. So if you have lost your MFA or your policies through some type of hard deletion, if you lose your applications or your app registrations, you know what else goes with that. Right? All the API permissions that you had. And I’m seeing some anguish in some of your faces because you’re like, I don’t remember what API permissions I’ve put on the fifteen hundred apps that I have in my environment. Or, like last week I had a guy, a small company, they said they had three hundred, three thousand applications, and he was freaked out at the idea of having to rebuild any of that. Right? Your roles, all of these things that have relationships to each other, they start typically with that unique ID. In Active Directory, it’s the what? It’s like the SID or, I forget the other one. But somebody, you guys know what I’m talking about. And then, so if all of that is not working, this is all, you see like the little arrows that I have, each of these is a breakdown that affects upstream. And then eventually, once you get to things like your SaaS and M365, now the business starts to feel it. And I don’t know who’s responsible for what here, but I do know that no one in here wants to get a call from their C-suite saying, why the heck is everything offline right now? Why are we not in business? And it’s because of things that happen throughout this process.

So, I want to talk about critical cloud-native objects. How am I doing on time? Good? Ten minutes. Ten minutes. Alright. Critical cloud-native objects: your applications and service principals, your conditional access and authorization policies, your MFA registration and roles. These are things that even if you were syncing from on-prem, you’ve created these natively in your Entra ID. Right? So how are you securing those?
How do you make certain that if something gets hard deleted, keeping in mind that the hard deletion is like the cake on the floor... There’s something unique, and it’s, like I said, the object ID that allows them to be connected to each other. So, I say it’s a cold, hard delete world. How do you recover from a hard deletion of your users, your groups, your roles, your CA policies, your service principals and applications? Do you have something that does that now in your environment? And you don’t have to tell me, but if you’re feeling any angst over that question, then you need a solution. And I’ll tell you that Microsoft’s Entra ID backup and recovery is a start, because there are some things that already have essentially the recycle bin. But a threat actor getting in already knows that, and they’re not going to make it easy for you; they’re going to start hard deleting things. So you need to be able to get your cake back. Maybe your cake is not going to be an exact replica. Right? You saw on the cake it had the little love sign on the top. It was cute. It was eight minutes. It had the little love sign on the top. It had some decorations. So maybe you don’t have the decorations. Right? Back when I was in high school we used to learn Pascal programming, and my professor would always say, make it work, then make it pretty. So maybe you don’t get the exact... you remember that, right? You may not get the exact cake back, but is your business able to function with what you are able to recover? And right now, especially those of you who are responsible for on-prem AD and your hybrid environment, if you do not have an answer to this question on what you do, knowing that this is literally your data... These things are the data that Microsoft says you are responsible for. If you don’t have an answer, you must find an answer.
You can come talk to us later, but you definitely need to have something that allows you to get back in business, not later but sooner. So just without going too deep into this, your object IDs, service principals, permissions and secrets, you know, those are the types of things that disappear when you have a hard deletion. And so that I level set: hard deletion, what I mean by that is that you have deleted an object, whatever it is, from your IDP. In this case I’m talking about Entra ID. And then, if that is an object that can go into the deleted objects folder or whatever, you know, they have different names depending on where you are in Entra ID. But essentially, yes, it’s like your recycle bin. You know on your computer you have a recycle bin, and then you go in there and when you know that you’re done with it, you say delete these things from the recycle bin. So when I’m talking about a hard delete, that’s what I’m referring to. And the Microsoft backup and recovery for Entra ID, it will only help you with soft deletions. Anything that is hard deleted is just gone. And things like enterprise apps, if that is deleted, you may not realize that it’s still there if you don’t use their PowerShell module. It just looks like it’s gone. So if you know PowerShell and you know those commands, you can recover, like, an enterprise app, but if you don’t know that, you may be blind to the fact that it’s still there and could be recovered. So solutions that can look at both a recycle bin and also what is hard deleted, and be able to recover it no matter what, is a good idea to have. But the key here is I show you the relationships between users, apps, policies, roles and your GUID, or object GUID; that’s the word I was looking for earlier.
Your GUID, object ID, you know, when that changes it breaks the dependencies, because if you have a user, its roles and its apps and whatever it’s permitted to do, its groups, all of those things are based on that object ID. So now that’s gone, you can recreate the same name, but it won’t reassign them to what they were in before because it thinks it’s a new thing. So by that happening, you... five minutes, four minutes... when that happens, it makes you more insecure, because you now are responsible for remembering what the heck you had before when you’re trying to recover them.

So I want to be clear: your identity platforms are just control planes. Even Entra ID, it’s a control plane. It’s not a backup, and more importantly not a recovery solution. It’s just there to help you do things like authentication, policy enforcement, right? It’s built for that. It’s not designed for rolling back to a previous state. So when you are, you know, going through your normal operations on an identity, if you make a mistake, you’re lucky that they’ve built something in there that can help you. The recycle bin, right? You’re lucky that they built something in there. But that’s not really what they were built for. They were never intending to build that stuff out initially. Customers complaining that, hey, I want another way to resolve this, is what led to that type of innovation. Right, so they guarantee the uptime of the present, not recovery of the past.

Now, what can you do? So, the first thing I would say to you is that it’s really important that you implement some type of... and again, I want to be clear that I’m talking about Entra ID, but if you have a hybrid environment where you’re looking at AD, you should have something for that as well. But you should have something that you know you can trust for hard deleted objects, right?
You need a solution for that, unless you are just a magician and know how to, you know, recreate things that have been hard deleted. But just think about the time and how things scale; if you delete... two minutes. If you delete one conditional access policy, just think about how long that takes to recreate and then having to scale it across your entire organization. Protect your highest impact objects first. So, you know, those groups that you consider privileged, or like maybe your C-suite or your own team, right, you want to do what you can to make sure that you protect those. For hybrid identities, maybe you’re able to restore from your source of authority; if AD is your source of authority and you’re concerned about your Entra, maybe you can recover from there first and then have some workflows around how to rehydrate or repopulate everything. Reduce the chance of hard deletions, right? You want to tighten your admin permissions, use just-in-time approval before people are doing things in that environment, right? And then, more importantly, and I said this to you last year, those of you here, and I’m going to say it to all of you: you have to test this stuff. You should be testing regularly your ability to recover your environment. So I think I’m just about done. Yep. I finished. He didn’t have to give me the sign in the back. And so let’s keep in touch. You can come by our table when you come into the room over there; we’re all the way in the back near the windows. And you can visit us at semperis.com to find out how we can help you. And you can keep in touch with me on LinkedIn. It has been a pleasure. Thank you once again for welcoming me, and I look forward to talking to you all soon.
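As an added example (not part of the talk, and not Semperis tooling): a Microsoft Graph PowerShell check that inventories the users, groups, applications and service principals still sitting soft-deleted in the Entra ID recycle bin, flags how many of the 30 retention days remain before each becomes a hard delete, and restores a chosen object by its original object ID so the role, group and app assignments that reference that ID resolve again instead of dangling. It assumes the Microsoft.Graph PowerShell SDK is installed and the signed-in account holds the Directory.ReadWrite.All scope; the object ID at the end is a placeholder.

```powershell
# Added example: inventory the Entra ID recycle bin and restore by original object ID.
# Assumes the Microsoft.Graph PowerShell SDK (Microsoft.Graph.Identity.DirectoryManagement)
# and a signed-in account holding Directory.ReadWrite.All (assumption; trim to least privilege).
Connect-MgGraph -Scopes "Directory.ReadWrite.All"

$RetentionDays = 30   # soft-deleted directory objects are purged after 30 days

function Get-SoftDeletedInventory {
    # One query per object type; each cmdlet returns only objects that are still restorable.
    $sets = @{
        User             = { Get-MgDirectoryDeletedItemAsUser -All }
        Group            = { Get-MgDirectoryDeletedItemAsGroup -All }
        Application      = { Get-MgDirectoryDeletedItemAsApplication -All }
        ServicePrincipal = { Get-MgDirectoryDeletedItemAsServicePrincipal -All }
    }
    foreach ($type in $sets.Keys) {
        foreach ($obj in (& $sets[$type])) {
            $deleted  = [datetime]$obj.DeletedDateTime
            $daysLeft = $RetentionDays - [int]((Get-Date).ToUniversalTime() - $deleted).TotalDays
            [pscustomobject]@{
                Type        = $type
                ObjectId    = $obj.Id            # the original GUID; a restore keeps it
                DisplayName = $obj.DisplayName
                DeletedUtc  = $deleted
                DaysLeft    = $daysLeft
                Urgent      = ($daysLeft -le 7)  # about to become an unrecoverable hard delete
            }
        }
    }
}

function Restore-SoftDeletedObject {
    param([Parameter(Mandatory)][string]$ObjectId)
    # Restore re-attaches the same object ID, so group memberships, directory role
    # assignments and app role assignments that point at it resolve again.
    # Recreating the object by display name would mint a new GUID and leave them broken.
    Restore-MgDirectoryDeletedItem -DirectoryObjectId $ObjectId
}

# Report, most urgent first, then restore one object (placeholder ID: replace with a real one).
Get-SoftDeletedInventory | Sort-Object DaysLeft | Format-Table Type, DisplayName, DaysLeft, ObjectId
# Restore-SoftDeletedObject -ObjectId "00000000-0000-0000-0000-000000000000"
```

The check covers only the four directory object types these cmdlets expose; conditional access policies and anything already hard deleted will not appear, which is exactly the gap the talk says needs a separate recovery plan.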
