According to Forrester, “identity and threat protection are high on customers’ minds. Getting identity right is a critical part of a Microsoft 365 project and is the first place we start.” At MessageOps, organizations we talk to face many challenges related to identity and access in their organization:

  • Explosion of apps, devices, and users across and outside of the corporate network. As the organizational barriers blur between who is in your network and out of it, organizations struggle to manage identities for not only their employees but external partners, suppliers and distributors, and even end-consumers and customers or citizens.
  • Identity attacks continue to increase (Microsoft's recent research found a 300% increase in identity-related attacks last year).
  • Evolving regulations that you must comply with to protect your privacy and your customers’ privacy and security (e.g. GDPR)
  • Demands for increased productivity and IT modernization, enabled by identity (e.g. digital transformation)

Which of these are priorities for your organization? Are they competing priorities? Often the hardest part is balancing the competing priorities of reducing cost and increasing efficiency, security, and user experience. Watch our on-demand webinar to see the discussion around this topic.

Service Reliability and Availability is one of the top considerations in choosing an Identity and Access Management Solution

With Azure AD being the largest enterprise cloud identity service, the reliability and security of the service are a top priority for Microsoft. It starts with operational excellence in the cloud:

  • Physical security
  • Operational security
  • Global cloud fabric that runs our clouds (Office365, Azure) and our security services

The first element is the secure foundation of our cloud services. This is about how we operate our own cloud services, Azure, Office 365 and so forth. We have some of the world’s best physical security, with fences and barbed wire and so on to provide secured building environments and, within those buildings, secure server environments.

To provide maximum availability, we design and distribute our physical datacenters to be highly redundant, so that there are no single points of failure. We look for multiple levels of isolation, ways to elastically scale, and fine-grained, physically separate domains to minimize risk while also offering decorrelated backup authentication services.

To enter a server environment, for example, a person would have to pass through multiple physical layers and provide multiple forms of identification. They would also be scanned for metal in their pockets to make sure that they are not bringing devices in to steal information. So, there’s a great deal of physical security that we operate on behalf of all of our customers in our cloud services, and that makes it possible for our customers to really leverage the investment that we’ve made in that respect.

Operational security – One of the ways this comes to life is in our continual testing of our services, making sure that we’re finding vulnerabilities faster than the bad guys can. We have a big focus on red team, blue team exercises. If you’re not familiar with those, the idea is that we have dedicated professionals whose job it is to be on the good side but act like the bad guys—they’re constantly trying to find ways to penetrate the services, find ways that hackers might attack us so that we can shore up our defenses.

Another example of our operational excellence is around restricted access. When Microsoft employees need elevated access so that they can do maintenance on a service, or so they can investigate a customer support issue, they only have access to exactly the resources they need to access and for only exactly the amount of time that they need it. So, they have just-in-time and just-enough access to do their work, and then they get out. They don’t have any standing elevated access that allows them to view customer data.

And this is something, again, where we can make an investment at Microsoft that gets heavily leveraged because all of our customers benefit.

Lastly, customer controls are a hugely important part of this. This is something that we get asked about a lot when we talk to customers about our cloud services: what controls do I have so that I can decide how I want to manage my data and access to it? Access controls, of course, are the very foundation of it. Multi-factor authentication for the admins at customer sites who are in charge of operating Azure or Office 365 for that customer is a basic that we think is fundamental.

And finally, network and distributed denial of service protection is in place for all of these services. We do basic protection to ensure our services work reliably, and Azure customers can take advantage of additional protection at the network layer to suit their needs.

Microsoft Azure Active Directory

Microsoft Azure Active Directory provides a full-featured platform with capabilities for you to manage and secure identities for your organizations. With identity as the control plane and Azure AD, you unlock world-class security.

Azure AD can help you:

  1. Connect your workforce to any app with seamless single sign-on and secure access from any location. Increase productivity and reduce costs with automated identity processes, such as the user lifecycle, by adding new access rights when an employee joins or moves teams, and revoking them when the person leaves. The self-service portal will save you time and money in resetting passwords and setting up multi-factor authentication for your users.
  2. Protect and govern access: Safeguard user credentials using a Zero Trust approach. Zero Trust is a security model where the organization always verifies first before they trust a user or device. It requires visibility into the users and devices, a policy engine, and access management. Strong authentication (MFA) and intelligent conditional access policies in Azure AD, combined with endpoint management and security in M365 E3/E5, can give you everything you need to implement a Zero Trust approach. (more on Zero Trust here: https://cloudblogs.microsoft.com/microsoftsecure/2018/06/14/building-zero-trust-networks-with-microsoft-365/). Start with a baseline of strong two-factor auth and adaptive, risk-based conditional access.
  3. Engage with customers and partners and grow your business using user-centric tools and modern collaboration. Move your customer and partner identities to the cloud to provide better experiences and greater security. Easily invite partners to collaborate and manage their access. Personalize the user journeys for registration and sign-in to your apps and services from a web or a mobile device with our B2C solution.
  4. Accelerate adoption of your apps: As organizations move their identity systems to the cloud, you need the applications that you use and develop to integrate with that identity system. With Azure AD as your platform, developers can and should build identity-connected applications on the Azure AD and Microsoft identity ecosystem. This will enable applications that you build to be more widely adopted in your organization or, if you’re an ISV, in the enterprise.

Conditional Access + Identity Protection

What is Conditional Access? It’s critical that only the right people with the right resources on secure devices can access your data from anywhere. Microsoft Conditional Access is an intelligent policy engine built for this challenge. Its robust controls allow you to define specific conditions for how users authenticate and gain access to apps and data. You can customize and manage automated policies and get reporting on the policies applied for each sign-in.

Microsoft Conditional Access gives you the power to enforce the core principle of Zero Trust—never trust, always verify. The Zero Trust security model relies on a security policy engine to make access decisions you can enforce throughout the digital estate. Microsoft Conditional Access enables organizations to fine-tune access policies based upon contextual user, device, location, and session risk information. That gives you better control on how users access corporate resources. You can then use additional challenges such as multi-factor authentication (MFA), Terms of Use, or access restrictions to decide whether to allow, deny, or control access.

How does it work? Conditional Access takes in over 40TB of identity-related security signals—including user behavior, location, state of device, application being accessed, and the risk score of the sign-in. Using machine learning, our technology analyzes the signals and determines the appropriate policy to apply for access to a resource, such as allowing, limiting, or blocking access, or requiring additional verification measures.

For example, you might have a policy that requires MFA if the user attempts access from a new location. When the user enters their credentials, an MFA challenge such as a push notification from the Microsoft Authenticator app prompts them to prove their identity before they are granted access. These capabilities also extend to Azure. You can set Conditional Access policies to define conditions under which users can access cloud resources. Within Azure you also get access to MFA, Customer Lockbox, and role-based access control.

In today’s complex, modern work environment, Conditional Access provides protection without compromising productivity. Conditional Access with Identity Protection is the best way to secure your identities and keep the bad guys out.

What is Identity Protection? Identity Protection lets you automatically protect against identity compromise by taking advantage of cloud intelligence powered by advanced detections based on heuristics, User and Entity Behavior Analytics (UEBA), and machine learning (ML) across the Microsoft ecosystem.

How it works: Over 171TB of identity-related security signals – like user behavior, location, state of device, application being accessed, and the risk score for user and sign-in – are analyzed. Using machine learning, the signal is analyzed and the appropriate policy is enforced, such as: allow, limit, or block access, require a password reset, or request additional verification. You can create policies and apply them to your external users, including business partners that your employees collaborate with. For example, you might have a policy that requires MFA if the user is accessing from a new location. So when a user signs in from an unfamiliar location, they get an additional verification prompt before they are given access.
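The "require MFA when sign-in risk is elevated" policy that both the Conditional Access and Identity Protection sections describe, written as an added example (not code from the article, MessageOps or Microsoft) using the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module is installed, the signed-in account can write Conditional Access policies, and the break-glass account object ID is a placeholder you replace; the policy is created in report-only mode so its impact can be reviewed in the sign-in logs before it is enforced.

```powershell
# Added example: create a Conditional Access policy that uses Identity
# Protection's sign-in risk level to require MFA, starting in report-only mode.
# Assumes the Microsoft.Graph PowerShell SDK is installed and the signed-in
# account holds a role allowed to write Conditional Access policies.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholder: object ID of your emergency-access (break-glass) account.
# Always exclude it so a misconfigured policy cannot lock every admin out.
$breakGlassId = "<break-glass-account-object-id>"

$policy = @{
    displayName = "Require MFA for medium and high sign-in risk"
    # Report-only: the policy is evaluated and recorded in the sign-in logs
    # but not enforced, so you can check who it would affect before enabling it.
    state = "enabledForReportingButNotEnforced"
    conditions = @{
        users = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlassId)
        }
        applications = @{
            includeApplications = @("All")
        }
        # Sign-in risk levels computed by Identity Protection; an unfamiliar
        # sign-in location is one of the detections that raises this level.
        signInRiskLevels = @("medium", "high")
    }
    grantControls = @{
        operator = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Output "Created policy $($created.Id) in state $($created.State)"

# Read the stored policy back to confirm the conditions before promoting it.
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id |
    Select-Object DisplayName, State
```

Once the report-only results in the sign-in logs look right, switch the policy to enforced with Update-MgIdentityConditionalAccessPolicy and a body of @{ state = "enabled" }.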

Azure AD Identity Governance

Access is easy to grant but much harder to keep track of. You need to track who was given access to what resources, and revoke access in a timely manner when it is no longer needed. Controls should apply to both internal and external users.

Azure AD Identity Governance, a native part of Azure AD, allows you to protect, monitor, and audit access to critical assets. Specifically, it will help with the following scenarios:

  1. Ensure that only authorized users have access based on policies
  2. Provide employees and guest users with workflows to request access
  3. Establish regular access reviews to validate whether access is still needed
  4. Establish effective controls with time-limited access for privileged role assignments

Think about these important points as you consider how to implement your identity and access management solution:

  1. Security is only as strong as the foundation. Connect all of your access points together to maximize security effectiveness. Azure AD can connect to any cloud or web-enabled app you have. Do an audit (the MS Cloud App Discovery tool can help) and start getting more apps connected to Azure AD for optimal control and visibility.
  2. Passwords are a security risk. Strengthen your credentials by using multifactor authentication and start replacing passwords with stronger authentication methods.
  3. Use Conditional Access strengthened by Identity Protection to determine real-time user and sign-in risk, then automatically apply access policies to protect your resources.
  4. Increase visibility into identity risk and get correlated investigation and recommended actions based upon user and sign-in behavior.
  5. Finally, balance your organization’s need for security and employee productivity with the right processes and visibility. Azure AD Identity Governance provides you with capabilities to ensure that the right users have the right access to the right resources, and it allows you to protect, monitor, and audit access to critical assets while ensuring employee productivity.

Contact MessageOps to learn more about Azure Active Directory plans and Microsoft 365, which includes Azure AD Premium. We can also assist with these services and many companies can qualify for funding from Microsoft:

  • Security & Compliance Assessment
  • Advance Workload POC
  • Security POC
  • Compliance POC

For more information call 877-788-1617 or submit a request form.
