Lot's of accounts & lots of passwords = Security Breach. How to manage users identities.

I have been working with a company over the last year on trying to get them to pass a security audit. At some point I asked the question so how many identities do you have to manage? The answer was just 2; an Active Directory User and a Linux user. Hmm OK doesn't sound too bad. Within about 10 minutes that had grown to 6 usernames and passwords for every user and 5 more for some users and departments.

 

But it's not a problem because the username and password are stored by the app in question so our users don't technically need to "manage" this identity. So what happens if I my laptop needs replacing for whatever reason, what about the usernames and passwords then? Oh, ye that's a bit painful.

Almost every company in the world uses Microsoft Active Directory as a local directory service for creating and managing users and passwords. In an effort to facilitate Singel Sign On (SSO), Microsoft and others have built out applications that would essentially sync one directory with another. The net effect was that I could log into my domain, and then go to other non-trusted domains or just standalone systems and use my one application and password.

 

This all worked fine when we are just talking about the on-premises environment, or where we created VPN's to partner locations but it does not work or scale for globally dispersed public SaaS models like Office 365, SalesForce or Workday.

AAD is the cloud version of Active Directory (AD). You can install AAD in an azure subscription and have no integration with an on- premises AD or you can connect your on-premises AD to AAD. 

  • This is a multi-tenant directory
  • AD can replicate it users and groups via AD Connect
  • It offers application federation and publishing
  • It offers SSO to a multitude of cloud-based Software as a Service (SaaS) apps like Salesforce and ServiceNow. 
  • It offers a range of self-service options around areas like password reset & group management
  • Authentication can remain on premise with Active Directory Federation Services (ADFS)
  • It is regularly referred to as an identity bridge as it can act as the connector to many different services.

 

You do not need to be migrating to Exchange Online to use AAD, it can be deployed and used for;

  • SSO to cloud apps
  • Publishing internal web apps
  • MFA to cloud and on-premises resources
  • Conditional access to cloud-based SaaS apps
  • Mobile Device Management
  • Self Service password reset with write-back capabilities to on-premises AD
  • Self-Service group management
  • Advanced security reporting
  • AAD domain join for Windows 10 devices
  • Provisioning partner authentication access
  • Provisioning client based identifies 

Active Directory started out life in Windows 2000 when the world was a different place. The remote worker was a dream and work centered around the corporate office. Today we are using more cloud-based resources from ServiceNow to Workday, to Dropbox to Office 365. In a world where authentication only happened on-premises this cloud and mobile world would find it very hard to verify a user’s identity, and then keep it secure. 

AAD is the identity bridge that allows you to use a single login to access your corporate and public resources, and have the authentication request filtered through some pretty amazing behavioral profiling technologies that can apply conditional access and MFA security protection.

I recorded a YouTube Video on AAD that explores the use cases in a bit more detail.

paul keely