The Importance of Identity-Oriented Cybersecurity

Why should you re-focus your cyber defense from on-premises security to identity-oriented security? Read the article and learn how to verify your remote users and improve their access and cloud application security.

Is there a threat in the cloud?

Have you ever asked yourself why there are so many news articles describing identity theft, business email compromises, phishing campaigns, deepfakes, and so on? The reason behind this is the shift in the IT field and the introduction of the cloud.

In the past, all employees came to work in the company building where they had a computer with pre-installed applications and all resources they accessed were most frequently located in the basement of the same building. At the same time, there was also a limited number of servers exposed to the internet. Therefore, few options for threat actors to penetrate the premises of the organization. If you secured the applications opened to the internet and configured the firewalls, your business was mostly secure from cybercriminals.

In the last few years and especially in 2020, we witnessed a major shift towards the cloud. In the context of cybersecurity and threats, this caused a shift in the paradigm. Suddenly, we accessed corporate resources remotely, outside of the haven of corporate network, over the (unsecure) internet. Our identities were no longer limited to on-premises environments. We obtained cloud identities. That is why your focus as a business or security professional should also change from on-premises oriented security to identity-oriented security. The most important phrase to remember is: “Do not trust, always verify”.

Rise of the cloud identity

Let’s take a look at how we can protect these so-called cloud identities. Firstly, you should determine the user flow and identify the extended perimeter of the organization. You should think about the users working from home, from other countries, and how you can protect those remote users and perform response actions in case of a compromise.

Like on-premises identities are located in the Active Directory (AD), cloud identities are located in the cloud directory. If you are within the Microsoft ecosystem, this is called Azure Active Directory (AAD). From the security perspective, it is paramount that you always keep relevant identities in your AAD up-to-date and that you promptly remove the redundant ones. The Azure AD Identity Governance solution is perfect for this task. It allows you to manage the entire lifecycle of a user identity, from the creation to the changes and termination. It also allows you to create scheduled reviews so that cloud identities which are no longer in use can be removed in a timely manner in case you forget to remove them.

How to securely access cloud applications

Not just identities escape to the cloud. Applications do as well. This triggers the question of secure access. From the identity point of view, the most important thing is to understand the habits of identities in your Azure Active Directory. If you understand the identity patterns, you can then configure alarms that are triggered every time something does not fit the identity behavior pattern. This is achieved by the power of  cloud and can be leveraged for the security of all cloud resources, not only the applications. This and much more can be leveraged by using the Conditional Access policies, which prevents access to the cloud resources if the identity requesting access does not meet the predefined requirements. For example, you can block access to the users who have risky sign-in or risky behavior, users who are using private computers and not company owned ones, and so on.

The second group of threats comes from the applications themselves, as they can be dangerous/malicious or prohibited by the organizational policies. To address the application-level threats, you should first identify all applications that you use in your business and then address the vulnerability of each application, case by case. To do this, you need a solution that can monitor the network activity of your users, even the remote ones, and provide you with insights into which applications they are using. Microsoft enables that with the Microsoft Defender for Cloud Apps (MDCA) solution. MDCA leverages the internal firewalls, APIs, and Microsoft Defender for Endpoint (MDE) agents which are installed on all devices in the organization. MDCA allows you to permit or prohibit the use of applications found in the organization, and the MDE – if correctly configured – will block the prohibited applications. By doing so, you can greatly limit the attack surface introduced by the remote users.

Securely across the clouds

To summarize this article, remote work and travel have become a normal part of our lives and will – in my opinion – only increase in the future. That is why organizations must shift from the traditional working methods (VPN, on-premises) to the cloud-based workloads, which might at first sound unsecure, but they simplify work. They should also introduce additional security features which protect organizations in a sufficient way if configured correctly.

The transition from on-premises to hybrid or cloud-only workloads can be stressful, and newly introduced risks must be analyzed well to achieve the same level of security as before. In case you need any assistance with the transition, please turn to NIL (part of the Conscia group) and our experts will help you by taking you through the smooth transition to the cloud.

Cybersec Bites Podcast