Moving your Microsoft environment to zero trust
Zero trust is a concept that’s easy to grasp but incredibly difficult to implement. It touches almost every system, component, application, and resource within an enterprise, and requires a strategic framework and specific tools and technologies to achieve best practice results.
As organizations move Microsoft environments towards zero trust, it’s vital to ensure that all the pieces fit together perfectly. Microsoft’s foray into passwordless authentication, including Windows Hello for Business, introduces clear benefits but also challenges. Newer technologies must integrate with legacy systems, including Windows 8 and older platforms.
How can an organization build out a zero trust environment with diverse Microsoft technologies? A modern identity management and authentication framework is at the center of everything and must integrate seamlessly with Active Directory and cloud environments like Azure.
Passwordless authentication is in play
Although Microsoft has established itself as a leader in the enterprise identity and security space with Azure AD and Windows Hello, they do not address the full spectrum of enterprise identity requirements, particularly as organizations expand beyond Windows workstation and Microsoft cloud environments.
What quickly becomes apparent is that supplemental capabilities are needed to enhance and complement Microsoft identity management and authentication tools. The goal is to fill in gaps and make the overall experience as convenient, seamless, and secure as possible for both users and security teams.
It’s no simple task. Organizations often struggle to integrate legacy support for Windows and other technologies. Other problems include trust-on-first-use challenges and related issues such as:
- Granting access without a user ID and password
- Securing non-Windows devices
- Managing passwordless functions across virtual and higher privilege environments
- Coping with end-user frustrations that may arise, for example, when there’s no way to eliminate a password in a specific application. When this occurs, there must be a way to reset a password and gain access to helpdesk support, if necessary.
Windows Hello is only the beginning
At the heart of the Windows identity management challenge is a basic fact: Not all hardware and software running in an enterprise is Windows, or even Microsoft. Consequently, it’s critical not only to support previous generations of Windows devices but also to accommodate MacOS, Unix, Linux, iOS, and Android. Some of these devices may be compatible with today’s biometrics, others not. The need to support contractors who bring their own devices but require authentication adds another layer of complexity.
Identity management must support anything and everything that can be tossed its way. Yet, this is achievable. Using a decentralized identity model (DID), an organization can deliver broad Windows ecosystem support for Active Directory, LDAP, HR systems, and physical access control systems.
In fact, through DID and cryptographic keys, an organization can bind a vetted identity to the individual using biometrics and, in the process, reduce risks like social engineering, credential theft, credential stuffing and brute force attacks.
Making identity management more manageable
Implementing distributed digital identity involves five critical steps:
- Consistent verification. It’s essential to verify a user’s identity every time an access request takes place. This is possible when a verified identity is tied to a specific account. With advanced identity management that supports WebAuthn — and numerous other protocols — an enterprise can use different authentication methods for different devices and incorporate nicknames and other variations. This includes legacy and non-federated logins.
- Secure access for privileged activities. Risk is everywhere, but users with elevated privileges represent some of the highest threats. That’s why it’s critical to secure remote machines (RDP, VDI, Citrix, Domain Controllers) and desktops with multi-factor authentication (MFA). MFA is required in most cases, and device-based biometrics like Windows Hello for Business do not work here. Special care must be taken to secure these systems with MFA that only allows verified users to initiate authentication requests. This will prevent SMS prompt-bombing attacks, like the one used in the Uber breach, from succeeding.
- Making all desktop logins passwordless. By unifying verified identity with FIDO2 authentication, it’s possible to layer on passwordless access. Suddenly, various versions of Windows — along with non-Windows devices — are equipped for passwordless. Equally important, security begins at startup and extends throughout and across sessions.
- Establishing trust on first use. With every user identity verified and confirmed, an organization can enable secure passwordless access to new devices without requiring the use of a user ID and password. Not only does this greatly simplify things for an enterprise and IT staff, but it also makes it much simpler for employees and others. A change in device doesn’t require an extensive authentication setup process.
- Incorporating passwordless multifactor authentication (MFA). Within this state-of-the-art framework, an organization can add modernized MFA to virtual and higher privilege accounts, implement passwordless access to domain controllers, and support passwordless on virtual desktops and virtual machines.
- Protect legacy technology. Interoperability with legacy systems and internally built technologies is a big step in taking security to a zero-trust level. What’s more, with the ability to support applications that require passwords and cannot be updated to modern standards, much of the complexity goes away. It’s possible to accommodate password resets without help desk support, even in remote environments.
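As an added illustration of the point above about MFA that only verified users can initiate (example code written for this article, not a product's or Microsoft's implementation), the following Python sketch enforces three defensive rules: a push prompt is issued only from a session the user has already begun, the user must type a number shown on the login screen into the authenticator so a blind "Approve" tap cannot complete an unsolicited prompt, and repeated prompts inside a short window are refused and flagged as possible prompt-bombing. The thresholds, the in-memory stores and the class and method names are assumptions.

```python
import hmac
import secrets

# Assumed policy thresholds (constructed for this example).
PROMPT_WINDOW_SECONDS = 300      # sliding window for counting prompts per user
MAX_PROMPTS_PER_WINDOW = 3       # more than this in one window looks like prompt-bombing
CHALLENGE_TTL_SECONDS = 60       # a number-matching challenge expires after this


class PushMfaPolicy:
    """Push-MFA gate: user-initiated prompts, number matching, rate limiting."""

    def __init__(self):
        self.prompt_log = {}   # user -> list of timestamps of prompts actually sent
        self.pending = {}      # challenge_id -> (user, code, issued_at)

    def request_prompt(self, user, session_verified, now):
        """Return (challenge_id, code) on success, or (None, reason) when refused.

        session_verified means the user already started this login with a
        first factor the server trusts (e.g. a FIDO2/Windows Hello assertion),
        so an attacker holding only a stolen password cannot trigger a push."""
        if not session_verified:
            return None, "rejected: prompt must be initiated by a verified user session"
        recent = [t for t in self.prompt_log.get(user, []) if now - t < PROMPT_WINDOW_SECONDS]
        self.prompt_log[user] = recent
        if len(recent) >= MAX_PROMPTS_PER_WINDOW:
            # Detection hook: repeated prompts in a short window are the
            # signature of prompt-bombing; log/alert here instead of sending.
            return None, "rejected: prompt rate exceeded (possible prompt-bombing)"
        recent.append(now)
        code = f"{secrets.randbelow(100):02d}"   # two-digit number shown on the login screen
        challenge_id = secrets.token_hex(8)
        self.pending[challenge_id] = (user, code, now)
        return challenge_id, code

    def approve(self, challenge_id, user, code_entered, now):
        """Approve a prompt only if the user typed the matching number in time.

        Each challenge is single-use: a wrong or late answer burns it, so an
        attacker cannot keep guessing against the same prompt."""
        entry = self.pending.pop(challenge_id, None)
        if entry is None:
            return False
        issued_for, code, issued_at = entry
        if issued_for != user or now - issued_at > CHALLENGE_TTL_SECONDS:
            return False
        return hmac.compare_digest(code, code_entered)
```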
As authentication processes within Microsoft environments become more complex — including a need to support remote and hybrid workers using a diverse array of devices — it’s wise to modernize identity and access management. This can trim costs, reduce frustration, improve productivity, and boost security. By tying a verified user identity to a passwordless credential it’s possible to achieve the promise of zero trust within your Microsoft environment.