Upload: trinhtram

Post on 29-Aug-2018


Identity: driving Enterprise Mobility and Security

Hi, my name is Anthony Van Den Bossche, Technical Consultant.

Data breaches focussed around Identity

On premise security measures

Off premise security measures

Lots of demos!

Data breaches focussed around Identity

• In 2016 around 1093 major data breaches were identified!
▶ Highest number since 2005 (when measuring started)
▶ Mainly focussed around identities instead of hardware
▶ A large number, however, go unreported

• What we have now is insufficient; security needs to be redesigned
▶ Password policies, auditing, DMZ usage, privileged access, de-provisioning and many, many more!

• Need for security precautions is larger than ever, on and off premise

Data breaches
63% of confirmed data breaches involve weak, default, or stolen passwords.

IT budget growth
Gartner predicts global IT spend will grow only 0.6% in 2016.

Shadow IT
More than 80 percent of users admit to using non-approved software as a service (SaaS) applications in their jobs.

On-premises security precautions
New AD on-prem capabilities

Just Enough Administration + Demo
Privileged Account Management
ADFS 4.0

Active Directory Domain Services Features
New in Server 2016: Just Enough Administration

• Reduces risk by limiting administrator exposure
• Classic RBAC features are insufficient
▶ Rights needed: Domain Admin!
▶ No thorough auditing of executed tasks

• With JEA, users can:
▶ Perform only the tasks that they need to perform, without local admin
▶ Nothing more, nothing less

• Leverages PowerShell Remoting (WSMan)
• PowerShell knowledge is a requirement
• Only specific cmdlets are available
▶ To be stipulated in a Role Capability file
▶ The user connects to a Session Configuration with the associated capabilities

• External commands can be used as well
▶ Executables located in the PATH variable

Just Enough Administration Demo
Azure Virtual Machine, Windows Server 2016 Domain Controller
Role Capability: DNS Admin
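As an added illustration of the demo setup described above (not the presenter's own demo code), the following PowerShell builds a Role Capability file for a DNS admin role and registers the JEA session configuration that exposes it. The group name CONTOSO\DnsAdmins, the module path, the zone name and the endpoint name are assumptions.

```powershell
# Added example, not from the talk. A role capability file must live in a
# RoleCapabilities folder inside a module under the PowerShell module path.
$modulePath = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\JeaDnsAdmin'
New-Item -ItemType Directory -Path (Join-Path $modulePath 'RoleCapabilities') -Force | Out-Null
New-ModuleManifest -Path (Join-Path $modulePath 'JeaDnsAdmin.psd1')

# Whitelist: only these cmdlets are visible in the session. Add-DnsServerResourceRecordA
# is further limited to the listed parameters and to one zone (assumed name).
# External executables are allowed only when listed explicitly.
New-PSRoleCapabilityFile -Path (Join-Path $modulePath 'RoleCapabilities\DnsAdmin.psrc') `
    -ModulesToImport 'DnsServer' `
    -VisibleCmdlets @(
        'Get-DnsServerZone',
        'Get-DnsServerResourceRecord',
        @{ Name       = 'Add-DnsServerResourceRecordA'
           Parameters = @{ Name = 'ZoneName'; ValidatePattern = '^corp\.contoso\.com$' },
                        @{ Name = 'Name' },
                        @{ Name = 'IPv4Address' } }
    ) `
    -VisibleExternalCommands 'C:\Windows\System32\nslookup.exe'

# Session configuration: a restricted endpoint that runs as a temporary virtual
# account (the connecting user needs no local admin rights) and transcribes
# every session so that executed tasks are audited.
$sessionFile = Join-Path $env:TEMP 'DnsAdmin.pssc'
New-PSSessionConfigurationFile -Path $sessionFile `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\JeaTranscripts' `
    -RoleDefinitions @{ 'CONTOSO\DnsAdmins' = @{ RoleCapabilities = 'DnsAdmin' } }
Test-PSSessionConfigurationFile -Path $sessionFile
Register-PSSessionConfiguration -Name 'DnsAdmin' -Path $sessionFile -Force

# A member of CONTOSO\DnsAdmins then connects over PowerShell Remoting (WSMan)
# and Get-Command shows only the whitelisted cmdlets plus JEA's few built-ins:
#   Enter-PSSession -ComputerName dc01 -ConfigurationName DnsAdmin
```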

Active Directory Domain Services Features
New in Server 2016: Privileged Account Management

• Key goal: reduce the malicious attack surface
• Time-limited group memberships
• Separate bastion forest with shadow principals
• Request access through PAM (MIM, REST, PoSh)
• Policies decide whether access should be granted
▶ Multifactor Authentication is also enforced to prove identity

• Access is granted for a configured, limited amount of time (JIT)
• MIM included in EMS E3 licenses
• Auditing of performed actions
• Use cases: time-based access to servers, application admins…
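The time-limited group membership behind the JIT access described above, as an added example that is not part of the talk. It uses the Windows Server 2016 expiring-links feature directly (the same mechanism MIM PAM uses in the bastion forest); the forest name contoso.com, the group DnsAdmins and the user jdoe are assumptions.

```powershell
# Added example, not the presenter's code. Assumes the ActiveDirectory module
# and a forest at the Windows Server 2016 functional level.
Import-Module ActiveDirectory

# One-time, irreversible forest change: enables expiring links (membership TTL).
Enable-ADOptionalFeature -Identity 'Privileged Access Management Feature' `
    -Scope ForestOrConfigurationSet -Target 'contoso.com'

# Grant the rights for one hour only. The membership is removed automatically
# when the TTL expires, and the KDC caps the user's Kerberos ticket lifetime
# to the remaining TTL, so the elevated access really ends at that time.
Add-ADGroupMember -Identity 'DnsAdmins' -Members 'jdoe' `
    -MemberTimeToLive (New-TimeSpan -Hours 1)

# Auditing view: lists each member with its remaining TTL in seconds, e.g.
# an entry of the form <TTL=3540,CN=jdoe,...> for the membership just granted.
Get-ADGroup -Identity 'DnsAdmins' -Properties member -ShowMemberTimeToLive |
    Select-Object -ExpandProperty member
```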

Active Directory Federation Services
Server 2016 Features

• Rolling OS upgrades
• No passwords in the DMZ, MFA only!
• Password-less access from compliant devices
• Logon through biometrics
• Better support for Modern Authentication
• Access Control Policies
• Non-AD LDAP stores!
• Customize the sign-in experience for AD FS applications
• Streamlined auditing for easier administrative management
• Simplified password management for federated O365 users

Off-premises security precautions
Azure Active Directory

What is it?
Identity Protection
Multifactor Authentication
Self Service Password Reset
Application Proxy

What is Azure Active Directory?

• Multi-tenant, cloud-based directory
• Identity bridge between on-prem AD and applications
▶ SaaS applications
▶ Internal applications

• Numerous cloud-driven features
▶ Multifactor authentication
▶ Self-service groups, applications, password reset/change/unlock
▶ Application Proxy
▶ Partner collaboration
▶ Many more

• Not the same as Active Directory Domain Services
• Management with Azure Portals, REST, PoSh

Azure AD is not the same as ADDS

• Azure AD can be an extension of ADDS = Identity Bridge
• ADDS: Kerberos, LDAP, Global Catalog, NTLM
• AAD: Web Services (SOAP), PoSh, REST, …

[Slide diagram: Azure Active Directory vs. On-premises Active Directory]
On-premises Active Directory objects: User, Group Policy, Organizational Unit, Print Queue, Computer. Protocols: LDAP, Kerberos, Global Catalog, NTLM.
Azure Active Directory editions: Free, Basic, Premium (P1 | P2). Protocols: Web Services (SOAP, JAVA), REST, PoSh, SQL, LDAPv3.

Identity as the core of Enterprise Mobility – the “Identity Bridge”

[Slide diagram: on-premises Windows Server Active Directory and other directories are joined by a simple connection to the cloud Microsoft Azure Active Directory, which provides single sign-on and self-service for SaaS, Azure and public cloud applications.]

Azure AD Identity Protection
Detecting and mitigating potential vulnerabilities

• Detects potential vulnerabilities affecting your organization’s identities
▶ MFA is not enforced
▶ Too many Global Admins in the O365 tenant (PIM)

• Detects user risk levels based on machine learning
▶ Sign-in patterns: anonymous IPs, atypical locations, leaked credentials…

• Policies take instantaneous and appropriate action to resolve them
▶ Require MFA to prove identity
▶ Initiate password reset
▶ Block access

• Notifications to end users and admins

Identity Protection Demo
Trial Azure AD Premium tenant

Multifactor Authentication Demo
Self Service Password Reset Demo

Azure AD Application Proxy
No need for a DMZ!

• Publish applications outside of your corporate network without a DMZ
• Connector(s) installed on the network where the application resides
• Authentication methods:
▶ Pre-authentication (optionally with Kerberos Constrained Delegation)
▶ Pass-through

• Conditional access
• Leverages the security mechanisms existing in Azure AD
▶ Pre-authentication of users with known credentials
▶ Identity Protection capabilities
▶ Multi Factor Authentication

• Leverage ADFS for claims-based applications

Azure AD Application Proxy – Scenarios
Scenario 1: Pass-through authentication

[Slide diagram: the external endpoint for the application, reachable from the Internet, is served by the Azure AD Application Proxy in Azure; the Azure AD Application Proxy connector on-premises forwards the traffic to App1, published as "app1 with passthrough".]

Azure AD Application Proxy – Scenarios
Scenario 2: Pre-authentication: authentication to Azure AD

[Slide diagram: the user first authenticates at the Azure AD endpoint for authentication; the Azure AD Application Proxy in Azure then relays the request over the Internet to the on-premises Azure AD Application Proxy connector, which forwards it to App1, published as "app1 with preauth". On-premises AD can optionally be synced to Azure AD.]

Azure AD Application Proxy – Scenarios
Scenario 3: Pre-authentication with KCD

[Slide diagram: as in Scenario 2, the user pre-authenticates at the Azure AD endpoint for authentication and the request is relayed through the Azure AD Application Proxy to the on-premises connector. The connector then uses Kerberos Constrained Delegation (KCD) against the on-premises KDC to obtain a Kerberos token, which is injected into the request header, so App1 sees a regular Kerberos authentication. On-premises AD can optionally be synced to Azure AD; App1 is published as "app1 with preauth".]

Azure AD Application Proxy – Scenarios
Scenario 4: Pre-authentication with AAD and ADFS

[Slide diagram: after pre-authentication at the Azure AD endpoint for authentication, the AAD App Proxy relays the request through the on-premises connector to App1, a claims-aware application. An on-premises Security Token Service (ADFS) with a trust to Azure AD issues the claims; on-premises AD can optionally be synced to Azure AD, and App1 is published as "app1 with preauth".]

Azure AD Application Proxy Demo
Pass-through / pre-authentication
How to set it up
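One way to set up the published application from the scenarios above, as an added example that is not the presenter's demo script. It publishes App1 with Azure AD pre-authentication and Kerberos Constrained Delegation (Scenario 3), and shows where the pass-through choice of Scenario 1 differs. It assumes the AzureAD PowerShell module, a connector already installed on host CONNECTOR01, the internal name app1.corp.contoso.com and the tenant name contoso.

```powershell
# Added example, not from the talk. Run the Azure AD part from any admin
# workstation and the ActiveDirectory part on-premises as a domain admin.
Connect-AzureAD

# 1. Publish the app. ExternalAuthenticationType selects the scenario:
#    'Passthru'              = Scenario 1: every request reaches the app unauthenticated,
#                              so the app itself must handle authentication.
#    'AadPreAuthentication'  = Scenario 2/3: Azure AD (with Conditional Access,
#                              Identity Protection and MFA) gates the request
#                              before it is ever forwarded to the connector.
$app = New-AzureADApplicationProxyApplication -DisplayName 'App1' `
    -ExternalUrl 'https://app1-contoso.msappproxy.net/' `
    -InternalUrl 'http://app1.corp.contoso.com/' `
    -ExternalAuthenticationType AadPreAuthentication

# 2. Scenario 3 only: let the connector perform KCD. After pre-authentication it
#    obtains a Kerberos ticket for the signed-in user's on-premises UPN and
#    injects it into the request header sent to App1.
Set-AzureADApplicationProxyApplicationSingleSignOn -ObjectId $app.ObjectId `
    -SingleSignOnMode OnPremisesKerberos `
    -KerberosInternalApplicationServicePrincipalName 'HTTP/app1.corp.contoso.com' `
    -KerberosDelegatedLoginIdentity OnPremisesUserPrincipalName

# 3. On-premises: constrain the delegation to the connector's computer account
#    and to this one SPN. Protocol transition is required because the user never
#    presents a Kerberos ticket to the connector; Azure AD did the authentication.
Import-Module ActiveDirectory
Set-ADComputer -Identity 'CONNECTOR01' `
    -Add @{ 'msDS-AllowedToDelegateTo' = 'HTTP/app1.corp.contoso.com' }
Set-ADAccountControl -Identity 'CONNECTOR01$' -TrustedToAuthForDelegation $true
```

Keeping the delegation list limited to the application SPNs the connector actually publishes is what makes the connector account a small target if the host is ever compromised.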

Q&A