“Identity Is the New Control Plane”
Have you ever heard the phrase “Identity is the new control plane”? Maybe you’ve heard Microsoft use it in a presentation or announcement, or via social media. Simple but somewhat obscure, this phrase refers to the mobile-first, cloud-first world, and it is important that you understand what it means—and then take action.
Stated more clearly, “Identity is the new control plane” means that traditional forms of cyber defence, such as firewalls and perimeter defences, are fairly meaningless in today’s IT environment, where boundaries are deeply blurred. Over Similarly, companies now need to rethink their defence strategies completely, including the identification of the people and devices—and the state of those devices—that attempt to access corporate data.
Identify the Data You Wish to Protect
If you have not already identified which of your data you want to protect, you need to deploy tools to help you with this, especially when it comes to unstructured data held on file shares, SharePoint sites and so on. But this is a topic for another article.
How Active Directory Can Help With Data Access Governance
Active Directory stores three key types of objects:
- User accounts, which represent identities in the Microsoft world
- Security groups, which govern access to data and applications
- Computers, which can govern how, if at all, user accounts can access resources
These types of objects are known as Security Principals, and you must take special care to manage and maintain them in order to protect your data.
The information in this post applies to Active Directory Domain Services for the following types of deployments:
- Purely on-premises
- Hybrid (on-premises and cloud-based)
- Solely cloud-based, using Infrastructure as a Service (IaaS) or Platform as a Service (PaaS)
This information does not apply to solely cloud-based deployments that use Software as a Service (SaaS), .
Data defence begins with the Security Principals (i.e. user accounts, security groups and computers) in Active Directory. In addition, you need to understand the threats you face. The days of hobbyist hackers or simple disruption of service are pretty much over (although you can’t discount them completely, as recent events in the UK have shown); criminal gangs now understand the rich pickings available from poorly secured IT environments. Cybercriminals seek to extract information and stay unnoticed in your environment for as long as possible. (Today, attackers reside inside a victim’s network for an average of 200 days before detection. And to paraphrase FBI Director James Comey in a 2014 interview on 60 Minutes, there are two kinds of big companies: those that have been hacked and those that don’t know they’ve been hacked.) Attackers tend to target accounts with administrative privilege or those that have not been used recently (also known as “stale accounts”), and once in control of these accounts, attackers try to elevate their privileges.
You may think you have watertight security measures, but you are likely to have leaks. For example, users who click links or open attachments in unsolicited emails, and employees who use their laptops away from the office in ways you don’t expect, are just two types of continuing threats that exist within your own company. You must assume that people you don’t know and people you don’t want on your network are going to try to access your data by any means possible. In fact, they may already be doing so, which means you have to be ever vigilant, using automated systems wherever possible.
The Roles of Active Directory Domain Services
In the Microsoft on premise and hybrid worlds, our user accounts and devices are stored in Active Directory. Access governance for identities is controlled via Active Directory Security group memberships which are managed on premise and replicated to Azure Active Directory. Access from our mobile devices is controlled via Intune. (Other MDM solutions are available, but none of them integrates with AD and System Center Configuration Manager (SCCM) as fully as Intune)
If your data was stored in safe deposit boxes in a strong room, you would need to have access to the strong room and possess a key to the safe deposit box in order to access it. This would be granted to you by the security staff. This is the equivalent of having a user account in Active Directory. This account is used to identify yourself (authentication) and to grant you the right to be a member of a security group governing access to the data (authorisation). The strong room security staff are equivalent to users with privileged group memberships in Active Directory. Therefore, you must carefully control who has access to the strong room (who has Active Directory user accounts) and who is given the keys to the safe deposit boxes (the members of our security groups). Most importantly, you need to insure yourself that you can trust the strong room security staff (privileged group memberships) since they have ultimate control of everything!
How to Protect Accounts
So how do you protect the contents of your safe-deposit boxes both now and into the future? The simple answer is not to hire security staff! Instead, implement just-in-time privileged account management (PAM), granting administrative access to AD only when required—and only with approval—and then for the shortest amount of time possible. This is akin to opening your safe-deposit box at a bank, because a member of the security staff must grant you access to the strong room at a specific time and for a limited period.
In addition to use of PAM, you need to strictly control access to and membership of the Active Directory administrative security groups, including Domain Admins and Enterprise Admins. Think of membership in an Active Directory administrative security group as the equivalent of working at the bank and having the master key: Not only can you walk into the strong room, but you also can open any safe-deposit box. By controlling access to and membership in security groups, you combat attackers’ attempts to elevate the privileges of accounts they have compromised.
The Role of Identity Management for Data Access Governance
Hijacking of stale accounts can lead to other problems if security group memberships that contain stale accounts can be used to access data. So you need to protect against two things here: stale accounts and outdated security group memberships. Ensure that the accounts in in your Active Directory should actually be there, and check on this regularly, in perpetuity, not just once. The easiest way to do this is to implement an identity management solution, which will allow you to synchronise your user accounts (and possibly security groups) between your HR and contractor management systems and Active Directory. Of course, you almost certainly will need to do an initial clean-up exercise.
You must show positive identification at a bank to access the strong room and your safe-deposit box. Similarly, you need to know who has access to your data and whether they are entitled to access it, and you need to verify that they are not impersonators. Furthermore, you need to keep tabs on your users’ permissions and identities, especially when employees are hired, leave or change roles.
How to Protect Group Memberships
The best way to ensure that security group memberships are properly maintained is to automate their control as part of the identity management solution. Most identity management solutions allow administrators to apply quite complex rules to membership maintenance (e.g. make a user a member of a specific group if that user is in the Accounts Department, is in the Western region and has a job title that contains “accounts receivable”). Such automation will suffice until you can implement both a role-based access control solution and a resource access request and approval solution.
Temporal Control of Objects for Data Access Governance
As an additional safeguard, you should configure all objects in your Active Directory to have an owner/manager and to be time-limited (i.e. created with a termination date). Most identity management solutions provide this functionality. When you apply this functionality for contractors, the length of their contracts defines the termination date of their access; for full-time employees, the termination date can trigger an end-of-year review; and for groups, the termination date can trigger a confirmation that the group is still required and that its membership is correct.
In addition, identity management solutions can trigger workflows, targeted at the owner/manager of an object, at set periods before the object “expires.” If the owner/manager does not take any action, the identity management solution can automatically disable the Active Directory account of a user or contractor, delete a distribution group and empty a security group membership. This is a reasonable solution until you can implement a proper attestation (or “recertification”) solution.
The Role of SIEM and Advanced Threat Analytics
Once you have taken the other steps outlined in this post, you must consider implementing a security information and event management (SIEM) solution to monitor and alert on unusual activity in your IT environment; manual checks are simply not good enough. Since Microsoft’s acquisition of Adallom as part of the Microsoft Advanced Threat Analytics initiative, the company has this covered for its cloud offerings on a global scale.
Future Data Access Governance Possibilities
The advice offered in this post will almost certainly change over the coming months and years as Microsoft’s cloud-based automation tools mature and Azure Active Directory Connect is able to connect to more data sources, such as HR systems, databases and LDAP directories, rather than just to on-premises Active Directory. For now, we advise that you use your on-premises Active Directory Domain Services to perform governance and that you synchronise changes to user accounts and group memberships to the cloud.
It makes sense at present to leverage your Active Directory Domain Services implementation as the basis for your data access governance strategy for both on-premises and cloud-based data. In this mobile-first, cloud-first world, identity truly is the new control plane, and the key to protecting it is automate security at all levels.