At the bottom of the cybersecurity stack, in most medium and large corporations around the world, there is an Active Directory (or many Active Directories). Though many, including Microsoft, call AD a legacy application, the number of critical applications still using it is staggering. Last month at the Hybrid Identity Protection Global 2023 conference, the consensus among participants was that AD will take 5 years at best and 15 years at worst to be removed from most organizations.
As I sit here writing this post, an email from Calm, notifications of posts from life hackers promising to make my life more Zen, and alerts about podcasts from life coaches telling me how to make my life better keep rolling in. This got me thinking: when it comes to identity protection, what would help increase resilience and make the average CISO more Zen?
In answering that question, this post could go on for many pages. So instead, here is a list for your consideration:
- Phishing-resistant MFA for Azure AD/Entra ID (no SMS and no phone calls)
- Phishing-resistant MFA for AD admins and admin functions
- Conditional Access via Azure AD/Entra ID
- PAM for AD
- PAW (managed by the Tier 0 team) to access anything important
- Passkeys supported by a phishing-resistant authenticator
- Windows Hello
- Monitor group policy for unauthorized changes
- Implement LAPS or equivalent
- Basic automated identity lifecycle management for all user, service, and computer accounts
- Monitor all the above, automate to a fault, and leverage ITDR practices to protect and defend.
According to a statistic shown by Alex Weinert, only 30% of companies have implemented MFA. This leads me to believe that, even setting MFA aside, most of the items on the above list are probably not implemented either. Most of them are not hard to implement, nor do they have much impact on organizations. Most of the impact falls on the administrators, who (let's be honest) should be on board with the changes.
Most companies would be shocked at how much one can increase resilience and mitigate risk with these simple items implemented. Have you implemented some or all of them? Do you agree or disagree? Post your comments below.