It’s easy to build a perfectly secure house; just leave out all the windows and doors. Your possessions will be safe, but you won’t be able to get at them. In the same way, it would be easy to build a perfectly secure network by establishing a formidable perimeter around the sensitive resources and not letting anyone at all through it. This would be pointless, of course. Workers need access to those sensitive resources, and identities are the basis of that access. In enterprise networking, an identity is a collection of attributes uniquely describing a security principal—a specific individual and the resources they can access.
For data to be secure, the most fundamental types of protection are as follows:
- Authentication Confirming that the individuals accessing the data really are who they claim to be
- Authorization Confirming that the individuals have been granted appropriate levels of access to the data they need
Securing network users’ identities is the process of making these procedures as safe and impenetrable as they can be.
The identities of an organization’s users are a prime target for cybercriminals because stealing a user’s name and credentials enables the attacker to access everything the user knows about the company. News stories regularly report thefts of large blocks of identities from major companies, which endanger the companies’ sensitive data and their employees’ personal lives. For example,
- For employees The theft of the names, addresses, and Social Security numbers that are part of any organization’s human resources records leaves users open to credit fraud and numerous other criminal intrusions.
- For the organization Identity theft can be catastrophic in many ways, resulting in data theft, damage, or destruction that can prevent the company from doing business and cost it vast amounts of money.
Attacks attempting to steal user identities can be extremely simple or incredibly sophisticated. A major security breach for an organization can begin with a single intruder that calls an unsuspecting employee on the phone, claims to be Jack Somebody from account maintenance in the IT department, and talks the employee into disclosing their login name and password. Once the intruder has one user’s credentials, it becomes easier for them to gain others. This sort of lateral movement within the organization’s security infrastructure can be a slow and methodical process for the intruder that eventually yields access to an identity with high-level network access, leading to a major security event. This is why administrators should take pains to protect all the organization’s identities, not just the ones with elevated privileges.
In Microsoft 365, Microsoft Entra ID (formerly known as Azure Active Directory) allows administrators to create user identities, as shown in Figure 3-39, and performs the authentication and authorization processes. Entra ID is a cloud-based directory service alternative to Active Directory Domain Services (AD DS), the on-premises directory service for Windows networks since 1999. The primary objective of creating Entra ID is to service identities and authenticate and authorize cloud-based resources. This is an essential element of administering Microsoft 365.
FIGURE 3-39 Azure Active Directory in Microsoft Entra admin center
An Entra-based Active Directory implementation is necessary for Microsoft 365, even when an AD DS installation is already in place, because AD DS is limited to providing on-premises security functions. Users must access the on-premises network to sign in to their organization’s AD DS domain controllers. The only way a remote user can authenticate to the company network using AD DS is to establish a connection to an on-premises server, such as a virtual private network (VPN) connection.
Entra ID is strictly cloud-based and enables users working anywhere and with any device to sign in to the organization’s Microsoft 365 network and gain access to its services. Another advantage of a cloud-based directory service is that administrators can create identities for people outside the organization, such as partners, clients, vendors, or consultants, who need occasional or restricted access to company resources.
Note Using Entra ID with AD DS
Entra ID and Active Directory Domain Services are not mutually exclusive. For an organization with an AD DS infrastructure in place, it is possible to deploy Entra ID and create hybrid identities by synchronizing the two directory services using a tool called Azure AD Connect. For more information, see “Describe identity and access management solutions of Microsoft 365” later in this chapter.
Creating an identity in Microsoft 365 is a simple matter of supplying name values in a form like the one from the Azure Active Directory section of the Microsoft Entra admin center shown in Figure 3-40. The Microsoft 365 admin center contains a similar form that also enables the identity creator to assign product licenses, such as a Microsoft 365 license, to the user. While creating identities is a quick and easy process, securing them can be considerably more complicated.
FIGURE 3-40 Creating an Entra ID user account
Identities apply to users and devices, services, applications, or any other network entities that access protected resources. In a Microsoft 365 environment based on Zero Trust, all identities are authenticated and authorized by Azure Active Directory each time they request access to a new protected resource. Depending on the sensitivity of the requested resource, this process can also include multifactor authentication and/or the application of conditional access and least privileges policies.
Leave a Reply