Why is Directory Federation so critical to business?
Paul Colmer
As a Certified Cloud Security Professional (CCSP), one of the most common cloud services that I encounter across both the consumer and business worlds is the Microsoft Office 365 suite of services. It is classed as a Software-as-a-Service and it provides a graphically driven user-interface that enables businesses to send emails, collaborate, create and share intellectual property both within their organisation and with their key external partners. Here is a quick overview of the services.
Now, if you've happily signed up to a simple home plan, you'll likely only have access to the Office Pro Plus Apps, which we have all known and loved for years. Apps such as Excel, PowerPoint, Word etc… But if you're running a business with say 100+ users, you'll probably already using the Office 365 Enterprise E1 subscription, which includes the Pro Plus Apps, plus the suite of cloud services. These cloud services will likely include Email, Contacts, SharePoint and many others, including Azure Active Directory.
The diagram below shows a screenshot of a lesser known service called Delve:
This is a great illustration of how Microsoft is innovating by allowing users to intuitively view and find data that they have access to, that may have been shared by colleagues. The Active Directory federation keeps all the data in a single synchronised entity , which allows services such as Delve to work efficiently and present a single source of truth to the end-user.
This means if you're using an existing on-premise Active Directory service, with your servers housed in a data centre, or possibly in your small office, and are now using Office 365 services, you now have two Active Directories to worry about. This means your users are already logging into your company Active Directory to gain access to their files in your office, and then having to login again to gain access to the Office 365 resources.
This is where directory federation, in this case Active Directory federation, adds huge value to end-users. By federating the two Active Directories together, you create a single logical security entity that provides huge user-experience benefits:
- Users only need to sign-in once and they can access resources that reside on the company on-premise servers as well as the Office 365 services and resources in the cloud.
- All the contact information that is stored in your on-premise directory is replicated to the cloud and kept in sync, so there is still only a single source of truth for information.
- Because you have integrated not only Office 365 services, but also Microsoft Azure services, you now open up the entire Azure platform for end-user business development enablement.
This diagram below shows some of the complexity of the federation process, which is hidden from the end-user:
For example if you now wish to add Multi-Factor authentication (MFA) as a second security step when users are logging in, it is straight forward to integrate the Azure MFA with your Azure Active Directory, resulting in a 2nd step in the process that requires users to click accept on the Azure MFA app on their phones. The Azure MFA is easy to download and install and simply requires the user to establish their identity, the first time they use it.
More information on using Azure Active Directory Connect to join your two Active Directories can be found here.
More detailed information on using and configuring Azure Active Directory can be found here.
And more detailed information on using and configuring Azure Multi-Factor Authentication can be found here.
This security measure ensures that if a user's laptop or table device is lost or stolen and they have saved their passwords in the browser, a malicious actor is unable to login as that person. By having a second factor that requires interaction on another separate device, you completely avoid this risk.
The next step is then to ensure your company has some really cool and fun security awareness training for end-users to further strengthen our security posture. We could do this over a half a day, involving role play and introduce some simply gaming techniques to make it fun and test how well everyone is doing. Items that we should cover include:
- Keep your main laptop / tablet in separate locations from your phone, to reduce the risk of them being stolen together. For example, keep your phone in your pocket and store your laptop in a case.
- Only install Azure MFA on your phone and never use the phone to login to Office 365.
- You can use OneDrive for Business on your phone, as the credentials are not cached on the phone, but make sure that you secure your phone with a complex password, so that if your phone is stolen it is much harder to crack the phone and view the OneDrive data.
- Use complex passwords for your Office 365 login, using a combination of letters, numbers and symbols.
- Check that BitLocker encryption is enabled on all your Windows 10 devices, to make it very difficult for a malicious actor to steal the cached data, in the event the device is lost or stolen.
- Notify your company immediately if your phone is lost or stolen. Your access to OneDrive for Business can be disabled through Active Directory, or your password can be reset immediately.
- Enrol your mobile phone with Apple, Google or a reputable 3rd party from the app store, so that you can track, disable and delete data on your device in the event that it is lost or stolen.
The diagram below shows how the OneDrive for Business service is actually a SharePoint Online instance running in Office 365, which explains why OneDrive contains features relating to information rights management:
You can see that security of the physical mobile phones is now becoming critical, which is where products such as Microsoft InTune or VMware AirWatch can help companies manage and track mobile phone device security. This is known as Mobile Device Management or MDM.
VMware AirWatch also allows you to control the deployment of apps, from public app stores integrated to a private business app store. The level of control and the ease with which end-users can choose corporate apps, allows businesses to step up their end-user experience, whilst strengthening their security posture.
The key with implementing strong security controls is to ensure it is matched with a superior end-user experience that empowers the business to go out and 'change the world'. By introducing Active Directory federation we have not only improved the end-user experience, but we have strengthened our security model and set the business up to allow federation to other 3rd parties, such as Office 365, Dropbox, Azure, AWS, in fact anyone that supplies a Software-As-A-Service experience using SAML tokens.
The picture below shows the Active Directory Marketplace which allows you to federate to your favourite Software-As-A-Service providers, such as Dropbox, Concur, ServiceNow and Google amongst others:
We've also strengthened our security posture using multi-factor authentication, setting up the business to adopt biometric or fingerprinting technology that will ultimately replace the Azure MFA app once the technology matures.
In addition we've also tackled security awareness through a fun and engaging half-day course which we can run for a large number of employees, say 50 at a time. So for a 500 strong company this would involve 5 days of engagement and be far cheaper and more effective than eLearning.
Paul Colmer is the lead digital architect ALC Training and Consulting. He is responsible for creating and running all the cloud security courses, which include CCSP, AWS, Azure, Office 365 and cloud foundation certifications. For more information visit: https://www.alctraining.com.au/courses/cloud-computing/ Or engage with Paul on his crazy adventures on twitter: @musiccomposer1 using the hashtag #CCSP