Your company’s assets can no longer be secured using old methodologies for on-premises networks. You need a hybrid strategy.
Part three of a series.
Before you transformed your business to meet today's realities, you probably created an account for each user in your company's directory.
You likely granted that account permissions to folders and applications on your network, either individually or through groups. And you know exactly where your users log in from, on what devices and at what times.
But technology has stepped in and the old, tightly secured, impenetrable fortress of your on-premises network has been supplanted by this new “work from everywhere” mentality. This is a good thing, except your users’ identities and your company’s assets can no longer be secured using the old methodologies for on-premises networks.
You’ll need a hybrid strategy.
A Hybrid Strategy for Identity Control
Enter Role-Based Access Management, Privileged Identity Management, Risk-based Identity Protection and the Intelligent Security Graph, which is based on machine learning and AI.
When you make a move to a hybrid cloud scenario you will need these. You will also want Intune for device management, the other side of the identity control scenario.
I use the word “hybrid” because the idea that most companies can or will forego an established, on-premises solution is not realistic based on my client experiences.
The hybrid strategy will remain until all of your existing software solutions – HR, Payroll, BOM, Receivable – are also in the cloud and you’re prepared to decommission your entire local infrastructure (we’ll talk infrastructure topics in blog 5 of this series).
This is also the case whether you're using Microsoft Active Directory or another third-party directory/SSO/MFA provider. The good news is you're not throwing out that investment yet!
Steps to Identity Control in a Hybrid Environment
First, determine your Identity Management Strategy.
If you already have infrastructure available for identity management, check to see if that can be federated with Office 365 and Azure. It’s a simple process even if you need to synchronize a .local domain. In this case, you will manage your accounts on-premises, including password policies, authentication management and resource requests.
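The .local case deserves one concrete step. A non-routable suffix such as corp.local cannot be verified in the Microsoft 365 tenant, so before directory synchronization each user needs a UPN that ends in a verified, routable domain. The script below is an added example, not code from the original post: it registers a routable UPN suffix at the forest level and previews the rewrite of affected user accounts. The names corp.local, contoso.com and OU=Staff are placeholders; it assumes the RSAT ActiveDirectory module and rights to modify the forest.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory
# module (RSAT) and an account allowed to change forest UPN suffixes.
Import-Module ActiveDirectory

$routableSuffix = 'contoso.com'   # placeholder: a domain verified in your Microsoft 365 tenant
$legacySuffix   = 'corp.local'    # placeholder: the non-routable on-premises suffix
$searchBase     = 'OU=Staff,DC=corp,DC=local'   # placeholder OU holding the users to migrate

# 1. Register the routable suffix on the forest, only if it is not already there
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $routableSuffix) {
    Set-ADForest -Identity $forest -UPNSuffixes @{ Add = $routableSuffix }
    Write-Host "Added UPN suffix $routableSuffix to forest $($forest.Name)"
}

# 2. Find enabled users whose UPN still ends in the non-routable suffix
$filter = "UserPrincipalName -like '*@$legacySuffix' -and Enabled -eq 'True'"
$users  = Get-ADUser -Filter $filter -SearchBase $searchBase

# 3. Preview the change for every account; drop -WhatIf once the preview looks right.
#    The prefix (the part before @) is kept so sign-in names stay familiar to users.
foreach ($u in $users) {
    $prefix = ($u.UserPrincipalName -split '@')[0]
    $newUpn = "$prefix@$routableSuffix"
    Write-Host "$($u.SamAccountName): $($u.UserPrincipalName) -> $newUpn"
    Set-ADUser -Identity $u -UserPrincipalName $newUpn -WhatIf
}
```

Run it once with -WhatIf in place to review the list, then remove the switch and run the directory synchronization afterwards; a UPN changed after the first sync is still picked up, but doing it beforehand avoids users being provisioned in the cloud with a temporary onmicrosoft.com sign-in name.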
Then, determine what applications will be available in the cloud, what roles you’ll use to assign users access to resources, and most importantly, clearly define a group strategy. There are consequences to different types of group creation in Azure Active Directory and Azure Active Directory Premium that you should be aware of prior to a migration.
Keep in mind that these decisions don’t take place in a vacuum and this will have to be a carefully considered sub-project of your overall cloud migration project.
Next, have a look at the additional options available to you in the Azure Active Directory Premium subscriptions, most importantly Identity Protection and Privileged Identity Management.
- Identity Protection – risk-based logging and alerts to determine potentially harmful sign-ins, sign-ins from impossible locations, and automated remediation
- Privileged Identity Management – assign JIT (just-in-time) access to provide a user with elevated access during a specified time window, and JEA (just-enough-access) to provide least privileged access to resources
Finally, the Azure Active Directory Premium subscription also lets you create Conditional Access policies. If you don't already have a second-factor authentication provider and policy in place, I recommend using Conditional Access policies to enforce MFA; they are also useful for a variety of other reasons, especially when mobile devices and your Windows 10 infrastructure are involved.
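As a worked example of the MFA enforcement just described, the script below creates a Conditional Access policy through the Microsoft Graph PowerShell SDK. It is an added example, not code from the original post or from Microsoft: the policy name, the break-glass group ID and the choice to start in report-only mode are assumptions. Starting in report-only mode is the defender's safety check: the sign-in logs show which sign-ins the policy would have challenged before anyone is actually locked out, and excluding an emergency access group keeps the tenant recoverable if MFA itself fails.

```powershell
# Added example (not from the original post). Requires the Microsoft.Graph
# PowerShell SDK and an admin who can consent to Policy.ReadWrite.ConditionalAccess.
Import-Module Microsoft.Graph.Identity.SignIns

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

# Placeholder: object ID of your break-glass (emergency access) group.
# Excluding it prevents a total lockout if the MFA service is unavailable.
$breakGlassGroupId = '00000000-0000-0000-0000-000000000000'

$policy = @{
    displayName = 'Require MFA for all users (report-only pilot)'
    # Report-only: evaluated and logged, but not enforced, until you have reviewed the impact
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            includeUsers  = @('All')
            excludeGroups = @($breakGlassGroupId)
        }
        applications = @{
            includeApplications = @('All')
        }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# Once the report-only sign-in logs show no unexpected impact, switch the policy on:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id `
#     -BodyParameter @{ state = 'enabled' }
```

Review the Conditional Access insights for the report-only policy for at least a few days of normal sign-in activity (including the mobile and Windows 10 devices mentioned above) before flipping the state to enabled, and keep the break-glass accounts themselves protected by a separate, strong credential rather than the same MFA method the policy relies on.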