At the very bottom of your cybersecurity tools/technologies stack, in most medium and large enterprises worldwide, there is an Active Directory (or multiple Active Directories). While many, including Microsoft, label AD as an archaic application, the number of critical applications still using it is staggering. Last month, during the Hybrid Identity Protection (HIP) conference of 2023, participants agreed that it will take at best 5 years and at worst 15 years for AD to disappear from most organizations.
While I am writing this article, I receive an email from Calm, notifications of articles promising to make my life more zen, and alerts from life coaches' podcasts explaining how to improve my life; they all keep coming. This made me think: in terms of identity protection, what could contribute to increasing resilience and making the average CISO more 'zen'?
To answer this question, this article could span many pages, but I prefer to submit to you a list of points to analyze:
- Phishing-resistant MFA for Azure AD/Entra ID (no SMS or phone calls).
- Phishing-resistant MFA for AD administrators and administrative functions.
- Conditional access via Azure AD/Entra ID
- APM for AD
- Privileged Access Workstation (PAW, managed by tier 0 team) to access anything important.
- Access keys supported by an anti-phishing authenticator. * Windows Hello * Monitor group policy for unauthorized changes. * Implementing a Local Administrator Password Solution (LAPS) or equivalent system. * Automated basic identity lifecycle management for all user, service, and computer accounts.
- Monitor all the above elements, automate as much as possible, and leverage ITDR practices to protect and defend.
According to a statistic presented by Alex Weinert, only 30% of companies have implemented multi-factor authentication (MFA). This leads me to think that even if we do not consider multi-factor authentication, most of the items on the list above are probably not in place either. Most of these points are not difficult to implement and have minimal impact on organizations. These impacts mainly concern administrators, who (let's be honest) should be in agreement with such changes.
Most companies would be amazed at how much resilience can be increased and risks mitigated by implementing these simple elements. Have you implemented any? If so, which ones? Do you agree or disagree? Share your comments below.