  • simon0685

Microsoft looks to embrace zero trust for Active Directory

Updated: Jan 5, 2023


I have touched on the idea that Identity is the new security boundary in a previous blog about how we think about admin accounts. This change is largely due to the dramatic effect cloud computing has had on how we interface with our technology services.

We are now forced into zero trust infrastructure designs, where we have to be absolutely sure that a request for a service is coming from who it claims to be, grant only the access it actually requires, and be able to do this for requests coming from anywhere… sounds easy, right?



Well, it can seem easy if we focus on just the cloud and its identity management, because that has to be secured by design: there has to be an assumption that any request for service is a bad actor pretending to be a legitimate user.

Cloud services like Microsoft 365 have technologies such as multifactor authentication (MFA), just-in-time access (JIT), just-enough access (JEA), Privileged Identity Management (PIM), Conditional Access and Defender for Identity… the list is very long and quite distinguished. There are very good articles about this concept on the Microsoft website; take a look here.

Microsoft describe zero trust as

  • Verify explicitly

  • Use least privilege access

  • Assume breach


When we introduce hybrid identity management, things get a little more difficult. We can still use the aforementioned technologies for the cloud services, but we are limited in the preventative actions we can take because the on-premises identity provider (Active Directory) remains the master.

There are many other zero trust technologies available to on-premises and hybrid environments, like Zscaler ZIA and ZPA, but I want to keep the spotlight on identities.

The AD Connect service has come a long way in the past few years, and we can now offer self-service password reset even in hybrid environments, but this has not been enough for many enterprises, so they have had to introduce additional identity products and, by nature, additional expense to fill the gap.



There is light at the end of the tunnel. This recent article from Microsoft outlines the new approach and direction its Defender service is taking to detecting and responding to potential identity breaches.

What I am most excited to see is the investment Microsoft are making in extending their best-of-breed response actions back to the on-premises world. We can now see how these technologies will be integrated into Active Directory, where I believe there is currently the most risk.

If you miss it in the comments of that link, I am also happy to say that Microsoft 365 MFA is coming to Active Directory identities.



