Using Azure Active Directory for Security Protection
Microsoft this week played up the machine learning features of Azure Active Directory (AD) to protect against cyber attacks.
The 56-minute talk by Brad Anderson, corporate vice president for Enterprise Mobility, and Alex Simons, director of program management for Active Directory, was part of an ongoing "Success with Enterprise Mobility" Webinar series that included a live Q&A portion along with a prerecorded dialog. Last month, the series described mobility management capabilities, including aspects associated with Windows 10. Today's talk mostly focused on security threats and the use of the Azure AD Premium service, which Microsoft offers as part of its Enterprise Mobility Suite licensing.
Simons described the past use of Microsoft's traditional AD tool as establishing a "control plane" where the whole computing environment was contained. About 95 percent of Microsoft's customers use AD for identity management he added.
Organizations want to take advantage of cloud-based services, Simons said, but they also want have compliance and auditing capabilities. He added that "the cloud is happening now," saying that there are now 4.5 million organizations in the world are using Azure AD to access Microsoft Azure or some third-party cloud service. Microsoft has performed as many as 18 billion Azure AD authentications in one week, he claimed.
Security via Machine Learning
With all of the data that Microsoft tracks, the company is capable of using its machine learning capabilities to spot abnormal end user use patterns that might indicate security breaches. Simons described Azure's capability of tracking end user location and time information as an example. For instance, concurrent log-in attempts into a single account coming from both Taipei and Los Angeles will get flagged by the service as a potential security issue, he said.
One of the main ways that security gets breached in organizations is through phishing attacks, but those kinds of problems typically are difficult for IT shops to track. Simons said that, in such cases, an organization needs to have a service that will check the behavior of end users, and not just check that a particular end user is valid. He contended that Microsoft's Azure service uses "billions of inputs" every day to create a "fine-grained picture." Through Microsoft's reports, the service can show if a device was infected or whether it's under control of a botnet. The service will show the IP address of the affected machine so that IT pros can act, Simons explained.
Anderson claimed that organizations can stave off phishing attacks by using Azure's multifactor authentication capability. He said that if an organization has a phished account, having multifactor authentication will block an attacker. Multifactor authentication accomplishes the same thing as changing your password once a week, he added.
The password storage issue was brought up during the talk. AD users can store user password on premises. Simons said that there are about 20,000 organizations today around the world that keep their passwords stored on premises using ADFS (Active Directory Federation Services). However, about 50,000 organizations around the world have synchronized their encrypted copies of passwords using Microsoft's cloud. That approach is a lower cost option compared with storing passwords on premises, Simons contended.
The talk noted that end users are accustomed to using apps for productivity at home and they want the same capabilities at work, so they are using applications such as Dropbox, Box and OneDrive, which could break an organization's security policies. Microsoft built a cloud-app discovery service in Azure that allows IT shops to see what apps are being used, Simons explained. They can use that list of apps to suggest that end users use a less risky alternative, he added.
Anderson said that some organizations have found that as many as 300 to 400 software-as-a-service (SaaS) apps were being used by end users via this discovery service. Microsoft's service will provide a rating on the risk of using such unmanaged SaaS apps, he said. Simons added that Microsoft's service also shows which apps can be managed through AD. IT can turn off access to the app later, if wanted, when a user leaves a company, he added. Anderson said that Microsoft now has more than 2,400 SaaS apps that are integrated with Azure service that can be managed with the Azure AD service.
Questions and Answers
Anderson and Simons were asked if the Enterprise Mobility Suite will work with existing mobility device management (MDM) solutions. Microsoft designed protections at the device, app, file and identity layers, Anderson said. He claimed that Microsoft is the only MDM solution vendor that has provided protection at all four layers. Other MDM vendors, such as MobileIron and AirWatch, can protect at the device and app level, but they don't have the assets to protect at the file or identity levels, Anderson claimed. Microsoft's solutions do not integrate with AirWatch and MobileIron solutions, he added.
They were asked whether having single sign-on passwords stored in the cloud was a risk. Simons said that all of your passwords, whether stored on premises or in the cloud, are encrypted with AD. Microsoft is using a new advanced algorithm for its cloud AD service that is harder to hack. He said that Microsoft estimates it would take 100 years to crack it using all of the compute power in the world. Customers who are uncomfortable with storing passwords in the cloud can use Active Directory Federation Services on premises, he added.
Microsoft was asked if Windows 10 would be needed for some of the Azure AD management capabilities mentioned and whether iOS and Android would have the same management approach. Simon said that the management capabilities are carried out through the MDM solution. Microsoft Intune takes advantage of the full iOS and Android management capabilities. Intune registers an app in the directory and puts a certificate on a device that the directory can then recognize. This certificate then can be used to authenticate users as well. Each operating system platform has different capabilities, but all of them have, or support, certificate-based authentication, which is what Microsoft uses for identity.
Anderson explained that the telemetry that Microsoft collects for security purposes applies to all platforms. He said that Windows 10, though, will bring security additions that will be "super interesting." More information will be coming out in the next few weeks about it and System Center Configuration Manager. So far, Microsoft has seen very few issues when testing Windows 10 with Configuration Manager and Intune, he said. There will be updates released to the Configuration Manager 2007, 2012 and 2012 R2 versions to support Windows 10 with just "minor compatibility issues," Anderson added.
They were asked about the use of the cloud in Europe. Anderson pointed customers to Microsoft's Trust Center, which shows the certifications for various Microsoft products. Azure currently has 19 different service regions and Microsoft is making the investments to support data if it has to reside within a country, he said.
One of the questions was about how to characterize the Azure AD Premium service. Simons said that it's a challenging question because traditional premises-based AD was based on separate categories (such as directories, Internet, ID management, connectors, standalone MDM, rights management and DLT), but those things are rapidly merging in the cloud-based version. Customers want a solution that does more than just MDM, he added. Azure AD Premium has MDM capabilities, but it also provides things like directory service, security monitoring and two-factor authentication that might have been thought of previously as separate app categories.
One question was whether the functionality of Forefront Identity Manager would be brought into Azure AD. "That's absolutely our plan," Simons said. He said that Forefront Identity Manager will become Microsoft Identity Manager and will be added to Azure AD Premium.
Microsoft's next "Success with Enterprise Mobility" talk happens on March 3, with sign-up available here.
Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.