SANS Cloud Security Exchange 2024: Microsoft Session

SANS Institute · Intermediate ·📰 AI News & Updates ·1y ago

Key Takeaways

The video discusses identity modernization, zero trust network access, and conditional access, emphasizing the importance of transitioning from traditional frameworks to agile, secure platforms like Entra ID, and leveraging Microsoft services such as Azure AD and Conditional Access to improve security and visibility.

Full Transcript

Angelica and Simon are going to be coming up here momentarily to do their talk on identity modernization and so very quick introduction here Angelica Faber she is a senior security architect at Microsoft and out of the many things that she does there for example leveraging entri ID and Sentinel for threat detection and IR helping various customers secure cloud workloads and so on but previously was at Citrix and had a long career at Oracle as well now Simon Vernon Simon is is at Sans designs bills maintains numerous Sans CTF environments and ranges was the chief security officer at a hosting company and after getting started with Sans via the Cyber Academy quickly joined the instructor ranks teaching SEC 488 with that I'm going to go ahead and kick it over to you Angelica Simon please take it away hello welcome thank you for the lovely introduction there Frank it's always a pleasure to come and join these kind of conversations and kind of produce some useful information that's relevant and right up to that date and uh you know and it brings in so much interest um so yeah as Frank said my name is Simon Vernon I I work for Suns and head up the R&D inside uh Emir build lots of ranges ctfs and teach 488 and 549 more recently um also get the pleasure of working with the counter hack team to create ctfs um one of the things that we're doing at the moment is creating CTF around identity which is what we're going to discuss today so our topic of identity moderation but before we get started I will let my Hing crime who I've been working with over the past three months introduce herself thanks Simon um Angelica favor I'm a security architect at Microsoft I work with the Microsoft security Enterprise Services team that's basically the Consulting arm that focuses on making sure that organizations are secure and one of the big things that we focus on is identity modernization which is our topic today identity as a whole is really near and dear to my heart it has been for many years for people that know me they know that for many years I've been working on identity it is also something that our team spends a lot of time on helping our customers navigate that tricky identity management so I'm super excited to be here with Simon and with all of you and to share some insight hopefully give you some useful takeaways that you can apply also to your own work excellent okay so I'll I'll move on our slide so we've just been listening to to Brandon Brandon and Anton and they made some amazingly good points particularly around identity which is what we're really going to focus on today during our next 45 minutes or so we keep seeing sort of problems come across uh and the problems that we see from organizations regardless of whether or not they're anme or if they're a brand new startup if they're a vast Enterprise is identity and so for the next 45 minutes we're really going to take a dive into what Microsoft uh are producing and what capabilities and what resources they have in order to make identity work for us and this is an issue because identity is the Forefront of everything that we do in the cloud you know exactly as we've seen in our first session today that you know keeps cropping up is that everything that we do in the cloud comes back down to Identity the primary reason for that well we everything is basically public you know we're St we're hosting we're storing things in the cloud the everything is being presented to the world from that service and the only control we have over that our new perimeter for all of the things that we're putting there is identity so we're going to look at some of the challenges that organizations have we going to look at some customer stories of organizations that we've been dealing with uh both myself and Angelica about where these whereabouts in their Journey they are in in relation to Identity and what their s next steps could or should be um and then we're going to look at a couple of the product services and systems that Microsoft are coming out things that have come out in preview recently some new technologies and what we actually do with some of the older Legacy technology and you know what's next what's coming up next in the Journey of identity and we'll have also some like Simon was saying some stories from the field some of the headaches that come with Legacy system things like outdated protocols misconfigurations that the previous presentation was talking about that pesky technical de that we all have to deal with I guess we won't spend too much time on the agenda so we can jump right into to the rest of the content because we do have a lot of content we do we got quite a few slides to go through in this in this very short 45 minut minutes so we mentioned that identity being the Forefront of organizations and the problems that they face but why why is identity such an issue yeah and I I actually be honest with you I've personally been waiting for years for identity to become like the focus area and I know that we're calling it the the new perimeter but it's been I guess it's been a few years now I read I actually I read an article last week from black hat where they were talking about how this year this it has become an area of focus like we were talking about previously because it is the backbone of everything authentication authorization access control that's what it's going to keep everything else secure so to make sure that you you have the right people having the right access to to the right stuff and it's really crucial to keeping your data safe you know so we're talk we talk about data we talk about ident entities separately but it kind of go hand inand right so it's not just about Regulatory Compliance but it's also about keeping things uh safe and and actually the the other thing that we're going to talk about here as we mentioned before that a lot of organizations are stuck with a lot of Legacy systems that were built on things like active directory an active directory I think it turned 25 years old this year it's hard to imagine but it is it has been 25 years so you know and so for organizations that are still dealing with active directory and trying to modernize things there are some challenges that come along with that so we're going to talk about some of those uh things as we go along I cannot believe active directory is 25 years old it's just just made I think that's just aged me about another five years just in this sort of five minutes of this session I I distinctly remember one of the first major critical failures of any identity system was actually in was an T4 server that I had to recover and you know act when active directory came along and it we had to like be integrated services and it was just amazing it made life so much easier and so much simpler but we are so far beyond that point now and I've still meet up with companies who are still talking about Legacy technology as something that they're actually you know they're wanting to acquire or they're they're in the process of implementing it somewhere you know somewhere along the line of their services and it's just in saying that it's been around for so long I mean zero trust has been around for quite a long time now as well but I I've never or I've never seen an organization who of 100% accomplished zero trust as in yep job done you know we have everything in here because it just doesn't work like that it's more of a more of a theory but we're going to talk about how we can utilize some of the the strengths of zero trust and how the implementation can actually make our lives a lot easier particularly when it comes down to things like Microsoft identity enter ID and all of the additional services that go with it the problem is we are um we still see a awful lot of organizations who are entirely reliant on active directory I've been dealing with one actually in the in the past three four months I run a small consultancy practice and I'm very very particular about the organizations that I work with because I don't have a massive amount of time sounds funny know keeps me very busy but this organization have just gone through the process of having an app developed for them and it doesn't support single sign on now the problem that they have is that they want to integrate sort of single sign on zero trust they've heard a lot about these terms and the services are available and yet they've had this application built where they've gone down the route of not including single sign on Services they're now talking about building out a federation service linking it to their internal active directory in order to then go forwards and I and I've been repeating L that this is not a forward movement this is a step backwards they are really going in the wrong direction but this is what we see and from the conversations I had with Angelica over the past three this organization is not alone no and actually I I was telling Simon that I am surprised that a new company that has the ability to go straight to Cloud still is relying on old technology like active directory because what we see a lot our team does work mostly with strategic customers so they're very large organizations that we work with and so what we find is that a lot of these companies have active directory because they inherited it you know because it's been there for years and so there's a lot of applications that are still dependent on it um but you know any opportunity to move to to a mod authentication uh should be taken what I think what we find a lot is probably the case of your the organization that you're working with Simon it might be that just lack of information lack of guidance maybe you know to make the the to whats of it to know what is available and what you can do and what you should do as well and I think you know there's there's you know active directory sometimes and I I probably going to get um so some some push back on this but I think sometimes I find that organizations have this what I call baggage you know having applications that are still dependent upon these Legacy protocols but sometimes they're attached to that it's like because it's what they know it's what they feel comfortable with but it's it's just you know so sometimes it's a matter of opening um the eyes of the of the people that are managing the systems to explain to them you know there are better ways to do it that are not complex or it's actually in fact are probably a lot less complex than what you're dealing with right now so if you're able to manage active directory you can uh evolve uh and then hopefully work with those application owners to be able to to incorporate modern authentication protocols so and and I understand in some cases you just you know let's be realistic right sometimes you just can't modernize some of those applications so there's got to be a way to bring the the protections that are provided by these modern authentication systems into those Legacy systems that are just stock there for very valid reasons and we'll we'll talk about that a little bit later how how do you do that how do you get to that point I don't know maybe we need to move on to some of the uh other slides yeah good yeah so this brings us really nicely into actually you know the challenges that organizations face because it's it's really quite simple to approach a company who having problems like this and and simply say you know you need to upgrade you need to move away from these from an active directory service you need to move into a you know a directory service that's that's cloudbased that doesn't have this baggage that comes with it unfortunately you mentioned technical debt the support of Legacy products and requirements means that you know this is this is not always a simple journey I used to as mentioned as Frank mentioned when on our on the introduction I worked with a data ental organization who were basically a springboard in for for more for companies who were moving into public Cloud but weren't ready for it yet and they essentially provided them with kind of like a mid Cloud platform that allowed them to both uh collaborate with their consultants and their integrators in order to get organizations into a public Cloud uh infrastructure and I work with a lot of a lot of councils and things like that and we looked and reviewed a lot of the security uh controls how these organizations were moving into the cloud and every time we got into the same situation when it came to Identity which was you know deploying into Cloud's really complex you have to move lots of things at once there's a Reliance on this Legacy application that it's behind it we don't necessarily have the people here who can design these uh security systems and and who can architect these kinds of platforms and there's the whole you know well actually how do we deal with data that's sensitive when we put it into the public Cloud if we haven't already solved our identity problem and so the whole thing becomes this horrible circle of nastiness that you know there isn't a direct pathway from that into something that's more secure and better architected so the challenges are very real they varies massively depending on the kind of organization you are dealing with as well now I've got a lot more experience with smaller organizations Angelica works with much larger Enterprises and so the difficulties are similar but I'll let you explain the differences yeah and actually I think in in our case like I was saying before there's a lot of things that are inherited by the people that are maintaining the system they might not have even been the ones that set them up and yet they're still maintaining them so if they if they had had the opportunity to set them up initially they would have uh done it completely different you know knowing what they know uh but some times you just have to you know deal with what you were um inherited and then and then go from there and and it also I think and and we mentioned in this slide here that deploying Cloud Solutions can be complex like Simon you were explaining as well also so if the technology isn't fully understood it can lead to some pretty poor decisions and sometimes that leads to insecure implementation so what we find what our team finds sometimes when we go in there is that not only do we have to look at whatever Legacy authentication systems you have in there but we also have to look at your entra setup because you know again even even if even if the the setups are are done perfectly there's also a lot of configuration that is in there a lot of applications or service uh principles that have been created and have a ton of permissions that have been assigned to them so even even on the modern identity side you have to make sure um that the configuration is done properly so we we go in and we'll will evaluate both the active directory and the tenants will make recommendations on settings because if you're going to go through the process of making sure that all these applications are going to be connecting to your modern authentication and authorization systems those systems that are going to be receiving it better be secure you know it better be in in a condition that that it's ready to to support the all of the systems and then there's also the you know the the challenges of having to deal with the lack of skilled Personnel I actually experien that first it is hard to find skilled people and people that are really good at managing identity Solutions um and and when you don't have the right people in place it also makes everything that much more complicated as well so that's some of the things that that we try to help with our organiz iations so not only by by by you know sharing our expertise but also by working side by side with the people that are going to maintain the system so that they can learn to continue to maintain them going further and maybe we can maybe we're ready to move on because we have a few other challenges more specific to active directory in this slide actually I'll I'll let you go along Simon so uh I mean you know my my journey over 20 years ago into to into infrastructure design and cyber security often always you know LED back to a lot of active directory challenges the issue we have now is as we approach you know more newer and more capable identity services that have the ability to stretch across multiple Services sites multiple Cloud platforms older systems Legacy Services Etc is that we've got to bring some of that baggage with us and we've got but we've got to also learn how to offload a lot of it as well the problem we have with active directory is it's outdated it's 25 years old it uses some protocols that are now deter deemed and deted as being you know insecure it's easy to make misconfigurations there are multiple ways to have it synchronized with your new identity providers or your your enter ID Services um and which you know which one's best in fact as was about eight months ago I did an entire talk about how to decide you know what kind kind of synchronization you're going to use with your on Prem active directory now and only eight months later go the line I'm looking at this from uh the perspective of a consultant and saying well actually how do we get rid of your active directory Microsoft clearly don't want you to have one anymore they don't want you to have your own exchange they don't want to have your own SharePoint your own SQL servers no they they want this product to be offloaded they want this out uh and into the cloud environments unfortunately to do that we've got to get rid of that technical debt as well but knowing what you can and can't bring with you is fundamentally important which is why you need the right people to help you make the design decisions about how you adopt so the you know uh enter ID or or dedicated enter ID Services rather than utilizing these you know these on Prem and incloud Hybrid models really how we start looking at things like zero trust and zero trust network access we're changing the approach to Identity to include things like you know authentication without or with verification and no you know you know no trusted objects as such which is really a fundamental part of what active directory was yeah and actually you you you were talking about the misconfigurations I've seen miscon or tiny little misconfiguration can cause enormous problems so so when you're trying to modernize especially when you're trying to modernize your it systems it really can you know a small mixed configuration can mean you know very uh significant security risk so paying attention to those having one one of the last things we have in here are assessments um lack of Assessments is another another issue that we see lack of monitoring anybody that has talked to me ever before knows that I'm a huge fan of monitoring identity monitoring specifically because what most most companies that we go to work with they know they have issues but rarely do I see an organization that actually knows the extent of what the issues are especially for the for the umrem systems and and so without these assessments without monitoring in place is very easy for problems to go completely unnoticed until Pro some attacker shows you the way this is how it is risky which by by then is you know a bit too late so making sure that you have those assessments ongoing making sure that you're addressing your security risks and and you know dealing with some of the challenges because at the end of the day I know and we're talking about active directory challenges but at the end of the day some of these systems still have to remain in place which is some of the subjects that we're going to be covering later okay so we're moving on to outdated system and we kind of talked a little bit about some of these like Legacy protocols and and upgrade constraints I don't know if you want to cover anything else in this slide before we move on no I mean one of the one of the main points on this one in particularly with particularly with smmes I think more than anybody else and less startup more kind of established organizations who perhaps you know gone through a process of acquisition or have acquired another organization and are on that kind of trajectory to get it to becoming a you know a bigger bigger organization is that they really do struggle with the the knowledge required in order to take their identity further I had an incident actually which is really relevant to this one it was an identity based breach it was a business email compromise effectively and one of the things that they they wanted to know how it had happened so we went through a process of determining you know the a pathway through the logging what had what had occurred and one of the things that they decided to do immediately after that and during a follow-up conversation was they told me they'd then gone off and turned on Sentinel to which my response was no turn it off you're you're going to how many people do you have who are on your permanent analyst desk that you're going to be looking at these logs and they said well nobody we we've only got you know and I'm thinking you're going to drown in data none of it's going to make any useful uh sense to you and you're not going to protect yourselves from you know further incursions by doing this it's like you've got to cover the basics first you've got to implement things like putting conditional access policies set up uh a trust relationships which means that you're not automatically trusting services or systems or users once they've authenticated you know you're going to go through this process you're going to generate some more data and generate more logs showing the actions and behaviors of your users and then create rules that are going to spot that from those logs in order to give you at least half a chance of seeing something that's happening the best solution would be to contract a thirdparty organization to do some of this for you not try and bring out bring all this inhouse at once soes really do struggle with this as a process they often don't have the resources they don't have the technical knowledge they don't have the in-house advisors Etc and again this is where a lot of the organizations who approach me and a few of my sort of Partners come to and they're literally just kind of scratching to find people who can help them across this journey and unfortunately with you know Legacy protocols in active directory and of the technology that supports it and the services that they're running including Legacy kit means that you know they just they this problem comes across them more often than not yeah but then we come down to things like misconfiguration which causes a huge amount of issues particularly when it comes to adopting you know enter ID um or as your's directory services or even if you're utilizing things like third party ones from AWS and from gcp and you're authenticating through those into your azur environments so now we're not talking about just between your Cloud version and your on Prem we're now introducing things like multiple cloud services and on Prem and introd and you know and trying to link all of those into Legacy uh active directory protocols as well this is where problems occur and this is often where we find uh organizations really miss some very basic lwh hanging fruit of security vulnerabilities they're exposed they get breached they don't necessarily have good visibility over it and all of a sudden when things go horribly wrong they have this kind of knee-jerk reaction that they got to go off and do something else and that's again how we see misconfiguration coming into play and one quick note on misconfigurations one that we see I think everywhere is trust so we'll see trust across different domains on Prim and then one domain might be maintained like really stringent really secure but then the other one that it has trust with not quite the same like nobody knows what's going on but that that trust right there whatever you know vulnerabilities you have open over here guess what now they part of that other domain that is secure so making sure that you're aware of what it is that how these systems are integrated our team has actually become really good at at discovering this this misconfiguration so that's a lot of what we see has has actually to do with that and I'm trying to keep an eye on the clock to make sure that we're moving forward so we can talk about some of the things that you should do yeah absolutely we have almost like a technical death of slides to get through a problem one of the issues that we do we do see very frequently is this accumulation of technical debt like it it's an ongoing problem um you have to pick and choose the battles um um and the uh and the wins that you can accomplish and the things that you can change to make the security posture uh for you better one of the problems that we have in uh or is you know foreseen in organizations who are moving into the cloud is this increased attack service the fact that not only we now we're running operating systems contained Services we're running directory services that are both on Prem and in the cloud is that we've got this API service that sits behind that has access to absolutely everything which changes our approach from changed our approach to security so this increased setac surface and sometimes the visibility of it isn't great you got to be very specific about the things that you want to see the things that you're looking for means that again that is just accumulating additional technical debt yeah and also the sometimes these system so because this other system doesn't support a modern protocol it kind of hold back all the other ones that can move forward because you have to set your rules to the to the one that is going to be holding the other ones behind because all the rules have to be sometimes taken into consideration all these systems so it's it's make you know that that lack of uh consistency uh across these systems can also affect your security uh posture um because it prevents you from from evolving all the other systems so it's kind of holding you back uh we see a lot of of that um going on and and actually that's why I'm so excited about some of the new uh entri ID solutions that allow you to to expand to to cover even Legacy systems that can't be touched you know because nobody knows how it I was actually working so those are some of the things that I think are going to make a huge difference for some of these larger organizations that we work with um all the time and one of the one of the things that um I've come across on a couple of occasions recently as well as this the challenges in consolidation and the you know organizations have looked at the approach of utilizing a a cloudbased identity provider maybe even going outside of the big three ecosystems and utilizing third party things like you know one password or OCTA essentially and then they see in the press that all you know these these recent incidents that have happened and the breaches and and you know they don't necessarily tie that to user Behavior or miscon configuration they T to directly to the platform or the brand that considering again which is another massive problem it just creates more issues as as organizations approach these challenges and along those lines actually there there was I think it was about a year ago I can't remember but there was a whole lot of talk about like MFA bypass and MFA spamming and and and there was I had a whole presentation that was just dedicated to explaining the various different flavors of MFA you you know from from the from the least safe one to the fishing resistant one and then going to explain the reasons why why it was fishing resistant so to make sure that people understood that when you see the headline of MFA bypass it does affect some of them but doesn't affect all of them you know there are options that you can have so a lot I I agree with you you know they'll associate it with with with the you know Cloud solution but not with you know the actual how you have it set up how you have it configured yeah the negative the negative connotation gets banded around quite a lot and an MFA bypass could be well someone stole a mobile phone number through a cell company fishing anything as simple as that and it's still classed as an MFA bypass y so what we've got for you now is actually kind of three customer stories effectively about some organizations who we've either had engagements with or you know we've been doing some Consulting work over the over the past 8 to 12 months and this we've determined that there's around three main phases or states that organizations find themselves in um this first one being the locked in State uh they got an organization with very rigid identity systems they're inflexible they're not doing as many updates as they'd like to they've got security threats that are numerous and coming in they may be dealing with third party sock as a service for example um and they're looking to you know modernize their entire ad infrastructure I'll hand this over to you and like we you know you were you mentioned one earlier today and I was like this is definitely the one we want to talk about this morning this afternoon this morning we see this a lot so to be clear we see this a lot which is which is you know sad but I this is what I locked in I I associate this with the ones that have the baggage but they're also attached to their baggage and actually my previous boss used to say don't boil the ocean that's how you go about dealing with some of these organizations because it really nearly impossible to in some cases with the amount of Legacy infrastructure that you have to deal with to be able to move it all at the same time right so what we do when we come in here we'll gradually replace parts of the old system with something more flexible more modern more secure so that they can evolve over time you start migrating some of the Legacy authentication like if they have adfs move on to enter ID there are some there's actually like a really nice wizard that is available to allow you to do that we start by implementing fishing resistant I was talking about the bypass MFA implementing fishing resistant authentication wherever possible like starting with your privileged users and then you go from there and adopting that hybrid approach and with there's a lot more things that you can do another one that comes to mind is with provisioning it can start to evolve to a provisioning to a cloud first approach and I know it takes a while to get there but but if you have the end in mind it allows you to make theis ISS the right decisions to be able to get to what that end state is is trying to to achieve too and maybe we can start talking a little bit about our second one because it's kind of similar our second user story The migratory the ones I've actually started on it go ahead Simon yeah so I was going to say this is this you know this often we find that organizations are already in a migratory State they've started they had a plan they may be moving forward with that plan they got to 50% of the processor there but then all of a sudden everything grinds to a halt things start to slow down they come across something that's Legacy that's not going to transfer particularly well there's prot there's you know inconsistent security protocols or gaps in invisibility when it comes to adopting sort of a cloud first strategy I've seen this on numerous occasions with organizations particularly began working with the data center where you know they got 40 50% 60% into the public cloud and then all of a sudden everything just grinds to a halt because they come across this thing that they didn't know about they've come across a protocol that they required to support or they've got something that's on Prem that just does not work in public cir infrastructure and that the you know even a graduated lift and shift approach isn't going to work and they actually requires re-engineering and this can take an awful lot of time and effort and design work and so you know uh there are some technologies that we're going to introduce and going to mention in a few sides time that can really assist in this process and actually alleviate a lot of the problems that come across with stalled phased migrations yeah and and this migratory State like like Simon was saying it's got a mixture of a little bit of cloud a little bit of legacy and that blend sometimes can create some challenges we'll see like Legacy applications that can maybe only speak ldap that's all that's all they were configured to speak and sometimes because maybe that's all they knew and sometimes there's a like a more modern version of that same application that actually supports monotor authentication people just haven't looked at it because if it's not what is if it's not broke don't T don't touch it so you know there are opportunities and and it's just through going through those applications to finding those opportunities to modernize those the way that those applications are integrated with your identity systems where you take the opportunity to remove some of the risks within them also uh inconsistencies like I was saying before sometimes it actually prevents you from actually putting the the same type of policies across systems which is a big issue that we find well they'll have like well we use this system for the policies for this one and then we use this other system for the policies for this one but that prevents you from having like a whole consistent set of policies which should be easier to handle so that's why the some of the solutions that we're going to be talking about later going to make live Easier uh but also a lot more secure yeah I had one of these it was a uh a government Department an organization who were moving from an on-prem data center into a private Cloud environment and they uh they didn't want to take their ad with them they wanted to utilize some public Cloud infrastructure to support their authentication system unfortunately the project stalled they came across some technical issues which was actually an application that required Microsoft Federation services to work it was a a single sign on service requiring SML and they you know they got they basically cornered themselves and unfortunately they'd sold the building they were in to some housing developers and so every time I went to site as part of the Consulting process theyd lost another portion of the building and eventually they even lost the plant room and so they had air conditioners like pumping air into the data center and literally there was a door way to Nowhere if you went through it you fell down four flights as into this basically a pit where they were building all those new houses but yeah this is how you know this is the pressure that some organizations find themselves under whereas there is one other state that we come across as well the outsourced State now there is nothing wrong with Outsourcing and a lot of organizations find this is massively useful particularly for Security Services because it's expensive to bring it in house it's expensive to build a sock it takes an awful lot of time for a sock to become mature one instance though in particular was a a colleague of mine contacted me and said what would you suggest we do about this scenario and essentially it was a startup company that built a lab in an on Prem environment and they they utilizing a thirdparty open lightweight directory access protocol Service as their authentication system and he said we want to expand beyond the Realms of this and you know how what do we do and my first question to him was well why did you choose that particular service in the first place and his answer will go to my grave with me which was well basically it's just what we've always done we used it in another part of the organization and so these flawed decision processes that had been happening and that had been decided upon by somebody else who subsequently left the organization had this Legacy and this effect that just went forward with every decision that they made made now I've had some recent conversations with them and I tried not to get involved in I just gave him a little bit of advice but one of the issues that we seem to come across fairly regularly is this you know you get some advice gets given at some point it's not necessarily the right one and then it becomes the thing and this is like now an issue before them and for this organization because they are relying on this third party uh platform and service that's behaving like an active directory but actually isn't it's just an L app as a service this is a bit of a strange scenario because most startups have the ability to be very flexible and dynamic but some of these early decisions it's best to get good advice on there I'm actually got of surprise to hear especially when you have a startup where you can actually go straight to the best you know without having to deal with all these Legacy stuff and you know Miss missed the opportunity there the other thing that I would say about any out sours I spent a lot of my career working with msps of All Sorts so my recommendation to anybody is to you know make sure that you that you vet them so it's one of the things that we have in here vetting them and making because they're not all going to have the same level of security implemented or the same level of you know with within this within their systems and the services that they provide so I would say highly recommend betting and continuous assessment so it's not like just one set it and forget get it make sure that going further going in the future you still continue to to to check in on them and making sure that they still serving the purpose that you sign them up for that's just my two sents on this one because I don't deal with a whole lot of this case scenario yeah there a there's a pretty unique one was that one but so yeah any there's uh there's obviously some solutions that are out there that in order to facilitate and help organizations are in either one of these three states and you can almost fit every company is who's got some sort of cloud strategy regardless of whether or not it's minimal or if they're Cloud burst it doesn't matter they're always in one of those three states and there are some technologies and some capabilities that we're going to talk about now that are produced by Microsoft and the Aur environments that they're going to help you get through some of these some of these difficulties we hear a lot about oh sorry go on I'll let you go for this no I mean I'll I'll talk all this about this if you know me I'll talk all day about this I'm super excited about this one most most people that I work with are already familiar with conditional aess but I'm just going to give like a super fast overview of how it works it's it's basically about making decisions on certain signals so it follows simple if then else kind of logic so if a condition is met then a certain action is taken and if not then something else happens that's how conditional access in a gist works and the signals are fed into this decisions so that things like identity the role the device they're using the location so then it's processed in real time to evaluate and it uses those sorts of bells and whistles including machine learning to make decisions to decide whether it's going to allow the access or whether it's going to require additional steps like maybe another MFA factor or it's going to block the Axis or it's going to restrict the access like you get some of it but not all of it but what's exciting is that we can now expand conditional access to any application with some of the uh services that were we recently introduced at Microsoft so it's a big deal it's a big deal to us but it's also a big deal to to our customers and to any organization that is using conditional access I'm assuming Simon that you work with corporations that use conditional access for for for their um authentication yeah almost every organization I do any any sort of work with outside of ss it's one of the conditions I actually I actually enforce or say you know you have to have this in place it's not good enough just to turn on security defaults in Azure you've got to be utilizing things like conditional access and the fact that you can now extend this on to Legacy applications as well as things like even proxy Services I spent year I spent oh I think six seven months working with a developer once to create create a product Suite that basically checked your level of privilege before determining whether or not you're going to be allowed out onto the internet and this is something you can do in literally three rules in conditional access so you know there's a lot of the solutions that organizations will come across or problems that they'll come across that can actually be solved by some of these Services now it doesn't stop there we can go a lot further with this as well and we can actually start taking out and removing not just identity based Legacy Services as well but also network communication based Legacy essentially what I'm talking about is getting rid of virtual private networks oh this is going to create some some at least I get a couple of comments anyway I am a massive proponent and a fan of virtual private networking there you know there being able to secure Communications over private encrypted channels is an app is super valuable when it comes to security but not everything supports it and so utilizing things like identity services in the cloud plus conditional access policies means that sometimes we get to the point where well actually some of the bpn services that we're going to be utilizing might not be sufficient anymore but we have the ability to mitigate that and this is where we're bringing things like identity Centric ssse Solutions as a zero trust network access policies I will let Angelica explain yeah and I love that you mentioned that it's either identity Centric because that is a very biggest difference so it's built on the principles of zero trust which you Euros talk about and they're actually noted here here but that verify explicitly use with privilege assumed breach so what it does is it's going to verify each identity using risk-based context to ensure that users only get access to the applications the resources the destinations that they actually need to get access to but it it is it is it's a big difference from the VPN that Simon was talking about because the VPN uh once you're in you're in you know everything it's the same level right uh but you don't have the same requirements for each of the applications right uh so what we see is customers have all sorts of different there's some high value uh assets that need stringent controls and then there's what I always refer to as the party planning app that maybe doesn't need as a as stringent controls as a you know an HR System for example will need access to it so so even though a VPN served the purpose a while back it you know you now you need granularity you need to be able to to do that and more importantly we were talking about those Legacy systems previously some of these applications and probably Simon you've seen the same thing were like the last developer that knew how this thing worked left five years ago and nobody knows how it's working so you still need to be able to put some guard drills around that application so that people you can still enforce things like fishing resistant MFA in front of that very Legacy old application before they even get to access it so this is a huge help for for organizations that are Stu dealing with some of those Lexi systems that we were talking about previously and and and you know being able to do that in a granular manner it's a big uh it's a big help as well so being able to set M everything to to give different different restrictions depending on what they actually need and sorry yeah got I'll let you look at the time to see how how we're doing and whether we need to jump into Q&A or whether we can continue digging into this I think we're okay we'll got another another couple of we've only got a few more slides to go so I think we're good few few more slides few more minutes Simon Angelica okay great so I guess we'll go a little deeper in some of the features for the Legacy systems one of the features that I kind of started talking about was the app segmentation so this going to allow limit to to you to limit the thread exposure by you defining specific segments or micro segments you know within user within process device level um so it makes it a whole lot more precise so whether that and by the way this is going to work we're This Ss we're actually focusing on private access which is our ctna solution Within ssse ssse has another piece of it which is the the internet access so we're focusing on ctna because that's the the subject of our talk but I wanted to make clear that you know there there's other pieces to this and there's also the the per act controls so you can and actually some of the some of the things that are highlighted in this slide are that it doesn't because before we used to have the application proxy and that was HTP hdps for as this one is like any TCP any UDP Port so that's why you see in the slide the reference to RDP SMB FTP so it's you know all those Legacy ports that are needed to access your systems are also supported and the last big feature that I'm going to mention here but I'm super excited but it is mentioned in the slide is the continuous access evaluation that's a feature within entra that basically evaluates the the all those signals that we were talking about previously throughout the session so it's not just when you're logging in but if but if in the middle of the session something changes my my standard example if you heard me talk before is about a person that is sitting here inside the company but then they go across the street to Starbucks you know suddenly the the the source of the IP that they're connecting to changes so changes in the middle of that session you know would would be reflected in the way that the system handles it and you know access might be blocked things might be prevented and think of all of that being available also to your legacy applications that's a huge huge step forward I think and now having the having the ability to provide you know a user identity plus information from their endpoint device and the remote Network that they're on to be able to continuously evaluate that user session from that device from that location and communicate with Legacy protocols such as SNB well this changes everything because this means that this problem that we had with uh the baggage the Legacy services that we're having to bring into the cloud environments well we don't necessarily need to move everything across at once it makes our migratory process a whole lot easier it also improves our security and the visibility of it because now we're no longer relying on a multitude of different systems to generate that identity and access data we're seeing it all from a single place from a single source so it just encompasses lots of these different Technologies and the ability to do things like you know the the zero trust approach uh to Cloud Centric and cloud-centric identity means that we get like visibility accountability and our authorization all in one place um plus the network communications controls that go through there as well it's it's a a remarkable switch that I think is probibly going to allow organizations who are already in the Realms of utilizing things like Casp in Reverse proxy mode you're effectively doing the same thing but now you're utilizing an identity service to do a lot of that workload for you comp complex Etc yeah on that positive note hey we are gonna have to segue into a break here to get give people time before our next session Simon that was nicely summarized Angelica what is the the last word from you before we break here actually I'm just going to say thank you to Simon it was great working with him the last few months we wrote this paper together we've had a lot of fun and thank you to Sans for having me Angelica Simon thank you so much there were a lot of questions and we'll try to get to them on the panel that you're on later Angelica Perfect all right thank you everybody virtual Round of Applause for Angelica and Simon we are going to take a short break for just over five minutes here and come back at the top of the hour for the next talk thank you guys so much appreciate you sharing all that knowledge thanks let's go ahead and get to our next session here

Original Description

Identity Modernization Understand the critical need for identity modernization and how to transition from traditional frameworks to agile, secure platforms like Entra ID. The session will emphasize modernizing private app access with Zero Trust Network Access (ZTNA) and expanding Conditional Access controls.
Watch on YouTube ↗ (saves to browser)
Sign in to unlock AI tutor explanation · ⚡30

Playlist

Uploads from SANS Institute · SANS Institute · 0 of 60

← Previous Next →
1 SANS FOR610: Reverse Engineering Malware: Malware Analysis Tools & Techniques
SANS FOR610: Reverse Engineering Malware: Malware Analysis Tools & Techniques
SANS Institute
2 SANS Institute Cybersecurity Training Customer Stories
SANS Institute Cybersecurity Training Customer Stories
SANS Institute
3 SANS Institute UK Cyber Academy
SANS Institute UK Cyber Academy
SANS Institute
4 SANS Institute UK Cyber Academy
SANS Institute UK Cyber Academy
SANS Institute
5 CISSP® Prep Exam, MGT414, by SANS Institute
CISSP® Prep Exam, MGT414, by SANS Institute
SANS Institute
6 SANS Institute's Rob Lee Discusses The OPM.GOV Hack on CNN
SANS Institute's Rob Lee Discusses The OPM.GOV Hack on CNN
SANS Institute
7 Information Security Training from SANS Institute - Student Testimonials
Information Security Training from SANS Institute - Student Testimonials
SANS Institute
8 SANS NetWars
SANS NetWars
SANS Institute
9 SANS DFIR NetWars
SANS DFIR NetWars
SANS Institute
10 Hack The Drone - SANS Cyber Academy UK
Hack The Drone - SANS Cyber Academy UK
SANS Institute
11 SANS VetSuccess Immersion Academy
SANS VetSuccess Immersion Academy
SANS Institute
12 SANS Cybersecurity Training, Certifications & Placement for Veterans
SANS Cybersecurity Training, Certifications & Placement for Veterans
SANS Institute
13 The 2015 SANS Holiday Hack Challenge
The 2015 SANS Holiday Hack Challenge
SANS Institute
14 SANS VetSuccess Academy: Hands-on Skills
SANS VetSuccess Academy: Hands-on Skills
SANS Institute
15 SANS VetSuccess Academy Overview
SANS VetSuccess Academy Overview
SANS Institute
16 SANS ICS Security Summit & Training 2017
SANS ICS Security Summit & Training 2017
SANS Institute
17 Exploring the Unknown Industrial Control System Threat Landscape – SANS ICS Security Summit 2017
Exploring the Unknown Industrial Control System Threat Landscape – SANS ICS Security Summit 2017
SANS Institute
18 WannaCry recap, patches, and analysis
WannaCry recap, patches, and analysis
SANS Institute
19 If We’re Doing So Well at Cyber Security, Why Are We Still Doing So Poorly?
If We’re Doing So Well at Cyber Security, Why Are We Still Doing So Poorly?
SANS Institute
20 Graduation Day - SANS HM Gov Cyber Retraining Academy
Graduation Day - SANS HM Gov Cyber Retraining Academy
SANS Institute
21 Incentivizing ICS Security: The Case for Cyber Insurance – SANS ICS Security Summit 2017
Incentivizing ICS Security: The Case for Cyber Insurance – SANS ICS Security Summit 2017
SANS Institute
22 SANS Data Breach Summit & Training 2017
SANS Data Breach Summit & Training 2017
SANS Institute
23 SANS Secure DevOps Summit & Training 2017
SANS Secure DevOps Summit & Training 2017
SANS Institute
24 How Threats Are Slipping In the Back Door - SANS ICS Security Summit 2017
How Threats Are Slipping In the Back Door - SANS ICS Security Summit 2017
SANS Institute
25 SANS Webcast – Continuous Opportunity: DevOps & Security
SANS Webcast – Continuous Opportunity: DevOps & Security
SANS Institute
26 SANS Cybersecurity Programs for the Department of Defense
SANS Cybersecurity Programs for the Department of Defense
SANS Institute
27 SANS Pen Test HackFest Summit & Training 2017
SANS Pen Test HackFest Summit & Training 2017
SANS Institute
28 SANS SIEM & Tactical Analytics Summit & Training
SANS SIEM & Tactical Analytics Summit & Training
SANS Institute
29 If We’re Doing So Well, Why Are We Still Doing So Poorly? – SANS ICS Security Summit 2017
If We’re Doing So Well, Why Are We Still Doing So Poorly? – SANS ICS Security Summit 2017
SANS Institute
30 SANS Institute
SANS Institute
SANS Institute
31 ICS515: ICS Active Defense and Incident Response
ICS515: ICS Active Defense and Incident Response
SANS Institute
32 SANS Institute
SANS Institute
SANS Institute
33 Introducing the NEW SANS Pen Test Poster
Introducing the NEW SANS Pen Test Poster
SANS Institute
34 SANS Institute - An Inside Look at the Newly Updated ICS515 Course
SANS Institute - An Inside Look at the Newly Updated ICS515 Course
SANS Institute
35 SANS ICS Security Training, Munich, Germany
SANS ICS Security Training, Munich, Germany
SANS Institute
36 SANS Automotive Summit Webcast
SANS Automotive Summit Webcast
SANS Institute
37 Privesc Playground - SANS Pen Test HackFest Summit 2017
Privesc Playground - SANS Pen Test HackFest Summit 2017
SANS Institute
38 Introduction to Reverse Engineering for Penetration Testers – SANS Pen Test HackFest Summit 2017
Introduction to Reverse Engineering for Penetration Testers – SANS Pen Test HackFest Summit 2017
SANS Institute
39 Honey, Please Don’t Burn Down Your Office: Fun with Smart Home Automation
Honey, Please Don’t Burn Down Your Office: Fun with Smart Home Automation
SANS Institute
40 SANS Security Operations Summit & Training 2018
SANS Security Operations Summit & Training 2018
SANS Institute
41 Sh*t Happens!  (But You Still Need to Drink the Water) – SANS ICS Summit 2018
Sh*t Happens! (But You Still Need to Drink the Water) – SANS ICS Summit 2018
SANS Institute
42 ICS Threat Intelligence: Moving from the Unknowns to a Defended Landscape – SANS ICS Summit 2018
ICS Threat Intelligence: Moving from the Unknowns to a Defended Landscape – SANS ICS Summit 2018
SANS Institute
43 You’re Probably Not Red Teaming (And Usually I’m Not, Either) – SANS ICS Summit 2018
You’re Probably Not Red Teaming (And Usually I’m Not, Either) – SANS ICS Summit 2018
SANS Institute
44 A Sneak Peak at the New ICS410
A Sneak Peak at the New ICS410
SANS Institute
45 Jumping Air Gaps – SANS ICS Summit 2018
Jumping Air Gaps – SANS ICS Summit 2018
SANS Institute
46 Introduction to Linux
Introduction to Linux
SANS Institute
47 Introduction to Malware Analysis
Introduction to Malware Analysis
SANS Institute
48 You’re Probably Not Red Teaming (And Usually I’m Not, Either) Webcast by Deviant Ollam
You’re Probably Not Red Teaming (And Usually I’m Not, Either) Webcast by Deviant Ollam
SANS Institute
49 Hacking your SOEL: SOC Automation and Orchestration – SANS Security Operations Summit 2018
Hacking your SOEL: SOC Automation and Orchestration – SANS Security Operations Summit 2018
SANS Institute
50 Hunting for Post-Exploitation Stage Attacks with Elastic Stack and the MITRE ATT&CK Framework
Hunting for Post-Exploitation Stage Attacks with Elastic Stack and the MITRE ATT&CK Framework
SANS Institute
51 Apples and Oranges?:  A CompariSIEM – SANS Security Operations Summit 2018
Apples and Oranges?: A CompariSIEM – SANS Security Operations Summit 2018
SANS Institute
52 SANS Webcast - Perimeter Security and Why it is Obsolete
SANS Webcast - Perimeter Security and Why it is Obsolete
SANS Institute
53 SANS Webcast - Trust No One: Introducing SEC530: Defensible Security Architecture
SANS Webcast - Trust No One: Introducing SEC530: Defensible Security Architecture
SANS Institute
54 The Science of Security: The Psychological Impacts of Security Awareness Programs
The Science of Security: The Psychological Impacts of Security Awareness Programs
SANS Institute
55 How I Pulled Off an Edgy Security Campaign – SANS Security Awareness Summit 2018
How I Pulled Off an Edgy Security Campaign – SANS Security Awareness Summit 2018
SANS Institute
56 Practical Advice for Submitting to Speak at a Cybersecurity Conference
Practical Advice for Submitting to Speak at a Cybersecurity Conference
SANS Institute
57 SANS Webcast - Consuming OSINT: Watching You Eat, Drink, and Sleep
SANS Webcast - Consuming OSINT: Watching You Eat, Drink, and Sleep
SANS Institute
58 SANS Webcast - Zero Trust Architecture
SANS Webcast - Zero Trust Architecture
SANS Institute
59 SANS STX Cyber Range
SANS STX Cyber Range
SANS Institute
60 Part 1 – SANS Institute and Tenable talk about cloud security
Part 1 – SANS Institute and Tenable talk about cloud security
SANS Institute

The video teaches the importance of identity modernization and how to transition from traditional frameworks to agile, secure platforms, emphasizing the use of zero trust network access and conditional access to improve security and visibility. It provides actionable steps for implementing these solutions, including setting up trust relationships and generating data logs. The video also highlights the challenges of legacy systems and the need for a cloud-centric approach to identity and access m

Key Takeaways
  1. Implement conditional access policies
  2. Set up trust relationships
  3. Generate more data and logs showing user actions and behaviors
  4. Gradually replace parts of the old system
  5. Implement phishing-resistant authentication
  6. Migrate Legacy authentication to Azure AD
  7. Adopt a hybrid approach
  8. Evolving to a cloud-first approach
💡 The video highlights the importance of a cloud-centric approach to identity and access management, emphasizing the need to transition from traditional frameworks to agile, secure platforms like Entra ID, and leveraging Microsoft services to improve security and visibility.

Related Reads

📰
AI Is Not the Enemy of Journalists, but a Test of Journalism’s Integrity
AI is transforming journalism, but its impact depends on the integrity of journalists, who must learn to work with AI tools while maintaining ethical standards
Medium · AI
📰
Apple Sends Letters to Dozens of Former Employees Now at OpenAI
Apple is taking aggressive legal action against former employees now at OpenAI, demanding document preservation and meetings with lawyers, in relation to a recent lawsuit
Daring Fireball
📰
At 50, AI Didn’t Just Change How I Work. It Gave Me a New Hobby With My Granddaughter.
Discover how AI can spark new hobbies and income streams, even at 50, by combining passions with cutting-edge technology
Medium · ChatGPT
📰
Canada’s ‘AI For All’ Fails to Define AI At All
Canada's 'AI For All' strategy lacks a clear definition of AI, which is crucial for its successful implementation and understanding
Medium · LLM
Up next
What is SynthID Explained with Examples
VLR Software Training
Watch →