The recent wave of ransomware attacks means that it is necessary for organizations to reassess their security strategies. User identities can be the most vulnerable access point. Password synchronization between your AD and the cloud can be an effective way of protecting them. Read on to find out how to secure your business against potential threats.
The internet has become a dangerous place and at the same time, it’s established our new perimeter. With this change, security is one of the main concerns of modern organizations.
Don’t get me wrong – it was always a concern, but right now it is usually the number one issue raised by the companies when we start talking about leveraging cloud-related projects.
It is YOU who’s in charge of your company’s security. You’ve created its perimeter security, put controls on the network, created security policies. You took care of it all.
And now – someone wants to compromise it and put your users in the cloud! As well as your resources!
What the hell!
I’ve stressed it many times and I will stress it again. You can’t rely on standard measures alone these days. User identity is the new control plane and your perimeter. This is what stands between your resources and applications, and in most cases, it is also what protects your organization from being compromised.
It is much easier to break your user’s account than it is to break your network perimeter.
Therefore, we need to protect user identities. How are they secured? Usually still with passwords. We also have a few additional weapons in the arsenal which we have covered here, such as MFA, conditional access and so on.
In this article, based on our experience of projects and customers’ environments, I will provide you with all the answers you need to make the right and well-informed decision about approaching this new reality.
I will also make the case for password synchronization from a new and unexpected angle, which is a direct result of one of our customers’ experience in the wake of NotPetya.
Finally, I will give you three reasons why password synchronization might be beneficial to your organization right now.
In our cloud projects, be it Office 365 deployment or Azure application, one of the first areas to address is setting up on-premises-to-cloud authentication and authorization.
To put it simply – let your users access cloud resources.
For that we need to establish two elements:
Identity information synchronization is usually the easier part to get approved by the organization and its policies:
Now that we have it covered, it’s time for the authentication part.
There are four options you can choose from:
Let’s ditch the cloud-only accounts – no one needs additional passwords, we have too many of them. The other three options look viable.
Two of them depend on the on-premises infrastructure. Password synchronization is independent of it – at least from the moment of sync until the next password change.
If you go with password synchronization, is it safe!? Why would you want to go with it anyway?!
What we see among our clients is that more and more organizations are choosing either password sync or, gradually, pass-through authentication over the federation approach.
This is the usual reaction when I start this discussion with our customers.
No, it is not going to happen. Maybe others, but we are not doing it. Our passwords in the cloud! You are joking!
First of all, it is never your password that goes to the cloud. It’s the password hash! There is a huge difference between the two. The password hash is obtained by calculating a value from the original password with a mathematical function.
If done right, there is no way to derive the original password from the hash. Or at least it is hard and time-consuming – which in practical terms means: no way!
Your local AD stores passwords as hashes as well.
You’ve got it right regarding Pass-the-Hash, but actually, the hash in AD is not the same as the one in Azure AD (cloud). The process is slightly different:
Lots of hashing on the way. This is all to ensure:
So, password synchronization is actually a safe process of password hash synchronization. Its name might mislead you to think that it is the password which is synchronized. But it is not!
Password hash synchronization just sounds too scary!
It has one key advantage over other methods – once the password is synchronized, it works completely independently from the on-premises environment.
Is it really an advantage?
Here is where we come to our customer case and the not-so-obvious case for password (hash) sync.
Have you seen The Walking Dead TV series? Or Mad Max? They have one thing in common – the characters need to survive in a post-apocalyptic world.
What is the equivalent of an apocalypse in an IT environment? One of our large customers recently wrote their own definition of it, when all their resources were hit and effectively destroyed by the NotPetya attack.
Anything that was not damaged was switched off to prevent NotPetya from spreading further in the network.
All. Null. A complete IT BLACKOUT!
Can you imagine it? Everything gone, including all your Active Directory resources. You have nothing left!
Actually… not quite. The business still had its Office 365 and Azure AD up and running in the cloud.
They used AD FS (the federation approach) but luckily, shortly before the NotPetya apocalypse struck, they had synchronized their passwords (as hashes) to Azure AD.
After NotPetya wiped out their network, they were still able to give employees access to cloud resources with the same passwords and keep communication flowing. That was crucial for recovery and for keeping the company afloat at that moment.
This might not be the intended use of password synchronization, but you have to admit that it is handy. And actually, it cuts all the ties between the on-premises environment and the cloud environment, while still keeping it easy to use for users.
I hope you now have all the knowledge you need about what password synchronization is and what it means for your organization.
To make sure you are FULLY prepared for a discussion and decision, I will provide you now with three additional benefits of syncing passwords to the cloud.
Word of advice here – if you do enable it, then make sure that you take the security of your AAD Connect infrastructure seriously, and that you protect its service account and access to the service. It handles the crucial operations of receiving and re-hashing your AD password hashes.
If someone takes over the service account, they gain the privilege to obtain these hashes from your AD and can abuse them.
I hope this article will help you in your daily work and discussion with your peers.
If you have any more questions related to this subject, then feel free to contact us!