Azure Active Directory syncing to on-premises AD: Is it as secure as you think?

The cloud. Those of us in IT for any length of time have been hearing about this elusive creature for a decade or more now. At first, we rejected it. “That’ll never happen. My infrastructure isn’t going into the cloud!” Sound familiar? It should; I’ve said it myself many times.

But time marches on, and so does technology. So fast forward to today’s IT world, and we find ourselves — most of us anyway — managing a hybrid scenario in which we’re syncing our on-premises Active Directory (AD) to the ever-so-blue, intangible Azure AD cloud. Why? Because there are some pretty cool features, such as platform-as-a-service (PaaS) and software-as-a-service (SaaS) offerings, that actually save our companies money, lighten IT administrative loads and offer a secure environment — or so they say.

This, of course, brings me to my topic for this blog post. Those stated assumptions are laced with truth and misconceptions, and it’s my goal to examine these with you. So, let’s puzzle this out together, apply some logic and see what we can uncover.

Let’s tackle the main issue first: security. Microsoft has invested a great deal in the security of Office 365 and Azure AD. In fact, Microsoft not only touts this, they back it up with built-in guarantees and service-level agreements (SLAs). However, the top ways companies are breached or harmed include:

  • Insider threats — People who have been granted access and abuse that access
  • Social engineering — Someone gaining the trust of or enough information from an internal employee to use that person’s privileges to gain access
  • Accidental harm — Someone with privileged access making a mistake and causing harm to the environment

None of these qualify as external threats. Every scenario already has access internally. If we apply these methods to our hybrid or even pure cloud environments, we can see that we still have the same old vulnerabilities — people — that existed before the current well-formed cloud was even a misty dream in someone’s mind.

Here’s an example of a hybrid scenario to help illustrate, even in a small way, what I’m trying to convey. Let’s use sensitive data and sensitive access to drive this home.

A company has an on-premises finance group that’s part of the Azure AD sync. The group is intended to give just its members — upper management and finance executives — access to sensitive data. Before cloud resources were even part of this company’s environment, this group provided access to the company’s finance applications as well as access to sensitive data stored in places like shares or a warehouse.

Now that the company utilizes cloud resources, a SaaS-based finance application has been introduced, and an Azure storage location contains sensitive data. These cloud resources can be either in addition to the on-premises solutions or maybe replacements.

The important point is that the synced on-premises group is the source of record for these members and for all resources — on premises or in the cloud. The on-premises version of the group provides access to on-premises resources, and the cloud version of the group provides access to cloud resources. Another important point is that on-premises user accounts are also synced to the cloud.

Now that we’ve established the groundwork sufficiently, let’s place a member of IT in this mix who has enough access to modify the membership of the on-premises group. Maybe this person misunderstood a work order request, or accidentally selected the wrong group when making a change. Whatever the reason, this person accidentally adds a bunch of other members to this group who aren’t supposed to be there. With AD Connect syncing your environment, this mistake replicates into Azure AD. These unwanted members now have access to everything on premises as well as in the cloud.

If you don’t have auditing in place or, even better, preventative measures that don’t allow this kind of mistake to occur at all, this mistake could go undetected for quite some time: definitely long enough for an unscrupulous person to realize they have this access and take advantage of it, or simply to make an innocent mistake. Either way, a security breach has occurred.
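The membership-drift and audit check the scenario above calls for, as an added PowerShell example that is not code from the original post or from Quest. It assumes the RSAT ActiveDirectory module on a domain controller with group-membership auditing enabled; the group name, baseline file path and lookback window are placeholders.

```powershell
# Added example: catch an unapproved change to a sensitive, synced AD group and show who made it,
# ideally before the next AD Connect sync cycle replicates it into Azure AD.
# Assumptions (placeholders): group name, baseline file path, lookback window.
Import-Module ActiveDirectory

$GroupName    = 'Finance-Sensitive'              # placeholder: the synced finance group
$BaselinePath = 'C:\Audit\finance-baseline.txt'  # placeholder: one approved sAMAccountName per line
$LookbackMin  = 30                               # AD Connect's default sync interval is 30 minutes

# 1. Compare live (recursive) membership against the owner-approved baseline.
$approved = Get-Content $BaselinePath | ForEach-Object { $_.Trim() } | Where-Object { $_ }
$current  = Get-ADGroupMember -Identity $GroupName -Recursive |
            Where-Object objectClass -eq 'user' |
            Select-Object -ExpandProperty SamAccountName

$added   = @($current  | Where-Object { $_ -notin $approved })
$removed = @($approved | Where-Object { $_ -notin $current })

if ($added.Count -gt 0) {
    Write-Warning "Unapproved members in $GroupName (will sync to Azure AD): $($added -join ', ')"
    # Remediation, to be run deliberately after review:
    # Remove-ADGroupMember -Identity $GroupName -Members $added -Confirm:$false
}
if ($removed.Count -gt 0) {
    Write-Warning "Approved members missing from $GroupName: $($removed -join ', ')"
}

# 2. Pull recent 'member added to security-enabled group' events on this DC for attribution.
#    4728 = global group, 4732 = domain-local group, 4756 = universal group.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4728, 4732, 4756
    StartTime = (Get-Date).AddMinutes(-$LookbackMin)
} -ErrorAction SilentlyContinue

foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    $xml.Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
    # TargetUserName is the group; MemberName is the DN of the account that was added.
    if ($data['TargetUserName'] -eq $GroupName) {
        '{0}  {1}\{2} added {3} to {4}' -f $e.TimeCreated, $data['SubjectDomainName'],
            $data['SubjectUserName'], $data['MemberName'], $data['TargetUserName']
    }
}
```

Run it on a schedule shorter than the sync interval (or trigger it from a 4728/4732/4756 event subscription) so the warning reaches an administrator before the change reaches the cloud.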

This example shows that the cloud is no more secure than any other environment without proper management, auditing and reporting.

A hybrid Active Directory environment only increases the attack surface. So, the other two assumptions about saving money and lightening the IT admin’s load are only true if both the on-premises and cloud environments are well managed.

In short, the same old truths apply today as they did a decade ago (and longer). The good news: Quest offers the comprehensive solutions you need to manage, audit and secure your complex, sometimes overwhelming, hybrid environment. Our solutions include on-premises and SaaS offerings that can proactively prevent, quickly recognize and alert on, restore from and manage changes to reduce your attack surface, giving your company the visibility required to turn an intangible element like the cloud into something tangible that can truly deliver on those promised assumptions.

For more information, check out this white paper, Azure Active Directory and Office 365 Security — Don’t Let Your On-Premises AD Be Your Achilles' Heel, where we explore a best-practices methodology for governing your hybrid environment.
