The choice to migrate to Office 365 (O365) always ultimately comes down to a weigh up between the benefits – work applications that provide freedom, flexibility and productivity – and the risks.
One of the most common concerns is the risk of company data being transitioned from inside the office walls into the cloud. This has been an ongoing process over the past two decades but there are still some parts of the company infrastructure that are considered sacred, which companies still hesitate to migrate. Active Directory (AD) is one of those and in this blog we explain why and what organisations can do to mitigate the risk of migration.
What is Active Directory?
Active Directory started off as an internal database on all employees and their security privileges. However, over time AD has grown to have much greater functionality. It manages communication between users and domains; includes login authentication and search functionality; it creates, distributes, and manages secure certificates; it supports directory-enabled applications; it provides single-sign-on (SSO) to authenticate a user in multiple web applications in a single session; and even protects copyrighted information by preventing unauthorised use and distribution of digital content.
Put simply, AD authenticates and authorises all domains, users and ‘objects’ in a network.
Why is Active Directory moving to the cloud?
Active Directory is the latest part of a company’s network – which would have traditionally been hosted on-premises – to be transitioned to the cloud. By the nature of its function, AD holds some of the most sensitive information on an organisation’s employees and their internal security makeup – which means that it is probably one of the last parts of their infrastructure to make the journey into the cloud. However, its relocation outside of the company walls as part of O365 is simply the next stage in the overall trend of eroding the traditional company perimeter.
Remember that Microsoft has been on the same cloud journey that most organisations have. Exchange has become Exchange Online, SharePoint has moved to the cloud, AD has become Azure AD.
What are the risks?
AD taken offline by attack
Active Directory is sometimes likened to a company’s “crown jewels” because it has such wide-reaching control of how users, domains and objects interact on and off the network. If criminals were to take it offline, employees wouldn’t be able to access any applications, the IT team itself would be shut out, and the organisation would grind to a standstill.
As such, a better way to look at AD is as the keys to the kingdom. It needs to be protected against the type of criminals who are not necessarily looking to steal an organisation’s valuable data or intellectual property, “the crown jewels”, but who want to stop the kingdom from being able to function altogether.
The worst-case scenario - NotPetya
The shipping conglomerate Maersk found out just how vital AD really is in 2017 when almost all of its online backups of AD were taken offline by the NotPetya malware. Maersk’s network, which covers 574 offices across 130 countries, was crippled within just seven minutes and it took nine days to get AD back online. In the end, the company was saved by chance - a power cut in Lagos meant that one of its AD backups was offline at the time of the attack - and their systems could eventually be restored.
Active Directory taken offline by Azure outage
Moreover, intentional criminal acts to take AD offline aren’t the only risk. As AD is now hosted in Azure, many organisations fully reliant on Microsoft will be brought completely offline if Azure has an outage. Understandably then, many organisations may feel more comfortable holding AD within their own infrastructure.
AD account takeover attacks
Finally, there is the risk of criminals targeting individual user’s AD accounts. At the RSA Conference in February, Microsoft announced that they believe 0.5 percent of Azure AD accounts are compromised every month.
That equates to 1.2 million accounts breached a month, with 40 percent of those attributed to simple credential stuffing attacks. Once an account is compromised, criminals can use it to launch new phishing campaigns, or escalate privileges within the organisation.
Improving Active Directory security in Office 365
Laid down on paper, the risks of migrating AD to the cloud sound quite scary. However – as with migrating any infrastructure to the cloud – migration does not have to mean that a company is compromised. The way organisations approach security and risk simply has to adapt to be fit for a cloud environment, rather than an on-premises environment.
When migrating AD to O365 there are steps that can be taken to ensure businesses are protected.
To prevent AD outage issues
It is critical that organisations have backups in place for AD in the event of an Azure outage or cyber-attack. This may mean keeping a backup on-premises or using a trusted partner to host a backup of AD outside of the Microsoft environment to assure that work can continue as usual in the event of an incident.
If an organisation is adopting a hybrid identity model and has already set up some user identities in Azure AD, it can synchronise those users to AD on-premises.
Reduce impact of large scale data breaches by protecting user accounts with more than just passwords.
To protect against attacks on user accounts
The trick to protection in a cloud environment is in utilising multiple layers of security to re-establish the barrier between cyber criminals and an organisation’s sensitive data. Those concerned about the security of Active Directory should find security providers complimentary to O365 who can provide additional protection beyond what is already provided by Microsoft.
Multi-factor authentication (MFA) – for example – will ensure that the organisation is protected even if AD is compromised, as it requires users to authenticate themselves with more than just a password. This would stop the 40 percent of AD account takeover attacks that are achieved through credential stuffing.
After setting up Office 365 subscriptions and licences for users, it’s also crucial to check that access rights and permissions are set correctly. This will ensure that users will only have access to data they need based on their functional role (or group membership) as well as preventing employees from accessing or sharing unauthorised data.
To ensure organisations are kept safe throughout their O365 journey we have created Defence365, a practical best-of-breed solution provided alongside expert advice to enhance the protection and performance of your O365 environment. To find out more about how we can help you secure your business visit our Defence365 hub.