Mark Renoden

Transforming Identity in the Enterprise

Updated: Oct 23

A frequent request I come across in my role as an Identity Architect at Increment is to improve the security posture of on-premises Active Directory, by augmenting a legacy deployment with modern controls and mitigations.

 

Microsoft and other vendors offer integration with modern cloud-based technologies for this purpose; examples include Entra Private Access, Entra App Proxy, the Defender suite of products, and so on. 


Increment, too, offers a unique approach to Privileged Access Management for Active Directory that enables just-in-time elevation, abstracts key administrative accounts from the core directory, and provides mitigation against lateral movement attacks.


While these solutions help increase security in the short term, they are all tactical mitigations that should not be considered strategic or long-term.

 

In an earlier life, I was an author of Microsoft’s Road to the Cloud guidance. These documents provide an overview for taking a typical, legacy on-premises Enterprise using Active Directory, and evolving the infrastructure into a cloud-only deployment. On reflection, these documents could be improved in an important way; instead of framing the conversation as “this is something you could do”, they should say “this is something you should do”. 


Active Directory 

Active Directory, or Active Directory Domain Services (AD DS) as it was eventually re-branded, was first previewed in 1999. Consider that date. Most enterprise infrastructures in the world today rely on a 25-year-old Identity service.


Now reflect on how organisations were doing business in 1999. There were few cloud services, networks were isolated, remote access was rare, organisational collaboration was in its infancy and threat actors had limited opportunities for infiltration. 


Today we collaborate across thousands of cloud apps, we share our resources extensively, our networks are connected to the Internet (and often more open than we realise), and Nation State threat actors employ specialists to compromise our infrastructure and to exfiltrate our intellectual property. 


A recent paper co-published by ASD/ACSC (Australia), CISA (USA), NSA (USA), CCCS (Canada) and NCSC (UK) identifies seventeen of the most common Active Directory compromises and discusses detections and mitigations for each. While this is extremely valuable guidance, it also highlights the technical challenges for securing AD DS in the modern security landscape. 


In 1999, Active Directory was a powerful Identity service. In 2024, it is not fit-for-purpose. 


The Journey Forward 

I encourage every CTO, every CISO and every technology leader to chart a course to the future. Most enterprises operate on infrastructure that has existed for decades. The path out of these environments is extremely challenging, but it’s necessary. The cloud-based tactical integrations mentioned earlier offer critical support but maintaining AD DS should not be the desired end-state. 


Instead, set a five-to-seven-year goal and with intent, modernise apps, transform user experiences, cloud-connect devices, manage from the cloud and embrace modern security principles. 


The Ideal End-State 

Every organisation is different and carries its own requirements. In broad terms, the end-state to aim for includes:

  • Modern apps that utilise modern authentication protocols (OIDC, SAML, etc.) and are integrated with a modern Identity platform such as Microsoft Entra. 

  • Cloud-only users who authenticate using phish-resistant, passwordless authentication like Passkeys (FIDO2) and Windows Hello for Business. 

  • Cloud-attached devices managed from the cloud with an MDM such as Microsoft Intune. 

  • Integration with cloud-based security products that benefit from the latest machine learning and AI models like the Microsoft Defender suite. 

  • A data security implementation such as Microsoft Purview that applies controls and policies to your information. 

  • Governance of Identity lifecycle and application access delivered by the Identity platform such as that included with Microsoft Entra Suite. 

  • Real time authorisation controls that enforce multi-factor authentication such as those provided by Microsoft Entra’s Conditional Access. 

  • No on-premises server or service architecture. 


A Realistic End-State 

In many cases, almost all the recommendations for an ideal end-state are achievable. Success is a question of time, resources and intent. 


The most challenging aspects of the above are: 

  • Modernising all apps, and 

  • Removing all on-premises servers or services. 


The legacy “tail” that continues to wag almost certainly ensures AD DS remains in some capacity. This is what Microsoft refers to as Active Directory minimised.


The most important principles to enforce in this configuration are: 

  • Integrate the remaining infrastructure with cloud security (e.g. Microsoft Defender for Identity). 

  • Users do not have access to the resource network (only tightly controlled administrators have this access). 

  • Only users who require access to on-premises services are provisioned to AD DS (are hybrid users). 

  • Access to services is provided using a Zero Trust point-to-point solution such as Entra Private Access integrated with Conditional Access.

  • As legacy systems age out, replace them with modern cloud alternatives. 


Making it Real 

The prospect of removing AD DS and shifting an enterprise to the cloud is a daunting task. As they say, “A journey of a thousand miles begins with a single step”. 


The technology for transforming Identity in the enterprise exists today. The first step in achieving such a transformation is a policy decision at an organisational level to: 

  • Examine processes and policies which may introduce new dependencies to AD DS and eliminate them. 

  • Require that all net-new technology solutions are cloud-first. 

  • Embrace easy wins (such as modernising user devices and enabling phish-resistant passwordless authentication). 

  • Remove users from your resource network and provide access using Zero Trust point-to-point technology.

  • Tackle app modernisation systematically and as old systems age out. 

  • Set a sensible timeline for the desired end-state (years not months). 

 

Take action today to secure your enterprise's future.

At Increment, we understand transformation takes time and we have developed a solution that provides just-in-time elevation, abstracts critical admin accounts from the core directory, and mitigates lateral movement risks. If you would like to understand how our solution works, please reach out.
