Dark Reading

Risk | Commentary
1/16/2020, 10:00 AM
Raz Rafaeli
Active Directory Needs an Update: Here's Why

AD is still the single point of authentication for most companies that use Windows. But it has some shortcomings that should be addressed.

Tried and true, Active Directory has been managing permissions and access to networked resources for decades. It's a system that has weathered storms — cyber, organizational, and competitive — and has remained the backbone of most IT environments.

AD remains the single point of authentication and authorization for most companies that use Windows networking products or operating systems. It controls access to all critical resources, and it's the linchpin for any major project or initiative. And that remains true even in an era when more companies are leveraging the cloud and supporting a mobile-first approach.

The Cloud, On-Premises, and the AD Identity Crisis
One of the secrets of AD's longevity has been its ability to evolve in response to new needs and challenges. As such, the topic of "the need for Active Directory modernization" has become a major point of IT industry discussion in recent years. AD has been accused by some of having an identity crisis (pun intended), although there are almost as many opinions on how to solve that crisis as there are users of AD.

With that in mind, there are three issues that need to be addressed for AD to serve the next generation of computing:

Issue 1: User management in multiple environments. IT systems today are made up of a combination of environments and platforms, both on-premises and cloud-based, and users access them using a variety of methods, from desktops and laptops to mobile devices and virtual desktop infrastructure (VDI). To manage authentication across environments, organizations use the Azure Active Directory (Azure AD) Connect management tool, which connects on-premises identity infrastructure to Microsoft Azure Active Directory.

However, the security controls on Azure Active Directory are different from those of on-premises AD deployments; Azure AD, for example, supports multifactor authentication (MFA), while AD does not natively support MFA. So why not just switch to Azure AD? Because, as Microsoft says, "Azure Active Directory is not designed to be the cloud version of Active Directory. It is not a domain controller or a directory in the cloud that will provide the exact same capabilities with AD." Clearly, an update to AD is needed.

Issue 2: Security. Azure AD has the right idea; MFA is more secure than the Kerberos-based single sign-on (SSO) authentication used by AD. AD users have the option to implement MFA — but not in hybrid environments, where SSO is in control and gives users access to online resources. With the threat landscape so vast — and increasingly lethal — today, multiple authentication factors are a must for both cloud-based and on-premises systems.

Issue 3: Regulations. One major factor that demands an AD update is the increasing security requirements of regulatory bodies. Increasingly, regulators are requiring that online services utilize MFA. Previously, customers would ask about Active Directory modernization when they needed help with AD migration, consolidation, or restructuring. Today, with data breaches wreaking havoc, the push for AD modernization is converging with the need for strong cybersecurity.

The Drive for Digital Transformation Makes AD More Important
All these factors play into the need for AD modernization. The popularity of AD has become its own Achilles' heel; because companies relied so strongly on it during the on-premises computing era, they built their entire IT infrastructure around it. Now, as data, services, and activity move to the cloud, there is a "disconnect" between the authentication methods used by organizations and the authentication requirements for online services, whether they're required for the security of the service or by regulators.

Many AD infrastructures are 10 to 15 years old and have grown significantly over time. Those relying on AD have learned that these early deployments are often ill-equipped to meet the needs of today's technologies and business demands; this is especially true for large organizations with complex infrastructures. Without proper cleanup and consolidation, organizations could face security and compliance risks once they get to the cloud.

Identity Management with Identity Crisis
The key to AD security is balancing the need to streamline user access to maximize productivity against the need to protect sensitive data and systems from both accidental and deliberate privilege abuse.

But AD authentication is limited to either passwords or smart cards, each of which carries its own drawbacks. Passwords can be lost, forgotten, and, of course, hacked. [Editor's note: The author's company is one of a number that offer passwordless MFA.] If AD relies on a username and password for its efficient SSO that allows authenticated users access to everything, a hacker who steals, guesses, or tricks a user into giving up their credentials will be able to access systems, with AD as an active accomplice. The philosophy of AD authentication was based on simpler times — before there was a plethora of malware to steal user credentials, and before hackers were able to use social engineering techniques to extract credential information from users.

AD also allows logins using smart cards, eliminating the possibility that imposters will be able to log in to systems with compromised authentication information. But card management has its own issues; it's more expensive than username/password authentication — the company has to buy the cards, which can be lost, meaning more costs for new cards. Presumably, employees will report immediately if they lose their cards, but since card authentication is based on trusting certificate authority certificates, which can be hacked, simply not losing one's card doesn't necessarily guarantee anything.

MFA for All
Cognizant of the problems and sensing a market opportunity, vendors by the dozen offer MFA solution add-ons for AD. Second factors can include one-time passwords sent via text message, biometric authentications (thumbprints, etc.), smart cards, tokens, and even voice authentication.

While these are certainly more secure than username/password authentication, there are no guarantees; second factors can be hackable, some more than others. And if the username/password is already compromised, we're back where we started. For a more secure user experience, it would be best to do away with that first factor altogether, and implement more secure authentication methods. This, of course, would significantly impact AD, which is so strongly associated with credential-based SSO, speaking to the need for a major update.


Raz Rafaeli, CEO and Co-Founder at Secret Double Octopus, is a results-driven business executive with more than 25 years of technology and leadership experience in the software, security, semiconductor, and telecom industries. Previously, Raz was the CEO of MiniFrame and ...
Comments (newest first)

couponwafy (User Rank: Apprentice), 1/29/2020 10:08:09 AM
This Important
I think this final alert :)

MORS (User Rank: Apprentice), 1/19/2020 5:24:32 AM
Re: Issue
We completely agree

SEODan (User Rank: Apprentice), 1/16/2020 11:41:03 AM
Issues
The 2nd issue you mentioned is the most concerning imho.