Dark Reading is part of the Informa Tech Division of Informa PLC

1/16/2020 10:00 AM
Raz Rafaeli
Commentary

Active Directory Needs an Update: Here's Why

AD is still the single point of authentication for most companies that use Windows. But it has some shortcomings that should be addressed.

Tried and true, Active Directory has been managing permissions and access to networked resources for two decades. It's a system that has weathered storms, cyber, organizational, and competitive, and has remained the backbone of most IT environments.

AD remains the single point of authentication and authorization for most companies that use Windows networking products or operating systems. It controls access to all critical resources, and it's the linchpin for any major project or initiative. And that remains true even in an era when more companies are leveraging the cloud and supporting a mobile-first approach.

The Cloud, On-Premises, and the AD Identity Crisis
One of the secrets of AD's longevity has been its ability to evolve in response to new needs and challenges. Even so, "the need for Active Directory modernization" has become a major point of IT industry discussion in recent years. AD has been accused by some of having an identity crisis (pun intended), although there are almost as many opinions on how to solve that crisis as there are users of AD.

Three issues need to be addressed for AD to serve the next generation of computing:

Issue 1: User management in multiple environments. IT systems today are made up of a combination of environments and platforms, both on-premises and cloud-based, and users access them using a variety of methods, from desktops and laptops to mobile devices and virtual desktop infrastructure (VDI). To manage authentication across environments, organizations use Azure AD Connect, the synchronization tool that projects on-premises identity infrastructure into Microsoft Azure Active Directory.

However, the security controls on Azure Active Directory are different from those of on-premises AD deployments; Azure AD, for example, has built-in multifactor authentication (MFA), while on-premises AD offers nothing comparable out of the box beyond smart card logon. So why not just switch to Azure AD? Because, as Microsoft says, "Azure Active Directory is not designed to be the cloud version of Active Directory. It is not a domain controller or a directory in the cloud that will provide the exact same capabilities with AD." Clearly, an update to AD is needed.

Issue 2: Security. Azure AD has the right idea; MFA is more secure than the password-based Kerberos single sign-on (SSO) that AD relies on, where proving a password to a domain controller once yields a ticket-granting ticket that silently opens every resource the user is authorized for. Organizations can bolt MFA onto AD, but in hybrid environments it is often never challenged: the on-premises SSO session, obtained with a password alone, is what grants users access to online resources. With the threat landscape so vast, and increasingly damaging, multiple authentication factors are a must for both cloud-based and on-premises systems.

Issue 3: Regulations. One major factor that demands an AD update is the tightening security requirements of regulatory bodies, which increasingly require that online services use MFA. Previously, customers would ask about Active Directory modernization when they needed help with AD migration, consolidation, or restructuring. Today, with data breaches wreaking havoc, the push for AD modernization is converging with the need for strong cybersecurity.

The Drive for Digital Transformation Makes AD More Important
All these factors play into the need for AD modernization. The popularity of AD has become its own Achilles' heel; because companies relied so strongly on it during the on-premises computing era, they built their entire IT infrastructure around it. Now, as data, services, and activity move to the cloud, there is a "disconnect" between the authentication methods used by organizations and the authentication requirements for online services, whether they're required for the security of the service or by regulators.

Many AD infrastructures are 10 to 15 years old and have grown significantly over time. Those relying on AD have learned that these early deployments are often ill-equipped to meet the needs of today's technologies and business demands; this is especially true for large organizations with complex infrastructures. Without proper cleanup and consolidation, organizations could carry stale accounts, excess privileges, and forgotten trusts into the cloud, and the security and compliance risks that come with them.

Identity Management with Identity Crisis
The key to AD security is balancing the need to streamline user access to maximize productivity against the need to protect sensitive data and systems from both accidental and deliberate privilege abuse.

But AD authentication is limited to either passwords or smart cards, and each carries its own drawbacks. Passwords can be lost, forgotten, phished, or cracked. [Editor's note: The author's company is one of a number that offer passwordless MFA.] Because AD relies on a username and password to bootstrap the SSO that grants authenticated users access to everything, an attacker who steals, guesses, or tricks a user into giving up their credentials gains access to those same systems, with AD as an active accomplice. The philosophy of AD authentication was designed for simpler times, before credential-stealing malware was commonplace and before attackers routinely used social engineering to extract credentials from users.

AD also supports smart card logon, which takes the password out of the equation and with it the risk that an impostor logs in with stolen or phished credentials. But card management has its own issues; it's more expensive than username/password authentication, since the company has to buy the cards, and lost cards mean more costs for replacements. Presumably, employees will report immediately if they lose their cards, but card authentication rests on the domain trusting the certificate authorities that issue logon certificates. If one of those CAs is compromised or misconfigured, it can mint a logon certificate for any account, so simply not losing one's card guarantees little.
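The following PowerShell is an added example and is not code from the article or from the author's company. It audits a domain for the two native AD credential types described above: enabled accounts that can still log on with a password alone, accounts that enforce smart card logon, and the certificate authorities the domain trusts to issue smart card logon certificates (the NTAuth store). It assumes the RSAT ActiveDirectory module on a domain-joined host with rights to read user objects, a group named Domain Admins, and the SMARTCARD_REQUIRED bit (0x40000) in userAccountControl.

```powershell
# Added example, not from the article. Audits native AD credential posture:
# which enabled accounts still rely on a password alone, which enforce smart
# card logon, and which CAs the domain trusts to issue logon certificates.
# Assumes the RSAT ActiveDirectory module on a domain-joined host.
Import-Module ActiveDirectory

# SMARTCARD_REQUIRED bit in userAccountControl; ACCOUNTDISABLE is 0x2.
$SmartcardRequired = 0x40000

# Enabled user accounts only. The matching-rule OID 1.2.840.113556.1.4.803 is LDAP's bitwise AND.
$enabledUsers = Get-ADUser -LDAPFilter '(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))' `
    -Properties userAccountControl, PasswordLastSet, PasswordNeverExpires

$smartCardOnly = @($enabledUsers | Where-Object { $_.userAccountControl -band $SmartcardRequired })
$passwordOnly  = @($enabledUsers | Where-Object { -not ($_.userAccountControl -band $SmartcardRequired) })

"{0} enabled accounts: {1} enforce smart card logon, {2} can still log on with a password alone" -f `
    @($enabledUsers).Count, $smartCardOnly.Count, $passwordOnly.Count

# Highest-value targets first: members of Domain Admins without smart card enforcement.
# A stolen or phished password for any of these hands an attacker the whole forest.
"Domain Admins still accepting password logon:"
Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties userAccountControl, PasswordLastSet |
    Where-Object { -not ($_.userAccountControl -band $SmartcardRequired) } |
    Select-Object SamAccountName, PasswordLastSet |
    Format-Table -AutoSize

# Password-only accounts whose password never expires compound the exposure.
"Password-only accounts with non-expiring passwords:"
$passwordOnly | Where-Object { $_.PasswordNeverExpires } |
    Select-Object SamAccountName, PasswordLastSet |
    Format-Table -AutoSize

# The CAs whose certificates the domain accepts for smart card logon (NTAuth store).
# Any CA listed here can issue a logon certificate for any account, so its own
# security bounds the assurance smart cards provide.
"CAs trusted for smart card logon (NTAuth):"
certutil -store -enterprise NTAuth
```

Run it from an elevated, domain-joined PowerShell session; the NTAuth listing is the part to review most carefully, since every CA it shows is effectively a password-free path to any account in the domain.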

MFA for All
Cognizant of the problems and sensing a market opportunity, vendors by the dozen offer MFA add-ons for AD. Second factors can include one-time passwords sent via text message, biometrics (fingerprints, etc.), smart cards, hardware tokens, and even voice authentication.

While these are certainly more secure than username/password authentication, there are no guarantees; second factors can themselves be attacked (SMS one-time codes via SIM swapping, for instance), some more easily than others. And the password remains in play as the first factor, so every attack on it still applies. To be more secure, it would be best to do away with that first factor altogether and implement stronger authentication methods. This, of course, would significantly affect AD, which is so strongly tied to credential-based SSO, which speaks to the need for a major update.

Raz Rafaeli, CEO and Co-Founder at Secret Double Octopus, is a results-driven business executive with more than 25 years of technology and leadership experience in the software, security, semiconductor, and telecom industries. Previously, Raz was the CEO of MiniFrame and ...
Comments

couponwafy, User Rank: Apprentice, 1/29/2020 | 10:08:09 AM
This Important
I think this final alert :)

MORS, User Rank: Apprentice, 1/19/2020 | 5:24:32 AM
Re: Issue
We completely agree