Common blockers to avoid when transforming with a hybrid estate

The importance of maintaining a secure external perimeter and securing the blurred lines between cloud surface and On-Prem is key. It seems too obvious to mention, but it is critical that all externally facing services for corporate services, whether they are cloud or On-Prem, are protected by MFA.

With that in mind, here are four key steps to secure cloud configuration:

Set up and mandate MFA across the board for all users who require remote access.

Ensure that all users have completed this process in a timely manner. In certain situations, attackers can exploit users with a poor or breached password to set up MFA themselves.

Be aware that sometimes conditional access may prevent MFA setup from occurring (e.g. if a user always uses a Virtual Private Network (VPN) to enter into their corporate network). During the migration process, it may be useful to consider changing conditional access to force MFA for all criteria.

Turn off legacy authentication for all domains.

Legacy email protocols do not support MFA, making it possible for attackers to easily bypass MFA. 99% of credential password sprays use legacy protocols. Critically, a phishing attack from internal "trusted" users is more likely to succeed.

Often, we hear concerns about a board member's old iPad or something similar, so turn audit mode on first to find out if there are any users actively using legacy authentication.

Set up and use conditional access to ensure that MFA is mandated for circumstances which require it based on your policy.

The modern security perimeter now extends beyond an organisation's network to include user access and devices, so this approach will ensure that they can only be accessed by devices that meet your standards for security and compliance.

Audit and review On-Prem LAN security.

Once modern cloud implementations are in place, it's often the case that "legacy" aspects are neglected. This is true of externally-facing services and internal networks, where examples such as relatively open network shares become an unused treasure trove for attackers.

Successful corporate password and identity access management (IAM) requires a layered approach to secure the many facets that compromise an enterprise environment and the same is true for cloud services. MFA aspects should be considered an extra layer in this layered approach.

Again, there are five actions that organisations can take here:

Implement fine-grained password policies. 

This will ensure that administrative accounts are subject to more stringent password complexity and account lockout policies. In Active Directory, the domain functional level must be Windows Server 2008 or greater.

Use passwords and blacklists.

You'll be able to block the use of common passwords such as "Password1!" and "[Month][Year]." This can be implemented through third-party solutions through Microsoft Azure's Active Directory Password Protection.

Harness managed service accounts or privileged access management.

This will enforce random and complex 100+ character passwords that are managed automatically by Active Directory or a third party tool. If this is not feasible, service accounts should use 25+ character passwords.

Enable MFA for all internal sensitive systems and externally-facing portals.

Do this even if via text message or mobile application. Disable push notifications to prevent users from inadvertently approving a login request.

Separate administrative accounts.

This is especially true for users who perform a privileged function, ideally from a privileged access workstation. The separate administrative account should not have email or internet access.