It may be time to ditch your on-premises authentication services in favor of native cloud authentication

Many organizations today are still employing on-premises authentication services like Active Directory Federation Services (AD FS), as the primary authentication solution for both on-premises and cloud-based SaaS applications. Is it time to consider moving to a cloud-native authentication framework?

The National Cyber Security Centre in the UK thinks so and so do we. In this article, we’ll take NCSC’s recommendations and provide you additional detail and recommendations.

On February 14, 2019, the National Cyber Security Centre, a part of GCHQ (one of the UK’s three intelligence agencies), released an advisory entitled Securing Office 365 with better configuration. It suggests that “anyone with an Office 365 account would benefit from acting on the security recommendations in this advisory.” Many organizations, from small businesses to larger multi-national enterprises have adopted cloud computing in one form or another.

Securing Cloud Resources 

The NCSC advisory adds that in the UK, 42% of enterprises depended on cloud computing services in 2018, which is up from only 24% just four years prior in 2014. Cloud computing has matured and has become an integral part of the enterprise both in the private and public sector. 

However, securing cloud resources continues to pose a serious challenge for many organizations. Enabling multi-factor authentication (MFA) should be a top priority, as it reduces the risk posed by threat actors that have become adept at stealing credentials through password spray, password guessing, and phishing attacks. Enterprises using Office 365 should ensure that every account has a second factor enabled. Organizations that have purchased the Enterprise Mobility and Security suite (EM+S) should use Conditional Access to enforce MFA for access to both cloud and on-premises resources. 

Which Authentication Method Should You Use? 

Another area to consider is which authentication model to use as more and more resources move to the cloud. Microsoft recommends that organizations first choose the correct authentication method when preparing to move their apps to the cloud. The reasons for this are: 

  • It’s the first decision for an organization that wants to move to the cloud
  • The authentication method is a critical component of an organization’s presence in the cloud; it controls access to all cloud data and resources
  • It’s the foundation of all the other advanced security and user experience features in Azure AD
  • The authentication method is difficult to change after it’s implemented

Identity is the new control plane of IT security; therefore, it is important to choose an authentication model and identity platform that strengthens security and keeps cloud resources safe from intruders. For ‘green field’ implementations, the recommended hybrid identity models, in order of preference, are: 

  1. Password Hash Sync with Seamless Single Sign-On 
  2. Azure AD Pass-through Authentication plus Seamless SSO AND Password Hash Sync
  3. Federated Authentication with Password Hash Sync 

What if you have already deployed and are already using Federated Authentication, with AD FS?   

For these organizations, the recommendation is to consider a migration to cloud-based native authentication, i.e. Seamless SSO with Password Hash Sync. The NCSC advisory states that “…organisations using Azure AD as their primary authentication source will actually lower their risk compared with AD FS.” This is because: 

  • It’s hashes of your password hashes that are sent to Azure AD, not the reusable NTLM hashes commonly discussed in “pass the hash” attacks (Microsoft explains this further in its Azure AD Connect documentation). This means that the credentials sent to Azure AD can’t be used to authenticate to any of your on-premises infrastructure that relies on Active Directory. 
  • We are already relying on Azure AD to make access control decisions regulating who can see which data, hosted in Office 365. So, we already need to trust that it’s built and operating securely. Storing password hashes doesn’t change that security requirement. 
  • The availability of Office 365 will no longer be affected by any outages or downtime suffered by your on-premises AD FS or Active Directory infrastructure. 
  • The full set of Microsoft’s credential protection technologies only works on accounts that are fully synchronized with the cloud. Benefits include the service identifying users whose passwords are easily guessed and flagging accounts whose reused passwords have been leaked through data breaches at other services. 
  • Extensions to Conditional Access that include an assessment of the health of a device will, in the future, probably only be available for users that are authenticating directly to Azure AD. 

Organizations that have requirements not natively supported by Azure AD, such as sign-on using smart cards or certificates or multi-site on-premises authentication solutions, should consider enabling Password Hash Sync as a fallback authentication method so that if AD FS is not available, users are still able to access cloud resources. 

Identity is the new control plane and security perimeter. It is therefore vital that organizations choose the identity model that will provide the most robust security and protection for cloud resources. IT security groups and those in charge of making such decisions should carefully review their current identity model and consider moving to a native cloud-authentication model. 

Want to learn more?

OCG has a number of resources to help you learn about authentication, including:

You can also contact us to find out how Oxford Computer Group can help you improve systems and protocols to better secure your organization.