
Using Global Secure Access to ‘step up’ authentication to your premises


Even as multi-factor authentication (MFA) has become more prevalent, integrating it with on-premises resources has always been a challenge, and doing so typically degrades the user experience.

On-premises MFA solutions often introduce their own unique token lifetime concerns, not to mention that integration is often only possible via reverse proxies, and the total operational effect would increase complexity and administrative burdens significantly – so on-premises MFA never became especially widespread. This was even true with Azure MFA Server, which Microsoft started deprecating in 2022, in advance of turning it off in the next month.

Once these workloads started to move to modern authentication protocols (often when they moved to cloud resources), MFA became normalised – to the extent that Microsoft has just announced that they are making MFA compulsory for Azure, Intune and Entra portal sign-in as of October. Meanwhile, the on-premises MFA struggles were known to IT and security teams, so on-premises applications, servers and services remain accessible with only username and password, a token, or a ticket. In other words, only one factor.

Given that most organisations still use Active Directory Domain Services (AD DS) as their ‘source of authority’ for users, groups, service accounts, and more, our protections have been painfully misaligned.

Strengthening legacy security with Entra technologies

With the advent of Entra ID Private Access (part of Global Secure Access), we can now start to tackle this legacy and change it comprehensively for all user authentication to applications and services that depend on Active Directory. We can also invoke MFA for access to network segments that use some other authentication service (including their own internal authentication methods).

There is no longer a significant barrier to requiring MFA for all on-premises resources, which is one of the primary reasons we put forward Global Secure Access as your most important technology for Zero Trust adaptations.

And we needn’t limit our thinking to MFA; we can use this same network intermediary to invoke ‘step up’ authentication to any Entra ID-supported authentication method. Although this is just one narrow lens for inspecting new Global Secure Access uses, it’s the most illustrative example of the transformative power we have to hand.

For Entra ID-integrated applications and services, we have had the flexibility and strength we need to put up a strong defence against increasingly sophisticated attacks. For on-premises applications and services, we have been largely reliant on defensive measures outside of our authentication stack to plaster over those cracks. Pass-the-Hash, Pass-the-Ticket, Overpass-the-Hash, Golden Tickets and other token/ticket theft techniques have been unsolved Active Directory security problems for decades.

We have attempted to mitigate these risks with detection and response capabilities, but we need to complement those detective skills and technologies with protections that prevent theft up-front.

Although there is no direct way to invoke MFA when a service uses an NTLM (New Technology LAN Manager) token or a Kerberos ticket for authentication, if network access is only available via a Global Secure Access-brokered connection, we can now require whatever we like on the way to that service.

Microsoft puts forward the approach of limiting access to Domain Controllers with Global Secure Access, so it isn’t possible to acquire a Kerberos ticket without fulfilling MFA requirements first. This is a great illustrative concept (which optimises for performance over security), but arguably we are only solving part of the problem if we stop there, since a token or a ticket can still be stolen and used directly to access any resources that aren’t also brokered by Global Secure Access. So, let’s not stop with that illustration.

Let’s use Entra ID as a source of strength on the way to all your on-premises resources, even if you are also working from the same premises. The strength we require can be as weak or as strong as you like; as common or diverse as you like across different resources.

Maybe you start by strengthening Domain Controllers as a first step, and move on to everything else later. Or maybe you find that for your networking context, you can only viably add Global Secure Access for Domain Controller access.

If you must fall back to this network performance-optimised stance, you will have at least mitigated password theft risks, and your existing detection and response capabilities can continue to cover token and ticket theft attack vectors. All options are available in this extremely flexible policy engine.

Conditional access for everything

Bringing these on-premises resources into the conditional access fold doesn’t just strengthen authentication. By virtue of modernising authentication to legacy resources with Global Secure Access, we now also gain these related improvements:

  • A single control pane and aggregated reports in Entra ID – no more on-premises MFA user synchronisation and support on top of those same needs in Entra ID
  • Simplified user experience, with no need for multiple authenticator apps, weak, interceptable one-time codes via SMS, or potentially even key fobs
  • A single behavioural view across Entra ID applications and on-premises resources, richer logging, and Source IP addresses restored in logs that would otherwise log the SSE vendor’s infrastructure as the requesting client
  • Continuous access evaluation, improving revocation timescales to near-real time, and the scope of revocation to include the newly protected resources
  • Authentication methods beyond MFA, offering password-less and phishing resistant methods out of the box, and the ability to align methods to strengths, so users can satisfy the strength requirement with whichever method is most suitable for that user
  • Granular decision making, supporting narrow exclusions, and authentication requirements defined by whichever authentication strengths are most suitable to that resource or a group of resources sharing similar sensitivity
  • Device-based conditions, as a unique or supplementary requirement to user authentication strengths – for instance, you might require a hybrid-joined device to access on-premises resources
  • Block access from risky locations, such as any countries you have a need to distrust. Although we generally want to steer away from putting trust in locations as authenticators (since they are weaker than other options), they can still be a useful way of blocking less sophisticated attacks – especially if you know your organisation is targeted from a specific location.
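As an added example (not code from the post, and not Microsoft’s own sample), the following Microsoft Graph PowerShell script creates two report-only Conditional Access policies of the kind this list describes: a step-up policy that requires phishing-resistant authentication strength plus a hybrid-joined device for a Private Access application, and a block policy for a distrusted named location. The application ID, break-glass group ID and named-location ID are placeholders that you must replace with values from your own tenant; the authentication strength ID is the built-in ‘Phishing-resistant MFA’ strength.

```powershell
# Added example: Conditional Access for a Global Secure Access Private Access app.
# Requires the Microsoft.Graph PowerShell SDK (Microsoft.Graph.Identity.SignIns).
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholders - replace with IDs from your tenant before running.
$privateAccessAppId  = "<private-access-enterprise-app-id>"   # Private Access (or Quick Access) app
$breakGlassGroupId   = "<break-glass-group-object-id>"       # emergency-access accounts, always excluded
$distrustedLocation  = "<named-location-id>"                 # named location for a distrusted country

# Built-in authentication strength: Phishing-resistant MFA.
$phishingResistantStrengthId = "00000000-0000-0000-0000-000000000004"

# Policy 1: step up to phishing-resistant auth AND a hybrid-joined device
# for every user reaching on-premises resources through Private Access.
$stepUp = @{
    displayName = "GSA Private Access - step up to phishing-resistant MFA + hybrid join"
    state       = "enabledForReportingButNotEnforced"   # report-only first; review sign-in logs, then enable
    conditions  = @{
        clientAppTypes = @("all")
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @($privateAccessAppId) }
    }
    grantControls = @{
        operator               = "AND"                    # both controls must be satisfied
        builtInControls        = @("domainJoinedDevice")  # require a hybrid Entra-joined device
        authenticationStrength = @{ id = $phishingResistantStrengthId }
    }
}

# Policy 2: block Private Access from a named location the organisation distrusts.
$blockLocation = @{
    displayName = "GSA Private Access - block distrusted location"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        clientAppTypes = @("all")
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
        applications   = @{ includeApplications = @($privateAccessAppId) }
        locations      = @{ includeLocations = @($distrustedLocation) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

foreach ($policy in @($stepUp, $blockLocation)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    Write-Output ("Created {0} ({1}) in state {2}" -f $created.DisplayName, $created.Id, $created.State)
}
```

Leave both policies in report-only mode until the sign-in logs show the expected matches for Private Access traffic, then switch `state` to `enabled`.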


In other words, we can now uplift security for legacy resources to modern standards. Step-up authentication has been a topic in identity circles since at least the advent of SAML 2, but the number of times we’ve seen it implemented on-premises can be counted on one hand.

Now, with Global Secure Access, we don’t just ‘step up’ user authentication according to the sensitivity of the resource. We can step up legacy username and password on a vulnerable protocol to the full power of Conditional Access over much safer tunnels. We can finally align Zero Trust aspirations to resources that have been stuck with 20- to 30-year-old protections (AKA weaknesses), and we can do so in a stack that has been designed with the whole picture in mind, rather than taping together 17 pieces of jigsaw from different puzzles.

Holistic security with Global Secure Access

In earlier posts about Global Secure Access, we have described how it has been built respectfully on top of the virtues we already have in Entra ID. This is Microsoft’s unique proposition as an SSE vendor. It doesn’t simply plonk something in the middle of users and their stuff, getting that intermediary to handle every security decision and outcome. Microsoft does add an agent to the mix as a new source of telemetry and an enforcement point, but everything else is already integral. We stand a much better chance of winning this way.

Other security vendors and some security buyers are fond of raising the ‘all your eggs in one basket’ question when considering Microsoft as a security vendor. You will certainly see this message from other SSE vendors now. However, in our view, Global Secure Access is the perfect illustration of how a harmonised, respectful security architecture can drastically improve security outcomes, making Zero Trust aims broadly achievable for the first time.

Holism has more virtues than risks, unless you fully distrust the capability of the vendor. We should be assessing Microsoft’s entry into the SSE market as the leading IDaaS provider (with one of the largest and fastest global backbones) adding 10%-20% new coverage to join these dots in a novel way, rather than as a 100% new entrant to the market.

Many people seem open to accepting the virtues of holism when it comes from Apple, even if some of their specific preferences get bulldozed along the way. But when Microsoft takes a similar approach to end-to-end security with its own unique reach and capabilities, some security buyers react differently, even if they carry an iPhone. Why is that?

It’s impossible to bottom out the root of this religious thinking in a blog post, but we at least want buyers to evaluate this choice clearly, since the holistic benefits are so evident. Global Secure Access puts more eggs in this growing Microsoft Security basket, but the net effect is desirable, unless you don’t trust Microsoft.

If that is your position, you need to look clearly at your entire stack, considering the risks of doubling up protections where heterogeneous technologies overlap, and the risks of leaving gaps in protections where they don’t reach.

The total costs and operational complexity of this stack also need to be focal. Your ability to service this stack and respond to security incidents should also be a major preoccupation. Global Secure Access begs these questions. This whole stack is available now through a single consolidated license in the new Entra Suite, at an attractive price given the transformative capabilities at hand.

Identity has become the focus for attackers in recent years, and on-premises weaknesses have given attackers an obvious place to establish their foothold once those weaknesses have been exploited.

Rather than a source of strength, the firewalled premises have become an attacker’s fortress within your kingdom. Your home has become your attacker’s base. They are like a bed bug. Our ability to prevent bed bugs from getting in, and to prevent them from spreading if they do get in, has now been boosted considerably with Global Secure Access. 

Looking for Global Secure Access advisory services?

Get in touch today to set up a meeting with our cyber experts and get started on enhancing your security posture.
