How are corporate endpoints going to be Authenticated and Authorized when your Active Directory is migrated to the Cloud?
Currently, many Network Access Control (NAC) solutions support 802.1X authentication on wireless and wired networks by using Microsoft Domain attributes, such as the credentials of domain users or computer domain membership. In addition, there are plenty of domain-group synchronization scenarios for applying access policies and posture assessments.
Let’s think of an example, such as an organization where the members of a development team are allowed to connect to the corporate wireless network and are then assigned a VLAN or an access list upon successful authentication. Another example could be a finance team whose members are authorized access to the network once their endpoints are running the latest versions of antivirus and their drives are adequately encrypted, while at the same time, helpdesk team members are only required to have the most recent antivirus updates.
Most NAC solutions can handle these basic scenarios with an on-premises RADIUS server and an on-premises Active Directory, but what are you going to do if your organization decides to move the Active Directory to the cloud, for example, to Azure?
Azure AD and 802.1X
As part of the global trending increase in cloud data consumption, Gartner predicts that by 2023 80% of enterprises will also adopt two or more cloud-based security services. In this category we have seen a shift in enterprises from using on-premises Active Directories to cloud-delivered Active Directories. This significant change has added the need to consider certain adjustments to corporate information security.
One of these adjustments pertains to 802.1X authentication by domain attributes. Have you ever thought about 802.1X and Azure AD together? Or how network access control solutions will be able to adapt from the former on-premises legacy security vision to pure cloud-to-cloud integrations?
Converting your access and authentication controls to suit Azure AD requires the ability to have visibility into all devices before they connect to the network no matter where they are connecting from – VPN, wired, wireless or cloud. If security best practices are important at your organization, this visibility should include checking each endpoint, profiling it in terms of its security posture and providing it with a certain score. Once your system has this information it is possible to mitigate risks by applying controls that either prohibit suspicious endpoints from connecting to the enterprise network or more sensitive sections of it, or forcing them to update their security to be able to gain access.
Pure Cloud to Cloud Integrations
This is where cloud-delivered NAC solutions can benefit our new Azure AD players. One of the pioneer features in cloud-delivered NAC is pure cloud to cloud integration with Active Directory in Azure. By deploying it, you will be able to authenticate and authorize users and endpoints by Az-AD attributes without installing anything on-premises. Enabling Azure Active Directory Domain Services is not mandatory for authentication, so everything can be cloud-based and agentless.
If your organization is in the middle of a migration process, and you have both on-premises and AD-Az users, the ideal solution is to enable integration with Azure via a hybrid NAC solution, where your Azure users are managed by a cloud-delivered NAC and Azure integration, and your non-Azure users are managed by an on-premises NAC Directory Broker.
Furthermore, it is recommended to have a NAC solution with a readily available integration with Microsoft Intune cloud service where you will be able to use Intune agents for setting your company’s risk assessment policies and thus enhance a pure cloud-to-cloud interaction in your organizational services.
For those interested in reviewing the future of simplified cloud-delivered network security, I would recommend reading more about how it works here.