The Most Important Area of Cybersecurity? Perhaps Identity and Access Management?

Meet Microsoft Entra


Which area of cybersecurity is often not talked about, but is actually one of the largest areas of development and is at the core of security for users and organisations? It is identity and access management. Overall, it is the basic process of proving our identity and then mapping it to our rights on a system — and it is at the core of organisational security. Unfortunately, our world of authentication is still based on the world of mainframe computers, where we had simple login identifiers and passwords.

A changing digital world

Our digital world is now a whole lot more complex than just logging into a single computer system or a locally networked system … we now (typically) integrate with multiple clouds, link with distributed services, and use multiple identities. Unfortunately, in the past, we have been sloppy (aka lazy!) with the rights we assign to users. But this will change with the rise of zero trust, where we do not trust anything (users, resources and services) until it provides the required proof of identity and rights. And, finally, no single identity system fits every application, and we must match the challenge level to the risk we face. A low-risk service might just need a single PIN, while a high-risk service may require biometrics and hardware tokens. There is no “one-size-fits-all” approach any more.

The leader in this field is obviously Microsoft, whose Active Directory infrastructure rules over most corporate systems. But our world is changing: we are generally moving into the Cloud, and towards MFA (Multi-Factor Authentication), Single Sign-On, and passwordless systems. Along with this, identity is now used not only to provide access control but also to support so many aspects of our lives (such as your login to WhatsApp, Facebook and Amazon). Basically, it’s one reason we created the Blockpass ID Lab in the university — identity and rights are at the core of rebuilding the Internet.

Decentralised IDs, The Cloud and Active Directory

Think about your password for a little while. Don’t you now find it strange to have to enter it — along with remembering your user ID? Our world is thus moving away from these legacy identifiers, which are created, managed and controlled centrally, towards identifiers that users and organisations can control themselves. Obviously, to move to these new types of identifier we need to find ways to integrate with our existing Active Directory infrastructure.

And so, this week, one of the leaders in identity and access management — Microsoft — took a massive step forward by announcing new integration into their Microsoft Entra platform [here]:

Overall, it is an Azure-based service that bundles together a number of products. As required by many organisations, it integrates directly with Azure Active Directory:

The core of the offering involves Entra Permissions Management, Entra Verified ID, Entra Workload Identities, and Purview Information Protection.

Entra Permissions Management

Entra Permissions Management is a cloud infrastructure entitlement management (CIEM) dashboard that provides a single view of resource usage and access policies across an entire cloud infrastructure. With many organisations moving to a zero-trust infrastructure, Entra Permissions Management supports restricting access to services based on identity. Along with this, many organisations interact with more than one cloud provider (such as AWS and Azure) and more than one identity provider (such as Google and LinkedIn). This increases the attack surface: an adversary could obtain access tokens from a vulnerable cloud identity provider. In Figure 1, we see that Microsoft Entra Permissions Management allows identities from different identity providers to be integrated, giving access control across multiple cloud environments.

Figure 1: Assigning additional rights [here]

Entra Verified ID

One of the major growth areas in cybersecurity will be the usage of digital wallets, and we will finally start to integrate our digital credentials into a single place — our wallet. With Entra Verified ID, we have the integration of a digital ID with a digital wallet. This is likely to be central to integrating identity with mobile devices.

The product is based on a DID (Decentralised Identifier), and is a move away from using simplistic identifiers (such as login IDs and email addresses) towards a proper digital identifier. This decentralises the identifier, so that there is no single source for it that is assigned by a single entity (such as Google or Microsoft).

Figure 2 outlines Microsoft’s DID approach, which integrates digital identities with the Microsoft Authenticator App. An important aspect is that this DID can be ported to other systems. We can see that the Authenticator App will play an increasing role in our online security, and the DID will generally be mapped to the rights to access a service through the Microsoft Resolver.

Figure 2: Microsoft’s DID approach [here]

Like it or not, your Authenticator App will play an increasing role in your life, and will be key to virtually everything that you do within a corporate environment. It will thus move from being a basic authenticator to being the core prover of your corporate identity.
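As an added illustration of the DID flow described above (example code written for this post, not Microsoft's resolver or any Entra code): a DID URL is parsed, the DID is resolved to its DID document from a constructed in-memory registry standing in for a resolver, and a key is accepted only if the document lists it under its authentication relationship and the document's id matches the DID that was asked for. The did:example and did:web identifiers, the registry and the key values are all constructed.

```python
import re

# Simplified DID syntax from W3C DID Core: did:<method>:<method-specific-id>
DID_RE = re.compile(r"^did:[a-z0-9]+:[A-Za-z0-9._%-]+(:[A-Za-z0-9._%-]+)*$")

# Constructed DID documents standing in for what a resolver returns. Two DID methods,
# two controllers, no single entity issuing either identifier ("type" fields omitted).
CONSTRUCTED_REGISTRY = {
    "did:example:alice": {
        "id": "did:example:alice",
        "verificationMethod": [
            {"id": "did:example:alice#key-1", "controller": "did:example:alice", "publicKeyMultibase": "zCONSTRUCTED_A1"},
            {"id": "did:example:alice#key-2", "controller": "did:example:alice", "publicKeyMultibase": "zCONSTRUCTED_A2"},
        ],
        "authentication": ["did:example:alice#key-1"],   # only key-1 may be used to log in
        "assertionMethod": ["did:example:alice#key-2"],  # key-2 only signs credentials
    },
    "did:web:example.org:users:bob": {
        "id": "did:web:example.org:users:bob",
        "verificationMethod": [
            {"id": "did:web:example.org:users:bob#key-1", "controller": "did:web:example.org:users:bob", "publicKeyMultibase": "zCONSTRUCTED_B1"},
        ],
        "authentication": ["did:web:example.org:users:bob#key-1"],
    },
    # Constructed spoof: a document served for one DID that claims to be another DID.
    "did:example:mallory": {"id": "did:example:alice", "verificationMethod": [],
                            "authentication": ["did:example:mallory#key-1"]},
}

def parse_did_url(did_url):
    """Split 'did:method:id#fragment' into (did, fragment); raise on bad DID syntax."""
    did, _, fragment = did_url.partition("#")
    if not DID_RE.match(did):
        raise ValueError(f"malformed DID: {did!r}")
    return did, fragment

def resolve(did, registry=CONSTRUCTED_REGISTRY):
    """Resolve a DID to its document, rejecting a document that claims a different id."""
    doc = registry.get(did)
    return doc if doc is not None and doc.get("id") == did else None

def authentication_key(did_url, registry=CONSTRUCTED_REGISTRY):
    """Public key (multibase) a service may use to authenticate this DID URL, else None."""
    did, _ = parse_did_url(did_url)
    doc = resolve(did, registry)
    if doc is None or did_url not in doc.get("authentication", []):
        return None  # unresolvable, spoofed, or key not authorised for login
    for vm in doc.get("verificationMethod", []):
        if vm["id"] == did_url and vm["controller"] == did:
            return vm["publicKeyMultibase"]
    return None
```

The same lookup works for both methods because the service trusts the resolved document, not the entity that minted the identifier; a key that is only an assertionMethod, a document whose id does not match, or an unknown DID all yield None.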

Entra External ID

The new product within Microsoft Entra is Microsoft Entra External ID. This has a core focus on CIAM (customer identity and access management) — in a nutshell it is “Active Directory for Customers”. It can also be used to on-board external entities within a B2B environment, such as assigning short-term rights to external consultants. As with federated ID systems, the External ID solution provides a way to integrate with identity providers such as Google and Facebook. One feature that Microsoft are pushing is built-in fraud management, along with the ability to define group roles and policies.

Other services

With Microsoft Entra there are other core identity services, such as Entra Workload Identities (controlling how apps, users and services connect to and consume cloud resources), Entra Identity Governance (for automated cloud control), and Purview Information Protection (previously known as the Information Protection product, which supports the classification, discovery, and protection of sensitive data within Microsoft 365 applications).

Conclusions

The scale-up of the DID (Decentralised Identifier) has finally arrived — when Microsoft adopts something for a corporate environment, you know it is on the way up. Active Directory has been at the core of building corporate systems, and Microsoft Entra is just a natural evolution towards building complete corporate systems in the Cloud.

If you are interested in our research work in DIDs, please contact us. We are working towards a world where privacy and rights are controlled by the citizen, and where digital IDs and digital signing are at the core of building a new digital world. Our EU-funded GLASS project is at the heart of this work, moving towards the integration of the e-ID — and thus further allowing freedom of movement across the EU. For us, the citizen fully owns their own wallet, with no monitoring of it by the state.

Personally, I love this area as it needs proper cryptography to work — and cryptography that breaks out of the centralised control of any entity. So, it has taken around four decades to get to where we are now — with great advancements in cryptography — but we stand at the forefront of the next generation of the Internet. I cannot underline enough the change that DIDs and digital wallets will bring to our on-line world. It is a debate we all need to get involved with, as the law makers probably do not understand how all this works.

And, on my doorstep (well, a single Edinburgh bus journey away), a great Scottish company is advancing DIDs: