One Organization’s Dilemma: Adding Security for Cloud Apps With Less User Disruption
Late last year, we began conversations with the Tuck School of Business at Dartmouth College about their current security concerns. Like many organizations, a portion of their workloads is moving from on-premises to the cloud. One of the big concerns about moving to the cloud is how to secure infrastructure as companies currently do from within the defined perimeter of their internal network. They also needed to provide added security without heavily impacting the end-user (students, faculty, and staff) experience. Because these are common concerns for many other organizations, I’d like to share how we helped this customer overcome these security concerns.
Tuck’s information technology team wanted to solve two primary use cases:
- Stronger Security for Virtual Desktops
- Stronger Security for Microsoft Office 365
In addition, they needed to leverage an existing investment in an MFA solution used by highly privileged users.
Stronger Security for Virtual Desktops
For the first use case, the school was looking for stronger security around virtual desktops accessed both internally and externally. Existing security only required username and password. Once logged in, users were “in” the university network, which offers malicious actors with access to valid credentials easy access.
To address this, Preempt can trigger conditional identity verification and can use several attributes, based on information obtained from scanning AD as well as by inspecting each authentication request that a domain controller receives. Whether or not to trigger MFA for a user is adaptive and can be decided based on a variety of conditions such as user risk score, user behavior, type of source endpoint, recent successful identity verification, or in this case, is the destination endpoint a virtual desktop.
Two problems for this school were instantly solved with this approach:
- Reduction of the number of MFA requests (identity verifications)
- Secured virtual desktops with step-up authentication
Stronger Security for Office 365
The second primary use case, Office 365 access, also only required username and password for access. Rather than requiring users to verify identity with each authentication (which would be the case with conventional MFA), they wanted to be able to have adaptive identity verification to Active Directory Federation Services (ADFS) enabled applications like Office 365. This provides the ability to block a connection if a user fails identity verification. Preempt’s integration with ADFS, which enables the same exact conditional controls to federated services accessed via a web browser or desktop applications, including Office 365. This also includes additional applications that are configured for SSO via the ADFS federation.
Preempt integrates with ADFS by acting as a secondary authentication provider to the ADFS farm. Each time a user logs in via ADFS, the Preempt policy engine will be called and the authentication will be evaluated based on the defined rules. If required by the policy rule, interactive MFA will be integrated into the authentication flow. The conditions vary and can be based on metadata (the type of user or endpoint, what role they play in the network, etc.) or behavior-based such as security risk score, endpoint association, and more.
Adding a layer of security can lead to resistance (or even rejection) without proper training, setting expectations, and gaining acceptance with the user community prior to deployment. Conventional MFA without flexibility leads to unnecessary time and focus taken away from a user’s primary objective. With Preempt’s integration with ADFS, security teams are able to provide this added security to the cloud, without heavily impacting the workflow of the end-user.
The Tuck School information technology team is successfully demonstrating Preempt’s ADFS functionality with the goal of rolling it out to all users by fall. All Tuck users will be requested to verify their identity when accessing a virtual desktop (conditionally based on several factors). Additionally, identity verification will be conditionally triggered when accessing Office 365. All of this is done without the need for a workstation agent or an endpoint managed by the school. As a result, the school is confident in its ability to add security without compromising user satisfaction.
Posted by Phil Meneses on May 31, 2018 1:42 AM