This is Sue Bohn, director of program management for Identity and Access Management. I’m excited to introduce the next entry in our Voice of the Partner blog series. Our partners are Microsoft 365 experts with in-depth experience to help customers implement Microsoft solutions. In this series, our partners will share insights and best practices for securing your identities and getting the most out of Azure Active Directory (Azure AD). If you haven’t already, please check out our last post from Patriot’s Consulting, which provides five useful tips that will help you with your migration to Azure AD.
Today’s post is from Edgile, a partner that focuses on identity and access management and risk management solutions. We’ve invited Bob Moore and Marvin Tansley from Edgile to share advice on developing a risk management-based strategy to guide how you migrate your apps to Azure AD. Bob and Marvin have a strong point of view about why so many security initiatives don’t meet the desired goals, along with practical suggestions on how to improve your success rate. I really appreciate their strong emphasis on understanding risk controls and prioritization. I hope you find this post as valuable as I did!
The path to passwordless is about more than technology
If you’re like many of our customers, your goal when it comes to securing identities is to migrate to passwordless authentication. Passwords are frustrating for users and ineffective at securing data, but eliminating them is no easy task. You need to lock in stronger authentication mechanisms for application access, such as behavioral analytics, multi-factor authentication (MFA), and biometrics. Access controls and policies must be the same between your on-premises and cloud environments. Additionally, you have a massive number of applications of different ages and origins. Many of the applications—older and brittle third-party applications as well as legacy apps that don’t use claims-based authentication (that is, SAML or OAuth 2.0)—aggressively resist modernization attempts.
Technology challenges are real and always take time to address, but business decisions and processes often compound them. Many organizations don’t have a complete picture of the apps in use across the organization, and far too often applications are modernized based on which line-of-business managers show up, rather than on what makes sense for the overall enterprise. A migration strategy can help you sidestep some of these issues and move your enterprise to a more secure posture faster. Based on our years working with customers facing similar challenges, we’ve identified the following steps that you can apply to your app migration initiatives:
- Inventory your apps
- Define business impact
- Apply security controls
- Implement a connected security system
Inventory your apps
Before you begin migrating your software-as-a-service (SaaS) apps to Azure AD, understand all the apps used in your organization and the risks associated with each one. This way, you can prioritize which apps to modernize first and make smart decisions about which security controls are required to secure each app. We typically start by interviewing key personnel throughout the organization. The interview process will uncover a list of applications and help you define the business impact of each.
Define business impact
Once you’ve accounted for every app used in your company—including little-used older apps that still need to be in place—answer the following questions for each one:
- What types of sensitive data (PCI, PII, PHI, Financial, Intellectual property) does the app access?
- How much revenue is associated with the app?
- What is the impact to the business when employees/partners/customers are denied access to the app?
- Who needs to access the app?
The answers to these questions help you determine each app’s impact to the organization and its risk relative to other apps. You can then group them into three categories:
- High Business Impact (HBI)
- Medium Business Impact (MBI)
- Low Business Impact (LBI)
After you have a clear understanding of the business impact of your apps, you can begin planning your migration. Consider the costs and time to migrate each app, but as much as possible prioritize your high business impact apps first.
Apply security controls
After you’ve prioritized your app migration plan, the next step is to determine the controls to apply to each app. This requires a balance between a simple user experience and security. For example, you may want to add more controls to an app that accesses privileged data and fewer controls to a low business impact app. One of the biggest risks to enterprises is users with over-privileged access across the enterprise, so it’s also important to enable automated provisioning and de-provisioning. We also recommend that you turn on MFA across all your apps. Other examples of critical controls:
- Risk-based conditional access
- Access approval workflows
- Access re-certification
- Privileged access management
- Information protection through classification and rights management
- Data scanning across on-premises and cloud
- Policy enforcement by monitoring, alerting and reporting
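The two steps above (answering the business-impact questions for each app, then tiering the apps and matching controls to the tier) lend themselves to a small, repeatable scoring model. The script below is an added illustration, not Edgile's or Microsoft's code: it turns the interview answers into an HBI/MBI/LBI tier, derives a per-app control baseline from the tier (MFA and automated provisioning for every app, more controls as impact rises), and orders the migration with high-impact apps first. The data-type weights, revenue thresholds, outage scale, tier cut-offs and the sample apps are all constructed assumptions to be replaced with your own risk appetite.

```python
"""Added example (not from the original post or its authors): score each app
from the 'Define business impact' interview answers, assign an HBI/MBI/LBI
tier, map the tier to a control baseline, and produce a migration order.
Every weight, threshold and mapping here is an assumption for illustration."""
from dataclasses import dataclass

# Assumed weights for the sensitive-data types named in the post.
DATA_WEIGHTS = {"PCI": 3, "PHI": 3, "PII": 2, "Financial": 2, "IP": 2}

# Assumed outage-impact scale for "what happens when access is denied?"
OUTAGE_WEIGHTS = {"critical": 3, "major": 2, "minor": 0}


@dataclass(frozen=True)
class AppProfile:
    name: str
    data_types: frozenset        # which sensitive data the app accesses
    annual_revenue_usd: float    # revenue associated with the app
    outage_impact: str           # "critical" / "major" / "minor" (assumed scale)
    audiences: frozenset         # who needs access: employees/partners/customers


def impact_score(app: AppProfile) -> int:
    """Combine the four interview answers into one ordinal score."""
    score = sum(DATA_WEIGHTS.get(d, 0) for d in app.data_types)
    if app.annual_revenue_usd >= 10_000_000:
        score += 3
    elif app.annual_revenue_usd >= 1_000_000:
        score += 2
    elif app.annual_revenue_usd > 0:
        score += 1
    score += OUTAGE_WEIGHTS[app.outage_impact]
    # External audiences (partners/customers) widen the exposure surface.
    if app.audiences & {"partners", "customers"}:
        score += 1
    return score


def tier(app: AppProfile) -> str:
    """Assumed cut-offs: 7+ is HBI, 4-6 is MBI, below 4 is LBI."""
    s = impact_score(app)
    if s >= 7:
        return "HBI"
    if s >= 4:
        return "MBI"
    return "LBI"


# Controls from the post. MFA and automated (de)provisioning apply to every
# app; the extra controls scale with business impact (assumed mapping).
BASELINE = ["MFA", "automated provisioning and de-provisioning"]
TIER_CONTROLS = {
    "LBI": [],
    "MBI": ["risk-based conditional access", "access re-certification"],
    "HBI": ["risk-based conditional access", "access approval workflows",
            "access re-certification", "privileged access management",
            "information protection (classification and rights management)",
            "policy enforcement by monitoring, alerting and reporting"],
}


def controls_for(app: AppProfile) -> list:
    return BASELINE + TIER_CONTROLS[tier(app)]


def migration_order(apps) -> list:
    """HBI first, then MBI, then LBI; ties broken by raw score, then name."""
    rank = {"HBI": 0, "MBI": 1, "LBI": 2}
    ordered = sorted(apps, key=lambda a: (rank[tier(a)], -impact_score(a), a.name))
    return [a.name for a in ordered]


# Constructed sample inventory (not real applications).
SAMPLE_APPS = [
    AppProfile("payroll", frozenset({"PII", "Financial"}), 0, "critical",
               frozenset({"employees"})),
    AppProfile("storefront", frozenset({"PCI", "PII"}), 50_000_000, "critical",
               frozenset({"customers"})),
    AppProfile("cafeteria-menu", frozenset(), 0, "minor", frozenset({"employees"})),
    AppProfile("partner-portal", frozenset({"IP"}), 500_000, "major",
               frozenset({"partners"})),
]

if __name__ == "__main__":
    for name in migration_order(SAMPLE_APPS):
        app = next(a for a in SAMPLE_APPS if a.name == name)
        print(f"{name:15s} {tier(app)} score={impact_score(app):2d} "
              f"controls={controls_for(app)}")
```

The useful property of a model like this is that the tiering decision is written down and repeatable, so a line-of-business manager who wants their app moved earlier has to argue about the inputs (data types, revenue, outage impact) rather than about the queue position itself.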
“Edgile modernized identity systems and processes and created the bridge to a fully enabled Azure security implementation across the enterprise.”
— Mike Nobile, Chief Information Security Officer, Alcoa
Implement a connected security system
Safeguarding your apps requires that you have a full view of all the risk factors. You need to understand the state of the device, the user, and the network, among other risk factors. Switching between several best-of-class technologies makes it incredibly challenging to get a view across the entire session. We recommend that you consolidate your security solutions as much as possible under a single vendor. Microsoft 365, which offers a connected security platform across on-premises, cloud, endpoints, and identities, is a great example of a solution that lets you look at a session from multiple angles. Think of it like your car. You know that if you get in an accident and slam on the brakes, the airbag will automatically respond because it’s a connected system. You feel safer because it was manufactured to work together.
Our client T-Mobile benefited from this approach. “Microsoft and Edgile helped bring our identity and access security and compliance to a higher level. As a team, they demonstrated the value of M365 to T-Mobile by providing a strategy, implementation roadmap, and resources that demonstrated to senior management why EM+S E5 was well worth the investment. As a result of our E5 implementation, risk-based conditional access has decreased our user and sign-on risk while simultaneously lowering user friction.” —Koveh Tavakkol, Senior Manager Cybersecurity, T-Mobile
Updating your apps for a passwordless future is a big endeavor. We hope our risk management recommendations will ease some of the burden and allow you to achieve more of your goals.
I hope you will be able to apply some of Edgile’s recommendations to your own migration plans. You can expect another partner story in the next month. In the meantime, check out the Voice of the Partners series for more real-world experiences with Microsoft 365 Identity and Access solutions.
Read the Voice of the Customer series.
Leverage our partners for help with an implementation.