In this guest blog post, Ron Rasin, Senior VP of Product Management & Strategic Alliances at Silverfort, discusses how enterprises can extend multi-factor authentication (MFA) to have real-time protection against compromised credentials across any resource in their hybrid environment.
Identity-based attacks that utilize compromised credentials to access targeted resources are increasing in scope and sophistication. According to Microsoft, multi-factor authentication (MFA) can block over 99.9 percent of account compromise attacks.
While MFA has proven to be the most effective security measure against identity-based attacks, it typically cannot be deployed to critical enterprise resources such as legacy applications, command-line access to servers and workstations, file shares, databases, and more. This creates a gaping blind spot for enterprises by exposing their sensitive data to threat actors who have gained access via a user’s compromised credentials.
Most concerning hybrid environment identity protection challenges
Identity protection should be a top priority for every organization. Here are the three most concerning identity protection challenges that enterprises face in hybrid environments:
Can’t be protected with MFA and conditional access: Many on-premises resources were developed before MFA technology was widely available, so they do not natively support MFA in their default authentication process. Integrating MFA into these resources would require code changes to the resource itself, which is not a recommended route.
Can’t support modern authentication protocols: These resources are stuck with legacy authentication protocols. They typically authenticate to Active Directory over NTLM and Kerberos protocols, which also do not support MFA. Therefore, they are commonly targeted in many data breaches and ransomware attacks.
Lack of unified visibility and context into users’ activities: A hybrid environment is fragmented, with Active Directory serving on-premises resources and Azure Active Directory (Azure AD) serving software-as-a-service (SaaS) environments. This deprives security teams of centralized visibility into the full context of each user account’s behavior, which significantly reduces their ability to recognize an authentication attempt as malicious and trigger MFA step-up, and to detect and respond to attacks moving from on-premises to the cloud or vice versa.
These challenges leave on-premises resources unprotected against incoming identity-based attacks that utilize compromised credentials, leaving organizations at a fork in the road: MFA is required, but it seems impossible to implement with on-premises resources. How can that be solved?
Extending Azure AD conditional access and Azure MFA
Silverfort extends Azure AD conditional access and Azure MFA to all resources that don’t natively support it, such as homegrown and legacy apps, IT infrastructure, file shares and databases, Remote Desktop Protocol, industrial systems, and command-line tools including PowerShell, Windows Management Instrumentation (WMI), PsExec, and Secure Shell Protocol (SSH). With this integration, organizations can centralize the identity protection for all on-premises and cloud resources in Azure AD, while providing enterprise users with a consistent user experience across all resource access.
Now, enterprises can extend MFA protection to any user, system, and environment. This native integration enables organizations to have real-time protection in place against the use of compromised credentials across any resource in their hybrid environment.
How Silverfort’s integration with Azure MFA works
Silverfort integrates with corporate resources and third-party identity and access management (IAM) platforms, enabling organizations to enforce an MFA policy on every incoming access attempt. This includes Active Directory, Active Directory Federation Services (ADFS), and Remote Authentication Dial-In User Service (RADIUS) on Azure AD, including hybrid and multi-cloud environments.
When a user authenticates to Active Directory to access any on-premises resource that doesn’t natively support Azure MFA, Silverfort notifies Microsoft to push an Azure MFA notification to the user. Once verified or denied, Microsoft then passes the user response to Silverfort, which instructs the identity provider on whether the access request can be granted.
Depiction of how Silverfort works.
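As an added illustration (not Silverfort’s or Microsoft’s code), the following Python models the exchange just described: a broker observes a legacy-protocol authentication at the identity provider, asks a cloud MFA service to push a prompt, and hands an allow/deny verdict back to the identity provider while keeping one audit trail for every decision. The resource names, the `send_push` callback and the one-prompt-per-host rule are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set


@dataclass
class AuthRequest:
    """One authentication attempt seen at the on-premises IdP (hypothetical shape)."""
    user: str
    resource: str
    protocol: str      # legacy protocol the resource speaks, e.g. "NTLM" or "Kerberos"
    source_host: str


@dataclass
class StepUpBroker:
    """Hypothetical broker between the on-premises IdP and a cloud MFA service."""
    protected: Set[str]                   # resources whose access requires an MFA step-up
    send_push: Callable[[str, str], str]  # cloud MFA push; returns "approved" or "denied"
    verified: Dict[str, Set[str]] = field(default_factory=dict)  # user -> hosts already verified
    audit: List[dict] = field(default_factory=list)              # unified trail of decisions

    def decide(self, req: AuthRequest) -> str:
        """Return the verdict the broker gives the IdP: 'allow' or 'deny'."""
        already_ok = req.source_host in self.verified.get(req.user, set())
        needs_mfa = req.resource in self.protected and not already_ok
        if needs_mfa:
            # Step 2: the cloud MFA service prompts the user out of band.
            verdict = self.send_push(req.user, req.resource)
            if verdict == "approved":
                # Remember the host so the same session is not prompted again.
                self.verified.setdefault(req.user, set()).add(req.source_host)
                decision = "allow"
            else:
                decision = "deny"
        else:
            verdict = "not-required"
            decision = "allow"
        # Step 3: every on-premises decision lands in one place, regardless of protocol.
        self.audit.append({"user": req.user, "resource": req.resource,
                           "protocol": req.protocol, "host": req.source_host,
                           "mfa": verdict, "decision": decision})
        return decision
```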
How Silverfort’s Azure AD bridge works
Silverfort enables organizations to discover and choose which applications and resources they want to bridge to Azure AD based on their usage and dependencies. Silverfort can seamlessly connect any type of server, application, or admin access tool into Azure AD as if it were a modern web application. Each bridged asset appears as an application in Azure AD. Now it is possible to apply authentication and access policies on these applications from the Azure AD console.
Silverfort customers can manage and optimize their identity protection by consolidating all their on-premises and multi-cloud resources in Azure AD. With Silverfort’s Azure AD bridge capability, enterprises can now apply Azure AD security controls across all resources and access attempts.
Depiction of how Silverfort's Azure AD bridge works.
Centralize your enterprise’s identity protection in Azure AD
With this integration, Silverfort can trigger a conditional access policy and MFA on the authentication request whenever a user attempts to access an on-premises resource. Users can verify their identity using any supported Azure AD authentication method, such as push notifications (via Azure MFA), number matching, one-time passwords, or FIDO2 security keys, without any additional user enrollment required.
Now organizations can centralize the identity protection for all on-premises and cloud resources in Azure AD, while enterprise users get a consistent user experience across all resource access.
Depiction of how the extended Azure MFA user experience works.
Silverfort’s native integration with Active Directory and Azure AD enables organizations to have unmatched real-time detection and prevention of identity threats in a unified manner across all resources and environments.