Strong identities are the logical starting point and foundation when implementing a Zero Trust security model step by step. Microsoft recommends four steps to build strong identity: multi-factor authentication, policy-based access, identity protection, and secure access to SaaS and on-premises apps. In this article we summarize Microsoft's Azure AD Application Proxy and the cloud access security broker (CASB) model for protecting on-premises and non-native cloud applications.
Software-as-a-service (SaaS) solutions have simplified remote collaboration, accounting, human resources, and numerous other business functions. They are quick to set up and easy to use; so easy that business units can adopt them without IT or security review, which leaves the organization exposed to breaches it cannot see. In a hybrid environment, where organizations also run on-premises applications or non-native cloud applications that use legacy authentication, solutions such as a single sign-on (SSO) application proxy or a cloud access security broker (CASB) are needed to govern access to these applications. With them, organizations can enforce centralized strong authentication, monitor and control risky end-user activity, monitor and remediate risky activity in legacy applications, and detect and prevent the transmission of sensitive data.
Azure AD Application Proxy
By bringing the sign-in experience for all their apps (on-premises, cloud and third-party SaaS apps) from any device under one identity provider and managing user directories together, organizations gain better control and visibility and simplify the user experience. Connecting external apps to a single sign-on process reduces the risk created by users maintaining separate credentials for each of them. Azure AD has an app gallery of thousands of pre-integrated third-party SaaS apps to simplify single sign-on, and custom applications can be added in the portal. Azure AD Application Proxy gives remote users secure access to on-premises web applications in the same manner as cloud applications: with Azure AD pre-authentication (the default), users authenticate to Azure AD first, so multi-factor authentication and Conditional Access policies are enforced before any request reaches the internal app. For applications that use Integrated Windows Authentication, the proxy can perform Kerberos constrained delegation to provide single sign-on. The proxy service itself runs in the cloud; the only on-premises component is a lightweight connector installed on a Windows server inside the network, which opens outbound HTTPS connections to the service. No inbound firewall ports, DMZ or VPN are required, so the network changes needed for remote access are minimal.
Cloud Access Security Broker (CASB)
To reduce the risk of a cyberattack, discover shadow IT and manage data in cloud applications while keeping the productivity of the cloud, organizations can consider a cloud access security broker (CASB) solution as the next step in identity protection. A CASB controls how SaaS apps are used in the company and how information is shared through them. CASBs use a three-step process to provide visibility across sanctioned and unsanctioned applications and control over enterprise data in the cloud:
- Discovery: the CASB identifies every cloud application in use, typically from firewall and proxy logs, along with the users who access it
- Classification: the CASB matches each application against its catalog, identifies the data it holds, and calculates a risk score
- Remediation: the CASB applies a policy tailored to the enterprise's security needs (for example allow, alert or block) and then identifies and remediates incoming threats or policy violations
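To make the three steps concrete, here is an added Python illustration (it is not Microsoft's code nor any CASB vendor's) that runs discovery, classification and remediation over a handful of constructed proxy log lines. The log format, the app catalog, the risk weights, the 50 MiB upload threshold and the hostnames are all assumptions made for the example; a real CASB ingests firewall and proxy logs in vendor formats and classifies against a catalog of tens of thousands of apps.

```python
"""Toy CASB pipeline: discovery -> classification -> remediation (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample firewall/proxy log lines for this example; not real traffic.
# Assumed format: timestamp user source_ip destination_host bytes_uploaded
SAMPLE_LOGS = """\
2024-03-01T09:01:12Z alice 10.0.1.15 outlook.office365.com 2048
2024-03-01T09:02:30Z bob 10.0.1.22 www.dropbox.com 52428800
2024-03-01T09:03:01Z alice 10.0.1.15 teams.microsoft.com 1024
2024-03-01T09:05:44Z carol 10.0.2.7 pastebin.com 4096
this line is deliberately malformed and must be skipped
2024-03-01T09:07:19Z bob 10.0.1.22 www.dropbox.com 104857600
2024-03-01T09:09:02Z dave 10.0.3.3 share.unknownvendor.example 512
2024-03-01T09:10:55Z carol 10.0.2.7 www.dropbox.com 8192
"""

# Hypothetical app catalog standing in for a CASB's vendor-maintained catalog:
# host -> (app name, category, base risk 0-10, sanctioned by IT?)
APP_CATALOG = {
    "outlook.office365.com": ("Microsoft 365", "collaboration", 1, True),
    "teams.microsoft.com": ("Microsoft Teams", "collaboration", 1, True),
    "www.dropbox.com": ("Dropbox", "cloud storage", 6, False),
    "pastebin.com": ("Pastebin", "text sharing", 9, False),
}
UNKNOWN_APP = ("unknown", "unclassified", 5, False)  # unmatched hosts need review
UPLOAD_THRESHOLD = 50 * 1024 * 1024  # assumed bulk-upload threshold (50 MiB)

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<src>\S+) (?P<host>\S+) (?P<bytes>\d+)$"
)


@dataclass
class AppUsage:
    host: str
    users: set[str] = field(default_factory=set)
    events: int = 0
    bytes_out: int = 0


@dataclass
class Assessment:
    host: str
    name: str
    category: str
    sanctioned: bool
    risk: int
    usage: AppUsage


def discover(log_text: str) -> dict[str, AppUsage]:
    """Discovery: every destination host in the logs, with its users and upload volume."""
    found: dict[str, AppUsage] = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip it rather than abort the whole run
        usage = found.setdefault(m["host"], AppUsage(host=m["host"]))
        usage.users.add(m["user"])
        usage.events += 1
        usage.bytes_out += int(m["bytes"])
    return found


def classify(discovered: dict[str, AppUsage]) -> dict[str, Assessment]:
    """Classification: match each host to the catalog and compute a risk factor."""
    assessed: dict[str, Assessment] = {}
    for host, usage in discovered.items():
        name, category, risk, sanctioned = APP_CATALOG.get(host, UNKNOWN_APP)
        if not sanctioned:
            risk += 1  # unsanctioned apps carry extra governance risk
        if usage.bytes_out >= UPLOAD_THRESHOLD:
            risk += 2  # bulk uploads suggest corporate data is leaving
        assessed[host] = Assessment(host, name, category, sanctioned, min(risk, 10), usage)
    return assessed


def remediate(assessed: dict[str, Assessment], block_at: int = 8) -> dict[str, str]:
    """Remediation: apply the tenant policy -> 'allow', 'alert' or 'block' per app."""
    actions: dict[str, str] = {}
    for host, a in assessed.items():
        if a.risk >= block_at:
            actions[host] = "block"
        elif not a.sanctioned:
            actions[host] = "alert"  # unsanctioned but below the block threshold: review
        else:
            actions[host] = "allow"
    return actions


def run_pipeline(log_text: str, block_at: int = 8) -> dict[str, str]:
    return remediate(classify(discover(log_text)), block_at)


if __name__ == "__main__":
    assessed = classify(discover(SAMPLE_LOGS))
    for host, action in remediate(assessed).items():
        a = assessed[host]
        print(f"{action:5} {a.name:16} risk={a.risk:2} users={sorted(a.usage.users)} "
              f"bytes_out={a.usage.bytes_out}")
```

Run as a script it prints one line per discovered app. In this sample Dropbox is blocked because two users pushed about 150 MiB to an unsanctioned app, Pastebin is blocked on its catalog risk alone, the unknown host is raised as an alert for review, and the Microsoft 365 endpoints are allowed. The malformed log line is skipped instead of stopping the run, which matters because real log feeds are never clean.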
Some of the reasons why organizations choose CASB implementation:
- Know which apps their employees use. A CASB discovers all the apps and cloud services in use, whether or not they are managed by IT and whether employees access them inside or outside the corporate network.
- Allow only the apps that meet your standards.
- Protect your sensitive data. A CASB identifies what files and information are stored in which apps and who has access to them. If there are issues, a CASB provides tools to remove external sharing permissions, encrypt or delete files, among other security features.
- Use AI and automation to stop attacks. A good CASB learns how users normally behave, builds a behavioral profile for each of them, and alerts you when something suspicious is detected, such as anomalous user behavior, data exfiltration or malware.
- Stay on top of regulations.
Many organizations have not yet laid the foundation of strong identity. Microsoft statistics show that only 11% of organizations implement basic multi-factor authentication. "Nowadays, when hybrid work has become natural in most enterprises, strong identity is essential for balancing data and identity security with a good employee work experience. Strong identity starts with foundational elements like multi-factor authentication, policy-based access, identity protection, and Azure AD Application Proxy. As a next step, advanced solutions like a Cloud Access Security Broker (CASB) are also necessary for strong security. It is better not to wait for the first security breach but to prevent it with the appropriate solutions. Noventiq can help organizations find the solutions they need to secure their identities and data, and implement them." – commented Nikolay Dinev, Regional Services Lead of Noventiq.
Zero Trust is a journey, not a destination, and identities are a logical starting point for implementing a phased Zero Trust security model. Contact us and start your Zero Trust Security journey with strong identity management.