Granting and restricting access to data with Azure Active Directory
This blog post is the latest in our series about how EMS can support you in your journey to EU GDPR compliance. We last looked at how Azure Information Protection helps keep your data protected, whether its stored on-premises or in the cloud. Today, Im going to talk about how you can protect access to your data using Azure Active Directory, Microsofts Identity and Access Management solution.
Hackers work hard to steal credentials. Stealing credentials is the easiest way to sneak into a network undetected, which is why controlling and protecting identities needs to be your first line of defense. Considering the majority of cybersecurity attacks traced back to lost, weak or compromised user credentials, its clear you need more security than passwords will ever give you.
Below are some of the great features in Azure AD that put stronger locks on your front door so you only let in people you trust.
Set conditions to protect access
Protecting data starts with securing identities and controlling access and Azure Active Directory helps you protect your organization beginning at the front door. But one critical aspect of good security is that its nearly invisible to good users. Excessive friction inhibits productivity, and good users will find ways to work around things that block their productivity, creating risk. While you could challenge every user at every login with multi-factor authentication (MFA), ideally youd maximize productivity by allowing good users to get their work done with few interruptions, all while stopping the bad guys in their tracks.
Azure AD Conditional Access allows you to do just that. Previously, you mightve had to say, No access from off the corporate network or, No access from a personal device, but Azure AD Conditional Access allows you to basically say, Yes, but there are conditions.
The group that users belong to, the location from which theyre accessing corporate resources, the health of their device, the sign-in, and the user risk are conditions to consider when youre deciding whether youd like to block access, grant access, or challenge the user with MFA.
Evaluate risk before granting access
Azure AD Identity Protection lets you define conditional access policies based on risk calculation enhanced by Microsofts Intelligent Security Graph the cumulative intelligence we collect from our products, services, internal teams, and external sources. Based on this data, we calculate the risk of an individual user or a sign-in attempt. Azure AD Identity Protection will notify you if it detects suspicious behavior, help you investigate, and take automated action like blocking a sign-in or triggering a password reset.
Give people the right level of permissions, only when they need it
The higher the users privileges, the bigger the potential damage if their account gets compromised. Azure AD Privileged Identity Management helps you bring hygiene to your privileged accounts by providing visibility into admin accounts so you can monitor their activity. With this visibility you can revoke permanent privileged access from people who dont need it all the time and give just-in-time privileged access temporarily.
Define special controls for groups and their members
The Dynamic Groups feature automatically adds or removes members from a group based on user attributes that you define. You can use these groups to provide access to applications or cloud resources like SharePoint sites.
Get information on users, groups, and managed applications
Azure AD reporting gives you insight into the detailed activities happening in your environment. View sign-in activities for individual users and understand which applications people are using and whos using them. Audit logs will show you a list of privileged actions, such as role creation, password resets, and changes to groups, as well as show you applications that have been added, updated, or removed.
We encourage you to:
- Learn more about Azure Active Directory by reading through our technical documentation
- Download our whitepaper to learn how EMS supports your GDPR compliance journey
- Explore these capabilities with a free EMS trial
- Learn more about Microsofts commitment to the GDPR and how we can help you on your journey to compliance on Microsoft’s GDPR website
In the next blog post of this series, well be digging into how to protect data in cloud apps with Microsoft Cloud App Security.
Thank you for attention and support!
Enterprise Mobility + Security Marketing Team