Shawn Anderson, Author at Microsoft Security Blog
http://approjects.co.za/?big=en-us/security/blog
Expert coverage of cybersecurity topics

Microsoft identity acronyms—what do they mean and how do they relate to each other?
http://approjects.co.za/?big=en-us/security/blog/2020/03/02/microsoft-identity-acronyms-what-they-mean-how-they-relate/
Mon, 02 Mar 2020 17:00:54 +0000

This is the first in a blog series to help lessen confusion around identity by sharing with you some of the terms used at Microsoft.

The post Microsoft identity acronyms—what do they mean and how do they relate to each other? appeared first on Microsoft Security Blog.

As a security advisor working with one to three Chief Information Security Officers (CISOs) each week, the topic of identity comes up often. These are smart people who have often been in industry for decades. They have their own vocabulary of acronyms that only security professionals know such as DDoS, CEH, CERT, RAT, and 0-Day (if you don’t know one or several of these terms, I encourage you to look them up to build your vocabulary), but they often find themselves confused by Microsoft’s own set of acronyms.

This is the first in a blog series that aims to lessen some confusion around identity by sharing with you some of the terms used at Microsoft. Terms like MFA, PIM, PAM, MIM, MAM, MDM, and a few others. What do they mean and how do they relate to each other?

Multi-Factor Authentication or MFA

Let’s start with what identity means to Microsoft. Identity is the ability to establish, clearly and without doubt, who or what a person, device, location, or application is. This is done by establishing trust verification and identity verification using what Microsoft calls Multi-Factor Authentication or MFA. This is a combination of capabilities that allow the entity to establish trust and verify who or what they are.

MFA is an authentication method in which a computer user is granted access only after successfully presenting two or more pieces of evidence (or factors) to an authentication mechanism: something the user and only the user knows (such as a password or PIN), something the user and only the user has (such as a mobile device or FIDO key), and something the user and only the user is (a biometric such as a fingerprint or iris scan).

Microsoft does this with technologies such as Azure Active Directory (Azure AD) in the cloud combined with Windows Hello. Azure AD is Microsoft’s identity and access management solution. Windows Hello is a Windows capability that allows a user to verify who they are with an image, a PIN, or another biometric. The person’s identity is stored via an encrypted hash in the cloud, so it’s never shared in the clear (unencrypted). A cryptographic hash is a checksum that allows someone to prove that they know the original input (e.g., a password) and that the input (e.g., a document) has not been modified.

Privileged Identity Management or PIM

What is Privileged Identity Management or PIM? Organizations use PIM to assign, activate, and approve privileged identities in Azure AD. PIM provides time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access permissions to sensitive resources.

Key features of PIM include:

  • Just-in-time privileged access to Azure AD and Azure resources.
  • Time-bound access to resources.
  • An approval process to activate privileged roles.
  • MFA enforcement.
  • Justification to understand why users activate.
  • Notifications when roles are activated.
  • Access reviews and internal and external audit history.

Privileged Access Management or PAM

What is Privileged Access Management or PAM? Often confused with PIM, PAM is a capability to help organizations manage identities for existing on-premises Active Directory environments. PAM is an instance of PIM that is accessed using Microsoft Identity Manager or MIM. Confused? Let me explain.

PAM helps organizations solve a few problems including:

  • Making it harder for attackers to penetrate a network and obtain privileged account access.
  • Adding protection to privileged groups that control access to domain-joined computers and the applications on those computers.
  • Providing monitoring, visibility, and fine-grained controls so organizations can see who their privileged admins are and what they are doing.

PAM gives organizations more insight into how admin accounts are being used in the environment.

Microsoft Identity Manager or MIM

But I also mentioned MIM… What is this? Microsoft Identity Manager or MIM helps organizations manage the users, credentials, policies, and access within their organizations and hybrid environments. With MIM, organizations can simplify identity lifecycle management with automated workflows, business rules, and easy integration with heterogeneous platforms across the datacenter. MIM enables Active Directory to have the right users and access rights for on-premises apps. Azure AD Connect can then make those users and permissions available in Azure AD for Office 365 and cloud-hosted apps.

OK, so now we know that:

  • PIM is a capability to help companies manage identities in Azure AD.
  • PAM is an on-premises capability to manage identities in Active Directory.
  • MIM helps organizations manage users, credentials, policies, and on-premises access.

Mobile Application Management or MAM

What’s left… Oh yes: Mobile Application Management or MAM. MAM is important because if organizations can only manage identities, but not the apps, then they miss a key aspect of protecting data. MAM is connected to a Microsoft capability called Microsoft Intune and is a suite of management features to publish, push, configure, secure, monitor, and update mobile apps for users.

MAM works with or without enrollment of the device, which means organizations can protect sensitive data on almost any device using MAM-WE (without enrollment). If organizations enable MFA, they can verify the user on the device. MAM also helps manage which apps the trusted user or entity can access. If you add in the Mobile Device Management or MDM feature of Intune, you can force enrollment of devices and then use MAM to manage the apps.

It’s well known that Microsoft has a lot of acronyms. This is the first in a series of blog posts aimed at assisting you in navigating the acronym forest created by companies and industry. The Microsoft Platform includes a powerful set of capabilities to help encourage users to make the right decisions and gives security leadership, like you, the ability to manage and monitor identities and control access to critical files and network assets.

CISO series: Build in security from the ground up with Azure enterprise
http://approjects.co.za/?big=en-us/security/blog/2018/11/01/ciso-series-build-in-security-from-the-ground-up-with-azure-enterprise/
Thu, 01 Nov 2018 19:00:03 +0000

Shawn Anderson, a former CISO, now meets with CISOs every other week to answer their questions on moving to the cloud and where to start. Today, Shawn shows you how you can use the Azure enterprise scaffold to migrate to the cloud—even in a hybrid-cloud environment.

The post CISO series: Build in security from the ground up with Azure enterprise appeared first on Microsoft Security Blog.

As an executive security advisor at Microsoft and a former CISO, I meet with other CISOs every week to discuss cybersecurity, cloud architecture, and sometimes everything under the sun regarding technology. During these discussions with CISOs and other senior security executives of large enterprises—who are in the beginning stages of a cloud migration—I find they’re excited about the increased flexibility of Microsoft Azure services and the consumption-based model it offers their business units. Regardless of where they are in the journey, they also have some concerns. For example, they need to figure out how to enforce security policies when IT no longer serves as the hub for services and applications.

Specifically, they come to me with the following three questions:

  1. We are interested in Microsoft and already have many of your security solutions. How do these tools translate to a hybrid-cloud solution and where do we start?
  2. Security impacts many parts of the organization outside of the security team. Who do we need to bring to the table across the organization for this to be a successful migration to a secure cloud?
  3. Can we create a roadmap or strategy to guide our journey to the cloud?

It really comes down to balancing agility with governance. Many of my customers have found that the Azure enterprise scaffold and Azure Blueprints (now in preview) can help them balance these two critical priorities. I hope my suggestions and insight help you to understand how to use these tools to smooth your cloud migration.

Establish a flexible hierarchy as the baseline for governance

Scaffolding and blueprints are concepts borrowed from the construction industry. When a construction crew builds a large, complex, and time-consuming project they refer to blueprints and erect scaffolding. Together these tools simplify the process and provide guardrails to guide the builder. You can think of the Azure enterprise scaffold and Azure Blueprints in the same way.

  • Scaffolding is a flexible framework that applies structure and anchors for services and workloads built on Azure. It is a layered process designed to ensure workloads meet the minimum governance requirements of your organization while enabling business groups and developers to quickly meet their own goals.
  • Blueprints are common cloud architecture examples that you can customize for your needs.

Customers find the Azure enterprise scaffold valuable because it can be personalized to the needs of the company for billing, resource management, and resource access. It is grounded in a hierarchy that gives you a structure for subdividing the environment into up to four nested layers to match your organization’s structure:

Enterprise enrollment—The biggest unit of the hierarchy. Enterprise enrollment defines the specifics of your contracted cloud services.

Departments—Within the enterprise agreement are departments, which can be broken down according to what works best for your organization. Three of the most popular patterns are by function (human resources, information technology, marketing), by business unit (auto, aerospace), and by geography (North America, Europe).

Subscriptions—Within departments are accounts and then subscriptions. Subscriptions can represent an application, the lifecycle of a service (such as production and non-production), or the departments in your organization.

Resource groups—Nested in subscriptions are resource groups, which allow you to put resources into meaningful groups for management, billing, or natural affinity. This hierarchy serves as the foundation for security policies and processes that you will layer on next.

Safeguard your identities and privileged access

When I talk with security executives about implementing security policies, we always start our discussion with identity. You can do the same by identifying who and what systems should have access to what resources—and how you want to control this access. Once you connect your Azure Active Directory (Azure AD) to your on-premises Active Directory (AD)—using the AD Connect tool—you can use role-based access control (RBAC) to assign users to roles, such as owner, contributor, or others that you create. Don’t forget to set up Multi-Factor Authentication (MFA) and adhere to the principle of granting the least privilege required to do the work. See Azure identity management best practices for more resources and security tips.

With your hierarchy established and resources assigned, you can use Azure Policy and Initiatives to define policies and apply them to subscriptions.

A couple examples of popular policies include:

  • Restrict specific resources to a geographical region to comply with country or region-specific regulations.
  • Prohibit certain resources, such as servers or data, from being deployed publicly.

Policies are a powerful tool that let you give business units access to the resources they need without exposing the enterprise to additional risk.
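To make the two example policies concrete, the following added example (not code from the post or from Azure) writes them in Azure Policy's `if`/`then` rule syntax and evaluates constructed resource descriptions against them with a small local evaluator. The evaluator is a simplified stand-in for Azure's policy engine that supports only the `field`, `equals`, `in`, `not`, `allOf` and `anyOf` forms used here; the rule documents themselves follow the real definition format, and the parameter value list is an assumed example.

```python
"""Added example: an allowed-locations policy and a no-public-IP policy,
checked by a minimal local evaluator (not Azure's engine).
Resource descriptions and the allowed region list are constructed for the example.
"""

# Policy rules in Azure Policy's if/then definition syntax.
ALLOWED_LOCATIONS_RULE = {
    "if": {"not": {"field": "location", "in": "[parameters('allowedLocations')]"}},
    "then": {"effect": "deny"},
}
NO_PUBLIC_IP_RULE = {
    "if": {"field": "type", "equals": "Microsoft.Network/publicIPAddresses"},
    "then": {"effect": "deny"},
}
RULES = [ALLOWED_LOCATIONS_RULE, NO_PUBLIC_IP_RULE]

# Assumed parameter values: regions this organization is allowed to deploy into.
PARAMETERS = {"allowedLocations": ["westeurope", "northeurope"]}

_PREFIX, _SUFFIX = "[parameters('", "')]"


def _norm(value):
    """Azure compares string values case-insensitively; mirror that here."""
    if isinstance(value, str):
        return value.lower()
    if isinstance(value, list):
        return [_norm(v) for v in value]
    return value


def resolve(value, params):
    """Resolve the "[parameters('name')]" reference form; pass literals through."""
    if isinstance(value, str) and value.startswith(_PREFIX) and value.endswith(_SUFFIX):
        return params[value[len(_PREFIX):-len(_SUFFIX)]]
    return value


def condition_matches(cond, resource, params):
    """Evaluate one condition block against a resource description (a dict)."""
    if "not" in cond:
        return not condition_matches(cond["not"], resource, params)
    if "allOf" in cond:
        return all(condition_matches(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(condition_matches(c, resource, params) for c in cond["anyOf"])
    # A missing field evaluates to None, so "not in allowedLocations" still denies.
    actual = _norm(resource.get(cond["field"]))
    if "equals" in cond:
        return actual == _norm(resolve(cond["equals"], params))
    if "in" in cond:
        return actual in _norm(resolve(cond["in"], params))
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(resource, rules=RULES, params=PARAMETERS):
    """Return the effects triggered for a resource; an empty list means it is allowed."""
    return [r["then"]["effect"] for r in rules if condition_matches(r["if"], resource, params)]


if __name__ == "__main__":
    # Constructed deployments to check against the policies above.
    samples = [
        {"name": "vm-eu", "type": "Microsoft.Compute/virtualMachines", "location": "WestEurope"},
        {"name": "vm-us", "type": "Microsoft.Compute/virtualMachines", "location": "eastus"},
        {"name": "pip-eu", "type": "Microsoft.Network/publicIPAddresses", "location": "westeurope"},
        {"name": "no-loc", "type": "Microsoft.Storage/storageAccounts"},
    ]
    for res in samples:
        print(f"{res['name']:8s} -> {evaluate(res) or ['allowed']}")
```

The shape to notice is that the region rule is written as a negation (`not ... in`): anything outside the allowed list, including a resource with no location at all, is denied, which is the safer default for a compliance boundary. The same rule documents can be assigned at subscription or resource-group level in the hierarchy described above.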

You will also need a plan for securing privileged accounts. I recommend creating a privileged access workstation when you start building out your security forest for administrators. Privileged access workstations provide a dedicated operating system for sensitive tasks that separates them from daily workstations and provide additional protection from phishing attacks and other vulnerabilities. With a good identity and access policy in place you have started down the path of “trust but verify” or building a “zero-trust” environment.

Gain greater visibility into the security of your entire environment

One big advantage of moving to the cloud is how much more visibility you get into the security of your environment versus on-premises. Azure offers several additional capabilities that allow you to protect your resources and detect threats. The Azure Security Center provides a unified view of the security status of resources across your environment. It includes advanced threat protection that uses artificial intelligence (AI) to detect incoming attacks and sends alerts in a way that’s easy to digest. Security DevOps toolkits are a collection of scripts, tools, and automations that allow you to integrate security into native DevOps workflows. Azure update management ensures all your servers are patched with the latest updates.

Get started with Azure Blueprints

Using the scaffolding and blueprints framework can help you establish a secure foundation for your Azure environment by safeguarding identities, resources, networks, and data. I’ve touched on a few of the components, and you can dig into the nitty gritty in this article. When you’re ready to get started, Azure Blueprints are available in preview. This capability will allow you to deploy the Azure enterprise scaffold model to your organization. Numerous organizations have used the blueprints and followed the scaffolding approach to successfully roll out their cloud strategy securely and faster than they expected.

As a final note of consideration as you work through your organization’s cloud/security strategy—make sure you have all the stakeholders in the room. Many times, there are other parts of the organization who own security controls but are outside of the security organization. These might include operations, legal, human resources, information technology, and others. These stakeholders should be brought into the scaffolding and blueprint discussions, so they understand their roles and responsibilities as well as provide input.

If you want to discuss this further or need assistance, please reach out to your Microsoft account team. Also, learn more at our CISO series page.
