Manage Device Identity


Time
22 hours 10 minutes
Difficulty
Intermediate
CEU/CPE
24
Video Transcription
Hey everybody and welcome back. In this lecture, we're going to be talking about managing your device identity within Azure AD. The learning objectives for this are going to be to explore how device identity works with Azure AD, like how it ties into that. Then we want to discover the device registration options: how you can basically connect your devices to Azure AD, how that whole process works. Then we're going to follow that up with exploring Conditional Access.

The basics of device identity are as follows. You can manage the device identity and protect corporate devices. What that means is you want to protect the corporate data that's on devices. You want to protect the resources, like the applications, what resources the device can manage and what kind of assets it can manage. You want to protect when it accesses those resources and put conditional policies in place to prevent things like impossible travel from happening. Maybe you want to monitor those devices to ensure that impossible travel doesn't happen, and for those of you that don't know what that is, impossible travel just basically means I live and I work out of New York and I log in, and within five minutes, my same account and my device, or my account, magically logs in from an IP based in LA. That right there is impossible travel because there's no way I could get from one point to another within five minutes, so we want to block that. That'd be an indicator of compromise, and we can detect these things and we can protect our devices by shutting devices down from accessing critical resources that are valuable to an organization when things like this occur. That's just a brief example.

With device identity, we can implement a framework once we've fine-tuned the policies and the process that we have in place for how we want to protect laptops and phones and what have you, whether it be like a BYOD situation, where employees are allowed to bring their own devices, or it's a situation where the organization provides the devices. We can set up a framework and make the deployment of our security controls on these devices much more streamlined. If it's not going to be security controls on devices because we don't own the devices, like a BYOD, we can at least restrict how those devices engage with our critical assets, that whole sensitive data.

In addition to all that, by leveraging the device identity solution within Azure AD, we're able to also leverage something called Microsoft Intune, which helps us with device compliance because it secures, because it acts as an MDM and an MAM solution, which basically is your mobile device management solution and your mobile application management solution as well. Again, this is the coined term for managing a device and how it engages in the environment, and an MAM would be managing what applications the device is allowed to install and what it can do with those applications. A little bit more granular at a different level, but these are just some of the wonders that you can have, the granular control and the security that you could have by leveraging device identity.

Some ways that you can tie in your devices, register them into your Azure environment, are as follows. We can do something called Azure AD registered, which is basically when the user brings in their own device. Maybe they have an Android device or they have their own laptop. Maybe the organization issued them their own computer, but they're also allowed to leverage some personal stuff. I do this on my own sometimes, where I want to maybe log in to my work account and put in a PTO request, and I can do that because my organization allows me to do that on my own device. I don't have to necessarily tie into the corporate-issued device that I was given. I can do that on my own on my BYOD device. You can also, in this type of situation, put certain policies in place to prevent end users from using things like rooted Android devices or jailbroken iPhones to access the company resources or from logging into something like Outlook. Obviously, we would want to do that because in those situations, those devices could be compromised. We don't know the type of software that's being installed on those devices, so we want to protect our organizational assets and our data. We might inspect the device to make sure that we want to check for those types of changes in the hardware before allowing the end user to log in.

In another situation, we can do what's called an Azure AD joined method of registration, which basically is when the organization actually owns and manages the devices being provided and the devices tie in directly into an Azure AD environment. In this situation, there is no Active Directory server on-premise; everything ties into the Cloud. Then on the flip side, we have the hybrid Azure AD joined environment, where we do have Active Directory servers sitting on-premise, and as you can see here, there are some differences. With Azure AD joined, we are able to support Windows 10 operating systems and Windows Server 2019 devices, 2019 servers. [LAUGHTER] Then with hybrid Azure AD joined, we can go back a little bit, and that will insist some of the legacy operating systems like Windows 7, 8.1, Windows 10, which is current. But we can also mess around and tie in and register Windows servers that are 2008 or even later than that, which we don't recommend. But if you have to, you can do that.

To wrap this lecture up, I want to talk about Conditional Access control, and with Azure we have something called common signals. This allows us to establish policies in place on what users and devices can and cannot do. Some examples of that would be with users and group membership: we could set policies in place that are targeted to specific users, giving administrators fine-grained control over what access they have to resources, and maybe servers or data or files or whatever file stores within the hybrid environment. We could set IP location information or restrict where users can log in from. We know that a user is going to be based out of a certain state, we know that they do not travel, they're based out of that one particular office, so we can say yes, allow them access to the sensitive marketing storage that we have in our server or in our Cloud storage. They can do their work as long as they're sitting in the IP block that's already predefined and is okay; it already checked the box. We're good to go there, so he's compliant or she's compliant. If they come out of that area, we block that access, so they cannot get into there. Another thing we can do is something called device state, which basically says, the device is compliant, we go ahead and allow them in, or the device is not compliant, we do not allow them in. This could be done with an MDM or something like that. There's a lot of other options we have here. Using common signal types, we are able to restrict the type of access that users and devices have to things that we want them to make sure that they should be having access to. This is a way to ensure that we're being secure, that we're doing our due diligence, or the end users are in a good standing and they're not compromised, that the right people are accessing the sensitive things, the data and the information that they need to access.

One common example of this, there's a lot of examples, but one common one would be like, maybe we want an end user to make sure that they authenticate and do a multi-factor authentication before they access the sensitive info that they're trying to access. If they can't do a multi-factor, then no cigar for you there buddy, you can't get in, and that's just what we're going to do. That would be a good example, and you can do that using the device identity solution that's provided to you through Azure AD.

To summarize this lecture up, we covered the basics of device identity in Azure. We also talked about how you can register your devices, different methods that you have there, and then we talked about access control for devices. If you have questions or you're curious about learning more, the Azure documentation is super helpful, but you can always reach out to me online. Feel free to do that and I'd be happy to answer any questions you might have. If I don't know the answer, we can definitely explore it together. That about wraps up this lecture. I will see you guys in the next one.