After experiencing issues during the AWS strikes in the UAE, it became clear that our incident response planning had major gaps. With parts of our identity stack, including Azure Entra for SSO and various authentication services, going offline, we struggled to determine what systems could still authenticate users. Surprisingly, many legacy applications with local accounts and some custom-built tools continued operating as usual despite the SSO outage. This situation highlighted a critical blind spot: if a targeted attack had occurred, we would have been oblivious to what was still accessible.
For others managing hybrid environments, how do you ensure you can see authentication paths that don't rely on your primary identity provider? We discovered our SIEM only shows flows through Azure Entra, leaving everything else unseen until it breaks or we conduct manual audits. We're looking for strategies that work with both modern SSO-enabled applications and older systems that use their own authentication methods. How can we effectively map out the entire authentication landscape, beyond just the straightforward path through our identity provider?
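One concrete way to start answering the question above, as an added example that is not part of the original thread: normalise authentication events from every log source you can collect, not just the IdP's sign-in log, into one inventory keyed by the system logged into and the party that actually verified the credential, then list the systems that would still accept logins with the IdP offline. The three log formats below are constructed for the example (an Entra sign-in export as JSON lines, a Linux sshd auth.log, and a hypothetical legacy application's key=value login log); real exports will need their own parsers, and the parsers here assume those shapes.

```python
"""Authentication-path inventory from heterogeneous auth logs (added example)."""
import json
import re
from collections import defaultdict
from dataclasses import dataclass

IDP = "entra"  # label for the primary identity provider whose outage we model


@dataclass(frozen=True)
class AuthEvent:
    system: str            # what the user authenticated to (app, host, service)
    principal: str         # the account used
    identity_source: str   # who verified the credential: the IdP or "local"
    method: str            # protocol / credential type as reported by the source


# --- constructed sample logs (not real data) -----------------------------
ENTRA_SIGNIN_LOG = """
{"userPrincipalName":"alice@example.com","appDisplayName":"Payroll","status":"success","authenticationProtocol":"oauth"}
{"userPrincipalName":"bob@example.com","appDisplayName":"Wiki","status":"success","authenticationProtocol":"saml"}
{"userPrincipalName":"carol@example.com","appDisplayName":"Payroll","status":"failure","authenticationProtocol":"oauth"}
"""

SSHD_AUTH_LOG = """
Mar  3 10:01:12 jump01 sshd[2211]: Accepted publickey for alice from 10.0.0.5 port 51000 ssh2
Mar  3 10:02:45 db02 sshd[914]: Accepted password for root from 10.0.0.9 port 51231 ssh2
Mar  3 10:03:02 db02 sshd[915]: Failed password for root from 10.0.0.9 port 51232 ssh2
"""

# Hypothetical legacy application log format; an assumption for this example.
LEGACY_APP_LOG = """
2024-03-03T10:04:00Z app=billing event=login user=bob result=ok auth=local_password
2024-03-03T10:04:30Z app=billing event=login user=svc_report result=ok auth=local_password
2024-03-03T10:05:00Z app=wiki event=login user=bob result=ok auth=sso
"""


def parse_entra(text):
    """Successful IdP sign-ins. Every event here was verified by the IdP."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        if rec.get("status") != "success":
            continue  # a failed sign-in does not prove a usable path
        events.append(AuthEvent(rec["appDisplayName"].lower(), rec["userPrincipalName"],
                                IDP, rec["authenticationProtocol"]))
    return events


SSHD_RE = re.compile(r"^\S+\s+\d+\s+[\d:]+\s+(?P<host>\S+)\s+sshd\[\d+\]: "
                     r"Accepted (?P<method>\w+) for (?P<user>\S+) from")


def parse_sshd(text):
    """Accepted sshd logins. sshd checked the key or password itself, so the source is local."""
    events = []
    for line in text.strip().splitlines():
        m = SSHD_RE.match(line)
        if m:
            events.append(AuthEvent(m["host"], m["user"], "local", m["method"]))
    return events


KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_legacy(text):
    """Successful logins from the hypothetical legacy app; auth=sso means the IdP verified it."""
    events = []
    for line in text.strip().splitlines():
        kv = dict(KV_RE.findall(line))
        if kv.get("event") != "login" or kv.get("result") != "ok":
            continue
        source = IDP if kv["auth"] == "sso" else "local"
        events.append(AuthEvent(kv["app"], kv["user"], source, kv["auth"]))
    return events


def build_inventory(events):
    """system -> {identity_source -> set(principals)}."""
    inv = defaultdict(lambda: defaultdict(set))
    for e in events:
        inv[e.system][e.identity_source].add(e.principal)
    return inv


def paths_surviving_idp_outage(inventory, idp=IDP):
    """Systems still accepting logins with the IdP down, and through which accounts."""
    out = {}
    for system, sources in inventory.items():
        non_idp = {src: sorted(p) for src, p in sources.items() if src != idp}
        if non_idp:
            out[system] = non_idp
    return out


def idp_blind_spots(inventory, idp=IDP):
    """Systems the IdP sign-in log never sees: invisible to an IdP-only SIEM view."""
    return sorted(s for s, sources in inventory.items() if idp not in sources)


def run():
    events = parse_entra(ENTRA_SIGNIN_LOG) + parse_sshd(SSHD_AUTH_LOG) + parse_legacy(LEGACY_APP_LOG)
    inv = build_inventory(events)
    return paths_surviving_idp_outage(inv), idp_blind_spots(inv)


if __name__ == "__main__":
    surviving, blind = run()
    for system, sources in surviving.items():
        print(f"{system}: stays reachable via {sources}")
    print("never seen by the IdP:", blind)
```

On the constructed data the report lists jump01, db02 and billing as reachable with the IdP down (all through local accounts, including root over password on db02), and the same three as systems the IdP log never shows. The point of the split between "surviving paths" and "blind spots" is that a system can appear in both views: the wiki above is reached both through SSO and, had there been a local login, through a path the IdP would not record. Feeding every source you can find into the same inventory, and treating any system absent from the IdP's log as unknown until audited, is what turns the manual audit into a repeatable check.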
3 Answers
To uncover all access points, you could perform an internal audit using a ghost user account or device that bypasses your standard authentication services. It’s a little tedious, but you might be surprised by what you find. You could also consider hiring pen testers to help with this—it’ll give you a clearer priority list on what to address. I feel for you, though; dealing with SSO issues can be a real headache!
Honestly, it's concerning that this wasn't part of your disaster recovery or business continuity planning. In situations like these, you should have a contingency in place. If I were managing this, I would definitely re-evaluate the IT planning teams involved and consider some serious training or restructuring.
It sounds like you might want to consider implementing a hybrid model that includes local instances of Entra Domain Services. This way, even if your cloud services go down, you can still authenticate locally and minimize disruptions. I've seen setups where teams maintain small VMs on-premise specifically for this purpose, allowing them to log in without major issues during outages. It might be worth exploring if that fits your organization’s infrastructure!
That’s a smart approach! Even just having some small VMs can save you from a lot of downtime, especially if you have limited bandwidth between sites.

Right? A well-structured BCP is essential. It’s not just about having the infrastructure; it’s about planning for the worst-case scenario.