Rapid Modernization Plan for Red Forests in hybrid environments

A Rapid Modernisation Plan (RAMP) is necessary to make Red Forests in a hybrid IT infrastructure more secure. In many cases, companies rely on an Enhanced Security Admin Environment (ESAE) for maximum security in Active Directory. This approach is a highly secure standard for local environments with separate overall structures and Red Forests. However, the modernisation is required in IT structures using Entra ID.

The use of Entra ID requires modernization

ESAE (often referred to as Red Forest, Admin Forest, or Hardened Forest) is optimized for operating on-premises AD environments. We recommend reading our article Deploying Red Forest and IAM in Active Directory environments.

We will use Zero Trust and other technologies that extend the classic ESAE approach to the cloud to update highly secure ESAE environments while using Entra ID in parallel. The way to this ultra-modern hybrid environment runs through Microsoft’s Rapid Modernization Plan (RAMP). In this article, we will show you what is important in this context and which new technologies play an important role.

RAMP with ESAE, Red Forest and Hardened Forest

For companies relying on the ESAE approach and having highly secure Red Forests or Hardened Forests in place, RAMP helps to bring the environment up to date when Entra ID is used in parallel. RAMP integrates modern security technologies like Zero Trust and the Privileged Access Strategy into existing environments to modernize them and protect against cyber-attacks targeting Azure AD / Entra ID.

ESAE focuses on dividing servers and workstations into tiered-models for management. Even if this is currently very secure, it should be expanded with Zero Trust and Privileged Access Strategies. If you use or plan to use Entra ID, Microsoft recommends combining Zero Trust and Privileged Access Strategy with ESAE. Microsoft supports this update with the Rapid Modernization Plan (RAMP). With this plan, companies bring their security environment to a modern state, recommended by Microsoft for integration into hybrid environments and protection against modern cyber-attacks.

RAMP integrates Privileged Access Strategy into Red Forests

The focus of the Rapid Modernization Plan is on implementing the Privileged Access Strategy in on-premises environments to prepare them for hybrid use and modern cyber-attacks. The Privileged Access Strategy supports on-premises Active Directory and Entra ID in parallel. This new security standard addresses security gaps that cybercriminals can exploit to successfully attack on-premises AD. The focus is on protecting the environment from increasingly sophisticated phishing attacks. These were not integrated into ESAE.

RAMP integrates the Privileged Access Strategy to protect not only AD and Entra ID but also critical business applications. These applications may be in the cloud and connected to Entra ID. User accounts in Entra ID often originate from AD and are synchronized via tools like Entra ID Connect.

To protect these new structures, modern security technologies are needed that go beyond what ESAE was originally designed for. RAMP integrates plans and structures to better protect privileged user accounts, building on the ESAE approach and further developing it.

RAMP introduces emergency accounts: Breaking Glass Accounts

As privileged user accounts, including admin accounts, are further secured by RAMP, administrators may inadvertently lock themselves out of the environment, such as Entra ID and Microsoft 365 / Teams. To prevent this, RAMP integrates new accounts called Breaking Glass Accounts.

These are emergency accounts used when access to the environment with other admin accounts is no longer possible. Such accounts are important not only in the context of Entra ID but also when using AWS, GCP, or other cloud services. Setting up such accounts should be done in parallel with securing privileged accounts.

New security services: Entra ID Privileged Identity Management and Entra ID Identity Protection

Securing accounts in Entra ID is done through Azure services like Privileged Identity Management and Identity Protection. It is expected that these services will receive new names with the renaming to Entra ID, but the functionalities will remain the same. To use these services, subscriptions to Entra ID Premium P2 or Enterprise Mobility + Security E5 are required.

Additionally, the Just-in-Time approach should be applied, where privileged accounts only get access when needed and for a limited time. This applies not only to Entra ID but also to on-premises AD environments with the ESAE approach. Extensions to the security structure may also be necessary here.

Microsoft Defender for Identity to protect Entra ID and on-prem AD

For additional protection of identities in Entra ID and on-premises Active Directory environments, Microsoft recommends using Microsoft Defender for Identity. The service monitors the use and management of user accounts in on-premises Active Directory and, concurrently, in Entra ID.

ⓘ The management of on-premises, hybrid, and Red Forest user identities can also be improved with IAM systems.

When both worlds are used in hybrid environments, using Microsoft Defender for Identity is advisable. The service is a central element of the Rapid Modernization Plan and the Privileged Access Strategy. It immediately detects suspicious behavior of user accounts, informs administrators, and automates tasks to protect the environment.

 

Modernizing on-premises Active Directory with RAMP

RAMP focuses not only on securing accounts in Entra ID in conjunction with on-premises Active Directory but also on modernizing on-premises accounts. RAMP extends the existing security structures of ESAE and brings them up to date.

On-premises AD management still occurs through Privileged Access Workstations (PAWs). These continue to exist with the new approaches to logging in to Entra ID. Logging in to PAWs should only be done with accounts specifically created for this purpose in these infrastructures.

Administrators typically work with at least two accounts. One account is used for managing Active Directory and is used on a PAW. The other account is used by the administrator for their daily work. Depending on the environment, it is possible that an admin may have multiple accounts for managing different environments.

It is important in this approach that administrators do not share accounts. RAMP clearly specifies that each administrator should have their own account. If multiple administrators manage an environment, they need their own account, which is used only for logging in to the PAW. This should already be the case with ESAE, but is an extra planning point due to the modernization with RAMP.

Multifactor authentication and passwordless login come into play

In Entra ID, multifactor authentication and passwordless login also come into play with RAMP. MFA can also be used in local AD environments and should be considered as an option in order to bring the environment up to current security standards.