Starting from ground 0
Active Directory is currently installed in over 90% of the Fortune 1000 companies. Because of its prevalence, and the value of the information it maintains, we know it's a primary target for threat actors.
To protect Active Directory and other assets of similar sensitivity, Microsoft introduced the concept of the Red Forest, a security architecture designed to protect Active Directory forests from cyberattack. The Red Forest isolated a hardened administrative forest from the other forests, using buffer zones and policies to restrict activity. This concept, also known as Enhanced Security Admin Environment (ESAE), came about in 2014.
The separation of high value, highly sensitive forests in Active Directory from other systems and assets is critically important to protect the content housed within. Using the most modern approach available at any given time will help to thwart threat actors who are continuously searching for a way to infiltrate your directories.
EAM – a more modern approach
A lot has changed since 2014. Today, directories are under constant attack. ESAE was abandoned due to its complexity and its inability to cover every administrative use case. Microsoft introduced the Enterprise Access Model (EAM) in 2020 as a more modern approach to assigning and managing privileges. This is where Tier 0 comes into play.
EAM was developed to support hybrid environments which can be highly complex. The key elements of EAM can be split into Planes, otherwise known as Tiers, based on the sensitivity of the functionality and data being protected. The Planes or Tiers of EAM can be differentiated as follows:
- Control Plane. This plane holds the Tier 0 assets. The control plane involves access control and resource management and also manages how data is processed. It is the most sensitive and most targeted plane, and is typically the focus of Zero Trust initiatives. Active Directory is a Tier 0 asset, along with domain controllers and identity management solutions.
- Management Plane. This includes Tier 1 assets and involves the IT management functions and workload management. Tier 1 assets include Azure Resource Manager as well as desktop management systems.
- Data/Workload Plane. This plane is where user applications sit and where workloads are executed and data is processed. Examples of data and workload plane systems include EC2 instances, Kubernetes, and any solutions and services that manage the movement of data throughout the environment.
- Access Plane. This includes user and application access. These are typically Role Based Access Control (RBAC) solutions and other solutions that provide resource access.
Tier 0 protection involves identifying the highly privileged objects in Active Directory and segregating them from all other objects; this includes Active Directory itself. Threat actors target Active Directory because it provides the virtual keys to the kingdom. If a threat actor is able to breach a privileged account in Active Directory, they can gain control of the network. Once they have gained access, they often move laterally through the environment to gain control of computers and systems that are not adequately protected. Then they wait until an account with greater privileges logs on and provides them with high-value access to critical information.
Why is Tier 0 important?
The value in understanding Tier 0 is in the design and execution of a strategy that protects these business-critical assets from attack. This modern approach uses strategies and tactics to segment the Control Plane from lower-tier assets to ensure that, should a breach occur, that threat actor can go no further than the Tier they infiltrate. They don't have the ability to move through the stack to access workloads or data. This protection affords businesses the time they need to intercept a threat actor before they cause harm.
Other ways to protect Tier 0
Taking this a step further, the introduction of Just-in-Time privilege elevation can reduce the amount of standing privilege in the organization, thereby reducing the attack surface. Just-in-Time privilege elevation reduces the number of accounts with standing privilege: rights are granted only to the accounts that need them, only when they need them, and are deprovisioned when no longer needed. This effectively reduces the amount of standing privilege, which is the avenue threat actors so often exploit. By offering threat actors fewer avenues into the environment, you provide an even greater level of protection for your Tier 0 assets.
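The two practices above, identifying the standing members of Tier 0 groups and replacing standing membership with a time-bound grant, as an added example that is not part of the original post. It assumes the RSAT ActiveDirectory module, a domain-joined administrative session, and for the JIT part the Privileged Access Management optional feature enabled in the forest; the account name `ops-jdoe` is a placeholder.

```powershell
# Added example (not from the post): audit standing Tier 0 group membership, then
# grant a time-bound (JIT) membership using the AD PAM feature's member TTL support.
Import-Module ActiveDirectory

# Built-in groups whose standing membership should be as close to empty as possible.
$tier0Groups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'

function Get-Tier0StandingPrivilege {
    param([string[]]$Groups = $tier0Groups)
    foreach ($g in $Groups) {
        # -Recursive expands nested groups so indirect paths into Tier 0 are visible.
        Get-ADGroupMember -Identity $g -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |
            ForEach-Object {
                $u = Get-ADUser $_.DistinguishedName -Properties LastLogonDate
                [pscustomobject]@{
                    Group     = $g
                    User      = $u.SamAccountName
                    Enabled   = $u.Enabled
                    LastLogon = $u.LastLogonDate
                }
            }
    }
}

# Report standing privilege; disabled or stale accounts that still hold Tier 0 rights
# are the first candidates for removal.
Get-Tier0StandingPrivilege |
    Sort-Object Group, User |
    Format-Table Group, User, Enabled, LastLogon -AutoSize

function Grant-Tier0Jit {
    param(
        [Parameter(Mandatory)][string]$User,
        [string]$Group   = 'Domain Admins',
        [int]$Minutes    = 60
    )
    # Membership expires automatically when the TTL lapses, so no standing privilege remains.
    Add-ADGroupMember -Identity $Group -Members $User `
        -MemberTimeToLive (New-TimeSpan -Minutes $Minutes)
    # Show the remaining TTL on each member so the grant can be verified and logged.
    (Get-ADGroup -Identity $Group -Properties member -ShowMemberTimeToLive).member
}

# Placeholder account: a 60-minute Domain Admins membership instead of a permanent one.
Grant-Tier0Jit -User 'ops-jdoe' -Minutes 60
```

Members granted with a TTL appear in the output as `<TTL=seconds,DN>` entries, which is what a reviewer should expect to see instead of plain distinguished names.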
About the Author: Richard Lambert's enthusiasm for cybersecurity and secure enterprise architecture is unmatched. He is a Subject Matter Expert in Safeguard and has worked with the platform for over six years. Richard serves as a Presales Product Architect at One Identity, where he has been part of the AD Management and Security Presales Team since 2019. Prior to joining One Identity, he worked as a Professional Services Consultant for various Quest/One Identity partners as well as the Federal Team at Dell Software. Since 2006, Richard has deployed Active Roles worldwide across nearly every industry and continues to lead Active Roles bootcamps. A native of southeast Florida, he holds a B.S. in Computer Science from Florida Atlantic University.
Richard Lambert — Presales Product Architect at One Identity