Introduction
In our blog series, we have been going through the pillars that make up an effective Cybersecurity strategy (check out the original article if you haven’t already!). The four pillars — Identity Solutions, Device Management, Device Security, and SAAS application security — are all important individually, and tools should be selected in accordance to the requirements of your organization. However, it is equally important to consider the interaction of each of these pillars, and how the interplay can contribute to your overall security strategy. This enhances the robustness of your security strategy, and allows you to run it most effectively - both in terms of cost savings and management requirements (think reducing duplicative activities, and manual complex requirements). However, it can be challenging to apply this principle to reality.
Take, for instance, the scenario of managing devices in the Microsoft ecosystem with an identity solution that isn’t Microsoft. When a Windows device is not joined to Entra (Microsoft’s identity solution tool), we see a series of challenges arise in managing these accounts and ensuring that the security measures are effectively enacted across the security pillars of device management and identity solutions. This article provides an overview of how to handle this situation, laying out some existing solutions, and equipping you with the right questions to ask to make sure this is not an issue that is being overlooked within your organization.
Getting the Lay of the Land: How to think about the interaction between your Identity Solution and your Device Management Solution
When you are looking at how to secure your organization, there are different components that need to be taken into consideration. As discussed above, the interplay of different security pillars is just as important as the individual functionality of these pillars. So lets start by taking a look at the different components that you should be securing within your business:
While each of these components do map to specific primary security tools (for instance, users and accounts to Identity Solutions, and endpoints to Device Management), there is also overlap across them all, and being able to integrate them is a vital part of an effective (and efficient!) security strategy. Take for example, device and identity mapping, which is the process by which the specific devices in use are mapped to the accounts and user using them. A good security strategy can effectively ingrate Identity Provider and Device Manager for tasks like user account recovery, inventory tracking, and zero-touch configuration. If the two were separate, it would be challenging to execute on these important actions.
As an organization builds out their security toolkit across the key pillars, certain complications can arise when trying to effectively integration between different tool. One of the most challenging, and the topic we’re discussing today, is managing Windows devices when your identity solution lies outside of the Microsoft ecosystem.
What are the challenges if a Windows device is not enrolled in Microsoft Entra or not managed by Intune?
An organization may not choose Microsoft Entra as their IdP for a variety of reasons. The functionality or cost of other IdPs, such as Okta or Google Workspace, may lead an organization to choose those over Entra. Additionally, if they are already set up with a different tool they may be reluctant to doing a migration, due to the high thrash and burden to execute.
However, there are some unintended impacts that arise if you are choosing to manage some elements outside of the Microsoft Ecosystem. Opting to use a platform like JumpCloud or Kaseya, and operate outside of the Microsoft Ecosystem means you are not benefitting from the holistic powerhouse of Windows Device management, and devices do not have access to some features of the security toolkit, resulting in a worse user experience and increased risk exposure for these devices — for example, user being unable to do a password reset, or use Windows Autopilot, (which is the Windows equivalent of “zero-touch” deployment). Additionally, the configuration of Windows devices without Entra and Intune is harder to manage (resulting in a heavier burden on the security team).
What are the solutions?
This is a general challenge that faces organizations and security professionals, and in short there isn’t a great answer that solves this problem in a simple, clean way. If you're going to be using Windows devices without Entra as your primary IdP, you want to still be able to effectively manage those devices and allow a customer using a different primary IdP to have users enroll Windows devices without having to manage a second AzureAD-only account. There’s a couple ways to think about this:
So, how should you approach this if it applies to your organization?
Interested in learning more on this topic? Check out our latest article: What cybersecurity tools do you need to build and effective security strategy? and our other articles here.
To stay up to date on Company news, follow us on LinkedIn.