Active Directory and Microsoft 365 Security: Predictions for 2021

The gooey sentimentality and biting sarcasm about what I got right in my 2020 predictions are over. Now it’s time to focus on 2021 and what awaits Active Directory and Microsoft 365 admins who are tasked with securing, managing and migrating users and data in their hybrid Microsoft environments. Let’s go!

2021 theme: Digital resilience

When I sat down with our various Quest security, migration and Microsoft 365 experts to collect our thoughts on where 2021 would take our customers, it became clear that a single theme is driving all of our predictions: digital resilience.

Organizations are facing massive business disruptions, an economy that wants to recover but just can’t get up off the mat, and nimble competitors already on their feet and taking swings. Meanwhile, our networks and datasets are increasingly complex, interwoven, and global and yet local. Digital resilience turns crisis into opportunity by enabling organizations to leverage cloud technologies to find insights, connect people, and ultimately develop new and creative ways to deliver their services and goods. If the global pandemic has taught us anything about business, it’s that the organizations who digitize are the organizations who survive and thrive.

With that in mind, here are my top eight predictions for 2021, in brief. There are links included to more in-depth discussions of each prediction — and how you can get prepared.

1. Ransomware victims will face government lawsuits.

For as long as there has been cybercrime, federal authorities have been eager to identify, investigate and sanction the perpetrators. Recently, they even investigated pressing homicide charges when a ransomware attack against a healthcare organization led to a death.

Now, however, authorities are threatening to impose fines on any victim organization that pays the ransom to unlock their data. Why? Authorities are frustrated at the number of unreported ransomware attacks and concerned that paying ransom leads to more attacks. In particular, the U.S. Department of the Treasury announced it will file civil suits against not only the victims who pay ransom, but also the cybersecurity consultants assisting in the recovery efforts, the intermediaries brokering the deal with the ransomware perpetrator and even any insurance providers who encourage a payout.

This is just the nudge that organizations need to invest in immutable or air-gapped backups and fully tested recovery processes.

Read the full post on Prediction #1: Ransomware Victims Will Face Sanctions

2. Forget headline-making data breaches and DoS attacks; the battle for your org’s reputation is going to be waged in a whisper campaign.

A big data breach in the headlines is bad for any organization — but think back to the Target breach a few years ago. I for one got over it and went back to giving them my money. (Judging by how their stock price has risen, I’m not the only one.) Similarly, DoS attacks are bad, but they end.

In 2021, we’ll see a new type of attack that targets an organization’s ability to conduct business and gain market share: dynamic denial of reputation attacks. Just like a consumer’s credit score, an organization’s digital reputation is made up of lots of calculations. Factors like sender reputation, URL reputation and domain reputation determine whether you’re put on a threat protection service’s untrusted list. Once you’re on that list, your emails and website are blocked, which prevents you from doing business with your customers.

Dynamic denial of reputation turns the very tools used to defend organizations against those same organizations. In 2021, we’ll see hacktivists, nation-state actors and even bitter competitors get in the game of smearing an organization’s digital reputation — and companies looking for technologies and products to help them fight back.

Read the full post on Prediction #2: Expect Dynamic Denial of Reputation Attacks

3. Zerologon will continue to haunt us into 2021.

Zerologon is a critical vulnerability in the Windows Netlogon Remote Protocol (MS-NRPC), which Microsoft disclosed in August 2020. By exploiting this flaw, a hacker can impersonate any computer, including the root domain controller.

How serious is Zerologon? The industry-standard Common Vulnerability Scoring System (CVSS) assigned it a score of 10 — the maximum severity rating for a software flaw. Homeland Security’s Cybersecurity & Infrastructure Security Agency (CISA) even issued an emergency directive requiring all civilian government agencies to patch the vulnerability immediately. Until every single domain controller is updated, your entire IT infrastructure remains vulnerable. Externally exposed systems are not the only risk; Zerologon offers any cybercriminal who already has a foothold in your network a perfect opportunity to escalate their privileges and complete their attack.

Not surprisingly, attackers have been actively targeting the flaw. But many organizations still haven’t even applied the patch Microsoft released in August. And guess what? That patch isn’t a complete solution; Microsoft promises a more complete patch in Q1 2021 that everyone will need to deploy. Active Directory admins can expect lots of headaches.
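As an added example (not from the original post), here is a PowerShell check a defender can run to see which domain controllers are actually in Netlogon enforcement mode and which are still allowing vulnerable secure channel connections. It assumes the ActiveDirectory module, WinRM access to the DCs, and rights to read their registry and System event log; the registry value and event IDs are the ones Microsoft documents for the CVE-2020-1472 fix.

```powershell
# Added example (not from the original post): report the Zerologon hardening state of every
# domain controller. Assumes the ActiveDirectory module, WinRM access to the DCs, and rights
# to read their registry and System event log.
Import-Module ActiveDirectory

# Registry value from Microsoft's CVE-2020-1472 deployment guidance: 1 = enforcement mode.
# If the value is absent, the DC is running with the defaults of whatever update it has.
$regPath  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$lookback = (Get-Date).AddDays(-7)

$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

$report = foreach ($dc in $dcs) {
    Invoke-Command -ComputerName $dc -ArgumentList $regPath, $lookback -ScriptBlock {
        param($regPath, $lookback)

        $mode = (Get-ItemProperty -Path $regPath -Name FullSecureChannelProtection `
                    -ErrorAction SilentlyContinue).FullSecureChannelProtection

        # NETLOGON events in the System log added by the fix (absent on an unpatched DC):
        #   5829        vulnerable secure channel ALLOWED (DC still in initial-deployment mode)
        #   5827/5828   vulnerable secure channel DENIED (machine account / trust account)
        #   5830/5831   vulnerable secure channel ALLOWED because a GPO exception lists the account
        $events = Get-WinEvent -FilterHashtable @{
            LogName = 'System'; ProviderName = 'NETLOGON'
            Id = 5827, 5828, 5829, 5830, 5831; StartTime = $lookback
        } -ErrorAction SilentlyContinue

        [pscustomobject]@{
            DomainController  = $env:COMPUTERNAME
            EnforcementMode   = ($mode -eq 1)
            VulnerableAllowed = @($events | Where-Object { $_.Id -eq 5829 }).Count
            VulnerableDenied  = @($events | Where-Object { $_.Id -in 5827, 5828 }).Count
            GpoExceptions     = @($events | Where-Object { $_.Id -in 5830, 5831 }).Count
            EventsSeen        = ($events | Measure-Object).Count
        }
    }
}

# DCs that are not enforcing, or that still allow vulnerable connections, need attention first.
$report | Sort-Object EnforcementMode, VulnerableAllowed | Format-Table -AutoSize
```

A DC with EnforcementMode false and a non-zero VulnerableAllowed count has devices that would break once enforcement is turned on, so those 5829 events are also the list of endpoints to fix before the Q1 2021 update lands.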

Read the full post on Prediction #3: Zerologon Will Continue to Haunt Us Into 2021

4. People will remember the hard way that they have Group Policy.

Group Policy is a fundamental part of security in any Microsoft ecosystem. It gives you centralized management of settings that determine what users, computers and applications can and cannot do. Admins have been using Group Policy objects (GPOs) for ages to block the use of removable media like USB drives, enforce password best practices, limit user access to the command prompt and Control Panel, disable forced system restarts, restrict software installation, and much more.

However, many organizations treat Group Policy as a ‘set it and forget it’ technology — it was configured a long time ago and since then it has gone untouched. That’s why hackers love Group Policy. They know it’s powerful, it’s in every Microsoft shop, and most of the time, it’s lying dusty in the closet where you never look, instead of featuring prominently in your security strategy.

By altering Group Policy settings, hackers can make it easy for themselves to slither around in your IT ecosystem, gain elevated access rights, and steal your data or achieve some other endgame, all while remaining unnoticed. In fact, that’s one of the things that makes the Zerologon vulnerability so dangerous: If someone uses that flaw to gain access to one of your DCs, they can change your GPOs however they please, which gives them enormous power over your entire domain. Accordingly, in 2021, organizations will become keenly aware of the need to closely control their GPOs and monitor for any improper or malicious changes to them.
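The monitoring the paragraph calls for can be started with a simple baseline-and-diff. As an added example (not from the original post), this PowerShell script snapshots every GPO’s version counters and owner, warns about anything created, changed or deleted since the saved baseline, and then pulls the Directory Service change events that attribute the edit to an account. It assumes the GroupPolicy and ActiveDirectory modules, a placeholder baseline path, and that Directory Service Changes auditing is enabled on the DCs.

```powershell
# Added example (not from the original post): flag GPOs whose version counters or owner changed
# since a saved baseline, then pull the matching Directory Service change events to see who did it.
# Assumes the GroupPolicy and ActiveDirectory modules and that "Audit Directory Service Changes"
# is enabled on the DCs (with a SACL on CN=Policies); without it, 5136/5137/5141 are never written.
Import-Module GroupPolicy, ActiveDirectory

$baselinePath = 'C:\GPO-Audit\baseline.json'   # placeholder path chosen for this example

# Every edit to a GPO increments its user or computer DSVersion; an owner change is a takeover signal.
function Get-GpoSnapshot {
    Get-GPO -All | ForEach-Object {
        [pscustomobject]@{
            Id = $_.Id.Guid; Name = $_.DisplayName; Owner = $_.Owner
            UserVer = $_.User.DSVersion; ComputerVer = $_.Computer.DSVersion
        }
    }
}

$current = Get-GpoSnapshot
if (-not (Test-Path $baselinePath)) {
    New-Item -ItemType Directory -Path (Split-Path $baselinePath) -Force | Out-Null
    $current | ConvertTo-Json | Set-Content $baselinePath
    Write-Host "Baseline written to $baselinePath; re-run later to compare."
    return
}
$baseline = @(Get-Content $baselinePath -Raw | ConvertFrom-Json)

foreach ($g in $current) {
    $b = $baseline | Where-Object { $_.Id -eq $g.Id }
    if (-not $b) { Write-Warning "$($g.Name): created since baseline"; continue }
    if ($b.UserVer -ne $g.UserVer -or $b.ComputerVer -ne $g.ComputerVer) {
        Write-Warning "$($g.Name): version $($b.UserVer)/$($b.ComputerVer) -> $($g.UserVer)/$($g.ComputerVer)"
    }
    if ($b.Owner -ne $g.Owner) { Write-Warning "$($g.Name): owner $($b.Owner) -> $($g.Owner)" }
}
$baseline | Where-Object { $_.Id -notin $current.Id } |
    ForEach-Object { Write-Warning "$($_.Name): deleted since baseline" }

# Attribution: 5136 = object modified, 5137 = created, 5141 = deleted. Query the PDC emulator,
# where GPO edits are written by default, and keep only groupPolicyContainer objects.
$pdc = (Get-ADDomain).PDCEmulator
Get-WinEvent -ComputerName $pdc -FilterHashtable @{
    LogName = 'Security'; Id = 5136, 5137, 5141; StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Class:\s+groupPolicyContainer' } |
    Select-Object TimeCreated, Id,
        @{ n = 'Actor';  e = { [regex]::Match($_.Message, 'Account Name:\s+(\S+)').Groups[1].Value } },
        @{ n = 'Object'; e = { [regex]::Match($_.Message, 'DN:\s+(\S+)').Groups[1].Value } } |
    Format-Table -AutoSize
```

Refresh the baseline only after each reported change has been reviewed, otherwise an attacker’s edit simply becomes the new normal.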

Read the full post on Prediction #4: People Will Remember the Hard Way They Have Group Policy

5. With mergers and acquisitions on the rise, more people will realize just how hard a tenant-to-tenant migration really is.

Large-scale acquisition spending came to a halt during the early part of the pandemic, but 2021 will see M&A activity accelerate, including newer entrants who were previously priced out of the M&A game.

For IT admins, M&As mean IT integrations, which typically involve Active Directory migrations and Azure AD and Microsoft 365 tenant-to-tenant migrations. Between the new companies getting in on M&As and the normal IT staff turnover at organizations with established acquisition appetites, fewer people will have experience with the stress, timelines and Transition Service Agreements of IT integrations. On top of that, more organizations have adopted Azure AD and Microsoft 365 over the past year, which means more tenant-to-tenant migrations, which even fewer people have experience with.

Tenant-to-tenant migrations are hard, and growing datasets and more complexity are only making them harder. Although Microsoft is working to fix that, organizations will be looking for ways to ensure accurate, timely tenant-to-tenant migrations.

Read the full post on Prediction #5: M&A Activity Will Prove Tenant-to-Tenant Migrations Are Hard

6. Transitional and project-based employees will increase the risk to intellectual property (IP).

Today, IP includes not just things like secret cookie recipes, which are already zealously guarded, but all sorts of valuable intel that is necessarily developed, massaged and accessed by multiple people, from strategic plans to competitive research to proprietary designs or code. Avoiding an IP leak can mean the difference between survival and collapse in these difficult times.

Unfortunately, new business realities will put IP at increased risk. As organizations seek to stay lean and adaptive, they will hire people only when needed, and rely more on short-term employees, contractors and vendors. That means more users in your IT environment who have reduced corporate loyalty and less concern about their own role in corporate security. It also means a lot more users coming in and out of your network, and more chances for over-provisioning users and failing to promptly de-provision them when they leave. Even regular full-time employees are more likely to discuss confidential information with outsiders now that they are working from home and boundaries seem fuzzier.

In short, the coming year will bring more opportunities for intellectual property to leave the organization. To reduce that risk, IT teams will need to up their game when it comes to rigorously enforcing least privilege, auditing changes and other activity, enabling easy attestation of group membership, and more.

Read the full post on Prediction #6: Short-term Employees Will Increase the Risk to IP

7. Microsoft 365 multi-geo configurations will send multi-nationals down the rabbit hole.

Microsoft rolled out multi-geo configurations in April 2020, as an add-on feature designed to help multi-national companies meet data sovereignty laws. Using Microsoft 365 multi-geo, you can specify a preferred data location (PDL) for each user that controls where their data — such as their Exchange mailbox and their OneDrive — is provisioned and stored. That way, you can ensure that a given user’s data is kept only in Microsoft’s US datacenters, only in its European datacenters, or only in its Southeast or East Asia datacenters.

However, there are simply a lot of unknowns around multi-geo, including the following:

  • How do you migrate a tenant that has the multi-geo feature turned on?
  • How do you treat someone’s data when they move to a new country or continent? If an admin changes a user’s PDL, is there an automatic process to move the user’s data? Will their email and OneDrive be unavailable? For how long? Will their colleagues be able to continue to use the SharePoint sites the user created?
  • What happens if one user creates a SharePoint site but moves on within the organization, or leaves altogether? Can you associate the site with a different user? Does that require the site to be unavailable for a period of time?
  • What about backup and recovery? How can you ensure proper backups per region? What happens if an older backup is used in a recovery scenario and PDL wasn’t turned on at the time of that backup?
  • What if you are collaborating with someone on a document that isn’t in your PDL; can you download it locally to work offline?

These and other issues will keep multi-national organizations scrambling throughout 2021 — and probably well beyond.

Read the full post on Prediction #7: M365 Multi-Geo Will Send Companies Down the Rabbit Hole

8. Increased cloud service and telco outages will drive renewed interest in bare-minimum hybrid business continuity plans.

Availability issues related to human errors or misconfigurations — like the Azure AD and Microsoft 365 outage that plagued us in September and October — and the continued remote workforce will push organizations to build out hybrid capabilities for mission-critical content in an effort to maintain business continuity.

But building digital resilience doesn’t mean simply moving everything to the cloud. Rather, it requires determining the bare minimum data required to operate without cloud access, and building an appropriate hybrid model into your digitization plans and disaster recovery plans. Most organizations in critical industries have thought this through, but other companies are behind in this area because they never had so many users working from home.

This effort will involve educating users about how to make wise (and yet legally responsible) choices about what data to sync locally so they can keep working during outages, as well as developing a corporate strategy for maintaining an on-prem Active Directory and local data stores.

Read the full post on Prediction #8: Service Outages Will Demand New Business Continuity Plans

About the Author

Jennifer LuPiba

Jennifer LuPiba is the Chair of the Quest Software Customer Advisory Board, engaging with and capturing the voice of the customer in such areas as cybersecurity, disaster recovery, management and the impact of mergers and acquisitions on Microsoft 365, Azure Active Directory and on-premises Active Directory. She also writes thought leadership articles and blogs aimed at the C-suite to evangelize the importance of these areas to their overall business. She chairs The Experts Conference, a yearly event focused on pure Active Directory and Office 365 training at the 300 and 400 level for the boots-on-the-ground Microsoft admins and managers.
