Control backup data leaks with device-based authentication
These alarming numbers are a call to attention for all IT professionals to take every possible step to protect data from accidental data losses, corruption, unauthorized access, and leaks.
Reliable and regular data backups from business endpoints have always been an essential measure to mitigate data loss. As you will see in this blog post, good backup solutions are also designed to protect themselves against data leaks.
How BluVault helps prevent data leaks
Parablu’s BluVault allows enterprises to restrict unauthorized access of backed up data by ensuring that only registered end-users have access to BluVault agent and portal, and ONLY from business devices (laptop/desktops). With support for a Device-based Authentication feature, BluVault prevents access of even authorized users, if they are coming in from an unauthorized device (like a home laptop or PC).
Enabling Device-based Authentication
The process involves the following steps:
- Get your local AD synchronized with Azure AD. There are several ways to do this. One approach we discuss here is using ADFS (Active Directory Federation Services), although there are other ways.
- Ensure your devices are Hybrid Azure AD joined. This means the corporate devices that are registered to your local Active Directory should also be registered with Azure Active Directory.
- Setting up Conditional Access (Device Based Authentication).
Setting up a link between your AD and Azure AD and configure Hybrid Azure AD joining
To do this, you need to run the Azure AD Connect wizard which sets up the link between your AD and Azure AD. This lets you configure Hybrid Azure AD joining, and also a SCP (Service Connect Point).
Note: The SCP is important for your corporate devices to be able to discover your Azure AD tenant information.
Running the Azure AD Connect wizard
1. Download the Azure AD Connect wizard from here.
2. Install the downloaded package. Refer to this link if you need help.
3. Launch Azure AD Connect, and select Configure
4. Under the Additional tasks section, select Configure device options and click Next
5. In the Connect to Azure AD tab, enter the credentials of the global administrator for your Azure AD tenant
6. In the Device options tab, select the Configure Hybrid Azure AD join option, and click Next
7. In the SCP configuration section, specify the following details for each AD forest where you want Azure AD Connect to configure the SCP, and click Next
- Select the Forest
- Select an Authentication Service
- Select Add to enter the enterprise administrator credentials
8. On the Configuration complete screen, select Exit
To test whether this is working, log in to one of your corporate AD joined devices as a domain user. The device should now also be registered as a Hybrid Azure AD joined device. You can check for this in your Azure AD console:
What to do if you do not see your device registered as a Hybrid Azure AD joined device
- Check for a few basic things like network connectivity, the SCP configuration settings, etc.
- Check in ADFS to see if the WindowsTransport endpoint is disabled.
- Try logging into Microsoft 365 or a similar cloud service and verify that Single Sign-On is functioning.
Note: In case you find that SSO is not working, there is a known issue with Google Chrome and older versions of Windows 10. Ensure you are running on Windows 10 version 1703 or above to access the application using a Google Chrome browser.
Setting up Device-Based Authentication:
To set up device-based authentication, Parablu uses Azure AD’s Conditional Access Policy. With a Conditional Access Policy, an administrator can make use of signals from conditions like risk, device platform, or location to enhance policy decisions.
Here is a screenshot that lists out details of setting up Conditional Access Policy in Azure that will only allow Hybrid Azure AD joined devices to access applications.
Note: CA policy in Azure required License Azure AD Premium P1 or Azure AD Premium P2.