Cyber insurance requirements for Active Directory

If you’ve noticed that your organization’s cyber insurance premiums have increased over the last year, you’re not alone. With evolving cyber threats, the rise in ransomware attacks, and the ubiquity of hybrid and remote workforces, insurers are responding by raising prices, tightening eligibility requirements, and reworking the scope of their coverage.

But what does this all mean for your organization? One area that insurance underwriters are scrutinizing heavily is Active Directory access control, for those still using Microsoft’s on-premises identity and access management system for authentication and access permissions. Because identity and password compromise remains one of the leading causes of cyberattacks, insurers want more detail about privileged account use and visibility, offboarding processes, and authentication policies.

Here’s a look at why cyber insurance rates are on the rise, and what your organization needs to be eligible.

The demand for cyber insurance

There are several factors behind the increased premiums for cyber insurance, many of which had been building for years but were accelerated by pandemic-related trends. First is the rise of remote work. Virtual employee setups mean more devices and more networks within any given organization, which makes remote organizations more exposed to cyber-attacks.

The pandemic was also a driving factor behind the issues faced by the supply chain industry, which was particularly vulnerable to cyber-attacks and breaches. As a result of these breaches, there was a demand for more coverage, specifically in the event of a ransomware attack.

As cybersecurity becomes more critical and complex, cyber insurance rates will continue to rise as insurers price in the cost of full coverage. But there are policies and security measures your company can put into practice to reduce the premium you are quoted.

Eligibility requirements and Active Directory

Insurance providers favor companies that can demonstrate the reliability of their security controls over those that are more likely to incur massive financial losses. When applying for cyber insurance coverage, it is standard to describe the current security measures your company has in place, typically in the form of a self-audit questionnaire. This helps the insurer assess the risks that may be involved when providing coverage.

Some of the security policies and practices insurers may look for include endpoint detection and response, multi-factor authentication, end-user training, vulnerability management, and more. Every cyber insurance policy may have different requirements to meet eligibility, or may assess different risks to determine the rate. In general, these are elements that most cybersecurity programs should have in place.

For organizations using Active Directory, here’s what you need to prepare if you are considering cyber insurance, or updating your existing coverage. 

Privileged access management and privileged account use

Cyber liability insurers are asking more pointed questions about how privileged access management is handled in the organization’s Active Directory infrastructure, including who has access to privileged accounts and how much visibility IT has into their use. In addition, they want to see processes in place to audit these accounts. In some cases, you may be considered high-risk if you have more than 5 domain admin accounts. Typical questions include:

  • What is the number of user accounts in the Domain Administrators group, including service accounts?
  • Do you require system administrators to have unique privileged credentials for administrative tasks, separate from their user credentials for everyday access?
  • Do privileged accounts (including domain administrators) require multifactor authentication?
  • Do you have stronger password policies for your domain admin accounts than regular users?
  • Do you have stronger password policies for your service accounts than regular users?
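The questions above can be answered from your own directory before you fill in the questionnaire. The following PowerShell script is an added example, not Specops’ or the article’s code; it assumes the RSAT ActiveDirectory module is installed, that a Domain Admin member with a servicePrincipalName counts as a service account, and uses the threshold of 5 admin accounts that the article cites.

```powershell
# Added example: enumerate Domain Admins (nested groups expanded), flag service
# accounts, and show which password policy actually applies to each member.
Import-Module ActiveDirectory

$Threshold     = 5   # figure cited in the article; adjust to your insurer's form
$DefaultPolicy = Get-ADDefaultDomainPasswordPolicy

# -Recursive counts accounts that reach Domain Admins through nested groups too
$Members = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties ServicePrincipalName, PasswordNeverExpires,
        PasswordNotRequired, LastLogonDate, Enabled

$Report = foreach ($u in $Members) {
    # A resultant fine-grained policy means a stronger policy can apply to this
    # account; $null means it only gets the default domain password policy.
    $fgpp = Get-ADUserResultantPasswordPolicy -Identity $u
    [pscustomobject]@{
        SamAccountName       = $u.SamAccountName
        Enabled              = $u.Enabled
        # Assumption: an SPN on a Domain Admin member marks it as a service account
        IsServiceAccount     = [bool]$u.ServicePrincipalName
        PasswordNeverExpires = $u.PasswordNeverExpires
        PasswordNotRequired  = $u.PasswordNotRequired
        LastLogonDate        = $u.LastLogonDate
        MinPasswordLength    = if ($fgpp) { $fgpp.MinPasswordLength } else { $DefaultPolicy.MinPasswordLength }
        PasswordPolicy       = if ($fgpp) { $fgpp.Name } else { '(default domain policy)' }
    }
}

$Report | Format-Table -AutoSize

$count = @($Report | Where-Object Enabled).Count
"Enabled Domain Admins, including nested and service accounts: $count"
if ($count -gt $Threshold) {
    Write-Warning "More than $Threshold domain admin accounts; insurers may rate this high-risk."
}

$svc = @($Report | Where-Object IsServiceAccount)
if ($svc.Count -gt 0) {
    Write-Warning "Service accounts holding Domain Admin: $($svc.SamAccountName -join ', ')"
}

# Members whose effective policy is only the default domain policy cannot be
# described as having a 'stronger' admin password policy on the questionnaire
$Report | Where-Object { $_.PasswordPolicy -eq '(default domain policy)' } |
    Select-Object SamAccountName, MinPasswordLength
```

Run it as an account allowed to read group membership and password-settings objects; repeat with Enterprise Admins and the built-in Administrators group if the questionnaire asks about those too.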

Offboarding processes for terminated employees

Does the organization have an offboarding process in place for handling terminated employees? Stale accounts left in Active Directory pose a tremendous threat, and some insurance providers may consider your organization high-risk if offboarding doesn’t happen within 24 hours. In the now infamous Colonial Pipeline attack, attackers used stale VPN credentials to gain access to the internal network. Having the visibility and tools to discover stale Active Directory credentials is essential, along with an offboarding process that ensures stale accounts are handled correctly.

  • What is your target time to offboard users?
  • Is the offboarding process automated?

Authentication requirements

Authentication and password security are critical both for general Active Directory security and for Active Directory-specific attacks such as Kerberoasting. Suppose an attacker can initially infiltrate the network and compromise a low-level account. They can then use Kerberoasting and other attacks to compromise higher-level accounts, such as service accounts associated with a service principal name. Most service accounts are not secured with multi-factor authentication because they are tied to critical services running in the environment.
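A single audit can cover both the stale accounts that offboarding misses and the SPN-bearing service accounts that Kerberoasting targets. The script below is an added example, not Specops’ or the article’s code; it assumes the RSAT ActiveDirectory module, and the 90-day inactivity and 365-day password-age windows are assumptions to tune to your own policy.

```powershell
# Added example: report enabled accounts that look stale, and service accounts
# with SPNs whose passwords are old or that still permit RC4 ticket encryption.
Import-Module ActiveDirectory

$StaleDays  = 90     # assumption: inactivity window for 'stale'
$SvcPwdDays = 365    # assumption: maximum acceptable service-account password age
$Now        = Get-Date

# 1) Stale accounts. LastLogonDate is derived from lastLogonTimestamp, which is
#    replicated with up to ~14 days of lag, so treat it as a screening value.
#    The WhenCreated check keeps brand-new hires out of the 'never logged on' set.
$Stale = Get-ADUser -Filter { Enabled -eq $true } `
           -Properties LastLogonDate, WhenCreated, PasswordLastSet |
    Where-Object {
        (-not $_.LastLogonDate -or $_.LastLogonDate -lt $Now.AddDays(-$StaleDays)) -and
        $_.WhenCreated -lt $Now.AddDays(-30)
    } |
    Select-Object SamAccountName, LastLogonDate, WhenCreated, PasswordLastSet

# 2) Accounts with a servicePrincipalName. Report password age, whether the
#    account is restricted to AES, and privileged group membership, so the
#    riskiest ones can be rotated or migrated to a gMSA first.
$Svc = Get-ADUser -Filter { ServicePrincipalName -like '*' -and Enabled -eq $true } `
         -Properties ServicePrincipalName, PasswordLastSet, MemberOf, 'msDS-SupportedEncryptionTypes' |
    ForEach-Object {
        # msDS-SupportedEncryptionTypes bits: 0x1|0x2 DES, 0x4 RC4, 0x8 AES128, 0x10 AES256.
        # An unset attribute means domain defaults apply, which often still allow RC4.
        $enc = [int]$_.'msDS-SupportedEncryptionTypes'
        [pscustomobject]@{
            SamAccountName   = $_.SamAccountName
            PasswordAgeDays  = if ($_.PasswordLastSet) { [int]($Now - $_.PasswordLastSet).TotalDays } else { $null }
            AesOnly          = (($enc -band 0x18) -ne 0) -and (($enc -band 0x7) -eq 0)
            PrivilegedGroups = @($_.MemberOf | Where-Object { $_ -match '^CN=(Domain Admins|Enterprise Admins|Administrators),' }) -join ';'
            SPNs             = $_.ServicePrincipalName -join ';'
        }
    }

"Stale enabled accounts (no logon in $StaleDays days): $(@($Stale).Count)"
$Stale | Sort-Object LastLogonDate | Format-Table -AutoSize

"Service accounts with SPNs needing attention (password older than $SvcPwdDays days, RC4 allowed, or privileged):"
$Svc | Where-Object { $_.PasswordAgeDays -gt $SvcPwdDays -or -not $_.AesOnly -or $_.PrivilegedGroups } |
    Sort-Object PasswordAgeDays -Descending | Format-Table -AutoSize
```

Disable rather than delete stale accounts on the first pass so that any that turn out to be in use can be restored without recreating them.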

Remote access

Authentication requirements for employees who access the corporate network remotely are another consideration. It is important to note that Active Directory Domain Services has no native multi-factor authentication built in. As multi-factor authentication has become a requirement for a strong cybersecurity posture, organizations with on-premises Active Directory user accounts will need to consider how to implement it effectively.

  • Does your policy require multifactor authentication for all employee remote access to corporate resources?
  • Does your policy require multifactor authentication for all other remote access to corporate resources (vendors and contractors)?

Active Directory best practices

In addition to the above, insurance providers may also look for these best practices when evaluating your Active Directory security posture:

  • Patching and OS updates for domain controllers: Are domain controllers kept up to date with the latest security patches and updates to address known vulnerabilities?
  • Monitoring and auditing: Are monitoring and auditing mechanisms used to track user activity and detect unauthorized access attempts or suspicious behavior?
  • Encryption: Is encryption used to protect data transmitted between Active Directory components, and to protect sensitive data stored in Active Directory?
  • Cyber awareness training: Does your business provide ongoing cyber awareness training to employees, and is the scope/frequency of the training adequate?

How Specops can help

One of the challenges with native Active Directory is the lack of visibility into password security risks. Blind spots in Active Directory can lead to compromise, even with multi-factor authentication. While MFA makes it more challenging for attackers to compromise accounts, it does not make it impossible. With additional security layers, like the NIST-recommended breached-password check, organizations can strengthen their authentication posture.

In situations where stolen or breached passwords can be used to target an entire organization, increased cybersecurity measures around password protection can make the difference between a secure digital environment and a costly recovery. Raising awareness of breached passwords is key, and can be done with the free Specops Password Auditor tool, which identifies accounts using compromised passwords.

[Figure: Specops Password Auditor 7.5 main reporting screen]

Specops Password Auditor also provides visibility into admin accounts, stale accounts, delegable admins, and other dangers in Active Directory. You can quickly scan your Active Directory environment to discover account and password-related vulnerabilities. Many of the capabilities provided by Specops Password Auditor help organizations meet the account auditing requirements of cyber insurance while strengthening the password posture of the environment.

A strong password policy is just one way to keep your organization’s data secure from cyber threats, and eligible for cyber insurance. As cybercrime continues to evolve and grow in complexity, your cybersecurity policies and solutions must evolve with them.

(Last updated on April 17, 2023)


Written by

Darren James

Darren James is a Senior Product Manager at Specops Software, an Outpost24 company. Darren is a seasoned cybersecurity professional with more than 20 years of experience in the IT industry. He has worked as a consultant across various organizations and sectors, including central and local governments, retail and energy. His areas of specialization include identity and access management, Active Directory, and Azure AD. Darren has been with Specops Software for more than 12 years and brings his expertise to the support and development of world-class password security and authentication solutions. 
