Security on Azure – Identity and Access Management (IAM)

Introduction

One of the most critical parts of Cloud Computing is access. Many different identities, devices or services want to gain access to your apps and data for daily business or services you provide to your customers.

Azure delivers the advantage of being able to access resources whenever and from wherever you want. But every advantage has a downside, as Yoda would say: “When you look at the dark side, careful you must be. For the dark side looks back.”

This new availability of resources leads to a shift in security conditions and triggers the need for a complex Identity and Access Management.

Force of Identity and Access Management on Azure

Managing identities describes the process of authenticating, authorizing and controlling different entities. In this context entities are called Security Principals, which can include services, applications, users, groups, etc.

Azure Active Directory (Azure AD) is the key point of Identity and Access Management and provides a variety of security benefits:

  • Holistic User Management
  • SSO access to applications
  • Role Based Access Control (RBAC)
  • Conditional Access
  • Multi Factor Authentication (on-premises and cloud)
  • Security monitoring and reporting
passwordhash

– Source: Microsoft

Best Practices – Balance of the Force

Corresponding to on-premises infrastructures, the security measures must be chosen wisely and match the security requirements. The aim is to identify use-cases and the right scope to achieve a balance between security and usability.

Here are some highly recommended best practices:

Identities are the (new) primary security perimeter

The first recommendation describes a general change in the classical approach, that the network is the first line of defense. When Cloud Computing is in use, Network Perimeter’s defense cannot be as effective as in the past. The usage of BYOD devices, cloud applications and other services leads to spongier network perimeters.

Security concepts and controls must be built around user and service identities. Azure AD provides the possibilities to do so:

– Source: Own representation

Multi Factor Authentication

The first operational task which should be done, is to protect privileged accounts with Multi Factor Authentication (MFA). You could be compromised while you are reading this blog!

Attackers who get control of an administrator account can do massive damage to the environment. Ultimately, MFA should be mandatory for all users.

– Source: Microsoft

Usage of a strong password management

The usage of password policies is an old element of security concepts. You have to make sure that passwords are strong and you have to protect them. Azure AD password protection is the way to go in order to prevent the abuse of self-service password resets.

Conditional Access

As in on-premises environments, used devices must meet security and compliance standards. Azure AD Conditional Access ensures that only devices which meet those standards can access resources.

Check how a resource is accessed and build up a Conditional Access Policy to reach an automated and controlled access, based on conditions. For example, block older/legacy authentication protocols to avoid an exploitation.

– Source: Microsoft

Use roles and grant access with role based access control (RBAC)

Create groups or individual roles to control access and avoid security risks. Restrict access and actions based on the need to know and least privileged security principles with RBAC. RBAC provides segregation of duties by assigning permissions to users, groups and applications at a certain scope.

Avoid giving everybody unrestricted permissions and only allow necessary actions!

– Source: Microsoft

Visibility

Without visibility, the detection of suspicious behaviour or activities is impossible. Identities must be monitored methodically to identify threats. With Azure AD you can monitor things such as suspicious IP addresses, user logins from multiple locations, Brute Force Attacks, etc.

Additional to the monitoring of identities, an alerting is mandatory.

A new hope

In the universe of Cloud Computing, on-premises security concepts and technologies became obsolete. At first sight, the changes and new challenges seem stressful and overwhelming. People must be trained and a new mindset must be reached. With these Best Practices, you are prepared to manage the challenges and to perform your first steps to secure the new first line of defense. Microsoft Azure provides a great toolset to reach your goal to protect and manage your identities!

Keep calm and use the force of identity and access management!

Dominic-Iselt-rund

Dominic Iselt

IT – Security Engineer

Scheer GmbH
Uni Campus Nord
66123 Saarbrücken
Germany

T+49 681 96777 738
Contact

About the author

As a security engineer at Scheer GmbH I work in the Managed Services division of the company. I am responsible for the secure operation of the infrastructure including its strategic development in respect of security organisation and technologies.

My extensive experience gained from working in security related projects and the running of workshops plays a major role in my work. My focus lies in the tasks of developing and implementing security concepts. In this context, I concentrate on cloud security as well as the adherence to and implementation of compliance requirements in the cloud. .