One of the most critical parts of Cloud Computing is access. Many different identities, devices or services want to gain access to your apps and data for daily business or services you provide to your customers.
Azure delivers the advantage of being able to access resources whenever and from wherever you want. But every advantage has a downside, as Yoda would say: “When you look at the dark side, careful you must be. For the dark side looks back.”
This new availability of resources leads to a shift in security conditions and triggers the need for a complex Identity and Access Management.
Managing identities describes the process of authenticating, authorizing and controlling different entities. In this context entities are called Security Principals, which can include services, applications, users, groups, etc.
Azure Active Directory (Azure AD) is the key point of Identity and Access Management and provides a variety of security benefits:
Corresponding to on-premises infrastructures, the security measures must be chosen wisely and match the security requirements. The aim is to identify use-cases and the right scope to achieve a balance between security and usability.
Here are some highly recommended best practices:
Identities are the (new) primary security perimeter
The first recommendation describes a general change in the classical approach, that the network is the first line of defense. When Cloud Computing is in use, Network Perimeter’s defense cannot be as effective as in the past. The usage of BYOD devices, cloud applications and other services leads to spongier network perimeters.
Security concepts and controls must be built around user and service identities. Azure AD provides the possibilities to do so:
The first operational task which should be done, is to protect privileged accounts with Multi Factor Authentication (MFA). You could be compromised while you are reading this blog!
Attackers who get control of an administrator account can do massive damage to the environment. Ultimately, MFA should be mandatory for all users.
The usage of password policies is an old element of security concepts. You have to make sure that passwords are strong and you have to protect them. Azure AD password protection is the way to go in order to prevent the abuse of self-service password resets.
As in on-premises environments, used devices must meet security and compliance standards. Azure AD Conditional Access ensures that only devices which meet those standards can access resources.
Check how a resource is accessed and build up a Conditional Access Policy to reach an automated and controlled access, based on conditions. For example, block older/legacy authentication protocols to avoid an exploitation.
Create groups or individual roles to control access and avoid security risks. Restrict access and actions based on the need to know and least privileged security principles with RBAC. RBAC provides segregation of duties by assigning permissions to users, groups and applications at a certain scope.
Avoid giving everybody unrestricted permissions and only allow necessary actions!
Without visibility, the detection of suspicious behaviour or activities is impossible. Identities must be monitored methodically to identify threats. With Azure AD you can monitor things such as suspicious IP addresses, user logins from multiple locations, Brute Force Attacks, etc.
Additional to the monitoring of identities, an alerting is mandatory.
In the universe of Cloud Computing, on-premises security concepts and technologies became obsolete. At first sight, the changes and new challenges seem stressful and overwhelming. People must be trained and a new mindset must be reached. With these Best Practices, you are prepared to manage the challenges and to perform your first steps to secure the new first line of defense. Microsoft Azure provides a great toolset to reach your goal to protect and manage your identities!
Keep calm and use the force of identity and access management!
Author: Dominic Iselt, IT Security Engineering Expert
Daniel SchillingerExpert Cloud Operations
© 2023 Scheer GmbH
Wir nutzen Cookies auf unserer Website. Einige von ihnen sind technisch notwendig, während andere uns helfen, diese Website zu verbessern oder zusätzliche Funktionalitäten zur Verfügung zu stellen.
Notwendige Cookies ermöglichen grundlegende Funktionen und sind für die einwandfreie Funktion der Website erforderlich.
Statistik-Cookies sammeln aggregierte Informationen darüber, wie die Website genutzt wird. Diese anonymen Informationen werden unternehmensintern verwendet um die Funktionalität, Attraktivität und den Inhalt der Website zu verbessern.
Marketing Cookies stammen von Drittanbietern, diese sammeln Informationen, um zielgruppenorientierte Inhalte auszuspielen.
Um Inhalte von Videoplattformen und Social Media Plattformen anzeigen zu können, werden von diesen externen Medien Cookies gesetzt.