One of the most critical parts of Cloud Computing is access. Many different identities, devices or services want to gain access to your apps and data for daily business or services you provide to your customers.
Azure delivers the advantage of being able to access resources whenever and from wherever you want. But every advantage has a downside, as Yoda would say: “When you look at the dark side, careful you must be. For the dark side looks back.”
This new availability of resources leads to a shift in security conditions and triggers the need for a complex Identity and Access Management.
Force of Identity and Access Management on Azure
Managing identities describes the process of authenticating, authorizing and controlling different entities. In this context entities are called Security Principals, which can include services, applications, users, groups, etc.
Azure Active Directory (Azure AD) is the key point of Identity and Access Management and provides a variety of security benefits:
- Holistic User Management
- SSO access to applications
- Role Based Access Control (RBAC)
- Conditional Access
- Multi Factor Authentication (on-premises and cloud)
- Security monitoring and reporting
Best Practices – Balance of the Force
Corresponding to on-premises infrastructures, the security measures must be chosen wisely and match the security requirements. The aim is to identify use-cases and the right scope to achieve a balance between security and usability.
Here are some highly recommended best practices:
Identities are the (new) primary security perimeter
The first recommendation describes a general change in the classical approach, that the network is the first line of defense. When Cloud Computing is in use, Network Perimeter’s defense cannot be as effective as in the past. The usage of BYOD devices, cloud applications and other services leads to spongier network perimeters.
Security concepts and controls must be built around user and service identities. Azure AD provides the possibilities to do so:
Multi Factor Authentication
The first operational task which should be done, is to protect privileged accounts with Multi Factor Authentication (MFA). You could be compromised while you are reading this blog!
Attackers who get control of an administrator account can do massive damage to the environment. Ultimately, MFA should be mandatory for all users.
Usage of a strong password management
The usage of password policies is an old element of security concepts. You have to make sure that passwords are strong and you have to protect them. Azure AD password protection is the way to go in order to prevent the abuse of self-service password resets.
As in on-premises environments, used devices must meet security and compliance standards. Azure AD Conditional Access ensures that only devices which meet those standards can access resources.
Check how a resource is accessed and build up a Conditional Access Policy to reach an automated and controlled access, based on conditions. For example, block older/legacy authentication protocols to avoid an exploitation.
Use roles and grant access with role based access control (RBAC)
Create groups or individual roles to control access and avoid security risks. Restrict access and actions based on the need to know and least privileged security principles with RBAC. RBAC provides segregation of duties by assigning permissions to users, groups and applications at a certain scope.
Avoid giving everybody unrestricted permissions and only allow necessary actions!
Without visibility, the detection of suspicious behaviour or activities is impossible. Identities must be monitored methodically to identify threats. With Azure AD you can monitor things such as suspicious IP addresses, user logins from multiple locations, Brute Force Attacks, etc.
Additional to the monitoring of identities, an alerting is mandatory.
A new hope
In the universe of Cloud Computing, on-premises security concepts and technologies became obsolete. At first sight, the changes and new challenges seem stressful and overwhelming. People must be trained and a new mindset must be reached. With these Best Practices, you are prepared to manage the challenges and to perform your first steps to secure the new first line of defense. Microsoft Azure provides a great toolset to reach your goal to protect and manage your identities!
Keep calm and use the force of identity and access management!
Author: Dominic Iselt, IT Security Engineering Expert