In this article by Jochen Nickel from the book, Mastering Identity and Access Management with Microsoft Azure, we will first start with a business view to identify the important business needs and challenges of a cloud-only environment and scenario. Throughout thisarticle, we will also discuss the main features of and licensing information for such an approach. Finally,we will round up with the challenges surroundingsecurity and legal requirements.
The topics we will cover in this articleare as follows:
- Identifying the business needs and challenges
- An overview of feature and licensing decisions
- Defining the benefits and costs
- Principles of security and legal requirements
(For more resources related to this topic, see here.)
Identifying business needs and challenges
Oh! Don’t worry, we don’t have the intention of boring you with a lesson of typical IAM stories – we’re sure you’ve been in touch with a lot of information in this area. However, you do need to have an independentview of the actual business needs and challenges in the cloud area, so that you can get the most out of your own situation.
Common Identity and Access Management needs
Identity and Access Management(IAM) is the disciplinethat plays an important role in the actual cloud era of your organization. It’s also of valueto smalland medium-sizedcompanies, so that they can enable the right individuals to access the right resources from any location and device, at the right time and for the right reasons, to empower and enable the desired business outcomes. IAM addresses the mission-critical need of ensuringappropriate and secure access to resources inside and across company borders,such as cloud or partner applications.
The old security strategy of only securing your environment with an intelligent firewall concept and access control lists will take on a more and more subordinated role. There is arecommended requirement of reviewing and overworking this strategyin order to meet higher compliance and operational and business requirements. To adopt a mature security and risk management practice, it’s very important that your IAMIAM strategy is business-aligned and that the required business skills and stakeholders are committed to this topic. Without clearly defined business processes you can’t implement a successful IAM-functionality in the planned timeframe. Companies that follow this strategy can become more agile in supporting new business initiatives and reduce their costs inIAM.
The following three groups show the typicalindicators for missing IAM capabilities on the premises and for cloud services:
- Your employees/partners:
- Same password usage across multiple applications without periodic changes (also in social media accounts)
- Multiple identities and logins
- Passwords are written downinSticky Notes, Excel, etc.
- Application and data access allowed after termination
- Forgotten usernames and passwords
- Poor usability of application access inside and outside the company (multiple logins, VPN connection required, incompatible devices, etc.)
- Your IT department:
- High workload on Password Reset Support
- Missing automated identity lifecycles with integrity (data duplication and data quality problems)
- No insights in application usage and security
- Missing reporting tools for compliance management
- Complex integration of central access to Software as a Service (SaaS), Partner and On-Premise applications (missing central access/authentication/authorization platform)
- No policy enforcement in cloud services usage
- Collection of access rights(missing processes)
- Your developers:
- Limited knowledge ofall the different security standards, protocols, and APIs
- Constantly changing requirements and rapid developments
- Complex changes of the Identity Provider
Implications of Shadow IT
On top of that, often the ITdepartment will hear the following question:When can we expect the new application for our business unit?Sorry, but the answer will always take too long. Why should I wait? All I need is a valid credit card that allows me to buy my required business application, butsuddenly another popular phenomenon pops up:The shadow IT!. Most of the time, this introduces another problem— uncontrolled information leakage. The following figure shows the flow of typical information — and that what you don’t know can hurt!
The previous figure should not give you the impression that cloud services are inherently dangerous, rather that before using them you should first be aware that,[R1] and in which manner they are being used. Simplymigrating or ordering a new service in the cloud won’t solve common IAMneeds. This figure should help you to imagine that, if not planned, the introduction of a new or migrated service brings with it a new identity and credential set for the users, and therefore multiple credentials and logins to remember! You should also be sure which information can be stored and processed in aregulatory area other than your own organization. The following table shows the responsibilities involved when using the different cloud service models. In particular, you should identify thatyou are responsible for data classification, IAM, and endpoint security in every model:
|
Cloud Service Modell |
IaaS |
|
PaaS |
|
SaaS |
|
|
Responsibility |
Customer |
Provider |
Customer |
Provider |
Customer |
Provider |
|
Data Classification |
X |
|
X |
|
X |
|
|
End Point Security |
X |
|
X |
|
X |
|
|
Identity and Access Management |
X |
|
X |
X |
X |
X |
|
Application Security |
X |
|
X |
X |
|
X |
|
Network Controls |
X |
|
X |
X |
|
X |
|
Host Security |
|
X |
|
X |
|
X |
|
Physical Security |
|
X |
|
X |
|
X |
The mobile workforce and cloud-first strategy
Many organizations are facing the challengeof meeting the expectations of a mobile workforce, all with their own device preferences, a mix of private and professional commitments, and the request to use social media as an additional way of business communication.
Let’s dive into a short, practical but extreme example. The AzureID company employs approximately 80 employees. They work with a SaaS landscape of eight services to drive all their business processes. On the premises, they use Network-Attached Storage(NAS) to store some corporate data and provide network printers to all of the employees. Some of the printers are directly attached to the C-level of the company. The main issues today are that the employees need to remember all their usernames and passwords of all the business applications, and if they want to share some information with partners they cannot give them partial access to the necessary information in a secure and flexible way. Another point is if they want to access corporate data from their mobile device, it’s always a burden to provide every single login for the applications necessary to fulfil their job. The small IT department with oneFull-time Equivalent(FTE) is overloaded with having to create and manage every identity in each different service. In addition, users forget their passwords periodically, and most of the time outside normal business hours. The following figure shows the actual infrastructure:
Let’s analyze this extreme example to revealsome typical problems,so that you can match some ideas to your IT infrastructure:
- Provisioning, managing,and de-provisioning identities can be a time-consuming task
- There are no single identity and credentials for the employees
- There is no collaboration support for partner and consumer communication
- There is no Self-Service Password Reset functionality
- Sensitive information leaves the corporation over email
- There are no usage or security reports about the accessed applications/services
- There is no central way to enable multi-factor authentication for sensitive applications
- There is no secure strategy for accessing social media
- There is no usable, secure,and central remote access portal
Remember, shifting applications and services to the cloud just introduces more implications/challenges, not solutions. First of all, you need your IAM functionality accurately in place.You also need to alwayshandle on-premises resourceswith minimal printer management.
An overview of feature and licensing decisions
With the cloud-first strategy of Microsoft, the Azure platform and their number of services grow constantly, and we have seen a lot of costumers lost in a paradise of wonderful services and functionality. This brings usto the point of how to figure out the relevant services for IAMfor you and how to give them the space for explanation. Obviously, there are more services available that stripe this field [R2] with a small subset of functionality, but due to the limited page count of this book and our need for rapid development we will focus on the most important ones, and will reference any other interesting content. The primary service for IAMis the Azure Active Directory service, which has also been the core directory service for Office 365 since 2011. Every other SaaS offering of Microsoft is also based on this core service, including Microsoft Intune, Dynamics, and Visual Studio Online. So, if you are already an Office 365 customer you willhave your own instance of Azure Active Directory in place. For sustained access management and the protection of your information assets, the Azure Rights Management services are in place. There is also an option for Office 365 customers to use the included Azure Rights Management services. You can find further information about this by visiting the following link:http://bit.ly/1KrXUxz. Let’s get started with the feature sets that can provide a solution, as shown in the following screenshot:
Including Azure Active Directory and Rights Managementhelps you to provide a secure solution with a central access portal for all of your applications with just one identity and login for your employees, partners, and customers that you want to share your information with. With a few clicks you can also add multi-factor authentication to your sensitive applications and administrative accounts. Furthermore, you can directly add a Self-Service Password Reset functionality that your users can use to reset their passwordfor themselves. As the administrator, you will receive predefined security and usage reports to control your complete application ecosystem. To protect your sensible content, you will receive digital rights management capabilities with the Azure Rights Management services to give you granular access rights on every device your information is used.
Doesn’t it sound great? Let’s take a deeper look into the functionality and usage of the different Microsoft Azure IAMservices.
Azure Active Directory
Azure Active Directory is a fully managed multi-tenant service that provides IAMcapabilities as a service. This service is not just an instance of theWindows Server Domain Controller you already know from your actual Active Directory infrastructure. Azure AD is not a replacement for the Windows Server Active Directory either. If you already use a local Active Directory infrastructure, you can extend it to the cloud by integrating Azure AD to authenticate your users in the same way ason-premise and cloud services.
Staying in the business view, we want to discuss some of the main features of Azure Active Directory. Firstly, we want to start with the Access panel that gives the user a central place to access all his applications from any device and any location with single-sign-on.
The combination of the Azure Active Directory Access panel and the Windows Server 2012 R2/2016 Web Application Proxy / ADFS capabilities provide an efficient way to securely publish web applications and services to your employees, partners, and customers. It will be a good replacement for your retired Forefront TMG/UAG infrastructure.
Over this portal,your users can do the following:
- User and group management
- Access their business relevant applications(On-premise, partner, and SaaS) with single-sign-on or single logon
- Delegation of access control to the data, process, or project owner
- Self-service profile editing for correcting or adding information
- Self-service password change and reset
- Management of registered devices
With the Self-Service Password Reset functionality, a user gets a straight forward way to reset his password and to prove his identity, for example through a phone call, email, or by answering security questions.
The different portals can be customized with your own Corporate Identity branding. To try the different portals, just use the following links: https://myapps.microsoft.com and https://passwordreset.microsoftonline.com.
To complete our short introduction to the main features of the Azure Active Directory, we will take a look at the reporting capabilities. With this feature you get predefined reports with the following information provided. With viewing and acting on these reports, you are able to control your whole application ecosystem published over the Azure AD access panel.
- Anomaly reports
- Integrated application reports
- Error reports
- User-specific reports
- Activity logs
From our discussions with customers we recognize that, a lot of time, the differences between the different Azure Active Directory editions are unclear. For that reason, we will include and explain the feature tables provided by Microsoft. We will start with the common features and then go through the premium features of Azure Active Directory.
Common features
First of all, we want to discuss the Access panel portal so we can clear up some open questions. With the Azure AD Free and Basic editions, you can provide a maximum of 10 applications to every user. However, this doesn’t mean that you are limited to 10 applications in total. Next, the portal link: right now it cannot be changed to your own company-owned domain, such ashttps://myapps.inovit.ch. The only way you can do so is by providing an aliasin your DNS configuration; the accessed link is https://myapps.microsoft.com. Company branding will lead us on to the next discussion point, where we are often asked how much corporate identity branding is possible. The following link provides you with all the necessary information for branding your solution:http://bit.ly/1Jjf2nw. Rounding up this short Q&Aon the different feature sets isApplication Proxy usage, one of the important differentiators between the Azure AD Free and Basic editions. The short answer is that with Azure AD Free, you cannot publish on-premises applications and services over the Azure AD Access Panel portal.
|
Features |
AAD Free |
AAD Basic |
AAD Premium |
|
Directory as a Service (objects) |
500k |
unlimited |
unlimited |
|
User/Group management (UI or PowerShell) |
X |
X |
X |
|
Access Panel portal for SSO (per user) |
10 apps |
10 apps |
unlimited |
|
User-based application access management/provisioning |
X |
X |
X |
|
Self-service password change (cloud users) |
X |
X |
X |
|
Directory synchronization tool |
X |
X |
X |
|
Standard security reports |
X |
X |
X |
|
High availability SLA (99.9%) |
|
X |
X |
|
Group-based application access management and provisioning |
|
X |
X |
|
Company branding |
|
X |
X |
|
Self-service password reset for cloud users |
|
X |
X |
|
Application Proxy |
|
X |
X |
|
Self-service group management for cloud users |
|
X |
X |
Premium features
The Azure Active Directory Premium edition provides you with the entireIAMcapabilities, including the usage licenses of the on-premises used Microsoft Identity Manager. From a technical perspective, you need to use the Azure AD Connect utility to connect your on-premises Active Directory with the cloud and the Microsoft Identity Manager to manage your on-premises identities and prepare them for your cloud integration. To acquire Azure AD Premium, you can also use the Enterprise Mobility Suite(EMS) bundle, which contains Azure AD Premium, Azure Rights Management, Microsoft Intune,and Advanced Threat Analytics(ATA) licensing. You can find more information about EMS by visitinghttp://bit.ly/1cJLPcM and http://bit.ly/29rupF4.
|
Features
|
|
|
Azure AD Premium |
|
Self-service password reset with on-premiseswrite-back |
|
|
X |
|
Microsoft Identity Manager server licenses |
|
|
X |
|
Advanced anomaly security reports |
|
|
X |
|
Advanced usage reporting |
|
|
X |
|
Multi-Factor Authentication (cloud users) |
|
|
X |
|
Multi-Factor Authentication (on-premises users) |
|
|
X |
Azure AD Premium reference:
http://bit.ly/1gyDRoN
Multi-Factor Authentication for cloud users is also included in Office 365. The main difference is that you cannot use it for on-premises users and services such as VPN or web servers.
Azure Active Directory Business to Business
One of the newest features based on Azure Active Directory is the new Business to Business(B2B) capability. The new product solves the problem of collaboration between business partners. It allows users to share business applications between partners without going through inter-company federation relationships and internally-managed partner identities. With Azure AD B2B, you can create cross-company relationships by inviting and authorizing users from partner companies to access your resources. With this process,each company federates once with Azure AD and each user is then represented by a single Azure AD account. This option also provides a higher security level, because if a user leaves the partner organization,access is automatically disallowed. Inside Azure AD, the user will be handled as though a guest, and they will not be able to traverse other users in the directory. Real permissions will be provided over the correct associated group membership.
Azure Active Directory Business to Consumer
Azure Active Directory Business to Consumer(B2C) is another brand new feature based on Azure Active Directory. This functionality supports signing in to your application using social networks like Facebook, Google, or LinkedIn and creating accounts with usernames and passwords specifically for your company-owned application. Self-service password management and profile management are also provided with this scenario. Additionally, Multi-Factor Authentication introduces a higher grade of security to the solution. Principally, this feature allows small and medium companies to hold their customers in a separated Azure Active Directory with all the capabilities, and more,in a similar way to the corporate-managed Azure Active Directory. With different verification options, you are also able to provide the necessary identity assurance required for more sensible transactions.
Azure Active Directory Privileged Identity Management
Azure AD Privileged Identity Management provides you the functionality to manage, control, and monitor your privileged identities. With this option, you can build up an RBAC solution over your Azure AD and other Microsoft online services, such as Office 365 or Microsoft Intune. The following activities can be reached with this functionality:
- You can discover the actual configured Azure AD Administrators
- You can providejust in time administrative access
- You can get reports about administrator access history and assignment changes
- You can receive alerts about access to a privileged role
The following built-in roles can be managed with the current version:
- Global Administrator
- Billing Administrator
- Service Administrator
- User Administrator
- Password Administrator
Azure Multi-Factor Authentication
Protecting sensible information or application access with additional authentication is an important task not just in the on-premises world. In particular, it needs to be extended to every used sensible cloud service. There are a lot of variations for providing this level of security and additional authentication, such ascertificates, smart cards, or biometric options. For example, smart cards have a dependency on special hardware used to read the smart card and cannot be used in every scenario without limiting the access to a special device or hardware or. The following table gives you an overview of different attacks and how they can be mitigated with a well designed and implemented security solution.
|
Attacker |
Security solution |
|
Password brute force |
Strong password policies |
|
Shoulder surfing Key or screen logging |
One-time password solution |
|
Phishing or pharming |
Server authentication (HTTPS) |
|
Man-in-the-Middle Whaling (Social engineering) |
Two-factor authentication Certificate or one-time password solution |
|
Certificate authority corruption Cross Channel Attacks (CSRF) |
Transaction signature and verification Non repudiation |
|
Man-in-the-Browser Key loggers |
Secure PIN entry Secure messaging Browser (read only) Push button (token) Three-factor authentication |
The Azure Multi-Factor Authentication functionality has been included in the Azure Active Directory Premium capabilities to address exactly the attacks described in the previous table. With a one-time password solution, you can build a very capable security solution to access information or applications from devices that cannot use smart cards as the additional authentication method. Otherwise, for small or medium business organizations a smart card deployment, including the appropriate management solution will, be too cost-intensive and the Azure MFA solution can be a good alternative for reaching the expected higher security level.
In discussions with our customers, we recognized that a lot don’t realize that Azure MFA is already included in different Office 365 plans. They would be able to protect their Office 365 with multi-factor out-of-the-box but they don’t know it! This brings us to Microsoft and the following table, which compares the functionality between Office 365 and Azure MFA.
|
Feature |
O365 |
Azure |
|
Administrators can enable/enforce MFA to end-users |
X |
X |
|
Use mobile app (online and OTP) as second authentication factor |
X |
X |
|
Use phone call as second authentication factor |
X |
X |
|
Use SMS as second authentication factor |
X |
X |
|
App passwords for non-browser clients (for example, Outlook, Lync) |
X |
X |
|
Default Microsoft greetings during authentication phone calls |
X |
X |
|
Remember Me |
X |
X |
|
IP Whitelist |
|
X |
|
Custom greetings during authentication phone calls |
|
X |
|
Fraud alert |
|
X |
|
Event confirmation |
|
X |
|
Security reports |
|
X |
|
Block/unblock users |
|
X |
|
One-time bypass |
|
X |
|
Customizable caller ID for authentication phone calls |
|
X |
|
MFA Server – MFA for on-premises applications |
|
X |
|
MFA SDK – MFA for custom apps |
|
X |
With the Office 365 capabilities of MFA, the administrators are able to use basic functionality to protect their sensible information. In particular,if integrating on-premises users and services, the Azure MFA solution is needed.
Azure MFA and the on-premises installation of the MFA server cannot be used to protect your Windows Server DirectAccess implementation. Furthermore, you will find the customizable caller ID limited to special regions.
Azure Rights Management
More and more organizations are in the position to provide a continuous and integrated information protection solution to protect sensible assets and information. On one side stands the department, which carries out its business activities, generates the data, and then processes. Furthermore, it uses the data inside and outside the functional areas, passes it, and runs a lively exchange of information.
On the other hand, revision is requiredby legal requirements that prescribe measures to ensure that information is dealt with and dangers such as industrial espionage and data loss are avoided. So,thisis a big concern when safeguarding sensitive information.
While the staff appreciate the many ways of communication and data exchange, this development starts stressing the IT security officers and makes the managers worried. The fear is that critical corporate data staysin an uncontrolled manner and leaves the company or moves to competitors. The routes are varied, but data is often lost ininadvertent delivery via email. In addition, sensitive data can leave the company on a USB stick and smartphone, or IT media can be lost or stolen. In addition, new risks are added, such as employees posting information on social media platforms.IT must ensure the protection of data in all phases, and traditional IT security solutions are not always sufficient. The following figure illustrates this situation and leads us to the Azure Rights Management services.
Like itsother additional features, the base functional is included in different Office 365 plans. The main difference between the two is that only the Azure RMS edition can be integrated in an on-premises file server environment in order to be able to use the File Classification Infrastructure feature of the Windows Server file server role.
The Azure RMS capability allows you to protect your sensitive information based on classification information with a granular access control system. The following table provided from Microsoft shows the differences between the Office 365 and Azure RMS functionality.Azure RMS is included with E3, E4, A3, and A4 plans.
|
Feature |
RMS O365 |
RMS Azure |
|
Users can create and consume protected content by using Windows clients and Office applications |
X |
X |
|
Users can create and consume protected content by using mobile devices |
X |
X |
|
Integrates with Exchange Online, SharePoint Online, and OneDrive for Business |
X |
X |
|
Integrates with Exchange Server 2013/Exchange Server 2010 and SharePoint Server 2013/SharePoint Server 2010 on-premises via the RMS connector |
X |
X |
|
Administrators can create departmental templates |
X |
X |
|
Organizations can create and manage their own RMS tenant key in a hardware security module (the Bring Your Own Key solution) |
X |
X |
|
Supports non-Office file formats: Text and image files are natively protected; other files are generically protected |
X |
X |
|
RMS SDK for all platforms: Windows, Windows Phone, iOS, Mac OSX, and Android |
X |
X |
|
Integrates with Windows file servers for automatic protection with FCI via the RMS connector |
|
X |
|
Users can track usage of their documents |
|
X |
|
Users can revoke access to their documents |
|
X |
In particular, the tracking feature helps users to find where their documents are distributed and allows them to revoke access to a single protected document.
Microsoft Azure security services in combination
Now that we have discussed the relevant Microsoft Azure IAMcapabilities, you can see that Microsoft provides more than just single features or subsets of functionality. Furthermore, it brings a whole solution to the market, which provides functionality for every facet of IAM. Microsoft Azure also combines clear service management with IAM, making it a rich solution for your organization. You can work with that toolset in a native cloud-first scenario, hybrid, and a complex hybrid scenario and can extend your solution to every possible use case or environment. The following figure illustrates all the different topics that are covered with Microsoft Azure security solutions:
Defining the benefits and costs
The Microsoft Azure IAMcapabilities help you to empower your users with a flexible and rich solution that enables better business outcomes in a more productive way. You help your organization to improve the regulatory compliance overall and reduce the information security risk. Additionally, it can be possible to reduce IT operating and development costs by providing higher operating efficiencyand transparency. Last but not least,it will lead toimproved user satisfaction and better support from the business for further investments.
The following toolset gives you very good instruments for calculatingthe costs of your special environment.
- Azure Active Directory Pricing Calculator:http://bit.ly/1fspdhz
- Enterprise Mobility Suite Pricing:http://bit.ly/1V42RSk
- Microsoft Azure Pricing Calculator:http://bit.ly/1JojUfA
Principles of security and legal requirements
The classification of data, such as business information or personal data, is not only necessary for an on-premises infrastructure. It is a basis for the assurance of business-related information and is represented by compliance with official regulations. These requirements are ofgreater significance when using cloud services or solutions outside your own company and regulation borders. They are clearly needed for a controlled shift of data in an area in which responsibilities on contracts must be regulated. Safety limits do not stop at the private cloud, and are responsible for the technical and organizational implementation and control of security settings.
The subsequent objectives are as follows:
- Construction, extension, or adaptation of the data classification to the Cloud Integration
- Data classification as a basis for encryption or isolated security silos
- Data classification as a basis for authentication and authorization
Microsoft itself has strict controls that restrict access to Azure to Microsoft employees. Microsoft also enables customers to control access to their Azure environments, data, and applications, as well as allowing them to penetrate and audit services with special auditors and regulations on request.
A statement from Microsoft: Customers will only use cloud providers in which they have great trust. They must trust that the privacy of their information will be protected, and that their data will be used in a way that is consistent with their expectations.We build privacy protections into Azure through Privacy by Design.
You can get all the necessary information about security, compliance, and privacy by visiting the following link http://bit.ly/1uJTLAT.
Summary
Now that you are fully clued up with information about typical needs and challenges andfeature and licensing information, you should be able to apply the right technology and licensing model to your cloud-only scenario. You should also be aware of the benefits and cost calculators that will help you calculate a basic price model for your required services. Furthermore, you canalso decide which security and legal requirements are relevant for your cloud-only environments.
Resources for Article:
Further resources on this subject:
- Creating Multitenant Applications in Azure [article]
- Building A Recommendation System with Azure [article]
- Installing and Configuring Windows Azure Pack [article]