What To Secure?
The initial step is the definition of "Areas of Interest".
Before we can talk about the tools and services to be utilized, it's crucial to know which resources we are talking about. There are two reasons for this step:
• Each area needs a different set of tools, and
• Multiple teams / departments are involved
There are five Areas of Interest:
• Users
• Devices
• Network
• Applications
• Data
Users
It's all about identity and its verification. Microsoft Azure natively offers several tools and services to protect user accounts, verify user identity, safeguard credentials, and detect malicious login attempts. It is important to make sure that the right person has the right access to the right resources for the right duration.
Identity Governance gives you the ability to manage these configurations, and it covers three lifecycles:
Azure AD Premium can be coupled with HR applications such as Workday and SuccessFactors for automated maintenance of user IDs in both AD DS and Azure AD.
Microsoft Identity Manager can be used to synchronize ID records from HCM systems such as PeopleSoft or SAP HCM.
Azure AD B2B enables you to share the company's applications and services with guest users and/or external users from other organizations.
Azure AD Entitlement Management lets you select which users (internal and/or external) are allowed to request access to applications and resources. The access can be set up with an expiration date!
Dynamic group membership reduces the administrative overhead of adding users to and removing them from a security group. If any attribute of a user or device changes, Azure AD re-evaluates the group memberships and triggers the necessary group adds or removes.
Azure AD Access Review helps you manage group memberships, application access, and role assignments effectively. Access assignments can be reviewed on a regular basis in an automated procedure, and unnecessary access permissions can be removed easily by the resource owner.
Azure AD Entitlement Management also lets you create access packages containing users/user groups, application roles, and SharePoint Online roles.
Azure AD Privileged Identity Management (PIM) provides additional controls to secure access permissions across Azure resources, Azure AD, and other Microsoft Online Services.
Just-In-Time (JIT) access grants elevated permissions for a certain amount of time. When this time has expired, the elevated permissions are removed automatically, so administrators do not need elevated permissions constantly.
Multi-Factor Authentication (MFA) adds another layer of security for obtaining elevated permissions and relies on three factors: something you are, something you know, and something you have.
Azure AD Conditional Access is a policy-driven access control that collects signals to make decisions (grant or deny access) and enforces organizational policies. Common signals are: user or group membership, IP location information, device, application, real-time and calculated risk detection, and Microsoft Defender for Cloud Apps.
Please note that the services above may not be a complete list of all available services at a given time. You may also want to consider third-party solutions if they are a better fit for your environment!
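The dynamic group membership and Conditional Access signals described above, put together as an added example (not code from the original article). It assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph module) with a signed-in session; the group name, policy names, department value and break-glass account id are placeholders.

```powershell
# Added example, not from the original article. Assumes the Microsoft Graph
# PowerShell SDK with a signed-in session; names and ids are placeholders.
Connect-MgGraph -Scopes "Group.ReadWrite.All","Policy.ReadWrite.ConditionalAccess"

# 1) Dynamic security group: Azure AD re-evaluates membership whenever a
#    user's department or accountEnabled attribute changes (no manual adds).
$group = New-MgGroup -DisplayName "SG-Finance-Dynamic" `
    -MailEnabled:$false -MailNickname "sg-finance-dynamic" -SecurityEnabled `
    -GroupTypes @("DynamicMembership") `
    -MembershipRule '(user.department -eq "Finance") and (user.accountEnabled -eq true)' `
    -MembershipRuleProcessingState "On"

$breakGlass = @("<break-glass-account-object-id>")   # placeholder, always excluded

# 2) Policy built from the signals above: group membership plus location
#    decide the grant control. Created in report-only state first so the
#    sign-in logs can be reviewed before the state is switched to "enabled".
$requireMfa = @{
    displayName   = "CA-Finance-RequireMFA-OutsideTrustedLocations"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeGroups = @($group.Id); excludeUsers = $breakGlass }
        applications   = @{ includeApplications = @("All") }
        locations      = @{ includeLocations = @("All"); excludeLocations = @("AllTrusted") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $requireMfa | Out-Null

# 3) Second policy: the real-time / calculated risk signal. High sign-in risk
#    for the same group is blocked outright, regardless of location.
$blockHighRisk = @{
    displayName   = "CA-Finance-BlockHighSignInRisk"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users            = @{ includeGroups = @($group.Id); excludeUsers = $breakGlass }
        applications     = @{ includeApplications = @("All") }
        signInRiskLevels = @("high")
        clientAppTypes   = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $blockHighRisk | Out-Null

# Check: both policies exist and are still in report-only mode.
Get-MgIdentityConditionalAccessPolicy |
    Where-Object DisplayName -like "CA-Finance-*" |
    Select-Object DisplayName, State
```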
Devices
Similar to user, group, or application identities, a device identity object encompasses a specific set of attributes, which can be utilized for making access or configuration decisions. There are three common scenarios for creating and managing a device identity:
The first scenario is about the use of end users' own devices (BYOD). An end user is able to use his or her own device to access the company's resources. These devices have an Azure AD account, but end users need their own credentials (a local device account or a Microsoft account) to sign in on their own devices.
Mobile device management tools such as Microsoft Intune or a third-party tool can be utilized to enforce the company's policies.
Some key characteristics are:
Device ownership: user or company; SSO to cloud resources; Conditional Access via app protection policy and when enrolled into Intune.
The second scenario lets you join devices directly to Azure AD, and it requires an organizational user account for signing in to the device. Access to resources is controlled based on the Azure AD account and the Conditional Access policies applied to devices. These devices are also able to authenticate to on-premises resources such as file and print servers or applications.
Some key characteristics are:
Device ownership: company; SSO to both cloud and on-premises resources. Active Directory Group Policies are not supported on Azure AD joined devices.
In the third scenario, with an existing on-premises AD DS, you can still benefit from Azure AD functionality. In this case, devices are domain-joined and registered with your Azure AD. These devices require periodic connectivity to your on-premises domain controller, otherwise they become unusable. Users need an organizational user account to sign in to the device.
Some key characteristics are:
Device ownership: company; SSO to both cloud and on-premises resources; device management via Group Policies and Microsoft Intune.
Network
Network security is about protecting resources from unauthorized access, as well as using services that allow only legitimate network traffic.
There is a wide array of security tools and capabilities available on Azure, and I'd like to give an overview of some of the topics to be considered.
Service Endpoints allow you to secure Azure service resources so that they can be reached only from your virtual networks. They also allow you to use private IP addresses without needing a public IP address on your vNet. Service Endpoints are generally available for several Azure services such as Azure Storage, Azure SQL Database, Azure Key Vault, Azure Service Bus, and a few more (for a complete list of services and regions, please refer to the Microsoft Azure documentation).
Service Endpoint Policies can also be utilized for more granular access control to Azure Storage when connecting over Service Endpoints. They allow you to filter egress vNet traffic, and thereby limit data exfiltration, to only selected Azure Storage accounts.
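The Service Endpoint plus Service Endpoint Policy combination just described, as an added example (not code from the original article). It assumes the Az PowerShell module with a signed-in session; the resource group, region, vNet, subnet and storage account names are placeholders for your own environment.

```powershell
# Added example, not from the original article. Assumes the Az PowerShell
# module with a signed-in session; all names below are placeholders.
$rg       = "rg-example"
$location = "westeurope"
$vnetName = "vnet-example"
$subnet   = "snet-app"

# The single storage account this subnet may reach over the service endpoint.
$storage = Get-AzStorageAccount -ResourceGroupName $rg -Name "stexampleallowed"

# Policy definition: Microsoft.Storage egress is allowed to this account only.
# Without the policy, a service endpoint alone lets the subnet reach any
# storage account in the region, so exfiltration to a foreign account stays open.
$definition = New-AzServiceEndpointPolicyDefinition -Name "allow-only-stexampleallowed" `
    -Description "Egress to the approved storage account only" `
    -Service "Microsoft.Storage" -ServiceResource $storage.Id

$sepolicy = New-AzServiceEndpointPolicy -ResourceGroupName $rg -Name "sep-storage-egress" `
    -Location $location -ServiceEndpointPolicyDefinition $definition

# Attach the Microsoft.Storage endpoint and the policy to the subnet.
$vnet      = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
$subnetCfg = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnet
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnet `
    -AddressPrefix $subnetCfg.AddressPrefix `
    -ServiceEndpoint "Microsoft.Storage" -ServiceEndpointPolicy $sepolicy | Out-Null
$vnet = $vnet | Set-AzVirtualNetwork

# Ingress side: the storage account firewall denies everything by default and
# admits only this subnet, so the account is not reachable from the Internet.
$subnetId = (Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnet).Id
Update-AzStorageAccountNetworkRuleSet -ResourceGroupName $rg -Name $storage.StorageAccountName `
    -DefaultAction Deny | Out-Null
Add-AzStorageAccountNetworkRule -ResourceGroupName $rg -Name $storage.StorageAccountName `
    -VirtualNetworkResourceId $subnetId | Out-Null

# Check: the subnet now carries the endpoint and the policy.
Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnet |
    Select-Object Name,
        @{ n = "Endpoints"; e = { $_.ServiceEndpoints.Service } },
        @{ n = "Policies";  e = { $_.ServiceEndpointPolicies.Id } }
```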
– Azure Private Link
– Network Security Group (NSG)
– Azure Firewall