There are 5 Areas of Interest:

Users
Devices
Network
Applications
Data
Users

It's all about identity and its verification. Microsoft Azure natively offers several tools and services to protect user accounts, ensure user identity, safeguard credentials, and detect malicious login attempts. It is important to make sure that the right person has the right access to the right resources for the right time duration.
Identity Governance gives you the ability to manage these configurations, and it contains 3 lifecycles:

Identity LifeCycle

Azure AD Premium can be coupled with HR applications such as Workday and SuccessFactors for automated maintenance of user IDs in both AD DS and Azure AD.

Microsoft Identity Manager can be used to synchronize ID records from HCM systems such as PeopleSoft or SAP HCM.

Azure AD B2B enables you to share the company's applications/services with guest users and/or external users from other organizations.

Azure AD Entitlement Management enables you to select which users (internal and/or external) are allowed to request access to applications and resources. The access can be set up with an expiration date!

Access LifeCycle

Dynamic group membership reduces the administrative overhead of adding and removing users to/from a security group. If any attribute of a user or device changes, the group memberships are re-evaluated and the necessary group adds or removes are triggered.
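To make the re-evaluation concrete, here is an added example (not Azure's own engine, nor code from this post) that evaluates a membership rule written in a subset of the dynamic group rule syntax (the -eq, -ne, -startsWith and -contains operators joined by and/or) over constructed user objects, and reports which members an attribute change would add or remove:

```python
import re

# Constructed sample user objects, not real tenant data. A dynamic membership
# rule refers to these attributes as "user.<attribute>".
USERS = [
    {"id": "u1", "department": "Finance", "accountEnabled": True, "jobTitle": "Analyst"},
    {"id": "u2", "department": "Finance", "accountEnabled": False, "jobTitle": "Manager"},
    {"id": "u3", "department": "IT", "accountEnabled": True, "jobTitle": "Finance Liaison"},
]

# One parenthesised clause: (user.attr -op "text") or (user.attr -eq true)
CLAUSE = re.compile(
    r'\(\s*user\.(\w+)\s+-(eq|ne|startsWith|contains)\s+(?:"([^"]*)"|(true|false))\s*\)')

def _clause_holds(user, attr, op, text, boolean):
    actual = user.get(attr)
    expected = text if text is not None else (boolean == "true")
    if op == "eq":
        return actual == expected
    if op == "ne":
        return actual != expected
    if op == "startsWith":
        return isinstance(actual, str) and actual.startswith(expected)
    return isinstance(actual, str) and expected in actual  # -contains

def rule_matches(rule, user):
    """Evaluate clauses joined by 'and' / 'or'; 'and' binds tighter than 'or'."""
    folded = CLAUSE.sub(lambda m: "1" if _clause_holds(user, *m.groups()) else "0", rule)
    # Only 1/0 literals and the keywords remain, so quoted values cannot confuse the split.
    return any(all(term.strip() == "1" for term in conj.split(" and "))
               for conj in folded.split(" or "))

def members(rule, users):
    """Current members of the dynamic group for this rule."""
    return [u["id"] for u in users if rule_matches(rule, u)]

def membership_delta(rule, users, user_id, attr, value):
    """Apply one attribute change and return (added, removed) member ids,
    i.e. the adds/removes the directory would trigger on re-evaluation."""
    before = set(members(rule, users))
    changed = [dict(u, **{attr: value}) if u["id"] == user_id else u for u in users]
    after = set(members(rule, changed))
    return sorted(after - before), sorted(before - after)

RULE = ('(user.department -eq "Finance") and (user.accountEnabled -eq true) '
        'or (user.jobTitle -contains "Finance")')
```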

Azure AD Access Review helps you manage group memberships, application access, and role assignments effectively. Access assignments can be reviewed on a regular basis as an automated procedure. Unnecessary access permissions can be removed easily by the resource owner.

Azure AD Entitlement Management also enables you to create access packages containing users/user groups, application roles, and SharePoint Online roles.

Privileged Access LifeCycle

Azure AD Privileged Identity Management (PIM) provides additional controls to secure access permissions across resources, Azure AD, and other Microsoft Online Services.

Just-In-Time Access (JIT) grants elevated permissions for a certain amount of time. When this time has expired, the elevated permissions are automatically removed. Administrators don't need elevated permissions constantly.

Multi-Factor Authentication (MFA) adds another layer of security for obtaining elevated permissions and involves 3 factors: something you are, something you know, and something you have.

Azure AD Conditional Access is policy-driven access control that collects signals to make decisions (grant or deny access) and enforce organizational policies. Common signals are: user or group membership, IP location information, device, application, real-time and calculated risk detection, and Microsoft Defender for Cloud Apps.
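As an added example (not from this post and not the Azure evaluation engine), the following defines two policies in the shape of the Microsoft Graph conditionalAccessPolicy resource and runs a simplified evaluator over constructed sign-in signals (user/group, application, trusted location, sign-in risk), showing how a block policy wins and how the MFA control is required only outside trusted locations. The group and break-glass ids are placeholders.

```python
# Policies in the shape of the Microsoft Graph conditionalAccessPolicy resource
# (the body you POST to /identity/conditionalAccess/policies). The ids below are
# constructed placeholders, not real object ids.
FINANCE_GROUP = "11111111-1111-1111-1111-111111111111"
BREAK_GLASS = "22222222-2222-2222-2222-222222222222"  # emergency-access account, excluded

POLICIES = [
    {"displayName": "Block high-risk sign-ins", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": [BREAK_GLASS]},
                    "applications": {"includeApplications": ["All"]},
                    "signInRiskLevels": ["high"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Require MFA for Finance outside trusted locations", "state": "enabled",
     "conditions": {"users": {"includeGroups": [FINANCE_GROUP], "excludeUsers": [BREAK_GLASS]},
                    "applications": {"includeApplications": ["All"]},
                    "locations": {"includeLocations": ["All"], "excludeLocations": ["AllTrusted"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
]

def _in_scope(policy, s):
    """Simplified signal matching: user/group, application, location, sign-in risk."""
    c = policy["conditions"]
    users = c["users"]
    if s["user"] in users.get("excludeUsers", []):
        return False
    in_users = ("All" in users.get("includeUsers", []) or s["user"] in users.get("includeUsers", [])
                or bool(set(s["groups"]) & set(users.get("includeGroups", []))))
    apps = c["applications"]["includeApplications"]
    in_app = "All" in apps or s["app"] in apps
    loc = c.get("locations", {})  # no location condition means every location is in scope
    in_loc = not (s["trusted_location"] and "AllTrusted" in loc.get("excludeLocations", []))
    in_risk = "signInRiskLevels" not in c or s["risk"] in c["signInRiskLevels"]
    return in_users and in_app and in_loc and in_risk

def evaluate(signin, policies=POLICIES):
    """Combine every enabled, in-scope policy: any 'block' wins; otherwise the
    union of required controls (e.g. ['mfa']) must be satisfied before access."""
    required, blockers = set(), []
    for p in policies:
        if p["state"] != "enabled" or not _in_scope(p, signin):
            continue
        controls = p["grantControls"]["builtInControls"]
        if "block" in controls:
            blockers.append(p["displayName"])
        else:
            required.update(controls)
    return ("block", blockers) if blockers else ("grant", sorted(required))

# Constructed sign-in signals, as Conditional Access would collect them at sign-in time.
FINANCE_USER_OFFICE = {"user": "alice", "groups": [FINANCE_GROUP], "app": "Office365",
                       "trusted_location": True, "risk": "low"}
```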

Please note that the services above may not be a complete list of all available services at a given time. You may also want to consider third-party solutions if they are a better fit for your environment!

Devices

Similar to user, group, or application identities, a device identity object encompasses a specific set of attributes. These can be used for making access or configuration decisions. There are three common scenarios for creating and managing a device identity:

Azure AD Registration

It's about using end users' own devices (BYOD). An end user is able to use his/her own device to access the company's resources. These kinds of devices have an Azure AD account, but end users need their own credentials (a device local account or a Microsoft account) to sign in to their own devices.

Mobile Device Management tools such as Microsoft Intune or a third-party tool can be used to enforce the company's policies.

Some key characteristics are:
Device ownership: user or company; SSO to cloud resources; Conditional Access via app protection policy and when enrolled into Intune.

Azure AD Joined

It allows you to join devices directly to Azure AD, and it requires an organizational user account to sign in to the device. Access control to resources is based on the Azure AD account and the Conditional Access policies applied to devices. These devices are able to authenticate to on-prem resources such as file and print servers or applications.

Some key characteristics are:
Device ownership: company; SSO to both cloud and on-prem resources. Active Directory Group Policies are not supported on Azure AD joined devices.

Hybrid Azure AD Joined Devices

If you have an existing on-prem AD DS, you can benefit from Azure AD functionality. In this case, devices are domain-joined and registered with your Azure AD. These kinds of devices require a periodic connection to your on-prem domain controller, otherwise they become unusable. Users need an organizational user account to sign in to the device.

Some key characteristics are:
Device ownership: company; SSO to both cloud and on-prem resources; device management via Group Policies or Microsoft Intune.

Network

Network security is about protecting resources from unauthorized access, as well as using services that allow only legitimate network traffic.
There is a wide array of security tools and capabilities available on Azure, and I'd like to give an overview of some of the topics to be considered.

Azure Networking

Service Endpoints allow you to secure Azure service resources so that they can be reached only from your virtual networks. They also allow you to use private IP addresses without needing a public IP address on your vNet. Service Endpoints are generally available for several Azure services such as Azure Storage, Azure SQL Database, Azure Key Vault, Azure Service Bus and a few more (for a complete list of services and regions please refer to the Microsoft Azure documentation).
Service Endpoint Policies can also be used for more granular access control to Azure Storage when connecting over Service Endpoints. They allow you to filter egress vNet traffic, and thereby limit data exfiltration, to only selected Azure Storage Accounts.
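The three settings have to line up for a Service Endpoint to actually restrict anything: the subnet must carry the Microsoft.Storage endpoint, the storage account's network rules must default to Deny and reference that subnet, and an endpoint policy limits egress to chosen accounts. As an added example (not from this post), this audit walks constructed ARM-style fragments and reports where one of those pieces is missing; the subscription id is a placeholder and the endpoint policy is inlined into the subnet for brevity (in a real deployment the subnet references a separate policy resource).

```python
# Constructed ARM-style resource fragments, not a real subscription. Property names
# follow the Azure schema: subnet.serviceEndpoints / serviceEndpointPolicies and
# storageAccount.networkRuleSet (defaultAction, virtualNetworkRules).
SUB = "00000000-0000-0000-0000-000000000000"  # placeholder subscription id

def subnet_id(vnet, name):
    return (f"/subscriptions/{SUB}/resourceGroups/rg/providers/Microsoft.Network"
            f"/virtualNetworks/{vnet}/subnets/{name}")

FINANCE_SA = (f"/subscriptions/{SUB}/resourceGroups/rg/providers/Microsoft.Storage"
              "/storageAccounts/stfinance")

SUBNETS = {
    subnet_id("vnet1", "app"): {
        "serviceEndpoints": [{"service": "Microsoft.Storage"}],
        # Endpoint policy (inlined here): egress over the endpoint limited to listed accounts.
        "serviceEndpointPolicies": [{"serviceEndpointPolicyDefinitions": [
            {"service": "Microsoft.Storage", "serviceResources": [FINANCE_SA]}]}]},
    subnet_id("vnet1", "batch"): {"serviceEndpoints": [{"service": "Microsoft.Storage"}],
                                  "serviceEndpointPolicies": []},
    subnet_id("vnet1", "legacy"): {"serviceEndpoints": [], "serviceEndpointPolicies": []},
}
STORAGE_ACCOUNTS = [
    {"name": "stfinance", "networkRuleSet": {"defaultAction": "Deny",
        "virtualNetworkRules": [{"id": subnet_id("vnet1", "app")}]}},
    {"name": "stlogs", "networkRuleSet": {"defaultAction": "Allow", "virtualNetworkRules": []}},
    {"name": "stlegacy", "networkRuleSet": {"defaultAction": "Deny",
        "virtualNetworkRules": [{"id": subnet_id("vnet1", "legacy")}]}},
]

def has_storage_endpoint(subnet):
    return any(e["service"] == "Microsoft.Storage" for e in subnet["serviceEndpoints"])

def audit(storage_accounts, subnets):
    """Return (resource, issue) pairs where the service endpoint setup is incomplete."""
    findings = []
    for sa in storage_accounts:
        rules = sa["networkRuleSet"]
        if rules["defaultAction"] != "Deny":
            findings.append((sa["name"], "defaultAction Allow: vNet rules restrict nothing"))
        for rule in rules["virtualNetworkRules"]:
            subnet = subnets.get(rule["id"])
            if subnet is None or not has_storage_endpoint(subnet):
                findings.append((sa["name"], f"vNet rule subnet {rule['id'].rsplit('/', 1)[-1]} "
                                             "has no Microsoft.Storage service endpoint"))
    for sid, subnet in subnets.items():
        if has_storage_endpoint(subnet) and not subnet["serviceEndpointPolicies"]:
            findings.append((sid.rsplit("/", 1)[-1], "Storage endpoint without endpoint policy: "
                                                     "egress to any storage account is allowed"))
    return findings
```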

– Azure Private Link
– Network Security Group (NSG)
– Azure Firewall

Network Access Control
Azure Firewall
Secure Remote Access and Cross Connectivity
Availability
Name Resolution (DNS)
DMZ
Azure DDoS
Azure Front Door / Traffic Manager

Applications
Data
