Introduction

More than 10 years ago, at the Professional Developers Conference (PDC) October 2008 in Los Angeles, Microsoft officially launched its Azure cloud platform. Back at the time, it was called Windows Azure and people were kind of sceptic on how these new cloud services from Microsoft would turn out. Especially when people started talking about IT security. The cloud in general had a big trust issue to cope with at that time.

However over the years, Azure and other cloud platforms as well have developed and new features are constantly added or changed. Currently there are over 600+ (I stopped counting overtime) services and features contained within Azure.

A full details of all services can be found here: https://azure.microsoft.com/en-us/services/

However, this article is not set up, just to talk about all the features in Azure. This article has been written in order to give some guidance in the security landscape within Azure. Even in the security landscape within Azure, allot of changes are going on. Allot of new features are added in a rapid pace. Sometimes, these are just too hard to follow. For me as a security consultant/architect, it is vital to know the capabilities there are within Azure and match them against business requirements. And I do know, for allot of IT consultants and administrators out there as well, things might also become too much and confusing.

To give some guidance in the security offerings out there, one should first understand that there are categorizations out there for each of the Microsoft security assets. 

Now some solutions may not fit within one category and will span multiple categories. However these will serve as guidelines for easy reference. The security categories can be split up into the following categories:

·        Identity & Access management, Governance & Auditing

·        Datacenter & Infrastructure (Management) related security

·        Endpoint device Security

·        Data Security

·        Application Security

Now because there are allot of features out there, I will split up these categories into several articles. Like the title says, this article will go deeper into the Identity & Access management, governance and auditing options. Why identities first? Because it is the new control mechanism for most things you will be doing in the cloud. View identities as the key you use to open the lock with, or your passport when you are traveling abroad.

Now, I will have to start off with a disappointment. This article, will not be talking about how to implement all of these features. However what this article is more about, is to gain insight in to the features and what they can/can’t do for your organization. In addition, also some best practices are given on these features.

Identity and access management features, tools & best practices

 Azure Identity Protection

As quoted by Microsoft: “The vast majority of security breaches take place when attackers gain access to an environment by stealing a user’s identity. Over the years, attackers have become increasingly effective in leveraging third-party breaches and using sophisticated phishing attacks. As soon as an attacker gains access to even low privileged user accounts, it is relatively easy for them to gain access to important company resources through lateral movement.”

Azure Identity Protection (AIP) is built and designed to help you out here. It will provide you with monitoring to gain insights in how secure your identities really are. But this features is just more than a monitoring tool. It also provides you with risk based policies, that you can configure to automatically take action. For example if a user’s credentials have been compromised, you can configure policies to automatically reset the password of the user.

Basically this tools provides the following features:

·        Detecting vulnerabilities and risky accounts

·        Investigation on risk events

·        Risk-based Conditional Access policies

Conditional Access

With Conditional Access, you can implement automated access control decisions for accessing your cloud apps that are based on conditions. Sounds confusing? This is nothing more than a statement like: If This Then That.

This option will allow you to customize access to your cloud apps, based on the conditions you define and are matched against your business.

For example, lets take remote workers from their home office. There are allot of security concerns with remote access. For example you wouldn’t know if their connection is secure or that somebody else is using the device of a user (For example family of an employee). To make the connection more secure, you could make a policy that states, if a user works from any non-corporate owned network/ip-address, they would have to authenticate using MFA.

Now you can make these policies very complex or as simple as you like. But just to get you started, here are some best practices: https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/best-practices

Geen alternatieve tekst opgegeven voor deze afbeelding

Access Review

Azure Active Directory (Azure AD) access reviews enable organizations to efficiently manage group memberships, access to enterprise applications, and role assignments. User’s access can be reviewed on a regular basis to make sure only the right people have continued access.

Access review helps organizations keep track of their users and their permissions within the environment. Over time, people in an organization, switch roles or switch departments. Often what is forgotten, is that they still have allot of the permissions of their old job role. This could cause a possible security threat, especially in certain industries. In for example financial industries, a strict separation of duties is required.

Basically, you set up policies that defined when you should conduct your access review. A report is then sent to the reviewer, which in turn reviews if access still is required to a certain resource. The reviewer can then approve or revoke the access.

Now when is the best time to use this tool? I have listed a few of these points you can use to determine if Access Review is the right tool for you:

·        Too many users in privileged roles

·        When automation is infeasible or to costly

·        When a group is used for a new purpose

·        Business critical data access

·        Ask group owners to confirm they still need guests in their groups

·        Reviews/audits that recur periodically

·        Quickly changing companies, with allot of job hopping/promotions

Geen alternatieve tekst opgegeven voor deze afbeelding

Privileged Identity Management

Azure Active Directory (Azure AD) Privileged Identity Management (PIM) is a service that enables you to manage, control, and monitor access to important resources in your organization. This includes access to resources in Azure AD, Azure resources, and other Microsoft Online Services like Office 365 or Microsoft Intune.

IM essentially helps you manage the who, what, when, where, and why for resources that you care about. Here are some of the key features of PIM:

·        Provide just-in-time privileged access to Azure AD and Azure resources

·        Assign time-bound access to resources using start and end dates

·        Require approval to activate privileged roles

·        Enforce multi-factor authentication to activate any role

·        Use justification to understand why users activate

·        Get notifications when privileged roles are activated

·        Conduct access reviews to ensure users still need roles

·        Download audit history for internal or external audit

Entitlement management

Employees in organizations need access to various groups, applications, and sites to perform their job. Managing this access is challenging. In most cases, there is no organized list of all the resources a user needs for a project. The project manager has a good understanding of the resources needed, the individuals involved, and how long the project will last. However, the project manager typically does not have permissions to approve or grant access to others. This scenario gets more complicated when you try to work with external individuals or companies.

Azure Active Directory (Azure AD) entitlement management can help you manage access to groups, applications, and SharePoint Online sites for internal users and also users outside your organization.

Here are some of capabilities of entitlement management:

 ·        Create packages of related resources that users can request

·        Define rules for how to request resources and when access expires

·        Govern the lifecycle of access for both internal and external users

·        Delegate management of resources

·        Designate approvers to approve requests

·        Create reports to track history

Subscription/RBAC Roles

Azure RBAC is an authorization system built on Azure Resource Manager that provides fine-grained access management to Azure resources, such as compute and storage. Azure RBAC includes over 70 built-in roles. There are four fundamental RBAC roles.

These roles are:

·        Owner

·        Contributor

·        Reader

·        User Access Management

The rest of the built-in roles allow management of specific Azure resources. For example, the Virtual Machine Contributor role allows the user to create and manage virtual machines. For a full overview of these roles I would like to refer to the following link: https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles

In addition it is also possible to create custom roles as well. Over-time you might find that the built-in roles aren’t granular enough for your organization. Now to keep this article limited in size, here is also a link in what custom roles are and how you can configure them. https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles

Multi-factor Authentication

Multi-factor authentication (MFA) is nothing short of using two or more authentication factors when trying to authenticate. Compromising multiple authentication factors presents a significant challenge for attackers. Even if an attacker manages to learn the user’s password, it is useless without also having possession of the additional authentication method. It works by requiring two or more of the following authentication methods:

·        Something you know (typically a password)

·        Something you have (a trusted device that is not easily duplicated, like a phone)

·        Something you are (biometrics)

Azure MFA supports the following options:

·        Password

·        Security questions (only for self-service password reset)

·        E-mail address (only for self-service password reset)

·        Microsoft Authentication App

·        App password

·        OAUTH Hardware tokens

·        Phone call

·        SMS/Text

Password-less authentication

IT security is currently undergoing a massive change, where passwords are considered as a relic of the past. The costs now outweigh the benefits of using passwords, which increasingly become predictable. Even the strongest passwords are now easily phish-able. Just a while back I executed a phishing campaign against a company to create awareness for this topics.

However I noted that almost 20% gave their credentials without thinking. Even allot of IT personnel, the CEO and CIO were blind to this phishing campaign.

Password-less authentication, is a form of multi-factor authentication that replaces the password with a secure alternative. This type of authentication requires two or more verification factors to sign in that are secured with a cryptographic key pair.

Microsoft has created several options, to easily secure your environment and going password less. Allot of these features involve something you own, have or are (biometrics).

Just a quick overview of the features available:

·        Windows Hello (using biometrics, for example facial or fingerprint recognition)

·        Microsoft Authenticator App (software app on your mobile phone)

·        FIDO2 Security keys (basically a specific piece of hardware you use, like an usb dongle).

(De)Centralized Management of identities

Many consider identity to be the primary perimeter for security. This is a shift from the traditional focus on network security. Network perimeters keep getting more porous, and that perimeter defense can’t be as effective as it was before the explosion of BYOD devices and cloud applications.

Azure AD is a multitenant, cloud-based directory and identity management service from Microsoft. It combines core directory services, application access management, and identity protection into a single solution.

Most organizations today will be in a hybrid scenario, where you have multiple directories, that are linked together to form a forest of identities. For example linking your on-premises environment to Azure AD. IT admins have several options to keep these identities in sync and manageable.

Newer organizations, on the other hand, might be born in the cloud and live in the cloud. Those organizations might have only solely cloud identities.

IT Architects should make decisions on what to do with these identities and how to manage them. One of the solutions is to centralize management of identities and form a single pane of glass. Now to make things easy, know there are several options and best practices out there to help you. Down below I have given several lists, on each of these topics you could use to have a better management of your identities. But also please note, that each option would have to be viable for your organization.

Best practice when designing your Identity Management:

·        Establish a single Azure AD instance. Consistency and a single authoritative sources will increase clarity and reduce security risks from human errors and configuration complexity.

·        Don’t synchronize accounts to Azure AD that have high privileges in your existing Active Directory instance

·        Turn on password hash synchronization. Password hash synchronization is a feature used to synch user password hashes from an on-premises Active Directory instance to a cloud-based Azure AD instance. This sync helps to protect against leaked credentials being replayed from previous attacks. Even if you decide to use federation with Active Directory Federation Services (AD FS) or other identity providers, you can optionally set up password hash synchronization as a backup in case your on-premises servers fail or become temporarily unavailable.

·        Enable SSO

·        Manage and control access to corporate resources by using Condition Access

·        Set up self-service password reset (SSPR) for your users

·        Monitor how or if SSPR is really being used

·        Enable Multi-Factor Authentication

·        Segregate duties within your team and grant only the amount of access to users that they need to perform their jobs (RBAC & PIM)

·        For new application development, use Azure AD for authentication.

o  Azure AD for employees

o  Azure AD B2B for guest users and external partners

o  Azure AD B2C to control how customers sign up, sign in, and manage their profiles when they use your applications

·        Manage, control, and monitor access to privileged accounts

·        Ensure all critical admin roles have a separate account for administrative tasks in order to avoid phishing and other attacks to compromise administrative privileges

·        Identify and categorize accounts that are in highly privileged roles

·        Implement “just in time” (JIT) access to further lower the exposure time of privileges and increase your visibility into the use of privileged accounts.

·        Define at least two emergency access accounts

·        Have a “break glass” process in place in case of an emergency

·        Require all critical admin accounts to be password-less (preferred), or require Multi-Factor Authentication

·        For critical admin accounts, have an admin workstation where production tasks aren’t allowed (for example, browsing and email)

·        Deprovision admin accounts when employees leave your organization

·        Regularly test admin accounts by using current attack techniques.

Now there are also allot of synchronization options when trying to synchronize your on-premises AD with Azure AD.

Basically you have 3 mayor options:

·        Federated identity (example ADFS)

·        Azure AD Pass-through Authentication

·        Azure AD password hash synchronization

To make the right decision, in what is right for you organization, you can always use the following link as a reference guide:

https://docs.microsoft.com/en-us/azure/security/azure-ad-choose-authn

 This link, also a good decision making tree, as shown down below.

Geen alternatieve tekst opgegeven voor deze afbeelding

Auditing & Logging

Last but not least, there is also the Auditing & logging features within Azure. Now basically for most things (if not everything) there is logging and auditing available. However we will focus on auditing an logging available in regards to identities in this article.

With Azure Active Directory (Azure AD) reports, you can get the information you need to determine how your environment is doing.

The reporting architecture consists of the following components:

·        Activity

o  Sign-ins – The sign-ins report provides information about the usage of managed applications and user sign-in activities.

o  Audit logs – Provides traceability through logs for all changes done by various features within Azure AD. Examples of audit logs include changes made to any resources within Azure AD like adding or removing users, apps, groups, roles and policies.

·        Security

o  Risky sign-ins – A risky sign-in is an indicator for a sign-in attempt that might have been performed by someone who is not the legitimate owner of a user account.

o  Users flagged for risk – A risky user is an indicator for a user account that might have been compromised.

Next to that know that Azure Active Directory provides you with a variety of reports, containing useful information for applications such as SIEM systems, audit, and business intelligence tools.

By using the Microsoft Graph API for Azure AD reports, you can gain programmatic access to the data through a set of REST-based APIs. You can call these APIs from a variety of programming languages and tools.

You can use the API or graph explorer to access and view these API’s and pull information into your management applications as well. More information on this topic can be found here:

https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-reporting-api

Closure & summary

In this article we talked about how azure has grown over the last decade and some of the challenges that come with it. In addition I have provided tooling, features and best practices which you can use to design your organization’s identity solution. Now just remember it is not a race to get all of these features implemented. You need to look at each feature, best practice or tool and determine if these will work out for your organization’s needs.

So the next time, if people ask you what options there are to manage your (hybrid/Cloud) identities, you can say there is a plethora of options available!

Any questions, remarks or comments, please don’t hesitate to contact me directly.

Source used for this article: https://docs.microsoft.com/en-us/azure/

DutchEnglish