AZ-900 [7] - Azure Identity, Access, and Security

Azure Identity, Access, and Security

In computing, “identity” is the representation of a person, application, or device. It is usually proven with a password, a secret key, or a cryptographic certificate, and many applications require you to log in before you can use some of their functionality.

Traditionally, a client-server model is used to identify and validate user logins, and companies have written their own code to handle this. That is a security risk in the current era: some of the most famous “hacks” have been against custom-built identity systems. Some companies were storing passwords in plain text or hashing them with a weak, easily cracked algorithm like MD5; some were storing the “salt” along with the data; and many were not enforcing password change policies or password complexity rules.
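To make the contrast concrete, here is an added example (not from the original post) that puts the unsalted-MD5 anti-pattern next to a per-user-salted, slow key derivation (PBKDF2-HMAC-SHA256) with constant-time verification; the password and iteration counts are constructed for the demo.

```python
import hashlib
import hmac
import os

# Constructed sample credential for the demo (not a real account).
PASSWORD = "correct horse battery staple"


def weak_store(password: str) -> str:
    # The anti-pattern from the text: unsalted MD5. Two users with the same
    # password get the same digest, and a fast hash is cheap to brute-force.
    return hashlib.md5(password.encode(), usedforsecurity=False).hexdigest()


def strong_store(password: str, iterations: int = 600_000) -> str:
    # Per-user random salt plus a deliberately slow key derivation function.
    # The salt is not a secret: its job is to make identical passwords hash
    # differently and to defeat precomputed tables, so it is kept with the hash.
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify(stored: str, candidate: str) -> bool:
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison: do not leak how many bytes matched.
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def demo() -> dict:
    # Low iteration count only so the demo runs quickly; use the default in practice.
    weak, weak_again = weak_store(PASSWORD), weak_store(PASSWORD)
    strong, strong_again = strong_store(PASSWORD, 10_000), strong_store(PASSWORD, 10_000)
    return {
        "weak_identical": weak == weak_again,        # True: same input, same digest
        "strong_identical": strong == strong_again,  # False: fresh salt each time
        "verify_ok": verify(strong, PASSWORD),
        "verify_wrong": verify(strong, "wrong password"),
    }
```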

Azure Active Directory (AAD)

Azure provides an identity management system based on its popular “Active Directory”, which is widely used by corporations. AAD is not the same as Windows Active Directory: it has many more features, and traditional AD does not work over internet protocols. Azure Active Directory provides Identity as a Service (IDaaS).

Security

Unlike traditional systems, AAD takes care of user authentication. When a user logs in with their password, AAD sends back a signed token; the token is presented to the application, and the application uses a trusted key to validate the user’s token and grant the user access. This way of authenticating has many benefits: it offers more features than a traditional authentication system, reduces development time, is easy to support, and has much better security.
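The flow above, as an added example that is not part of the original post: a minimal identity-provider side that issues an HMAC-signed token in JWT compact form, and an application side that validates it with the shared trusted key. The key, subject, and audience values are constructed; real AAD tokens are RS256-signed with published keys, and this example uses a shared HMAC key only to keep it self-contained.

```python
import base64
import hashlib
import hmac
import json


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(key: bytes, subject: str, audience: str, now: int, ttl: int = 3600) -> str:
    # Identity-provider side: sign "<header>.<claims>" with the key the app trusts.
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = b64url_encode(json.dumps(
        {"sub": subject, "aud": audience, "iat": now, "exp": now + ttl}).encode())
    sig = hmac.new(key, f"{header}.{claims}".encode(), hashlib.sha256).digest()
    return f"{header}.{claims}.{b64url_encode(sig)}"


def verify_token(key: bytes, token: str, expected_aud: str, now: int):
    # Application side: check the signature first, then the claims.
    # Returns the subject on success and None on any failure.
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, claims_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(claims_b64))
        sig = b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("alg") != "HS256":   # the app, not the token, decides the algorithm
        return None
    expected = hmac.new(key, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):   # tampered, or signed with another key
        return None
    if claims.get("aud") != expected_aud:        # token issued for a different application
        return None
    if claims.get("exp", 0) <= now:              # expired
        return None
    return claims.get("sub")
```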

Azure offers Single Sign-On (SSO) with AAD, in which the user only needs to log in once to access more than one service built on AAD, which eliminates the need to remember multiple passwords. Azure also provides integration with other Azure services.

Authentication and Authorization

  • Authentication is proving who you are, e.g. with a user ID and password.
  • Authorization is ensuring that the user is permitted to perform an action, e.g. edit, delete, or add data.

Keeping the two separate prevents every authenticated user from having admin privileges.

Conditional Access

[Image: ./conditional-access-overview-how-it-works.png] Conditional Access | Source: Microsoft

It is a feature of AAD that lets the application impose conditions before granting login access to the user, e.g.

  • User A logs into the application from the office network: there is some implicit trust.
  • User B logs in from outside the office network: send an OTP for additional verification.
  • User C logs in after a long gap, e.g. 4 months: run additional checks to validate the identity.
  • Admin D logs in from 1200 miles away from the application: apply more checks, as admins have elevated privileges.

[Image: ./conditional-access-signal-decision-enforcement.png] Signal, Decision, Enforcement | Source: Microsoft
Using “Signal, Decision, and Enforcement”, we can take appropriate action to protect the application from malicious login attempts.

  • Signal - detect the login attempt using the IP address, geolocation, and other details.
  • Decision - decide on the validation techniques used to authenticate the user.
  • Enforcement - enforce the rules during and after the login process.
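The four sign-in cases above and the Signal, Decision, Enforcement split, as an added example that is not from the original post. The signal fields, thresholds (90 days, 500 miles) and control names are constructed; a real policy is configured in AAD rather than coded.

```python
from dataclasses import dataclass


@dataclass
class SignIn:
    """Signals collected about one sign-in attempt (constructed fields)."""
    user: str
    is_admin: bool
    on_office_network: bool
    days_since_last_login: int
    miles_from_application: float


# Constructed thresholds for the demo; in AAD these come from the configured policy.
STALE_LOGIN_DAYS = 90
FAR_AWAY_MILES = 500


def decide(s: SignIn) -> list:
    # Decision: map the signals to the controls this sign-in must satisfy.
    controls = []
    if not s.on_office_network:
        controls.append("otp")                # User B: outside the office network
    if s.days_since_last_login > STALE_LOGIN_DAYS:
        controls.append("identity_reverify")  # User C: first login in months
    if s.is_admin and s.miles_from_application > FAR_AWAY_MILES:
        controls.append("admin_step_up")      # Admin D: privileged and far away
    return controls                           # empty list: User A, trusted as-is


def enforce(s: SignIn, satisfied: set) -> str:
    # Enforcement: grant only when every required control has been met.
    missing = [c for c in decide(s) if c not in satisfied]
    return "grant" if not missing else "deny (missing: " + ", ".join(missing) + ")"


# Constructed sign-ins mirroring the four cases in the text.
CASES = {
    "A": SignIn("user-a", False, True, 1, 2),
    "B": SignIn("user-b", False, False, 3, 40),
    "C": SignIn("user-c", False, True, 120, 5),
    "D": SignIn("admin-d", True, False, 2, 1200),
}
```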

Azure Multifactor Authentication (MFA)

There are three factors of identity:

  • Something you know, e.g. a password
  • Something you have, e.g. a mobile phone or access to the email account
  • Something you are, e.g. a fingerprint (which cannot be changed)

While using a fingerprint to authenticate users might sound good, it is not ideal, as not many people are willing to give their biometric details to a non-critical application. So we can use a unique password and pair it with a time-limited code, which can be sent via email, SMS, or phone call, or generated by an authenticator app.

Passwordless Authentication

In passwordless authentication, the user has a second factor tied to the device, such as a biometric identifier (fingerprint, iris or face recognition) or a PIN on Windows devices, while their password is their first factor; they do not need to use OTPs as long as they are on that device.

Role Based Access Control (RBAC)

It is Microsoft’s preferred solution for access control. A role represents the common tasks of a job: we assign granular permissions to the role and then assign the role to a user. It is good practice never to assign granular permissions directly to a user. Azure ships with some basic built-in roles to get started with.
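The role-to-permissions, role-to-user model above, as an added example that is not part of the original post. It goes one step past the text by modelling Azure's scope hierarchy, where an assignment at a subscription or resource group is inherited by everything beneath it; the role definitions, principals and scope strings are constructed (the real built-in roles contain many more actions).

```python
# Constructed role definitions loosely modelled on Azure's "Reader" and "Contributor".
ROLES = {
    "Reader": {"*/read"},
    "Contributor": {"*"},
    "VM Operator": {                      # constructed custom role
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Compute/virtualMachines/start/action",
    },
}

# A role assignment binds a principal to a role at a scope. Permissions apply to
# that scope and everything beneath it (subscription -> resource group -> resource).
ASSIGNMENTS = [
    ("alice", "Reader", "/subscriptions/sub-1"),
    ("alice", "Contributor", "/subscriptions/sub-1/resourceGroups/rg-dev"),
    ("bob", "VM Operator", "/subscriptions/sub-1/resourceGroups/rg-prod"),
]


def action_matches(pattern: str, action: str) -> bool:
    # "*" matches anything; "*/read" matches any action that ends in "/read".
    if pattern == "*":
        return True
    if pattern.startswith("*/"):
        return action.endswith("/" + pattern[2:])
    return pattern == action


def scope_covers(assigned_scope: str, resource_scope: str) -> bool:
    # An assignment at a parent scope is inherited by every child scope.
    return resource_scope == assigned_scope or resource_scope.startswith(assigned_scope + "/")


def is_authorized(principal: str, action: str, resource_scope: str) -> bool:
    # Authorization never consults per-user permissions: it walks the principal's
    # role assignments and the actions each assigned role grants at that scope.
    for who, role, scope in ASSIGNMENTS:
        if who == principal and scope_covers(scope, resource_scope):
            if any(action_matches(p, action) for p in ROLES[role]):
                return True
    return False
```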

Zero Trust Model Methodology

Do not assume that everything behind the firewall is safe. Zero Trust rests on a few principles:

  1. Verify explicitly - use every method available to validate identity and authorization, such as JIT (Just-in-Time) or JEA (Just Enough Access).
  2. Use least-privileged access.
  3. Assume that you are breached.

This gives us security inside the network as well: encryption, segmentation, and threat detection.

Defense in Depth

It means having security in layers, with controls at every layer; in this way we can create a secure environment in which critical applications can run.

  1. Physical - door locks and key cards
  2. Identity and Access - Azure Active Directory
  3. Perimeter - firewall and DDoS protection
  4. Network - NSGs and subnets, deny by default
  5. Compute - limit Remote Desktop access, keep Windows updated
  6. Application - API Management
  7. Data - virtual network endpoints