Mastering Identity and Access Management with Microsoft Azure: Start empowering users and protecting corporate data, while managing Identities and Access with Microsoft Azure in different environments

Identity and Access Management (IAM) is the discipline that plays an important role in the actual cloud era of your organization. It's also of value to small and medium-sized companies, so that they can enable the right individuals to access the right resources from any location and device, at the right time and for the right reasons, to empower and enable the desired business outcomes. IAM addresses the mission-critical need of ensuring appropriate and secure access to resources inside and across company borders, such as cloud or partner applications.

The old security strategy of only securing your environment with an intelligent firewall concept and access control lists will take on a more and more subordinated role. There is a recommended requirement of reviewing and overworking this strategy in order to meet higher compliance and operational and business requirements. To adopt a mature security and risk management practice, it's very important that your IAM strategy is business-aligned and that the required business skills and stakeholders are committed to this topic. Without clearly defined business processes you can't implement a successful IAM functionality in the planned timeframe. Companies that follow this strategy can become more agile in supporting new business initiatives and reduce their costs in IAM.

The following three groups show the typical indicators for missing IAM capabilities on the premises and for cloud services:

Implications of Shadow IT

On top of that, often the IT department will hear the following question: When can we expect the new application for our business unit? Sorry, but the answer will always take too long. Why should I wait? All I need is a valid credit card that allows me to buy my required business application, but suddenly another popular phenomenon pops up: The shadow IT! Most of the time, this introduces another problem - uncontrolled information leakage. The following figure shows the flow of typical information - and that which you don't know can hurt!

The previous figure should not give you the impression that cloud services are inherently dangerous, rather that before using them you should first be aware that, and in which manner, they are being used. Simply migrating or ordering a new service in the cloud won't solve common IAM needs. This figure should help you to imagine that, if not planned, the introduction of a new or migrated service brings with it a new identity and credential set for the users, and therefore multiple credentials and logins to remember! You should also be sure which information can be stored and processed in a regulatory area other than your own organization. The following table shows the responsibilities involved when using the different cloud service models. In particular, you should identify that you are responsible for data classification, IAM, and end point security in every model:

Cloud Service Modell	IaaS	PaaS	SaaS
Responsibility	Customer	Provider	Customer	Provider	Customer	Provider
Data Classification	X		X		X
End Point Security	X		X		X
Identity and Access Management	X		X	X	X	X
Application Security	X		X	X		X
Network Controls	X		X	X		X
Host Security		X		X		X
Physical Security		X		X		X

The mobile workforce and cloud-first strategy

Many organizations are facing the challenge of meeting the expectations of a mobile workforce, all with their own device preferences, a mix of private and professional commitments, and the request to use social media as an additional means of business communication.

Let's dive into a short, practical, but extreme example. The AzureID company employs approximately 80 employees. They work with a SaaS landscape of eight services to drive all their business processes. On premises, they use Network-Attached Storage(NAS) to store some corporate data and provide network printers to all of the employees. Some of the printers are directly attached to the C-level of the company. The main issues today are that the employees need to remember all their usernames and passwords of all the business applications, and if they want to share some information with partners they cannot give them partial access to the necessary information in a secure and flexible way. Another point is if they want to access corporate data from their mobile device, it's always a burden to provide every single login for the applications necessary to fulfil their job. The small IT department with one Full-time Employee (FTE) is overloaded with having to create and manage every identity in each different service. In addition, users forget their passwords periodically, and most of the time outside normal business hours. The following figure shows the actual infrastructure:

Let's analyze this extreme example to reveal some typical problems, so that you can match some ideas to your IT infrastructure:

• Provisioning, managing, and de-provisioning identities can be a time-consuming task

• There are no single identity and credentials

• There is no collaboration support for partner and consumer communication

• There is no Self-Service Password Reset functionality

• Sensitive information leaves the corporation over email

• There are no usage or security reports about the accessed applications/services

• There is no central way to enable Multi-Factor Authentication (MFA) for sensitive applications

• There is no secure strategy for accessing social media

• There is no usable, secure, and central remote access portal

  Note

  Remember, shifting applications and services to the cloud just introduces more implications/challenges, not solutions. First of all, you need your IAM functionality accurately in place. You also need to always handle on-premises resources with minimal printer management.

Azure Active Directory is a fully managed multi-tenant service that provides IAM capabilities as a service. This service is not just an instance of the Windows Server Domain Controller you already know from your actual Active Directory infrastructure. Azure AD is not a replacement for the Windows Server Active Directory either. If you already use a local Active Directory infrastructure, you can extend it to the cloud by integrating Azure AD to authenticate your users in the same way as on-premise and cloud services.

Staying in the business view, we want to discuss some of the main features of Azure Active Directory. Firstly, we want to start with the Access panel that gives the user a central place to access all his applications from any device and any location with SSO.

Over this portal, your users can do the following:

With the Self-Service Password Reset functionality, a user gets a straight forward way to reset his password and to prove his identity, for example through a phone call, email, or by answering security questions.

To complete our short introduction to the main features of the Azure Active Directory, we will take a look at the reporting capabilities. With this feature you get predefined reports with the following information provided. With viewing and acting on these reports, you are able to control your whole application ecosystem published over the Azure AD access panel.

From our discussions with customers we recognize that, a lot of the time, the differences between the different Azure Active Directory editions are unclear. For that reason, we will include and explain the feature tables provided by Microsoft. We will start with the common features and then go through the premium features of Azure Active Directory.

The Azure Active Directory Premium edition provides you with the entire IAM capabilities, including the usage licenses of the on-premises used Microsoft Identity Manager. From a technical perspective, you need to use the Azure AD Connect utility to connect your on-premises Active Directory with the cloud and the Microsoft Identity Manager to manage your on-premises identities and prepare them for your cloud integration. To acquire Azure AD Premium, you can also use the Enterprise Mobility Suite (EMS) license bundle, which contains Azure AD Premium, Azure Rights Management, Microsoft Intune, and Advanced Threat Analytics (ATA) licensing. You can find more information about EMS by visiting http://bit.ly/1cJLPcM and http://bit.ly/29rupF4.

Azure AD Premium reference:

http://bit.ly/1gyDRoN

One of the newest features based on Azure Active Directory is the new Business to Business (B2B) capability. The new product solves the problem of collaboration between business partners. It allows users to share business applications between partners without going through inter-company federation relationships and internally-managed partner identities. With Azure AD B2B, you can create cross-company relationships by inviting and authorizing users from partner companies to access your resources. With this process, each company federates once with Azure AD and each user is then represented by a single Azure AD account. This option also provides a higher security level, because if a user leaves the partner organization, access is automatically disallowed. Inside Azure AD, the user will be handled as though a guest, and they will not be able to traverse other users in the directory. Real permissions will be provided over the correct associated group membership.

Azure Active Directory Business to Consumer (B2C) is another brand new feature based on Azure Active Directory. This functionality supports signing in to your application using social networks like Facebook, Google, or LinkedIn and creating developed accounts with usernames and passwords specifically for your company-owned application. Self-service password management and profile management are also provided with this scenario. Additionally, MFA introduces a higher grade of security to the solution. Principally, this feature allows small, medium and large companies to hold their customers in a separated Azure Active Directory with all the capabilities, and more, in a similar way to the corporate-managed Azure Active Directory. With different verification options, you are also able to provide the necessary identity assurance required for more sensible transactions. Azure B2C takes care about all the IAM tasks for own development application.

Azure AD Privileged Identity Management provides you with the functionality to manage, control, and monitor your privileged identities. With this option, you can build up an Role-based Access Control (RBAC) solution over your Azure AD and other Microsoft online services, such as Office 365 or Microsoft Intune. The following activities can be carried out with this functionality:

The following built-in roles can be managed with the current version:

Protecting sensible information or application access with additional authentication is an important task not just in the on-premises world. In particular, it needs to be extended to every sensible cloud service used. There are a lot of variations for providing this level of security and additional authentication, such as certificates, smart cards, or biometric options. For example, smart cards depend on special hardware used to read the smart card and cannot be used in every scenario without limiting the access to a special device or hardware or. The following table gives you an overview of different attacks and how they can be mitigated with a well designed and implemented security solution.

The Azure MFA functionality has been included in the Azure Active Directory Premium capabilities to address exactly the attacks described in the previous table. With a one-time password solution, you can build a very capable security solution to access information or applications from devices that cannot use smart cards as the additional authentication method. Otherwise, for small or medium business organizations a smart card deployment, including the appropriate management solution, will be too cost-intensive and the Azure MFA solution can be a good alternative for reaching the expected higher security level.

In discussions with our customers, we recognized that many don't realize that Azure MFA is already included in different Office 365 plans. They would be able to protect their Office 365 with multi-factor out-of-the-box but they don't know it! This brings us to Microsoft and the following table, which compares the functionality between Office 365 and Azure MFA.

With the Office 365 capabilities of MFA, the administrators are able to use basic functionality to protect their sensible information. In particular, if integrating on-premises users and services, the Azure MFA solution is needed.

More and more organizations are in the position of providing a continuous and integrated information protection solution to protect sensible assets and information. On the one hand is the department, which carries out its business activities, generates the data, and then processes. Furthermore, it uses the data inside and outside the functional areas, passes it, and runs a lively exchange of information.

On the other hand, revision is required by legal requirements that prescribe measures to ensure that information is dealt with and dangers such as industrial espionage and data loss are avoided. So, this is a big concern when safeguarding sensitive information.

While staff appreciate the many methods of communication and data exchange, this development starts stressing the IT security officers and makes managers worried. The fear is that critical corporate data stays in an uncontrolled manner and leaves the company or moves to competitors. The routes are varied, but data is often lost in inadvertent delivery via email. In addition, sensitive data can leave the company on a USB stick and smartphone, or IT media can be lost or stolen. In addition, new risks are added, such as employees posting information on social media platforms. IT must ensure the protection of data in all phases, and traditional IT security solutions are not always sufficient. The following figure illustrates this situation and leads us to the Azure Rights Management services.

Like its other additional features, the base functional is included in different Office 365 plans. The main difference between the two is that only the Azure RMS edition can be integrated in an on-premises file server environment in order to be able to use the File Classification Infrastructure feature of the Windows Server file server role.

The Azure RMS capability allows you to protect your sensitive information based on classification information with a granular access control system. The following table, provided by Microsoft, shows the differences between the Office 365 and Azure RMS functionality. Azure RMS is included with E3, E4, A3, and A4 plans.

In particular, the tracking feature helps users to find where their documents are distributed and allows them to revoke access to a single protected document.

Now that we have discussed the relevant Microsoft Azure IAM capabilities, you can see that Microsoft provides more than just single features or subsets of functionality. Furthermore, it brings a whole solution to the market, which provides functionality for every facet of IAM. Microsoft Azure also combines clear service management with IAM, making it a rich solution for your organization. You can work with that toolset in a native cloud-first scenario, hybrid, and a complex hybrid scenario and can extend your solution to every possible use case or environment. The following figure illustrates all the different topics that are covered with Microsoft Azure security solutions: