Before jumping into the architecture and deployment of the Microsoft Azure IAM capabilities, we will first start with a business view to identify the important business needs and challenges of a cloud-only environment and scenario. Throughout this chapter, we will also discuss the main features of and licensing information for such an approach. Finally, we will round up with the challenges surrounding security and legal requirements.
The topics we will cover in this chapter are as follows:
Identifying business needs and challenges
An overview of feature and licensing decisions
Defining the benefits and costs
Principles of security and legal requirements
Oh! Don't worry, we don't intend to bore you with a lesson of typical IAM stories - we're sure you've come across a lot of information in this area. However, you do need to have an independent view of the actual business needs and challenges in the cloud area, so that you can get the most out of your own situation.
Identity and Access Management (IAM) is the discipline that plays an important role in the actual cloud era of your organization. It's also of value to small and medium-sized companies, so that they can enable the right individuals to access the right resources from any location and device, at the right time and for the right reasons, to empower and enable the desired business outcomes. IAM addresses the mission-critical need of ensuring appropriate and secure access to resources inside and across company borders, such as cloud or partner applications.
The old security strategy of only securing your environment with an intelligent firewall concept and access control lists will take on a more and more subordinated role. There is a recommended requirement of reviewing and overworking this strategy in order to meet higher compliance and operational and business requirements. To adopt a mature security and risk management practice, it's very important that your IAM strategy is business-aligned and that the required business skills and stakeholders are committed to this topic. Without clearly defined business processes you can't implement a successful IAM functionality in the planned timeframe. Companies that follow this strategy can become more agile in supporting new business initiatives and reduce their costs in IAM.
The following three groups show the typical indicators for missing IAM capabilities on the premises and for cloud services:
Your employees/partners:
Same password usage across multiple applications without periodic changes (also in social media accounts)
Multiple identities and logins
Passwords are written down in Sticky Notes, Excel, etc.
Application and data access allowed after termination
Forgotten usernames and passwords
Poor usability of application access inside and outside the company (multiple logins, VPN connection required, incompatible devices, etc.)
Your IT department:
High workload on Password Reset Support
Missing automated identity lifecycles with integrity (data duplication and data quality problems)
No insights in application usage and security
Missing reporting tools for compliance management
Complex integration of central access to Software as a Service (SaaS), Partner and On-Premise applications (missing central access/authentication/authorization platform)
No policy enforcement in cloud services usage
Collection of access rights (missing processes)
Your developers:
Limited knowledge of all the different security standards, protocols, and APIs
Constantly changing requirements and rapid developments
Complex changes of the Identity Provider
On top of that, often the IT department will hear the following question: When can we expect the new application for our business unit? Sorry, but the answer will always take too long. Why should I wait? All I need is a valid credit card that allows me to buy my required business application, but suddenly another popular phenomenon pops up: The shadow IT! Most of the time, this introduces another problem - uncontrolled information leakage. The following figure shows the flow of typical information - and that which you don't know can hurt!
The previous figure should not give you the impression that cloud services are inherently dangerous, rather that before using them you should first be aware that, and in which manner, they are being used. Simply migrating or ordering a new service in the cloud won't solve common IAM needs. This figure should help you to imagine that, if not planned, the introduction of a new or migrated service brings with it a new identity and credential set for the users, and therefore multiple credentials and logins to remember! You should also be sure which information can be stored and processed in a regulatory area other than your own organization. The following table shows the responsibilities involved when using the different cloud service models. In particular, you should identify that you are responsible for data classification, IAM, and end point security in every model:
Cloud Service Modell |
IaaS
|
PaaS
|
SaaS
| |||
Responsibility |
Customer |
Provider |
Customer |
Provider |
Customer |
Provider |
Data Classification |
X
|
X
|
X
| |||
End Point Security |
X
|
X
|
X
| |||
Identity and Access Management |
X
|
X
|
X
|
X
|
X
| |
Application Security |
X
|
X
|
X
|
X
| ||
Network Controls |
X
|
X
|
X
|
X
| ||
Host Security |
X
|
X
|
X
| |||
Physical Security |
X
|
X
|
X
|
Many organizations are facing the challenge of meeting the expectations of a mobile workforce, all with their own device preferences, a mix of private and professional commitments, and the request to use social media as an additional means of business communication.
Let's dive into a short, practical, but extreme example. The AzureID company employs approximately 80 employees. They work with a SaaS landscape of eight services to drive all their business processes. On premises, they use Network-Attached Storage(NAS) to store some corporate data and provide network printers to all of the employees. Some of the printers are directly attached to the C-level of the company. The main issues today are that the employees need to remember all their usernames and passwords of all the business applications, and if they want to share some information with partners they cannot give them partial access to the necessary information in a secure and flexible way. Another point is if they want to access corporate data from their mobile device, it's always a burden to provide every single login for the applications necessary to fulfil their job. The small IT department with one Full-time Employee (FTE) is overloaded with having to create and manage every identity in each different service. In addition, users forget their passwords periodically, and most of the time outside normal business hours. The following figure shows the actual infrastructure:
Let's analyze this extreme example to reveal some typical problems, so that you can match some ideas to your IT infrastructure:
Provisioning, managing, and de-provisioning identities can be a time-consuming task
There are no single identity and credentials
There is no collaboration support for partner and consumer communication
There is no Self-Service Password Reset functionality
Sensitive information leaves the corporation over email
There are no usage or security reports about the accessed applications/services
There is no central way to enable Multi-Factor Authentication (MFA) for sensitive applications
There is no secure strategy for accessing social media
There is no usable, secure, and central remote access portal
With the cloud-first strategy of Microsoft, the Azure platform and their number of services grow constantly, and we have seen a lot of costumers lost in a paradise of wonderful services and functionality. This brings us to the point of how to figure out the relevant services for IAM for you and how to give them the space for explanation. Obviously, there are more services available that stripe this field with a small subset of functionality, but due to the limited page count of this book and our need for rapid development, we will focus on the most important ones, and will reference any other interesting content. The primary service for IAM is the Azure Active Directory service, which has also been the core directory service for Office 365 since 2011. Every other SaaS offering of Microsoft is also based on this core service, including Microsoft Intune, Dynamics, and Visual Studio Online. So, if you are already an Office 365 customer you will have your own instance of Azure Active Directory in place. For sustained access management and the protection of your information assets, the Azure Rights Management services are in place. There is also an option for Office 365 customers to use the included Azure Rights Management services. You can find further information about this by visiting the following link: http://bit.ly/1KrXUxz.
Let's get started with the feature sets that can provide a solution, as shown in the following screenshot:
Including Azure Active Directory and Rights Management helps you to provide a secure solution with a central access portal for all of your applications with just one identity and login for your employees, partners, and customers that you want to share your information with. With a few clicks you can also add MFA to your sensitive applications and administrative accounts. Furthermore, you can directly add a Self-Service Password Reset functionality that your users can use to reset their password for themselves. As the administrator, you will receive predefined security and usage reports to control your complete application ecosystem. To protect your sensible content, you will receive digital rights management capabilities with the Azure Rights Management services to give you granular access rights on every device your information is used.
Doesn't it sound great? Let's take a deeper look into the functionality and usage of the different Microsoft Azure IAM services.
Azure Active Directory is a fully managed multi-tenant service that provides IAM capabilities as a service. This service is not just an instance of the Windows Server Domain Controller you already know from your actual Active Directory infrastructure. Azure AD is not a replacement for the Windows Server Active Directory either. If you already use a local Active Directory infrastructure, you can extend it to the cloud by integrating Azure AD to authenticate your users in the same way as on-premise and cloud services.
Staying in the business view, we want to discuss some of the main features of Azure Active Directory. Firstly, we want to start with the Access panel that gives the user a central place to access all his applications from any device and any location with SSO.
Note
The combination of the Azure Active Directory Access panel and the Windows Server 2012 R2/2016 Web Application Proxy / ADFS capabilities provide an efficient way to securely publish web applications and services to your employees, partners, and customers. It will be a good replacement for your retired Forefront TMG/UAG infrastructure.
Over this portal, your users can do the following:
User and group management
Access their business relevant applications (On-premise, partner, and SaaS) with single-sign-on or single logon
Delegation of access control to the data, process, or project owner
Self-service profile editing for correcting or adding information
Self-service password change and reset
Manage registered devices
With the Self-Service Password Reset functionality, a user gets a straight forward way to reset his password and to prove his identity, for example through a phone call, email, or by answering security questions.
Note
The different portals can be customized with your own Corporate Identity branding. To try the different portals, just use the following links: https://myapps.microsoft.com and https://passwordreset.microsoftonline.com.
To complete our short introduction to the main features of the Azure Active Directory, we will take a look at the reporting capabilities. With this feature you get predefined reports with the following information provided. With viewing and acting on these reports, you are able to control your whole application ecosystem published over the Azure AD access panel.
Anomaly reports
Integrated application reports
Error reports
User-specific reports
Activity logs
From our discussions with customers we recognize that, a lot of the time, the differences between the different Azure Active Directory editions are unclear. For that reason, we will include and explain the feature tables provided by Microsoft. We will start with the common features and then go through the premium features of Azure Active Directory.
First of all, we want to discuss the Access panel portal so we can clear up some open questions. With the Azure AD Free and Basic editions, you can provide a maximum of 10 applications to every user. However, this doesn't mean that you are limited to 10 applications in total. Next, the portal link: right now it cannot be changed to your own company-owned domain, such as https://myapps.inovit.ch. The only way you can do so is by providing an alias in your DNS configuration; the accessed link is https://myapps.microsoft.com. Company branding will lead us on to the next discussion point, where we are often asked how much corporate identity branding is possible. The following link provides you with all the necessary information for branding your solution:http://bit.ly/1Jjf2nw. Rounding up this short Q&A on the different feature sets is Application Proxy usage, one of the important differentiators between the Azure AD Free and Basic editions. The short answer is that with Azure AD Free, you cannot publish on-premises applications and services over the Azure AD Access Panel portal.
Features |
AAD Free |
AAD Basic |
AAD Premium |
Directory as a Service (objects) |
500k
|
unlimited
|
unlimited
|
User/Group management (UI or PowerShell) |
X
|
X
|
X
|
Access Panel portal for SSO (per user) |
10 apps
|
10 apps
|
unlimited
|
User-based application access management/provisioning |
X
|
X
|
X
|
Self-service password change (cloud users) |
X
|
X
|
X
|
Directory synchronization tool |
X
|
X
|
X
|
Standard security reports |
X
|
X
|
X
|
High availability SLA (99.9%) |
X
|
X
| |
Group-based application access management and provisioning |
X
|
X
| |
Company branding |
X
|
X
| |
Self-service password reset for cloud users |
X
|
X
| |
Application Proxy |
X
|
X
| |
Self-service group management for cloud users |
X
|
X
|
The Azure Active Directory Premium edition provides you with the entire IAM capabilities, including the usage licenses of the on-premises used Microsoft Identity Manager. From a technical perspective, you need to use the Azure AD Connect utility to connect your on-premises Active Directory with the cloud and the Microsoft Identity Manager to manage your on-premises identities and prepare them for your cloud integration. To acquire Azure AD Premium, you can also use the Enterprise Mobility Suite (EMS) license bundle, which contains Azure AD Premium, Azure Rights Management, Microsoft Intune, and Advanced Threat Analytics (ATA) licensing. You can find more information about EMS by visiting http://bit.ly/1cJLPcM and http://bit.ly/29rupF4.
Features
|
Azure AD
Premium
|
Self-service password reset with on-premises write-back
|
X
|
Microsoft Identity Manager server licenses
|
X
|
Advanced anomaly security reports
|
X
|
Advanced usage reporting
|
X
|
Multi-Factor Authentication (cloud users)
|
X
|
Multi-Factor Authentication (On-premises users)
|
X
|
Azure AD Premium reference:
One of the newest features based on Azure Active Directory is the new Business to Business (B2B) capability. The new product solves the problem of collaboration between business partners. It allows users to share business applications between partners without going through inter-company federation relationships and internally-managed partner identities. With Azure AD B2B, you can create cross-company relationships by inviting and authorizing users from partner companies to access your resources. With this process, each company federates once with Azure AD and each user is then represented by a single Azure AD account. This option also provides a higher security level, because if a user leaves the partner organization, access is automatically disallowed. Inside Azure AD, the user will be handled as though a guest, and they will not be able to traverse other users in the directory. Real permissions will be provided over the correct associated group membership.
Azure Active Directory Business to Consumer (B2C) is another brand new feature based on Azure Active Directory. This functionality supports signing in to your application using social networks like Facebook, Google, or LinkedIn and creating developed accounts with usernames and passwords specifically for your company-owned application. Self-service password management and profile management are also provided with this scenario. Additionally, MFA introduces a higher grade of security to the solution. Principally, this feature allows small, medium and large companies to hold their customers in a separated Azure Active Directory with all the capabilities, and more, in a similar way to the corporate-managed Azure Active Directory. With different verification options, you are also able to provide the necessary identity assurance required for more sensible transactions. Azure B2C takes care about all the IAM tasks for own development application.
Azure AD Privileged Identity Management provides you with the functionality to manage, control, and monitor your privileged identities. With this option, you can build up an Role-based Access Control (RBAC) solution over your Azure AD and other Microsoft online services, such as Office 365 or Microsoft Intune. The following activities can be carried out with this functionality:
You can discover the actual configured Azure AD Administrators
You can provide just in time administrative access
You can get reports about administrator access history and assignment changes
You can receive alerts about access to a privileged role
The following built-in roles can be managed with the current version:
Global Administrator
Billing Administrator
Service Administrator
User Administrator
Password Administrator
Protecting sensible information or application access with additional authentication is an important task not just in the on-premises world. In particular, it needs to be extended to every sensible cloud service used. There are a lot of variations for providing this level of security and additional authentication, such as certificates, smart cards, or biometric options. For example, smart cards depend on special hardware used to read the smart card and cannot be used in every scenario without limiting the access to a special device or hardware or. The following table gives you an overview of different attacks and how they can be mitigated with a well designed and implemented security solution.
Attacker |
Security solution |
Password brute force |
Strong password policies |
Shoulder surfing
Key or screen logging
|
One-time password solution |
Phishing or pharming |
Server authentication (HTTPS) |
Man-in-the-Middle
Whaling (Social engineering)
|
Two-factor authentication
Certificate or one-time password solution
|
Certificate authority corruption
Cross Channel Attacks (CSRF)
|
Transaction signature and verification
Non repudiation
|
Man-in-the-Browser
Key loggers
|
Secure PIN entry
Secure messaging
Browser (read only)
Push button (token)
Three-factor authentication
|
The Azure MFA functionality has been included in the Azure Active Directory Premium capabilities to address exactly the attacks described in the previous table. With a one-time password solution, you can build a very capable security solution to access information or applications from devices that cannot use smart cards as the additional authentication method. Otherwise, for small or medium business organizations a smart card deployment, including the appropriate management solution, will be too cost-intensive and the Azure MFA solution can be a good alternative for reaching the expected higher security level.
In discussions with our customers, we recognized that many don't realize that Azure MFA is already included in different Office 365 plans. They would be able to protect their Office 365 with multi-factor out-of-the-box but they don't know it! This brings us to Microsoft and the following table, which compares the functionality between Office 365 and Azure MFA.
Feature |
O365 |
Azure |
Administrators can enable/enforce MFA to end-users |
X
|
X
|
Use mobile app (online and OTP) as second authentication factor |
X
|
X
|
Use phone call as second authentication factor |
X
|
X
|
Use SMS as second authentication factor |
X
|
X
|
App passwords for non-browser clients (for example, Outlook, Lync) |
X
|
X
|
Default Microsoft greetings during authentication phone calls |
X
|
X
|
Remember Me |
X
|
X
|
IP Whitelist |
X
| |
Custom greetings during authentication phone calls |
X
| |
Fraud alert |
X
| |
Event confirmation |
X
| |
Security reports |
X
| |
Block/unblock users |
X
| |
One-time bypass |
X
| |
Customizable caller ID for authentication phone calls |
X
| |
MFA Server - MFA for on-premises applications |
X
| |
MFA SDK - MFA for custom apps |
X
|
With the Office 365 capabilities of MFA, the administrators are able to use basic functionality to protect their sensible information. In particular, if integrating on-premises users and services, the Azure MFA solution is needed.
More and more organizations are in the position of providing a continuous and integrated information protection solution to protect sensible assets and information. On the one hand is the department, which carries out its business activities, generates the data, and then processes. Furthermore, it uses the data inside and outside the functional areas, passes it, and runs a lively exchange of information.
On the other hand, revision is required by legal requirements that prescribe measures to ensure that information is dealt with and dangers such as industrial espionage and data loss are avoided. So, this is a big concern when safeguarding sensitive information.
While staff appreciate the many methods of communication and data exchange, this development starts stressing the IT security officers and makes managers worried. The fear is that critical corporate data stays in an uncontrolled manner and leaves the company or moves to competitors. The routes are varied, but data is often lost in inadvertent delivery via email. In addition, sensitive data can leave the company on a USB stick and smartphone, or IT media can be lost or stolen. In addition, new risks are added, such as employees posting information on social media platforms. IT must ensure the protection of data in all phases, and traditional IT security solutions are not always sufficient. The following figure illustrates this situation and leads us to the Azure Rights Management services.
Like its other additional features, the base functional is included in different Office 365 plans. The main difference between the two is that only the Azure RMS edition can be integrated in an on-premises file server environment in order to be able to use the File Classification Infrastructure feature of the Windows Server file server role.
The Azure RMS capability allows you to protect your sensitive information based on classification information with a granular access control system. The following table, provided by Microsoft, shows the differences between the Office 365 and Azure RMS functionality. Azure RMS is included with E3, E4, A3, and A4 plans.
Feature |
RMS O365 |
RMS Azure |
Users can create and consume protected content by using Windows clients and Office applications |
X
|
X
|
Users can create and consume protected content by using mobile devices |
X
|
X
|
Integrates with Exchange Online, SharePoint Online, and OneDrive for Business |
X
|
X
|
Integrates with Exchange Server 2013/Exchange Server 2010 and SharePoint Server 2013/SharePoint Server 2010 on-premises via the RMS connector |
X
|
X
|
Administrators can create departmental templates |
X
|
X
|
Organizations can create and manage their own RMS tenant key in a hardware security module (the Bring Your Own Key solution) |
X
|
X
|
Supports non-Office file formats: Text and image files are natively protected; other files are generically protected |
X
|
X
|
RMS SDK for all platforms: Windows, Windows Phone, iOS, Mac OSX, and Android |
X
|
X
|
Integrates with Windows file servers for automatic protection with FCI via the RMS connector |
X
| |
Users can track usage of their documents |
X
| |
Users can revoke access to their documents |
X
|
In particular, the tracking feature helps users to find where their documents are distributed and allows them to revoke access to a single protected document.
Now that we have discussed the relevant Microsoft Azure IAM capabilities, you can see that Microsoft provides more than just single features or subsets of functionality. Furthermore, it brings a whole solution to the market, which provides functionality for every facet of IAM. Microsoft Azure also combines clear service management with IAM, making it a rich solution for your organization. You can work with that toolset in a native cloud-first scenario, hybrid, and a complex hybrid scenario and can extend your solution to every possible use case or environment. The following figure illustrates all the different topics that are covered with Microsoft Azure security solutions:
The Microsoft Azure IAM capabilities help you to empower your users with a flexible and rich solution that enables better business outcomes in a more productive way. You help your organization to improve the regulatory compliance overall and reduce the information security risk. Additionally, it can be possible to reduce IT operating and development costs by providing higher operating efficiency and transparency. Last but not least, it will lead to improved user satisfaction and better support from the business for further investments.
The following toolset gives you very good instruments for calculating the costs of your special environment.
Azure Active Directory Pricing Calculator: http://bit.ly/1fspdhz
Enterprise Mobility Suite Pricing: http://bit.ly/1V42RSk
Microsoft Azure Pricing Calculator: http://bit.ly/1JojUfA
The classification of data, such as business information or personal data, is not only necessary for an on-premises infrastructure. It is the basis for the assurance of business-related information and is represented by compliance with official regulations. These requirements are of greater significance when using cloud services or solutions outside your own company and regulation borders. They are clearly needed for a controlled shift of data in an area in which responsibilities on contracts must be regulated. Safety limits do not stop at the private cloud, and are responsible for the technical and organizational implementation and control of security settings.
The subsequent objectives are as follows:
Construction, extension, or adaptation of the data classification to the Cloud Integration
Data classification as a basis for encryption or isolated security silos
Data classification as a basis for authentication and authorization
Microsoft itself has strict controls that restrict access to Azure to Microsoft employees. Microsoft also enables customers to control access to their Azure environments, data, and applications, as well as allowing them to penetrate and audit services with special auditors and regulations on request.
Note
A statement from Microsoft: Customers will only use cloud providers in which they have great trust. They must trust that the privacy of their information will be protected, and that their data will be used in a way that is consistent with their expectations. We build privacy protections into Azure through Privacy by Design.
You can get all the necessary information about security, compliance, and privacy by visiting the following link http://bit.ly/1uJTLAT.
Now that you are fully clued up with information about typical needs and challenges and feature and licensing information, you should be able to apply the right technology and licensing model to your cloud-only scenario. You should also be aware of the benefits and cost calculators that will help you calculate a basic price model for your required services. Furthermore, you can also decide which security and legal requirements are relevant for your cloud-only environments.
In the next chapter, we will design a sustainable cloud-only IAM environment. We will discuss the user and group life cycle and the roles and administrative units with the relevant identity reporting capabilities. We look forward to seeing you work on your design in the next chapter.