Azure Security Solutions
*** Please note: An updated version of this course is available here. ***
Security is a critical concern for anyone who uses the cloud. Microsoft takes this seriously and built and operates the Azure platform with security as a key principle. Microsoft secures its data centers and the platform's management applications, and provides pay-as-you-go security services. Learn how to take advantage of these security features and services to enable strong security practices in your organization and to protect and secure your own cloud applications.
This course is for security engineers, chief security officers, solution architects, information technologists or anyone wanting to understand security options within the Azure platform.
Viewers should have a basic understanding of cyber security, authentication and authorization best practices, and encryption. Some familiarity with the Azure platform will also be helpful but is not required.
- Understand the shared responsibility model
- Learn how to secure Azure resources such as virtual machines and storage accounts
- Learn how to secure your Azure-based applications
- Learn how to monitor your Azure resources with Azure Security Center
Welcome and Introduction: A brief introduction to the course and an overview of what Bill and Maura will be covering.
Shared Responsibility: In this lesson we'll cover cyber security using the CIA triad (Confidentiality, Integrity, Availability) and what security professionals do to uphold each part of it: prevent, detect, respond. We'll then cover Microsoft's responsibilities and its own security and compliance processes, what a customer is responsible for, and finally the tools that Azure provides, including Azure AD, encryption, and secure networking.
Protecting Accounts: In this lesson we'll cover Azure Active Directory and Multi-Factor Authentication.
Securing the Azure Portal: In this lesson we'll cover role-based access control.
Identity Management for Apps: In this lesson we'll cover AAD protection and integration for business apps.
Network Security: In this lesson we'll cover Virtual Private Networks and firewalls.
Data Security: In this lesson we'll cover encryption and data masking.
Secrets Management: In this lesson we'll cover Key Vault and Shared Access Signatures.
Monitoring and Auditing: In this lesson we'll discuss the Azure Security Center.
Course Conclusion: Course Wrap-Up
In this lecture we look at identity and access management for your applications using Azure Active Directory, with both your organization's AAD accounts and support for social logins. While commonly used to manage the directory of users in your organization, Azure Active Directory can also integrate with third-party services. Let's take a look at that. Here you have the Azure Marketplace for third-party services.
At present this directory supports thousands of integrations, more than 2,800 applications at last count, including salesforce.com (see it there), Dropbox, Box, Google Analytics, and many more. Once you've integrated with any of these third-party applications using this portal experience, you'll be configured so that your organization's users log in to these third-party services using the same Azure Active Directory credentials they use for the Azure portal. This sort of integration works because Azure Active Directory is standards based: it includes support for SAML, OpenID Connect, OAuth 2.0, and WS-Federation. It is through these standards that it can easily integrate with the third-party SaaS cloud applications we looked at in the prior demo.
Through standards-based integrations, Azure Active Directory allows enterprise users to access these different cloud applications without requiring a separate account. This frees administrators from needing to synchronize access to multiple SaaS applications. An example I like to use is the employee you just hired to manage your marketing campaigns. Imagine this employee needs access to email via Office 365, and to salesforce.com to manage customer relationships. Your organization could set up an Azure Active Directory account, integrate with salesforce.com, create a role for marketing, and assign that employee to this new role.
This user would then log into salesforce.com using their AAD account, not through a separate salesforce.com account. This ability to log in with accounts from one system and map to an account in another system is commonly known as Single Sign-On, or SSO. Now let's say six months have passed and this employee leaves our company. Our IT department now needs to take away her access to both Office 365 and salesforce.com to maintain proper security. With AAD as the central directory, the IT department simply needs to remove this employee from the one AAD directory, and access to both salesforce.com and Office 365 is cut off.
With a little bit of code from the Azure Active Directory Authentication Library, integration code can be written, all the configuration can be done, and you can have a solution that supports social logins. This will allow your audience of unknown users to log into your applications using Facebook, Google, LinkedIn, and other social credentials. The best way to show how your organization's AAD authentication experience can extend to your custom applications, and also how the Azure AD B2C experience can integrate with social logins, is to simply see how you'd use it.
Let's show how to set it up for a website running under Web Apps in Azure. Note that because we are using this through an Azure website in this demo, the portal will handle a lot of the configuration on our behalf. But we could also use the open-source Active Directory Authentication Libraries to integrate with arbitrary applications, even applications not running in Azure.
So let's switch over and do the demo. First we'll show logging in with AAD credentials to a custom application. Then we'll show logging in with Twitter from the same custom application. Here we are back in the Azure portal. To get things started, we'll go into App Services, click Add, and create a new web app. This web app will host our sample application. We'll call our app claimdumpdemo. We'll take defaults on the rest and click Create. We see our deployment is in progress; let's pin this to the dashboard and come back in a few seconds when it's ready. Our app service has been created. Let's go ahead and deploy some code to it. Go here to Deployment Options. We'll deploy from GitHub. We'll configure a GitHub account; I've authorized an account from GitHub.
Now I'll choose a repo from GitHub. I'll use a personal repo, the one called claimdump. We'll take defaults on the rest and hit OK. It's been successfully deployed, very quickly. Back on the Overview tab we see that our website URL is claimdumpdemo.azurewebsites.net. Let's click on that, and it should launch our website. Okay, here we are. This is just a sample ASP.NET application with one change: I've added some logic to the About page that will show me some information about the logged-in user if they are authenticated. I have not set up authentication for this application yet, so this page doesn't show anything interesting.
Let's go back to the Azure portal and configure that. In the same claimdumpdemo app service, I'm going to choose Authentication / Authorization and enable it. And I'm going to change the action taken when a request is not authenticated from allowing anonymous access to logging in with Azure Active Directory. This will use the same Azure Active Directory I'm currently logged in with, which is the Azure Bookstore Azure Active Directory. Let's go ahead and configure Azure Active Directory itself. We'll choose Express, take the defaults for the rest, and hit Save. Let's go back to our application now and reload the page. After refreshing, authentication is enforced and now you can see some information about the user who's logged in: the user logged in from a particular IP address, the user was authenticated through a password, the user's name is the AAD Global Admin, and you can see some other information about the user as well.
What's happened here is that through the portal I've configured authentication for this website, and now only users who can authenticate through my company's Azure Active Directory can access it. Let's go over to another web browser where I'm not logged in and go to the same website. Now that we've configured it to require AAD authentication, nobody can access this website unless they're able to authenticate with my company's Azure Active Directory. If I were to authenticate with another Azure Active Directory, that wouldn't work. I logged into a valid Azure Active Directory, but as you can see down here, the user I logged in with is from a different identity provider and does not exist in the current Azure Active Directory tenant, so it won't let me in.
This is a great way to extend line-of-business applications to your employees all over the internet. And just for illustration, let me log in with a different account from my company's Azure Active Directory and see if I'm allowed in. Go to About, and I am. It shows similar information, but for this different logged-in user. Let's go back to the Authentication / Authorization section. Now that we've seen an Azure Active Directory configuration, let's switch over to using Twitter. You need to configure Twitter in order for this to work: you need to provide an API Key and an API Secret for a Twitter application that we've created over on Twitter.
The instructions for carrying this out are here. So to do this, we go to the Twitter developers website and log in with our Twitter credentials, which I will do. Here I am logged into apps.twitter.com. Let's create a new app and call it Claim Dump Demo. Our website is claimdumpdemo. According to the instructions, my callback URL needs to look like this: claimdumpdemo.azurewebsites.net/.auth/login/twitter/callback. Check the agreement and create the app. So I need to bring my API Key over and paste that in there. I also need the secret; grab that and come over here, hit OK. Twitter is now configured, and I've chosen Twitter as the action to take when a user reaches the claimdumpdemo website without being authenticated. I'll hit Save here. Okay, now that we're all configured, let's go back to the website and see if it works. The first time you use the new application with Twitter, you have to authorize the application: you're authorizing Twitter to allow it to authenticate the claimdumpdemo application. We'll choose Authorize app, and now we're back on our application.
Let's go to the About screen and hopefully we'll see information from Twitter. And we do: this is my Twitter handle, my name of course, my Twitter description, my time zone, and a link to my profile photo. If we go over to Twitter, we should be able to see the same information. So let's jump over to Twitter, and we can see that this information is the same.
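The two demos above lean entirely on the platform: App Service validates the AAD or Twitter login and the app just reads back whatever claims arrive. As an added example (not code from the course or the claimdump sample), here is the check a practitioner would put in the application itself so that a route that is meant for company employees does not quietly accept a Twitter login, or an AAD user from a different directory, if the portal setting is later changed or widened. It assumes that App Service forwards the already-validated identity in an X-MS-CLIENT-PRINCIPAL header carrying base64-encoded JSON with an auth_typ field and a list of typ/val claims, and that the long claim-type URIs in the code are the ones Azure AD emits for tenant id, name and authentication method; the tenant ids, user names and header values are constructed for the example.

```python
"""Added example (not code from the course or the claimdump sample): the checks an
application behind Azure App Service authentication can make on the identity
the platform forwards to it.

Assumptions, labelled as such: App Service forwards the identity it has already
validated in an X-MS-CLIENT-PRINCIPAL request header whose value is base64 JSON
of the form {"auth_typ": "aad"|"twitter"|..., "claims": [{"typ": ..., "val": ...}]},
and the long claim-type URIs below are the ones Azure AD uses for tenant id, name
and authentication method. All sample header values are constructed here.

Caveat: the header is only trustworthy when every request reaches the app
through the platform (which overwrites any client-supplied copy). If the app can
be reached directly, the header can be forged, so never accept it elsewhere.
"""
import base64
import json

# Long Azure AD claim-type URIs mapped to the short names used below (assumed).
CLAIM_ALIASES = {
    "http://schemas.microsoft.com/identity/claims/tenantid": "tid",
    "http://schemas.microsoft.com/identity/claims/objectidentifier": "oid",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": "name",
    "http://schemas.microsoft.com/claims/authnmethodsreferences": "amr",
}


def decode_principal(header_value):
    """Decode the forwarded principal into {"auth_typ": str, "claims": {short: [values]}}.

    Accepts standard or URL-safe base64 with or without padding, and folds
    repeated claims (e.g. several amr values) into lists.
    """
    text = header_value.strip().replace("-", "+").replace("_", "/")
    text += "=" * (-len(text) % 4)
    doc = json.loads(base64.b64decode(text))
    claims = {}
    for entry in doc.get("claims", []):
        short = CLAIM_ALIASES.get(entry["typ"], entry["typ"])
        claims.setdefault(short, []).append(entry["val"])
    return {"auth_typ": doc.get("auth_typ"), "claims": claims}


def evaluate(headers, allowed_idps, allowed_tenants=None, require_mfa=False):
    """Decide whether the forwarded identity may reach a route.

    Returns (True, principal) or (False, reason). allowed_idps restricts the
    identity provider (the demo's AAD-only site vs. its Twitter variant);
    allowed_tenants is a defence-in-depth check that the AAD user belongs to
    one of our tenants, mirroring the portal's rejection of a user from a
    different directory; require_mfa insists the amr claim lists "mfa".
    """
    raw = headers.get("X-MS-CLIENT-PRINCIPAL")
    if not raw:
        return False, "no principal header: platform authentication is not in front of this route"
    try:
        principal = decode_principal(raw)
    except (ValueError, KeyError, TypeError) as exc:
        return False, f"malformed principal: {exc}"
    idp = principal["auth_typ"]
    if idp not in allowed_idps:
        return False, f"identity provider {idp!r} is not allowed on this route"
    claims = principal["claims"]
    if idp == "aad":
        tids = claims.get("tid", [])
        if allowed_tenants is not None and not set(tids) & set(allowed_tenants):
            return False, f"tenant {tids} is not in the allow-list"
        if require_mfa and "mfa" not in claims.get("amr", []):
            return False, "multi-factor authentication required"
    return True, principal


def make_header(auth_typ, claims):
    """Build a header value the way the platform would (constructed test data)."""
    doc = {"auth_typ": auth_typ, "claims": [{"typ": t, "val": v} for t, v in claims]}
    return base64.b64encode(json.dumps(doc).encode()).decode()


# Constructed tenant ids and principals; none correspond to a real directory.
OUR_TENANT = "11111111-1111-1111-1111-111111111111"
OTHER_TENANT = "22222222-2222-2222-2222-222222222222"
TID = "http://schemas.microsoft.com/identity/claims/tenantid"
NAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
AMR = "http://schemas.microsoft.com/claims/authnmethodsreferences"

EMPLOYEE = make_header("aad", [(TID, OUR_TENANT), (NAME, "maura@contoso.example"), (AMR, "pwd")])
OTHER_DIRECTORY_USER = make_header("aad", [(TID, OTHER_TENANT), (NAME, "guest@fabrikam.example"), (AMR, "pwd")])
TWITTER_USER = make_header("twitter", [("name", "claimdumpdemo")])


def demo():
    """Run the constructed principals through an AAD-only route and a Twitter route."""
    aad_only = dict(allowed_idps={"aad"}, allowed_tenants={OUR_TENANT})
    twitter_only = dict(allowed_idps={"twitter"})
    results = {}
    for label, header, policy in [
        ("employee on aad route", EMPLOYEE, aad_only),
        ("other directory on aad route", OTHER_DIRECTORY_USER, aad_only),
        ("twitter user on aad route", TWITTER_USER, aad_only),
        ("twitter user on twitter route", TWITTER_USER, twitter_only),
        ("anonymous on aad route", None, aad_only),
    ]:
        headers = {"X-MS-CLIENT-PRINCIPAL": header} if header else {}
        ok, detail = evaluate(headers, **policy)
        results[label] = "allowed" if ok else "denied: " + detail
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:32} {outcome}")
```

The tenant allow-list is the point to notice: the Express configuration in the demo registers a single-tenant app, so the platform already turns away the user from the other directory, but if someone later switches the registration to multi-tenant to onboard a partner, this check keeps the employee-only route closed without anyone having to remember to revisit the code.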
Before we finish this lesson, let's point out a couple of other resources. First we have the link to the gallery of third-party integrations with salesforce.com and so forth (https://azuremarketplace.microsoft.com/en-us/marketplace/apps). Then we have links to the documentation and the GitHub page for the Azure Active Directory Authentication Libraries for many languages (https://docs.microsoft.com/en-us/azure/active-directory/develop/, https://github.com/AzureAD). And finally we have the claimdump sample code (https://github.com/codingoutloud/claimdump). You can look at that code to see how the information about the logged-in user was displayed. That's a simple ASP.NET application, and the code was written in C#.
Bill Wilder is a hands-on architect currently focused on building cloud-native solutions on the Microsoft Azure cloud platform. Bill is CTO at Finomial which provides SaaS solutions to the global hedge fund industry from the cloud, co-founded Development Partners Software in 1999, and has broad industry experience with companies of all sizes – from modest startups to giant enterprises. Bill has been leading the Boston Azure group since founding it in 2009, has been recognized as a Microsoft MVP for Azure since 2010, and is author of Cloud Architecture Patterns (O’Reilly Media, 2012). He speaks frequently at community events, and occasionally at conferences, usually on topics relating to cloud, cybersecurity, and software architecture.