Azure Security Solutions
Security is a critical concern for anyone who uses the cloud. Microsoft takes this seriously and built and operates the Azure Platform with security as a key principle. Microsoft secures data centers, and management applications; and provides pay-as-you-go security services. Learn how to take advantage of these security features and services to enable strong security practices in your organization and to protect and secure your own cloud applications.
This course is for security engineers, chief security officers, solution architects, information technologists or anyone wanting to understand security options within the Azure platform.
Viewers should have a basic understanding of cyber security, authentication and authorization best practices, and encryption. Some familiarity with the Azure platform will also be helpful but is not required.
- Understand the shared responsibility model
- Learn how to secure Azure resources such as virtual machines and storage accounts
- Learn how to secure your Azure-based applications
- Learn how to monitor your Azure resources with Azure Security Center
Welcome and Introduction: A brief introduction to the course and an overview of what Bill and Maura will be covering.
Shared Responsibility: In this lesson we'll cover cyber security using the CIA principle: Confidentiality, Integrity, Availability; and what security professionals do to ensure each part of CIA: Prevent, Detect, Respond.
Microsoft's responsibilities and their own security/compliance processes; what a customer is responsible for; and finally the tools that Azure provides, including AAD, encryption and secure networking.
Protecting Accounts: In this lesson we'll cover Azure Active Directory and Multi-Factor Authentication.
Securing the Azure Portal: In this lesson we'll cover role-based access control.
Identity Management for Apps: In this lesson we'll cover AAD protection and integration for business apps.
Network Security: In this lesson we'll cover Virtual Private Networks and firewalls.
Data Security: In this lesson we'll cover Encryption and Masking.
Secrets Management: In this lesson we'll cover Key Vault and Shared Access Signatures.
Monitoring and Auditing: In this lesson we'll discuss the Azure Security Center.
Course Conclusion: Course Wrap-Up
In this lecture, we look at Azure's built-in support for identity management and how to protect your account within this identity management system. Azure Active Directory, or AAD for short, is Microsoft's cloud-based directory and identity management service. Its core function is to maintain an organization's user directory and provide authentication services for those users. A typical use is for an organization to create a single AAD account, similar to how an organization would have created a single, on-premises Active Directory account.
In fact, if you already have an on-premises active directory account, you can sync it with your Azure Active Directory account, that way users will have the same log-in credentials, whether they're logging in on-premises or in the cloud. What you see here is a hierarchy of an Azure account as it relates to other resources within an Azure subscription. Every Azure subscription is managed through exactly one Azure Active Directory account, but an individual Azure Active Directory account might manage multiple subscriptions.
In fact, this is a very common scenario. And then our actual resources within Azure, such as databases and virtual machines, live within resource groups, which live within subscriptions. At any one time, a resource, like a database, is in exactly one resource group. And at any one time, a resource group is in exactly one Azure subscription and an Azure subscription is in exactly one Azure Active Directory account. It is important to understand that AAD is also the authentication system that backs Office 365 and some other Microsoft properties, such as Intune. If you use these other services, you already have an AAD account, and this can be used with the Azure portal.
Let's bring the focus back to the AAD for the Azure portal. Let's consider a case where you'd like to create a new user and then remove access for that user. For this, we'll jump over to the Azure portal in a web browser. Here we are in our Azure subscription. Let's go to the Azure Active Directory blade and add a new user. We'll choose users and groups. All users. And we'll add a new user. Since we're going to disable this user in just a minute, I'm gonna call this user Temp, and we'll give this user the email address firstname.lastname@example.org.
Let's quickly note that the directory role for this user is called user. We could also make this user a global administrator, which would give them full power within the Azure Active Directory, or we could give them a limited administrative role, depending on the function they would serve. For example, as you can see from this list, they might be simply a password administrator or a billing administrator. But for us, user is the correct role. Let's show the password that was generated for us. Copy that to the clipboard and we'll create. So the user, email@example.com, has been successfully created.
Let's hop over to another web browser and see if we can log in. Here we are at a different web browser. Let's log in as firstname.lastname@example.org. We'll use the password that was generated for us in the portal and we'll sign in. We're being asked to change our password from the generated one, so we'll provide it a good password. And we're in. We're in the same Azure subscription from which this user was created in the other web browser. But you might notice that this user doesn't see any resources. We'll come back to that later, when we talk about role-based access controls.
For now, the important thing is to realize that this user is successfully logged in the Azure portal. Let's log out of the Azure portal. Now that we've logged out of the Azure portal, let's go back to our other web browser, and have another look at this user. So here's email@example.com. Since we wanna demonstrate removing a user, let's go ahead and delete this user. Do you want to delete Temp user? Yes; successfully deleted user Temp. You can see that firstname.lastname@example.org is no longer visible on the list of users.
Return to our other web browser and type in our credentials. Temp@azurebookstore.com. We provide our username and password. And these are the results that we would expect. We don't recognize this user ID or password because it's been deleted. So we've shown how to create and delete an Azure Active Directory account. We've just looked at how to create a new user, how to log in with that new user, and how to delete and disable that user. Note that there's a temporary window where a user who's recently authenticated in a particular web browser might have a security token still around; that will expire soon enough, and the user won't be able to log in there or anywhere. Clearly Azure Active Directory accounts need to be protected. Other than strong, unique passwords, there are some other protections available within Azure Active Directory.
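The create / sign-in / delete sequence walked through above, as an added example in PowerShell (not code from the course or its authors). It uses the Microsoft.Graph PowerShell module and assumes an administrator signed in with the User.ReadWrite.All scope; the user principal name and tenant domain are hypothetical placeholders. It also adds the step a practitioner wants around the "token still around" window mentioned above: disable the account and revoke its sessions before deleting it.

```powershell
# Added example (not from the course): Temp-user lifecycle with Microsoft.Graph.
# Assumes: Install-Module Microsoft.Graph; an admin with User.ReadWrite.All.
# The UPN below is a hypothetical placeholder.
Connect-MgGraph -Scopes 'User.ReadWrite.All'

$Upn = 'temp@contoso.onmicrosoft.com'   # hypothetical

# Initial password from the OS CSPRNG rather than one typed by hand.
# ForceChangePasswordNextSignIn reproduces the "change your password"
# prompt the lecture hits on the first sign-in.
$bytes = [byte[]]::new(24)
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$rng.GetBytes($bytes)
$InitialPassword = [Convert]::ToBase64String($bytes)

$user = New-MgUser -DisplayName 'Temp' `
    -UserPrincipalName $Upn `
    -MailNickname 'temp' `
    -AccountEnabled `
    -PasswordProfile @{ Password = $InitialPassword; ForceChangePasswordNextSignIn = $true }

# A freshly created user holds no directory role (the plain "User" role in the
# portal). Check that before handing out the credentials so the temp account
# does not inherit an administrator role by accident.
$roles = Get-MgUserMemberOf -UserId $user.Id |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.directoryRole' }
if ($roles) { throw "Unexpected directory role assigned to $Upn" }

# ... the user signs in with $InitialPassword and sets a new one ...

# Removal. Deleting the object alone leaves already-issued tokens usable until
# they expire, which is the window the lecture describes. So: disable the
# account, revoke its refresh tokens, then delete it.
Update-MgUser -UserId $user.Id -AccountEnabled:$false
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null
Remove-MgUser -UserId $user.Id

# Verify: the lookup by UPN should now fail.
try {
    Get-MgUser -UserId $Upn -ErrorAction Stop | Out-Null
    Write-Warning "$Upn is still present"
} catch {
    Write-Host "$Upn removed"
}
```

Revoke-MgUserSignInSession invalidates the user's refresh tokens, so any client must re-authenticate (and fail, since the account is disabled) the next time it tries to renew. Access tokens that were already issued stay valid until their own expiry, typically about an hour, unless the client supports continuous access evaluation, which is why disabling the account first matters.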
The most basic and critical of these is multi-factor authentication. AAD has built-in support for multi-factor authentication, or MFA for short. MFA is the practice of using multiple forms of proof that you are who you say you are. The various forms include something that the user knows, typically a password, something that the user has, often a mobile phone, and something that a user is, a biometric, most commonly a fingerprint. AAD has support for MFA as we've mentioned, but like other aspects of the shared responsibility model, you need to turn it on. Let's go ahead and set up an AAD user with multi-factor authentication so you can see how this works. Here we are, back in the Azure portal. We're in the users and groups experience within the Azure Active Directory blade. The AAD global admin user does not have multi-factor authentication turned on.
So let's go ahead and turn it on. To do that, we're going to the multi-factor authentication option, which brings up the multi-factor authentication screen. Here's our multi-factor authentication configuration screen. We see that multi-factor authentication is disabled for this AAD global admin user. We'll select that user and we'll click enable. If you're turning this on for the first time in your own Azure Active Directory, you'll really wanna read this guidance. It explains a lot of important details, including how to prepare your users for this. We'll go ahead and enable multi-factor authentication. And we can see that the AAD global admin user's status has changed from disabled to enabled. And you can notice here that there's also a status of enforced. It's not enforced yet, because the user has not yet had the opportunity to configure it. Let's go ahead and log in as the AAD global admin user to see what happens during the first log-in after multi-factor authentication has been turned on.
Here we are on a different browser, logging in with our usual credentials. We type in our correct username and password, we hit sign in, but unlike in the past, where clicking sign in just logged us in, something else happens this one time. As you can see, we got a different screen. This screen is telling us that we need to configure additional security verification. This is two-factor authentication. Let's go ahead and set it up. What kind of two-factor authentication do we want? We'll choose authentication via a mobile app and we'll click set up. What you see on the right-hand side of the screen is a QR code, and on the left side, you see my iPhone screen. My iPhone is running the Microsoft Authenticator app. Within the Microsoft Authenticator app, I'm going to proceed to configure this account, by tapping the plus in the top right, next to accounts.
Now I wanna choose a work or school account, because that's the appropriate choice for Azure Active Directory accounts. Now it's activating my camera. And you can see that it picked up the QR code through the camera and my Azure Active Directory account for the email@example.com account has been established on my phone. Click down here and the message has come back. The mobile app has been configured for notifications and verification codes. This means that my iPhone or Android or other device is now configured and is ready to serve as a second factor of authentication for this account. I'm gonna select contact me, and then you'll see on the left-hand side, which shows the screen of my iPhone, what the contact looks like. It's asking me to approve a sign-in. And this is the user experience that I'll see every time I go to log in with this user. I'll tap approve and now I'm in.
I'm not gonna show the rest of the configuration here, but I'll skip ahead to the next time I log in with this account using two-factor authentication. Here I am logging in the next time with this account. As you can see, on the left-hand side, my iPhone is being asked to approve this log in after I've already typed in my username and password. I tap approve on my phone and it logs me in. Before we leave this section, let's point out a couple of other resources. Microsoft Research has published a very practical paper on identity protection (https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview). It's worth a read. And there are a couple of additional protection features within Azure Active Directory that you may want to consider. One such additional protection is Azure AD Identity Protection (https://azure.microsoft.com/en-us/blog/topics/identity-access-management/). This is a service that monitors for suspicious activity relating to log-ins. One example is that it can detect impossible travel situations, such as logging in from Paris only 15 minutes after having logged in from Montreal. This situation might be legitimate, such as with a virtual private network, but it's at least suspicious the first time it happens.
Another additional protection feature is Azure AD Privileged Identity Management (https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure). This is a service that manages just-in-time, time-limited privilege escalations when performing certain high-risk operations within the Azure portal. This tool gives you a process to manage and control these changes. You also may want to take a look at synchronizing your on-premises Active Directory with your AAD in the cloud (https://docs.microsoft.com/en-us/azure/active-directory/hybrid/whatis-azure-ad-connect).
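The MFA walkthrough above enables MFA one user at a time with the per-user switch. The added example below (PowerShell, not code from the course or its authors) shows the tenant-wide version a practitioner would prefer: a Conditional Access policy that requires MFA for everyone holding a directory administrator role, which also covers the PIM scenario just mentioned, since an activated role still has to satisfy the policy. It assumes the Microsoft.Graph module, an Azure AD Premium P1 license (required for Conditional Access), an administrator signed in with the listed scopes, and a hypothetical break-glass account; the policy name is a placeholder.

```powershell
# Added example (not from the course): require MFA for directory administrators
# via Conditional Access. Assumes Microsoft.Graph module, Azure AD Premium P1,
# and an admin session with the scopes below. Account names are placeholders.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'RoleManagement.Read.Directory', 'User.Read.All'

# Resolve role template IDs by display name rather than hard-coding GUIDs,
# and fail loudly if any name does not resolve.
$adminRoles = @('Global Administrator', 'Privileged Role Administrator',
                'Security Administrator', 'User Administrator')
$roleIds = Get-MgDirectoryRoleTemplate |
    Where-Object { $adminRoles -contains $_.DisplayName } |
    Select-Object -ExpandProperty Id
if (@($roleIds).Count -ne $adminRoles.Count) { throw 'Could not resolve every admin role template' }

# Exclude one emergency-access (break-glass) account so a bad policy or an
# MFA outage cannot lock every administrator out of the tenant.
$breakGlassId = (Get-MgUser -UserId 'breakglass@contoso.onmicrosoft.com').Id   # hypothetical

$policy = @{
    DisplayName = 'Require MFA for directory administrators'   # placeholder name
    # Start in report-only mode; review the sign-in log, then switch to 'enabled'.
    State       = 'enabledForReportingButNotEnforced'
    Conditions  = @{
        Users = @{
            IncludeRoles = @($roleIds)
            ExcludeUsers = @($breakGlassId)
        }
        Applications   = @{ IncludeApplications = @('All') }
        ClientAppTypes = @('all')
    }
    GrantControls = @{
        Operator        = 'OR'
        BuiltInControls = @('mfa')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created policy $($created.Id) in state $($created.State)"

# Later, once the report-only results look right:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -State 'enabled'
```

Unlike the per-user switch, the policy is evaluated at every sign-in for whoever holds the role at that moment, so a newly promoted administrator is covered without anyone remembering to flip their individual setting. The excluded break-glass account must itself be protected by other means (a long random password stored offline, sign-in alerting), because by design nothing here challenges it.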
Bill Wilder is a hands-on architect currently focused on building cloud-native solutions on the Microsoft Azure cloud platform. Bill is CTO at Finomial which provides SaaS solutions to the global hedge fund industry from the cloud, co-founded Development Partners Software in 1999, and has broad industry experience with companies of all sizes – from modest startups to giant enterprises. Bill has been leading the Boston Azure group since founding it in 2009, has been recognized as a Microsoft MVP for Azure since 2010, and is author of Cloud Architecture Patterns (O’Reilly Media, 2012). He speaks frequently at community events, and occasionally at conferences, usually on topics relating to cloud, cybersecurity, and software architecture.