Azure Identity Services
With people increasingly able to work from anywhere, plus the rise of “bring your own device” strategies, mobile applications and cloud applications. Many of those access points are now outside the company’s physical networks. Identity has become the new primary security boundary. Accurately proving that someone is a valid user of your system with an appropriate level of access is critical to maintaining control of your data.
Data ⥮ Application ⥮ Compute ⥮ Network ⥮ Perimeter ⥮ Identity and Access ← target of attack 😈 ⥮ Physical Security
Azure Active Directory or Azure AD can also help consistently secure all of the applications accessed from the internet and from public networks. Be mindful not to confuse
Active Directory (securing on premises applications) with
Azure Active Directory (securing applications in the cloud).
Authentication and authorization both support everything else that happens and they occur sequentially in the Identity and Access process.
|Authentication||The process of establishing the identity of a person or service that wants to access a resource. The end-user or service is challenged for a set of |
You can establish whether the user is who they say they are.
|Authorization||The process of establishing what level of access an authenticated person or service has. It specifies what application, data and resources they’re allowed to access, and what they can do with them.|
Azure Active Directory is Microsoft’s cloud-based Identity and Access Management Service. Azure AD enables an organization’s employees to sign in and access both internal and external resources, while also keeping them secure. Users can sign in and access:
- external resources
- Microsoft 365, the Azure portal, SaaS applications, etc.
- internal resources
- the organization’s corporate network and applications, etc.
When you secure identities on-premises with Active Directory, Microsoft doesn’t monitor sign in attempts. When you connect Active Directory with Azure AD, Microsoft can help protect you by detecting suspicious sign-in attempts at no extra cost.
A tenant represents an organization in Azure Active Directory. It’s a dedicated Azure AD instance that an organization receives and owns when it signs up for a Microsoft Cloud service. Azure AD provides services:
- single sign-on
- application management
- device management
Connecting Active Directory with Azure AD enables you to provide a consistent identity experience to your users. Perhaps the most popular method is to use Azure AD Connect.
Single sign-on (SSO) is important as organizations need a robust Identity and Access Management strategy that can handle the challenges of securing user and data access from the cloud. Multi-factor authentication is a process where users prompted during the sign-in process for an additional form of identification.
Conditional access is a tool that Azure Active Directory uses to allow or deny access to resources based on identity signals. These signals include:
- who the user is
- where the user is
- what device the user is requesting access from
You can use the conditional access What If tool to know what to expect from the conditional access policies in your environment. It allows you to understand the impact of your new policies on your environment before you implement them.
Cloud Governance Strategy
The term governance describes the general process of establishing rules and policies and ensuring that those rules and policies are enforced. When running in the cloud, a good governance strategy helps you maintain control over the applications and resources that you manage in the cloud. There are regulatory requirements that must be enforced and standards that must be followed for all cloud resources. Governance can be beneficial to organizations in a wide range of areas.
There’s no single cloud adoption path that works for every organization. But the main implementation stages are similar for all organizations and industries. The Cloud Adoption Framework for Azure provides you with proven guidance to help with your cloud adoption journey. It helps you create and implement the business and technology strategies. The framework includes these stages:
- Define your strategy
- Define and document your motivations
- Document business outcomes
- Develop a business case
- Prioritize projects and choose the first one
- Make a plan
- Create an inventory of the existing digital assets and workloads
- Ensure that the right people are involved
- Build skills readiness plan
- Build cloud adoption plan
- Ready your organization
- Create a landing zone (an environment in the cloud that helps you begin hosting your workload)
- Expand the landing zone
- Adopt the cloud
- Migrate your applications to the cloud
- Might find ways to modernize your applications and build innovative solutions
- Govern your cloud environments
- Define a methodology that incrementally takes you from your first steps to full governance
- Use the governance benchmark tool to assess your current state and future state
- Create a minimally viable product (MVP) that captures the first steps of your governance plan
- Iteratively add governance controls that address tangible risks as you progress
- Manage your cloud environments
- Establish your management baseline
- Define business commitments
- Expand the baseline
- Perform a deeper architecture review to deliver on your resiliency and reliability commitments
At the beginning of any cloud governance implementation, you identify a cloud organization structure that meets your business needs. This step often involves forming a cloud center of excellence team, also called a cloud enablement team, or a cloud custodian team. This team is empowered to implement governance practices, from a centralized location for the entire organization. Teams often start their Azure governance strategy at the subscription level. There are three main aspects to consider when you create and manage subscriptions:
|Billing||You can create one billing report per subscription, or organize|
subscriptions by department, or by project. Resource tags can also help.
|Access control||Every subscription is associated with an Azure Active Directory tenant, which provides administrators the ability to set granular access, through defined roles by using Azure role-based access control.|
|Subscription limits||Subscriptions also have some resource limitations. Those limits should be considered|
during your design phase.
Azure Role-Based Access Control
It is good security practice to grant users only the rights they need to perform their job and only to the relevant resources. Ordinarily when new resources are created, you would have to define the detailed access requirements for each individual and then update their access rights.
Azure role-based access control allows control over who has access to which Azure resources and what those people can do with those resources. You achieve control by assigning roles to users, groups, or applications at a particular scope:
- A role might be described as a collection of permissions.
- The scope is the set of resources that the access applies to.
By combining an Azure role and a scope, you can set finely tailored permissions for your Azure resources. The way you control access to resources is to create role assignments which control how permissions are enforced. A role assignment is the process of attaching a role to a security principle at a particular scope for the purpose of granting access.
A security principle is an object that represents a user, group, service principle or managed identity that is requesting access to Azure resources. For instance,
Users managing resources,
Automated processes illustrate the users or accounts that would typically be assigned each of the various roles.
|Scope \ Built-in Role||Reader||Resource|
Reader can view resources, but is not allowed to make any changes. When you assign the
Reader role to a group at the
Subscription scope, the members of that group can view any
Resource group and
Resource within the Subscription.
Contributor has full access to manage all resources, but is not allowed to assign roles. When you assign the
Contributor role to an application at the
Resource group scope, the application can manage resources of all types within that Resource group, but not other Resource groups within the Subscription.
Owner role has full access to manage all resources, including the ability to assign roles in Azure RBAC. When you assign the
Owner role to a user at the
Management group scope, that user can manage everything and all
Subscriptions within the Management group.
If the built-in roles don’t meet the specific needs of your organization, you can create your own
Azure RBAC is enforced on any action that is initiated against an Azure resource that passes through Azure Resource Manager, which is a management service that provides a way to organize and secure your Cloud resources. You typically access Azure Resource Manager from the Azure Portal, Azure Cloud Shell, Azure PowerShell, and the Azure CLI. Note that Azure RBAC doesn’t enforce access permissions at the application or data level, application security must be handled by your application.
Azure RBAC uses an Allow Model. When you’re assigned a role, RBAC allows you to perform certain actions, such as read, write, or delete. The Allow Model is cumulative. If one role assignment grants you read permissions to a resource group and a different role assignment grants you write permissions to the same resource group, you have both read and write permissions on that resource group.
A resource lock prevents resources from being accidentally deleted or changed. Even with Azure RBAC policies in place, there’s still a risk that people with the right level of access could delete critical Cloud resources. Think of a resource lock as a warning system that reminds you that a resource should not be deleted or changed. You can set the lock level to
|CanNotDelete||Authorized people can still read and modify a resource, but they can’t delete the resource without first removing the lock.|
|ReadOnly||Authorized people can read a resource, but they can’t delete or change the resource.|
Applying this lock, is like restricting all authorized users to the permissions granted by
Resource locks apply regardless of RBAC permissions. Even if you’re an
Owner of the resource, you must still remove the lock before you can perform the blocked activity.
To make the protection process more robust, you can combine resource locks with Azure Blueprints. Azure Blueprints enables you to define the set of standard Azure resources that your organization requires. For example, you can define a blueprint that specifies that a certain resource lock must exist. Azure blueprints can automatically replace the resource lock if the lock is removed.
You can use resource groups to manage related resources, however Resource tags are another way to organize resources. Tags provide extra information or metadata about your resources. Metadata is useful for a variety of purposes including:
|Tag enables you to:|
|Resource management||locate and act on resources that are associated with specific workloads, environments, business units, and owners.|
|Cost management and optimization||group resources so that you can report on costs, allocate internal cost centers, track budgets and forecast estimated cost.|
|Operations management||group resources according to how critical their availability is to your business. This grouping helps you formulate service-level agreements (SLAs).|
|Security||classify data by its security level.|
|Governance and regulatory compliance||identify resources that align with governance or regulatory compliance requirements.|
|Workload optimization and automation||visualize all of the resources that participate in complex deployments.|
How do you ensure that your resources stay compliant? Azure Policy is a service in Azure that enables you to create, assign and manage policies that control or audit your resources. These policies enforce different rules and effects over your resource configurations so that those configurations stay compliant with corporate standards.
Azure Policy enables you to define both individual policies and groups of related policies known as initiatives, which is a way of grouping related policies into one set. The initiative definition contains all of the policy definitions to help track your compliance state for a larger goal. It evaluates your resources and highlights resources that aren’t compliant with the policies you’ve created. It can also prevent non-compliant resources from being created.
Azure Policy also integrates with Azure DevOps by applying any continuous integration and delivery pipeline policies that apply to the pre-deployment and post-deployment phases of your applications.
What happens when your cloud environment starts to grow beyond just one subscription? How can you scale the configuration of these features, knowing they need to be enforced for resources in new subscriptions? Instead of having to configure features like Azure policy for each new subscription, with Azure Blueprints, you can define a repeatable set of governance tools and standard Azure resources that your organization requires. Azure Blueprints orchestrates the deployment of various resource templates and other artifacts. You can use Azure blueprints to scale their governance practices throughout the organization.
Privacy, Compliance and Data Protection Standards
Microsoft commits to protect customer and application data. The Microsoft’s Privacy Statement, the Online Services Terms and the Data Protection Addendum detail Microsoft’s commitment to protecting data and privacy in the cloud.
The Microsoft Privacy Statement explains what personal data Microsoft collects, how Microsoft uses it and for what purposes.
The Online Services Terms (OST) is a legal agreement between Microsoft and the customer. The OST details the obligations by both parties with respect to the processing and security of customer data and personal data. The OST applies specifically to Microsoft Online Services that you’re licensed through subscription.
The Data Protection Addendum (DPA) further defines the data processing and security terms for Online services. These terms include:
- Compliance with laws
- Disclosure of processed data
- Data security
- security practices and policies
- data encryption
- data access
- customer responsibilities and compliance with auditing
- Data transfer, retention and deletion
Running on-premise data center requires you to maintain a facility and purchase power, cooler, and maintain your servers. However running data center in the cloud presents new ways to think about your IT expenses. You need to understand the factors that influence cost. The Total Cost of Ownership (TCO) Calculator helps you estimate the cost savings of operating your solution on Azure over time instead of in your on-premises data center.
Among these factors that affect the costs are:
- Resource type and how you customize
- Usage meters
- Resource usage
- Azure subscription types
- Azure Marketplace
The decision of where to provision a resource can have cost consequences. Azure infrastructure is distributed globally, different geographic regions can have different prices.
Ideally, you want your provisions of resources to match your actual usage. Azure Advisor identifies unused or underutilized resources and recommends unused resources that you can remove. This information helps you configure your resources to match your actual workload. Quota limits on the number of similar resources that you can provision within your subscription. Licensing is another area that can dramatically impact your cloud spending.
A service-level agreement (SLA) is a formal agreement between a service company and the customer. For Azure, this agreement defines the performance standards, like uptime and connectivity, that Microsoft commits to the customer. A typical SLA includes:
- What to expect
- Subscription renewals
- General terms
- Definition of terms
- Defines the general terms of the agreement
- Defines the specific guarantees for the service
- Performance commitments: latency, uptime (9 hours for 99.9% and 52 min for 99.99%), etc.
- Any additional terms specific to this service
Free products typically don’t have an SLA. Azure Status provides a global view of the health of azure services and regions.
An application SLA defines the requirements for specific application. Keeping that application SLA in mind. You’ll select the Azure products and services you need and provision your cloud resources according to those requirements.
A workload is a distinct capability or task that’s logically separated from other tasks in terms of business logic and data storage requirements. Each workload defines a set of requirements for availability, scalability, data consistency and disaster recovery. Suppose an application will require:
|workload / service||SLA|
|virtual machines (2x)||99.9 %|
|Azure SQL database||99.99 %|
|Azure load balancer||99.99 %|
You might notice that the SLAs of those workloads are not all the same. The process of combining SLAs helps you compute the composite SLA for a set of services. Computing the composite SLA requires that you multiply the SLA of each individual service.
Composite SLA = 99.9 % * 99.9 % * 99.99 % * 99.99 % = 99.78 %
Using multiple services adds an extra level of complexity and slightly increases the risk of failure.
For more on Azure Cloud Governance Strategy, please refer to the wonderful course here https://www.coursera.org/learn/microsoft-azure-services-lifecycles
Related Quick Recap
I am Kesler Zhu, thank you for visiting my website. Check out more course reviews at https://KZHU.ai
All of your support will be used for maintenance of this site and more great content. I am humbled and grateful for your generosity. Thank you!
Don't forget to sign up newsletter, don't miss any chance to learn.
Or share what you've learned with friends!Tweet