Azure Identity and Access Management (IAM) is the part of Azure security and access control that manages and controls a user's identity. Access control is mainly used to prevent data breaches, account hijacking and breaches caused by shared resources, and to build a secure Identity and Access Management (IAM) system, among other benefits. By using IAM, the Global Admin of an Azure account can track which user has what type of access and what actions were carried out with that access. IAM best practices include policies such as Single Sign-On (SSO), Multi-Factor Authentication (MFA) and Role-Based Access Control (RBAC). Cloud service providers such as Azure, AWS and Google Cloud Platform publish their own recommendations for implementing IAM.
Implementing Single Sign-On (SSO)
When there are multiple directories to manage, IT faces an administrative burden and end-users have to remember multiple passwords. With Single Sign-On (SSO), users sign in with one set of credentials to access the resources they need, regardless of whether a resource is located on-premises or in the cloud.
Using SSO lets users access their SaaS applications with their organizational account in Azure AD (Azure Active Directory). This is not limited to Microsoft SaaS applications; it also covers other apps such as Google Apps and Salesforce.
Organizations that do not enforce SSO for their users and applications are more exposed to scenarios where users hold multiple passwords, which directly increases the likelihood of password reuse or weak passwords and so weakens security.
Use Role-Based Access Control (RBAC)
Role-Based Access Control is an important mechanism for organizations that want to enforce data access policies by restricting access according to need and the principle of least privilege. RBAC assigns permissions to users, groups and applications at a given scope, based on the roles assigned. A role assignment can be made at a single resource, a resource group or a subscription; that level is called the scope.
Built-in and custom RBAC roles can be used to grant privileges to users. For example, cloud operators who need to manage storage accounts can be given the built-in role Storage Account Contributor; cloud operators who need to manage both virtual machines and storage accounts are additionally added to the Virtual Machine Contributor role.
Organizations that do not enforce data access control with capabilities such as RBAC tend to give their users more privileges than necessary. This can lead to data compromise by allowing users access to certain types of data (for example, high business impact data) that they should not have had in the first place.
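The scope and role mechanics above can be modelled locally: a role definition lists Actions and NotActions, an assignment binds a principal to a role at a scope, and an assignment made at a subscription or resource group is inherited by every resource beneath it. The following Python script is an added example (not code from the article or from Microsoft): the role names are real Azure built-in roles, but their permission lists are an abbreviated subset, the subscription ID is a placeholder, and the principals and resource IDs are constructed.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Abbreviated subset (assumption) of the real built-in role definitions.
ROLE_DEFINITIONS = {
    "Storage Account Contributor": {
        "actions": ["Microsoft.Storage/storageAccounts/*",
                    "Microsoft.Resources/deployments/*"],
        "not_actions": [],
    },
    "Virtual Machine Contributor": {
        "actions": ["Microsoft.Compute/virtualMachines/*",
                    "Microsoft.Network/networkInterfaces/*"],
        "not_actions": [],
    },
    "Reader": {"actions": ["*/read"], "not_actions": []},
    "Contributor": {
        "actions": ["*"],
        # Contributor cannot grant access to others: role assignment writes are excluded.
        "not_actions": ["Microsoft.Authorization/*/Write",
                        "Microsoft.Authorization/*/Delete"],
    },
}

@dataclass(frozen=True)
class RoleAssignment:
    principal: str
    role: str
    scope: str  # subscription, resource group or single-resource ID

def scope_contains(scope: str, resource_id: str) -> bool:
    """True when resource_id is the scope itself or lies beneath it.
    The '/' boundary stops '/resourceGroups/rg-prod' from matching 'rg-prod2'."""
    s = scope.lower().rstrip("/")
    r = resource_id.lower().rstrip("/")
    return r == s or r.startswith(s + "/")

def _matches(pattern: str, action: str) -> bool:
    # Operation names are case-insensitive and '*' spans '/' separators.
    return fnmatchcase(action.lower(), pattern.lower())

def role_permits(role: str, action: str) -> bool:
    """Effective permissions of one role: Actions minus NotActions."""
    definition = ROLE_DEFINITIONS[role]
    if not any(_matches(p, action) for p in definition["actions"]):
        return False
    return not any(_matches(p, action) for p in definition["not_actions"])

def is_allowed(principal: str, action: str, resource_id: str,
               assignments: list) -> bool:
    """Allowed if any assignment whose scope contains the resource carries a
    role that permits the action (roles are additive)."""
    return any(
        a.principal == principal
        and scope_contains(a.scope, resource_id)
        and role_permits(a.role, action)
        for a in assignments
    )

def effective_roles(principal: str, resource_id: str, assignments: list) -> set:
    """Every role the principal holds at the resource, including inherited ones."""
    return {a.role for a in assignments
            if a.principal == principal and scope_contains(a.scope, resource_id)}

# Constructed sample scopes (placeholder subscription ID).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG_PROD = SUB + "/resourceGroups/rg-prod"
RG_PROD2 = SUB + "/resourceGroups/rg-prod2"
STORAGE = RG_PROD + "/providers/Microsoft.Storage/storageAccounts/stprod001"
STORAGE2 = RG_PROD2 + "/providers/Microsoft.Storage/storageAccounts/stprod002"
VM = RG_PROD + "/providers/Microsoft.Compute/virtualMachines/vm-web-01"

ASSIGNMENTS = [
    # storage operator: storage accounts only, and only inside rg-prod
    RoleAssignment("alice", "Storage Account Contributor", RG_PROD),
    # operator managing both VMs and storage holds both roles, as the text describes
    RoleAssignment("bob", "Storage Account Contributor", RG_PROD),
    RoleAssignment("bob", "Virtual Machine Contributor", RG_PROD),
    # auditor: read-only at subscription scope, inherited by every resource
    RoleAssignment("carol", "Reader", SUB),
    RoleAssignment("dave", "Contributor", SUB),
]

if __name__ == "__main__":
    checks = [
        ("alice", "Microsoft.Storage/storageAccounts/write", STORAGE),
        ("alice", "Microsoft.Storage/storageAccounts/write", STORAGE2),
        ("alice", "Microsoft.Compute/virtualMachines/start/action", VM),
        ("bob", "Microsoft.Compute/virtualMachines/start/action", VM),
        ("carol", "Microsoft.Storage/storageAccounts/read", STORAGE),
        ("carol", "Microsoft.Storage/storageAccounts/write", STORAGE),
        ("dave", "Microsoft.Authorization/roleAssignments/write", STORAGE),
    ]
    for principal, action, rid in checks:
        print(f"{principal:6} {action:50} {is_allowed(principal, action, rid, ASSIGNMENTS)}")
```

Two details matter for least privilege: the scope comparison respects the `/` boundary, so an assignment on `rg-prod` does not leak into `rg-prod2`, and the Contributor check shows why NotActions exist: a subscription-wide Contributor can create anything but still cannot write role assignments and grant access to others.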
Apply Multi-Factor Authentication
Implementing Azure MFA adds an additional security layer that protects user sign-in and transactions. Even with compromised credentials, an attacker is not able to access the data.
With MFA enabled, the user is asked for a username, a password and a secondary verification method. The secondary verification method can be a text message, a phone call or an email.
Once MFA is enforced for the user and text message or phone call is selected as the verification method, an attacker who has compromised the user's credentials still cannot reach the user's other resources, since the attacker does not have the user's phone.
Organizations that do not enforce this extra layer of identity protection are more susceptible to credential theft attacks, which may lead to data compromise.
Centralize your identity management
An important step in securing a user's identity is to ensure that IT can manage accounts from one location, regardless of where an account was created. Although the majority of organizations keep their primary account directory on-premises, hybrid cloud deployments are on the rise, so it is important to understand how to integrate on-premises and cloud directories and provide a seamless experience to end-users.
To accomplish a hybrid identity scenario, two options are recommended:
- Synchronize on-premises directory with cloud directory using Azure AD Connect.
- Enable SSO with password hash synchronization or pass-through authentication, or federate the on-premises identity with the cloud directory using Active Directory Federation Services (AD FS).
Organizations that fail to integrate their on-premises identity with their cloud identity face increased administrative overhead in managing accounts, which raises the likelihood of mistakes and security breaches.
Check location of resources created using Resource Manager
Azure also permits restricting the locations in which users can create resources. Organizations can write policies whose definitions describe the actions or resources that are denied, and assign those definitions at the desired scope: a subscription, a resource group or an individual resource.
This is different from RBAC, although it relies on RBAC to authorize the users who have the privilege to create those resources. Azure Resource Manager can be used to create custom policies, for example to allow operations only when the appropriate cost center is associated with the resource.
Organizations that do not control how resources are created are more susceptible to users misusing the service by creating more resources than they need.
Making resource creation more restrictive is an important step in securing a multi-tenant scenario.
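To make the policy mechanism concrete, the following Python script is an added example (not code from the article or from Microsoft): it holds a definition written in the shape of an Azure Policy rule (`policyRule.if` / `then.effect`, with `allOf`, `anyOf`, `field`, `notIn`, `exists` and the `tags['key']` alias) and evaluates it locally against constructed resource-creation requests. The evaluator is a simplified model (assumption), not Microsoft's policy engine, and the region list, tag name and resource names are constructed. The definition combines both scenarios from the text: a deny for resources created outside approved locations, and a deny for resources that carry no cost-center tag.

```python
from fnmatch import fnmatchcase

# Policy definition in Azure Policy rule shape. Global resources (location
# "global") are exempted from the location check, as the built-in
# "Allowed locations" policy does.
LOCATION_AND_COST_CENTER_POLICY = {
    "displayName": "Allowed locations and required cost center tag",
    "mode": "Indexed",
    "policyRule": {
        "if": {
            "anyOf": [
                # deny any non-global resource outside the approved regions
                {"allOf": [
                    {"field": "location", "notEquals": "global"},
                    {"field": "location", "notIn": ["westeurope", "northeurope"]},
                ]},
                # deny resources that carry no cost-center tag at all
                {"field": "tags['costCenter']", "exists": "false"},
            ]
        },
        "then": {"effect": "deny"},
    },
}

def _field(resource: dict, name: str):
    """Resolve a field alias: 'location', 'type', 'name' or tags['key']."""
    if name.startswith("tags['") and name.endswith("']"):
        return resource.get("tags", {}).get(name[6:-2])
    return resource.get(name)

def _norm(value):
    # Location and tag comparisons are case-insensitive.
    return value.lower() if isinstance(value, str) else value

def evaluate_condition(cond: dict, resource: dict) -> bool:
    """Recursive evaluation of allOf / anyOf / not and the field operators."""
    if "allOf" in cond:
        return all(evaluate_condition(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate_condition(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not evaluate_condition(cond["not"], resource)
    value = _norm(_field(resource, cond["field"]))
    if "equals" in cond:
        return value == _norm(cond["equals"])
    if "notEquals" in cond:
        return value != _norm(cond["notEquals"])
    if "in" in cond:
        return value in [_norm(v) for v in cond["in"]]
    if "notIn" in cond:
        return value not in [_norm(v) for v in cond["notIn"]]
    if "exists" in cond:
        return (value is not None) == (str(cond["exists"]).lower() == "true")
    if "like" in cond:
        return value is not None and fnmatchcase(value, _norm(cond["like"]))
    raise ValueError(f"unsupported condition: {cond}")

def evaluate_policy(policy: dict, resource: dict) -> str:
    """Return the policy effect ('deny', 'audit', ...) when the rule matches, else 'allow'."""
    rule = policy["policyRule"]
    if evaluate_condition(rule["if"], resource):
        return rule["then"]["effect"].lower()
    return "allow"

def denied_resources(policy: dict, resources: list) -> list:
    """Names of the requests Resource Manager would reject under this policy."""
    return [r["name"] for r in resources if evaluate_policy(policy, r) == "deny"]

# Constructed resource-creation requests, as Resource Manager would see them.
REQUESTS = [
    {"name": "stprod001", "type": "Microsoft.Storage/storageAccounts",
     "location": "westeurope", "tags": {"costCenter": "CC-1234"}},
    {"name": "vm-web-01", "type": "Microsoft.Compute/virtualMachines",
     "location": "eastus", "tags": {"costCenter": "CC-1234"}},   # wrong region
    {"name": "stdev002", "type": "Microsoft.Storage/storageAccounts",
     "location": "NorthEurope"},                                 # no cost center
    {"name": "tm-public", "type": "Microsoft.Network/trafficManagerProfiles",
     "location": "global", "tags": {"costCenter": "CC-1234"}},   # global resource
]

if __name__ == "__main__":
    for r in REQUESTS:
        print(f"{r['name']:10} {r['location']:12} -> "
              f"{evaluate_policy(LOCATION_AND_COST_CENTER_POLICY, r)}")
```

The useful property to notice is that the policy check is independent of RBAC: `vm-web-01` is denied even for a principal who holds Virtual Machine Contributor, because the request violates the location rule, while `tm-public` passes because global resources have no region to restrict.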