What is Identity and Access Management (IAM) for Cloud?
Ensuring the security of applications on the cloud is of paramount importance. Unauthorized sign-in attempts and unauthorized application access are among the biggest threats in today's cloud world, and any failure on this front may be catastrophic for cloud application owners.
An Identity and Access Management (IAM) solution provides the basis for the security assurance of your cloud infrastructure. Dealing with this threat needs an advanced Identity and Access Management (IAM) solution, far beyond the basic firewall protection and username/password authentication that sufficed in legacy IT infrastructure.
Why is Identity and Access Management (IAM) important for Cloud?
Legacy on-premises IT infrastructure protected IT systems mainly on the basis of network security solutions such as firewalls. These firewalls protected internal IT systems against outside threats from the internet.
However, these protections are far less useful in cloud-based IT infrastructure, which is designed around shared service usage. Multiple cloud customers share common infrastructure provided by the cloud provider, and that infrastructure is dynamic in nature: resources spin up and down continuously.
Moreover, cloud customers do not own or control the network where their services are hosted. The scenario gets even more complex because the users of cloud IT infrastructure may be spread all over the world and can access it from any location and any device.
This makes it practically impossible to write concise firewall rules that factor in all of these aspects and still control and protect your own cloud infrastructure.
A Cloud based Identity and Access Management (IAM) solution is designed to overcome all these challenges and provide protection to Cloud data and resources.
Identity and Access Management (IAM) works on the principle of managing access to cloud resources and data based on authentication and authorization. All access to resources and data is controlled by IAM, which decides whether each request should be permitted or denied.
Azure Active Directory (AD) Services
Azure Active Directory (AD) provides advanced Identity and Access Management (IAM) services for the cloud. Azure AD provides a way of verifying identity before granting access to applications and resources on Azure. With Azure AD you can implement IAM services globally and secure the identities used by your online applications. Azure AD provides more enhanced IAM capabilities than on-premises Active Directory (AD) services.
Features of Azure Active Directory (AD) Services:
Azure AD services are not limited to IAM but also offer advanced security features. These features provide threat intelligence based on AI capabilities applied over large volumes of access-related data. Some of the additional features of Azure AD Multi-factor Authentication include:
Monitoring of sign-in attempts by users: this helps detect suspicious repeated sign-in attempts.
Monitoring and detection of the location of sign-in attempts, with a decision on whether to apply additional authentication based on that location.
Detection of the device used for the sign-in attempt, again with a decision on whether to apply additional authentication.
Additionally, Azure AD services also provide the following features:
Single Sign-On (SSO): SSO provides user convenience by letting the user enter a username and password only once; the same sign-in is then used to access multiple applications.
Device Management: Azure AD also supports registration of devices through Azure tools such as Microsoft Intune. Using this, administrators can implement Conditional Access policies that grant access only to specific registered devices. This restricts sign-in attempts from unknown devices.
These additional security features make Azure a more secure environment in which to host your cloud applications.
Azure AD connects seamlessly with on-premises Active Directory (AD) using the Azure AD Connect tool.
Let us now understand the basics of Identity and Access Management (IAM):
What is Authentication?
Authentication is the process of establishing the identity of a person or service that wants to access a resource. This is how Azure controls access to a resource on Azure.
It involves challenging a person or service for legitimate credentials and provides the basis for creating a security principal used for identity and access control. It establishes that the user is a genuine user trying to access a resource.
Single-factor Authentication
The traditional authentication approach was a single step: challenge the user attempting to sign in for a password and, on a successful password match, allow access to the authorized resources. While this approach worked well for on-premises applications, in the internet environment single-factor authentication proved inadequate. There is a high chance of passwords being compromised on the internet, and hence additional security checks are necessary during authentication.
What is Multi-factor Authentication?
Multi-factor authentication involves a multi-step authentication process. Besides username and password verification, the user is also prompted during the sign-in process for an additional form of identification.
Examples are a code sent to the user's registered mobile phone or a fingerprint scan.
You may already have experienced multi-factor authentication while signing in to an email service such as Gmail, to various websites, or to online gaming services. All of these services not only request a username and password but also prompt the user for an additional form of authentication, such as entering a code sent to the user's registered mobile phone.
Multi-factor authentication provides additional security for your identities by requiring two or more elements to fully authenticate. These elements fall into three categories:
Something the user knows: this might be an email address and password.
Something the user has: this might be a code that is sent to the user's mobile phone.
Something the user is: this is typically some sort of biometric property, such as the fingerprint or face scan used on many mobile devices.
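The "something the user has" factor deserves a closer look, because it is the one most services add first. The following is an added example, not code from the original article or from Microsoft: it implements the standard time-based one-time password construction (TOTP, RFC 6238, built on HOTP, RFC 4226) that authenticator apps use. The service and the user's enrolled device share a secret; both derive a short code from the current 30-second time step, so presenting the right code proves possession of the device without the secret ever crossing the network. The shared secret and timestamps are the published RFC test values, not real credentials, and the verifier class and its names are assumptions for this illustration.

```python
"""Added example: verifying a "something the user has" factor with TOTP.
Not from the original article; the secret below is the RFC 4226/6238 test
vector, used here as constructed sample data."""
import hashlib
import hmac
import struct
import time
from typing import Optional

TIME_STEP = 30      # seconds per code, the RFC 6238 default
DIGITS = 6
ALLOWED_DRIFT = 1   # accept one step either side to tolerate clock skew


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, then
    'dynamic truncation' of the MAC down to a short decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[float] = None) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the time step.
    This is what the user's authenticator app computes and displays."""
    now = time.time() if at is None else at
    return hotp(secret, int(now // TIME_STEP))


class SecondFactorVerifier:
    """Server side of the check (hypothetical class, assumption of this
    example). Besides matching the code, it refuses to accept the same
    time step twice, so a code captured in transit cannot be replayed."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._last_accepted_step = -1

    def verify(self, submitted: str, at: Optional[float] = None) -> bool:
        now = time.time() if at is None else at
        current = int(now // TIME_STEP)
        for step in range(current - ALLOWED_DRIFT, current + ALLOWED_DRIFT + 1):
            if step <= self._last_accepted_step:
                continue  # that step (or an older one) was already used: replay
            # constant-time comparison avoids leaking how many digits matched
            if hmac.compare_digest(hotp(self._secret, step), submitted):
                self._last_accepted_step = step
                return True
        return False


if __name__ == "__main__":
    # Constructed demo run with the RFC test secret; at T=59 the RFC 6238
    # SHA-1 vector is 94287082, whose last six digits are 287082.
    shared_secret = b"12345678901234567890"
    verifier = SecondFactorVerifier(shared_secret)
    code = totp(shared_secret, at=59)
    print("code shown on device:", code)
    print("first use accepted:", verifier.verify(code, at=59))
    print("replay rejected:", not verifier.verify(code, at=59))
```

Two details matter for a defender here: the comparison is constant-time, and the verifier remembers the last accepted step, because a one-time code that can be used twice is no longer a possession proof. The password (something the user knows) would be checked separately before this step; the example shows only the second factor.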
Azure administrators can make identity and access management even more granular with the Conditional Access tool. Conditional Access is a tool in Microsoft Azure that allows or denies access to an Azure resource based on certain identity conditions. These conditions are configured in the tool by the administrators.
The conditions include signals that are generated during the sign-in process, such as:
Who the user is (the identity of the user)
Where the user is (the sign-in location)
What device the user is using
The Conditional Access tool collects these signals from the user attempting to sign in and then dynamically takes IAM decisions, such as:
Not challenging for a second authentication factor if the user signs in from a known location, and challenging if the user signs in from an unknown location.
Allowing full access if the user signs in from their usual location, and blocking access if the user signs in from a high-risk location.
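To make the decision flow concrete, here is an added example that is not part of the original article and not Microsoft's implementation: a small simulation of a Conditional Access policy. The three signals named above (who the user is, where they are, which device they use) are evaluated against constructed directory data, and the result is one of allow, require a second factor, or block. The rule set follows the text: only registered devices are admitted, a known location needs no second factor, an unknown location triggers a challenge, and a high-risk location is blocked. The user names, IP ranges, device IDs and the `Directory` structure are all assumptions made up for this illustration.

```python
"""Added example: simulating Conditional Access decisions from sign-in
signals. Not from the original article; all directory data is constructed."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Set, Tuple


class Decision(Enum):
    ALLOW = "allow"
    REQUIRE_MFA = "require second factor"
    BLOCK = "block"


@dataclass
class SignInSignals:
    """The three signals the text lists: identity, location, device."""
    user: str
    source_ip: str
    device_id: str


@dataclass
class Directory:
    """Constructed stand-in for tenant data (hypothetical structure)."""
    users: Set[str]
    registered_devices: Set[str]            # devices enrolled via Intune
    known_locations: Dict[str, Set[str]]    # user -> trusted network prefixes
    high_risk_prefixes: Set[str]            # prefixes flagged as high risk


def _location_of(ip: str) -> str:
    # Coarse /24 grouping of the source address stands in for a named
    # location; a real policy engine would use geolocation or named networks.
    return ".".join(ip.split(".")[:3])


def evaluate(signals: SignInSignals, directory: Directory) -> Tuple[Decision, str]:
    """Apply the policy in the order a defender wants: hard blocks first,
    then step-up authentication, and only then an unchallenged allow."""
    if signals.user not in directory.users:
        return Decision.BLOCK, "unknown user"
    if signals.device_id not in directory.registered_devices:
        return Decision.BLOCK, "device not registered"
    location = _location_of(signals.source_ip)
    if location in directory.high_risk_prefixes:
        return Decision.BLOCK, "sign-in from high-risk location"
    if location in directory.known_locations.get(signals.user, set()):
        return Decision.ALLOW, "known location and registered device"
    return Decision.REQUIRE_MFA, "unknown location: challenge for second factor"


# Constructed sample tenant using documentation address ranges.
SAMPLE_DIRECTORY = Directory(
    users={"alice@example.com"},
    registered_devices={"dev-001"},
    known_locations={"alice@example.com": {"203.0.113"}},
    high_risk_prefixes={"192.0.2"},
)


if __name__ == "__main__":
    attempts = [
        SignInSignals("alice@example.com", "203.0.113.10", "dev-001"),  # usual office
        SignInSignals("alice@example.com", "198.51.100.7", "dev-001"),  # new location
        SignInSignals("alice@example.com", "192.0.2.44", "dev-001"),    # high-risk range
        SignInSignals("alice@example.com", "203.0.113.10", "dev-999"),  # unregistered device
    ]
    for attempt in attempts:
        decision, reason = evaluate(attempt, SAMPLE_DIRECTORY)
        print(f"{attempt.user} from {attempt.source_ip} on {attempt.device_id}: "
              f"{decision.value} ({reason})")
```

The reason string returned with each decision is deliberate: in a real deployment the equivalent of that string is what lands in the sign-in log, and it is the field an operator reads when investigating why a user was challenged or blocked.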
Azure Active Directory (AD) licensing:
Azure Active Directory (AD) comes in various forms of licensing, from a free license offering basic IAM services to paid licenses offering advanced features.
End users get free access to Azure AD if they are already subscribed to a Microsoft Online business service such as Microsoft 365 or Microsoft Azure. These services require Azure AD for sign-in and to help with identity protection. If you subscribe to any Microsoft Online business service, you automatically get Azure AD with access to all the free features.
Some of the features included in the free license are:
User and group management
Synchronization with on-premises Active Directory
Basic security reports
Self-service password change for cloud users
Single sign-on across Azure, Microsoft 365, and many popular SaaS apps
Premium licenses (P1, P2):
An Azure AD implementation can be enhanced further by adding paid capabilities through an upgrade to an Azure Active Directory Premium P1 or Premium P2 license. The paid licenses are built on top of your existing free directory and provide advanced IAM features such as the following:
For P1 license:
Self-service capabilities such as password resets for Azure AD
Secure access for mobile users
Enhanced security monitoring and reporting
Hybrid user access to both on-premises and cloud resources
Advanced administration options such as dynamic groups, self-service group management
Self-service password reset for on-premises users
For P2 license:
In addition to all P1 features, you can implement risk-based Conditional Access for your apps, resources and data
Privileged Identity Management, which provides just-in-time access when needed and also helps to discover, restrict, and monitor administrators and their access to resources
“Pay as you go” Licenses:
In addition to the free, P1 and P2 licenses, additional feature licenses are also available.
These include "pay as you go" licenses such as Azure Active Directory Business-to-Customer (B2C). B2C helps you provide identity and access management for your customer-facing apps.
Business-to-Business (B2B): lets you manage your guest users and external partners while maintaining control over your own corporate data.
Azure Active Directory Pricing:
Azure Active Directory (AD) license pricing is quoted as a price per user per month. Refer to the image below for the latest pricing from Microsoft:
(* Source - Microsoft site, price snapshot on 20th June 2022)
If you find this article useful, please share it with your friends and with beginners who want to prepare for the Azure Fundamentals certification. Thank you.