Search icon CANCEL
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Conferences
Free Learning
Arrow right icon
Arrow up icon
GO TO TOP
Mastering Identity and Access Management with Microsoft Azure

You're reading from   Mastering Identity and Access Management with Microsoft Azure Start empowering users and protecting corporate data, while managing Identities and Access with Microsoft Azure in different environments

Arrow left icon
Product type Paperback
Published in Sep 2016
Publisher Packt
ISBN-13 9781785889448
Length 692 pages
Edition 1st Edition
Languages
Tools
Concepts
Arrow right icon
Authors (2):
Arrow left icon
Jochen Nickel Jochen Nickel
Author Profile Icon Jochen Nickel
Jochen Nickel
Jochen Nickel Jochen Nickel
Author Profile Icon Jochen Nickel
Jochen Nickel
Arrow right icon
View More author details
Toc

Table of Contents (17) Chapters Close

Preface 1. Getting Started with a Cloud-Only Scenario 2. Planning and Designing Cloud Identities FREE CHAPTER 3. Planning and Designing Authentication and Application Access 4. Building and Configuring a Suitable Azure AD 5. Shifting to a Hybrid Scenario 6. Extending to a Basic Hybrid Environment 7. Designing Hybrid Identity Management Architecture 8. Planning Authorization and Information Protection Options 9. Building Cloud from Common Identities 10. Implementing Access Control Mechanisms 11. Managing Transition Scenarios with Special Scenarios 12. Advanced Considerations for Complex Scenarios 13. Delivering Multi-Forest Hybrid Architectures 14. Installing and Configuring the Enhanced Identity Infrastructure 15. Installing and Configuring Information Protection Features 16. Choosing the Right Technology, Methods, and Future Trends

Identifying business needs and challenges

Oh! Don't worry, we don't intend to bore you with a lesson of typical IAM stories - we're sure you've come across a lot of information in this area. However, you do need to have an independent view of the actual business needs and challenges in the cloud area, so that you can get the most out of your own situation.

Common Identity and Access Management needs

Identity and Access Management (IAM) is the discipline that plays an important role in the actual cloud era of your organization. It's also of value to small and medium-sized companies, so that they can enable the right individuals to access the right resources from any location and device, at the right time and for the right reasons, to empower and enable the desired business outcomes. IAM addresses the mission-critical need of ensuring appropriate and secure access to resources inside and across company borders, such as cloud or partner applications.

The old security strategy of only securing your environment with an intelligent firewall concept and access control lists will take on a more and more subordinated role. There is a recommended requirement of reviewing and overworking this strategy in order to meet higher compliance and operational and business requirements. To adopt a mature security and risk management practice, it's very important that your IAM strategy is business-aligned and that the required business skills and stakeholders are committed to this topic. Without clearly defined business processes you can't implement a successful IAM functionality in the planned timeframe. Companies that follow this strategy can become more agile in supporting new business initiatives and reduce their costs in IAM.

The following three groups show the typical indicators for missing IAM capabilities on the premises and for cloud services:

  • Your employees/partners:
    • Same password usage across multiple applications without periodic changes (also in social media accounts)
    • Multiple identities and logins
    • Passwords are written down in Sticky Notes, Excel, etc.
    • Application and data access allowed after termination
    • Forgotten usernames and passwords
    • Poor usability of application access inside and outside the company (multiple logins, VPN connection required, incompatible devices, etc.) 
  • Your IT department:
    • High workload on Password Reset Support
    • Missing automated identity lifecycles with integrity (data duplication and data quality problems)
  • No insights in application usage and security
  • Missing reporting tools for compliance management
  • Complex integration of central access to Software as a Service (SaaS), Partner and On-Premise applications (missing central access/authentication/authorization platform)
  • No policy enforcement in cloud services usage
  • Collection of access rights (missing processes)
  • Your developers:
    • Limited knowledge of all the different security standards, protocols, and APIs
    • Constantly changing requirements and rapid developments
    • Complex changes of the Identity Provider

Implications of Shadow IT

On top of that, often the IT department will hear the following question: When can we expect the new application for our business unit? Sorry, but the answer will always take too long. Why should I wait? All I need is a valid credit card that allows me to buy my required business application, but suddenly another popular phenomenon pops up: The shadow IT! Most of the time, this introduces another problem - uncontrolled information leakage. The following figure shows the flow of typical information - and that which you don't know can hurt!

Implications of Shadow IT

The previous figure should not give you the impression that cloud services are inherently dangerous, rather that before using them you should first be aware that, and in which manner, they are being used. Simply migrating or ordering a new service in the cloud won't solve common IAM needs. This figure should help you to imagine that, if not planned, the introduction of a new or migrated service brings with it a new identity and credential set for the users, and therefore multiple credentials and logins to remember! You should also be sure which information can be stored and processed in a regulatory area other than your own organization. The following table shows the responsibilities involved when using the different cloud service models. In particular, you should identify that you are responsible for data classification, IAM, and end point security in every model:

Cloud Service Modell

IaaS

PaaS

SaaS

   

Responsibility

Customer

Provider

Customer

Provider

Customer

Provider

Data Classification

X

X

X

End Point Security

X

X

X

Identity and Access Management

X

X

X

X

X

Application Security

X

X

X

X

Network Controls

X

X

X

X

Host Security

X

X

X

Physical Security

X

X

X

The mobile workforce and cloud-first strategy

Many organizations are facing the challenge of meeting the expectations of a mobile workforce, all with their own device preferences, a mix of private and professional commitments, and the request to use social media as an additional means of business communication.

Let's dive into a short, practical, but extreme example. The AzureID company employs approximately 80 employees. They work with a SaaS landscape of eight services to drive all their business processes. On premises, they use Network-Attached Storage(NAS) to store some corporate data and provide network printers to all of the employees. Some of the printers are directly attached to the C-level of the company. The main issues today are that the employees need to remember all their usernames and passwords of all the business applications, and if they want to share some information with partners they cannot give them partial access to the necessary information in a secure and flexible way. Another point is if they want to access corporate data from their mobile device, it's always a burden to provide every single login for the applications necessary to fulfil their job. The small IT department with one Full-time Employee (FTE) is overloaded with having to create and manage every identity in each different service. In addition, users forget their passwords periodically, and most of the time outside normal business hours. The following figure shows the actual infrastructure:

The mobile workforce and cloud-first strategy

Let's analyze this extreme example to reveal some typical problems, so that you can match some ideas to your IT infrastructure:

  • Provisioning, managing, and de-provisioning identities can be a time-consuming task
  • There are no single identity and credentials
  • There is no collaboration support for partner and consumer communication
  • There is no Self-Service Password Reset functionality
  • Sensitive information leaves the corporation over email
  • There are no usage or security reports about the accessed applications/services
  • There is no central way to enable Multi-Factor Authentication (MFA) for sensitive applications
  • There is no secure strategy for accessing social media
  • There is no usable, secure, and central remote access portal

    Note

    Remember, shifting applications and services to the cloud just introduces more implications/challenges, not solutions. First of all, you need your IAM functionality accurately in place. You also need to always handle on-premises resources with minimal printer management.

lock icon The rest of the chapter is locked
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Renews at €18.99/month. Cancel anytime