May 4, 2016 // By Jared Zagelbaum
The linchpins of modern hybrid and cloud architectures are security, encryption, and identity. Without a strong implementation of all of these controls, your environment can be compromised easily, and from there the story only gets worse.
This is old news for those who have been managing their assets strictly on premises, but the implications are new. Let’s consider just identity management. Not that long ago, implementing single sign-on (SSO) even for on-premises applications alone often required a significant level of effort in analysis and development. More than a few of the clients I worked with on SSO solutions ended up scrapping the idea after recognizing the scope of what was involved for even the most basic functionality.
Security in cloud-adopted environments is even more complex. Security architects have to account for the shifting landscape of available services, as well as recognize existing on-premises identity providers. In Windows environments, this generally means Active Directory (AD) and can include Active Directory Federation Services (ADFS) in more complex environments.
Sound complicated? Well, actually it’s not. This is because Microsoft has a service offering that already integrates with all Azure services, as well as with on-premises AD and ADFS solutions: Azure Active Directory.
I might have come off a bit terse there, but in my opinion Azure AD really is that strong of a service offering. First and foremost, it is the glue that holds all of the Azure services together. When you consider that the same identity management system is being used to secure IaaS, PaaS, and SaaS solutions from multiple vendors across a global datacenter infrastructure, you begin to appreciate how it might be powerful enough to provide some real value propositions for your infrastructure.
Apart from simply synchronizing on-premises AD accounts to the cloud, Azure AD offers out-of-the-box SSO with thousands of cloud SaaS offerings, including Salesforce.com, Google Apps, and Dropbox, making enterprise adoption of cloud SaaS services very easy for security admins and business users. Even more impressive, Azure AD offers paid capabilities in two tiers, Basic and Premium, that greatly simplify administration, accelerate application development, and can even prolong the useful life of your existing applications.
Starting with just the Basic tier subscription you get access to an incredibly powerful feature: the Azure Active Directory Application Proxy. The Application Proxy allows any intranet-facing web app to be securely surfaced to the internet without requiring any architectural changes to the application infrastructure itself. All that is required for implementation is, ideally, a dedicated server (or servers) running the Azure AD Application Proxy Connector service. For an example, see this blog from Microsoft architect Kirk Evans, where he securely proxies a Windows-authentication-based SharePoint 2013 site to render externally on any device: https://blogs.msdn.microsoft.com/kaevans/2015/04/13/azure-ad-application-proxy-and-sharepoint-2013/. This implementation can be done with any Windows-authentication or claims-based web application, and allows for secure access by pre-authenticating to Azure AD before ever attempting to render the app or touch your data. In my personal experience, building out a similar solution using ADFS / DMZ on premises with even basic functionality is often a yearlong project or more for enterprise customers. How many applications in your environment could avoid deprecation for a few more years by simply having external access from mobile devices?
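As an added example (not from the original post or from Microsoft), here is how the pre-authentication described above is enforced when publishing an app through the Application Proxy, followed by an audit for apps published with the weaker pass-through setting. It assumes the AzureAD PowerShell module (which appeared after this post was written), an existing connector group, and placeholder names and URLs.

```powershell
# Added example, not part of the original post. Assumes the AzureAD
# PowerShell module; the app name and URLs below are placeholders.
Connect-AzureAD

# Publish an intranet app with Azure AD pre-authentication: the user must
# sign in to Azure AD before the connector forwards anything to the
# internal site, so the app itself is never exposed to anonymous traffic.
$app = New-AzureADApplicationProxyApplication `
    -DisplayName "Intranet Portal (placeholder)" `
    -InternalUrl  "http://intranet.corp.example/" `
    -ExternalUrl  "https://intranet-contoso.msappproxy.net/" `
    -ExternalAuthenticationType AadPreAuthentication

"Published $($app.ExternalUrl) with auth type $($app.ExternalAuthenticationType)"

# Audit: list every proxied app published as Passthru. Passthru skips the
# Azure AD sign-in and lets the internal app's own login page face the
# internet, which is the configuration you want to find and correct.
Get-AzureADApplication -All $true |
    ForEach-Object {
        $proxy = Get-AzureADApplicationProxyApplication -ObjectId $_.ObjectId -ErrorAction SilentlyContinue
        if ($proxy -and $proxy.ExternalAuthenticationType -eq 'Passthru') {
            [pscustomobject]@{
                App      = $_.DisplayName
                External = $proxy.ExternalUrl
                Auth     = $proxy.ExternalAuthenticationType
            }
        }
    }
```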
The administrative features for hybrid infrastructure really kick in at the Premium tier, with cloud write-back to on-premises directories, self-service password reset, and multi-factor authentication. The Azure AD service also accelerates common IT admin tasks by allowing business owners to be delegated authorization to set up new users. Add to that device management for BYOD and a 99.9% SLA, along with even more features I haven’t discussed here (and more in development right now that I don’t even know about), and a good question to ask yourself is why you haven’t thought more about utilizing Azure Active Directory.
If you’d like to contact Magenic directly, email us or call us at 877-277-1044.