In an era of increasingly sophisticated digital threats, robust cybersecurity is a top priority, especially for companies using cloud platforms like Azure. A global technology leader in Azure security products needed to safeguard sensitive data and maintain the integrity of digital infrastructures. This case study highlights how our team implemented advanced security measures, focusing on key cybersecurity pillars, to significantly improve the company’s security posture.
We identified three scenarios within the project where existing security implementations required updates. These updates focused on Managed Identity, Federated Identity Credentials, and Role-Based Access Control.
Scenario 1: Transition from API Keys to Managed Identity and Role-Based Access Control (RBAC)
Problem statement
The client relied on API keys to authenticate Azure
Functions with Azure AI Text Analytics and Language services. With evolving
security guidelines, discontinuing the use of these keys became crucial. The
primary goal was to adopt Managed Identity and RBAC to secure access and
eliminate vulnerabilities from storing API keys.
Implementation strategy
· Identity management configuration: We set
up user-assigned managed identities within Azure Resource Management. This
identity was linked to the 'Cognitive Service User' role, ensuring only
authorized identities accessed the Azure services.
· Secure authentication process: We
migrated service endpoints to custom domain endpoints. By using Managed
Identity and Azure's DefaultAzureCredential, we established a more secure and
streamlined authentication process.
· Code revisions for security: The codebase
was updated to integrate the new security model. This included creating a
TextAnalyticsClient object capable of dynamically generating tokens for Azure
AI Translator services, replacing the insecure API key method.
Outcome
This shift from API keys to Managed Identity improved
security by eliminating the need to store sensitive keys in Azure Key Vault and
reducing the potential for key leakage. As a result, the client achieved a more
secure and streamlined authentication process, improving their overall security
framework.
Scenario
2: Improving storage account security through Managed Identity
Problem statement
The client previously managed secrets for the AzureWebJobsStorage environment
variables in Key Vault. With new security mandates from Microsoft, there was a
need to eliminate the use of access keys and transition to a more secure,
automated system.
Implementation strategy
· Role-Based Access Assignment: We assigned
the ‘Storage Blob Data Owner’ role to the Azure Function App's system-assigned
managed identity. This ensured the app had the necessary permissions to
securely access storage resources.
· Environment Variable Transition: To improve
security, we replaced the traditional AzureWebJobsStorage environment variable
with the AzureWebJobsStorage__accountName variable, linking it directly to the
storage account's name.
· Secret Management Automation: By removing
dependencies on storage account connection strings, we minimized manual secret
management and enabled automated key rotation. This reduces the risk of
exposure.
Outcome
Implementing managed identities instead of traditional
access keys significantly reduced the administrative overhead of secret
management. This transition improved security and streamlined operations,
allowing the client's teams to focus on more strategic tasks.
Scenario
3: Implementing Federated Identity Credentials for app registration
Problem statement
To meet the latest security requirements, the client needed to eliminate the
use of secrets for app registration authentication. The solution involved
adopting Federated Identity Credentials (FIC) to ensure a more secure and
scalable authentication method.
Implementation strategy
· Federated identity setup: We integrated
federated credentials into the required app registrations. This allowed the
client to use federated identities for secure, secret-less authentication.
· Token generation configuration: Managed
Identity was configured to dynamically generate tokens, which were then used to
securely interact with services like Event Hub.
· Scope and permission management: We
enabled the application to call various services by generating tokens with
appropriate scopes, ensuring secure and authorized access to resources.
Outcome
The transition to Federated Identity Credentials significantly enhanced the
security of the client’s app registrations. By eliminating the need for
secrets, the client reduced its attack surface and established a more robust
and scalable authentication mechanism.
How our
new approach aligns with key pillars of security
Across all three scenarios, our approach focused on the
following key cybersecurity pillars:
1. Protect
identity and secrets
o Implemented
Managed Identity to eliminate the need for API keys and secrets, ensuring that
only authorized identities access critical resources.
o Used
RBAC to enforce fine-grained access permissions, minimizing the risk of
unauthorized access.
o Adopted
Federated Identity Credentials to secure app registrations without relying on
traditional secrets.
2. Protect
tenants and isolate production systems
o Migrated
authentication processes to Managed Identity, removing vulnerabilities linked
to API key storage and manual secret management.
o Strengthened
security around service endpoints and minimized the risk of breaches by
replacing access keys with automated token generation.
3. Protect
network and engineering systems
o Automated
key rotation and secret management, reducing human error and improving
operational efficiency.
o Simplified
security configurations, allowing the client's teams to focus on more strategic
initiatives while maintaining robust security controls.
4. Monitor
and detect threat
o Secured
communication channels and endpoints by transitioning to custom domain
endpoints, reducing the potential attack surface.
o Protected
sensitive data by using Managed Identity for all authentication processes,
effectively mitigating risks associated with key leakage.
5. Compliance
and standards adherence
o Ensured
alignment with Microsoft's updated security standards, helping the client
remain compliant with industry best practices and regulatory requirements.
Key advantages of Managed Identity over traditional
key-based security
Adopting Managed Identity offers significant benefits
compared to traditional key-based security mechanisms like Azure Key Vault:
· Elimination of secret management: Managed
Identity removes the need for managing credentials and secrets, reducing administrative
burden and the risk of exposure.
· Increased security: Applications using
Managed Identity can securely access Azure resources without the need for
hardcoded credentials, mitigating potential vulnerabilities.
· Simplified access control: Managed
Identities integrate seamlessly with Azure Active Directory, enabling
centralized and granular control over resource access.
· Cost efficiency: The reduced need for
managing, rotating, and securing keys or secrets translates into lower
operational costs.
This case study showcases how our comprehensive approach to cybersecurity enabled
a global technology company to fortify its security infrastructure. By
transitioning to Managed Identity and implementing RBAC, the client safeguarded
its digital assets while establishing a secure and scalable foundation for
future growth. This proactive approach to security reinforces the company’s
reputation as a leader in the industry, ensuring continued trust and confidence
from its customers.