Security patterns

Authentication pattern

Authentication is an essential property of any solution. It pertains to identifying your counterpart in a conversation with some certainty.

We typically refer to the degree of certainty as the authentication strength. For example, suppose someone declares who they are without providing any proof. This would not be an authentication, but rather an identification. If they do a little better and provide a password, this would be weak authentication. Of course, you can impose restrictions to ensure an attacker cannot easily guess user passwords, but this has a limited effect on security.

Authentication typically involves the use of one, two, or all of the following parameters:

  • Something you know: a password, a PIN, or the answer to a security question.

  • Something you have: your phone, a hardware token, or a smart card.

  • Something you are: biometric information such as a fingerprint or face scan.

If you base authentication only on a password, that is, on something you know, you have single-factor authentication, which can easily be compromised. To increase security, pair it with a second factor: for example, a password (something you know) plus a one-time code generated on your phone (something you have). Note that the username identifies the account but proves nothing, so it does not count as a factor. The idea is that although an attacker might compromise any one factor, compromising both at the same time (a phished password and a stolen phone, say) is much more challenging. Finally, you can add the third factor, something you are, to improve security further. Authentication that relies on more than one factor is called multifactor authentication (MFA).

Authentication does not represent a value per se, but it is instrumental in securing your application and data.

This section focuses on one common pattern for securing your solution through authentication: using a centralized identity provider for authentication.

Use a centralized identity provider for authentication

Intent and motivation

The cloud is a convenient platform for hosting applications—so much so that you might host many applications on it, all of which require authentication. It is only natural for organizations to seek a centralized approach for managing identity to access all different services with a single set of credentials. This requirement is not only for simplicity but also to retain control and visibility.

Centralizing identity allows for the adoption of tools like user and entity behavior analytics (UEBA). These tools enable you to determine whether any account or system represents a potential risk for the organization by analyzing its behavior, often adopting artificial intelligence (AI) algorithms able to identify changes in usage patterns.

Another advantage of centralized identity systems is they provide a single location for managing identities and grants. They also allow you to integrate identity management with HR processes—for example, to remove or disable a user’s account as soon as that user ceases their relationship with the organization. Finally, these identity systems enable you to review assigned rights and remove them when necessary.

Description

Azure AD represents a complete and unified approach to identity management on Azure. It provides fundamental capabilities, like managed identities and access reviews, and can be extended with additional services to increase security. These services include:

  • Azure AD Identity Protection This service determines which identities are at risk by analyzing signals from many sources, such as threat intelligence, leaked credentials, and Microsoft Defender for Cloud Apps (Microsoft’s Cloud Access Security Broker, or CASB).

  • Microsoft Defender for Cloud Apps You can use this service to control and limit the adoption of applications and to detect the presence of shadow IT in your organization.

  • Microsoft Defender for Endpoint This is an endpoint detection and response (EDR) solution that integrates with Windows 10, Windows 11, and various other devices; the device risk level it computes can be consumed by conditional access policies. (User and entity behavior analytics for on-premises identities is the domain of Microsoft Defender for Identity.)

  • Azure AD Privileged Identity Management (PIM) This service enables you to assign privileged roles only when required and for a limited time, optionally requiring approval from another person before the assignment is activated.

Azure AD also supports zero-trust security for identities through conditional access. Conditional access evaluates signals at sign-in time (who the user is, which roles they hold, the device and its compliance state, the location, and the user and sign-in risk computed by Azure AD Identity Protection) against policies that grant, block, or constrain access. For example, suppose Azure AD Identity Protection has flagged a particular user as risky. A conditional access policy can then force that user to authenticate with MFA, or change their password, before accessing sensitive resources.
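The following is an added example, not code from the book, that creates a conditional access policy of the kind just described with the Microsoft Graph PowerShell SDK: every holder of a privileged directory role must satisfy MFA for every cloud application. The role names are resolved to template IDs at run time rather than hard-coded, the policy starts in report-only mode so its effect can be reviewed in the sign-in logs before enforcement, and an emergency-access ("break-glass") account is excluded so that a misconfigured policy cannot lock every administrator out. The break-glass account ID, the policy name, and the list of roles are placeholders to be adapted.

```powershell
# Added example (not from the book): require MFA for privileged directory roles.
# Assumes the Microsoft.Graph modules are installed and the caller can consent to
# the Policy.ReadWrite.ConditionalAccess and Directory.Read.All permissions.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Directory.Read.All"

# Resolve role template IDs by display name instead of hard-coding GUIDs.
$privilegedRoleNames = @(
    "Global Administrator",
    "Privileged Role Administrator",
    "Security Administrator",
    "Conditional Access Administrator"
)
$roleIds = Get-MgDirectoryRoleTemplate -All |
    Where-Object { $privilegedRoleNames -contains $_.DisplayName } |
    Select-Object -ExpandProperty Id

if (@($roleIds).Count -ne $privilegedRoleNames.Count) {
    throw "Could not resolve every role template; refusing to create a partial policy."
}

# Emergency-access account (placeholder object ID) excluded from the policy so a
# misconfiguration cannot lock all administrators out of the tenant.
$breakGlassAccountId = "00000000-0000-0000-0000-000000000000"

$policy = @{
    displayName = "CA001 - Require MFA for privileged roles"
    # Report-only first: inspect the sign-in logs, then switch the state to "enabled".
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{
            includeRoles = @($roleIds)
            excludeUsers = @($breakGlassAccountId)
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Output "Created policy $($created.Id) in state $($created.State)"
```

Targeting roles rather than named users means the policy follows PIM activations automatically: an account becomes subject to the MFA requirement the moment it holds one of the roles, and stops being subject to it when the assignment expires.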

Examples

  • Adopt conditional access to require MFA for privileged users such as the solution administrators.

  • Use Azure AD to define custom application roles to control how the solution is used. You can find out more about these here: https://azsec.tech/0g6.

  • Although some services, like Azure SQL Database, Azure SQL Managed Instance, Cosmos DB, and Azure Storage, support several ways to authenticate, including local keys or SQL logins as well as Azure AD credentials, you should use Azure AD credentials whenever possible, because they can be controlled from a central location. Using Azure AD credentials also brings these services under the whole set of capabilities offered to secure those identities (conditional access, Identity Protection, PIM, and access reviews), which a shared key or SQL password never benefits from.
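To make the last point concrete, here is an added example (not code from the book) in PowerShell that connects to Azure SQL Database with an Azure AD access token instead of a SQL login, then creates a contained database user backed by Azure AD for an application's managed identity and grants it a least-privilege role. Because the user is created `FROM EXTERNAL PROVIDER`, disabling the identity in Azure AD revokes its database access at the same time. It assumes the Az.Accounts and SqlServer modules are installed and that the caller is the server's Azure AD administrator; the server, database, and identity names are placeholders.

```powershell
# Added example (not from the book): Azure AD authentication to Azure SQL Database.
# Assumes Az.Accounts and SqlServer modules; caller is the server's Azure AD admin.
Connect-AzAccount

$server          = "contoso-sql.database.windows.net"   # placeholder
$database        = "orders"                             # placeholder
$appIdentityName = "orders-api"   # display name of the app's managed identity (placeholder)

# Token scoped to the Azure SQL resource; no password is stored or sent.
$token = (Get-AzAccessToken -ResourceUrl "https://database.windows.net/").Token
if ($token -is [System.Security.SecureString]) {
    # Recent Az.Accounts versions return a SecureString; Invoke-Sqlcmd wants plain text.
    $token = ConvertFrom-SecureString -SecureString $token -AsPlainText
}

# Contained user backed by Azure AD, so lifecycle is governed centrally.
# Least privilege: reader role only; widen deliberately if the app needs more.
$createUser = @"
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$appIdentityName')
    CREATE USER [$appIdentityName] FROM EXTERNAL PROVIDER;
ALTER ROLE db_datareader ADD MEMBER [$appIdentityName];
"@
Invoke-Sqlcmd -ServerInstance $server -Database $database -AccessToken $token -Query $createUser

# Verify: type E (external user) and X (external group) principals are Azure AD-backed;
# anything with authentication_type_desc = 'DATABASE' is a local SQL login to retire.
$audit = @"
SELECT name, type_desc, authentication_type_desc
FROM sys.database_principals
WHERE type IN ('E', 'X', 'S') AND name NOT IN ('dbo', 'guest', 'INFORMATION_SCHEMA', 'sys');
"@
Invoke-Sqlcmd -ServerInstance $server -Database $database -AccessToken $token -Query $audit
```

The application itself then authenticates with its managed identity by requesting a token for the same `https://database.windows.net/` resource and passing it as the connection's access token, so no connection string in the solution ever contains a secret.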

Related security principles

  • Zero trust

  • Complete mediation

  • Defense in depth

  • Economy of mechanisms

  • Least privilege

  • Leveraging existing components

Related patterns

  • Adopt just-in-time administration

  • Use role-based access control (RBAC)

  • Use managed identities