Technical requirements – Building Application Security

In the previous chapter, we explained how to manage and control user access through the use of management groups, policies, and Azure Blueprints.

In Chapter 2, Principles of Modern Architecture, we also discussed the need for security in depth – that is, the need for multiple layers of security to protect us in the event one layer is compromised.

Two such additional areas of control involve the encryption of data and the security of communications between services. This has become more important in recent years due to the increased use of microservice architectures that demand multiple smaller services, working together and transferring data between them.

Encryption of data is often performed using either SSL/TLS certificates or encryption keys, and is applied to data at rest or in transit.

Another data protection mechanism is how we control and authenticate communication between one system and another. One example is a website communicating with a database; a connection string would typically be used to define a username and password. The connection string itself is considered sensitive, and therefore consideration must be given to how you can provide it to the system without exposing it to developers or system administrators.

This chapter will cover three tools in Azure that can help with these aspects. We will first look at Azure Key Vault, a mechanism for generating, securely storing, and managing the life cycle of secrets, keys, and certificates.

Next, we will look at how we can use Azure security principals to provide application-level access to secrets and other Azure components, and how they can also be used to enable OAuth-based authentication to your apps quickly.

Finally, we will examine managed identities, which provide an alternative to service principals for authenticating between some of Azure’s services, such as Web Apps, Virtual Machines, Key Vault, and storage accounts.
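As an added illustration of the chain just described (this is not code from the book's ch6 samples), the following Azure PowerShell stores a database connection string in Key Vault and lets a Web App read it through its managed identity, so the value never appears in source code, app settings, or a developer's hands. It assumes an existing resource group, Web App, and a vault using the access-policy permission model; every name below is a placeholder.

```powershell
# Added example, not from the book. Placeholder names: adjust for your subscription.
$rg       = 'rg-demo'
$location = 'westeurope'
$vault    = 'kv-demo-placeholder'   # Key Vault names must be globally unique
$webApp   = 'webapp-demo'           # an existing Web App in $rg

# 1. Create the vault that will hold the secret.
#    (Assumes the default access-policy model; an RBAC-enabled vault would use
#    role assignments in step 4 instead.)
New-AzKeyVault -Name $vault -ResourceGroupName $rg -Location $location | Out-Null

# 2. Store the connection string as a secret. The plaintext is typed once here by an
#    operator with write access and is not placed in config files or source control.
$connString = 'Server=tcp:sql-demo.database.windows.net;User ID=appuser;Password=<placeholder>;'
$secure = ConvertTo-SecureString -String $connString -AsPlainText -Force
Set-AzKeyVaultSecret -VaultName $vault -Name 'SqlConnectionString' -SecretValue $secure | Out-Null

# 3. Give the Web App a system-assigned managed identity. Azure manages its credential,
#    so there is no client secret to rotate or leak.
$app = Set-AzWebApp -ResourceGroupName $rg -Name $webApp -AssignIdentity $true

# 4. Grant that identity only 'get' on secrets (least privilege): it can read the
#    value it needs but cannot list, set, or delete secrets.
Set-AzKeyVaultAccessPolicy -VaultName $vault -ObjectId $app.Identity.PrincipalId `
    -PermissionsToSecrets get

# 5. Configure the app with a Key Vault *reference* rather than the value. App Service
#    resolves the reference at runtime using the managed identity, so the setting
#    visible to administrators in the portal contains no secret.
#    Note: -AppSettings replaces the app's settings, so merge existing ones in practice.
$ref = "@Microsoft.KeyVault(VaultName=$vault;SecretName=SqlConnectionString)"
Set-AzWebApp -ResourceGroupName $rg -Name $webApp `
    -AppSettings @{ 'SqlConnectionString' = $ref } | Out-Null
```

After this runs, `Get-AzWebApp` shows only the `@Microsoft.KeyVault(...)` reference in the app settings, which is the check that the plaintext connection string is not exposed outside the vault.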

Specifically, we will be covering the following topics:

  • Introducing Azure Key Vault
  • Working with Security Principals
  • Using managed identities

Technical requirements

This chapter uses the Azure portal (https://portal.azure.com) and Azure PowerShell (https://docs.Microsoft.com/en-us/powershell/azure/install-az-ps) for its examples.

Coding is performed using Visual Studio Code, which can be downloaded here: https://code.visualstudio.com.

The source code for our examples can be downloaded from https://github.com/PacktPublishing/Exam-Ref-AZ-304-Microsoft-Azure-Architect-Design-Certification-and-Beyond/tree/master/ch6.
