This blog will explain how a short-staffed team overcame security issues in a critical legacy application by combining modern authentication with legacy MVC frameworks. This allowed the team to upgrade the application to meet enterprise security standards without disrupting the users.

Background

I managed an in-house application, ERMS, developed a decade ago with MVC and forms authentication. The forms authentication used custom user management backed by a SQL Server database. A skilled developer created a productive application that served the needs of HR, managers, and employees. ERMS was developed for AIS in-house use and had lower priority than customer engagements. Over the years, it has been stable, requiring few changes. When changes were required, we had to juggle resources to accomplish them. Figure 1 shows the application architecture before the change.

Figure 1: Upgrading Legacy MVC Forms Authentication to Azure AD

Challenge

The application was developed before today's standard security practices were established, and over time it became non-compliant. ERMS needed its legacy forms authentication upgraded to Azure AD authentication. This required sweeping changes to the way users logged in to the application, which would be a significant undertaking. The solution itself was not technically difficult, but it had to be done with minimal downtime and minimal resources. In addition, ERMS uses custom roles that do not map to Active Directory roles.

Solution

We considered several ways to solve this problem, as outlined below.

Upgrade Authentication and Authorization

The first option was to remove forms authentication and custom role management and use Active Directory for both, as shown in Figure 2. Equivalent AD roles would have to be created, and the code at various layers would need to be updated to refer to the corresponding AD roles. This was not a viable option: it was risky and involved many changes.

Figure 2: Removing forms authentication


Upgrade Authentication and Use Legacy Authorization

Figure 3 shows another approach we explored: retain the existing role management and use Azure AD only for authentication. This was a sensible fallback in the given context, but it did not work, because the User Principal in the HTTP request context was never set, which broke authentication.

Figure 3: Retain the existing role management

We learned two points from the failed trials. First, we should upgrade only the authentication and not touch the custom role management. Second, integrating Active Directory directly with the custom role management in ERMS was a resource-heavy effort.

Using a Connector for Authentication

The solution that worked was to have a lightweight authenticator app that the ERMS application consumes to validate the users, as shown in the high-level flow in Figure 5. This authenticator service app would validate against Azure AD, and role management would stay the same. Figure 4 shows the solution overview.

Figure 4: Complete Solution Overview

Figure 5: High Level Flow
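The following is an added illustration of the connector pattern described above; it is not ERMS code or AIS code. It assumes a hypothetical connector that performs the Azure AD login and posts back a short-lived JWT signed with a key shared with ERMS (the issuer URL, audience, `upn` claim name and `ErmsUserStore` are all assumptions). ERMS only verifies that assertion and then issues its usual forms-authentication cookie, so the request principal is set and the existing custom role management keeps working unchanged.

```csharp
// Added example, not the original application's code.
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Web.Mvc;
using System.Web.Security;
using Microsoft.IdentityModel.Tokens;

public class AccountController : Controller
{
    // Hypothetical settings; in practice load them from protected configuration.
    private const string ConnectorIssuer = "https://auth-connector.example/"; // assumed
    private const string ErmsAudience = "erms";                                // assumed
    private static readonly byte[] SharedKey = ErmsConfig.ConnectorSigningKey; // assumed helper

    // Step 1: send the browser to the connector, which performs the Azure AD login.
    public ActionResult Login(string returnUrl)
    {
        var callback = Url.Action("Callback", "Account", new { returnUrl }, Request.Url.Scheme);
        return Redirect(ConnectorIssuer + "login?redirect_uri=" + Uri.EscapeDataString(callback));
    }

    // Step 2: the connector posts back a signed token for the verified user.
    [HttpPost]
    public ActionResult Callback(string token, string returnUrl)
    {
        var parameters = new TokenValidationParameters
        {
            ValidIssuer = ConnectorIssuer,              // reject tokens from anyone else
            ValidAudience = ErmsAudience,               // reject tokens minted for other apps
            IssuerSigningKey = new SymmetricSecurityKey(SharedKey),
            ValidateIssuer = true,
            ValidateAudience = true,
            ValidateIssuerSigningKey = true,
            ValidateLifetime = true,                    // short-lived assertion only
            ClockSkew = TimeSpan.FromMinutes(1)
        };
        ClaimsPrincipal principal;
        try { principal = new JwtSecurityTokenHandler().ValidateToken(token, parameters, out _); }
        catch (SecurityTokenException) { return new HttpUnauthorizedResult(); }

        // The connector asserts the user; ERMS still decides whether that user exists.
        var upn = principal.FindFirst("upn")?.Value;                       // claim name assumed
        if (string.IsNullOrEmpty(upn) || !ErmsUserStore.Exists(upn))       // existing SQL user table
            return new HttpUnauthorizedResult();

        // Only authentication changed: the forms ticket carries the ERMS user name, so the
        // legacy custom role provider and [Authorize(Roles = ...)] checks work as before.
        FormsAuthentication.SetAuthCookie(upn, createPersistentCookie: false);
        return Url.IsLocalUrl(returnUrl) ? Redirect(returnUrl) : RedirectToAction("Index", "Home");
    }
}
```

The `Url.IsLocalUrl` check keeps the post-login redirect on the ERMS host, and the lifetime and audience checks prevent a token issued for another application or replayed later from creating a session.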

The Right Approach

An independent authentication connector service combined with the existing role management is the key to the solution. This is a dependable approach if you are looking for a quick turnaround using minimal coding or resources.

The Current Situation

Today, organizations continue the transition to cloud computing as part of their digital transformation journey and become highly productive organizations in their respective industries. While transitioning to cloud computing demonstrates agility, scalability, cost-effectiveness, and performance, the challenge is strengthening their security foundation and reducing risk. While vendors such as Microsoft provide best-in-class measures and features for tightening the organization's security foundation, the ultimate responsibility belongs to the organization itself. Of course, organizations will take precautionary steps to protect device assets and data from malicious exfiltration and theft. Still, organizations tend to loosely protect the number one crucial asset: the user's identity. As reported by Microsoft, cybersecurity experts detected and reported 15 million attacks scoped to password-based attacks alone. This is a signal that the user's password is the primary target! So, the big question is: how does an organization protect user identity, device assets, and corporate data, preventing compromises and breaches? The answer: Zero Trust.

What is Zero Trust?

Top cybersecurity experts and leaders changed the game with the introduction and adoption of Zero Trust, now regarded as the top method for protecting identities, assets, data, and the overall organization. First, let's start with the basics: what is Zero Trust?

Microsoft clearly defines Zero Trust through three principles:

  • Verify explicitly
  • Use least-privileged access
  • Assume breach

To summarize, treat every request as if it came from an unknown network and always verify.

Zero Trust Foundation

Verify explicitly – the user identity is the key to accessing organizational data and assets. Therefore, the first step is to verify that the identity belongs to the user accessing the data. Azure AD supports this principle with Conditional Access and security features such as multi-factor authentication.

Ask yourself these questions:

  • To take it a step further, is the user accessing the data from an approved device?
  • Is the user in an expected location?
  • Is the user currently flagged as high risk?
  • Is the device highly exposed due to an existing cybersecurity incident? Is the device compliant?

Use least-privileged access – not a new concept, but not a heavily practiced one. Specifically, in Microsoft 365, organizations utilize privileged identities for administrative functions and operations. However, many organizations do not separate privileged access from their regular accounts, or they leave privileged roles permanently assigned even when the identities are separate. Also, some organizations allow users to consent to apps accessing Microsoft 365 data. Azure AD offers features to reduce the risk around privileged access and to track identities, for example Azure AD Privileged Identity Management, Microsoft Defender for Identity, Conditional Access, Azure AD Identity Governance, Azure AD Identity Protection, Microsoft Information Protection, and more.

Assume breach – as any cybersecurity expert, vendor, or leader will tell you, an organization will never be 100% hardened, because malicious actors continue to develop sophisticated attacks. Therefore, the organization must adopt the "assume breach" mindset and always defend itself. Microsoft Defender for Office 365, Microsoft Defender for Endpoint, Microsoft Defender for Identity, and Microsoft Cloud App Security protect the organization from modern attacks, allowing it to become proactive and leverage advanced hunting features to prevent future malicious attacks. Other ways of adopting the "assume breach" mindset include reviewing user sign-in risk, device health risk and exposure, threat and vulnerability management, device and user identity hygiene, and more.

Why Microsoft Security for Zero Trust Foundation?

In brief, Microsoft defines security under four (4) pillars: protect everything, simplify the complex, catch what others miss, and grow your future.

Figure: Safeguard your people, data and infrastructure

The four (4) pillars outline the overall position on Microsoft Security and the value it demonstrates for all customers: simplifying the Zero Trust foundation. In addition, Microsoft Security is proving its firm establishment in the cybersecurity field by being a prime leader in seven (7) Forrester Wave reports, and five (5) Gartner Magic Quadrant reports.

Figure: Microsoft Security a Leader in Gartner Magic Quadrant

Microsoft Security continues to develop an end-to-end approach, integrating with a total of 53 essential categories around the cybersecurity landscape. It also demonstrates cost savings with Microsoft security solutions covered under Microsoft 365 E3 and Microsoft 365 E5 licensing tiers, compared to competitors in cybersecurity, such as Symantec, Cisco, and CrowdStrike.

Figure: Integrate up to 40 categories (Enhanced Microsoft Security)

How Can AIS help?

As a Microsoft Gold Partner, AIS has the expertise and skills to assess, guide, and deploy the Zero Trust foundation using solutions from the Microsoft Security portfolio, such as Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Identity, Microsoft Cloud App Security, Microsoft Information Protection, Azure AD Privileged Identity Management, and more. Below is the Zero Trust Guidance Center from Microsoft. Consider AIS for assistance on this journey toward an optimal Zero Trust foundation for your organization!

Zero Trust Guidance Center: Zero Trust Guidance Center | Microsoft Docs

Microsoft 365 is the best-in-class enterprise communication and collaboration solution, allowing your organization to become highly productive within and outside of the organization. In brief, Microsoft 365 is composed of various products and workloads, from Exchange for email and Microsoft Teams for instant messaging and telephony to SharePoint Online for developing your intranet and Yammer for inter-organizational social interaction. So, now that your organization utilizes Microsoft 365, what is your next step?

The Challenge

Microsoft 365 provides extensive use of available products like Exchange, Microsoft Teams, SharePoint Online, and Power Apps. Your organization may want to give the best solution and user experience to the end-user community, becoming productive and competitive in your respective industry. However, as your organization continues to adopt and incorporate change by rolling out the available features in Microsoft 365, the end-user community will begin utilizing these features as soon as possible.

So, what's going to happen now? For example, I give my child a brand-new toy or video game, and they are ecstatic. However, after a few days, once my child is done playing with the toy or video game, they toss it in a nearby spot and completely forget about it. As a parent, I teach my child to put the new toy or video game in a specific location each time they are done, to properly dispose of it if they no longer want it, or to write their name on it in case they lose it. Overall, there is an essential factor that organizations tend to forget or lack before communicating new features and products available in Microsoft 365: governance.


The Solution

In brief, Microsoft 365 governance revolves around planning the protection of your assets, ensuring proper asset lifecycle management, and minimizing risk to your organization from data leakage, improper role and permission assignment, and ownerless content. Examples of Microsoft 365 governance controls are access reviews for certain assets, such as Microsoft 365 groups, teams, or SharePoint communication sites. Another example is leveraging Microsoft Information Protection and assigning sensitivity labels to Microsoft 365 groups for protection and classification. Another is leveraging Azure AD PIM (Privileged Identity Management) for permanent or temporary role assignments and just-in-time access for specific tasks or objectives. A final example is establishing required controls and permissions for Azure AD app registration and consent.

The Objective

As you continue to adopt Microsoft 365 in your organization, begin planning and establishing a Microsoft 365 governance framework for all workloads utilized, such as Exchange, Microsoft Teams, Azure AD, Yammer, SharePoint, and more. As you establish the framework, collaborate with key members from adoption and change management, business stakeholders, and inter-organizational Microsoft 365 champions, and ensure the overall end-user community is aware of the governance controls set for Microsoft 365. Also, keep in mind that your Microsoft 365 governance framework is a living, ever-evolving concept. Therefore, as you continue to utilize Microsoft 365 in your organization, keep your governance framework up to date and inform the same key members and stakeholders.
