Showing posts with label Identity & Access Management. Show all posts

Saturday, 25 September 2021

GAIA-X gets new support with European Eclipse Data Connector


Data has an increasingly important role in strengthening business models and offering improved public services but much of its potential remains untapped. Data sharing is an essential element to the promise of unlocking new business opportunities and broader economic growth for all industries. Europe has been a leading voice for years on the need to expand industry participation in data sharing. Business-to-business (B2B) data sharing is also a foundational concept of GAIA-X, an initiative to create a federated data infrastructure. Last month a coalition of leading European organizations announced the Eclipse Dataspace Connector (EDC) which is a European open-source project that enables multicloud, policy-based B2B data sharing. The EDC was showcased at the GAIA-X Hackathon in Munich on August 30 – 31, 2021.

Multicloud data sharing across organizations

Transmitting data from one organization to another is a technical problem that has been solved in innumerable ways. What is different about this project? Think about a large manufacturing company with its design organization using engineering software running on AWS, its factory systems running on Azure, its supply chain management systems hosted by SAP, and its custom-built cloud services for sales and marketing hosted by Deutsche Telekom. On top of that, they want to exchange data in their supply chain with their partners who have equally complicated systems. Each company may want to share data, but how to do that across multiple clouds and on-premises systems while remaining respectful of data sharing policies as well as privacy and security laws? In addition, what identity management system can support data sovereignty and federation requirements?

The EDC is made up of open-source components that enable multicloud, policy-based, federated data sharing based on European data sovereignty principles. Every party associated with the sharing and consumption of data needs to have a valid digital identity that provides them the level of sovereignty they desire based on their organizational requirements. Each party also needs to be able to declare the policies under which they are willing to exchange data and be able to enforce them. And ultimately, the sharing of data needs to be secure and efficient.

Enabling data innovation for modern business

Banks develop and provide cloud financial services, media content providers have cloud streaming services, airlines offer cloud ticketing and flight services—most modern businesses are cloud providers to their customers. Thus, every business—every cloud provider—will need to enable trusted data sharing. There are other problems that will need to be solved such as data semantics and the internal governance practices associated with the business decisions for sharing or receiving data. But putting the first layers of this complex structure in place is a significant step forward for enabling data innovation-based growth.

The fact that it is a European solution, governed by a European open-source software foundation, and led by organizations committed to protecting European values is critical to its acceptance in the GAIA-X process. Microsoft is pleased to support this project along with Fraunhofer Institute for Software and Systems Engineering ISST, Daimler TSS, BMW Group, Deutsche Telekom, Amazon AWS, SAP, Bosch, HPE, ZF Friedrichshafen and GAIA-X AISBL as well as the International Data Spaces Association.

Source: microsoft.com

Saturday, 28 December 2019

Advancing Azure Active Directory availability


Our customers trust Azure AD to manage secure access to all their applications and services. For us, this means that every authentication request is a mission critical operation. Given the critical nature and the scale of the service, our identity team’s top priority is the reliability and security of the service. Azure AD is engineered for availability and security using a truly cloud-native, hyper-scale, multi-tenant architecture and our team has a continual program of raising the bar on reliability and security.

Azure AD: Core availability principles


Engineering a service of this scale, complexity, and mission criticality to be highly available in a world where everything we build on can and does fail is a complex task.

Our resilience investments are organized around the set of reliability principles below:


Our availability work adopts a layered defense approach to reduce the possibility of customer visible failure as much as possible; if a failure does occur, scope down the impact of that failure as much as possible, and finally, reduce the time it takes to recover and mitigate a failure as much as possible.

Over the coming weeks and months, we will dive deeper into how each of the principles is designed and verified in practice, and provide examples of how they work for our customers.

Highly redundant


Azure AD is a global service with multiple levels of internal redundancy and automatic recoverability. Azure AD is deployed in over 30 datacenters around the world leveraging Azure Availability Zones where present. This number is growing rapidly as additional Azure Regions are deployed.

For durability, any piece of data written to Azure AD is replicated to at least 4 and up to 13 datacenters depending on your tenant configuration. Within each datacenter, data is again replicated at least 9 times, both for durability and to scale out capacity to serve authentication load. To illustrate, this means that at any point in time there are at least 36 copies of your directory data available within our service in our smallest region. For durability, writes to Azure AD are not completed until a successful commit to an out-of-region datacenter.

This approach gives us both durability of the data and massive redundancy—multiple network paths and datacenters can serve any given authorization request, and the system automatically and intelligently retries and routes around failures both inside a datacenter and across datacenters.

To validate this, we regularly exercise fault injection and validate the system’s resiliency to failure of the system components Azure AD is built on. This extends all the way to taking out entire datacenters on a regular basis to confirm the system can tolerate the loss of a datacenter with zero customer impact.

No single points of failure (SPOF)


As mentioned, Azure AD itself is architected with multiple levels of internal resilience, but our principle extends even further to have resilience in all our external dependencies. This is expressed in our no single point of failure (SPOF) principle.

Given the criticality of our services, we don’t accept SPOFs in critical external systems such as the Domain Name System (DNS), content delivery networks (CDN), or the telecommunications providers that transport our multi-factor authentication (MFA) messages, including SMS and voice. For each of these systems, we use multiple redundant providers in a full active-active configuration.

Much of the work on this principle has come to completion over the last calendar year. To illustrate, when a large DNS provider recently had an outage, Azure AD was entirely unaffected because we had an active/active path to an alternate provider.

Elastically scales


Azure AD is already a massive system running on over 300,000 CPU Cores and able to rely on the massive scalability of the Azure Cloud to dynamically and rapidly scale up to meet any demand. This can include both natural increases in traffic, such as a 9AM peak in authentications in a given region, but also huge surges in new traffic served by our Azure AD B2C which powers some of the world’s largest events and frequently sees rushes of millions of new users.

As an added level of resilience, Azure AD over-provisions its capacity and a design point is that the failover of an entire datacenter does not require any additional provisioning of capacity to handle the redistributed load. This gives us the flexibility to know that in an emergency we already have all the capacity we need on hand.

Safe deployment


Safe deployment ensures that changes (code or configuration) progress gradually from internal automation, to Microsoft-internal self-hosting rings, to production. Within production we adopt a very graduated and slow ramp-up of the percentage of users exposed to a change, with automated health checks gating progression from one deployment ring to the next. This entire process takes over a week to fully roll out a change across production and can at any time rapidly roll back to the last known healthy state.

This system regularly catches potential failures in what we call our ‘early rings’ that are entirely internal to Microsoft and prevents their rollout to rings that would impact customer/production traffic.

Modern verification


To support the health checks that gate safe deployment and give our engineering team insight into the health of the systems, Azure AD emits a massive amount of internal telemetry, metrics, and signals used to monitor the health of our systems. At our scale, this is over 11 petabytes a week of signals that feed our automated health monitoring systems. Those systems in turn trigger alerting to automation as well as to our team of 24/7/365 engineers, who respond to any potential degradation in availability or Quality of Service (QoS).

Our journey here is expanding that telemetry to provide optics of not just the health of the services, but metrics that truly represent the end-to-end health of a given scenario for a given tenant. Our team is already alerting on these metrics internally and we’re evaluating how to expose this per-tenant health data directly to customers in the Azure Portal.

Partitioning and fine-grained fault domains


A good analogy for understanding Azure AD is the compartments of a submarine, designed so that one can flood without affecting either the other compartments or the integrity of the entire vessel.

The equivalent for Azure AD is a fault domain: the scale units that serve a set of tenants in one fault domain are architected to be completely isolated from the scale units of other fault domains. These fault domains provide hard isolation of many classes of failures, such that the ‘blast radius’ of a fault is contained in a given fault domain.

Azure AD up to now has consisted of five separate fault domains. Over the last year, and completed by next summer, this number will increase to 50 fault domains, and many services, including Azure Multi-Factor Authentication (MFA), are moving to become fully isolated in those same fault domains.

This hard-partitioning work is designed to be a final catch all that scopes any outage or failure to no more than 1/50 or ~2% of our users. Our objective is to increase this even further to hundreds of fault domains in the following year.

A preview of what’s to come


The principles above aim to harden the core Azure AD service. Given the critical nature of Azure AD, we’re not stopping there—future posts will cover new investments we’re making including rolling out in production a second and completely fault-decorrelated identity service that can provide seamless fallback authentication support in the event of a failure in the primary Azure AD service.

Think of this as the equivalent to a backup generator or uninterruptible power supply (UPS) system that can provide coverage and protection in the event the primary power grid is impacted. This system is completely transparent and seamless to end users and is now in production protecting a portion of our critical authentication flows for a set of M365 workloads. We’ll be rapidly expanding its applicability to cover more scenarios and workloads.

Wednesday, 8 May 2019

Azure Cost Management now generally available for Pay-As-You-Go customers

We are excited to announce the general availability of Azure Cost Management features for all Pay-As-You-Go and Azure Government customers that will greatly enhance your ability to analyze and proactively manage your cloud costs. These features will allow you to analyze your cost data, configure budgets to drive accountability for cloud costs, and export pre-configured reports on a schedule to support deeper data analysis within your own systems. This release for Pay-As-You-Go customers also provides invoice reconciliation support in the Azure portal via a usage CSV download of all charges applicable to your invoices.

New feature


Azure Usage Download for invoice reconciliation

As part of this general availability for Pay-As-You-Go customers, we are now providing usage download capabilities in the Azure portal. This downloadable CSV file can be used to reconcile your charges with your monthly invoice.


Your usage download file can also be accessed by a new API that is now available for developers. To learn more about developing on top of our APIs, including Usage Download, please visit our Azure REST API documentation.

Generally available features


The features below are now generally available for Pay-As-You-Go and Azure Government customers within the Azure portal. Log into the Azure portal and test them out today! If you are a Government customer, log into the Azure Government portal.

Cost analysis


This feature allows you to track costs over the course of the month and offers you a variety of ways to analyze your data.


Budgets


Use budgets to proactively manage costs and drive accountability within your organization.


Exports


Export all of your cost data to an Azure storage account using our new exports feature. You can use this data in external systems and combine it with your own data to maximize your cost management capabilities.


GA data limitations


The GA release of the features identified above has a few limitations that are identified below. We expect to bring many of these features to you soon so stay tuned for announcements of future releases!

◉ Feature support for Pay-As-You-Go customers is available for native Azure resources only. Resources available via the Azure Marketplace, including recurring charges, will be supported in upcoming releases.

◉ Cost management data for Pay-As-You-Go customers is currently only available from September 2018 and later. Data prior to this date can be accessed via the Usage Details API.

◉ Feature support for Azure Reserved Instances is not currently available for Pay-As-You-Go or Azure Government customers and will be incorporated into upcoming releases.

◉ Feature support for the Power BI Content Pack is not currently available for Pay-As-You-Go customers and will be incorporated into upcoming releases.

Friday, 20 April 2018

Announcing new Azure Security Center capabilities at RSA 2018

Migrating your workloads to the cloud can enable some inherent security benefits. With cloud scale machine learning and security analytics, you can mitigate threats quickly, making your environment more secure and your organization more productive.

Azure Security Center provides centralized visibility of the security state of your resources and uses the collective intelligence from machine learning and advanced analytics not only to detect threats quickly but to help you prevent them. Its agent-based approach helps gain deeper security insights from the workloads and extends these protections to workloads running on-premises as well as in other clouds, providing unified security management for you.

Today we are excited to announce several capabilities in Azure Security Center that will provide enhanced protection to help you keep pace with the evolving cybersecurity landscape:

Visibility and governance at the organizational level


Take advantage of a new overview dashboard to gain visibility into your security state from an organizational level instead of a subscription level. To help organizations identify and address the challenges of managing an organization-wide security posture, you can now set security policies for management groups in your organization. You can also monitor it with an organization-wide compliance score as well as a breakdown score per subscription and management group.


Improve your productivity


Integrated security configuration in the Virtual Machine experience: Securing your resources in IaaS is important, which is why we’ve made it even simpler for you to do. As you create virtual machines in Azure, security configuration is now integrated into the virtual machine experience. In just a few clicks, you can enable Security Center and quickly assess the security state of your virtual machine, get actionable recommendations and mitigate risks.


An Identity & Access Management section will make it easier to discover if you have enabled access controls, such as multifactor authentication, for your applications and data. You can also discover identity and access issues and receive instructions for remediation.

Reduce your exposure to threats


Just-in-time VM access general availability: Previously in preview, Just-in-Time VM access is generally available today. It allows you to protect against threats such as brute force attacks by opening virtual machine management ports only when access is needed.

Adaptive application controls: Using machine learning, Security Center recommends applications that should be whitelisted. Two new improvements will be available in preview today. First, you can get recommendations for new file types such as MSIs and scripts. Second, you can group virtual machines based on the similarity of applications running on them. Both of these enhancements are to improve the accuracy of the whitelisting policy that Security Center recommends for the virtual machines in a specific workload, and make it even easier for you to block unwanted applications and malware.

Interactive network security monitoring: Get visibility into the network components within your virtual networks in Azure from a new interactive topology. You can explore the connections between your virtual networks, subnets and nodes. You get actionable recommendations if vulnerabilities such as missing network security groups or web application firewalls are detected so you can take the appropriate next step.


File integrity monitoring (FIM): To help protect the integrity of your system and application software, Security Center is continuously monitoring the behavior of your registry and configuration files. If some abnormal change to the files or a malicious behavior is detected, Security Center will alert you so that you can continue to stay in control of your files.

Extending threat protection to containers: You can now get visibility into the security posture of your container environments and monitor for insecure configurations on the container engine.

New secure configuration assessments for servers: A new web security configuration assessment helps you find vulnerabilities in your IIS web servers running on IaaS VMs and provides actionable recommendations to mitigate the risks.

Quickly detect and respond to threats


Integration with Windows Defender Advanced Threat Protection for servers (WDATP): Security Center now harnesses the power of WDATP to provide improved threat detection for Windows Servers. Microsoft’s vast threat intelligence enables WDATP to identify and notify you of attackers’ tools and techniques, so you can understand threats and respond. To uncover more information about a breach, you can explore the details in the interactive Investigation Path within the Security Center blade. To get started, WDATP is automatically enabled for Azure and on-premises Windows Servers that have been onboarded to Security Center.


Fileless Attack Detection: Security Center uses a variety of advanced memory forensic techniques to identify malware that persists only in memory and is not detected via traditional means. You can use the rich set of contextual information for alert triage, correlation, analysis and pattern extraction.

Threat analytics for admin activity: Security Center can now detect threats targeting your admin activity by analyzing the Azure Resource Management logs. If something abnormal is attempted or permissive privileges have been granted, you will be alerted and can investigate the activity.

Security Center is also extending its threat detection capabilities to PaaS resources. It can now detect threats targeting Azure App Services and provide recommendations to protect your applications.

New partner integrations


Security Center integrates with many partner solutions. We are excited to announce the integration with new partner solutions from Palo Alto and McAfee.

Palo Alto: This integration lets you provision the Palo Alto VM-Series Next Generation Firewall directly from the Security Center blade, simplifying deployment, and adds integrated threat detection and unified health monitoring of the firewall.

McAfee: Security Center also supports the discovery and health status reporting of McAfee anti-malware on Windows machines, so you can now receive recommendations from another third-party antimalware service and mitigate potential issues.

Azure Security Center released several new capabilities today that will provide you with better insight, more control, and confidence to keep pace in this ever-changing cybersecurity landscape. Learn how one of our customers, Icertis, achieved better security and gained more productivity by saving 30 percent of operations time by using Azure Security Center.

Thursday, 1 March 2018

Spring Security Azure AD: Wire up enterprise grade authentication and authorization

We are pleased to announce that Azure Active Directory (Azure AD) is integrated with Spring Security to secure your Java web applications. With only a few lines of configuration, you can wire up enterprise-grade authentication and authorization for your Spring Boot project.

With the Spring Boot Starter for Azure AD, Java developers can now get started quickly building the authentication workflow for a web application that uses Azure AD and OAuth 2.0 to secure its back end. It also enables developers to create a role-based authorization workflow for a Web API secured by Azure AD, with the power of Spring Security.

Getting Started


Take the To-do App, which Erich Gamma showed at SpringOne 2017, as an example. The sample is composed of two layers: an Angular JS client and a Spring Boot RESTful web service. It illustrates the flow to log in and retrieve the user's information using the AAD Graph API.

Authorization Flow Chart

The authorization flow is composed of three phases:

1. Login with credentials and get validated through Azure AD.
2. Retrieve token and membership information from Azure AD Graph API.
3. Evaluate the membership for role-based authorization.


Register a new application in Azure AD


To get started, first register a new application in Azure Active Directory. After the app is ready, generate a client key and grant permissions to the app.


Features of Spring Security Azure AD


Use Spring Initializr to quick-start a new project with the Spring Security and Azure Active Directory dependencies. Specify the Azure AD connection settings and wire up the AAD AuthFilter in your project. Now you can easily set up AAD authentication and role-based authorization with the following features:

◈ @PreAuthorize: Implement Spring’s @PreAuthorize annotation to provide method-level security with roles and permissions of logged-in users.

◈ isMemberOf(): provides access control with roles and permissions based on membership of a specified Azure AD user group.


Access Control with Azure AD Group


Run and test your app in a web browser. Now you can easily use Azure AD Group for access control by adding or removing group members.
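The three-phase flow and the two features listed above, as an added example that is not the post's sample or the starter's own code: one Spring Boot file that installs the AAD authentication filter and gates REST endpoints on Azure AD group membership. The `AADAuthenticationFilter` and `UserPrincipal` class names, the `ROLE_<group>` authority naming and the property names are assumed from early releases of the starter; the group names and property values are placeholders.

```java
package com.example.todo;

import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Map;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.web.bind.annotation.DeleteMapping;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

// Assumed class names from the Azure AD Spring Boot starter; verify against your version.
import com.microsoft.azure.spring.autoconfigure.aad.AADAuthenticationFilter;
import com.microsoft.azure.spring.autoconfigure.aad.UserPrincipal;

/*
 * application.properties (assumed property names; values are placeholders for the
 * app registration and client key created in Azure AD):
 *   azure.activedirectory.client-id=<application-id-from-registration>
 *   azure.activedirectory.client-secret=<client-key-from-registration>
 *   azure.activedirectory.active-directory-groups=todo-users,todo-admins
 */
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true) // turns on @PreAuthorize evaluation
public class TodoSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private AADAuthenticationFilter aadAuthFilter; // auto-configured by the starter

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                // Phase 1: every API call must carry a token that Azure AD validated.
                .antMatchers("/api/**").authenticated()
            .and()
                // Phase 2: the filter validates the bearer token and loads the user's
                // group memberships from the AAD Graph API into the principal.
                .addFilterBefore(aadAuthFilter, UsernamePasswordAuthenticationFilter.class);
    }
}

@RestController
@RequestMapping("/api/todolist")
class TodoListController {

    // Phase 3: each configured group is exposed as a ROLE_<group> authority, so the
    // SpEL expression denies the call with HTTP 403 before the method body runs.
    @GetMapping
    @PreAuthorize("hasRole('ROLE_todo-users')")
    public List<String> list() {
        return Arrays.asList("Review access policy", "Rotate client key");
    }

    // Destructive operations are limited to the admin group; membership is managed
    // in Azure AD, so no code change is needed to grant or revoke it.
    @DeleteMapping("/{id}")
    @PreAuthorize("hasRole('ROLE_todo-admins')")
    public void delete(@PathVariable int id) {
        // delete item from the store
    }

    // isMemberOf() for a decision that is easier to express in code than in SpEL.
    @GetMapping("/me")
    public Map<String, Boolean> me(Authentication authentication) {
        UserPrincipal user = (UserPrincipal) authentication.getPrincipal();
        return Collections.singletonMap("canDelete", user.isMemberOf("todo-admins"));
    }
}
```

Removing a user from the `todo-admins` group in Azure AD takes effect the next time a token is issued and its groups are resolved, which is the access-control behaviour the post describes.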
