Securing your application in Azure

Security today is one of the most important aspects of any application, and it is no simple thing to get right. Fortunately, Azure provides many services to help you secure your application. We take a look at some of them in this chapter.

Azure Active Directory

An important part of your application's security is authenticating users before they can use it. Authentication is not an easy thing to implement. You need to store user identities and credentials somewhere, implement password management, create a secure authentication handshake, and so on.

Azure Active Directory provides all of these things and more out of the box. You store your user identities in Azure Active Directory and have users authenticate against it, redirecting them to your application only after they are authenticated. Azure Active Directory takes care of password management, including common scenarios like "I forgot my password."

Azure Active Directory is used by millions of applications every day, including the Azure portal, Outlook.com and Office 365. Because of this, it is able to more readily detect malicious behavior and act on it. For instance, if a user were to sign in to an application from a location in Europe and then one minute later sign in from Australia, Azure Active Directory would flag this as malicious behavior and ask the user for additional credentials through multifactor authentication.
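The Europe-then-Australia scenario above is commonly called an "impossible travel" check. The following is an added illustration, not Azure Active Directory's actual detection logic; the speed threshold, the minimum distance, and the sign-in records are all constructed assumptions.

```python
import math
from datetime import datetime

# Constructed sample sign-in events (not real Azure AD log data).
SIGN_INS = [
    {"user": "alice", "time": "2024-05-01T09:00:00", "lat": 52.37, "lon": 4.90},     # Amsterdam
    {"user": "alice", "time": "2024-05-01T09:01:00", "lat": -33.87, "lon": 151.21},  # Sydney
    {"user": "bob", "time": "2024-05-01T09:00:00", "lat": 48.86, "lon": 2.35},       # Paris
    {"user": "bob", "time": "2024-05-01T12:30:00", "lat": 51.51, "lon": -0.13},      # London
]

MAX_SPEED_KMH = 1000   # assumed threshold: roughly airliner cruising speed
MIN_DISTANCE_KM = 50   # assumed floor: ignore small IP-geolocation jitter


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points on Earth, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def impossible_travel(events, max_speed_kmh=MAX_SPEED_KMH):
    """Return consecutive sign-in pairs per user whose implied speed is not plausible."""
    flagged, last_seen = [], {}
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["time"])):
        prev = last_seen.get(ev["user"])
        last_seen[ev["user"]] = ev
        if prev is None:
            continue
        delta = datetime.fromisoformat(ev["time"]) - datetime.fromisoformat(prev["time"])
        hours = delta.total_seconds() / 3600
        km = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
        if km < MIN_DISTANCE_KM:
            continue
        # Simultaneous sign-ins from distant places (hours == 0) are flagged too.
        if hours == 0 or km / hours > max_speed_kmh:
            flagged.append({"user": ev["user"], "from": prev["time"],
                            "to": ev["time"], "km": round(km)})
    return flagged


if __name__ == "__main__":
    for hit in impossible_travel(SIGN_INS):
        print("step-up authentication candidate:", hit)
```

A flagged pair is a signal to ask for additional credentials rather than proof of compromise, since VPNs and mobile carriers can shift a user's apparent location.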

Azure API Management

APIs should be secure. This is true for APIs that you create yourself as well as those that you consume from third-party vendors. To assist in making your APIs secure, you can use Azure API Management. It is essentially a proxy that you place in front of your own APIs or those from third-party vendors, and it adds features like caching, throttling, and authentication/authorization.

You can secure your API with API Management by requiring consumers to create a subscription to your API. This way, calling applications need to authenticate before they can use your API. You can use various authentication methods like access tokens, basic authentication, and certificates. Additionally, you can track who is calling your API and block unwanted callers.

Azure Key Vault

As part of your security architecture, you need a secure place to store certificates, keys, and other secrets. Azure Key Vault provides that. With Key Vault, you have one central location where you store the secrets that your applications use.

One example is the credentials in a connection string that your application uses. Your application would get the connection string from Key Vault instead of from the configuration system. This way, administrators can control the secrets, and developers never need to deal with them.

You also use Key Vault to store certificates like Secure Sockets Layer (SSL) certificates that you use to secure the traffic to and from your applications over HTTPS.

Azure DDoS protection

You've heard it too many times on the news, and you certainly don't want it to happen to your enterprise: your application is hit by a Distributed Denial of Service (DDoS) attack. These types of attacks are becoming more common and can overwhelm your application to the point that nobody can use it anymore.

Azure protects you from DDoS attacks with its Azure DDoS protection layer. This is a layer in the Azure physical network that is not accessible to customers. This is part of the Azure platform, and you get it for free with all your services. You don't need to do anything or configure anything to use it. It is always there to protect you.

Azure Web Application Firewall

You need to secure your application against many possible threats, including those defined in the Open Web Application Security Project (OWASP) specification, such as SQL injection and Cross-Site Scripting (XSS). Azure Web Application Firewall can lend a hand with that. Web Application Firewall, a feature of the Azure Application Gateway service, provides real-time protection of your application.

It can detect a malicious attack, as defined in the OWASP core rule set, and block that attack from reaching your application. It also reports on the attacks that were attempted or are ongoing so that you can see which threats are trying to get to your application. This provides an extra layer of security that protects your applications.

Default encryption of data

You protect your data stores as well as you can by having secure connection strings and firewall rules in place. But if an attacker somehow is able to gain access to your data, you want to render it useless via encryption.

By default, your data is encrypted when you store it in Azure SQL Database, Azure SQL Data Warehouse, Azure Database for MySQL, Azure Database for PostgreSQL, Azure Storage, Azure Cosmos DB or Azure Data Lake Store. And this all works automatically; you don't need to do a thing to configure it or to encrypt or decrypt data when you use it.