
EntraID Notes

    1. Integration Between Microsoft Entra ID and Systems

    • Integration: Microsoft Entra ID (Identity and Access Management) is used to authenticate and authorize users or services.
    • Authorization:
      • All interactions between Azure components, such as the SQL system, EDM AKS, and EDM BLOB storage, are authenticated via Entra ID.
      • Service accounts are mentioned, likely for automated tasks, but these are also managed and authorized via Entra ID.
    • Security Concerns:
      • Least Privilege: Entra ID role assignments must follow the principle of least privilege, granting each identity only the access its component actually needs.
      • Access Auditing: Entra ID sign-in and audit logging should be enabled and retained to track who accesses each service and under what circumstances.

    2. Azure SQL Server and CC Spoke / VNet Integration

    • Integration: The SQL system in CC Spoke / VNet is linked to other components for data storage and operations.
    • Authorization:
      • Entra ID is used for secure authentication to the SQL database.
      • SQL permissions are granted based on roles defined in Entra ID.
    • Security Concerns:
      • SQL Injection Protection: Ensure that all inputs are validated and that database access uses parameterized queries to avoid SQL injection attacks.
      • Encryption at Rest & In Transit: The data in the SQL database should be encrypted at rest and in transit.

    3. Integration Between EDM Spoke / VNet, EDM AKS, and Hyland OnBase

    • Integration:
      • The EDM Spoke / VNet houses services like EDM AKS (Azure Kubernetes Service), which communicates with Hyland OnBase and uses EDM Mass Migrator for document and data migration.
      • The Mass Migrator likely handles bulk data transfer from one environment to another.
    • Authorization:
      • Entra ID is used for authentication in this process, ensuring that only authorized services and users can interact with these resources.
      • Encryption keys are managed and authenticated via EDM Key Vault.
    • Security Concerns:
      • Key Management: Ensure that the EDM Key Vault is secured with proper access controls and only authorized users and services can access keys.
      • Network Segmentation: The use of VNet ensures network isolation, but careful network security rules should be defined to limit access only to authorized entities.

    4. Integration with Azure Blob Storage

    • Integration:
      • The EDM Blob Storage (both production and temporary containers) is used to store documents and backups.
      • The Mass Migrator and EDM AKS interact with these storage containers.
    • Authorization:
      • Entra ID and Service Accounts are used for authentication to the Blob Storage.
      • Access Control Lists (ACLs) and Storage Account Keys are used for authorization.
    • Security Concerns:
      • Encryption: Ensure that data stored in Azure Blob Storage is encrypted (both in transit and at rest).
      • Key Rotation: Ensure that storage account keys are rotated regularly for security.

    5. Data Transfer Between Azure and AWS (via azCopy)

    • Integration:
      • Data (such as encrypted documents and database backups) is transferred from Azure Blob Storage to AWS Hyland Admiral S3 Bucket using azCopy.
      • AWS Credentials are fetched (likely using a script).
    • Authorization:
      • Entra ID handles authentication for access to Azure resources, while AWS credentials (such as AWS Storage Account Key & Secret) are used to authenticate to AWS resources.
      • Service Accounts are also part of this process for automated tasks.
    • Security Concerns:
      • Secure Storage of AWS Credentials: Credentials should be securely stored (e.g., in a secrets manager such as AWS Secrets Manager or Azure Key Vault and injected at runtime, or at minimum in environment variables) and never hard-coded or exposed in code.
      • Secure Data Transfer: The use of azCopy for data transfer suggests encryption in transit, but this needs to be confirmed.
      • Multi-Cloud Security: Ensure that both Azure and AWS environments follow consistent security practices, especially for data encryption and identity management.

    6. Integration with AWS Cloud and S3 Bucket

    • Integration:
      • The Hyland Admiral S3 Bucket is used in AWS to store documents and backups transferred from Azure.
      • The AWS Cloud Firewall protects this bucket and restricts access.
    • Authorization:
      • AWS Storage Account Key & Secret are used to authenticate to AWS.
    • Security Concerns:
      • Bucket Permissions: S3 bucket policies should be tightly controlled to ensure that only authorized systems and users have access.
      • Data Integrity: Data integrity checks should be performed when moving data from Azure to AWS, ensuring no data corruption or tampering.
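    Sections 5 and 6 ask for the azCopy transfer to be verified for integrity. The following is an added example (not from these notes, nor tooling from Hyland, Microsoft or AWS) that compares the Content-MD5 that Azure Blob Storage reports for each blob with the ETag S3 reports for the copied object, flagging altered, missing and multipart objects (whose ETag is not a plain MD5 and so need a separate hash manifest). The two listings are constructed stand-ins for the providers' list APIs.

```python
"""Integrity check for objects copied from Azure Blob Storage to S3.
Azure Blob reports a base64 Content-MD5 per blob; S3 reports a hex ETag that
equals the object's MD5 only for single-part, non-KMS-encrypted uploads
(multipart ETags end in "-<part count>"). Sample listings are constructed."""
import base64
import binascii
import hashlib
from typing import Dict, Optional

def _b64_md5(data: bytes) -> str:
    return base64.b64encode(hashlib.md5(data).digest()).decode()

# Constructed sample: blob name -> Content-MD5 as Azure Blob reports it.
AZURE_BLOBS: Dict[str, str] = {
    "docs/contract.pdf": _b64_md5(b"contract-bytes"),
    "backups/db.bak": _b64_md5(b"backup-bytes"),
    "docs/missing.pdf": _b64_md5(b"never-copied"),
    "backups/big.bak": _b64_md5(b"big-multipart"),
}
# Constructed sample: key -> ETag as S3 reports it (quoted hex MD5, or
# "<hex>-<n>" for a multipart upload). db.bak was altered in transit.
S3_OBJECTS: Dict[str, str] = {
    "docs/contract.pdf": '"%s"' % hashlib.md5(b"contract-bytes").hexdigest(),
    "backups/db.bak": '"%s"' % hashlib.md5(b"tampered-bytes").hexdigest(),
    "backups/big.bak": '"%s-3"' % hashlib.md5(b"big-multipart").hexdigest(),
}

def content_md5_to_hex(content_md5_b64: str) -> str:
    """Convert Azure's base64 Content-MD5 into the hex form used by S3 ETags."""
    return binascii.hexlify(base64.b64decode(content_md5_b64)).decode()

def compare_object(content_md5_b64: str, etag: Optional[str]) -> str:
    """Classify one object as ok, mismatch, missing or unverifiable."""
    if etag is None:
        return "missing"
    etag = etag.strip('"')
    if "-" in etag:
        # A multipart ETag is an MD5 of part MD5s, not the object's MD5; fall
        # back to a hash manifest computed before azCopy ran.
        return "unverifiable"
    return "ok" if etag == content_md5_to_hex(content_md5_b64) else "mismatch"

def verify_transfer(azure_blobs: Dict[str, str], s3_objects: Dict[str, str]) -> Dict[str, str]:
    """Map every source blob to its verification status on the S3 side."""
    return {name: compare_object(md5, s3_objects.get(name)) for name, md5 in azure_blobs.items()}

if __name__ == "__main__":
    for name, status in sorted(verify_transfer(AZURE_BLOBS, S3_OBJECTS).items()):
        print(f"{status:12} {name}")
```

    Any "mismatch" or "missing" result should block the migration batch from being marked complete, and "unverifiable" objects should be re-checked against a SHA-256 manifest taken from the source before the copy.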

    7. Integration with Palo Alto Whitelist and Firewall

    • Integration:
      • The Palo Alto Whitelist is used to authorize specific entities to access resources within the system, acting as a secondary layer of security.
    • Authorization:
      • The Whitelisting mechanism allows specific IPs or services to access critical infrastructure, such as Azure or AWS resources.
    • Security Concerns:
      • Dynamic IPs: If the systems are using dynamic IPs, this could cause issues with maintaining a secure whitelist.
      • Access Control: It’s crucial that the whitelist is regularly reviewed and only authorized entities are granted access.

    General Security Questions & Concerns:

    1. Are all services using secure communication channels (TLS/SSL)?
      • It’s important to ensure that all data transmitted between Azure and AWS (and between components within Azure) is encrypted using TLS/SSL.
    2. Are there clear access control policies and audit logs for Entra ID and AWS Storage Keys?
      • Strong role-based access control (RBAC) policies should be in place for both Entra ID and AWS. Audit logs for these services should also be enabled to track any unauthorized access attempts.
    3. How are sensitive data and credentials stored and rotated?
      • For both AWS and Azure, credential management should follow best practices, such as using AWS Secrets Manager or Azure Key Vault for secure storage and automated rotation of secrets.
    4. Are data backups encrypted both in storage and during transfer?
      • Encryption should be enforced for backups at rest (in Blob Storage and S3) and in transit (when using azCopy or similar tools).
    5. Is there a disaster recovery plan in place for both Azure and AWS environments?
      • A disaster recovery strategy should be established in case of system failure, ensuring that data can be restored quickly and securely.
    6. How are the security policies enforced across different environments (Azure vs. AWS)?
      • Consistency in security practices across both Azure and AWS is essential to ensure no gaps in security.
    7. Are there any potential risks in the use of azCopy for data migration?
      • While azCopy is an efficient tool, it must be verified to ensure it uses encryption for all data transfers and is not inadvertently exposing sensitive data.

    Conclusion:

    The architecture involves several integrations across Azure and AWS, utilizing strong identity and access management through Entra ID and secure authentication via Service Accounts, AWS Keys, and Secrets. However, careful attention must be paid to encryption, access control policies, and credential management to ensure that the system remains secure.
