Authentication – How to use AD credentials in a cloud app easily?Authorization – How to give enough data to the app to make the right access decisions?Data Synchronization – If you need to store data in the cloud, how to do that wellSecurity of Data – How does your corporate data privacy or legal restrictions influence this?Application Integration – how to model things like Kerberos constrained delegation or calling internal web services?Ops/Mgmt – how to integrate into your operations tools like SCOM; how to do forensics for your security team; audits, etc.
User can be on corpnet or on the internetNo need to sync AD to the cloud (big win)All authentication is done within the Accenture networkGoal is for the user not to notice that the cloud app is in the cloud
The OrgChart app is configured to only accept claims signed by the Accenture Geneva server – this is a key security considerationThe OrgChart app uses claims based auth and the internal Lookup app uses ADFS Web Agent with NT Token
Azure Real World - Joseph Paradi
To use Azure for a corporate application, what are the areas you need to think about?<br />“The Pillars of Concern”<br /><ul><li>Authentication
What did we see?<br /><ul><li>Authentication – “Geneva” server against corporate AD on an internally hosted server
Authorization – “Geneva” server created a custom claim that only contained the data elements required for the application to make the authorization decision
Data Sync – An SSIS package was used to pull data rows and columns using a view from the internal data table and load to the SQL Azure instance
Application Integration – use of “Geneva” server allowed Web SSO model between apps in different locations using different techniques</li></li></ul><li>Where are the gaps?<br /><ul><li>Security of Data – each organization will need to understand how the data is secured in SQL Azure and how to comply with any applicable laws/policies.
Operations/Management – today we cannot use our standard model for creating events in the Windows Event Log and then capturing those with SCOM. We are looking at whether we could build a .NET Services layer to handle it.
IT Audit – you will need to understand what requirements your internal/external IT audit teams have</li></li></ul><li>What did it take to build?<br /><ul><li>Started with .NET 2.0 web site app – conversion to .NET 3.5 SP1 web app was simple
Blog post on how to add geneva claims handling to an app
Geneva server already existed for other apps – defined new relying party and claims to be transmitted
Used SQL Azure Migration Wizardto create SQL Database objects on SQL Azure
Created view on internal SQL data and used SSIS to move it to SQL Azure</li></ul>Overall, the initial version of this took about 40 hours of effort from both of us and it has been modified only slightly since then (another 10 hours of effort).<br />
Why is this so cool?<br /><ul><li>You are leveraging the development and ITPro skills that you already have (VS, SSIS)
You can get running very quickly without new infrastructure (assuming you already have “Geneva”)
You do not have to worry about the plumbing, you just have to build the application
Microsoft is providing the tooling and guidance to reduce the barrier to leveraging Azure</li></li></ul><li>Q & A<br />