Normalize Security & Improve AppDev Velocity via TFE & AAD
My primary design goal is to seamlessly deliver security by integrating security deliverables into upstream platform action. In other words, I want the things I need created or put in place from a security perspective to be automatically initiated, built, and put in place based on an action you had to take to develop or deploy youapp secication. In appSec this equates to triggering a code scan or a container security check as part of an application development lifecycle however, the integration and automation shouldn’t stop there. What about automating application registrations, roles, and security group to role mapping?
Recently I sat with a customer who utilized Azure Active Directory and TFE. They were fairly TFE mature but hadn’t yet implemented private TFE modules or TFE capabilities within the identity and application registration area. Our goals as part of this work were to empower the app dev teams to:
- Automate application registrations, role definitions, security group creation, and security group to role mapping.
- Automatically create identities and enable entitlement declaration, approval, and assignment.
Understanding the relationship between an Application Registration and an Enterprise Application is essential. The Application Registration is where application roles are defined. The Enterprise Application is where the application role to a security group (the actual container that houses the user) mapping is defined (see figure 1 below).
TFE offers an application registration module. The module enables both the creation of an application registration and the definition of the roles (we are working with AAD integrated applications here) the application requires. TFE also offers a module that creates security groups in Azure Active Directory. Combine these two modules, and you get an Application Registration that defines its roles (figure 2)
and the automatic creation of the required security groups to contain the users with that role (figure 3).
Figure 3 also demonstrates a security group naming standard that enables the application to track user assignment method i.e., birthright or exception (ticketed).
Now that TFE has created the role and the groups required to support the roles, I can utilize PowerShell to perform the role > group mapping on the Enterprise Application.
So now, any team writing their app, which includes defining the roles and required access logic within the app, can automatically have their roles registered to the Application Registration, their security groups created, and their security group to role mapping completed on the Enterprise Application, without having to talk to anyone in Information Security-Identity. This works for SaaS purchased apps too. Just create the Application Registration with the roles defined by the SaaS provider.