A PKI Solution for Azure - Security Boulevard

A PKI Solution for Azure

Cyber crime is a genuine threat now that everyone’s information is uploaded online. It is critical for organizations to keep their users’ information protected from outside threats, otherwise they could be looking at a major catastrophe.

Many Azure admins have their users create their own passwords, which is a detriment to network security and user experience. If a user needs to use multiple web applications, they will either need to remember several different passwords or just end up using the same password for each one. The former is a burden on the user and the IT department; the latter is a security risk. Plus, passwords require password reset policies, meaning every 60 or 90 days the IT team is bombarded with support tickets.

Azure customers can ditch password-based authentication and switch to X.509 certificate-based authentication. Digital certificates offer vast improvements to network security, efficiency, and user experience. But in order to deploy certificates, organizations will need to implement a Public Key Infrastructure (PKI).

The Security Benefits of using a PKI with Azure

Although they provide a multitude of services, PKIs are most often used with Azure for authenticating users for Wi-Fi, VPN, and web applications. PKIs enable admins to use public key cryptography, or asymmetric encryption, and create a public-private key pair for each user. The public key is placed in a digital certificate that can be exchanged freely, while the private key stays securely stored on the user's device.

Some PKI vendors offer solutions tailored to specific applications. For example, SecureW2’s Managed Cloud PKI works perfectly for WPA2-Enterprise and is built to support certificate-based Wi-Fi authentication (EAP-TLS). EAP-TLS is the only certificate-based authentication protocol for 802.1X, which makes it the most secure protocol too.

By using EAP-TLS and certificates for authenticating users, organizations eliminate the possibility of over-the-air credential theft. Dangerous cyber attacks like the infamous man-in-the-middle attack are rendered useless: even if an attacker were to capture a certificate in transit, it cannot be used to authenticate without the matching private key, which never leaves the device.

Certificates can also be easily used for VPN authentication. Using certificates for VPN authentication instead of passwords significantly reduces the risk of VPN phishing attacks. With SecureW2’s PKI, you can easily get VPN certificates onto every device on your network with our BYOD Certificate Installation software and our Gateway APIs for managed device certificate auto-enrollment.

SecureW2’s PKI also comes with a Dynamic Cloud RADIUS server which can support Azure networks. In fact, Cloud RADIUS offers an industry-first passwordless Azure solution by leveraging certificates for network security, while still providing LDAP security features like User Lookup. It’s the only solution that provides admins with all the tools necessary to deploy certificate-based 802.1X authentication and VPN authentication.

A Cloud PKI that Works with Azure

If our sales and support engineers have told us anything, it’s that many Azure and Active Directory (AD) admins are having difficulties when attempting to migrate their environments to the cloud. For starters, AD requires an on-prem connection and isn’t designed for cloud computing.

With that restriction, many admins have chosen to build their own PKI on-premises. But by doing so, they are signing themselves up for an incredibly laborious project that will cost their organizations hundreds of thousands of dollars. On-premises PKIs require weeks or even months of configuration in order to get up and running. Admins spend countless hours trying to figure out what they need, what they don’t need, how to connect the things they do need, and how to connect it all with their AD directory.

With the on-prem option, Azure customers are stuck with legacy servers that aren’t well-equipped to handle modern cyber threats – leaving their systems vulnerable to over-the-air credential theft. Plus, the software world is quickly migrating to the cloud and networks with legacy environments are left behind.

So how can you deploy a cloud PKI that works with Azure?

Integrating Azure with a Cloud PKI Solution

Many admins may fear that it is too difficult to implement a PKI for their Azure environment, but that’s not the case at all. By integrating Azure with our Managed Cloud PKI, admins can get it up and running in no time and start issuing certificates to all network users.

Below is a quick overview of how to set up Azure and AD with SecureW2’s PKI to deploy WPA2-Enterprise with 802.1X EAP-TLS.

  1. Configure Azure as an IDP in a SAML Application.
    • Once Azure SAML is integrated with SecureW2, users can self-configure their devices for WPA2-Enterprise and equip each device with a certificate for life.
  2. Add Users to the Azure SAML Application and/or Integrate Active Directory
    • Once integrated, the network can quickly determine who’s an approved network user during the authentication process.
  3. Configure Attribute Mapping and Policies in the SecureW2 Management Portal
    • Encode user attributes into certificates to provide identity context and easily assign VLANs, which is valuable for user groups and policies.

For a more in-depth guide, check out our article on configuring WPA2-Enterprise with Azure and Azure AD.

Managing PKI Certificates in Azure


Apart from getting a certificate onto every device, managing every certificate seems like a tall order for your typical sysadmin. Not to worry, our PKI solution covers every aspect of certificate lifecycle management, from issuance to expiration.

Certificate Issuance

Azure customers are able to use SecureW2’s PKI to deliver certificates to all network devices. For BYODs, admins can use our onboarding software and for managed devices, they can use Gateway APIs.

Users can download our JoinNow App and, in just a few clicks, configure their devices with 802.1X settings and enroll for a certificate. Admins can send out configuration payloads containing 802.1X configuration settings, and devices will then automatically request a certificate. Once their credentials are approved, a certificate is issued to the device and set for life.

Our Cloud RADIUS server learns which certificates have been revoked by periodically downloading a Certificate Revocation List (CRL). When authenticating devices, Cloud RADIUS refers to the CRL to ensure that the user’s certificate has not recently been revoked.

Cloud RADIUS gives Azure admins the ability to adjust the download interval, so the CRL can be refreshed more or less frequently to balance how quickly a revocation takes effect against the cost of repeated downloads.
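The following Go program is an added example, not SecureW2’s code and not how Cloud RADIUS is implemented. It ties together two points from this post: the per-user key pair and certificate model described under "The Security Benefits of using a PKI with Azure", and the CRL check just described. It builds a throwaway CA in memory, issues two EAP-TLS style client certificates (the names `alice@example.test` and `bob@example.test` are constructed), signs a CRL that revokes the second, and then runs a small cache that mimics a RADIUS server’s periodic CRL download with a configurable interval. The cache only accepts a CRL that the issuing CA actually signed, keeps the previous copy if a download fails, and reports an error once the CRL is past its `NextUpdate` so the caller can fail closed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// TestPKI: a throwaway CA, two EAP-TLS style client certificates and a CRL revoking the second, all in memory.
type TestPKI struct {
	CA, Good, Revoked *x509.Certificate
	CRLDER            []byte // DER-encoded CRL, as a RADIUS server would download it
}
// sign creates tmpl signed by parent (self-signed when parent == tmpl) and parses the result.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, priv *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil { return nil, err }
	return x509.ParseCertificate(der)
}

func BuildTestPKI() (*TestPKI, error) {
	now := time.Now()
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // the CA private key never leaves the PKI
	if err != nil { return nil, err }
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Cloud PKI CA (constructed)"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(48 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // may sign both certificates and CRLs
	}
	ca, err := sign(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil { return nil, err }
	// Each user gets a fresh key pair; only the public key is embedded in the certificate.
	client := func(serial int64, cn string) (*x509.Certificate, error) {
		key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil { return nil, err }
		return sign(&x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
			KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		}, ca, &key.PublicKey, caKey)
	}
	good, err := client(1001, "alice@example.test")
	if err != nil { return nil, err }
	revoked, err := client(1002, "bob@example.test")
	if err != nil { return nil, err }
	// The CRL lists bob's serial and is valid for one hour (NextUpdate).
	crlDER, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now.Add(-time.Minute), NextUpdate: now.Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: revoked.SerialNumber, RevocationTime: now.Add(-time.Minute)}},
	}, ca, caKey)
	if err != nil { return nil, err }
	return &TestPKI{CA: ca, Good: good, Revoked: revoked, CRLDER: crlDER}, nil
}

// CRLCache models the RADIUS server's periodic CRL download: the last verified CRL is reused until
// Interval elapses. Fetch stands in for the HTTP download of the CRL distribution point. (A real
// server would guard the cache with a mutex; omitted here for brevity.)
type CRLCache struct {
	Issuer   *x509.Certificate
	Fetch    func() ([]byte, error)
	Interval time.Duration
	Now      func() time.Time // clock; time.Now in production, overridable in tests
	crl      *x509.RevocationList
	fetched  time.Time
}
// current returns the cached CRL, re-downloading once Interval has passed. A new copy is accepted
// only if the issuing CA signed it; a failed download keeps the old copy until NextUpdate passes.
func (c *CRLCache) current() (*x509.RevocationList, error) {
	if c.crl != nil && c.Now().Sub(c.fetched) < c.Interval { return c.crl, nil }
	der, err := c.Fetch()
	if err != nil && c.crl != nil { return c.crl, nil }
	if err != nil { return nil, err }
	crl, err := x509.ParseRevocationList(der)
	if err != nil { return nil, err }
	if err := crl.CheckSignatureFrom(c.Issuer); err != nil { return nil, err }
	c.crl, c.fetched = crl, c.Now()
	return crl, nil
}
// IsRevoked reports whether cert's serial is on the current CRL. A CRL past its NextUpdate is an error.
func (c *CRLCache) IsRevoked(cert *x509.Certificate) (bool, error) {
	crl, err := c.current()
	if err != nil { return false, err }
	if c.Now().After(crl.NextUpdate) { return false, errors.New("CRL is stale: NextUpdate has passed") }
	for _, e := range crl.RevokedCertificates {
		if e.SerialNumber.Cmp(cert.SerialNumber) == 0 { return true, nil }
	}
	return false, nil
}

func main() {
	pki, err := BuildTestPKI()
	if err != nil { panic(err) }
	cache := &CRLCache{Issuer: pki.CA, Fetch: func() ([]byte, error) { return pki.CRLDER, nil }, Interval: 30 * time.Minute, Now: time.Now}
	fmt.Println(cache.IsRevoked(pki.Good))    // false <nil>
	fmt.Println(cache.IsRevoked(pki.Revoked)) // true <nil>
}
```

Two design points are worth noting. The cache deliberately distinguishes a failed download (keep serving the last good CRL) from a CRL past its `NextUpdate` (refuse to answer): that is the trade-off the download interval controls, since a short interval catches revocations sooner but a longer one survives a longer outage of the distribution point. And a CRL is treated as data from the network until `CheckSignatureFrom` succeeds, which is what stops anyone able to tamper with the download from un-revoking a certificate.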

Managed Device Gateway APIs

For Azure customers that also use an MDM, such as Intune, admins are able to build powerful Gateway APIs to easily provision every device with a certificate.

SecureW2 offers industry-first native integration with MS-GPO, giving admins the ability to customize certificates for users based on their network policies and access levels.

Implement a Secure Cloud-based PKI for Azure

By integrating their environments with SecureW2’s Managed PKI and Cloud RADIUS, Azure admins are able to deploy secure certificate-based authentication and leave passwords behind. Our software works natively with Azure, and admins can use our onboarding software and powerful gateway APIs to auto-enroll all network devices.

Our service comes at an incredibly affordable price; check out more information on our pricing page.


*** This is a Security Bloggers Network syndicated blog from SecureW2 authored by Sam Metzler. Read the original post at: https://www.securew2.com/blog/pki-solution-azure/