Implementing Azure AD Privileged Identity Management (PIM)

Why Implement PIM?

Privileged Identity Management (PIM) is one of the most effective security controls available in Azure AD. Traditional role assignments grant permanent, standing privileges that create significant security risks:

Expanded Attack Surface: Compromised accounts with permanent privileges give attackers immediate access
Compliance Gaps: Audit requirements often mandate Just-In-Time (JIT) access for privileged operations
Privilege Creep: Over time, users accumulate unnecessary permanent role assignments

PIM transforms these permanent assignments into time-bound, audited, and justified access, dramatically reducing your organization’s risk profile. ...

11 min · Me

Implementing Azure Conditional Access Policies for Geographic Security

Understanding Geographic-Based Access Controls

Geographic-based access controls are crucial for organizations looking to maintain compliance with international regulations or to enhance security by removing some low-hanging fruit. One specific use case is blocking access from OFAC-sanctioned countries while allowing access from trusted locations.

Implementation Steps

1. Create a Report-Only Policy

First, create a policy in report-only mode to assess impact:

Navigate to Azure Portal > Azure AD > Security > Conditional Access
Create a new policy
Configure the following settings:
  Users and groups: All users
  Cloud apps or actions: All cloud apps
  Conditions: Locations > Configure > Selected locations
  Access controls: Block access
  Enable policy: Report-only

2. Configure Location Conditions

Create a list of blocked locations: ...

2 min · Me

Implementing Azure Security Best Practices: Break Glass Accounts, MFA, and Legacy Auth

This week, I implemented several critical security measures in Azure Active Directory (now Microsoft Entra ID) that every organization should consider. Let’s walk through the key implementations:

1. Break Glass Account Setup

Break glass accounts are emergency access accounts that help maintain access during identity system failures. Here’s how to set one up:

Create a dedicated emergency access account
Store credentials securely (I used a password manager)
Configure exemptions from Conditional Access policies
Share access with minimal required administrators
Document the process and access procedures

2. Conditional Access for Admin Roles

Implemented stronger MFA controls for administrative roles: ...

1 min · Me

Implementing Fastly WAF: Security Best Practices

WAF Configuration Fundamentals

Rule Set Implementation

# Custom VCL for WAF integration
sub vcl_recv {
  # Enable WAF for specific paths
  if (req.url.path ~ "^/api/") {
    set req.http.X-Fastly-WAF-Enabled = "true";
  }

  # Custom headers for WAF logging
  set req.http.X-Environment = "production";
  set req.http.X-Application = "api-gateway";
}

Advanced Security Rules

Custom Rule Configuration

{
  "rule_id": "custom-sqli-protection",
  "severity": "critical",
  "conditions": {
    "operator": "and",
    "conditions": [
      { "parameter": "REQUEST_URI", "operator": "contains", "value": "sql" },
      { "parameter": "REQUEST_METHOD", "operator": "equals", "value": "POST" }
    ]
  },
  "action": "block"
}

Logging and Monitoring

Real-time Alert Configuration

{
  "name": "waf-alerts",
  "endpoint_type": "https",
  "url": "https://alerts.example.com/webhook",
  "content_type": "application/json",
  "format": {
    "timestamp": "%{strftime({\"%Y-%m-%d %H:%M:%S\"}, time.start)}V",
    "client_ip": "%{req.http.Fastly-Client-IP}V",
    "request_id": "%{req.http.Fastly-Request-ID}V",
    "rule_id": "%{waf.rule_id}V",
    "severity": "%{waf.severity}V",
    "action": "%{waf.action}V",
    "message": "%{waf.message}V"
  }
}

Production Implementation

# Terraform configuration for Fastly WAF
resource "fastly_service_waf_configuration" "production" {
  name = "production-waf"

  rule_set {
    type    = "owasp"
    version = "latest"
  }

  rule {
    rule_id   = "1010020"
    status    = "log"
    threshold = 10
  }

  rule {
    rule_id   = "1010030"
    status    = "block"
    threshold = 5
  }

  logging {
    name = "waf-logs"
    # In HCL strings, %%{ yields a literal %{ (otherwise parsed as a template
    # directive) and \" escapes the quotes inside the VCL strftime format string.
    format = jsonencode({
      timestamp  = "%%{strftime({\"%Y-%m-%d %H:%M:%S\"}, time.start)}V"
      client_ip  = "%%{req.http.Fastly-Client-IP}V"
      request_id = "%%{req.http.Fastly-Request-ID}V"
      rule_id    = "%%{waf.rule_id}V"
      severity   = "%%{waf.severity}V"
      action     = "%%{waf.action}V"
      message    = "%%{waf.message}V"
    })
  }
}

1 min · Me

Securing a Private n8n Instance in Azure with Let’s Encrypt and Managed Identity

This week, I deployed a private n8n automation instance in Azure with a focus on security, auditability, and zero public exposure. Here’s how I solved the HTTPS challenge without storing credentials or opening ports unnecessarily.

Problem Statement

I needed to:

Run n8n privately for internal automations
Enable HTTPS for browser access and webhook security
Use Let’s Encrypt for free TLS certs
Avoid storing Azure credentials on the VM
Keep the VM locked down with minimal exposure

Azure VM and NSG Setup

Deployed Ubuntu VM with n8n running via systemd
Configured Azure Network Security Group (NSG) to allow:
  Port 22 (SSH) and 443 (HTTPS) only
  Scoped to my static IP
Temporarily opened port 80 for Let’s Encrypt HTTP challenge

SSL Issue: Nginx Serving Self-Signed Cert

Despite running Certbot successfully, openssl s_client revealed: ...

2 min · Me