Blogs

How is hybrid cloud useful for midsize/large businesses?

Posted on September 24th, 2021 by admin@mismo2023

A hybrid cloud can be defined as a cloud computing environment that utilizes a combination of on-premises private cloud and third-party public cloud services with orchestration between the two. Cloud service providers offer services such as data storage, work environments & security. Businesses can customize their experience to meet their demands and objectives.

If we compare the hybrid cloud market to other cloud services in the past few years, we can notice a staggering growth in the former. This is because of the additional benefits that the hybrid cloud market provides, which any data-driven organization demands.

It lets companies scale computing resources and removes the need to invest a massive chunk of capital just to handle short-term spikes in demand. It is also useful in cases where the organization has to free up local resources to make room for more sensitive data and/or applications.

The benefits of Hybrid cloud

Data Backup and Business Continuity

Hybrid clouds are much better at backing up and restoring data. For IT companies, data is everything, and that is why mitigating data loss is of the greatest importance.

Instead of employing DIY disaster management and recovery measures, companies can save not only money but also time and resources. And what’s more – the downtime is negligible because retrieving lost or misplaced data has never been easier and faster.

Data Privacy and Security

One of the biggest benefits of choosing a hybrid cloud is the choice of data location based on its usage. This is because in some cases, the public cloud is not suitable for storing certain types of business data. On the other hand, the public cloud offers a lot of compliance offerings, making it an option for achieving compliance certification easily.

Scalability

It is important to note that the scalability offered by private clouds is quite limited, whereas the scalability offered by the hybrid cloud is virtually unlimited. Shifting from in-house cloud infrastructure to public cloud servers is not always cost-effective; however, the Return on Investment (ROI) makes up for it.

Save your money!

Cost can be an alarming factor for companies that are running private clouds on-premises. A huge chunk of the company’s IT budget is often spent on overhead costs, infrastructure investment, and maintenance. However, it doesn’t have to be!

The entry of hybrid cloud solutions has clearly helped companies achieve significant cost savings, and because these hybrid cloud solutions are essentially a link between public and private clouds, there is no compromise whatsoever when it comes to the security and sanctity of the data as well as the infrastructure.

Choice of Public Cloud

Certain companies may choose a service from Amazon Web Services due to its wide & flexible offerings; others might choose Google Cloud Platform for its open-source support, or Microsoft Azure for its ease of use. Ultimately, such flexibility allows a company to have the best services from the cloud provider that meets its needs.

Companies choose hybrid cloud over private cloud because of these great benefits! Shift to a hybrid cloud system & see it yourself. Mismo Systems helps companies to get the best hybrid cloud solution based on their needs and goals. Contact us today!

How to Protect Your Data from a Ransomware Attack

Posted on September 22nd, 2021 by admin@mismo2023

What is a Ransomware attack?

It can be defined as a malware attack that is carried out deliberately to encrypt your data and/or the whole system. In most cases, a ransom is demanded by the assailant to decrypt your data, so that you can access it again. Lately, there has been a surge in the demand for cryptocurrency as a form of payment since it is less traceable. The amount of ransom demanded can be small or large, depending on the importance of the data as well as the financial status of the victim.

How to build an effective Ransomware Data Recovery Strategy?

1) Protection of backups—Your backups are useful only if they are safe as well as accessible. It must be ensured that the backups created are as protected as your data so that data can be recovered quickly and safely.

2) Formulate your recovery plan—An efficient and effective ransomware data recovery plan for all assets and data must be formulated, with special emphasis on the mission-critical ones. Even if there is an attack, a master backup or image must be present to restore and/or rebuild all the data.

3) Create offsite copies of your data—Anyone who is dealing with data must store a copy of it either offsite, online, or in fact, both. It is an integral step in data protection as it safeguards your data even if your on-site backups are under attack. While you are storing these copies, remember to secure the data just as you would for the primary copy.

4) Categorize your data—Start by building an inventory of your data. This step is done to determine how your data should be categorized and stored. These categories might be: regulated, proprietary, critical, or valuable. Once the inventory is set up, how data needs to be protected can be finalized. Plus, data backup can also be initiated.

5) Identify the endpoints—You must be aware of all the data endpoints to identify where these ransomware infections might come from. Categorization of these endpoints can also be done to determine high-value endpoints so that they can be protected.

How can an attack be prevented?

A) Do not click on unsafe links: Most browsers display a warning if you try to open an unsafe link. Do not go forward unless and until you are sure that the given website/link is safe. In most cases, an automatic download may be initiated when you open the link, which could potentially lead to a ransomware infection.

B) Do not disclose personal information: It should be noted that personal information should never be disclosed in a text, e-mail message, or voice call from an untrusted source. Usually, these ransomware attackers try to collect personal information in advance, so that they can design customized phishing messages specifically for you.

C) Suspicious email attachments should not be opened: E-mail attachments are one of the most common vehicles for a ransomware attack. You should avoid opening e-mail attachments from unknown sources. To check whether the e-mail is trustworthy, verify the sender and their e-mail address. Do not open files that prompt you to run macros to view them, because an infected file will run a malicious macro that will give control of your data and/or system to the attacker.

D) Don’t insert unknown USB sticks into your system: USB sticks/Hard disks/CDs from unknown sources may contain ransomware.

E) Always keep your programs and operating system up to date: Regular updates can be very useful in protecting your operating system from malware, as they contain the latest security patches.

F) Download files only from reliable sources: Never use unknown sites to download software or media files. Many people, especially youngsters, tend to download free but pirated content from websites that often contain viruses and malware.

G) Always use a VPN if you are on a public Wi-Fi network: Public Wi-Fi should never be used for making sensitive transactions. If it is unavoidable, then remember to use a good-quality VPN service with it.

Switch to Azure Cloud & help your organization avoid any ransomware attack. Protect your progress without excessive storage costs & pay only for what you use with Azure’s PAYG (Pay-as-you-go) model. To know more about Azure cloud solutions, contact us.

Build superpower apps with no code – PowerApps

Posted on August 24th, 2021 by admin@mismo2023

PowerApps is a tool that allows you to create custom apps, leveraging many of the features of the Office 365 and Microsoft platforms. Apps can be accessed via mobile devices or via the browser.

What sets PowerApps apart from other offerings is that while it can be used by developers, it can also be used by non-technical employees such as business analysts. This means that it is quite possible for a PowerApps power user to create a custom app. Just like its Microsoft cousin Flow, PowerApps is successfully bringing the power of process automation to a non-technical audience.

Features

PowerApps comes with features and tools to help create apps that don’t require any coding. These include:

  • a library of sample apps that you can work from as a starting point and then customise
  • a library of over 200 connectors to integrate data and systems including those across the Office 365 universe
  • an easy drag and drop interface for the creation of apps
  • close integration with other Office 365 and Dynamics tools
  • good support structures, including an active PowerApps community

Canvas and model-driven apps

There are two ways to develop PowerApps – via the canvas approach or the model-driven approach.  The canvas approach is a bit like working from a blank canvas where you connect data sources, add workflows and create interfaces for your app using the drag and drop interface, potentially relying on the library of standard connectors.

Leveraging the connected world of Office 365 allows you to even create canvas apps within other tools such as SharePoint as the starting point.  Using the canvas approach also gives you complete control over an app you’re creating from scratch.

How to Build an App with Microsoft PowerApps

The simplest way to build a PowerApps app is to start from the data source. This is part one in a three-part process:

1. For this example, we’ll start from a SharePoint list that stores some data:

2. Next, we’ll select the “Create an app” option in the PowerApps menu:

3. This takes us to the PowerApps Studio where we’ll find a fully functional canvas app generated by the system:

Keep in mind that these are just the default choices. They hide a much wider set of available options, configurations, and architectural choices that PowerApps provides. Without further ado, let’s take a more in-depth look!

Step 1: Select Your PowerApps Environment

There are four tools or environments that you can work with in PowerApps, and they each have their own capabilities and roles.

PowerApps Website

The website is where you’ll begin your PowerApps service journey. This is where you will be able to create a new app and to manage existing ones.

Here’s a small snapshot of some of the templates that might give you some useful ideas for the app:

PowerApps Studio

Here you’ll be able to design and adapt apps that you create to your specific business needs!

PowerApps Studio contains three panes and a ribbon that help make app creation feel similar to creating a slide deck in PowerPoint. 

PowerApps Mobile App

This handy mobile app is available on both phones (iOS, Android) and tablets (Windows 10). No matter the platform, the app provides a runtime environment where you’ll be able to execute all of your PowerApps apps. This includes the ones that were shared with you as well as the ones you designed and coded yourself.

PowerApps Admin Center

Admin.powerapps.com gives you the power to create and manage environments, DLP (Data Loss Prevention) strategies and user roles. You can get a list of user licenses in the tenant.

Step 2: Select Your PowerApps Application Type

There are two main types of apps you can create with PowerApps:

  • Canvas apps
  • Model-driven apps

Step 3: Select Your Storage Type

Power Platform and specifically PowerApps target a world where data is king and the foundation of any business process. Thus, choosing the correct data sources is very impactful when it comes to designing an app.

Data are stored in a data source and you import them into your app by creating a connection.

Be aware that the choice of data sources will have an impact on the licenses needed to create and execute your app. If you choose or need a Premium source (like Salesforce or Common Data Service) you’ll need a PowerApps P1 or P2 license.

Let us know your questions in the comment section below. Contact us for more information!

Thanks for reading.

Why do you need a Modern Workplace – M365?

Posted on August 11th, 2021 by admin@mismo2023

Microsoft 365, a world of enhanced productivity and collaboration that drives a team to achieve more together, is a complete workplace solution that provides all the apps and services a team requires to do more.

We have moved on from the times when you had to arrange separate services for email, internal chat or collaboration, office apps and the operating system for the normal functioning of a user and, on top of that, the management and security tools to keep track of the whole workplace service landscape. With the arrival of Microsoft 365, all of it comes under one umbrella for the seamless connectivity of all the smaller pieces that make up the workplace.

The term workplace used to refer to a physical space where we went and got busy doing our assigned tasks, adding value to our organization. But there is a big shift in that definition as far as today’s work culture is concerned. The workplace is now an always-connected environment that provides access to all the tools and resources that an employee might need to get their work done.

Basically, it is a location-agnostic event that can happen at any time of day using any connected device. The digital workplace is all about how technology is transforming the type of work employees perform, as well as where and how work gets done.

If we were to list the benefits that a modern workplace offers its users, they would be as follows:

  1. Creation and Co-authoring
  2. Emailing and Internal Collaboration
  3. Ever-availability on Cloud
  4. A fully configurable Intranet
  5. Device and Application Management
  6. Protection Against Cyberthreats etc.

Now, why would you consider M365 as your modern workplace solution?

  1. Work from Home:

We are becoming more and more mobile in our working style. Unlike before, we no longer have to be present at the office premises to start the work or to deliver the given assignments. With the increasing popularity of working from home, users need one solution that can enable them to be productive and collaborative anywhere.

  2. Work on any Device:

Depending on a single device to get the work done creates a lot of liability. In any event where access to the device is disrupted, our work gets disrupted in turn. Microsoft 365 easily solves that problem by keeping your work online and accessible with complete security from any device. Just log in on any device using your credentials and you are all set with all the required tools.

  3. Undisrupted work continuity:

There have been numerous incidents wherein we or one of our teammates could not work for reasons beyond our control, such as the device being stolen, physically damaged or attacked by cybercriminals. Microsoft 365 comes up as an absolute answer to all such highly probable scenarios. Getting ready to face any of these showstoppers is an investment with multifold returns.

We at Mismo Systems encourage our customers to hand over the responsibility for fluid workplace functioning, management and security of all devices and data. Mismo Systems supports businesses to do more and grow more without the worries of day-to-day operations. Let’s all achieve more with the modernization of our workplace! Call us to know more.

Microsoft Teams Updates (June 2021)

Posted on July 2nd, 2021 by admin@mismo2023

In this blog, we will be discussing the various Microsoft Teams updates in the month of June.

Meeting Updates:

  • Presenter Mode

During the past few months, this feature has been heavily promoted by Microsoft, and you can finally start using this latest meeting feature, which gives you more control over how you present your content & video feed to your viewers. It lets you customize the way your content & video feed are displayed in the meeting by using layouts like “Standout”, which shows the presenter’s video as a silhouette in front of the content being shared. As of now, this is the only layout available; however, two additional layouts (Reporter and Side-by-side) are coming soon!

Calling

  • Updated calling user interface

The calling tab layout in Microsoft Teams has been updated. With this, you will get a much more streamlined view that has voicemail, contacts and even calling history all on a single screen. Before this update was rolled out, the users had to switch between several different tabs to get to the desired area.

Chat and Collaboration

  • Group chat with external users

A lot of you must be aware that Microsoft Teams lets you have a conversation with up to 250 participants within a single chat. Even though that is a great feature in its own right, Microsoft has decided to expand on this capability by giving its users the ability to add multiple federated/external users into chats to make collaboration easier. Earlier, you could only have a single user in a federated chat, which meant that you had to create a Teams meeting with all federated participants to communicate with them all at once.

Important reminder for all Teams administrators: do not forget to have a look at your external access/federation settings, as they are the primary setting driving this ability to chat with federated users.

Security, Compliance, and Privacy

  • Customer Key support in Teams

Microsoft 365 Customer Key allows an organization to meet specific compliance requirements by providing the encryption keys that are used to encrypt its data in Microsoft datacenters. This is handled via DEPs (Data Encryption Policies), which encrypt data across multiple M365 workloads for all users within the tenant. For Microsoft Teams, this could include:

  • Teams chat messages (including 1:1 chat, group chats, meeting chats, and channel conversations).
  • Teams media messages (code snippets, images, video messages, audio messages, wiki images).
  • Teams call and meeting recordings stored in Teams storage.
  • Teams chat notifications.
  • Teams chat suggestions by Cortana.
  • Teams status messages.

Subscribe to our monthly newsletter to receive all the latest updates on Microsoft Teams.

For a free demo contact us here!

Thanks for reading.

Microsoft rebrands Windows Virtual Desktop as Azure Virtual Desktop

Posted on June 22nd, 2021 by admin@mismo2023

Microsoft’s virtual desktop infrastructure platform has been rebranded under the Azure name, and Microsoft has announced new security and management capabilities that are currently in preview. Formerly known as Windows Virtual Desktop (WVD), the platform will now be known as Azure Virtual Desktop (AVD), Microsoft said in an official statement on the 6th of June 2021.

The organization has also launched early access to several features in Azure Virtual Desktop, the flexible cloud VDI platform for the hybrid workplace, to enhance its security and management, such as new and improved Azure Active Directory support.

A handful of selected users of the AVD will have vastly improved support for Azure Active Directory, which is responsible for managing security controls and user access to apps and data. Soon, users will have the ability to enrol virtual machines automatically with Microsoft Endpoint Manager, thus, not only making the deployment easier but also reducing the need for a domain controller.

Another added feature that has been seen in the preview is the ability to link the AVD virtual machines to Azure Active Directory which will essentially allow its users to connect with the virtual machine from any properly approved device.

An exciting onboarding experience in the Azure portal will begin an automated deployment of a Virtual Desktop environment. In other news, independent software vendors can now pay a monthly per-user access price to use AVD to deliver apps for customers to stream, as opposed to the previous system, which covered just internal employees.

It is important to highlight that since last year there has been a noticeable spike in the number of Windows Virtual Desktop users due to the ongoing pandemic. To know more about it click here.

Thanks for reading!

How Startups can succeed with Cloud Computing?

Posted on May 7th, 2021 by admin@mismo2023

Startups are an enjoyable but demanding professional experience. A host of entrepreneurially dedicated professionals pursue their passion and dive into the world of launching their own company, with meteoric growth seen from businesses such as Facebook, Uber, and Airbnb.

In the fast-paced world of startups, there are a lot of challenges that are not faced in the regular office environment. From infrastructure to marketing, all processes of a startup must be built from scratch, which is difficult for a new company, mainly due to a lack of investment. While the employee count can be quite low at the beginning, with individuals based in multiple cities or even countries, the major issue arises when a proper structure is required to manage the work of each member.

With cloud computing, the above risks can be reduced.

First, let us understand what cloud computing is.

Cloud Computing is a network of computing services like servers, storage, databases, networking, software, analytics, and intelligence. You only pay for the cloud services you use, which helps reduce operational costs & run your infrastructure more efficiently. It follows a Pay as you go (PAYG) cost model for cloud services, which is much more beneficial than the traditional IT cost model that has a lot more upfront capital expenditure for both hardware and software requirements.

Read on as we discuss the reasons why adopting cloud computing systems can benefit your startup business.

Many people tend to think that life in the world of startups is very fascinating & exciting; still, it cannot be denied that it has its own set of risks and demerits. The Small Business Administration (SBA) Office of Advocacy’s (2018) Frequently Asked Questions (FAQ) stated that the share of small and medium-sized enterprises (SMEs) that are able to sustain themselves through the five-year mark ranges from only 45.4% to 51%.

All parties involved in a startup face many risks: founders, investors, customers, and partners. But by following a proper approach, such risks can be avoided.

As discussed, startups face the following few problems:-

  1. Employee location. (different cities/countries/regions)
  2. Lack of funds.
  3. Stability.

Here are the major benefits of adopting cloud computing for your startup:-

  1. Data Protection: Cloud Solution Providers put forward a group of technologies & services which help in data protection. Daily backups and snapshots on secure servers will secure your data.
  2. Speed & Low Cost: Cloud Computing enhances the flexibility of your business. With just a few taps, it offers you a creative IT infrastructure at low costs. It is easy, quick, and requires minimal investment. You only pay when you use the server.
  3. Effective Collaboration: With virtualization now being the ‘new normal’, all the employees can work more productively without the need for large spaces. It also decreases infrastructure costs, power usage, maintenance, upgrades, hardware, installation services, and support expenses – all of which are immeasurably valuable savings for a startup. Cloud Computing allows all the employees of a firm to access various documents, files & other data from anywhere, anytime via Internet-enabled devices.
  4. Scalability: A cloud storage platform allows the organization to scale resources up or down in a flexible and cost-effective manner. Contrary to the conventional approach, where human intervention is necessary and costly, sophisticated software and hardware can be added or removed according to your convenience. The virtual existence of the cloud increases the usability and availability of service additions. The cloud’s versatility, usability, flexibility, and competitiveness are thus critical to entrepreneurs’ long-term success in today’s marketplace.

The mobility, accessibility, affordability, and productivity that the Cloud provides is extremely beneficial for startups.

If you have any more ideas on how cloud computing can help startups, do share in the comment section. To read more blogs by Mismo Systems, click here.

Azure AD SSO & AWS – Connecting the Rivals

Posted on May 4th, 2021 by admin@mismo2023

Being part of Mismo Systems, I am fortunate enough to get to work on a diverse set of projects. A few technologies that we often see deployed are Microsoft 365 and, on AWS, EC2 and S3. Microsoft 365 is growing in stature in the enterprise space when it comes to identity and single sign-on. Microsoft has worked hard to make it ridiculously simple to integrate with SaaS, public clouds, or any other application. Microsoft 365 comes pre-packaged with a free version of Azure AD in the backend, which means you do not have to worry about setting up any major infrastructure if you want to dip your toes into the world of enterprise SSO. Recently, while working on a project, I was tasked with setting up SSO between Azure AD and AWS, and I thought, why not share the knowledge I gathered while working on this with you by writing this blog? Now, before we go ahead and set up Azure AD SSO for AWS, let’s first take a quick dip into the world of SSO.

Single sign-on (SSO) is an authentication scheme that allows a user to log in with a single identity to any of several related, yet independent, software systems. It is a property of identity and access management (IAM) that enables users to securely authenticate with multiple applications and websites by logging in only once—with just one set of credentials (username and password). With SSO, the application or website that the user is trying to access relies on a trusted third party to verify that users are who they say they are.

Single sign-on provides a giant leap forward in how users sign in and use applications. Single sign-on based authentication systems are often called “modern authentication”. Modern authentication and single sign-on fall into a category of computing called Identity and Access Management (IAM). Web applications are incredibly popular. Web apps are hosted by various companies and made available as a service. Some popular examples of web apps include Microsoft 365, GitHub, and Salesforce, and there are thousands of others. People access web apps using a web browser on their computer. Single sign-on makes it possible for people to navigate between the various web apps without having to sign in multiple times.

Traditionally, to overcome this challenge, companies used on-prem federation services to enable users/applications to connect without worrying about safety threats. In order to set up this mechanism, companies require ADFS (Active Directory Federation Services). ADFS provided a means for managing online identities and providing single sign-on capabilities.

The requirements to set up ADFS federation in a traditional environment are listed below:

  • ADFS server with High availability solution (Active & Passive)
  • WAP or ADFS Proxy server for external exposure
  • Public CA – Certificate
  • Domain controller server

Some of the challenges with traditional federation setup are:

  • High availability & Server Maintenance – Administration
  • Billing cost for hardware, license and certificate management

A solution for the above scenario is to use Azure AD Enterprise application SSO, for applications that support it, with a centralized user management setup. When you integrate Amazon Web Services (AWS) with Azure AD, you can:

  • Control in Azure AD who has access to Amazon Web Services (AWS)
  • Enable your users to be automatically signed-in to Amazon Web Services (AWS) with their Azure AD accounts
  • Manage your accounts in one central location – the Azure portal

Choosing a single sign-on method

There are several ways to configure an application for single sign-on. Choosing a single sign-on method depends on how the application is configured for authentication.

  • Cloud applications can use OpenID Connect, OAuth, SAML, password-based, linked, or disabled methods for single sign-on
  • On-premises applications can use password-based, Integrated Windows Authentication, header-based, linked, or disabled methods for single sign-on. The on-premises choices work when applications are configured for Application Proxy

This flowchart helps you decide which single sign-on method is best for your situation:

Since we are going to implement SSO between Azure AD and AWS, I will only talk about the former, i.e. Cloud application. For this blog, we look at how to set up SSO using SAML.

SAML

SAML stands for Security Assertion Markup Language. It is an XML-based open-standard for transferring identity data between two parties: an identity provider (IdP) and a service provider (SP).

  • Identity Provider — Performs authentication and passes the user’s identity and authorization level to the service provider
  • Service Provider — Trusts the identity provider and authorizes the given user to access the requested resource

In our scenario, the identity provider would be Azure AD (which itself uses Auth0 to authenticate users). The service provider would be AWS. The employee signs into the “My Apps” dashboard with Auth0. They click on the AWS icon, and AWS recognizes that the user wants to log in via SAML. AWS sends the employee back to Auth0 with a SAML Request that asks Auth0 to authenticate the user. Since the employee has already authenticated with Auth0, Auth0 verifies the session and sends the user back to AWS with a SAML Response. AWS checks this response, and if it looks good, the employee is granted access!
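As an added illustration (not code from the original post, and not AWS's own implementation), the Python sketch below shows the kind of claim checks a service provider applies to a SAML Response in the Azure AD to AWS scenario: status, issuer, validity window, audience, recipient and the AWS role attribute. The tenant ID, account ID, role names and the sample response are constructed; XML signature verification, which a real service provider performs before trusting any of these fields, is assumed to have already succeeded and is not shown.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
AWS_AUDIENCE = "urn:amazon:webservices"
AWS_ACS_URL = "https://signin.aws.amazon.com/saml"
AWS_ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"
# Constructed placeholder tenant; a real issuer carries the organization's tenant ID.
EXPECTED_ISSUER = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"

# Constructed sample response (unsigned, trimmed to the elements checked below).
SAMPLE_RESPONSE = """
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_r1" Version="2.0" IssueInstant="2021-05-04T10:00:00Z"
                Destination="https://signin.aws.amazon.com/saml">
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2021-05-04T10:00:00Z">
    <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2021-05-04T11:00:00Z"
            Recipient="https://signin.aws.amazon.com/saml"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2021-05-04T10:00:00.000Z"
                     NotOnOrAfter="2021-05-04T11:00:00.000Z">
      <saml:AudienceRestriction>
        <saml:Audience>urn:amazon:webservices</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
        <saml:AttributeValue>arn:aws:iam::123456789012:role/ExampleRole,arn:aws:iam::123456789012:saml-provider/ExampleIdP</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""


def _ts(value):
    """Parse a SAML UTC timestamp, with or without fractional seconds."""
    value = value.rstrip("Z").split(".")[0]
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def check_response(xml_text, now, expected_issuer=EXPECTED_ISSUER):
    """Return a list of problems; an empty list means the claims are acceptable."""
    problems = []
    root = ET.fromstring(xml_text.strip())
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != STATUS_SUCCESS:
        problems.append("status is not Success")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        return problems + ["expected exactly one assertion"]
    assertion = assertions[0]
    # The assertion must come from the identity provider we federated with.
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != expected_issuer:
        problems.append("unexpected issuer")
    # Conditions bound when, and for which service provider, the assertion is valid.
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        problems.append("missing Conditions")
    else:
        not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before and now < _ts(not_before):
            problems.append("assertion not yet valid")
        if not not_on_or_after or now >= _ts(not_on_or_after):
            problems.append("assertion expired")
        audiences = [a.text.strip() for a in
                     cond.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text]
        if AWS_AUDIENCE not in audiences:
            problems.append("audience mismatch")
    # The bearer confirmation must name this service provider's sign-in endpoint.
    scd = assertion.find(
        "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != AWS_ACS_URL:
        problems.append("recipient is not the AWS sign-in endpoint")
    # AWS needs at least one "role ARN,provider ARN" pair to pick a role.
    roles = [v.text.strip()
             for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)
             if attr.get("Name") == AWS_ROLE_ATTR
             for v in attr.findall("saml:AttributeValue", NS) if v.text]
    if not roles:
        problems.append("no AWS role attribute")
    return problems


if __name__ == "__main__":
    inside = datetime(2021, 5, 4, 10, 30, tzinfo=timezone.utc)
    print(check_response(SAMPLE_RESPONSE, inside))
```

The standard-library parser is used only to keep the sketch self-contained; it is not hardened against hostile XML.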

Benefits of SAML Authentication

  • Improved User Experience — Users only need to sign in one time to access multiple service providers. This allows for a faster authentication process and less expectation of the user to remember multiple login credentials for every application. In the example above, that user could have clicked on any of the other icons in their dashboard and been promptly logged in without ever having to enter more credentials!
  • Increased Security — SAML provides a single point of authentication, which happens at a secure identity provider. Then, SAML transfers the identity information to the service providers. This form of authentication ensures that credentials are only sent to the IdP directly
  • Loose Coupling of Directories — SAML doesn’t require user information to be maintained and synchronized between directories
  • Reduced Costs for Service Providers — With SAML, you don’t have to maintain account information across multiple services. The identity provider bears this burden

Azure & AWS – Why use both?

There are two main reasons why an organization would want to use multiple clouds: To leverage the strengths of each cloud and to improve availability. Large organizations are selecting different services or features from different providers as part of an overall multi-cloud strategy. This allows them to optimize resources and budgets, as some environments are better suited than others for particular tasks.

In my specific scenario, the company was already using AWS. Once it was decided that they would migrate their workplace services from G Suite to Microsoft 365, we had to go ahead and implement a way for the two technologies to be connected to each other to provide users with a seamless experience. But there are other examples as well where companies willingly go ahead and use both Azure and AWS to manage their cloud infrastructure.

There are specific reasons why an organization would want to use both AWS and Azure together. A few general-use cases for multi-cloud environments include:

  • Site replication and disaster recovery
  • On-ramping and off-ramping data
  • Load balancing across different clouds
  • Cloud switching to take advantage of cost structures
  • Keeping development and production environments separate

Such scenarios warrant the use of SSO, as users only need to remember the credentials for one environment rather than a slew of different passwords.

Now that we have covered some basics of SSO and SAML, let's go ahead and start setting up SSO between Azure AD and AWS. Before we start, there are a few prerequisites:

  • An Azure AD subscription
  • An AWS single sign-on (SSO) enabled subscription

Adding Amazon Web Services (AWS) from the gallery

To configure the integration of Amazon Web Services (AWS) into Azure AD, we need to add Amazon Web Services (AWS) from the gallery to our list of managed SaaS apps. The steps are as follows:

  • Sign in to the Azure portal using a work or school account
  • In the Azure portal, search for and select Azure Active Directory
  • Within the Azure Active Directory overview menu, choose Enterprise Applications > All applications
  • Select New application to add an application
  • In the Add from the gallery section, type Amazon Web Services (AWS) in the search box
  • Select Amazon Web Services (AWS) from the results panel and then add the app. We wait a few seconds while the app is added to our tenant

Once the app is added successfully, it opens a new app blade where we can start configuring SSO.

Configure Azure AD SSO

  • In the Amazon Web Services (AWS) application integration page, select single sign-on in Manage section and click on SAML
  • In Save Single Sign On Setting prompt click on “No, I’ll save it later”
  • On the Set up single sign-on with SAML page, in the SAML Signing Certificate (Step 3) dialog box, click on Download to save a copy of the federation metadata XML

Now we move to the AWS console to upload this federation metadata XML and add Azure AD as an identity provider.

Configure Amazon Web Services (AWS) SSO

  • In a different browser window, we sign on to our AWS company site as an administrator
  • In the AWS Management Console, type IAM in the find services field, and click IAM
  • Select Identity Providers > Create Provider
  • On the Configure Provider page, perform the following steps:
      • In Provider Type, choose SAML
      • In Provider Name, type AzureAD (the name can be anything; I have added Azure AD to simplify things. You can add whatever name you like)
      • In the Metadata Document, choose the federation metadata XML file you downloaded in the step above and click on Next Steps
  • Click Create to finish the process
  • Now select Roles > Create role
  • On the Create role page, perform the following steps:
      • Under Select type of trusted entity, select SAML 2.0 federation
      • Under Choose a SAML 2.0 Provider, select the SAML provider you created previously (AzureAD or whatever name you chose in the step above)
      • Select Allow programmatic and AWS Management Console access
      • Select Next: Permissions
  • On the Attach permissions policies dialog box, attach the appropriate policy, per your requirements. I chose the AdministratorAccess role
  • On the Review dialog box, perform the following steps:
      • In Role name, enter your role name
      • In Role description, enter the description
      • Select Create role
  • Create as many roles as needed, and map them to the identity provider
  • Now, we need to create a user on AWS with the ReadRoles permissions and add it to Azure AD so that we can grant our Azure AD users the roles we created in the step above. To do that, we first need to create a ReadRoles policy in AWS IAM. In the IAM section, select Policies and click Create Policies
  • In the Visual Editor on the Create Policy page, do the following:
      • In Services, choose IAM
      • In Actions, choose ListRoles
      • Click Review Policy
      • Click Create Policy
  • Now we create a new user account in the AWS IAM service. In the AWS IAM console, select Users and click on Add User
  • In the Add user section:
      • Enter the user name as AzureADRoleManager
      • For the access type, select Programmatic access. This way, the user can invoke the APIs and fetch the roles from the AWS account
      • Select Next Permissions
  • On the Set Permissions page, select the policy we created above
  • On the Review page, click Create User and download the user's credentials
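
The role trust policy and the ReadRoles policy created in the steps above can be reviewed as JSON. The following Python check is an added example, not code from the original post: it verifies that a trust policy admits only the expected SAML provider through sts:AssumeRoleWithSAML with the console audience condition, and that the AzureADRoleManager policy allows nothing beyond iam:ListRoles. The account ID, both policy documents and the function names are constructed for illustration.

```python
import json

SAML_AUD = "https://signin.aws.amazon.com/saml"  # AWS console SAML sign-in endpoint
# Placeholder account ID; "AzureAD" is the provider name chosen in the steps above.
PROVIDER_ARN = "arn:aws:iam::123456789012:saml-provider/AzureAD"

# Constructed sample: trust policy of a role created for SAML 2.0 federation.
TRUST_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow",
  "Principal": {"Federated": "arn:aws:iam::123456789012:saml-provider/AzureAD"},
  "Action": "sts:AssumeRoleWithSAML",
  "Condition": {"StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml"}}}]}""")

# Constructed sample: policy attached to the AzureADRoleManager user.
READ_ROLES_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["iam:ListRoles"], "Resource": "*"}]}""")

def as_list(value):
    """IAM accepts either a string or a list in these fields."""
    return value if isinstance(value, list) else [value]

def audit_saml_trust(policy, provider_arn):
    """Return findings for a trust policy that should allow only SAML sign-in."""
    findings = []
    allows = [s for s in as_list(policy["Statement"]) if s.get("Effect") == "Allow"]
    if not allows:
        findings.append("no Allow statement")
    for stmt in allows:
        principal = stmt.get("Principal")
        if (not isinstance(principal, dict) or set(principal) != {"Federated"}
                or as_list(principal["Federated"]) != [provider_arn]):
            findings.append("principal is not limited to the expected SAML provider")
        # Strict on purpose: anything other than AssumeRoleWithSAML gets reviewed.
        if as_list(stmt.get("Action")) != ["sts:AssumeRoleWithSAML"]:
            findings.append("action is not exactly sts:AssumeRoleWithSAML")
        aud = stmt.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
        if aud != SAML_AUD:
            findings.append("missing or unexpected SAML:aud condition")
    return findings

def audit_provisioning_policy(policy):
    """Return allowed actions beyond iam:ListRoles for the role-import user."""
    extra = set()
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") == "Allow":
            extra.update(a for a in as_list(stmt.get("Action", []))
                         if a.lower() != "iam:listroles")
    return sorted(extra)

if __name__ == "__main__":
    print(audit_saml_trust(TRUST_POLICY, PROVIDER_ARN))
    print(audit_provisioning_policy(READ_ROLES_POLICY))
```

An empty list from either function means the document matches the narrow shape this walkthrough expects; any finding is a prompt to review the role or the access key's policy before enabling provisioning.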

Configure AWS Role Provisioning in Azure AD

  • In the Azure AD management portal, in the AWS app, go to Provisioning and click on Get Started
  • In the Provisioning Mode, select Automatic and enter the access key and secret in the clientsecret and Secret Token fields, respectively and click on Test Connection
  • Once the test is successful, click on Save and reload the page. Once the page has reloaded, select Edit Provisioning
  • Turn on provisioning by toggling the Provisioning Status Button to On

The provisioning service imports roles only from AWS to Azure AD. The service does not provision users and groups from Azure AD to AWS. After we save the provisioning credentials, we must wait for the initial sync cycle to run. Sync usually takes around 40 minutes to finish.

Assign the Azure AD test user

  • Within the Azure Active Directory overview menu, choose Enterprise Applications > All applications
  • In the application list, select Amazon Web Services (AWS)
  • In the app’s overview page, find the Manage section and select Users and groups. Select Add user, then select Users and groups in the Add Assignment dialog
  • In the Users and groups dialog, select the required user from the Users list, then click the Select button at the bottom of the screen
  • Click on Assign
  • To assign a specific AWS role to the user, select the user and click on Edit
  • Click on Select A Role and select the appropriate role for the user. Click Assign once done

End User Experience

Once you have added the user to the App and assigned appropriate permission, the user can start accessing the AWS console without needing to perform any additional authentication. The user can log in to https://myapps.microsoft.com using their Azure AD/Microsoft 365 credentials and they will see the Amazon Web Services (AWS) app in their my apps portal.

They will be taken to the AWS console directly just by clicking on it and will be granted access only to those services for which they were assigned roles.

Conclusion

As a next step, it is best practice to set up several SAML Roles inside of AWS. The SAML roles can and should be granularly defined down to the AWS account and resource level.

Here are some example roles to get started with:

  • ReadOnlyAccess Role
  • AmazonEC2FullAccess Role
  • AdministratorAccess Role

On the Azure AD side, we recommend creating groups for each of the above roles. Then assign users to the group, and they are automatically assigned to the AWS role. Using groups makes it a bit easier to manage large numbers of users.

Find out more about Mismo Systems

We love Cloud, Containers, DevOps, and Workplace as a service. If you are interested in chatting, connect with us on Twitter, or drop us an email: connect@mismosystems.com. We hope you found this article helpful. If there is anything you would like to contribute or you have questions, please let us know!

A quick look at the 4 Most Used Services on Microsoft Azure

Posted on May 4th, 2021 by admin@mismo2023

1. Azure Compute

Azure compute is an on-demand computing service for running cloud-based applications. Azure compute service can be divided broadly into three categories.

  • Infrastructure as a service

Virtual Machine: It is an IaaS service that allows us to deploy and manage VMs inside a virtual network (VNet). The most fundamental building block is the Azure virtual machine. We don’t need to buy any physical hardware and bear its maintenance cost. Using Azure virtual machine, we are able to deploy different services such as Windows, Linux within the Azure cloud. All this gets done within a few minutes. When we implement a virtual machine, every virtual machine will have an associated OS disk and data disk (if we want).

  • Platform as a service

App Service: It is a managed PaaS offering from Microsoft Azure for hosting web apps, mobile app back ends, etc. With this, we can simply upload our code and it deploys the application for us.

  • Serverless services

Infrastructure provisioning and management are invisible to the developer, hence the name serverless.

Azure Functions: With Azure Functions, we can run small pieces of code (“functions”) without worrying about the application infrastructure.

Azure Logic Apps: Azure Logic Apps are similar to Azure Functions, except that we don’t have to write code. With them, we can schedule, automate and orchestrate tasks.

2. Azure Site Recovery

Azure Site Recovery is Azure’s built-in disaster recovery as a service (DRaaS).

When the primary infrastructure goes down, it directs traffic to the secondary infrastructure until the primary comes back again. This helps with business continuity.

As an organization, you need to adopt a business continuity and disaster recovery (BCDR) strategy that keeps your data safe when planned and unplanned outages occur.

Simple to deploy and manage:

We can set up Azure Site Recovery simply by replicating an Azure VM to a different Azure region directly from the Azure portal. Azure Site Recovery is automatically updated with new Azure features as they’re released.

Reduce infrastructure costs:

It reduces the cost of deploying, monitoring, patching, and maintaining on-premises disaster recovery infrastructure by eliminating the need for building or maintaining a costly secondary datacenter.

Testing without disruption:

 You can easily run disaster recovery drills, without affecting ongoing replication.

RTO and RPO targets:

The recovery time objectives (RTO) and recovery point objectives (RPO) are within organizational limits. Site Recovery provides continuous replication for Azure VMs and VMware VMs, and replication frequency as low as 30 seconds for Hyper-V.

3. Azure Content Delivery Network (CDN)

Azure CDN delivers high bandwidth content to users by caching their content at strategically placed nodes across the world. It lowers the latency to a great extent and reduces the file download time.

CDN stores the cached content on edge servers in POP (Point of Presence) locations that are close to end-users.

4. Azure Cost Management

 While the cloud made it easy to deploy and manage thousands of resources, it’s also important to manage the cost. Microsoft Azure Cost Management delivers cloud business management solutions to multi-cloud enterprises so that they can grow the cloud with confidence. It helps organizations effectively manage and optimize cloud spend across Azure and other clouds.

Azure Cost Management is a SaaS offering that helps organizations to monitor, allocate, and optimize cloud spend in a multi-cloud environment (Azure, AWS and Google Cloud Platform, etc.).

  • Service on by default
  • Set budgets, track, and get alerts.
  • Maximize cloud potential.
  • Free to manage Azure costs.
  • Integrated with Azure Advisor.
  • Optimize cloud spending.

Have questions? Let us know in the comments section below!

Cloud Security – A shared responsibility

Posted on May 1st, 2021 by admin@mismo2023

We see all businesses, small or big, consuming cloud technology in one way or another. The pandemic has increased adoption substantially, and before that, security was one of the drivers of moving to the cloud.

While we help businesses realize the benefits of cloud technologies, we are concerned about a misunderstanding (especially among small and medium businesses) that moving to the cloud takes away their responsibility and that everything, including security, is managed by the cloud provider.

It is super important to have a clear understanding of everyone’s responsibility. Some examples below:

  • In the case of SaaS services (e.g., Microsoft 365), you need to ensure that you are following the best practices to keep your account secure. Some of these are:
      • Implementing Multi-Factor Authentication (MFA).
      • Disabling the services and accounts that are not required, including legacy authentication.
      • Having the right processes and procedures (onboarding and offboarding).
      • Using Single Sign-On/Single Identity to reduce the attack surface.
      • Using premium security offerings like Advanced Threat Protection (ATP), Azure AD Premium, Intune etc.
  • In the case of cloud platforms (IaaS & PaaS):
      • Making sure that you have opened only the required network traffic.
      • Patching your servers regularly.
      • Using offerings like Web Application Firewalls, DDoS protection etc. to protect your workloads.
      • Protecting database servers by isolating them in a different network.

Here is a diagram from Microsoft to help you understand the shared responsibility.

Another very important factor is to have regular monitoring & audit of the environment. This preventive approach helps you avoid security breaches and downtime. You can use the services of a Cloud Solutions Provider to do this for you.

It is the responsibility of cloud solution providers to share this information and make sure that the customer is aware of it. To tackle this, we at Mismo Systems have decided that all of our customers will be managed. This will make it a little difficult for us to compete in the market due to the increased cost of adding managed services by default. However, we think it’s the only way and is in the best interest of our customers.

You can read about Mismo’s Managed Services here.

Let’s understand our responsibility and have safe cloud computing!