Cloudflare and Azure AD B2C: Enable secure access to applications
Presented by: Abhi Das, Michael Tremante, Razi Rais
Originally aired on October 17, 2021 @ 8:00 PM - 8:30 PM EDT
How does Cloudflare WAF and Azure AD B2C integration works? What are the most common use cases it covers.
English
Panel
Transcript (Beta)
Hi everyone, welcome to Cloudflare TV. Today we are going to discuss the topic of how to modernize and secure applications, secure access to applications with Cloudflare Web and Azure Active Directory.
So for that we have with us today Razi Rais and Michael Tremante.
Razi is the Senior Program Manager for Microsoft Identity Engineering Group and Michael is our Lead Product Manager for Cloudflare Web Product.
So just a few background for both the companies. Cloudflare is fundamentally a network.
We started building a network of 200 plus data centers around the globe and Cloudflare brings together Zero Trust security services with networking services deployed on that edge of 200 plus data centers.
And it's built using our own developer platform for unparalleled cost efficiency and pace of innovation.
On the other hand, Azure Active Directory V2C is a customer identity access management service capable of supporting millions of identities and billions of authentications per day.
And it takes care of scaling and safety of authentication platform monitoring, automatically handling threats and using its identity protection capabilities which leverages advanced ML algorithms that continuously learns from those attacks.
Before we dive deeper, I wanted to set the context here a little bit.
We are in the midst of digital transformation like never seen before, especially in the past 16 months.
Companies are seeking to modernize their applications to protect themselves.
With a lot of malicious attacks and consumer data being breached, companies are also asking for the best practice security implementations.
So maybe you can dive a little bit deeper on this and we can start with Razi.
Razi, can you help us understand how does Azure Active Directory V2C fits in that context here?
Yeah, sure. So as you mentioned, the Azure V2C is a white label authentication solution.
It basically allows our customers to customize the entire user experience with their own brand.
So it can blend seamlessly into their own web and mobile experience.
Obviously, it's very critical for us.
So for example, we support a full HTML-based integration, native iOS, Android, and other mobile devices integration.
We also provide single sign -on access capabilities.
We provide integration with third-party external services using the API.
We have progressive profiling services. We also have a third-party verification improving services.
So we basically take a very holistic look when it comes to identity management because we're more on the customer and the consumer side of it.
We also take security very, very important. I think it's critical for our customers to get one of the best security that they can have.
And I will talk a little bit about it when we go into detail, but I just wanted to highlight that Microsoft, Azure, the platform that we are under, we basically, Microsoft has spent like a $1 billion US dollar per year on cybersecurity research and development.
So there's a lot of enrichment that are happening around those brands.
Thanks, Razi. So maybe I can turn over to Michael here.
Michael, how does Cloudflare fits in that picture? And what is Cloudflare web in general for the broader audience we have here?
Yeah, good question. So as you said at the start, Cloudflare is essentially a network.
And one of the missions we have as a company is to help make the Internet a better place, especially a safer place.
And we provide a lot of tools for web administrators, application owners, security admins, to essentially protect their assets, any assets connected to the web, of course.
But if we zoom in and focus specifically on the web application firewall, of course, we're talking about websites or applications that are using the HTTP protocol.
The way we do this is Cloudflare is essentially, I like the analogy of it being a shield.
It's a huge reverse proxy dotted around the world and all the points of presence you mentioned earlier, but essentially filters out all the bad traffic or potentially malicious traffic before it reaches your application.
Whilst, of course, letting through your legitimate users who want to use your service.
The way we do it, we do this in a number of different ways.
And as part of the platform, once you onboard an application onto Cloudflare, there's a lot of features that come baked in out of the box.
But at the most basic level, we inspect the traffic and we have libraries of rules.
And in some cases, even machine learning models that understand and are able to differentiate good from bad, or even for example, bot traffic, automated traffic versus human traffic.
And as the traffic flows through and we run this engine on every single request, we allow the security admins, those application owners, or even if you own a very simple blog website to make decisions on what to block and what to let through.
And in many cases, actually, we're pretty confident we make the right decision out of the box.
So we simplify the whole experience of just turning on the WAF.
At a slightly more technical level, of course, we have security teams internally that are constantly looking for new threats, observing, using the visibility we have across the worldwide web on new attack vectors that get developed.
And we're always mitigating and deploying new rules and signatures that are automatically deployed in front of our customers or users' applications, such as protecting against CVE attacks, zero-day vulnerabilities, or even potentially new botnets or completely automated traffic that might cause some harm to your web application.
Great. So double-clicking on that a little bit, Michael, what makes Cloudflare WAF unique or one of the best solutions in the market?
What's the recipe behind it? Yeah, good question. So we, as a company, we started trying to bring...
A lot of these security tools are historically very expensive.
And just like the Azure AD solution, we're trying to bring out-of-the-box solutions that are very useful and very expensive to build in -house most of the times.
And we're doing the same from a more general security perspective and performance perspective for our customers.
And what that meant is that we actually started...
And anyone who goes to the Cloudflare.com website, you can sign up on some of our self-service plans.
And we also provide a fully free plan, which has no payment required.
What this has allowed us to do over time is to get a lot of users and customers on our platform.
And as we grow the network, and you mentioned 200 points per presence earlier, we've now got more...
Last time I checked, more than 25 million applications using our security and protection services.
And this gives us what I would say, a very good visibility across Internet threats that not many other companies can match.
Simply because we've got customers from all over the world, our points of presence are globally distributed as well.
And whenever any of our customers get hit by a new attack vector, because it's a uniform platform, it's a multi-tenant platform, it's built on our own cloud.
Every time we deploy a mitigation, it affects or improves the security of all of our customers.
We're not doing appliances, we're not doing sort of virtual appliances.
It's a very linear, scalable platform. And the other nice benefit of course, is if you have a small website, or if you have a large Fortune 100 application, large company with a large high traffic application, it doesn't really matter.
The platform scales horizontally really well, which also helps from a security perspective, because many times attackers will try to take down applications by simply overloading them.
Sounds good. So maybe Razi, help us understand a bit here.
Why is it important to offload authentication to Azure AD B2C for any business?
Yeah, I think one of the critical reasons why a lot of businesses look at Azure AD B2C and Azure AD in general, is that we provide a very unique opportunity at a very good price point for customers to basically store like a, again, like millions of these user accounts at highly scalable environment.
It's very difficult, if you look around, to find a provider which they can trust, provide the privacy.
We are, basically, Azure right now is the largest number of compliance certifications in any of the cloud provider out there.
So basically, what we're trying to do is that we want to give all the business opportunities in this sort of like a hostile environment, where the cyber attacks are so prevalent, that they should be able to have an ability to get the full identity control access management without really having anything to build in-house.
Because building in-house, these things are usually not a good idea to begin with.
So basically, that's the starting point.
That's the starting journey, because a lot of customers that we work with, they are moving into the cloud, they're getting into that visualization journey.
And having the good foundation when it comes to the user account storage and authentication is extremely critical.
So I think that's where we basically start when it comes to the customer identity.
And along the same route, Michael, why is it important to protect those authentication endpoints?
And from your angle, where you're sitting, what sort of scenarios and attacks that you're seeing most common these days?
Yeah, no, great question. And I think the solution from Microsoft is hitting the nail on the head.
Authentication endpoints are the front door to your service.
And we're seeing an increasing amount of attacks and attack vectors being performed against the authentication endpoints, regardless of the application.
As soon as you're offering a service, which holds some private customer data, or some personal information that could be used for impersonation on some other service, or even in the more complicated use cases, you may be holding credit card data, financial data, medical business, anything, as soon as you have an application which requires authentication to access the actual feature set, you will see the authentication and login endpoint essentially be one of the first parts of the application that gets targeted by attackers.
And in terms of what sort of attacks we're seeing, historically, the traditional OWASP top 10 attack vectors are always there.
People are trying to break the login form with SQL injection, XSS attacks, and things like that.
They're never going to go away. They're always going to be the first thing people try.
But we started seeing a lot more sophisticated attacks, especially now that we always hear about large applications being compromised.
And very often, attackers will download dumps of essentially valid username and password credentials of millions of potential customers.
And unfortunately, people reuse passwords all the time. I'm hoping one day, passwords will no longer be a thing, but that's not the case today.
And very sophisticated attackers will be using now botnets, iterating over these very large databases of valid user credentials, retrying those same credentials on potentially your application and trying to log it.
So protecting and being able to detect bot traffic versus human traffic, or even sometimes simply deploying some business logic around your authentication endpoint.
For example, if you are operating as a company only outside of a specific region, you can probably enforce a little more security for login requests coming outside of that region.
And although it's very simple sort of logic there, you're already getting rid of a vast amount of troubles that may become by just having your login endpoint open.
So going back to your initial question, login endpoints are the entry door to your app.
We're seeing all sorts of attacks, all the way from the simple ones to the more sophisticated brute force attacks with leak credentials, all the way to customers using actually very large botnets and just iterating over valid credentials.
Makes sense.
What about Razi? What are you seeing sort of in terms of kinds of attacks and volumes from your end?
Yeah, that's a good point. I think I agree with Michael on that.
In the last few years, we have been seeing high influx of cyber attacks.
I mean, they start with a typical range of your attack that you expect, like password spray attacks, leak credentials.
Password reuse still remains a big issue for consumers.
People just repurpose the password. But what we are seeing now is sophisticated attacks through bots.
And you can launch attacks which are very sophisticated, can be under the radar.
And we also see, for example, MFA being deployed nowadays.
But the reality is that MFA is also prone to certain type of attacks.
So you basically really need an advanced approach to counter these attacks.
I think on the B2C side, we have a burden feature, which is the identity protection feature, which is based on the machine learning, which is basically calculate risk on every incoming request for each user when they try to sign in or sign.
That is basically when we calculate the risk. And based on the score, we try to evaluate and give opportunity for the administrator if they wanted to continue that user to come in and go through the journey, or they wanted to probably do either more enhanced security or to completely downright block them.
So it's a little bit of like going into like a world where now, because of the machine learning, because of the advancement in the bot, you kind of like see sophistication on the attack.
And you also have to increase the bar to make sure that you catch more of bot type attacks.
Makes sense. And thanks for giving sort of the background on that.
I also wanted to highlight or maybe cover what would happen before this integration is in place between Cloudflare web and Azure ADB2C.
If an application is using Azure and Cloudflare together, what would happen then and what would happen now?
What's the difference? We can start with Razi maybe, and then Michael, you can chime in.
Yeah. When it comes to security, defense in depth is best approach to handle the cyber threats.
This is really pretty much the best practice.
If you look at the OWASP or the other, like NIST, this is basically where they approach this problem space.
So by integrating with a third-party web application firewall providers like Cloudflare, we basically empower customers to broaden the scope of their cybersecurity defense.
I think that's important.
The other thing is that if we have customer base who are already using third-party Cloudflare, Cloudflare is one of them.
So we wanted to make sure that we allow them to bring it over when they're moving towards B2C.
It's kind of important for us to provide that really complimentary space.
So basically at the end of the day, we look at it more holistically.
So having a web in front of B2C basically provide you opportunity to have defense in depth implemented.
Yeah. And I can definitely add a bit to that as well.
There's no silver bullet for security.
Defense in depth definitely is the right way to go. To some extent, the more you can leverage security tools and security approaches across not only your login authentication, but your entire network, the better positioned you are, of course, to identify threats and identify patterns and react to those attacks.
So to highlight a few of the additional benefits, of course, of integrating the two solutions together, of course, Azure Identity Services will allow your users to log in and perform the authentication and offload all of that business logic.
And there's already a lot of security baked into that.
But if you're then deploying the WAF in front of the endpoint, I'm assuming most customers will be already Cloudflare users or looking at adopting Cloudflare, potentially deploying the Cloudflare platform across the rest of the application at the same time.
Attackers will try to get into your app from any vector they have available.
First step is reconnaissance, looking for weak points into your application.
And if you have the uniform WAF in front of your login endpoint, in front of the rest of your app, you might notice or get patterns which otherwise would not pop up on your dashboards.
And then on top of that, of course, deploying sometimes additional business rules across your application, including your login endpoint, becomes very easy if you have a reverse proxy, which is giving you a uniform layer across not only potentially the app itself, but even the rest of your infrastructure.
So I don't see, there's only positives, really.
The integration, as we'll see shortly, hopefully, is actually very simple to perform.
And you're getting the best of both worlds, right?
The offloaded authentication and then the additional security there provided by Cloudflare and the experience we have across all of the other customers we're protecting at the background.
So maybe we can get on a demo here for our audience to get a real flavor of how it looks like.
So, Razi, given you have all the necessary access, maybe it's worth for you to running a quick demo for us here?
Sure. So what I'm going to do is that I will share my screen.
Go ahead and do that. So, yes, a little bit.
All right. Can everyone see my screen? Yes. Okay. So basically, this is a canonical example where we have a page secured by Azure and we basically have a Cloudflare in front of it.
So what I'm going to do is that I will show you without a WAF in front of it and then with WAF, just to give you an idea.
So let me go in here and just open up without WAF.
So basically, this is the screen that you get.
This is a very common way when customers get in. They basically get this branded experience.
And here you have a and basically, this is one of the ways that you can log in.
It's the typical email. So I will just go and quickly log in here with my account.
And you will notice that it will take me back to, if I put my password correctly, it will take me back to a sort of like a sample page where it will give me the details for debugging.
But the point is that this page is available on the B2C. There's no WAF in front.
Now, if I dig the same page and try to access it through the Cloudflare, for which basically, I set up a WAF and the WAF, I set up a rule that every time we try to exit this page, one of the security features enabled is the CAPTCHA, which basically that every time user try to get in, they have to make sure they prove they are human, not a bot-based activity.
So I will go ahead and you can see that this is the page presented to me.
I will click on human, in this case, basically asking me to choose.
So we'll go ahead and select that. I think I did right.
And now you will see that it basically confirmed that, and then I'm landing in and I managed to go and log in again.
And you will notice that I will land into, again, the same page successfully with the identity token.
Now, from a technical standpoint, there are a couple of entities that play here.
So we have the B2C end and we have the Cloudflare. So maybe I can show a little bit of the configuration side because you're interested into looking into how it's done.
One of the key things needed to enable the WAF is using Microsoft Azure Front Door.
So this is a front-end because you need to bring your own custom domain.
So if you remember in this particular case, when I was going to the page, I was basically using a custom domain, id.contosobank.co.uk, which is my test account.
It's sort of like a sample bank that I use for testing. But the idea here is that that you need to onboard that.
And the way you basically onboard that domain is by using a Microsoft protocol Azure Front Door, which is basically optimized to provide custom domain service.
You can basically onboard thousands of custom domain and scale it.
It also has its own security built in. So in this particular case, I have this domain, which I'm using, id.contosobank.co .uk.
So I need to onboard this domain over here. And then it basically has a back end where it's basically going to connect with the Azure AD B2C itself.
So the B2C also needs to know that there is an account of a tenant, and then it wanted to know exactly which domain the request is coming from.
So in this case, if I search for the ID, you will notice that this is the same domain over here, id.contosobank.co.uk.
So it's basically onboarded in Azure AD B2C.
So Azure AD B2C knows about it. The Azure Front Door knows about it.
So that basically is sort of like the first thing you do.
And then the Azure Front Door also has its own entry point, or the CNAM, contosobank.co.uk.azurefd.com.
Now, from the Cloudflare side, from a configuration standpoint, what you need to do is, and I will basically going to use this slide here, because it's a little bit confidential information if I show the whole page, but it will highlight the configuration needed.
So you will notice that on the bottom here, there's a CNAM entry, which says id, which is id .contosobank.co.uk, and the target is contosobank.azurefd.net.
So basically, the first thing we are telling the system here is that, hey, make a CNAM entry.
So all the requests coming in now need to actually go through the CNAM entry.
And on the same time, we have this proxy enabled, which basically means that we are now going to use the Cloudflare WAF.
And in this case, I have different type of challenges set up.
The one that I'm showing you now for the demo upfront was the one with the CAPTCHA, where I'm basically using the hostname to perform the, sort of like a check that, hey, every incoming request to this particular hostname should get the CAPTCHA.
So you can do these settings. And then after this, sort of like the hurdle is passed, then the traffic will go to B2C.
And you will see that you can actually do more.
There's another thing you can do where you can actually use a rule where you can just deny the request based on various factors.
For example, I have a set of rules where I'm denying the request based on the query string parameter.
So in the end, if I have logs equal to true, a very canonical case, but it's sort of like proving the point, then I'm basically blocking the incoming request.
You can actually use rules like log based on country, log based on IP address.
You can do a lot of things with that. So whatever you expect from evap, you can do that on that layer.
So you can do those things. And then basically after the configuration is done and everything is validated, then the Cloudflare will allow you to pass through and land on the B2C site.
Michael, do you want to add something, because I missed?
Yeah. One thing I'd actually like to call out here, which is, I guess, one of the advantages of connecting Cloudflare to the Microsoft Azure platform here, is that because Cloudflare is a cloud native platform, so we've built this by deploying a software we built in-house in data centers, which are dotted around the world.
And because the Cloudflare proxy, WAF is essentially implemented as a reverse proxy, we don't mind where the application resides to some extent.
And the beauty here is, in fact, we're putting the Cloudflare WAF, which is not an on-premise appliance, in front of another cloud based service, which is provided by Microsoft Azure.
And I think that's, you know, Razzy demoed here, the fact that it's mostly done via DNS based forwarding in this case, right?
Because we're using a custom hostname.
So you have your own branding for the endpoint, but you're just redirecting customer traffic to the Cloudflare platform towards, you know, if all the checks are good on the Cloudflare side, then things get forwarded on to the Microsoft, you know, powered login page.
And it's literally just a couple of steps, and that's the beauty of it.
And then, as you said, you showed some canonical examples, but you get access to a lot of other fields and features that you can deploy, you can use to deploy your rules.
Yes. And I think the couple of things I wanted to call out here is that you will see that the whole onboarding process is a cloud based service.
So I just wanted to call out that, because both the Azure platform is cloud driven, Cloudflare in this case is definitely cloud driven.
So the barrier to entry for the customers is very low. It's just mainly the initial setup that they need to perform.
So let me do this. I will share and then share again, really quick, the documentation page for the customers in the case they wanted to find more about it.
Let me share back again. I think the sharing.
So we published recently a documentation where we talk about pretty much everything with a little bit more details and the technical rigor.
And you will see that these are the step by step ways to configure the Cloudflare wrap with the Azure AD B2C.
So basically, these are a little bit more on the technical side, but it also gives you access to some other ways that you can enhance the security.
So I just wanted to call out that this is something that anyone who is watching this can leverage.
Okay. Back to you, Abhi. Cool. Thank you both for the demo. Super helpful.
I think we're reaching towards the end of the time. So before we let you go, everyone, thanks for joining.
Feel free to read the blog. It's on Cloudflare .com slash blogs.
Go through the tech docs for that one that Razi demonstrated. And plus there are multiple others.
If you want to install Cloudflare and Cloudflare web and Azure AD B2C on your application.
And lastly, feel free to fill out a form at the end of the blog, just so that we can keep you updated for more improvements on the products coming up in future.
Again, thank you everyone for joining. Thanks Razi and Michael for your time and goodbye everyone.
Thank you. Bye-bye. Thank you.
Thanks for having me. There's too much that goes into creating high quality video today.
That's just simply still too hard for many of our customers. Most cloud providers don't actually provide a turnkey solution for video.
They provide bits and pieces of the equation, but there's no provider that provides an end-to-end solution from rendering to streaming.
They'll provide bits and pieces that now you have to kind of cobble together to build an amazing product.
Our focus now is how do we simplify and streamline that by providing a deeply integrated, simple to ease and easy to use solution.
A big part of what we do at Cloudflare is as we focus on helping build a better Internet is take complicated things and make them simple.
And to enable them to just literally be able to go to Cloudflare, to log in, to point their video asset at Cloudflare, and then on the other end, be able to pull a player out of Cloudflare and place it wherever they need to be able to deliver the video.
And that's it.
There's a triplicate where you could do something either well or fast or cheaply.
And so we're striving for all three because we really need it. We need it to be really good because otherwise why would anyone use the service?
You got an entire Internet out there, use something else.
We need it to be fast because people have no patience.
And we need it to be cheap enough that we can stream to millions of users without it becoming uneconomical.
So you have to get all three.
And Cloudflare is a really important part of offering all three. If you want to deliver a video to anybody on the globe, there really is no better network to put it on than Cloudflare because we can guarantee the highest quality experience to somebody who is in New York City and someone who's in Djibouti and someone who's in Sydney.