azure ssl/tls

TLS/SSL Encryption with Azure

Sam Metzler Education

TLS/SSL Encryption with Azure

Improving cyber security is crucial for organizations as one cyber attack could trigger the downfall and bankruptcy of an entire business. That’s why end-to-end encryption has become a network security standard because it involves encrypting an online connection between two entities, such as client-server, server-server, or web page-browser.

SSL, now TLS, encryption was developed to help organizations encrypt their online traffic to prevent cyber attacks from infiltrating the network. Now that the cloud is a staple in the IT field, organizations must maintain network security at all times.

Microsoft Azure is a cloud-based service that allows admins to build, test, and deploy service through Microsoft datacenters. Windows networks are centered around Active Directory (AD), an online directory and is the most popular directory in the IT industry. However, AD was built for on-premise hardware before the cloud.

Since the cloud was introduced, cyber attacks have gotten more dangerous because now malicious actors can hack into a network from anywhere rather than having to break into the server room. Luckily, better encryption methods have been rolled out, like SSL/TLS encryption.

What is SSL and TLS?azure tls/ssl

Secure Socket Layer (SSL) and Transport Layer Security (TLS) both are cryptographic protocols that provide data encryption and authentication between two virtual entities, including servers, systems, applications, and the like.

The first iteration of SSL, SSL 1.0, was developed in the mid 1990s but was not released due to pervasive security flaws. This led to the release of SSL 2.0 and SSL 3.0 in subsequent years, but they both still suffer from security faults.

TLS is an updated version of SSL developed by Consensus Development to improve the security gaps apparent in SSL 3.0. After some trial and error, TLS made significant security improvements and it’s most recent iterations, TLS 1.2 and 1.3, are the only protocols that services actively support.

SSL/TLS encryption is vital because the data shared can contain sensitive information that must be protected. To secure the connection, SSL/TLS uses digital certificates, cryptographic keys that can be installed on network entities and serve as their identification. SSL/TLS certificate encryption is the standard internet protocol for connecting a web page with a browser.

Can You Use SSL/TLS with Azure?

For Microsoft networks, admins can configure TLS encryption for Azure. Microsoft datacenters can create a TLS connection between clients and Azure systems. In order to do this, admins will need to use the Azure Application Gateway which terminates the TLS encryption at the gateway and decrypts user traffic. Microsoft has more information about configuring end-to-end TLS encryption with TLS.

One problem Microsoft Admins face is they are unsure how to enable TLS encryption for end users wanting to use it for Wi-Fi or VPN authentication. There is no clear native option to enroll users for X.509 digital certificates using their Azure credentials, or how to authenticate the certificate once they have the credentials. We find admins asking us for help configuring these types of solutions all the time. The best option we’ve found is to configure a Public Key Infrastructure (PKI) that supports SAML enrollment with Azure, and use CloudRADIUS to authenticate the certificates.

Enable End-to-End Encryption with SecureW2 PKI

Digital certificates provide the best network security, but they can be a pain to configure and manage, especially since users will have several certificates issued to them. SecureW2’s Managed PKI solution can equip every device with a certificate and enable 802.1x EAP-TLS authentication for Azure networks.

Certificate-based EAP-TLS authentication is an ideal alternative to credential-based network access. It eliminates over-the-air credential theft because user credentials are encrypted within the certificate. Both clients and servers are equipped with certificates, making them easier to identify.

With the standard 802.1x EAP-TLS authentication networks historically employed, user access policies are limited to information input onto the certificate, which cannot be changed once created. But, network user policies should change all the time, especially if an organization wants to implement Zero Trust philosophies to their network security. Luckily, there’s a RADIUS solution that checks user attributes in your directory in real-time for ultra-secure network security.

Improve Authentication with SecureW2 CloudRADIUScloud radius azure

SecureW2’s CloudRADIUS is an improved iteration of RADIUS with cloud capabilities and stronger network security. Instead of credentials, CloudRADIUS is built around certificate-based authentication and comes with SecureW2’s Managed PKI. Users are authenticated with certificates that are customized with user attributes and permissions. Once a certificate is created, it’s then distributed to a user’s device, serving as their identity.

CloudRADIUS is powered by a Dynamic Policy Engine that can revolutionize network policy enforcement. With the backing of the Policy Engine, our CloudRADIUS is the only cloud-based RADIUS that can directly reference any cloud identity provider (Google, Okta, Azure) to harden the certificate-authentication process. Similar to user lookup in LDAP-AD systems, CloudRADIUS can directly reference a directory entry and check if the entity is authorized and any additional info attached to that entry.

With a Dynamic Policy Engine, user attributes don’t have to be stored on the certificate. Instead of going through the entire certificate lifecycle multiple times just because one user’s policies changed, admins can instead edit user attributes with our easy-to-use GUI interface. CloudRADIUS can perform runtime-level policy decisions and changes take effect instantly, rather than 24 hours.

Both SecureW2’s PKI and CloudRADIUS don’t require any forklift upgrades, can be set up in less than an hour, and come at an affordable price for organizations of all sizes.


Learn About This Author

Sam Metzler

Sam (aka Slammin Salmon, Street Hustler Sam, Samilstilskin) is a copywriter within the marketing team and a man of many nicknames. He has a degree in Marketing from the University of North Texas with previous experience in mortgage marketing and financial services.