Security

RADNAC strides to be a tool to aid you meeting your compliance requirements so a summary of how it secures your data is provided below.

  • The user interface provides informative and actionable warnings based on best current practices sourced from the standards working groups helping you navigate the most appropriate path for your deployment

  • All local secrets (user passwords and device secrets) are encrypted at rest by the Azure Key Vault, decryption is done on demand

    Backups contain the plaintext decrypted secrets, so make sure the Storage Account to send them to has limited access to only those authorized to view them
  • The Network Security Group (NSG) used by the service automatically manages the security rules for you utilizing both Application Security Groups (ASG) and ‘Deny by Default’ for both ingress (incoming) and egress (outgoing) traffic

  • EAP-TTLS/PAP credential caching uses S(alted)SHA512 (hash unique per entry, pool of 96 characters and of length 32 characters) and stores the result only in RAM

  • Remote network access to the instances is limited to the serial port only

    • The serial port is disabled

      • Can only be re-enabled by coreMem Limited when a co-administrator plan is used and then only with your permission for when access to the instance is required for diagnostics

    • The SSH service is disabled (systemctl mask ssh.socket ssh.service)

      • Only allows public key authentication

      • ‘root’ is blocked from using SSH

    • The only local user account is ‘root’ and the password is unique to each deployment which only exists and is stored in the Azure Key Vault created during the deployment

    • Only the root user is allowed to log in over the serial port

    • The ‘azureuser’ account is deleted during the install

      • It only briefly exists as Azure does not allow you to create (generalized) VMs without providing credentials

      • The SSH public key used is unique to each release, the private key is never recorded making it unusable to anyone, including coreMem Limited; it is deleted with the azureuser account during the deployment

    • No security rules on the Network Security Group (NSG) allow for SSH access to the instance

  • All resources used by the service (including Microsoft Entra ID and Graph API) utilize managed identities meaning there is no password or secret to leak

  • Use of Microsoft Entra ID MFA is made through the use of certificate credentials

    • The private key of the certificate is non-exportable and stored in an Azure Key Vault

    • The certificate is regularly and automatically rotated

      • Configurable by you during deployment and settable between one (1) and thirty-six (36) months whilst defaulting to twenty-four (24) months

  • All network traffic is secured using TLS version 1.3

  • Access to the Azure Function is protected by Microsoft Entra ID using OAuth2

Service Principal with Elevated Permissions used during Installation

Configuring the interaction between RADNAC and Microsoft Entra ID is long complicated process. Most of this process is not supported by the Azure web portal UI and requires configuration using the CLI.

To avoid you as the site administrator having to perform this error prone process manually, RADNAC expects a Service Principal with elevated permissions so that it may do these steps on your behalf.

This account is only used by the deployment process and no access to it is provided to any other entity, including coreMem Limited, outside of this.

The account is used to apply the following changes to your tenant:

  • Create an Application and accompanying Service Principal to interact with Microsoft Entra ID and MFA to support user authentication.

    • Provides ‘Admin consent’ for the user delegated permissions ‘openid’, ‘profile’ and ‘email’.

  • Create an Application and accompanying Service Principal to support authentication of Service Principal’s accessing the RADNAC API.

    • Provides ‘Admin consent’ for granting on-behalf access to both Azure Resource Manager and Key Vault APIs with the permissions of the connecting user.

      • Used to aid debugging in the web UI (and via the API) when RADNAC may not have access to a certificate stored in an Azure Key Vault.

      • This is the only official way to interact with Azure Key Vault from a web browser

  • Create an Application for use by the web UI to authenticate to the API and also to Microsoft Graph API.

    • Access to Microsoft Graph API utilitizes user delegated permissions (read-only access to groups) for the purposes of selecting Microsoft Entra ID groups easier.

The need for the particular Microsoft Entra ID roles assignments requested are:

  • Cloud Application Administrator: Creation of applications and service principals as well as assign credentials to so that Azure resources may use them.

  • Privileged Role Administrator: Least privileged role supported for Microsoft Graph allowing the assignment of {User,Group,Device,Domain}.Read.All to the System Assigned Managed Identity of the managed application resource so RADNAC may interact with Microsoft Graph API for policy enforcement purposes.

After the installation completes, this Service Principal is no longer required and should be deleted. If you wish to retain it instead for purposes of reuse, it is strongly recommended you remove the client secret credentials associated with it so it may no longer be used.

Microsoft Entra ID provides a non-tamperable audit trail of all changes made by the Service Principal so that you may inspect what actions were performed. You may locate it by:

  1. Navigate to Microsoft Entra ID found at https://entra.microsoft.com/.

  2. Navigate from the left panel Entra ID  Enterprise Apps.

  3. Remove the ‘Application type == Enterprise Applications’ filter.

  4. Search for the name of the Service Principal you used (‘RADAC Deployment’).

  5. Click on the application once you find it.

  6. In the panel that opens, navigate to Activity  Audit logs in the inner left sidebar.

If you have any suggestions for changes or improvements you would like to see to this process, do get in touch.