SmartMoney is an application developed by the fictional company OneFinance, which manages financial data for thousands of customers. SmartMoney helps customers gain insight into their personal finances and provides advice on becoming financially healthy. The customer service department is responsible for managing all of the customer data. Based on this data, the expert department provides advice to customers on how to save costs and create monthly budgets.
When the COVID-19 pandemic broke out, the government enforced lockdowns, which had severe consequences for OneFinance. With employees working from home and unable to access the SmartMoney application, OneFinance, which had not invested much in its infrastructure, faced challenges: everything still ran on-premises and no remote connection was possible. To enable employees to work from home, the company rushed to move some of its workloads to the cloud. The current architecture in Azure is shown below.
Current Azure architecture
Employees of OneFinance authenticate to the SmartMoney application with their Azure AD account. The application is hosted in Azure App Service and uses an Azure SQL database and an Azure Storage account to store data. The SmartMoney solution is split into a frontend application and a backend application that exposes a set of APIs. Everything is deployed and managed in a single subscription. The application is reachable through a public URL; firewall settings are configured to allow only certain IP addresses to access it.
Zero Trust
Zero Trust is not a one-time task, but rather an ongoing effort to enhance your security. While it's important to carefully consider your architecture before implementing Zero Trust, I will continually update the information and architecture as I publish new articles about improving the architecture of SmartMoney. Information might be updated to demonstrate new services or features that can be used to improve the security of the application.
Protect surface
To implement Zero Trust, the initial step is to identify the surfaces that require protection. OneFinance has multiple internal and external applications, among which SmartMoney is recognized as a protect surface. The ERP system, the intranet, and the corporate website are also considered protect surfaces.
Map the transaction flows
- The frontend application communicates with the backend API to fetch and write data.
- The backend application fetches and stores data in Azure SQL.
- The backend application fetches and stores data in the Azure Storage account.
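The current state described under "Current Azure architecture" above (a public App Service whose firewall allows only certain IP addresses), written out as a Bicep fragment. This is an added example, not code from the original post or from OneFinance; the resource names and the 203.0.113.0/24 range are assumed placeholders, and the backend API and data stores are left out because restricting those is what the later articles on network security groups and Private Link cover.

```bicep
// Added example (not from the original post): the pre-Zero-Trust state of the
// SmartMoney frontend, a public App Service reachable only from allow-listed
// IP ranges. All names and the 203.0.113.0/24 range are assumed placeholders.
param location string = resourceGroup().location
param officeCidr string = '203.0.113.0/24' // placeholder for the office egress range

resource plan 'Microsoft.Web/serverfarms@2022-09-01' = {
  name: 'asp-smartmoney'
  location: location
  sku: {
    name: 'P1v3'
    tier: 'PremiumV3'
  }
}

resource frontend 'Microsoft.Web/sites@2022-09-01' = {
  name: 'app-smartmoney-frontend'
  location: location
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    serverFarmId: plan.id
    httpsOnly: true
    siteConfig: {
      minTlsVersion: '1.2'
      ftpsState: 'Disabled'
      // Explicit default action: with no rules at all App Service allows every
      // source, so this is the first thing to check when reviewing the setup.
      ipSecurityRestrictionsDefaultAction: 'Deny'
      ipSecurityRestrictions: [
        {
          name: 'allow-office'
          ipAddress: officeCidr
          action: 'Allow'
          priority: 100
          description: 'Employees working from the office network'
        }
      ]
      // The Kudu/SCM endpoint has its own rule set; reuse the main rules so the
      // deployment endpoint is not left open while the site itself is restricted.
      scmIpSecurityRestrictionsUseMain: true
    }
  }
}
```

The allow list is a network-perimeter control: anyone on the listed range reaches the public URL, which is exactly the assumption the Zero Trust articles below set out to remove.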
Architect a Zero Trust environment
In each article, I'll explain how to secure the application and infrastructure.
Create Zero Trust security policies
...
Monitor and maintain
...
Articles about securing the infrastructure
Here is a list of articles that detail how the infrastructure has been modified to align with the principles of Zero Trust.
Assume breach and minimize the impact with network security groups
In this blog post, I’ll explain how to restrict subnet traffic flow with network security groups and create fine-grained rules with service tags. Why it’s ...
Access internal applications with Entra Application Proxy
The way we work and the tools we use are changing rapidly. With more employees working remotely and using their own devices, the way organizations manage and...
Secure Azure PaaS services with Azure Private Link
When using Azure you shouldn’t take the security of your data and services for granted. Microsoft explicitly states that security is a shared responsibility ...
Centralize management with the hub-spoke network topology
OneFinance has many different applications that were brought to the cloud in an unplanned way. During Corona OneFinance (like many other companies) ensured...