User Authentication

Technical Gap

The existing implementation of the application authentication depends on the chosen identity provider. Authentication of users for a cloud application should be based on a standardized and secure identity mechanism.

Migration Path

Azure Web Apps can restrict access by leveraging Azure Active Directory. This solution is stack-agnostic: it works for all supported stacks, whether the application is written in .NET, PHP, Node, Java or Python.

Identified Tasks

  • Prepare your directory
  • Select the Directory associated with the Website
  • Select or create the Azure Active Directory app for the Website
  • Configure your Web App so its access will be restricted to only users in the directory you selected

Reference

https://azure.microsoft.com/en-us/documentation/articles/active-directory-authentication-scenarios

Using Azure Active Directory

In the Cloud, users should be authenticated using a Cloud-friendly identity provider such as Azure Active Directory.

BOOSTER | LOW

Impersonate Identity

Some on-premise applications may rely on executing code under the identity of the actual user. This requires that a corresponding user account has been created on the platform, which is not possible in a Cloud environment.

ROADBLOCK | CRITICAL | CODE | FRAMEWORK | ARCHITECTURE

Usage of Windows Authentication

Using Windows as an identity provider is not possible in a Cloud environment, as it assumes that a corresponding user account has been created on the platform.

ROADBLOCK | MEDIUM | CODE | FRAMEWORK | ARCHITECTURE

Usage of Web Forms

Using “Web Forms” authentication requires that user accounts and passwords be created and managed in a storage such as a database. This mechanism does not offer the flexibility of claims-based authentication and should not be used in Cloud applications.

ROADBLOCK | LOW | CODE | FRAMEWORK | ARCHITECTURE

Application Logs

Technical Gap

Capturing web application diagnostic information depends on the web platform. ASP.NET applications can use the System.Diagnostics.Trace class to log information to the application diagnostics log. Node.js applications write to the console using console.log('message') and console.error('message'), which produce Information and Error level log entries respectively. Other web platforms have similar mechanisms.

Application logs should be centralized and exposed in a comprehensive manner.

Migration Path

In the Azure portal you can direct different verbosity levels (Warning, Error, Verbose) to different targets at the same time: file system and Azure blob storage. Combining configuration parameters for the trace sources defined in code with moving log information into Azure persisted storage gives full control over web application diagnostic output.

Identified Tasks

  • Implement methods for adding traces at the different message severities (e.g. info, warning, error) using the appropriate web platform trace method
  • Configure verbosity levels for the supported targets depending on the web platform
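As an added example (not from the page or from Microsoft's documentation), the following Python shows the two tasks above on a Python web stack: a single trace entry point with named severities, and framework logging handlers that route Verbose and Warning/Error output to separate targets. The two StringIO sinks are constructed stand-ins for the file-system and blob-storage targets, and the RedactSecrets filter is the author's addition so that connection strings never reach a log sink.

```python
import logging
import re
from io import StringIO

# Constructed stand-ins for the two diagnostics targets named above
# (file system and blob storage); a deployment attaches real handlers here.
VERBOSE_SINK = StringIO()
ERROR_SINK = StringIO()

SEVERITY = {
    "verbose": logging.DEBUG,
    "info": logging.INFO,
    "warning": logging.WARNING,
    "error": logging.ERROR,
}


class RedactSecrets(logging.Filter):
    """Mask password-like fields so a connection string never lands in a log sink."""

    _SECRET = re.compile(r"(?i)\b(password|pwd|accountkey|sharedaccesskey)=[^;\s]+")

    def filter(self, record):
        if isinstance(record.msg, str):
            record.msg = self._SECRET.sub(lambda m: m.group(1) + "=***", record.msg)
        return True


def build_app_logger(name="migrated-app"):
    """Framework logger whose handlers route by severity, replacing console prints."""
    logger = logging.getLogger(name)
    logger.setLevel(logging.DEBUG)   # the logger emits everything; handlers filter
    logger.propagate = False
    logger.handlers.clear()          # keep the function idempotent
    logger.filters.clear()
    logger.addFilter(RedactSecrets())

    fmt = logging.Formatter("%(asctime)s %(levelname)s %(name)s: %(message)s")

    verbose = logging.StreamHandler(VERBOSE_SINK)   # "Verbose" target: every level
    verbose.setLevel(logging.DEBUG)
    verbose.setFormatter(fmt)
    errors = logging.StreamHandler(ERROR_SINK)      # "Warning/Error" target only
    errors.setLevel(logging.WARNING)
    errors.setFormatter(fmt)

    logger.addHandler(verbose)
    logger.addHandler(errors)
    return logger


def trace(logger, severity, message):
    """Single entry point the migrated code calls instead of console.log / Trace.Write."""
    logger.log(SEVERITY[severity], message)


def _lines(sink):
    return [line for line in sink.getvalue().splitlines() if line]


def emit_sample_events():
    """Log constructed events at each severity and return what each target received."""
    for sink in (VERBOSE_SINK, ERROR_SINK):
        sink.seek(0)
        sink.truncate(0)
    log = build_app_logger()
    trace(log, "verbose", "cache warm-up started")
    trace(log, "info", "connecting with Server=db.internal;Password=hunter2")  # constructed
    trace(log, "warning", "access token expires in 60s")
    trace(log, "error", "database connection failed")
    print("printed to the console: invisible to the diagnostics pipeline")
    return {"verbose": _lines(VERBOSE_SINK), "errors": _lines(ERROR_SINK)}


if __name__ == "__main__":
    for target, lines in emit_sample_events().items():
        print(target, *lines, sep="\n  ")
```

Running the block shows four lines on the verbose target, two on the error target, the password field masked in both, and the print() call appearing only on the console, which is exactly the output a diagnostics pipeline cannot collect.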

Reference

https://azure.microsoft.com/en-gb/documentation/articles/web-sites-enable-diagnostic-log

Application Logging Good Practices

Log messages must be issued through OS-agnostic logging mechanisms, using the framework’s built-in capabilities or a proper third-party logging system.

BOOSTER | LOW

Usage of Console/Debug Functions

Log messages must not be sent via debug or OS-specific mechanisms such as the console, as reading them would then require direct access to the execution environment.

ROADBLOCK | LOW | CODE

Persistent Files

Technical Gap

Files generated on an Azure Web App virtual machine instance are not persisted: if the machine goes down or the site moves to another machine, those files are lost.

Migration Path

Files that need to be persisted must be stored in Azure Blob Storage.

Identified Tasks

  • Declare a Blob Storage management class
  • Implement file management methods (CRUD) on Blob Storage
  • Initialize the corresponding management objects after retrieving the connection string to the service
  • Replace the current CRUD calls with calls to the new (asynchronous) methods

Reference

https://msdn.microsoft.com/en-us/library/microsoft.windowsazure.storage.blob.cloudblockblob.aspx

Directory Manipulation Bad Practices

Manipulating local directories requires specific permissions and usually assumes a predefined directory structure exists. In the Cloud, it is not possible to make such assumptions.

ROADBLOCK | MEDIUM | CODE | FRAMEWORK | ARCHITECTURE

File Manipulation Bad Practices

Manipulating local files requires specific permissions and usually assumes a predefined directory structure exists. In the Cloud, it is not possible to make such assumptions.

ROADBLOCK | MEDIUM | CODE | FRAMEWORK | ARCHITECTURE

Temporary Files

Technical Gap

Azure Web Apps come with a dedicated physical folder for temporary files on the hosting VM. This folder path may differ from the default path in an on-premise environment.

Migration Path

The temporary files path is defined in the environment variable %TEMP%, so one solution is to call Path.GetTempPath() to obtain it. Another solution is to use blob objects in Azure to simulate temporary files.

Identified Tasks

  • Using the temp path only requires keeping the existing code and replacing the way the temp folder is resolved
  • Using Azure blob storage involves the same tasks as those described in “Persistent Files”

Reference

https://code.msdn.microsoft.com/How-to-store-temp-files-in-d33bbb10

Access to Environment Variables from Code

Environment variables are OS-dependent and as such, not Cloud-friendly. Additionally, their existence in a Cloud environment cannot be guaranteed.

ROADBLOCK | LOW | CODE | FRAMEWORK | ARCHITECTURE

Explicit Usage of GetTempPath

Manipulating temporary files on the local file-system requires specific permissions which may not be available in a Cloud environment.

ROADBLOCK | LOW | CODE | FRAMEWORK | ARCHITECTURE

Application Settings Configuration

Technical Gap

Developers can store key-value string pairs in Azure as part of the configuration information associated with a website, so application settings should no longer be declared in the configuration files (*.config).

Migration Path

App settings are represented as name-value pairs made available to the web application when it starts. The mechanism used to access these values depends on the web platform the application is written for:

  • If the application is built using .NET, the values of app settings are accessed in the same way as AppSettings values stored in web.config.
  • If the application is built using another supported web platform, such as Node.js, PHP, Python or Java, app settings are presented to the application as environment variables.

Identified Tasks

  • Implement “access to the settings” methods that read the environment variables if the web platform is not .NET
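Added example, not code from the page or from Azure's SDKs: a settings accessor for a non-.NET stack that reads app settings from environment variables, checks their shape, and reports missing names without echoing values. The APPSETTING_ prefix and the <TYPE>CONNSTR_ connection-string prefixes are the author's assumptions about how App Service injects these variables on Windows (verify against the reference below for your stack); SAMPLE_ENV is constructed.

```python
import os


class SettingError(KeyError):
    """Raised for a missing required setting or a value of the wrong shape."""


# Assumed App Service convention: connection strings arrive as <TYPE>CONNSTR_<name>.
CONNSTR_PREFIXES = ("SQLAZURECONNSTR_", "SQLCONNSTR_", "MYSQLCONNSTR_", "CUSTOMCONNSTR_")
# Names containing these markers are masked in diagnostic output.
SENSITIVE_MARKERS = ("SECRET", "PASSWORD", "KEY", "TOKEN", "CONNSTR")

TRUE_WORDS = {"1", "true", "yes", "on"}
FALSE_WORDS = {"0", "false", "no", "off"}


def is_sensitive(name):
    upper = name.upper()
    return any(marker in upper for marker in SENSITIVE_MARKERS)


class AppSettings:
    """Settings accessor for stacks where app settings arrive as environment variables."""

    def __init__(self, environ=None, prefix="APPSETTING_"):
        # prefix: assumed APPSETTING_ prefix added by App Service on Windows; the bare
        # name is tried second so the same class works on a developer machine.
        self._env = os.environ if environ is None else environ
        self._prefix = prefix

    def _lookup(self, name):
        for key in (self._prefix + name, name):
            if key in self._env:
                return self._env[key]
        return None

    def get(self, name, default=None, required=False):
        value = self._lookup(name)
        if value is None:
            if required:
                raise SettingError(f"required setting {name!r} is not configured")
            return default
        return value

    def get_int(self, name, default=None, required=False):
        raw = self.get(name, None, required)
        if raw is None:
            return default
        try:
            return int(raw)
        except ValueError:
            raise SettingError(f"setting {name!r} must be an integer") from None

    def get_bool(self, name, default=False, required=False):
        raw = self.get(name, None, required)
        if raw is None:
            return default
        word = raw.strip().lower()
        if word in TRUE_WORDS:
            return True
        if word in FALSE_WORDS:
            return False
        raise SettingError(f"setting {name!r} must be a boolean word")

    def get_connection_string(self, name, required=True):
        for prefix in CONNSTR_PREFIXES:
            if prefix + name in self._env:
                return self._env[prefix + name]
        if required:
            raise SettingError(f"connection string {name!r} is not configured")
        return None

    def missing(self, names):
        """Names (never values) of required settings that are absent: safe to log."""
        return [n for n in names if self._lookup(n) is None]

    def redacted(self, names):
        """Diagnostic snapshot with secret-looking values masked."""
        out = {}
        for n in names:
            value = self._lookup(n)
            out[n] = "***" if value is not None and is_sensitive(n) else value
        return out


# Constructed environment standing in for what the portal injects at start-up.
SAMPLE_ENV = {
    "APPSETTING_FEATURE_EXPORT": "true",
    "APPSETTING_MAX_PAGE_SIZE": "50",
    "SQLAZURECONNSTR_MainDb": "Server=tcp:db.example;Database=app;Password=constructed",
    "STORAGE_ACCOUNT_KEY": "constructed-key-value",
}


if __name__ == "__main__":
    s = AppSettings(SAMPLE_ENV)
    print(s.get_bool("FEATURE_EXPORT"), s.get_int("MAX_PAGE_SIZE"))
    print(s.missing(["FEATURE_EXPORT", "NOT_THERE"]))
    print(s.redacted(["FEATURE_EXPORT", "STORAGE_ACCOUNT_KEY"]))
```

Passing the environment mapping in explicitly (rather than reading os.environ inside every accessor) is what makes start-up validation testable; calling missing() once at start-up and failing fast is cheaper than discovering an absent connection string on the first request.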

Reference

https://azure.microsoft.com/en-us/blog/windows-azure-web-sites-how-application-strings-and-connection-strings-work

Presence of Web Configuration

Application settings must be defined in a Cloud-friendly storage. Web configuration files are designed for such usage.

BOOSTER | LOW

Presence of Application Settings Configuration Manager

Application settings must be defined in a Cloud-friendly storage. Using a configuration manager helps attaining that goal.

BOOSTER | LOW

Presence of other configuration files than web configuration

Storing application settings in external files that cannot be managed from the Cloud platform is not recommended, as such settings will not be easily changeable.

ROADBLOCK | LOW | CODE

Registry Settings

Technical Gap

Access to the system registry in the Web app instance VMs is restricted. Apps have read-only access to much of the registry of the virtual machine they are running on. Write-access to the registry is blocked, including access to any per-user registry keys.

Migration Path

The migration will have to handle system keys and application keys differently. System keys are not to be kept. Application keys have to be stored through another mechanism; our recommendation is to use Azure Table Storage.

Identified Tasks

  • System keys: remove access to system keys (system information and COM)
  • Application keys:
    • Create an Azure Storage table to hold the application key parameters
    • Declare an application keys class based on the Azure Table Storage APIs
    • Implement methods for adding and retrieving parameters
    • Call these methods in place of the existing accesses to the registry hive

Reference

https://azure.microsoft.com/en-us/documentation/articles/web-sites-available-operating-system-functionality
https://msdn.microsoft.com/en-us/library/microsoft.windowsazure.storage.table.cloudtable.aspx

Usage of the Registry class

Application settings must not be defined in OS-specific storage such as Windows Registry, because it may not be available or accessible to the application.

ROADBLOCK | MEDIUM | CODE | FRAMEWORK

Usage of Azure CloudTable

Application settings should be stored in a Cloud storage service such as Azure CloudTable.

BOOSTER | LOW

Access Control List

Technical Gap

Cloud Storage does not provide access control lists.

Migration Path

Rewrite the content security logic as an application-level security implementation.

Identified Tasks

Identify usage of System.Security.AccessControl related functions. The new implementation will be defined on a case-by-case basis.
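Added example of the application-level replacement this task describes; it is not the page's code. Authorization decisions are made from token claims (oid, roles and groups are Azure AD claim names) against an application-owned share table instead of file-system ACLs, deny by default, and each decision carries a reason string for the audit trail. The Admin role name and the sample resource and principals are constructed.

```python
from dataclasses import dataclass, field

ACTIONS = frozenset({"read", "write", "delete"})
ADMIN_ROLE = "Admin"   # assumed app role name assigned in the directory


@dataclass(frozen=True)
class Principal:
    """Who is asking, built from token claims rather than from an OS identity."""
    subject: str
    roles: frozenset = frozenset()
    groups: frozenset = frozenset()


@dataclass
class Resource:
    """Application-level replacement for a file-system ACL entry."""
    path: str
    owner: str
    shares: dict = field(default_factory=dict)   # subject or group id -> granted actions


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str   # written to the audit log alongside subject, path and action


def principal_from_claims(claims):
    """Map decoded Azure AD claims to a Principal. Signature and issuer validation
    of the token is assumed to have happened upstream (e.g. App Service authentication)."""
    return Principal(
        subject=claims["oid"],
        roles=frozenset(claims.get("roles", ())),
        groups=frozenset(claims.get("groups", ())),
    )


def decide(principal, resource, action):
    """Deny by default: allow only the owner, an explicit share, or the admin role."""
    if action not in ACTIONS:
        return Decision(False, f"unknown action {action!r}")
    if ADMIN_ROLE in principal.roles:
        return Decision(True, "admin role")
    if principal.subject == resource.owner:
        return Decision(True, "owner")
    for grantee in (principal.subject, *sorted(principal.groups)):
        if action in resource.shares.get(grantee, ()):
            return Decision(True, f"shared with {grantee}")
    return Decision(False, "no matching grant")


def authorize(principal, resource, action):
    return decide(principal, resource, action).allowed


# Constructed sample data: one document and five callers.
REPORT = Resource(path="reports/q1.pdf", owner="user-alice",
                  shares={"group-finance": {"read"}, "user-carol": {"read", "write"}})
ALICE = principal_from_claims({"oid": "user-alice"})
BOB = principal_from_claims({"oid": "user-bob", "groups": ["group-finance"]})
CAROL = principal_from_claims({"oid": "user-carol"})
DAVE = principal_from_claims({"oid": "user-dave", "roles": ["Admin"]})
EVE = principal_from_claims({"oid": "user-eve"})


if __name__ == "__main__":
    for who, action in ((ALICE, "delete"), (BOB, "write"), (CAROL, "write"), (EVE, "read")):
        d = decide(who, REPORT, action)
        print(f"{who.subject} {action} {REPORT.path}: {d.allowed} ({d.reason})")
```

Keeping the grant table in application storage (a table or database row per resource) rather than on the file system is what removes the dependency on the user's OS identity; the Decision reason makes it possible to answer "why was this allowed" from the logs without re-running the check.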

Reference

https://msdn.microsoft.com/fr-fr/library/system.security.accesscontrol(v=vs.110).aspx

Detect usage of Access Control List

Managing user rights based on ACL assumes that the application is running in the identity context of the user, which is not available in a Cloud environment.

ROADBLOCK | CRITICAL | CODE | FRAMEWORK | ARCHITECTURE

Code Execution

Technical Gap

App Service doesn’t configure any web framework settings to restricted modes such as “full” trust. Web frameworks, including both classic ASP and ASP.NET, can call in-process COM components (but not out of process COM components) like ADO (ActiveX Data Objects) that are registered by default on the Windows operating system.

Apps can spawn and run arbitrary code. It is allowable for an app to do things like spawn a command shell or run a PowerShell script. However, even though arbitrary code and processes can be spawned from an app, executable programs and scripts are still restricted to the privileges granted to the parent application pool.

Migration Path

Adapt the application code, first checking whether the existing application depends on specific components or on privileges that are restricted in App Service.

Identified Tasks

  • Validate the application privileges prerequisites
  • Replace unsupported components with supported in-process equivalents and libraries

Reference

https://azure.microsoft.com/en-us/documentation/articles/web-sites-available-operating-system-functionality

References to COM components

ROADBLOCK | HIGH | CODE | FRAMEWORK

Data Encryption Keys

Technical Gap

If the application is using encryption keys, these keys must themselves be secured to prevent data theft.

Migration Path

Our recommendation is to use the Azure Key Vault service to secure the strings. Note that the algorithm used by Key Vault is RSA (software-protected or HSM-protected); existing data will therefore have to be read and re-encrypted with the new algorithm.

Identified Tasks

  • Rewrite the existing encryption code to implement the encryption/decryption methods with the Azure Key Vault service

Reference

https://msdn.microsoft.com/en-us/library/azure/mt134054.aspx
https://msdn.microsoft.com/en-us/library/azure/microsoft.azure.keyvault.keyvaultclient.decryptasync.aspx
https://msdn.microsoft.com/en-us/library/azure/abd1b743-1d58-413f-afc1-d08ebf93828a#BKMK_KeyTypes

Usage of Azure KeyVault Encryption Mechanism

BOOSTER | LOW

Execution Environment

Technical Gap

To be completed.

Migration Path

To be completed.

Identified Tasks

To be completed.

Reference

To be completed.

Application Server Dependencies

ROADBLOCK | HIGH | CODE | FRAMEWORK

Inter-Application Messaging

Technical Gap

The existing application may use asynchronous messaging middleware that sends data between decoupled systems. These messaging environments are not natively integrated in Azure PaaS services.

Migration Path

There are several messaging alternatives in Azure. In the inter-application communication context, our recommendation is to use Azure Service Bus messaging.

Identified Tasks

  • Create a Service Bus queue
  • Define and generate the different message types
  • Send messages to the queue
  • Check for and read messages from the queue

Reference

https://azure.microsoft.com/en-us/documentation/articles/service-bus-fundamentals-hybrid-solutions/

https://azure.microsoft.com/en-us/documentation/articles/service-bus-dotnet-how-to-use-queues

Usage of Azure Service Bus

BOOSTER | LOW

Sensitive Data Storage Protection

Technical Gap

It’s common to have application settings that are sensitive and must be protected, such as database or cache connection strings, passwords, and so on. This data should be protected in a centralized secured store.

Migration Path

If you are targeting an Azure Web App you can add the actual values for these settings in the Azure Portal. By doing this, the actual values are no longer in the web.config but protected via the Azure Portal, where you have separate access control capabilities. To go one step further in data protection, our recommendation is to use Azure Key Vault, a cloud-hosted service for managing secrets.

Identified Tasks

  • Integrate the Azure Key Vault communication logic
  • Change the connection method to retrieve the connection string from Azure Key Vault

Reference

https://msdn.microsoft.com/en-us/library/azure/microsoft.azure.keyvault.aspx

https://azure.microsoft.com/en-us/documentation/articles/key-vault-use-from-web-application

Usage of Azure KeyVault

BOOSTER | LOW

Services & Scheduled Tasks

Technical Gap

Windows services or scheduled tasks cannot be deployed on Azure Web Apps.

Migration Path

The corresponding feature has to be implemented as continuous or scheduled WebJobs, or as Azure Functions.

Identified Tasks

  • Transform and adapt the existing service or scheduled task code to the required interfaces

Reference

https://azure.microsoft.com/en-us/documentation/articles/web-sites-create-web-jobs

https://azure.microsoft.com/en-us/documentation/articles/functions-overview

Shared Caching

Technical Gap

If the on-premise application is using a centralized global cache, an equivalent solution should be implemented on Azure.

Migration Path

The recommended way is to migrate the cache mechanism to Azure Redis Cache. The Redis cache is instantiated from a connection string, which has to be secured; Azure Key Vault is the right place to keep this sensitive information.

Identified Tasks

  • Create a Redis cache on Azure
  • Implement Redis cache management as a singleton class
  • Implement class initialization: call Azure Key Vault to retrieve the connection string to the Redis cache from the vault
  • Implement methods for adding global data to and retrieving it from this cache
  • Call the replacement methods in place of the existing cache calls
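Added example of the singleton described in the tasks above, written in Python; it is not the page's code and makes no Azure call. SecretProvider stands for the Key Vault lookup and FakeRedis for the Redis client, both constructed so the block runs offline, and the secret name redis-connection-string is assumed. The connection string is fetched from the vault once at initialization, handed to the client, and never stored on the manager or exposed through its repr.

```python
import threading


class SecretProvider:
    """Interface the cache manager depends on; in production an Azure Key Vault
    client sits behind it (assumed; no SDK call is made in this example)."""

    def get_secret(self, name):
        raise NotImplementedError


class FakeVault(SecretProvider):
    """Constructed stand-in for Key Vault that also counts how often it is asked."""

    def __init__(self, secrets):
        self._secrets = dict(secrets)
        self.calls = 0

    def get_secret(self, name):
        self.calls += 1
        return self._secrets[name]


class FakeRedis:
    """Dictionary-backed stand-in for a Redis client (get/set/delete)."""

    def __init__(self, connection_string):
        # Keep only the non-secret host part for diagnostics; drop the rest.
        self.host = connection_string.split(",")[0]
        self._data = {}

    def get(self, key):
        return self._data.get(key)

    def set(self, key, value):
        self._data[key] = value

    def delete(self, key):
        self._data.pop(key, None)


class CacheManager:
    """Process-wide cache access point: one client, created lazily and thread-safely."""

    _instance = None
    _lock = threading.Lock()
    SECRET_NAME = "redis-connection-string"   # assumed Key Vault secret name

    def __init__(self, vault, connect):
        # The connection string is read once and passed straight to the client;
        # it is deliberately not kept as an attribute.
        self._client = connect(vault.get_secret(self.SECRET_NAME))

    @classmethod
    def instance(cls, vault, connect):
        if cls._instance is None:
            with cls._lock:                 # double-checked so the vault is hit once
                if cls._instance is None:
                    cls._instance = cls(vault, connect)
        return cls._instance

    @classmethod
    def reset(cls):
        """Drop the singleton (tests and credential rotation)."""
        with cls._lock:
            cls._instance = None

    def put(self, key, value):
        self._client.set(key, value)

    def fetch(self, key):
        return self._client.get(key)

    def evict(self, key):
        self._client.delete(key)

    def __repr__(self):
        return f"CacheManager(host={self._client.host!r})"


# Constructed vault content; the connection string format mimics the usual
# "host:port,password=...,ssl=True" shape and contains no real credential.
SAMPLE_VAULT = FakeVault({"redis-connection-string": "cache.example:6380,password=constructed,ssl=True"})


if __name__ == "__main__":
    cache = CacheManager.instance(SAMPLE_VAULT, FakeRedis)
    cache.put("session:42", "alice")
    print(cache, cache.fetch("session:42"), "vault calls:", SAMPLE_VAULT.calls)
```

Swapping FakeRedis for a real client and FakeVault for a Key Vault-backed provider changes only the two arguments to instance(); the rest of the application keeps calling put/fetch/evict.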

Reference

https://github.com/mspnp/azure-guidance/blob/master/Caching.md

https://msdn.microsoft.com/en-us/library/azure/microsoft.azure.keyvault.aspx

Usage of a Cache Management Framework

BOOSTER | LOW

Third-Party External Dependencies

Technical Gap

In the cloud, application services generally run in a secure environment called a sandbox. The sandbox restricts access to shared components of Windows, including many core components: the registry, cryptography, and the User32/GDI32 graphics subsystems.

Migration Path

Adapt the application code, first checking whether the existing application has third-party external dependencies. Examples are PDF generators that fail because of the restrictions mentioned above (Syncfusion, Siberix, Nreco, Spire.PDF). Also check for dependencies that are not supported, such as PhantomJS/Selenium, which try to connect to a local address and also use GDI+.

Identified Tasks

Detect usage of the registry, cryptography and graphics APIs, usage of DllImport, and calls to components that depend on unsupported third-party dependencies. Replace unsupported components with supported in-process equivalents and libraries (e.g. the SQL Reporting framework for PDF generation).
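The detection task above can be partly automated. The following Python scanner is an added example (not from the page or from the Kudu project): it runs a rule table over C# source and reports each hit with the roadblock rating the page gives where one exists. The mapping of the page's wording to .NET identifiers (Registry class, System.Security.AccessControl, GDI+ via System.Drawing, COM activation, P/Invoke, Process.Start, GetTempPath, GetEnvironmentVariable) is the author's, so it also covers the Registry, GetTempPath, environment-variable and COM roadblocks listed in the earlier sections; SAMPLE_CSHARP is a constructed file.

```python
import re
from dataclasses import dataclass

# Rule table: category, rating from the page where it rates the roadblock
# ("unrated" otherwise), and the pattern to look for.
RULES = [
    ("registry", "MEDIUM", re.compile(
        r"\bMicrosoft\.Win32\b|\bRegistry(?:Key)?\.(?:OpenSubKey|SetValue|GetValue|CurrentUser|LocalMachine)\b")),
    ("acl", "CRITICAL", re.compile(
        r"\bSystem\.Security\.AccessControl\b|\bGetAccessControl\b|\bSetAccessControl\b")),
    ("com", "HIGH", re.compile(r"\bGetTypeFromProgID\b|\bGetTypeFromCLSID\b|\bComImport\b")),
    ("pinvoke", "unrated", re.compile(r"\[\s*DllImport\b")),
    ("gdi", "unrated", re.compile(r"\bSystem\.Drawing\b")),
    ("process", "unrated", re.compile(r"\bProcess\.Start\s*\(")),
    ("tempfile", "LOW", re.compile(r"\bPath\.GetTempPath\s*\(")),
    ("envvar", "LOW", re.compile(r"\bEnvironment\.GetEnvironmentVariable\s*\(")),
]


@dataclass(frozen=True)
class Finding:
    file: str
    line: int
    category: str
    severity: str
    excerpt: str


def scan_source(text, filename="<memory>"):
    """Return one Finding per (line, rule) hit; single-line comments are skipped."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith("//"):
            continue
        for category, severity, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(filename, number, category, severity, stripped))
    return findings


def summarize(findings):
    """Category -> hit count, the shape a migration assessment report wants."""
    counts = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


# Constructed legacy source exercising every rule except envvar.
SAMPLE_CSHARP = r"""using System;
using System.Drawing;
using Microsoft.Win32;
using System.Security.AccessControl;

class LegacyReport
{
    [DllImport("gdi32.dll")] static extern int GetDeviceCaps(IntPtr hdc, int index);

    void Load()
    {
        // Registry.GetValue(...) is commented out, so it must not be flagged
        var key = Registry.LocalMachine.OpenSubKey(@"SOFTWARE\Contoso");
        var temp = Path.GetTempPath();
        var ado = Type.GetTypeFromProgID("ADODB.Connection");
        var acl = File.GetAccessControl(temp);
        System.Diagnostics.Process.Start("cmd.exe", "/c dir");
    }
}
"""


if __name__ == "__main__":
    hits = scan_source(SAMPLE_CSHARP, "LegacyReport.cs")
    for f in hits:
        print(f"{f.file}:{f.line} [{f.severity}] {f.category}: {f.excerpt}")
    print(summarize(hits))
```

A regex scan of this kind is a first pass, not a substitute for the sandbox reference above: it cannot see dependencies pulled in through NuGet packages or reflection, so the findings are a starting list for the case-by-case review the tasks call for.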

Reference

https://github.com/projectkudu/kudu/wiki/Azure-Web-App-sandbox