Fewer credentials, more security

Steven Hemelaere
Immoweb Transformation Blog
4 min read · Dec 17, 2020


Let me tell you the story of the one Immoweb employee juggling with five different login credentials, three environments, and two VPN connections. It is a riveting one, with many mistakes, locked accounts, and frustration all around!

On second thought, let me rather explain how we succeeded in unifying all of this into one set of credentials and turned our confused users into happy ones!

Immoweb is at a turning point in the way we work. Until three years ago, our entire platform was hosted on servers in a data center, while all our internal data and tools rested on a single rack of servers in a room in our office building.
Both the data center and this internal server room were managed by our Infrastructure team of only seven people, who covered everything from the physical layer, through the network, VMware, and Windows, up to and including the application layer.

You can imagine our teams’ daily frustration at having to open Windows, log into one VPN, get their data, kill the VPN, open another VPN to the data center, open a VDI desktop, and only then develop on the platform. Now add the high level of complexity for both the Infrastructure team and end-users to understand and debug whenever something was not working, and the time needed to deliver any work.

Luckily, in Spring 2017, a new company strategy was laid out: we were to transform into a new platform, redesigned from the ground up into micro-services on AWS. At the same time, we decided to also migrate our office servers, which were nearing end-of-life, to the cloud. For our internal email and data, we chose Microsoft 365, in a bid to reduce complexity and the range of skills needed, and to greatly diminish the risk of data loss.

After making this strategic choice, an Azure AD link was set up between the on-prem devices and Microsoft 365 to reuse our existing Windows credentials. We gradually, painstakingly migrated away from the server room on the 3rd floor of our office.
We started by setting up Exchange Online and then continued by migrating our users’ data to OneDrive, and the company’s to SharePoint, all of which could be accessed with the original credentials.

We did not fully realize then how this would make our lives (and logins!) much more efficient, simpler, and straightforward in the future.

With the redesign of our platform rose the need for a new CRM; we settled on Salesforce. To handle logging into this new platform, multiple technologies were available, such as federation to our local AD or a SAML connection to Azure AD.
We chose the latter, as setting up a SAML connection between the two cloud solutions proved very simple. This lets us reuse our Azure AD credentials, which are secured through multi-factor authentication.

The mindset had shifted. From now on, we would only choose services that could be configured to use SAML.

A great example of this implementation is how our employees can now connect to our dev & test environments using Cloudflare Access; this service acts as a bastion in front of websites and terminal servers.
The environment is protected, and the login redirects to our own Azure AD.

Did I explain the MFA part? By connecting this way, services such as our internal admin portal suddenly became far more secure, as multi-factor authentication is mandatory in our Microsoft 365 cloud.

Until yesterday, when Team Leads wanted to deploy using Jenkins, they needed a VPN connection to our data center, which gave them, through yet another VPN tunnel, access to AWS, where they would then log in using … which credentials again?
Today, they simply go to our Cloudflare Access, log in with their usual credentials, and that’s it.

Our new contract management tool? You guessed it: safe and secure behind our multi-factor authenticated Azure AD.

One user, One login.
One on and off-boarding as well, by the way 😊

To sum it up: Fewer credentials, but with more security!

“But what about these VPN connections & tunnels?” You may ask. “They must be useful!”
Well, yes, in the former way of working.

After the mindset shift, the pandemic triggered a physical one.
Mandatory homeworking made it clear for everyone that the office was just a brick-and-mortar building.

And that will be for my next blog article: “Make the office serverless again!”