DEV Community

Robertino
Robertino

Posted on

💡 Why Auth0 “Shifted Left” with Azure

How we expanded customer choice while building a security-first architecture.


Choice is good. We like it when our supermarket shelves are stocked with hundreds of varieties of breakfast cereal. We pick the smartphones we use and the cars we drive. The same should be true for businesses and the technologies they use.

Today, we brought the Auth0 Identity Platform to Microsoft Azure, giving our private cloud customers the ability to pick the right infrastructure provider for their needs.

This means a greater selection of regions. Microsoft currently operates in over 60 regions around the world, making it easier to comply with data residency and sovereignty requirements.

And if you’re already running your app on Azure’s cloud servers, you’ll benefit from a converged infrastructure, with every component running on the same underlying cloud platform.

Azure

Shifting Security Left on Microsoft Azure

We’re equally excited to tell you about the development process. Auth0 has always prioritized security. Last year, we took this a step further with the adoption of “Shift-Left” principles. This puts security-related tasks at the start of the Software Development Life Cycle (SDLC), making it easier to build a stronger, more resilient product.

We remained true to these principles when building the Auth0 Identity Platform for Microsoft Azure, and are thrilled with the end result. The final product is one that reflects our Secure by Design philosophy and faithfully adheres to industry best practices.

Let’s talk about what “Shift-Left” means. This is an established term in the software development sphere, and refers to a variety of domains, both security-related and otherwise. In short, you take something that would typically happen at the end of the development lifecycle and tackle it at the beginning. Test-driven development (TDD) is a notable example.

As Auth0’s CISO Jameeka Aaron said: “Nobody wants their CISO to show up at the last minute with 800 vulnerabilities to be fixed before release.” Our security engineering team looks for vulnerabilities during the design and development phases, and remediates issues early on to prevent a last-minute crunch, or worse, having to rework the design.

At Auth0, our Shift-Left process tackles both the human and technical elements of secure software development. All code must meet strict security requirements and is constantly tested against sophisticated static analysis benchmarks.

We also provide all developers with secure coding training, with some designated as “security champions.” These employees act as liaisons between the engineering and our dedicated platform security teams. They also receive additional training to act as security advocates within their teams.

Security First Architecture

As we developed the Auth0 Identity Platform for Microsoft Azure, we emphasized “shift-left” principles and focused on building a strong security architecture at the start of the development cycle.

We established a dedicated Azure AD tenant and automated governance controls to support resource and identity isolation, required MFA and Azure PIM for privileged access, and enforced security standards with Azure Policy. Prioritizing security in the early stages of the development process is part of our Secure by Design strategy to mitigate risk and keep customers safe from cyberthreats.

The Security Engineering team is also responsible for Azure customer account provisioning and management. In Azure, these are called subscriptions. These are used to isolate private cloud environments and all the associated provisioned resources, like VMs, data storage, and more.

We built a new service for managing Azure subscriptions, and it is integrated directly into our platform infrastructure workflows. This helped to automate how we manage our Azure Private Cloud environments and dramatically improved environment creation time. This was another part of our Azure governance to keep customer environments isolated and secure.

Read more...

Discussion (0)