How To Enable Phishing Resistant Authentication in GCC High in Azure with Entra CBA
04 Jul 2025

How To Get Started with Phishing Resistant Authentication in Azure GCC High with Entra CBA

You are working with government, so you probably already know about smartcard authentication and PIV, and you are probably sweating now that, thanks to Executive Order 14028, you have to implement phishing resistant authentication in Azure GCC High. But what if I told you that it doesn’t have to suck? That you can set up Azure Certificate Based Authentication (CBA) in a few hours (less than an hour in public cloud), and that it will improve not only your security but also your user experience and productivity? In this blog we will walk you through how to set up Azure CBA in Azure GCC High, and how to use it with smart cards and YubiKeys. Below you can see a video of how simple it is to set it up in public cloud.

How to Implement Phishing Resistant Authentication in Azure GCC High Without On-Premise Active Directory

With the move to the cloud, many organizations are looking for ways to implement phishing resistant authentication without the need for an on-premise Active Directory. To help with this, Microsoft introduced Entra Certificate Based Authentication (CBA). This allows organizations to use certificates for authentication without the need for an on-premise Active Directory or Active Directory Federation Services (ADFS). And before you start yelling: yes, you still need to have a Certificate Authority (CA) in place, and a way to manage the smartcards and user certificates. That is where EZCMS and EZCA come in. EZCMS is a solution that allows you to manage smart cards and user certificates in a simple and easy way, and if you do not have an on-prem CA, EZCA is a solution that allows you to manage your Certificate Authority in Azure. Together, they provide a complete solution for implementing phishing resistant authentication in Azure GCC High.

How to Implement EZCMS in Azure GCC High for Passwordless Authentication

Unfortunately, due to the nature of Azure GCC High, you cannot use the public cloud version of EZCMS and EZCA, which are hosted on your behalf by Keytos. Instead, you will need to set up EZCMS and EZCA in your own Azure GCC High environment. This is a bit more complex than the public cloud version, but it is still super easy to set up. Since our tools were designed by ex-Microsoft engineers to be easy to set up and manage in Azure, all our tools use Azure PaaS services, so you do not need to worry about managing any infrastructure. You can see below a diagram of the resources that you will need to set up EZCMS and EZCA in Azure GCC High (don’t worry, we have Azure CLI scripts that you can run, and by the time you come back from lunch your resources will be ready to go).

Passwordless and PKI Solution in Azure GCC High

Cloud PKI for Azure GCC High

One of the best parts of using EZCA in Azure GCC High is that you can use it for all your PKI needs; it is not just a one-trick pony for smart card authentication. You can use it to issue certificates for your web servers, code signing, email encryption, and Intune SCEP for Wi-Fi authentication. This means that you can have a complete PKI solution in Azure GCC High without the need for an on-premise Active Directory Certificate Services (ADCS). EZCA is built on top of Azure Key Vault, which means that it is secure, scalable, and highly available. You can also use it to manage your existing PKI infrastructure if you have one.

Cheap Cloud PKI and Smartcard Management in Azure GCC High

While EZCA and EZCMS are packed with features, they are also very affordable. We understand that government organizations have tight budgets, and we want to make sure that you can implement phishing resistant authentication without breaking the bank. Since it is running on your own infrastructure, our GCC High pricing is based on a flat licensing fee ($3,000 USD per month) per tool for unlimited CAs/Users. If you have more questions, book a free identity assessment with our identity experts and we can help you achieve your passwordless goals in public or government cloud.
