Is your code in VSTS safe? - 2
In the first part of this blog post, I discussed the key aspects that need to be considered when controlling access. In this second and final part, let's take a look at some of the solutions available for VSTS.
Azure Active Directory Device Registration could have been an option if it supported VSTS; unfortunately, at this time it supports only O365 and Dynamics Online as hosted services, not VSTS. Even if it were supported, device registration is a fairly complex process to set up and manage, and it won't help if you have users on Linux or Mac working in the Eclipse IDE. So let us look at other options!
- Option-1: Use Network Access Control (NAC) in the office network to prevent unauthorized endpoints from connecting to your office network or your office's extended networks and accessing resources within those networks (for example, resources hosted in a third-party datacenter that are connected to and trusted by your office network). NAC can also ensure that the endpoint is a trusted one, as it can verify whether the endpoint has an approved DLP agent installed as per company policy.
- Option-2: Provide virtualized desktops with sufficient controls to trusted users. This way it does not matter whether they use their own endpoint or a company-trusted one: access to the code in VSTS is done from the virtual desktop, which is always a Trusted Endpoint.
Both of the above options work well if users always work from the office and thus access the code only from the office network. What if they need to work from home? (Remember the work styles listed in the first part?) This needs another element to ensure the user connects to the office network first and then uses it to reach VSTS. So you need a VPN solution, and if you plan to go with the NAC option, the VPN solution should be integrated with the NAC as well.
Thus, the answer to the question I started with, "how do you provide conditional access to your code in VSTS", requires you to combine the solution components for the three aspects described above: a trusted user, a trusted endpoint and a trusted network. Your solution will look somewhat like this (refer to Figure 1):
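The three checks that the combined solution enforces (is the user allowed, did the request come through the office or VPN network, did the endpoint pass the NAC posture check) can be modelled as a small policy engine, which is also handy for auditing sign-in logs for access that bypassed the trusted path. The following is an added example written for this post, not code from Microsoft or from any NAC/VPN product; the network ranges, the user list and the log line format are constructed for illustration only.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed values for this example: the public egress ranges of the office
# network and of the corporate VPN concentrator. In a real deployment these
# come from the network team, not from a script.
TRUSTED_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),   # office NAT egress (constructed)
    ipaddress.ip_network("198.51.100.0/25"),  # VPN concentrator egress (constructed)
]

# Constructed list of users who are allowed to reach the VSTS project at all.
TRUSTED_USERS = {"alice@contoso.example", "bob@contoso.example"}


@dataclass
class AccessRequest:
    user: str
    source_ip: str
    # True when the endpoint passed the NAC posture check (e.g. approved DLP
    # agent present) or when the session originates from a virtual desktop.
    endpoint_trusted: bool


def from_trusted_network(source_ip: str) -> bool:
    """Return True if the source address falls inside an office or VPN range."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False  # a malformed address is never trusted
    return any(addr in net for net in TRUSTED_NETWORKS)


def evaluate(req: AccessRequest) -> Tuple[bool, str]:
    """Apply the three checks in order: trusted user, trusted network, trusted endpoint."""
    if req.user not in TRUSTED_USERS:
        return False, "user not authorised for this project"
    if not from_trusted_network(req.source_ip):
        return False, "source address outside office/VPN networks"
    if not req.endpoint_trusted:
        return False, "endpoint failed NAC posture check"
    return True, "allowed"


# Hypothetical sign-in log format, constructed only for this example.
_LOG_RE = re.compile(r"user=(?P<user>\S+) ip=(?P<ip>\S+) posture=(?P<posture>pass|fail)")


def parse_log_line(line: str) -> AccessRequest:
    """Turn one constructed log line into an AccessRequest."""
    m = _LOG_RE.search(line)
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    return AccessRequest(m["user"], m["ip"], m["posture"] == "pass")


def audit(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (user, ip, reason) for every request in the batch that should be denied."""
    denied = []
    for line in lines:
        req = parse_log_line(line)
        ok, reason = evaluate(req)
        if not ok:
            denied.append((req.user, req.source_ip, reason))
    return denied


# Constructed sample sign-in events: two on the trusted path, three that are not.
SAMPLE_LOG = [
    "2017-05-01T09:02:11Z user=alice@contoso.example ip=203.0.113.7 posture=pass",
    "2017-05-01T09:05:43Z user=bob@contoso.example ip=198.51.100.9 posture=pass",
    "2017-05-01T12:17:02Z user=bob@contoso.example ip=192.0.2.44 posture=pass",
    "2017-05-01T13:40:19Z user=alice@contoso.example ip=203.0.113.21 posture=fail",
    "2017-05-01T14:01:55Z user=mallory@example.net ip=203.0.113.8 posture=pass",
]

if __name__ == "__main__":
    for user, ip, reason in audit(SAMPLE_LOG):
        print(f"DENY {user} from {ip}: {reason}")
```

The order of the checks matters: the user check comes first so that an unknown account is rejected before any network or device detail is consulted, and a request from home that did not go through the VPN fails the network check even when the laptop itself is compliant, which is exactly the gap the VPN component closes.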
This will give you an idea of how you can deal with this situation. You may read the Microsoft documentation on Azure Active Directory based authentication for VSTS here, and on Azure Conditional Access for SaaS Apps here.
In fact, with this solution, you can implement conditional access to most SaaS apps!
Some of the solution aspects given above may have alternate options as well. While I've not covered all of them, you may provide comments and share your views. The options differ in their advantages and disadvantages in terms of cost and performance, so they require careful consideration when choosing between them and implementing the solution.