Contact us anytime to know more β Amit A., Founder & COO CISIN
Where should you begin in terms of Azure Security? Azure is similar to any data center in many aspects, yet it can differ dramatically regarding its security issues.
While businesses new to the platform often overlook it initially, the security of resources hosted on Azure should never be forgotten. It is essential in protecting assets against theft and loss. While Microsoft helps ensure your assets are safe with Azure, users bear much of the responsibility to keep your cloud protected and maintain it over time.
Why Azure Security?
Azure is a premier cloud computing service provider available today, boasting multiple networks, databases, storage, and more services in its platform.
Confidential information stored and accessed daily by businesses cannot allow someone else to breach security, seize control, and reveal private data - that is why so many services exist within Azure to safeguard and fortify networks - though Azure will notify users in case of major incidents automatically; there are however measures you can take yourself for additional resources safeguarding in Azure if any serious incidents arise.
Securing Azure Environment
Understand The Shared Responsibility Model
Let me briefly cover the main concepts surrounding Microsoft Azure's shared responsibility model: cloud providers' security risks experts must understand both parties have roles they must fulfill when sharing responsibility; generally, you're responsible for your data and controlling access management, though exact duties depend on which service is being utilized - see diagram below.
Microsoft's white paper on "Shared Responsibilities for Cloud Computing" offers great information regarding cloud security shared responsibility models.
Customers planning on migrating their application security or services into the cloud application must understand this shared responsibility model. However, cloud service providers offer many security policies and benefits, and the customer must still protect their users, apps, and services accordingly.
Read The Recommendations And Warnings From The Azure Security Centre
As there's nothing new here, let me start by noting Azure Security Centre, where all recommendations listed below can be found.
Starting our Azure security strategy off right begins with Azure Security Centre.
For optimal protection of Azure resources, this security tool offers alerts and suggested modifications; making use of it by regularly checking its portal for signals that require action quickly enough to remediate them as soon as possible is my first recommended practice for Azure security features; secondly using it across all subscriptions or at least those hosting production resources is another key practice I endorse for optimal protection on this cloud-computing service.
Microsoft Azure includes limited information with their basic level Azure Security Centre; Azure Security Centre Standard offers suggestions and aids in identifying security flaws; as an added incentive, they also offer a free 60-day trial version of Security Centre Standard!
Secure Identity with Azure Active Directory
Identity has quickly overtaken firewalls as the initial defense barrier of networks; Microsoft Azure, in particular, makes this point clear by publishing recommendations regarding Azure Active Directory identity security experts essential to safeguarding its cloud services and users.
These best practices comprise what Microsoft calls Azure Security best practices. These recommendations help protect users using Microsoft's authentication services, such as Azure Active Directory, to gain entry.
Microsoft recommends against centralizing identity into multiple Authoritative sources. Azure Active Directory Connect provides an ideal method of unifying on-premise and cloud resource directories into one central authority, making identity management possible in one streamlined experience.
By eliminating errors that raise security concerns or complicate configuration efforts, this "single source of truth" provides greater clarity while mitigating configuration complications and errors that would otherwise arise from multiple Authoritative sources of identity management.
Single Sign-On (SSO) is another feature Azure Active Directory offers when combined with your on-premises directory.
SSO allows one identity to access all necessary resources locally and online; multiple passwords increase exposure, while SSO reduces this risk.
Implement two-factor or multi-factor authentication for users attempting to gain entry to Microsoft Azure once they begin using the Azure Active Directory.
MFA strengthens security threats while still offering seamless Single Sign On (SSO). It will provide greater protection and access to resources protection of Azure resources.
Limit Subscription Owners
This Azure Security best practice is fairly straightforward: only three users but multiple subscription owners should hold owner permissions.
You should ideally designate one "break-glass" account as an emergency backup and two reliable Azure Administrators or "Product owners," also referred to as Product owners, to act as actual subscription owners(s).
Control Network Access
Network access in the Azure app service must be strictly managed, just like any data center. I recommend adopting the "protection rings" strategy of creating multiple security rings around and between protected resources to maximize protection.
When applying this approach to Azure resources, typically using its built-in firewall (Azure Firewall) or one from third-party virtual network appliances forming the first perimeter ring may serve this function; other elements commonly found here may include firewall rules, intrusion detection/prevention systems (IDS/IPS), web content filtering rules firewall policies as well as DDoS prevention/prevention tools such as antivirus application controls network antimalware tools, etc.
Use network security groups in Azure subnets to block unwanted traffic from entering or leaving. A Virtual Network (VNet) supports open communications among its subnets by default; using security zones and roles created with network security groups, you can control network access between subnets - so be sure to link each subnet with one appropriately configured security requirements group!
As previously discussed, applying an NSG to the virtual machine network interface forms the third ring of virtual server security recommendations.
As mentioned, such an NSG controls traffic between its host computer and virtual machines. Take steps to minimize Internet exposure with dedicated WAN connections from Azure storage; ExpressRoute and site-to-site VPN are great choices.
Disable Remote Access (RDP/SSH)
At Azure virtual machines, it is highly advised that both SSH and RDP access should be disabled to protect them from internet vulnerabilities.
In reality, just-in-time (JIT) virtual machine access via an encrypted dedicated connection such as VPN or ExpressRoute should provide both RDP and SSH access simultaneously.
Once Azure Security Centre Standard has been enabled, Just-in-time virtual machine access should also be activated to reduce brute-force attack vulnerabilities while making Secure Shell and Remote Desktop connection easy for virtual machines (VMs).
Microsoft reports Brute Force attacks as being among the most frequently utilized attacks, so Just-In-Time Virtual Machine Access uses NSG rules for secure configuration and provides access to only authorized users.
Azure then shuts off these ports after three hours have elapsed to reduce attack vulnerability.
Just-In-Time Virtual Machine Access from Azure information protection Active Directory with Role Based Access Control permissions provides users access to virtual machines (VM).
This shows how identity has become the cornerstone of the security team, as was mentioned previously.
Protect And Update Your Virtual Machine
As in an on-premise data center, cloud servers require protection from malicious code in their operating systems.
Antivirus and antimalware protection should also be employed; I suggest that Microsoft antimalware and Windows Defender Advanced Threat Protection (ATP) work together seamlessly within Azure Security Centre as one convenient place.
Azure provides the Update Management solution - an automated method of applying updates to Windows Virtual Machines hosted on Azure.
Microsoft still mandates system updates on these virtual machines; additionally, Azure Security Centre can identify and install any pertinent security control updates for you.
Safeguard Sensitive Data
Secure storage for confidential data like keys, secrets, and certificates is vital in the Microsoft Azure cloud environment.
Azure Key Vault should be utilized to safeguard cryptographic keys used by cloud apps and services, with each vault containing its role-based access control (RBAC) list for added protection of cryptographic keys used within cloud apps and services.
Enable Encryption
Use encryption to safeguard your data stored on Microsoft Azure - in transit and at rest - using either default settings or manually switching on encryption based on specific scenarios.
Sometimes, encryption should be turned on automatically, while other times, it needs to be switched on manually.
Storage Service Encryption for Azure Managed Disks automatically achieves encryption at rest for Managed Discs created, using encryption keys managed by Microsoft, and can automatically achieve data protection at rest for these discs.
I also advise manually activating the Azure Disc Encryption feature if your drive contains sensitive information. Encrypting Azure SQL databases transparently should protect their files on disc.
Conclusion
Azure security presents unique challenges, yet it can provide just as much safety when implemented properly.
While these Azure Security Best Practices may assist in getting you started on this path to safety, technical knowledge and practical training will ultimately allow for optimal Azure protection.
