- Posted by Vladimir Stefanovic
- On March 23, 2020
- azure security, Microsoft Azure, public cloud
Much like any other public provider of cloud-based or cloud-native services, Microsoft Azure too brings a plethora of advantages, but also a handful of challenges and concerns. These challenges are often pegged to the very process of cloud migration, while the concerns almost always refer to potential security-related issues.
Needless to say, security is a crucial aspect of any cloud-based app, service or infrastructure, which is why properly approaching and tackling all potential security-related pain points is paramount for businesses that have at least one of their components running in the cloud.
Those coming from the cloud computing landscape (or should we say cloudscape) probably already know that the three biggest players on the market – Microsoft Azure, AWS, and Google Cloud – all have a slightly different approach to the services they offer and the audiences they tend to target.
For example, Azure is perhaps more enterprise-oriented, while AWS and Google tend to gravitate more toward the consumer. This is also reflected in the security concerns that Azure users may face and that aren’t likely to pertain to AWS and Google Cloud consumers.
These are usually the following:
- Various types of malware targeting Azure’s identification tools and BLOB storage
- Identity-based attacks
- Relatively weak firewall
- Prone to hacking attacks…
That said, let’s go over 6 of the most common Microsoft Azure security issues and concerns companies are struggling with.
1. Azure Binary Large OBject (BLOB) Storage Tends to Be a Common Hacking Target
Since Microsoft is a familiar ecosystem and Azure a trusted free-to-set-up environment, it has been a slightly more frequent target of hacking attacks than Google Cloud or AWS. Malicious links carrying malware, along with compromised accounts, are a common occurrence within this type of architecture. PDF-based phishing campaigns associated with Azure blob storage hosting have also been taking place.
The reason these attacks are more common with Azure is that the phishing campaigns that are oriented around Azure blob storage tend to be cost-effective, very easy to set up, and overall quite effective in their mission. It is also important to mention that Azure BLOB offers various ways of access protection, including restricting access to an Azure Virtual Network only, setting up Firewall/ACL rules, and implementing a Storage Access Policy and Shared Access Signatures (SAS).
This is why we recommend that anyone utilizing Azure blob storage approach this security concern with raised awareness and even consult Azure experts for best practices in dealing with this kind of attack.
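The access controls mentioned above leave visible traces in a SAS URL, so links that circulate in tickets, scripts or logs can be reviewed mechanically. The following is an added example, not code from the original post: it checks a SAS URL for a stored access policy (`si`), expiry (`se`), HTTPS-only use (`spr`), a source IP restriction (`sip`) and write-type permissions (`sp`). The 24-hour limit, the account name and the signatures are assumptions made for the illustration.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qs

MAX_LIFETIME = timedelta(hours=24)  # assumed policy limit; tune to your own
RISKY_PERMS = set("wdc")            # write, delete, create

def review_sas(url, now):
    """Return findings for one SAS URL; an empty list means nothing to flag."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if "sig" not in q:
        return ["no sig parameter: not a SAS URL"]
    findings = []
    if "si" not in q:
        findings.append("ad hoc SAS: no stored access policy (si), "
                        "cannot be revoked on its own")
    if "se" in q:
        # Assumes the full UTC timestamp form, e.g. 2020-03-24T00:00:00Z.
        expiry = datetime.strptime(q["se"], "%Y-%m-%dT%H:%M:%SZ")
        expiry = expiry.replace(tzinfo=timezone.utc)
        if expiry <= now:
            findings.append("already expired")
        elif expiry - now > MAX_LIFETIME:
            findings.append(f"valid for {(expiry - now).days} more days")
    elif "si" not in q:
        findings.append("no expiry (se) and no policy to supply one")
    if q.get("spr") != "https":
        findings.append("plain HTTP allowed (spr is not https)")
    if "sip" not in q:
        findings.append("no source IP restriction (sip)")
    risky = sorted(set(q.get("sp", "")) & RISKY_PERMS)
    if risky:
        findings.append("grants write-type permissions: " + "".join(risky))
    return findings

# Constructed sample URLs; account, container and signature are placeholders.
NOW = datetime(2020, 3, 23, tzinfo=timezone.utc)
BASE = "https://examplestore.blob.core.windows.net/docs/report.pdf?sv=2019-02-02&sr=b"
WEAK = BASE + "&sp=rwd&se=2021-03-23T00%3A00%3A00Z&sig=CONSTRUCTED"
TIGHT = BASE + "&si=read-policy&spr=https&sip=203.0.113.10&sig=CONSTRUCTED"

if __name__ == "__main__":
    for name, url in (("weak", WEAK), ("tight", TIGHT)):
        print(name, review_sas(url, NOW))
```

A SAS that carries `si` takes its expiry and permissions from the stored access policy on the container, which is why the second URL passes without `se` or `sp`.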
2. Identity-Based Attacks
In today’s public cloud environment, Identity Protection is among the most important aspects of cloud security. This includes:
- Multi-Factor Authentication (MFA) – as a must-have
- Role-Based Access Control (RBAC) – used to define roles and their permissions (active in Azure since 2014 when Azure transformed from an ASM to ARM model)
- Service Principals – for services that need access but do not have a username and password
- Passwordless – as the new model raising a lot of hype lately
As Microsoft identity tools were migrated from its on-premise systems into the cloud, these tools are now being utilized by businesses around Azure. Organizations working with AWS, on the other hand, typically handle identity protection by using the active directory from a CASB (Cloud Access Security Broker) tool, whereas Azure users are most likely to use Microsoft’s identity tools on a company level.
Attack provisioning in Azure is usually done by using the company’s passwords and tenant ID across all sites, which is potentially the main reason why we have been seeing more identity-based attacks against Azure compared to other cloud providers.
The best practice solution for this issue is to create an infrastructure environment that combines both Microsoft’s identity features and a third-party CASB tool that has effective authentication capabilities. CASBs are great for correlation between different types of access taking place across a server, especially in cases where the identity of a user is known.
3. Azure’s Firewall as a Pain-Point
Although Azure’s firewall doesn’t require much work in terms of deployment and configuration, and even though it does provide numerous advantages, there are still certain pain points and limitations that may interest companies that rely solely on Azure’s firewall.
Some of these limitations include:
- IPS Support
- Application rules using Azure Public DNS
- The requirement of Public Internet Access
- Protocol support
- Lack of geoblocking
- Outbound SNAT and Public IP Addresses
- Filtering against specific content
- Missing management capabilities
More information on Azure firewall advantages and limitations is available here.
4. Microsoft Tends to be a Frequent Malware Target
As malware has proven to be a rather easy way of gaining control over a machine, Microsoft’s Windows has been a frequent target of malware-based attacks. To battle this issue, the Azure Security Center provides a built-in anti-malware system, while there’s also room for utilizing third-party anti-malware tools that can help you ward off attacks.
Azure Security Center provides its users with a security overview and best practice security recommendations, but it is not a service that can fully implement protection and overall cloud security. Certain services can be protected via ASC, but it essentially only gives instructions to tools about which action to perform for which service.
5. Azure Cosmos DB Database Service as Attack Target
When it comes to IaaS, numerous deployment aspects in Azure tend to be more IT-centric instead of cloud-centric, which possibly comes as a result of Microsoft’s relationships with traditional enterprises. This led to the data stored within Azure being more private and less accessible over the internet when compared to AWS environments.
However, although network attacks are potentially less likely to happen in Azure, there are certain components – like the Azure Cosmos DB database service – that are frequent targets of hackers, which comes as a result of it being open to the internet. This is why some experts suggest companies shouldn’t keep their sensitive data stored within Azure Cosmos.
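Whether a given Cosmos DB account is actually open to the internet can be read from its resource properties. The following is an added example, not code from the original post: it classifies accounts from their ARM resource JSON using the `publicNetworkAccess`, `ipRules` and virtual network filter properties. The account names, sample data and the /24 threshold are constructed for the illustration.

```python
import ipaddress

WIDE = 256  # assumed threshold: ranges larger than a /24 deserve a second look

def cosmos_exposure(account):
    """Return (level, notes) for one Cosmos DB account given as an ARM resource dict."""
    p = account.get("properties", {})
    if p.get("publicNetworkAccess") == "Disabled":
        return "private", []
    ip_rules = [r["ipAddressOrRange"] for r in p.get("ipRules", [])]
    vnet_on = bool(p.get("isVirtualNetworkFilterEnabled")
                   and p.get("virtualNetworkRules"))
    if not ip_rules and not vnet_on:
        return "open", ["no IP firewall or virtual network filter: "
                        "any address can reach the endpoint"]
    notes = []
    for rule in ip_rules:
        if rule == "0.0.0.0":
            # Entry that stands for "accept connections from within Azure datacenters".
            notes.append("0.0.0.0 admits traffic from any Azure datacenter address")
        elif ipaddress.ip_network(rule, strict=False).num_addresses > WIDE:
            notes.append(f"wide range {rule}")
    return "restricted", notes

def audit(accounts):
    """Map account name to its exposure classification."""
    return {a["name"]: cosmos_exposure(a) for a in accounts}

# Constructed sample resources, shaped like Microsoft.DocumentDB/databaseAccounts.
ACCOUNTS = [
    {"name": "orders-db", "properties": {
        "publicNetworkAccess": "Enabled", "ipRules": [],
        "isVirtualNetworkFilterEnabled": False, "virtualNetworkRules": []}},
    {"name": "hr-db", "properties": {
        "publicNetworkAccess": "Enabled",
        "ipRules": [{"ipAddressOrRange": "0.0.0.0"},
                    {"ipAddressOrRange": "198.51.100.0/22"},
                    {"ipAddressOrRange": "203.0.113.10"}]}},
    {"name": "ledger-db", "properties": {"publicNetworkAccess": "Disabled"}},
]

if __name__ == "__main__":
    for name, (level, notes) in audit(ACCOUNTS).items():
        print(f"{name}: {level} {notes}")
```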
Properly understanding and approaching potential security concerns and limitations that come with Microsoft Azure is a prerequisite to having a strong, stable and highly secure infrastructure. Much like any other cloud-based service, Azure comes with both advantages and vulnerabilities in terms of data and account protection. Being capable of tackling, optimizing and monitoring cloud security should be a critical component of any cloud management process.
In case you still have doubts about Azure security and you are unsure how to approach this important task, we suggest you schedule a call with our cloud security experts and see where your business currently stands with these issues.