- Posted by Vladimir Stefanovic
- On March 6, 2020
- azure security, Microsoft Azure
In 2020, it is no secret (nor a surprise) that the adoption of the Infrastructure-as-a-Service (IaaS) model makes for the fastest-growing public cloud component currently on the market. According to Gartner, “the worldwide public cloud services market is forecast to grow 17% in 2020 to total $266.4 billion, up from $227.8 billion in 2019.”
Somewhat expectedly, the growth of IaaS adoption comes with a rise in attacks, breaches and overall cloud security risks. For instance, Microsoft’s Security Intelligence Report for the year 2017 showed a 300% year-over-year increase in attacks against Azure, with more than 30% of those attacks coming from China.
Now, though we do not want to alarm you too much with these numbers, we DO want to address and stress the importance of mitigating potential cloud security risks and keeping your corporate data, as well as your clients’ information, as protected as possible.
Prominent IaaS providers such as Microsoft Azure feature top-tier security models that always stay ahead of the curve, which is critical for companies and corporations that deem security one of their top priorities. However, as the tool is only as effective as the person handling it, we would like to tackle some of the most relevant Microsoft Azure security best practices that would bring your cloud security management game to the highest level possible.
1. Be Sure to Properly Understand Azure’s Shared Responsibility Model
Having a firm grasp of how responsibilities are divided between you (the user) and Microsoft is a paramount prerequisite for any company operating in the cloud. Although this division varies depending on the type of Azure service, the user is essentially the one who controls, and is responsible for, the data and its access management.
Below is Azure’s shared responsibility matrix depending on the services and the cloud model:
(Source: Microsoft Azure)
Only when you completely understand how Azure’s shared responsibility model operates, will you be able to:
- Properly move your business to the cloud
- Leverage all the security benefits that come with Microsoft as your cloud provider of choice
- Fully protect your applications, services, data, users, keys, certificates, corporate secrets, etc.
Since we are not going to delve deep into this topic in this very article, we suggest checking out Microsoft’s white-paper on Shared Responsibilities for Cloud Computing where you can find all the necessary information.
2. Virtual Machine Security Tips
Make sure the following parameters are set for your VMs:
→ Set ‘OS Vulnerabilities’ to ON – this analyzes OS configurations on a daily basis in order to detect potential security issues capable of rendering the VM susceptible to attacks.
→ Set ‘Endpoint Protection’ to ON – enabling this setting allows endpoint protection provisioning for all Windows virtual machines which helps with virus/spyware identification and removal.
→ Set ‘JIT Network Access’ to ON – enabling this setting allows the Security Center to lock down inbound traffic coming to VMs and does it via network security group rules. This reduces attack exposure and provides an easy connection to VMs when needed. Note: more on JIT access in section number 7 of this article.
3. Take Care of Identity-Related Security Issues via Azure Active Directory
With the advent of cloud services, identity has slowly but surely become one of the crucial security perimeters. With this in mind, Microsoft Azure addressed the issue via several recommendations that tackle the ways of securing identity via Azure Active Directory.
Here are several identity-focused Azure Security best practices that Microsoft emphasized:
→ Centralize identity into a single authoritative source – for example, in a hybrid identity scenario, Azure recommends integrating on-premises and cloud directories through Azure Active Directory Connect. This allows identity to be managed once and in one location, boosting clarity and transparency while reducing security risks and configuration complexity at the same time.
→ Use the Single Sign-On (SSO) option provided by Azure Active Directory – this option allows for single-identity access to all required resources and therefore obviates the need for having multiple/weak/reused passwords.
→ Implement the Two-Step Multi-Factor Authentication – do this for all users that have any level of access to Microsoft Azure and you will increase overall security and protect Azure resources without hindering seamless SSO.
4. Control Network Access With a 3-Layer Protection Approach
Thoroughly controlling network access should be among your top-priority Azure security best practices. We recommend utilizing the 3-layer approach across your protected resources, and these layers involve:
a) Firewall – Azure Firewall is the first line of defense (it could also be a third-party virtual network appliance solution) and it includes the following:
- Firewall policies
- DDoS prevention
- Intrusion Detection and Intrusion Prevention Systems (IDS/IPS)
- Web Content Filtering
- Vulnerability Management (Network Anti-Malware, Application Controls, Antivirus)
b) Applying NSG to the subnet – Using Network Security Groups allows you to filter the traffic that is going both to and from your Azure resources within a virtual network, therefore preventing undesired traffic happening within an Azure subnet. As all Azure VNet subnets are able to communicate with one another, controlling network access through NSG utilization lets you establish different security roles and zones for the subnets.
Bonus Tip: Avoid using a dedicated WAN connection to expose your systems to the internet, as Microsoft Azure offers site-to-site VPN, as well as ExpressRoute.
5. Find the Sweet Spot with the Number of Subscription Owners
This one is quite simple – the general rule of thumb with the number of Azure subscription owners is that there should be more than one, but not more than three users with owner permissions. The best practice scenario here is to have:
- Two product-owner-level Azure Administrators
- One emergency-level account
6. Use Data Encryption (for Data Both at Rest & in Transit)
Depending on the type of Azure service and type of data, encryption is either automatically or manually enabled. For example, encryption of data at rest for Managed Disks is activated by default via encryption keys managed by Microsoft, while Azure Disk Encryption needs to be activated manually.
We recommend using encryption as it will protect any data and drives that harbor sensitive company or client information. Also, make sure you implement Azure SQL database transparent data encryption so your database files on disk remain secure as well.
7. Disable RDP & SSH Access to VMs
Disabling Remote Desktop Protocol (RDP) and Secure Shell (SSH) access to your Azure virtual machines is definitely among the Microsoft Azure security best practices you should consider. Our Super Admins team recommends providing RDP and SSH via a dedicated connection using a more secure JIT (Just-in-Time) VM access.
Enabling just-in-time virtual machine access allows for better control of inbound traffic coming to Azure VMs. It provides a smooth connection to VMs via RDP and SSH, while it also reduces exposure to brute force attacks – perhaps the most common breach attempts that take place across Azure. JIT-enabled VM access uses NSG rules to make sure that only approved users are granted access and that the configuration stays secure.
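One way to check for the exposure described above, as an added example that is not part of the original article: the script evaluates a network security group's inbound rules in priority order and reports when SSH (22) or RDP (3389) is allowed from any internet source. The rules are constructed samples whose field names follow the Azure NSG security rule schema; `exposed_management_ports` and its helpers are hypothetical names, and only TCP (or any-protocol) rules are considered.

```python
MGMT_PORTS = {22: "SSH", 3389: "RDP"}
INTERNET_SOURCES = {"*", "internet", "0.0.0.0/0"}

def _values(rule, single, plural):
    """Merge the singular and plural form of an NSG rule field."""
    vals = list(rule.get(plural) or [])
    if rule.get(single):
        vals.append(rule[single])
    return vals

def _covers_port(spec, port):
    """True if a port spec such as '*', '22' or '3000-4000' includes port."""
    low, _, high = ("0-65535" if spec == "*" else spec).partition("-")
    return int(low) <= port <= int(high or low)

def exposed_management_ports(rules):
    """(port, service, rule) where the deciding internet-wide rule is Allow."""
    inbound = [
        r for r in rules
        if r["direction"].lower() == "inbound"
        and r["protocol"].lower() in ("tcp", "*")
        and any(s.lower() in INTERNET_SOURCES
                for s in _values(r, "sourceAddressPrefix", "sourceAddressPrefixes"))
    ]
    inbound.sort(key=lambda r: r["priority"])  # lowest number is evaluated first
    findings = []
    for port, service in MGMT_PORTS.items():
        for r in inbound:
            ports = _values(r, "destinationPortRange", "destinationPortRanges")
            if any(_covers_port(p, port) for p in ports):
                if r["access"].lower() == "allow":
                    findings.append((port, service, r["name"]))
                break  # first match decides; later rules are ignored
    return findings

# Constructed sample rules (not taken from a real subscription).
FIELDS = ("name", "priority", "access", "sourceAddressPrefix", "destinationPortRange")
SAMPLE_RULES = [
    dict(zip(FIELDS, row), direction="Inbound", protocol="Tcp") for row in [
        ("deny-rdp-internet", 100, "Deny", "Internet", "3389"),
        ("jit-admin", 150, "Allow", "203.0.113.10", "22"),
        ("allow-wide-range", 200, "Allow", "0.0.0.0/0", "3000-4000"),
        ("allow-ssh-any", 300, "Allow", "*", "22"),
    ]
]

if __name__ == "__main__":
    print(exposed_management_ports(SAMPLE_RULES))
```

In the sample, the rule scoped to a single source address (the shape a JIT grant takes) is not flagged, and the wide `3000-4000` range only becomes an RDP finding if the higher-priority deny rule is removed.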
Use Azure Bastion to Connect to a VM
We also recommend utilizing Azure Bastion to configure seamless and secure RDP/SSH connectivity to your Azure VMs directly in the Azure portal over SSL. This connection obviates the need for a public IP address.
8. Protect Your Sensitive Data (Keys/Secrets/Certificates)
Making sure your company’s sensitive data is properly secured is certainly among the most critical Azure security best practices. We recommend using Azure Key Vault for this purpose as it will ensure the certificates, cryptographic keys and secrets that are being deployed by Azure’s apps and services are protected. Azure Key Vault makes sure each vault uses role-based access control (RBAC), so that every vault has its own access control.
Ensuring top-tier security and protection of your data, projects, and services in the cloud may cause convoluted and unique challenges. However, if you approach this task granularly and properly understand and deploy Azure security best practices, your business will achieve a strong, streamlined, cost-effective, and safe infrastructure.
If you still don’t feel like you have a firm grasp of Microsoft Azure security, feel free to contact our team of experts.