Azure Security Best Practices

November 29, 2016  |  Jake Mosher

Moving applications and workloads to the cloud is a big draw for organizations, primarily due to the favorable economics, ease of deployment, and the flexibility and scale that the cloud provides. Microsoft Azure is one cloud platform seeing rising adoption in the past year.

You may be contemplating moving workloads to Azure, particularly if you are a Microsoft shop. But like most organizations moving to the cloud, you are probably concerned about the security of your Azure environment. In this blog, we will detail some Azure security best practices, and what you should be doing as you make the move to the Azure cloud.

At the outset, you should understand that security in Azure is based on the shared security model, similar to other cloud platform providers. This means that while Azure is responsible for securing its infrastructure, you are responsible for securing your applications and workloads running in Azure.

azure shared security model splits responsibility in cloud

If you think about the cloud continuum going from Infrastructure as a Service (IaaS) to Platform as a Service (PaaS) to Software as a Service (SaaS), as you move towards SaaS on that continuum, you are responsible for more and more of your individual security controls. Therefore, you will need to follow cloud security best practices in Azure, including proper scanning, monitoring, and access control. We will dig into these Azure security best practices, and break them down as follows:

  1. Establish secure access control and account management policies
  2. Configure your Azure virtual machines with security in mind
  3. Scan your Azure virtual systems regularly for vulnerabilities
  4. Monitor your environment for inappropriate or suspicious use
  5. Apply continuously updated threat intelligence to find new and emerging threats

1.Establish secure access control and account management policies

Your Azure account holds the keys to your kingdom. It is extremely important to apply the appropriate security to this account to ensure that your environment is protected. To do this you will need to start by setting up your Azure account properly, following the guidelines that Microsoft provides.

You will need to answer one key question: who in your organization needs access? As a best practice, you should limit access to only those individuals who require it. When access is given to too many people, the security of the account becomes more at risk. So, protect it!

To help further protect your Azure accounts, Microsoft allows you to add multi-factor authentication to all accounts. Make sure you implement this, particularly for administrators and other privileged users.

After you have set up your account and your virtual machines (VM’s), one of the most important things you can do is to have strong account security and access control policies in place. Principal to this is following strong password management practices. Also, good credential management is critical, which is a function of access control. Key to all security strategies, particularly in the cloud, is your organization’s ability to control access to your systems. And access control depends on the proper use of credentials to validate users and applications.

Note that one of the important tools Azure provides is Azure Active Directory (AAD). You can use AAD to sign users into the management portal, to secure access to the Azure management API, and to help with management of users and groups.

Another important point to raise here about the cloud is the access to the management plane that it affords. The management plane is essentially the web interface and the APIs that configure, monitor, and control your cloud environment. If the bad guys get access to the management plane, they essentially have the keys to the kingdom. So, you need to lock it down.

How do you do that?... First, as mentioned above, you should enable multi-factor authentication in your account for all users. You should also be thinking about the use of roles in Azure. The primary role is the account administrator, and you can have only one of those per Azure account. This is the person who signs up Azure subscriptions, and is authorized to access the Account Center in Azure and perform various management tasks. You can create separate co-administrator accounts using the Azure Active Directory. These are for the accounts being used on a daily basis.

Another security best practice you should implement in Azure is Role-Based Access Control (RBAC). Using RBAC, you can control which cloud resources your employees can access and what actions they can perform on those resources. You can also grant only the amount of access that users need to perform their jobs.

2.Configure your Azure virtual machines with security in mind.

You will need to properly set up your Azure virtual machine (VM), depending on your workload or particular use case. Azure provides many available images, including Windows Server (of course), as well as Linux, SQL Server, Oracle, IBM, and SAP. Azure provides step by step guidance for VM’s during the setup process. Don’t forget to create an SSH key pair to enable password-less logins and better security. You should also ensure the root user is disabled. Note that by default, the root user is disabled on Linux VM’s in Azure.

Next, think about reducing your attack surface in Azure. Start off by using the built-in security controls features in Azure, including Azure Security Center. Ensure you are configuring these tools properly. Azure allows Network Security Groups (NSGs), which control traffic to your VM instances. Next, control your access points to Azure. Azure allows multiple access methods, so it’s important to restrict remote access to your VM from a dedicated hardened workstation. And finally, as referenced above, following good credential management practices will further mitigate risk.

3.Scan Your Azure Virtual Systems Regularly for Vulnerabilities

Another Azure security best practice is reducing your vulnerabilities. Typical cloud vulnerabilities result from improperly patched systems, cloud asset misconfigurations, and poorly managed credentials, leading to common attacks such as SQL injections, account and service hijacking, and distributed denial of service (DDoS) attacks. Vulnerabilities in the Azure cloud are no different. You should therefore do basic patch management. You also need to do vulnerability scanning to identify misconfigurations in your Azure environment. Look for tools to help you scan your Azure environment to identify vulnerabilities and misconfigurations. Note that this is not a trivial effort. Scanning cloud assets is not the same as scanning your on-premises and data center infrastructure. There are not a lot of effective tools available. Find one that works in Azure and easily integrates with your other security tools.

4.Monitor Your Environment for Inappropriate or Suspicious Use

Performing basic Azure security monitoring is yet another crucial Azure security best practice. As the Azure security model centers on the shared security approach, Microsoft will monitor their servers and networks. At the application level, Azure provides tools for security monitoring, including Azure Security Center (ASC). Offered as a free or paid service, ASC provides basic security monitoring and policy management across your Azure subscriptions. ASC collects data from your VM’s in order to assess their security state, provide security recommendations, and alert you to threats.

However, these Azure-only tools lack some essential security capabilities. You need to enhance those with additional tools, as you are ultimately responsible for securing your cloud environment. Look for security solutions that are native-built for Azure and provide critical security monitoring capabilities, including vulnerability scanning, intrusion detection, and Security Information Event Management (SIEM).

You can bring your security controls together with a SIEM in the Azure cloud. Effective SIEM integration is a critical component to any effective security program. And integrating Azure logs and data into your existing SIEM tool can be challenging. Azure provides some tools, including Azure Monitor and Azure Log Integration, which enables you to integrate logs from assets deployed in Azure to third party SIEM tools. But you need a comprehensive SIEM for Azure tool that is purpose-built to bring all your data sources together and deliver the visibility you need for effective monitoring and threat detection.

5.Apply Continuously Updated Threat Intelligence to Find New and Emerging Threats

Finally, security of your Azure cloud is not truly possible without effective threat intelligence. Threat intelligence is actionable information your IT team needs to automatically detect threats in your network and prioritize the response to those threats. Some examples of threat intelligence include vulnerability signatures for the latest cloud vulnerabilities and uncovering new threats that are impacting cloud environments. Look for threat intelligence that is easily integrated into your existing security tools.

In conclusion, the Azure cloud is delivering great benefits to organizations, but moving to the cloud takes planning and foresight. Security in the cloud remains a concern for most organizations, and so following some of the Azure security best practices laid out here should steer you in the right direction. Establishing secure access control & account management policies and setting up your VM’s properly is the crucial foundation. Scanning those VM’s regularly for vulnerabilities, and monitoring your Azure environment for inappropriate or suspicious use is critical for threat detection. And finding an effective SIEM tool for Azure while adding in threat intelligence will bring your Azure security program together.

Share this with others

Get price Free trial