Azure (Microsoft® cloud) security explained
The use of Microsoft® Azure and other cloud infrastructures by any organization introduces some risk. Whether you’re merely hosting virtual machines in Azure, utilizing its identity services, or something in between to make your business both highly available and accessible, the exposure of these services to the Internet requires that a high degree of security be in place.
Your investment in Azure should utilize a range of both proactive and reactive security measures layered together to protect, detect, and respond to any attack that may threaten your Azure tenant.
Needed areas of Azure security
Because your Azure environment could potentially be exposed to the Internet, it’s essential to have proper controls in place to protect the entirety of your Azure tenant. Network firewalls, virtual network-level security, and the other fundamental security services that protect your Azure tenant are critical.
Continuous monitoring and management
Thwarting attacks requires visibility into any changes that may impact security tenant-wide. A central means of updating any aspect of an Azure tenant is necessary to ensure the environment is as protected as possible.
Threat protection and remediation
The ability to identify threats as they occur is a primary need for Azure tenants. Both threat detection and intrusion detection are necessary parts of the strategy. Additionally, visibility and context into threats are needed to remediate attacks properly.
Web-facing applications – whether in Azure or not – are often the target of Distributed Denial of Service (DDoS) attacks, designed to exhaust server resources and, effectively, shut down the application. Azure-hosted applications must be protected through automatic detection and mitigation of DDoS attacks, providing for application availability.
Valuable data can take many forms and reside just about anywhere in your Azure tenant. So, it’s necessary to understand where data that needs to be protected resides. Whether that data is at rest or in transit, it’s critical that your data is encrypted and protected at all times.
Identity and access control
Azure implementations can give employees, contractors, partners, and customers alike access to the applications and resources they need. A central and reliable means of identity is required, along with the ability to maintain consistent levels of security with any on-premises counterpart networks.
Virtual machines (VMs) within Azure still require the assessment and remediation of the same levels of vulnerabilities as an on-premises system. Virtual resources within Azure need to be as up-to-date on their security configuration and patching as possible.
What security tools are available?
Secure infrastructure – Microsoft aims to provide for the security of your Azure environment using several controls, including the following examples. Each customer resides in a segregated virtual network. Network-level access control is achieved through Network Security Groups (NSGs), with VMs and NSGs managed in the Azure Security Center. Forced tunneling ensures that traffic follows only User Defined Routes. Azure Firewall is a fully stateful firewall that protects Azure virtual network resources.
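As an added example (not code from this page or from Microsoft), the following Python check evaluates a constructed, simplified set of NSG inbound rules in priority order, the way an NSG does, and reports which management ports (SSH 22, RDP 3389) a rule set leaves reachable from the Internet. It models only priority, access, source and destination ports; protocol and source ports are assumed to match, and the rule names and addresses are constructed sample data.

```python
from dataclasses import dataclass

MGMT_PORTS = (22, 3389)                            # SSH and RDP, the usual "open management port" finding
INTERNET_SOURCES = {"*", "Internet", "0.0.0.0/0"}  # sources that include arbitrary Internet hosts

@dataclass
class Rule:
    name: str
    priority: int        # lower number is evaluated first, as in a real NSG
    access: str          # "Allow" or "Deny"
    source: str          # address prefix or service tag
    dest_ports: str      # "*", "22", "1-1024" or a comma-separated list

def port_match(spec: str, port: int) -> bool:
    """True if `port` is covered by a destination port spec such as '*', '3389' or '1-1024'."""
    for part in spec.split(","):
        part = part.strip()
        if part == "*":
            return True
        if "-" in part:
            lo, hi = (int(p) for p in part.split("-", 1))
            if lo <= port <= hi:
                return True
        elif int(part) == port:
            return True
    return False

def internet_access(rules: list[Rule], port: int) -> str:
    """Verdict for an inbound packet from an arbitrary Internet address to `port`:
    the first matching rule by priority wins, and the implicit DenyAllInbound applies otherwise."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.source in INTERNET_SOURCES and port_match(rule.dest_ports, port):
            return rule.access
    return "Deny"

def exposed_management_ports(rules: list[Rule]) -> list[int]:
    """Management ports that the rule set leaves reachable from the Internet."""
    return [p for p in MGMT_PORTS if internet_access(rules, p) == "Allow"]

# Constructed inbound rule set: a broad SSH allow sits ahead of the deny meant to block it.
WEAK_RULES = [
    Rule("AllowRDPFromOffice", 100, "Allow", "203.0.113.0/24", "3389"),
    Rule("AllowAnySSH", 200, "Allow", "*", "22"),
    Rule("DenyMgmtFromInternet", 300, "Deny", "Internet", "22,3389"),
    Rule("AllowHTTPS", 400, "Allow", "Internet", "443"),
]
# Same rules with the deny moved ahead of the broad allow (priority 150), which closes port 22.
HARDENED_RULES = [Rule(r.name, 150 if r.name == "DenyMgmtFromInternet" else r.priority,
                       r.access, r.source, r.dest_ports) for r in WEAK_RULES]
```

Running `exposed_management_ports` over the two sets shows why rule order, not just the presence of a deny, decides exposure: the weak set leaves port 22 open, the hardened set leaves none.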
Data security – Data can be protected at rest in many ways. Azure Information Protection classifies, labels, and provides for the security of documents and email stored in Azure. Azure Disk Encryption helps to protect VMs through the encryption of Windows and Linux IaaS VM disks. Data in transit can be protected using Azure VPN Gateway to create point-to-site and site-to-site VPNs. Azure Key Vault safeguards the cryptographic keys and secrets that cloud applications and services use.
Continuous monitoring and management – Azure’s Security Center plays a significant role in providing visibility into environmental changes that may impact the organization’s security. The Network Map offers continuous monitoring of the security status of your network. Secure Score prioritizes security tasks, with security recommendations made across all of your Azure investments to better safeguard subscriptions, servers, computers, VMs, container hosts, and more.
Vulnerability management – Both the Azure Security Center and Windows Defender Advanced Threat Protection help to discover and prioritize vulnerabilities and misconfigurations across a tenant, with the latter also assisting with automatic remediation of identified vulnerabilities.
Identity and access management – Azure Active Directory (Azure AD) serves as the basis for directory services, application access management, and identity protection for Azure resources, covering employees in the cloud, employees on-premises (via Azure AD Connect, which syncs with on-premises AD), as well as cloud-based customers.
DDoS mitigation – Azure DDoS Protection detects and responds to frequent network-level DDoS attacks to help minimize the impact of an attack designed to exhaust an application’s resources. Azure customers can access Azure DDoS Protection Basic for free, with a Standard tier of service to protect Azure Virtual Network resources (such as Azure Load Balancer and Azure Application Gateway) at an additional cost.
Threat protection – Microsoft offers several solutions to address the varying needs of Azure customers. Antimalware for Azure offers real-time identification and removal of viruses, spyware, and malware. Windows Defender Advanced Threat Protection offers protection against network-based attacks. Larger customers with internal security staffing can also take advantage of investigative alerts and built-in tools to remediate sophisticated threats. What’s missing is intrusion detection capabilities.
Penetration testing – This is a needed component for any cloud-based infrastructure. While Microsoft does not perform any regular penetration testing on behalf of their customers, they do provide formal rules of engagement for third parties to perform penetration testing against a customer’s own tenant.
Best practices for Azure security
Providing for Azure security involves a layered strategy tailored to the Azure services used, and the resultant risk created. Consider the following high-level best practices.
Understand your role in security
As with nearly all public cloud vendors, Azure uses a shared responsibility model where Microsoft takes responsibility for providing the underlying security services (described above under security tools), with you taking responsibility for monitoring and responding to security threats.
Take advantage of visibility
Azure provides visibility into insecure configurations within nearly all of an environment. This level of provided detail offers contextual insight into what parts of the environment need attention while providing an overarching view of your organization’s security stance within Azure.
Understand your risk footprint
The risk of Azure lies in the potential for your data, systems, and applications to be exposed and, therefore, exploited by attackers. So, it’s critical to perform a risk assessment to fully understand what aspects of your Azure environment may be exposed, and what security services may be needed to protect your Azure investment.
Think layered security
Cyber threats are evolving daily at a rate no single organization can keep up with. Utilize solutions from Microsoft and other vendors that establish a layered approach to security, which provides for the highest level of protection against attacks seeking to compromise accounts, commit fraud, or steal data.
This document is provided as a general informational overview. Mention of third-party products or services is not an endorsement of the same.