In the past few years, we have seen tremendous growth towards businesses adopting cloud-based infrastructure (Infrastructure as a Service – IaaS). Microsoft Azure is one such cloud computing service that is facilitating businesses to start their journey towards cloud adoption. But the world has also seen an unprecedented rise in data breaches, cyber-attacks, and cloud security risks. One of the reasons behind this is the misconception of businesses that they think big company names, like Microsoft, will be securing the resources it hosts, so there will be not much that users have to worry about. Although Azure facilitates a lot when it comes to securing your business resources, still it involves lots of shared responsibilities that also require you to play role in securing your Azure cloud. In this blog, we are listing 9 top-notch security practices for Azure that you must adopt to ensure the effective security of your business assets.
- Use Azure Active Directory to Secure Identity
In this technologically advanced era, the firewall is no longer the network’s first security boundary. The rise of cloud services has slowly made identity a key security element. Due to that, you can find many recommendations from Microsoft regarding using Azure Active Directory to secure identity. Some of the recommendations are as follow:
- There should be a single authoritative source where all identities are centralized. For example, in a scenario of hybrid identity scenario, you should integrate cloud and on-premises directories via Azure Active Directory Connect. It will enable managing identities all at once in one single location, reducing the chances of mistakes and increasing the clarity for stronger security measures.
- Use the Single Sign-On (SSO) feature provided by Azure Active Directory when integrated with on-premises Active Directory. With SSO, you are able to access all cloud and on-premises resources by one identity. It will help in avoiding the need for multiple passwords, which sometimes result in reused or weak passwords.
- Two-step authentication is a highly recommended practice today. Therefore, you should also set up two-step authentication for all the users that have access to Azure.
- Understand Shared Responsibility Model
One of the primary understanding cloud security professionals and other users should have is about the shared responsibility model. You should be well-aware that how responsibilities are divided between Microsoft and Azure user (you). The responsibilities vary based on the type of services accessed from Azure, but one thing is clear that the responsibility for access management and data is totally under the user control. With a proper understanding of the shared responsibility model of Azure, you will be in a better position to properly migrate your business to the cloud, utilize all Microsoft security benefits, and have effective protection of applications, keys, certificates, users, data, services, etc.
- Control Network Access
Network access is one of the crucial protection elements for any data center. In the case of Azure security, controlling network access should be a top priority. For ensuring efficient control of network access, you can carry out the following practices:
- Firewall: The first wall of defense should be a firewall, such as an Azure Firewall or reliable virtual network appliance solution of a third-party. This defense stage will provide you firewall policies, web content filtering, Distributed Denial of Service (DDoS) prevention, vulnerability management (antivirus, application controls, and network anti-malware), and Intrusion Detection and Intrusion Prevention Systems (IDS/IPS).
- Network Security Group (NSG): NSG enables you to filter and control network traffic entering and leaving from Azure resources, subnets, etc. The subnets in Azure Virtual Network are by default free to communicate. With NSG, you can set up different roles or security zones for every subset. This requires that each subnet should be properly configured with NSG. In the case of a virtual server, NSG should be applied to the VMs network interface. It will help to control the network traffic entering and leaving the virtual machine.
- VPN: Don’t expose your system to the internet by using a dedicated WAN connection. Azure provides ExpressRoute and site-to-site VPN to address this effectively.
- Virtual Machine Protection
The protection of server operating systems is still on you and that’s why you should effectively utilize anti-malware and antivirus tools. For this purpose, you can use Microsoft anti-malware and Advanced Threat Protection (ATP) from Windows Defender. Both of these tools integrate with Azure Security Center, enabling to have a single place for all virtual machine security management.
For the virtual machines hosted in Azure, Microsoft requires system updates for them. To facilitate this process, Azure provides an update management solution where Windows VMs updates are applied automatically. Besides that, Azure Security Center also detects and applies missing important updates for VMs.
- Implement Data Encryption
Data encryption gives an extra layer of protection to the data. Therefore, make sure you do data encryption in Azure both at rest and in transit. Depending on the data type and Azure service, the encryption is either enabled by default or you have to manually do it. For example, encryption is attained automatically by default at rest for Managed Disks via Storage Service Encryption for Azure Managed Disks, and Microsoft itself manages the encryption keys in this case. Besides that, you can manually enable Azure Disk Encryption for encrypting a disk containing sensitive data. Similarly, it is also recommended to implement Azure SQL database encryption when using Azure SQL to secure database files.
- Protect Sensitive Data
Sensitive data such as certificates, secrets, and keys are some of the main sensitive data in your Microsoft Azure cloud that need protection all the time. To protect such sensitive data, use Azure Key Vault. Every vault possesses an exclusive access-control list that utilizes role-based access control.
- Use Azure Bastion for VM Connection
Another good security practice is to use Azure Bastion for configuring seamlessly and securing RDP/SSH connectivity to VMs directly over SSL in the Azure portal. This approach removes the requirement of a public IP address.
- Disable RDP & SSH Access
For enhanced security, you should not give Azure VMs access to RDP and SSH from the internet. Even if you want to give RDP and SSH access, there should be a secure dedicated connection, like ExpressRoute or VPN, utilizing Just-in-Time (JIT) VM access. JIT VM access provides multiple benefits, such as easy access to connects VMs using Secure Shell or Remote Desktop, control incoming Azure VMs traffic, decrease exposure to brute force attack, and many other benefits. As per Microsoft, Brute Force attacks belong to the most common attacks category. Just-in-Time (JIT) VM access leverages rules of Network Security Groups (NSGs) to give secure configuration and securely give access to approved users.
- Limit Azure Subscription Owners
Rather a simple but important security practice is that to have a limited number of Azure subscription owners. The ideal limitation approach is that there should be more than 1 Azure subscription owner, but it should not exceed more than 3 owners. There should be 2 trustworthy Azure Administrators (more like product owners) and 1 emergency level account.
There is no second thought on acknowledging the importance and significance of Microsoft Azure for the business sector. It can raise many security concerns if no comprehensive security practices are placed. Therefore, the above listed 9 security practices for Azure are just the primary security practices, and it requires more technical knowledge and expertise to ensure impenetrable security measures for Azure.