Jay Gosar

Microsoft Azure Security - Comprehensive Overview


It’s important to understand the division of responsibility between you and Microsoft. On-premises, you own the whole stack. But as you move to the cloud, some responsibilities transfer to Microsoft.


Microsoft provides a secure foundation across physical, infrastructure, and operational security. Physical security refers to how Microsoft takes a multilayered approach to protect its datacenters. Network infrastructure, firmware and hardware, and continuous testing and monitoring make up the Azure infrastructure. Operational security consists of different security teams at Microsoft that work to mitigate risks across the security landscape.


For all cloud deployment types, you are responsible for protecting the security of your data, identities, on-premises resources, and the cloud components that you control (which vary by service type). Responsibilities that you always keep, regardless of the type of deployment, are:

  • Data

  • Endpoints

  • Account

  • Access Management


Microsoft provides resources to assist you in building and launching cloud-powered applications that help you comply with stringent regulations and standards. Because Azure has more certifications than any other cloud provider, you can deploy your critical workloads to Azure with confidence.


The following practices will help you secure solutions deployed on Microsoft Azure.


Enforce multi-factor authentication for all the users, especially your administrator accounts. Azure Multi-factor Authentication (MFA) helps administrators protect their organizations and users with additional authentication methods.


Organizations that don’t add extra layers of identity protection, such as two-step verification, are more susceptible to credential theft attacks. A credential theft attack can lead to data compromise.


Optimize identity and access management within the organization. Things you can do include:

  • Treat identity as the primary security perimeter.

  • Centralize identity management.

  • Enable single sign-on.

  • Turn on conditional access.

  • Enable password management.

  • Enforce multi-factor verifications for all the users.

  • Use role-based access control.

  • Lower exposure of privileged accounts.

  • Control the locations where resources are created.


Microsoft Entra ID (formerly known as Azure Active Directory) is the Azure solution for identity and access management. Entra ID is a multi-tenant, cloud-based directory and identity management service from Microsoft. It combines core directory services, application access management and identity protection into a single solution.


In a hybrid scenario, we recommend that you integrate your on-premises and cloud directories. Integration enables your IT team to manage accounts from one location, regardless of where the account is created. Integration also helps your users be more productive by providing a common identity for accessing both cloud and on-premises resources.


Enable Single Sign-on

In a mobile-first, cloud-first world, you want to enable single sign-on (SSO) to devices, apps, and services from anywhere so your users can be productive wherever and whenever. When you have multiple identity solutions to manage, this becomes an administrative problem not only for IT but also for users who have to remember multiple passwords.


By using the same identity solution for all your apps and resources, you can achieve SSO. And your users can use the same set of credentials to sign in and access the resources that they need, whether the resources are located on-premises or in the cloud.


Use SSO to enable users to access their SaaS applications based on their work or school account in Azure AD. This is applicable not only for Microsoft SaaS apps, but also other apps, such as Google Apps, Dropbox and Salesforce. As a security control, Azure AD does not issue a token that allows users to sign into the application unless they have been granted access through Azure AD. You can grant access directly, or through a group that users are a member of.


Organizations that don’t create a common identity to establish SSO for their users and applications are more exposed to scenarios where users have multiple passwords. These scenarios increase the likelihood of users reusing passwords or using weak passwords.


Turn on conditional access:

Users can access your organization's resources by using a variety of devices and apps from anywhere. As an IT admin, you want to make sure that these devices meet your standards for security and compliance. Just focusing on who can access a resource isn’t sufficient anymore.


To balance security and productivity, you need to think about how a resource is accessed before you can make a decision about access control. With Azure AD conditional access, you can address this requirement. With conditional access, you can make automated access control decisions—based on conditions—for accessing your cloud apps.


Best practice: Manage and control access to corporate resources.

Solution: Configure Microsoft Entra ID (Azure AD) conditional access based on group, location and application sensitivity for SaaS apps and Azure AD connected apps.


Best practice: Block legacy authentication protocols.

Solution: Attackers exploit weaknesses in older protocols every day, particularly in password spray attacks. Configure conditional access to block legacy protocols.
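As an added example (not part of the original post), the check below inspects Conditional Access policies in the shape returned by the Microsoft Graph conditionalAccessPolicy resource and reports whether any enforced policy actually blocks the two legacy client app types ("exchangeActiveSync" and "other"); the policy objects are constructed sample data, not a real tenant.

```python
# Constructed sample Conditional Access policies (sample data, not a real tenant),
# using the Microsoft Graph conditionalAccessPolicy field names.
LEGACY_CLIENT_APPS = {"exchangeActiveSync", "other"}

POLICIES = [
    {"displayName": "Block legacy auth", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "Report-only legacy block",
     "state": "enabledForReportingButNotEnforced",   # report-only: nothing is blocked
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
]


def blocks_legacy_auth(policy) -> bool:
    """True only if the policy is enforced, targets all users and all apps,
    covers both legacy client app types, and its grant control is 'block'."""
    cond = policy.get("conditions", {})
    grant = policy.get("grantControls") or {}
    return (policy.get("state") == "enabled"
            and "All" in cond.get("users", {}).get("includeUsers", [])
            and "All" in cond.get("applications", {}).get("includeApplications", [])
            and LEGACY_CLIENT_APPS <= set(cond.get("clientAppTypes", []))
            and "block" in grant.get("builtInControls", []))


def legacy_auth_gap(policies):
    """Return (is_covered, partial_policy_names): whether any policy fully blocks
    legacy auth, and which policies touch legacy clients without enforcing a full block."""
    covered = any(blocks_legacy_auth(p) for p in policies)
    partial = [p["displayName"] for p in policies
               if not blocks_legacy_auth(p)
               and set(p.get("conditions", {}).get("clientAppTypes", [])) & LEGACY_CLIENT_APPS]
    return covered, partial


if __name__ == "__main__":
    print(legacy_auth_gap(POLICIES))
```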

Use role-based access control:

Access management for cloud resources is critical for any organization that uses the cloud. Role-based access control (RBAC) helps you manage who has access to Azure resources, what they can do with those resources, and what areas they have access to.


Designating groups or individual roles responsible for specific functions in Azure helps avoid confusion that can lead to human and automation errors that create security risks. Restricting access based on the need to know and least privilege security principles is imperative for organizations that want to enforce security policies for data access.


Your security team needs visibility into your Azure resources in order to assess and remediate risk. If the security team has operational responsibilities, they need additional permissions to do their jobs. You can use RBAC to assign permissions to users, groups, and applications at a certain scope. The scope of a role assignment can be a subscription, a resource group, or a single resource.


Lower exposure of privileged accounts:

Securing privileged access is a critical first step to protecting business assets. Minimizing the number of people who have access to secure information or resources reduces the chance of a malicious user getting access, or an authorized user inadvertently affecting a sensitive resource.


Privileged accounts are accounts that administer and manage IT systems. Cyber attackers target these accounts to gain access to an organization’s data and systems. To secure privileged access, you should isolate the accounts and systems from the risk of being exposed to a malicious user.


If you don’t secure privileged access, you might find that you have too many users in highly privileged roles and are more vulnerable to attacks. Malicious actors, including cyber attackers, often target admin accounts and other elements of privileged access to gain access to sensitive data and systems by using credential theft.
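The RBAC and privileged-access passages above both come down to one question: who holds a privileged role at the widest scope? The script below, an added example that is not part of the original post, classifies ARM scope strings (subscription, resource group, single resource) and lists principals with Owner, Contributor or User Access Administrator at subscription scope; the assignments are constructed sample data in the shape of `az role assignment list` output, not a real subscription.

```python
# Constructed sample role assignments (sample data, not a real subscription).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
ASSIGNMENTS = [
    {"principalName": "alice@contoso.example", "roleDefinitionName": "Owner", "scope": SUB},
    {"principalName": "sec-readers", "roleDefinitionName": "Reader", "scope": SUB},
    {"principalName": "deploy-sp", "roleDefinitionName": "Contributor",
     "scope": SUB + "/resourceGroups/rg-web"},
    {"principalName": "bob@contoso.example",
     "roleDefinitionName": "User Access Administrator", "scope": SUB},
    {"principalName": "app-sp", "roleDefinitionName": "Storage Blob Data Reader",
     "scope": SUB + "/resourceGroups/rg-data/providers/Microsoft.Storage"
                    "/storageAccounts/st1/blobServices/default/containers/logs"},
]

# Roles that can change resources or grant access: the ones to keep rare at broad scope.
PRIVILEGED_ROLES = {"Owner", "Contributor", "User Access Administrator"}


def scope_level(scope: str) -> str:
    """Classify an ARM scope string as managementGroup, subscription, resourceGroup or resource."""
    parts = [p for p in scope.split("/") if p]
    if parts[:2] == ["providers", "Microsoft.Management"]:
        return "managementGroup"
    if "providers" in parts:
        return "resource"
    if "resourceGroups" in parts:
        return "resourceGroup"
    if parts and parts[0] == "subscriptions":
        return "subscription"
    return "unknown"


def privileged_at_subscription(assignments):
    """Principals holding a privileged role at subscription scope (the set to minimise)."""
    return sorted({a["principalName"] for a in assignments
                   if a["roleDefinitionName"] in PRIVILEGED_ROLES
                   and scope_level(a["scope"]) == "subscription"})


def scope_summary(assignments):
    """Count assignments per scope level to show how much access is granted broadly."""
    counts = {}
    for a in assignments:
        level = scope_level(a["scope"])
        counts[level] = counts.get(level, 0) + 1
    return counts


if __name__ == "__main__":
    print(privileged_at_subscription(ASSIGNMENTS), scope_summary(ASSIGNMENTS))
```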


Secure emails, documents and sensitive data:

Azure Information Protection is a cloud-based solution that helps an organization to classify, label, and protect its documents and emails. This can be done automatically by administrators who define rules and conditions, manually by users, or a combination where users get recommendations.


Classification is identifiable at all times, regardless of where the data is stored or with whom it’s shared. The labels include visual markings such as a header, footer, or watermark. Metadata is added to files and email headers in clear text. The clear text ensures that other services, such as solutions to prevent data loss, can identify the classification and take appropriate action.


The protection technology uses Azure Rights Management (Azure RMS). This technology is integrated with other Microsoft cloud services and applications, such as Office 365 and Azure Active Directory. This protection technology uses encryption, identity, and authorization policies. Protection that is applied through Azure RMS stays with the documents and emails, independently of the location—inside or outside your organization, networks, file servers, and applications.


This information protection solution keeps you in control of your data, even when it’s shared with other people. You can also use Azure RMS with your own line-of-business applications and information protection solutions from software vendors, whether these applications and solutions are on-premises or in the cloud.


Control locations where Azure resources are created:

Organizations that are not controlling how resources are created are more susceptible to users who might abuse the service by creating more resources than they need. Hardening the resource creation process is an important step to securing a multitenant scenario.


Use Microsoft Entra ID (Azure AD) for storage authentication:

Azure Storage supports authentication and authorization with Azure AD for Blob storage and Queue storage. With Azure AD authentication, you can use Azure role-based access control to grant specific permissions to users, groups, and applications—down to the scope of an individual blob container or queue.


Use strong network controls:

You can connect Azure virtual machines (VMs) and appliances to other networked devices by placing them on Azure virtual networks. That is, you can connect virtual network interface cards to a virtual network to allow TCP/IP-based communications between network-enabled devices. Virtual machines connected to an Azure virtual network can connect to devices on the same virtual network, different virtual networks, the internet, or your own on-premises networks.


The following sections describe best practices for network security:


Logically segment subnets:

Azure virtual networks are similar to LANs on your on-premises network. The idea behind an Azure virtual network is that you create a network, based on a single private IP address space, on which you can place all your Azure virtual machines. The private IP address spaces available are in the Class A (10.0.0.0/8), Class B (172.16.0.0/12), and Class C (192.168.0.0/16) ranges.


  • Don't assign allow rules with broad ranges (for example, allow 0.0.0.0 through 255.255.255.255).

  • Segment the larger address space into subnets.
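The two rules above can be checked mechanically. The script below is an added example (not part of the original post): it flags inbound NSG allow rules whose source is effectively the whole internet (the 0.0.0.0 through 255.255.255.255 case, the `*` and `Internet` tags, or any CIDR of /8 or wider) and verifies that the subnets carve up the virtual network's address space without overlapping. The VNet, subnets and rules are constructed sample data, not a real environment.

```python
import ipaddress

# Constructed sample data (not exported from a real environment): one VNet,
# three subnets and an inbound NSG rule set using Azure's field names.
VNET_SPACE = "10.0.0.0/16"
SUBNETS = {"web": "10.0.1.0/24", "app": "10.0.2.0/24", "db": "10.0.3.0/24"}
NSG_RULES = [
    {"name": "allow-rdp-any", "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "*", "destinationPortRange": "3389"},
    {"name": "allow-https-internet", "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "Internet", "destinationPortRange": "443"},
    {"name": "allow-app-to-db", "direction": "Inbound", "access": "Allow",
     "sourceAddressPrefix": "10.0.2.0/24", "destinationPortRange": "1433"},
    {"name": "deny-all", "direction": "Inbound", "access": "Deny",
     "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]

BROAD_TAGS = {"*", "Internet", "0.0.0.0/0"}


def is_broad_source(prefix: str, max_prefix_len: int = 8) -> bool:
    """True if a source prefix covers the whole internet or a very large CIDR block."""
    if prefix in BROAD_TAGS:
        return True
    try:
        net = ipaddress.ip_network(prefix, strict=False)
    except ValueError:
        return False  # service tags such as VirtualNetwork are not address ranges
    return net.prefixlen <= max_prefix_len


def broad_allow_rules(rules):
    """Names of inbound Allow rules with an overly broad source; deny rules are fine."""
    return [r["name"] for r in rules
            if r["direction"] == "Inbound" and r["access"] == "Allow"
            and is_broad_source(r["sourceAddressPrefix"])]


def check_segmentation(vnet, subnets):
    """Return (subnets outside the VNet space, overlapping subnet pairs)."""
    space = ipaddress.ip_network(vnet)
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in subnets.items()}
    outside = [n for n, net in nets.items() if not net.subnet_of(space)]
    names = list(nets)
    overlaps = [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
                if nets[a].overlaps(nets[b])]
    return outside, overlaps


if __name__ == "__main__":
    print("broad allow rules:", broad_allow_rules(NSG_RULES))
    print("segmentation issues:", check_segmentation(VNET_SPACE, SUBNETS))
```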


Use virtual network appliances:

Network security groups and user-defined routing can provide a certain measure of network security at the network and transport layers of the OSI model. But in some situations, you want or need to enable security at higher levels of the stack. In such situations, we recommend that you deploy virtual network security appliances provided by Azure partners.


Azure network security appliances can deliver better security than what network-level controls provide. Network security capabilities of virtual network security appliances include:

  • Firewall

  • Intrusion detection/intrusion prevention

  • Vulnerability management

  • Application control

  • Network-based anomaly detection

  • Web filtering

  • Antivirus

  • Botnet protection


Adopt a Zero Trust approach

Perimeter-based networks operate on the assumption that all systems within a network can be trusted. But today’s employees access their organization’s resources from anywhere on a variety of devices and apps, which makes perimeter security controls irrelevant. Access control policies that focus only on who can access a resource are not enough. To master the balance between security and productivity, security admins also need to factor in how a resource is being accessed.


Zero Trust is the next evolution in network security. The state of cyberattacks drives organizations to take the “assume breach” mindset, but this approach shouldn’t be limiting. Zero Trust networks protect corporate data and resources while ensuring that organizations can build a modern workplace by using technologies that empower employees to be productive anytime, anywhere, in any way.


Lock down and secure VM and computer operating systems

In most IaaS scenarios, Azure virtual machines are the main workload for organizations that use cloud computing. This fact is evident in hybrid scenarios where organizations want to slowly migrate workloads to the cloud.


Cyberthreats are evolving. Safeguarding your VMs requires a monitoring capability that can quickly detect threats, prevent unauthorized access to your resources, trigger alerts, and reduce false positives.


To monitor the security posture of your Windows and Linux VMs, use Azure Security Center. In Security Center, safeguard your VMs by taking advantage of the following capabilities:


  • Apply OS security settings with recommended configuration rules.

  • Identify and download system security and critical updates that might be missing.

  • Deploy recommendations for endpoint antimalware protection.

  • Validate disk encryption.

  • Assess and remediate vulnerabilities.

  • Detect threats.


Security Center can actively monitor for threats, and potential threats are exposed in security alerts. Correlated threats are aggregated in a single view called a security incident.


Security Center stores data in Azure Log Analytics. Log Analytics provides a query language and analytics engine that gives you insights into the operation of your applications and resources. Data is also collected from Azure Monitor, management solutions, and agents installed on virtual machines in the cloud or on-premises. This shared functionality helps you form a complete picture of your environment.


Organizations that don't enforce strong security for their VMs remain unaware of potential attempts by unauthorized users to circumvent security controls.


  • Monitor VM performance.

  • Encrypt your virtual hard disks.

  • Restrict direct internet connectivity.

  • Choose a key management solution.

  • Secure databases.

  • Enable database authentication.

  • Secure deployment by using proven DevOps tools (infrastructure as code).


Install a Web Application Firewall

Web applications are increasingly targets of malicious attacks that exploit common known vulnerabilities. SQL injection and cross-site scripting attacks are among the most common. Preventing such attacks in application code can be challenging and may require rigorous maintenance, patching and monitoring at many layers of the application topology. A centralized web application firewall helps make security management much simpler and gives better assurance to application administrators against threats or intrusions. A WAF solution can also react to a security threat faster by patching a known vulnerability at a central location rather than securing each individual web application. Existing application gateways can easily be converted to a web application firewall enabled application gateway.


Web application firewall (WAF) is a feature of Application Gateway that provides centralized protection of your web applications from common exploits and vulnerabilities.


Perform security penetration testing

Validating security defenses is as important as testing any other functionality. Make penetration testing a standard part of your build and deployment process. Schedule regular security tests and vulnerability scanning on deployed applications, and monitor for open ports, endpoints, and attacks.


Next Steps:

It is very important for any organization to check its IT infrastructure regularly, whether on-premises or in the cloud. Regular audits are also necessary to reduce the risk of cyber-attacks.


We at Super Infomatics can help you audit your IT infrastructure and implement the security controls your organization needs. Please email us or call us for a one-to-one discussion.



Thank You!

JG






