Currently number 2 in the cloud market, just behind Amazon Web Services, the Redmond giant is pursuing its cloud development strategy under the leadership of Satya Nadella.
Indeed, after the acquisition of Cloudyn, and even more recently of Cycle Computing, Microsoft Azure continues to strengthen its orchestration of tasks in the cloud and intends to make Azure the most complete service on the market.
But when it comes to the cloud, security is always cited as the main barrier to adoption. Cloud providers have their share of responsibility, as do the users of their services.
This security responsibility depends on the type of cloud service. The following chart summarizes the division of responsibility between Microsoft and its customers:
To guide companies wishing to migrate their infrastructure to Microsoft Azure, we will discuss the top 10 security best practices to follow.
None of these best practices can secure systems on its own, so they must be used together. As always with security, choose the appropriate options according to your environment and your needs.
Top 10 Microsoft Azure best security practices
1. Use dedicated workstations
Companies often fall victim to cyber attacks because users work with highly privileged accounts while also doing things that can compromise network integrity: checking e-mail and browsing the Internet, for example.
These activities expose them to attacks such as malware or ransomware that could give attackers a foothold in your business. To address this issue, Microsoft has defined Privileged Access Workstations (PAWs).
They provide an operating system dedicated to sensitive tasks and hardened against external attacks. Separating these workstations from everyday-use devices provides strong protection against phishing attacks and against operating system and application vulnerabilities. This approach is part of the Microsoft Azure security best practices, which advocate separating standard user accounts from administrator accounts - and administrator accounts must be nominative (one per named person).
2. Use multi-factor authentication
To secure your Microsoft Azure account, we recommend enabling multi-factor authentication (MFA). MFA is an authentication method that complements the password. It mitigates the risk of an outsider gaining access after a password theft.
Azure Multi-Factor Authentication helps secure access to data and applications while meeting users' demand for a simple sign-in process. It provides strong authentication via several simple checks: phone call, SMS, or mobile application notification. Users can choose the method they prefer.
3. Restrict the administrator access
It is extremely important to secure the accounts that can manage your Azure subscription. Compromising these accounts nullifies all other measures taken to ensure the confidentiality and integrity of your data. Insider attacks are a threat to the overall security of an organization and must be taken into account.
The tasks requiring administrative privileges should be evaluated, as well as how often they are performed, so that privileged access can be restricted during the times when the user performs standard tasks.
Microsoft Azure provides an administration model that avoids unnecessary high-privilege accounts during periods when those rights are not required. Accounts are granted elevated rights for a specified period of time so that administrators can perform their tasks. These rights are removed at the end of the period or when the task is completed.
You can use Privileged Identity Management (PIM) to manage, analyze, and control privileged access in your organization. Users must go through an activation process and are granted administrator rights for a limited time only.
4. Restrict the user access
Using Azure for development and lab environments lets organizations gain agility in testing and development by eliminating the delays of hardware procurement.
The DevOps approach, widely embraced by companies, can unintentionally expose the organization to insider attacks. Indeed, through a lack of Azure knowledge or the desire to speed up adoption, DevOps teams may be too permissive when granting rights. Some users end up with far more access rights than they should have.
The Azure DevTest Labs service uses Azure Role-Based Access Control (RBAC). It allows responsibilities to be divided within a team so that users are granted only the level of access they need to perform their tasks. The service comes with predefined roles (Owner, DevTest Labs User and Contributor). These roles can also be used to assign rights to external partners.
5. Control and limit the network access to Microsoft Azure
Another good Microsoft Azure security practice is protecting systems that are reachable from the Internet. By default, when a new Windows virtual machine is deployed, its RDP port is reachable from the Internet; for a Linux virtual machine, the SSH port is open. Measures must be taken to reduce the risk of unauthorized access.
Microsoft Azure provides Network Security Groups (NSGs) for this purpose. When deploying with Azure Resource Manager, NSGs restrict access from all networks to only the desired entry points (RDP or SSH) and only from the desired sources.
It is also possible to configure a site-to-site VPN from your on-premises network. A site-to-site VPN extends the local network into the cloud. This strengthens the use of network security groups, because they can then be modified to deny access from anywhere outside the local network. It is recommended that you connect to the Azure network via VPN for administration.
Finally, there is the point-to-site option for situations where the administrator wants to manage systems that do not need access to local resources. These systems can be isolated in their own Azure virtual network. Administrators connect through a VPN to the Azure-hosted environment from their administrative workstation.
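As an added example (not code from SecludIT or Microsoft), the following Python script audits the inbound rules of an NSG, in the JSON shape printed by `az network nsg rule list`, and reports rules that leave RDP or SSH open to the Internet, while accepting rules scoped to a specific on-premises prefix reachable over the VPN. The rule set and the 10.20.0.0/16 prefix are constructed sample data, and the shadowing logic for Deny rules is a simplification of Azure's priority evaluation.

```python
# Added example (not SecludIT's or Microsoft's code). Field names follow the JSON
# printed by `az network nsg rule list`; SAMPLE_RULES below are constructed data.
MGMT_PORTS = {22, 3389}                                  # SSH, RDP
PUBLIC_SOURCES = {"*", "internet", "0.0.0.0/0", "any"}   # "from anywhere"

def _mgmt_ports(rule):
    """Management ports (22/3389) covered by the rule's destination port spec."""
    spec = rule.get("destinationPortRanges") or [rule.get("destinationPortRange", "*")]
    hit = set()
    for item in spec:
        if item == "*":
            return set(MGMT_PORTS)
        lo, _, hi = item.partition("-")          # "3389" or "3000-4000"
        lo, hi = int(lo), int(hi or lo)
        hit.update(p for p in MGMT_PORTS if lo <= p <= hi)
    return hit

def _is_public(rule):
    """True if any source prefix means 'anywhere' rather than a specific network."""
    srcs = rule.get("sourceAddressPrefixes") or [rule.get("sourceAddressPrefix", "*")]
    return any(s.lower() in PUBLIC_SOURCES for s in srcs)

def exposed_rules(rules):
    """[(name, [ports])] for inbound Allow rules opening SSH/RDP to the Internet.
    Rules are walked by priority (lower number wins), so a Deny rule that already
    blocks a port from public sources shadows later Allow rules (approximation)."""
    denied, findings = set(), []
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule["direction"] != "Inbound" or not _is_public(rule):
            continue
        ports = _mgmt_ports(rule) - denied
        if rule["access"] == "Deny":
            denied |= ports
        elif ports:
            findings.append((rule["name"], sorted(ports)))
    return findings

SAMPLE_RULES = [  # constructed sample; shape mirrors `az network nsg rule list -o json`
    {"name": "deny-rdp-internet", "priority": 900, "direction": "Inbound", "access": "Deny",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "3389"},
    {"name": "allow-mgmt-any", "priority": 1000, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
    {"name": "allow-ssh-from-vpn", "priority": 1100, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "10.20.0.0/16", "destinationPortRange": "22"},
    {"name": "allow-web", "priority": 1200, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRanges": ["80", "443"]},
]

if __name__ == "__main__":
    print(exposed_rules(SAMPLE_RULES))   # only the wide-open rule, and only port 22
```

In the sample, the Deny rule at priority 900 already blocks RDP from the Internet, so the wide-open rule is reported for SSH only, and the rule limited to the VPN prefix is not reported at all.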
6. Use a key management solution
Secure key management is essential to protect cloud data.
Azure Key Vault enables safe storage of encryption keys and secrets (such as passwords) in hardware security modules (HSMs). For additional assurance, you can import or generate keys directly in the HSMs.
Microsoft processes the keys in HSMs validated to the FIPS 140-2 Level 2 standard. Key usage can be monitored and audited by sending the logs to Azure or to your SIEM (Security Information and Event Management) system for additional threat analysis and detection.
7. Encrypt virtual disks and disk storage
Azure Disk Encryption eliminates the risk of data theft or exposure to unauthorized access when a disk is moved: a disk can otherwise be attached to another system in order to bypass the other security controls. Disk Encryption uses BitLocker on Windows and DM-Crypt on Linux to encrypt the operating system and data drives. Azure Disk Encryption is integrated with Key Vault to control and manage the encryption keys. It is available for standard virtual machines and virtual machines with premium storage.
Azure Storage Service Encryption helps protect data at rest. It is enabled at the storage account level. Data is encrypted as it is written to Azure and decrypted automatically when the user accesses it.
8. Use a centralized security management system
Servers should be monitored for missing patches, configuration, events and activities that may indicate security issues. To address these issues, you can use Azure Security Center. This solution goes beyond the configuration within the operating system: it also analyzes the configuration of the underlying infrastructure, such as the network configuration and the use of virtual appliances.
Azure Security Center continuously evaluates the security status of Azure resources to identify potential vulnerabilities. Its findings, presented as a list of recommendations, help you configure the security controls correctly.
Here are a few examples:
- Providing anti-malware software to identify and remove malware
- Configuring network security groups and rules to control traffic to virtual machines
- Provisioning web application firewalls to protect your web applications against targeted attacks
- Deploying missing system updates
- Fixing operating system configurations that do not follow recommendations
9. Monitor the operating systems security
In an IaaS deployment, the customer remains responsible for managing the operating systems it deploys, just like any other server or workload in its environment. Patching, hardening, rights assignment and other system-maintenance activities are its responsibility. For systems that are closely integrated with your local resources, it may be worthwhile to use the same tools and procedures as on-premises:
- Follow the IaaS provider's security rules
- Install and manage anti-malware software
- Install the latest security updates
- Use a backup solution
- Use a continuous vulnerability detection solution
10. Watch Cloud Workloads security
Applications and services are easy to deploy in a cloud environment, and Azure is no exception to companies' demands for flexibility and availability.
The scale and concentration of cloud workloads attract more and more attackers. Indeed, developers reuse existing code and templates, and they are not familiar with the security best practices of the new cloud services, as our 2011 study on AWS already showed.
The best way to ensure cloud workload security is to use a continuous monitoring solution that checks compliance with the IaaS provider's security rules. Elastic Workload Protector verifies compliance with these rules via an API and classifies risks by criticality according to the exposure level of the IT assets.
This non-exhaustive list of Microsoft Azure security best practices is a solid foundation for an effective security policy. As we have just seen, the checkpoints are numerous and diverse. To meet the security needs of a constantly changing environment, a continuous monitoring solution is necessary. With more than 50 new vulnerabilities discovered per day on average in 2017 and recurring configuration errors, companies must favour preventive security. SecludIT's security experts work in this direction by supporting companies that want to migrate their IT infrastructure to the cloud.
We offer a free trial to monitor the security of your cloud environment and detect your vulnerabilities.