Azure security best practices
Also protect data in flight using TLS (Transport Layer Security). For most Azure services this is enabled by default; otherwise we can enable it ourselves through the 'Secure transfer enabled' setting.
2. Restrict access to the database:
Choose the users and services that may access the database.
Enable the firewall (usually enabled by default for SQL DB) and add the IP addresses that are allowed to access the database. This is suitable for development and test databases.
For a production database, wrap the database in a virtual network and set up a private endpoint link for the services to connect to the database. This shields the data from the outside world.
3. Restrict access to the VMs
In most cases, VMs are accessed over the RDP / SSH ports, and this leads to a security vulnerability. So it is advisable to close these ports when a VM is created.
Instead, deploy the VM in the virtual network and install Bastion. When using Bastion, the VM doesn't need a public IP address, which shields it from the outside world.
4. Protect the application secrets
Use secrets in key vaults, which contain the keys and certificates for the applications.
The services can then connect securely to the key vaults using Azure managed service identity. This allows the applications to connect to Key Vault without using API keys or connection strings.
5. Use a separate Azure subscription for Production
Define different policies for the resources in different subscriptions. Also use role-based access control (RBAC) to restrict user access to the production resources. This can be applied to all Azure resources, including storage accounts, subscriptions, etc.
6. Implement a Web Application Firewall (WAF)
To protect the web application from constant attack, implement a gateway service (like a front door or application gateway) to filter the traffic.
Enable the WAF feature in these services, which detects threats, blocks them and reports them.
7. Use Azure security center
This can be used to detect the security state of each service. It guides us on what should be improved to increase security and how to implement that. It helps you check the security periodically and raises an alert when something requires our attention. It allows us to implement the security directly from the center.
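The checks from practices on TLS, database firewall rules and RDP/SSH exposure can be run over an exported resource inventory. The script below is an added example, not part of the original article; the inventory is constructed sample data, its field names are assumed to match the JSON printed by the Azure CLI, and the 256-address limit is a hypothetical threshold.

```python
import ipaddress

# Constructed sample inventory. Field names follow the JSON printed by the Azure CLI (assumption).
SAMPLE = {
    "storage_accounts": [
        {"name": "stprodlogs", "enableHttpsTrafficOnly": True},
        {"name": "stdevscratch", "enableHttpsTrafficOnly": False},
    ],
    "sql_firewall_rules": [
        {"server": "sql-dev", "name": "office", "startIpAddress": "203.0.113.10", "endIpAddress": "203.0.113.20"},
        {"server": "sql-dev", "name": "open", "startIpAddress": "0.0.0.0", "endIpAddress": "255.255.255.255"},
    ],
    "nsg_rules": [
        {"nsg": "vm-app-nsg", "name": "rdp", "direction": "Inbound", "access": "Allow", "sourceAddressPrefix": "*", "destinationPortRange": "3389"},
        {"nsg": "vm-app-nsg", "name": "mgmt", "direction": "Inbound", "access": "Allow", "sourceAddressPrefix": "Internet", "destinationPortRange": "20-25"},
        {"nsg": "vm-app-nsg", "name": "https", "direction": "Inbound", "access": "Allow", "sourceAddressPrefix": "*", "destinationPortRange": "443"},
    ],
}

ADMIN_PORTS = {22, 3389}                     # SSH and RDP
ANY_SOURCE = {"*", "Internet", "0.0.0.0/0"}  # source prefixes that mean "anyone"
MAX_FIREWALL_SPAN = 256                      # hypothetical limit on addresses per SQL firewall rule

def covers_admin_port(port_range):
    """True if a port spec ("22", "20-25" or "*") includes SSH or RDP."""
    if port_range == "*":
        return True
    lo, _, hi = port_range.partition("-")
    return any(int(lo) <= p <= int(hi or lo) for p in ADMIN_PORTS)

def audit(inv):
    """Return (area, resource, issue) tuples for settings that break the practices above."""
    findings = []
    for sa in inv["storage_accounts"]:
        if not sa.get("enableHttpsTrafficOnly", False):
            findings.append(("storage", sa["name"], "secure transfer (TLS) not enforced"))
    for r in inv["sql_firewall_rules"]:
        first, last = (int(ipaddress.ip_address(r[k])) for k in ("startIpAddress", "endIpAddress"))
        span = last - first + 1
        if span > MAX_FIREWALL_SPAN:
            findings.append(("sql", f'{r["server"]}/{r["name"]}', f"firewall rule allows {span} addresses"))
    for r in inv["nsg_rules"]:
        exposed = r["direction"] == "Inbound" and r["access"] == "Allow" and r["sourceAddressPrefix"] in ANY_SOURCE
        if exposed and covers_admin_port(r["destinationPortRange"]):
            findings.append(("vm", f'{r["nsg"]}/{r["name"]}', "RDP/SSH reachable from any source"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=" | ")
```

The `mgmt` rule is flagged because its range 20-25 includes port 22, a case that a check for exact port numbers would miss.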
Lead Engineer
1 year ago: Thank you for good information
Microsoft Dynamics 365 F&SCM, Azure, Power Platform Technical Architect | 3x Microsoft MVP | 2x Microsoft MCT | MVP Alumni
1 year ago: Thanks for sharing?
Internal Audit, IT/OT Cybersecurity | AI Ops | ICS Security | Big 4 Alum | Lifelong Learner | MBA | MSc Cyber | AZ-104 | AZ-500 | CISM | PMP | CISA | CHIAP | CIA | CFE | CDPSE | CRISC | CRMA
1 year ago: Can't stress enough the importance of Azure security best practices!