Azure Security: A Comprehensive Quick Overview!

Hi Friends,

This week's article provides a brief overview of the security options available in Azure, focusing on the concepts and best practices that Azure administrators and platform engineers can apply.

You may be aware that "security by design is a fundamental principle in Azure; it involves integrating security controls into your solutions right from the design phase."

I appreciate Microsoft's documentation, and this article is grounded in their guidelines, which I have consistently followed in nearly all my projects.

Azure Security Service Map:

Please refer to the security controls and benchmark diagram below, published by Microsoft:

In Azure, services are broadly classified into three categories:

1. Secure & protect

2. Detect threats

3. Investigate and respond

Secure & Protect

This refers to the suite of services that enables you to establish a multi-layered, defense-in-depth strategy spanning identities, hosts, networks, and data.

Microsoft Defender for Cloud:

Use Microsoft Defender for Cloud to reinforce the security of Azure environments and hybrid workloads, ensuring a proactive, 'security by design' approach across all cloud and on-premises environments. It is a key tool for maintaining robust defenses and mitigating threats.

Reference link: Improve security posture

Identity & Access Management:

  • Microsoft Entra ID

Use Microsoft Entra ID to consolidate controls and identities in one place, and treat it as the primary security perimeter.

Checklist:

1. Conditional Access

2. Domain Services

3. Privileged Identity Management

4. Multi-factor authentication

  • Microsoft Entra ID Protection

This is a tool to view, detect, investigate, and remediate identity-based risks. It requires Microsoft Entra ID P2 licenses.

  • Major Security Principles

Ensure that the Azure resources you deploy are secure by design by following the principles below:

1. Use a centralized identity and authentication system - Ensure Azure AD (Microsoft Entra ID) authentication is used to access Azure services via RBAC. Avoid granting access to individual users; add users to AD groups and provision access at the group level.

2. Manage application identities securely and automatically - Use either managed identities or service principals.

  • Managed identities - Use Azure managed identities instead of service principals where possible; they can authenticate to Azure services and resources that support Azure Active Directory (Azure AD) authentication. Managed identity credentials are fully managed, rotated, and protected by the platform, which avoids hard-coded credentials in source code or configuration files.

  • Service principals - The data plane also supports authentication using service principals, but managed identities are recommended where possible.

3. Restrict resource access based on conditions - Conditional Access for the data plane: restrict data plane access using Azure AD Conditional Access policies, such as blocking or granting access from specific locations, blocking risky sign-in behavior, or requiring organization-managed devices for specific applications.

4. Restrict the exposure of credentials and secrets - Service credentials and secrets support integration with, and storage in, Azure Key Vault: store app secrets and credentials in a secure location such as Azure Key Vault instead of embedding them in code or configuration files. Then use a managed identity on your app to access the credentials or secrets stored in Key Vault securely.

5. Follow the just-enough-administration (least privilege) principle - Use Azure Role-Based Access Control (Azure RBAC) to manage access to a service's data plane actions. Grant only the least access required for the task.

6. Determine the access process for cloud provider support - Use Customer Lockbox for Microsoft support access to your data when supporting or troubleshooting issues. Customer Lockbox lets you review, then approve or reject, each of Microsoft's data access requests.

Infrastructure & Network

1. VPN Gateway: Set up and manage the VPN Gateway to ensure secure traffic between Azure and on-premises locations, as well as between Azure virtual networks.

2. Azure DDoS Protection: Enable and configure Azure DDoS Protection for the virtual network to defend against DDoS attacks.

3. Azure Front Door: Set up and manage Azure Front Door to create fast, secure, and scalable web applications.

4. Azure Firewall: Configure and manage Azure Firewall to provide threat protection for cloud workloads running in Azure.

5. Azure Key Vault: Manage Azure Key Vault to securely store and control access to tokens, passwords, certificates, API keys, and other secrets.

6. Key Vault Managed HSM: Manage the Key Vault Managed HSM to safeguard cryptographic keys for cloud applications.

7. Azure Private Link: Set up and manage Azure Private Link to enable access to Azure PaaS services and Azure-hosted customer-owned/partner services over a private endpoint in the virtual network.

8. Azure Application Gateway: Set up and manage Azure Application Gateway to manage traffic to web applications.

9. Azure Service Bus: Manage Azure Service Bus to decouple applications and services from each other.

10. Web Application Firewall: Deploy and manage Web Application Firewall with Azure Application Gateway and Azure Front Door to protect web applications from common exploits and vulnerabilities.

11. Azure Policy: Use Azure Policy to enforce organizational standards and assess compliance at scale.

Data Protection

We should be aware of how to protect data at rest, in transit, and via authorized access mechanisms, including discovering, classifying, protecting, and monitoring sensitive data assets using access control, encryption, key management, and certificate management.

1. Discover, classify, and label sensitive data - Tools such as Microsoft Purview and Azure SQL Data Discovery and Classification can be used to centrally scan, classify, and label sensitive data residing in Azure, on-premises, Microsoft 365, and other locations.

2. Monitor anomalies and threats targeting sensitive data - Use the tools below to monitor anomalies and threats against sensitive data:

  • Azure Information Protection (AIP) to monitor data that has been classified and labeled.

  • Microsoft Defender for Storage, Microsoft Defender for SQL, Microsoft Defender for open-source relational databases, and Microsoft Defender for Cosmos DB to alert on anomalous transfers of information that might indicate unauthorized transfers of sensitive data.

3. Encrypt sensitive data in transit - Encryption of data in transit is enabled for all Azure traffic traveling between Azure datacenters. TLS v1.2 or later is enabled on most Azure services by default, and some services such as Azure Storage and Application Gateway can enforce TLS v1.2 or later on the server side. Protect data in transit against 'out of band' attacks (such as traffic capture) with encryption, so that attackers cannot easily read or modify the data.

  • Set the network boundary and service scope where encryption of data in transit is mandatory inside and outside the network (critical for traffic on external and public networks).

  • Enforce secure transfer in services such as Azure Storage, where a native data-in-transit encryption feature is built in.

  • Enforce HTTPS for web application workloads and services by ensuring that any clients connecting to Azure resources use Transport Layer Security (TLS) v1.2 or later.

  • For remote management of VMs, use SSH (for Linux) or RDP/TLS (for Windows) instead of an unencrypted protocol.

  • For secure file transfer, use the SFTP/FTPS service in Azure Storage Blob, App Service apps, and Function apps, instead of the regular FTP service.

4. Enable data at rest encryption by default - Many Azure services have encryption at rest enabled by default at the infrastructure layer using a service-managed key. These service-managed keys are generated on the customer's behalf and automatically rotated every two years.

Enable encryption at rest wherever it is technically feasible and not enabled by default. This helps ensure that attackers cannot easily read or modify the data.

  • Use the customer-managed key option for encryption at rest when required, but note that this requires additional operational effort to manage the key lifecycle, which may include key generation, rotation, revocation, and access control.
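Items 3 and 4 above translate into a few concrete storage account properties. The script below is an added example, not code from the article or from Microsoft: it audits records shaped like `az storage account list -o json` for secure transfer (`enableHttpsTrafficOnly`), the enforced TLS floor (`minimumTlsVersion`) and, for accounts tagged as holding confidential data, whether a customer-managed key (`encryption.keySource` of `Microsoft.Keyvault`) is in use. The account records are constructed, and the `dataClassification=confidential` tag that decides when a customer-managed key is required is an assumed convention.

```python
"""Audit storage accounts for data-in-transit and data-at-rest settings.

Added example, not from the article. Input shape follows
`az storage account list -o json` (enableHttpsTrafficOnly, minimumTlsVersion,
encryption.keySource, tags); all records are constructed. The tag
`dataClassification: confidential` is an assumed organisational convention.
"""
import json

TLS_RANK = {"TLS1_0": 0, "TLS1_1": 1, "TLS1_2": 2, "TLS1_3": 3}
REQUIRED_TLS = "TLS1_2"                              # the floor item 3 calls for
CMK_TAG = ("dataClassification", "confidential")     # assumed tagging convention

# Constructed sample resembling `az storage account list` output.
SAMPLE_ACCOUNTS = json.dumps([
    {"name": "stlegacy01", "enableHttpsTrafficOnly": False, "minimumTlsVersion": "TLS1_0",
     "encryption": {"keySource": "Microsoft.Storage"}, "tags": {}},
    {"name": "stweb02", "enableHttpsTrafficOnly": True, "minimumTlsVersion": "TLS1_2",
     "encryption": {"keySource": "Microsoft.Storage"}, "tags": {"dataClassification": "public"}},
    {"name": "stpii03", "enableHttpsTrafficOnly": True, "minimumTlsVersion": "TLS1_2",
     "encryption": {"keySource": "Microsoft.Storage"}, "tags": {"dataClassification": "confidential"}},
    {"name": "stpii04", "enableHttpsTrafficOnly": True, "minimumTlsVersion": None,
     "encryption": {"keySource": "Microsoft.Keyvault"}, "tags": {"dataClassification": "confidential"}},
])


def tls_meets_minimum(version):
    """A missing value means the property was never set, so no floor is enforced."""
    return version is not None and TLS_RANK.get(version, -1) >= TLS_RANK[REQUIRED_TLS]


def audit_storage(raw_json):
    """Map account name -> list of issues, for accounts that have any."""
    findings = {}
    for acct in json.loads(raw_json):
        issues = []
        # Item 3: secure transfer forces HTTPS (and SMB encryption) on the account.
        if not acct.get("enableHttpsTrafficOnly", False):
            issues.append("secure transfer (HTTPS only) disabled")
        # Item 3: server-side TLS floor; TLS1_0/TLS1_1 or unset both fail.
        if not tls_meets_minimum(acct.get("minimumTlsVersion")):
            issues.append(f"minimum TLS below {REQUIRED_TLS}")
        # Item 4: at rest is always encrypted; CMK is required only where we tagged it.
        key_source = acct.get("encryption", {}).get("keySource")
        tag_key, tag_val = CMK_TAG
        if acct.get("tags", {}).get(tag_key) == tag_val and key_source != "Microsoft.Keyvault":
            issues.append("confidential data without customer-managed key")
        if issues:
            findings[acct["name"]] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit_storage(SAMPLE_ACCOUNTS).items():
        print(f"{name:<12} {'; '.join(issues)}")
```

The unset `minimumTlsVersion` on `stpii04` is the edge case worth noticing: the export shows `null` rather than a weak value, and an audit that only looks for `TLS1_0` or `TLS1_1` would miss it, which is why the check treats "not set" as "not enforced".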

5. Use a secure certificate management process - Use Azure Key Vault to create and control the certificate lifecycle, including creation/import, rotation, revocation, storage, and purge of certificates.

  • Avoid using self-signed certificates and wildcard certificates in your critical services, due to their limited security assurance.

  • Use only approved CAs, and ensure that known bad root/intermediate certificates issued by these CAs are disabled.

6. Ensure the security of the key and certificate repository - Secure the key vault service used for cryptographic key and certificate lifecycle management.

  • Harden your key vault service through access control, network security, logging and monitoring, and backup, so that keys and certificates are always protected with maximum security.

  • Enable Microsoft Defender for Key Vault for Azure-native, advanced threat protection for Azure Key Vault, providing an additional layer of security intelligence.
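Items 5 and 6 above can both be checked from Key Vault's own metadata. The script below is an added example, not code from the article or from Microsoft: `audit_vault` inspects a record shaped like `az keyvault show -o json` for soft delete, purge protection, Azure RBAC authorization and network exposure, and `audit_certificates` inspects records shaped like `az keyvault certificate show -o json` for self-signed issuance (`policy.issuerParameters.name` of `Self`), wildcard names, and issuers outside an allow-list. The vault and certificate records are constructed, and `APPROVED_ISSUERS` is an assumed organisational allow-list.

```python
"""Audit a Key Vault's hardening settings and its certificate policies.

Added example, not from the article. Shapes follow `az keyvault show -o json`
(properties.enableSoftDelete, enablePurgeProtection, enableRbacAuthorization,
networkAcls.defaultAction, publicNetworkAccess) and
`az keyvault certificate show -o json` (policy.issuerParameters.name,
policy.x509CertificateProperties.subject / subjectAlternativeNames.dnsNames).
All records are constructed; APPROVED_ISSUERS is an assumed allow-list.
"""
import json

APPROVED_ISSUERS = {"DigiCert", "GlobalSign"}   # assumed organisational allow-list

# Constructed vault record: soft delete on, everything else left at weak defaults.
SAMPLE_VAULT = json.dumps({
    "name": "kv-app-prod",
    "properties": {
        "enableSoftDelete": True,
        "enablePurgeProtection": None,        # never set, so purge protection is off
        "enableRbacAuthorization": False,     # legacy vault access policies
        "publicNetworkAccess": "Enabled",
        "networkAcls": {"defaultAction": "Allow", "bypass": "AzureServices"},
    },
})

# Constructed certificate records: one clean, one self-signed, one wildcard.
SAMPLE_CERTS = json.dumps([
    {"name": "api-cert", "policy": {"issuerParameters": {"name": "DigiCert"},
     "x509CertificateProperties": {"subject": "CN=api.contoso.example",
                                   "subjectAlternativeNames": {"dnsNames": ["api.contoso.example"]}}}},
    {"name": "dev-cert", "policy": {"issuerParameters": {"name": "Self"},
     "x509CertificateProperties": {"subject": "CN=dev.contoso.example",
                                   "subjectAlternativeNames": {"dnsNames": []}}}},
    {"name": "wild-cert", "policy": {"issuerParameters": {"name": "GlobalSign"},
     "x509CertificateProperties": {"subject": "CN=*.contoso.example",
                                   "subjectAlternativeNames": {"dnsNames": ["*.contoso.example"]}}}},
])


def audit_vault(raw_json):
    """Return the hardening gaps (item 6) found on one vault record."""
    p = json.loads(raw_json)["properties"]
    gaps = []
    if not p.get("enableSoftDelete"):
        gaps.append("soft delete disabled")
    if not p.get("enablePurgeProtection"):
        gaps.append("purge protection disabled")
    if not p.get("enableRbacAuthorization"):
        gaps.append("using access policies instead of Azure RBAC")
    # Exposure: acceptable if public access is off, or the firewall denies by default.
    public = p.get("publicNetworkAccess", "Enabled") != "Disabled"
    firewall_deny = p.get("networkAcls", {}).get("defaultAction") == "Deny"
    if public and not firewall_deny:
        gaps.append("reachable from any network (no firewall deny / private endpoint)")
    return gaps


def _dns_names(cert):
    """Subject CN plus SAN DNS names; subjects here are plain 'CN=host' strings."""
    x509 = cert["policy"]["x509CertificateProperties"]
    subject = x509.get("subject", "")
    names = [subject[3:]] if subject.startswith("CN=") else []
    return names + x509.get("subjectAlternativeNames", {}).get("dnsNames", [])


def audit_certificates(raw_json):
    """Flag self-signed, wildcard, or non-approved-issuer certificates (item 5)."""
    findings = {}
    for cert in json.loads(raw_json):
        issuer = cert["policy"]["issuerParameters"]["name"]
        issues = []
        if issuer == "Self":
            issues.append("self-signed")
        elif issuer not in APPROVED_ISSUERS:
            issues.append(f"issuer '{issuer}' not approved")
        if any(n.startswith("*.") for n in _dns_names(cert)):
            issues.append("wildcard name")
        if issues:
            findings[cert["name"]] = issues
    return findings


if __name__ == "__main__":
    print("vault gaps:", audit_vault(SAMPLE_VAULT))
    print("certificate findings:", audit_certificates(SAMPLE_CERTS))
```

One caveat for the certificate check: a certificate imported into Key Vault, or issued from a CSR handled outside Key Vault, carries an issuer name of `Unknown` in its policy, so it will be reported as "not approved" here; for those, read the issuer from the X.509 certificate itself rather than from the Key Vault policy.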

Customer Access

Microsoft Entra External ID:

Use Microsoft Entra External ID to provide external individuals with access to your applications and resources.

  • Use Microsoft Entra B2B collaboration for secure sharing of applications and resources with external users.

  • Use Azure AD B2C to support a large user base and handle billions of authentications per day.

Monitor and mitigate security threats such as denial-of-service, password spray, or brute force attacks using Microsoft Defender for Cloud tools.

Detect Threats

As an Azure admin, you can use the services below for threat detection and issue investigation:

Microsoft Defender XDR:

Use this unified defense suite for coordinated detection, prevention, investigation, and response across various elements of your enterprise.

Microsoft Defender for Endpoint:

Leverage this platform to prevent, detect, investigate, and respond to advanced threats on your network.

Microsoft Defender for Identity:

Utilize this cloud-based solution to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions.

Microsoft Entra ID Protection:

Use the automated notification emails to manage user risk and risk detections.

Azure Firewall:

Use Azure Firewall Premium’s IDPS for rapid detection of attacks by looking for specific patterns in network traffic.

Microsoft Defender for IoT:

Use this unified security solution to identify IoT/OT devices, vulnerabilities, and threats, and secure your entire IoT/OT environment.

Azure Network Watcher:

Use this tool to monitor, diagnose, view metrics, and manage logs for resources in an Azure virtual network.

Azure Policy:

Use Azure Policy and its activity logs to enforce organizational standards and assess compliance at-scale.

Microsoft Defender for Containers:

Use this cloud-native solution to secure your containers and maintain the security of your clusters and their applications.

Microsoft Defender for Cloud Apps:

Use this CASB to gain visibility, control data travel, and use sophisticated analytics to identify and combat cyberthreats across all your cloud services.

Investigate & Respond

Next, let's look at the services available for investigation across the Azure landscape:

Microsoft Sentinel:

Use its powerful search and query tools to hunt for security threats across your organization’s data sources.

Azure Monitor logs and metrics:

Utilize this comprehensive solution for collecting, analyzing, and acting on telemetry from your cloud and on-premises environments.

Azure AD reports and monitoring:

Use Microsoft Entra reports for a comprehensive view of activity in your environment and route your Microsoft Entra activity logs to different endpoints.

Microsoft Entra PIM audit history:

Review all role assignments and activations within the past 30 days for all privileged roles.

Microsoft Defender for Cloud Apps:

Use its tools to gain a deeper understanding of what’s happening in your cloud environment.

Reference Links

Keep the following reference link at your fingertips when designing security for your Azure solutions.

Microsoft cloud security benchmark introduction | Microsoft Learn

Conclusion

In my view, by incorporating security from the beginning and leveraging Azure's extensive array of tools, administrators can efficiently defend against threats, protect identities, and sustain a resilient stance in the ever-changing realm of cloud computing.

Adopting Azure's security framework provides strong protection throughout the cloud infrastructure layers.

Enjoy learning and sharing!

Thank You All
