Day 35: Azure Az-900: How to Secure your resources on Cloud?

The goal of defense-in-depth is to safeguard information and prevent unauthorised access. This strategy uses multiple layers of protection to slow down attacks and provide alerts that security teams can act on, whether automatically or manually. Because it does not rely on a single layer of security, the approach protects data comprehensively.

Visualising Defense-in-Depth

Think of defense-in-depth as a series of layers, with the data at the centre and each layer providing a shield to protect it. Here are the key layers:

  1. Physical Security
  2. Identity and Access Management
  3. Perimeter Security
  4. Network Security
  5. Compute Security
  6. Application Security
  7. Data Security

Each layer has a specific role in protecting your data and systems. If one layer is compromised, the next layer helps prevent further intrusion.

The Role of Each Layer

Physical Security

Physical security is the first line of defence, protecting the hardware in data centres. This includes controlling access to buildings and equipment to prevent unauthorised physical access.

  • Access Control: Secure entry points using biometric scanners, key cards, and security guards to ensure only authorised personnel can access sensitive areas.
  • Surveillance: Continuous monitoring through CCTV cameras to detect and record any suspicious activities.
  • Environmental Controls: Measures such as fire suppression systems, climate control, and backup power supplies to protect hardware from environmental hazards.

Identity and Access Management

This layer ensures that only authorised identities can access infrastructure and data.

  • Authentication: Implement strong authentication mechanisms like Multi-Factor Authentication (MFA) to verify user identities.
  • Authorisation: Use Role-Based Access Control (RBAC) to ensure users have access only to the resources necessary for their roles.
  • Monitoring and Logging: Keep detailed logs of access attempts and changes to detect and respond to suspicious activities.

Perimeter Security

The perimeter layer defends against large-scale network attacks.

  • DDoS Protection: Utilise Distributed Denial of Service (DDoS) protection to absorb and mitigate large-scale attacks aimed at overwhelming network resources.
  • Perimeter Firewalls: Deploy firewalls at the network edge to filter incoming and outgoing traffic, blocking malicious activities and alerting administrators of potential threats.

Network Security

Network security focuses on limiting communication between resources to what is necessary.

  • Segmentation: Divide the network into smaller, isolated segments to limit the spread of attacks and contain breaches.
  • Access Controls: Implement access control lists (ACLs) and network security groups (NSGs) to restrict traffic to and from critical resources.
  • Encryption: Use encryption protocols like TLS and VPNs to secure data in transit across the network.

Compute Security

Securing virtual machines and keeping systems patched is crucial to this layer.

  • Endpoint Protection: Deploy antivirus and anti-malware software on all endpoints to detect and remove malicious software.
  • Patch Management: Regularly update and patch systems to protect against known vulnerabilities.
  • Access Controls: Ensure that access to virtual machines and compute resources is tightly controlled and monitored.

Application Security

This layer integrates security into the development lifecycle to minimise vulnerabilities in applications.

  • Secure Coding Practices: Follow secure coding guidelines to prevent common vulnerabilities such as SQL injection and cross-site scripting (XSS).
  • Application Firewalls: Use Web Application Firewalls (WAFs) to protect applications from external threats and attacks.
  • Secret Management: Store sensitive information such as API keys and passwords securely, using tools like Azure Key Vault.

Data Security

Data security is focused on protecting business and customer data.

  • Encryption: Encrypt data at rest and in transit to prevent unauthorised access during storage and transmission.
  • Access Controls: Implement fine-grained access controls to restrict who can access and modify data.
  • Data Loss Prevention (DLP): Use DLP tools to monitor and protect sensitive data, preventing accidental or malicious data leaks.

Using multiple layers of security reduces the risk of a successful attack and provides multiple opportunities to detect and respond to threats. Azure’s extensive security tools and features support each layer of the defense-in-depth model, helping you build a secure and resilient infrastructure.

Azure Defender

Azure Defender is a robust security solution offered by Microsoft, designed to provide advanced protection for both Azure and on-premises workloads. Accessible through the Azure Security Center, Azure Defender integrates a suite of tools to enhance your security posture. Let’s delve into the various aspects and functionalities of Azure Defender.

Key Components of Azure Defender

Azure Defender is composed of several core components, each serving a unique function to secure your resources:

Coverage:

Azure Defender provides protection for various resource types within your subscription, including virtual machines, Kubernetes services, container registries, app services, SQL servers, key vaults, and storage accounts. This ensures that a wide range of resources are monitored and secured.

  • Azure-Native Service: Many Azure services are automatically monitored and protected without needing extra deployment.
  • Hybrid and Multi-Cloud Support: For non-Azure environments, Defender for Cloud uses Azure Arc to extend its capabilities, ensuring comprehensive security coverage.

Security Alerts:

Security alerts offer detailed information about affected resources and provide remediation steps. In some cases, you can trigger automated responses using Logic Apps. This feature helps maintain a proactive security stance by addressing issues as they arise.

Insights:

Azure Defender includes a rolling pane that displays news, suggested readings, and high-priority alerts relevant to your subscription. These insights help keep you informed about pressing security matters and emerging threats.

Advanced Protection:

Azure Defender offers advanced security features driven by analytics, such as:

  • VM Vulnerability Assessments
  • Just-In-Time VM Access
  • Adaptive Application Control
  • Container Image Scanning
  • Adaptive Network Hardening
  • SQL Vulnerability Assessment
  • File Integrity Monitoring
  • Network Map
  • IoT Security

These features provide comprehensive protection, ensuring that vulnerabilities are identified and mitigated promptly.

Scope of Azure Defender

Azure Defender covers a broad range of Azure resources with specialised plans for each type. When you activate Azure Defender, all these plans are enabled, providing comprehensive security coverage. The supported resources include:

  • Servers
  • App Services
  • Storage
  • SQL
  • Kubernetes
  • Container Registry
  • Key Vault
  • Resource Manager
  • DNS
  • Open Source Relational Databases

Each plan offers tailored security measures to address the specific risks associated with these resources.

Protection everywhere you’re deployed

Azure PaaS Services

Threat Detection: Defender for Cloud is designed to detect threats targeting Azure Platform as a Service (PaaS) offerings. This includes services like Azure App Service, Azure SQL, and Azure Storage Account. The integration with Microsoft Defender for Cloud Apps (formerly known as Microsoft Cloud App Security) enables anomaly detection on your Azure activity logs. This helps in identifying suspicious activities that could indicate potential threats.

Anomaly Detection: By leveraging anomaly detection capabilities, Defender for Cloud can monitor unusual patterns in your Azure activity logs. This proactive approach ensures that threats are detected early, allowing for timely intervention.

Azure Data Services

Defender for Cloud provides automatic data classification capabilities for Azure SQL databases. This helps in identifying and categorising sensitive data, ensuring that it is appropriately protected.

Additionally, Defender for Cloud offers vulnerability assessments for Azure SQL and Storage services. These assessments provide insights into potential security weaknesses and offer recommendations for mitigating risks.

Along with detecting vulnerabilities, Defender for Cloud provides actionable recommendations to address identified risks. This ensures that your data services are not only protected but also continuously improved based on the latest security best practices.

Network Security

One of the key features of Defender for Cloud is its ability to limit exposure to brute force attacks. By implementing just-in-time (JIT) virtual machine (VM) access, you can significantly reduce the risk of unauthorised access to your network.

JIT access allows you to configure secure access policies on selected ports. This ensures that only authorised users can access these ports, from allowed source IP address ranges or specific IP addresses, and for a limited period.

By setting secure access policies, you can control who has access to your VMs and under what conditions. This includes specifying the allowed IP addresses and the duration for which access is granted. Such granular control helps in minimising the attack surface and enhancing overall network security.
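The three conditions described above (a port covered by the policy, an allowed source IP or range, and a bounded duration) can be modelled as a small policy check. This is an added example, not code from the article or from Azure; the field names follow the shape of Azure's JIT policy resource as an assumption, and the sample policy values are constructed.

```python
# Added example (not from the article, not Azure's own code): a small model
# of a just-in-time VM access policy and the check a request must pass.
# The field names (number, protocol, allowedSourceAddressPrefix,
# maxRequestAccessDuration) mirror Azure's JIT policy resource as an
# assumption; the evaluator itself is illustrative.
import ipaddress
import re
from datetime import timedelta

# Constructed sample policy: SSH from one admin range, RDP from one host.
JIT_POLICY = {
    "ports": [
        {"number": 22, "protocol": "TCP",
         "allowedSourceAddressPrefix": ["203.0.113.0/24"],
         "maxRequestAccessDuration": "PT3H"},
        {"number": 3389, "protocol": "TCP",
         "allowedSourceAddressPrefix": ["198.51.100.7"],
         "maxRequestAccessDuration": "PT1H"},
    ]
}

def parse_iso_duration(value):
    """Parse the subset of ISO 8601 durations JIT policies use (PTnHnM)."""
    m = re.fullmatch(r"PT(?:(\d+)H)?(?:(\d+)M)?", value)
    if not m or not any(m.groups()):
        raise ValueError(f"unsupported duration: {value}")
    hours, minutes = (int(g) if g else 0 for g in m.groups())
    return timedelta(hours=hours, minutes=minutes)

def source_allowed(source_ip, prefixes):
    """A prefix may be a single IP, a CIDR range, or '*' (any source)."""
    ip = ipaddress.ip_address(source_ip)
    return any(p == "*" or ip in ipaddress.ip_network(p, strict=False)
               for p in prefixes)

def evaluate_request(policy, port, source_ip, requested):
    """Return (granted, reason). Access is denied by default: only a port in
    the policy, from an allowed source, for no longer than that port's
    maximum duration, is granted."""
    for rule in policy["ports"]:
        if rule["number"] != port:
            continue
        if not source_allowed(source_ip, rule["allowedSourceAddressPrefix"]):
            return False, f"source {source_ip} not allowed for port {port}"
        limit = parse_iso_duration(rule["maxRequestAccessDuration"])
        wanted = parse_iso_duration(requested)
        if wanted > limit:
            return False, f"{requested} exceeds port {port} maximum {limit}"
        return True, f"port {port} opened to {source_ip} for {wanted}"
    return False, f"port {port} is not covered by the JIT policy"
```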

Defend your hybrid resources

In addition to defending your Azure environment, you can add Defender for Cloud capabilities to your hybrid cloud environment to protect your non-Azure servers. To help you focus on what matters the most, you’ll get customised threat intelligence and prioritised alerts according to your specific environment. To extend protection to on-premises machines, deploy Azure Arc and enable Defender for Cloud’s enhanced security features.

Assess, Secure, and Defend with Microsoft Defender for Cloud

Microsoft Defender for Cloud is designed to meet three critical needs in managing the security of cloud and on-premises resources: continuous assessment, securing environments, and defending against threats. Here’s how it helps in each of these areas.

Continuously Assess

Defender for Cloud continuously evaluates your environment, identifying and tracking vulnerabilities across virtual machines, container registries, and SQL servers. It includes native integration with Microsoft Defender for Endpoint for servers, providing access to comprehensive vulnerability findings from Microsoft threat and vulnerability management.

Regular, detailed vulnerability scans cover your compute, data, and infrastructure, allowing you to review and respond to findings directly within Defender for Cloud.

Assessment Tools:

  • Vulnerability Assessment Solutions: For virtual machines, container registries, and SQL servers.
  • Integration with Defender for Endpoint: Enhances vulnerability detection and management for servers.

Secure

Security in the cloud involves setting robust policies tailored to your environment, which are built on Azure Policy controls. This provides a flexible and comprehensive policy solution.

Defender for Cloud constantly monitors for new resources and assesses their configuration against security best practices. If deviations are found, it flags these and provides a prioritised list of recommendations to reduce the attack surface.

Security Policies:

Azure Security Benchmark: Provides guidelines for security and compliance best practices based on common frameworks.

Secure Configuration Standards: Apply these across your resources to ensure security and compliance.

Secure Score:

Defender for Cloud groups recommendations into security controls and assigns a secure score to each control. This score provides an at-a-glance indicator of your security posture and a list of actions to improve it.

Defend

When a threat is detected, Defender for Cloud generates a security alert that includes details of the affected resources, remediation steps, and sometimes an option to trigger a logic app for response.

It supports exporting alerts and includes fusion kill-chain analysis, which correlates individual alerts along the stages of the cyber kill chain to give a consolidated view of attack campaigns.

Security Alerts:

  • Details and Remediation: Alerts describe affected resources and suggest remediation steps.
  • Automated Responses: Options to trigger automated responses via logic apps.

Advanced Threat Protection:

  • Defender for Cloud provides advanced protection features for virtual machines, SQL databases, containers, web applications, and networks.
  • It includes securing VM management ports with just-in-time access and adaptive application controls to create allowlists for approved applications.

Highlight: Network Map

One of the standout features of Azure Defender is the Network Map. This graphical tool provides a detailed view of your network topology with security overlays. It offers recommendations and insights for hardening your network resources. You can visualise the connections between virtual machines, subnets, and other network components, and drill down into specific resources to view and implement security recommendations.

Hybrid Cloud Protection

Azure Defender extends its protection to virtual machines (VMs) residing in other cloud service providers, such as AWS and GCP, through Azure Arc. Azure Arc is a control plane that manages compute resources across multiple cloud environments and on-premises infrastructure. This capability ensures that your security strategy is unified and comprehensive, regardless of where your resources are located.

By providing advanced threat protection, detailed security alerts, insightful recommendations, and hybrid cloud capabilities, Azure Defender helps maintain a robust security posture. For those managing complex environments with resources spread across multiple platforms, Azure Defender offers the comprehensive protection needed to safeguard against modern cyber threats.


