
8 Cloud Security Best Practice Fundamentals for Microsoft Azure

by AZURE SECURITY NEWS EDITOR
February 9, 2021

In a previous blog, I discussed securing AWS management configurations by combating six common threats with a focus on using both the Center for Internet Security (CIS) Amazon Web Services Foundations benchmark policy along with general security best practices.

Now I’d like to do the same thing for Microsoft Azure. I had the privilege of being involved in the development of the CIS Microsoft Foundations Benchmark, which was published in early 2018.  During that process, I learned a great deal about the security aspects of Azure. Many of the same cloud security fundamentals we discussed previously also apply to other cloud environments, so we’re going to use that best practice cloud security knowledge we learned in the last blog and apply it to Microsoft Azure.

1. Identity Management with Azure Active Directory

Like before, it’s crucial that multi-factor authentication is being used wherever possible in order to combat attacks from phishing and lost or compromised credentials. At a minimum, any Azure Active Directory user with an administrative role or the ability to create and alter resources should have multi-factor authentication enabled.  Enable password policy settings to ensure complex passwords.

It’s easy to lose track of which permissions exist within custom roles. Audit any custom role definitions to ensure that none contain unnecessary administrative permissions that could be instead assigned via default roles.

Ensure that no unneeded guest users are created in the Azure Active Directory. For any that are necessary, ensure that the user setting for limiting guest permissions is set as well as the setting to not allow guests to invite additional users.

If you are using Active Directory Federation Services in order to allow a user to sign into Azure-AD based services with their on-premises password, it is critical that you are also auditing your on-premises Active Directory for security and compliance with vulnerability assessment and monitoring tools.

2. The Microsoft Azure Security Center

A number of security features are available within the Microsoft Azure Security Center for us to take advantage of, and Microsoft has automated the discovery and implementation of a good deal of it.

It is important to enable virtual machine security data collection by default via automatic provisioning of the monitoring agent. Once the monitoring agent is enabled, you should ensure that all recommendation settings in the security policy are enabled. These recommendations cover a myriad of security settings, such as when operating system patches are required or when encryption has not been enabled.

You should make a habit of reviewing the Recommendations tab within the Security Center blade in order to ensure no active security tasks exist and that any recommendations have been considered and implemented where possible.

Ensure that a current security contact email and phone number have been set in the Security Center Policy. This ensures that Microsoft has an accurate contact within your organization for any security related incidents.

Lastly, consider upgrading from the Free Azure security tier to the Standard tier for enhanced security options. This does come at a cost, but it allows threat detection on virtual machines and databases.

3. Networking with Microsoft SQL Server

It’s critical to limit exposure to brute force attacks by limiting access to SSH and RDP in your Network Security Groups. This advice is the same no matter the platform: don’t open ports 22 or 3389 to the open internet.
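One way to audit for this, as an added example that is not part of the original article: the script below flags inbound Allow rules that expose port 22 or 3389 to any internet source, including rules that cover those ports through a wildcard or a range. It assumes each Network Security Group is a dictionary shaped like the JSON from `az network nsg list`; the sample NSG and the helper names are constructed for illustration.

```python
# Added example: flag NSG rules that expose SSH/RDP to the internet.
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
# Source prefixes that match any internet host.
OPEN_SOURCES = {"*", "0.0.0.0/0", "::/0", "internet"}


def port_in_spec(port, spec):
    """True if port is matched by an NSG port spec: '*', '22' or '3000-4000'."""
    spec = spec.strip()
    if spec == "*":
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)


def merged(rule, single, plural):
    """A rule carries either one value or a list of values; return them all."""
    values = list(rule.get(plural) or [])
    if rule.get(single):
        values.append(rule[single])
    return values


def exposed_admin_ports(nsg):
    """Return (rule name, port) for inbound Allow rules open to the internet.

    Priority is not evaluated: a flagged rule may be shadowed by a
    lower-numbered Deny rule, so treat findings as items to review.
    """
    findings = []
    for rule in nsg.get("securityRules", []):
        if str(rule.get("direction", "")).lower() != "inbound":
            continue
        if str(rule.get("access", "")).lower() != "allow":
            continue
        if str(rule.get("protocol", "*")).lower() not in ("*", "tcp"):
            continue
        sources = merged(rule, "sourceAddressPrefix", "sourceAddressPrefixes")
        if not any(s.lower() in OPEN_SOURCES for s in sources):
            continue
        specs = merged(rule, "destinationPortRange", "destinationPortRanges")
        for port in sorted(ADMIN_PORTS):
            if any(port_in_spec(port, s) for s in specs):
                findings.append((rule["name"], port))
    return findings


def sample_rule(name, access, source, ports, protocol="Tcp"):
    """Build a constructed sample rule (not real data)."""
    return {"name": name, "direction": "Inbound", "access": access,
            "protocol": protocol, "sourceAddressPrefix": source,
            "destinationPortRanges": ports}


# Constructed sample NSG.
SAMPLE_NSG = {"name": "example-nsg", "securityRules": [
    sample_rule("allow-ssh-any", "Allow", "*", ["22"]),
    sample_rule("allow-wide-range", "Allow", "Internet", ["443", "3000-4000"]),
    sample_rule("allow-rdp-office", "Allow", "203.0.113.0/24", ["3389"]),
    sample_rule("deny-ssh-any", "Deny", "*", ["22"]),
]}

if __name__ == "__main__":
    for name, port in exposed_admin_ports(SAMPLE_NSG):
        print(f"{name}: {ADMIN_PORTS[port]} ({port}) reachable from the internet")
```

The `allow-wide-range` rule is the case that is easy to miss by eye: it never names 3389, but its 3000-4000 range includes it.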

If you are running Microsoft SQL Server, there is a separate SQL Server Firewall mechanism that exists outside of the Network Security Groups function. You should audit the SQL Server Firewall to ensure that you have not allowed access to the open internet or to network blocks that do not require access.

It still makes sense to make use of operating system firewalls within virtual machines to provide defense in depth in case of accidental Network Security Group misconfiguration or a platform error.

It is also a good idea to perform vulnerability scans against your infrastructure. These can be done without notifying Microsoft as long as they follow the Pentest Rules of Engagement. You can assess your Azure infrastructure for network- and host-based vulnerabilities with a vulnerability management product like Tripwire® IP360™.

4. Logging with Ample Storage Retention

There are multiple logging capabilities within Microsoft Azure, and it is important to utilize them for security auditing and compliance. Ensure that you have enabled Activity Log storage, which we will further use to create monitoring alerts for various behaviors. (See below.)

Additionally, each Network Security Group should have flow logging enabled, and each SQL Server Database should have database auditing enabled. Each of these logging capabilities utilizes a storage account. For each logging function, you should create a storage account that is encrypted at rest via the “Storage Service Encryption” setting and in transit via the “Secure Transfer Required” setting.

It is also recommended that you enable log storage retention for greater than 90 days or set retention to unlimited if possible for each logging case.

5. Monitoring with Activity Log Alerts

The Activity Log enables us to perform monitoring for a variety of security relevant events. Alerts allow us to ensure that the appropriate parties are notified of behavior that could be suspicious if it has not been approved, such as the changing of security settings.

Activity Log Alerts should be created for the following events:

  • Create Policy Assignment
  • Create or Update Network Security Group
  • Delete Network Security Group
  • Create or Update Network Security Group Rule
  • Delete Network Security Group Rule
  • Create or Update SQL Server Firewall Rule
  • Delete SQL Server Firewall Rule
  • Create or Update Security Solution
  • Delete Security Solution
  • Update Security Policy
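
A coverage check for the list above, as an added example that is not part of the original article: it reports which of the ten events have no alert that is both enabled and wired to an action group, since an alert that is disabled or notifies nobody gives no protection. The mapping from event names to Azure Resource Manager operation names, the alert structure (modelled on `az monitor activity-log alert list` output) and the sample alerts are assumptions made for this example.

```python
# Added example: find required Activity Log events that nobody is alerted on.
# ARM operation names assumed to correspond to the events listed above.
REQUIRED = {
    "Create Policy Assignment": "Microsoft.Authorization/policyAssignments/write",
    "Create or Update Network Security Group": "Microsoft.Network/networkSecurityGroups/write",
    "Delete Network Security Group": "Microsoft.Network/networkSecurityGroups/delete",
    "Create or Update Network Security Group Rule": "Microsoft.Network/networkSecurityGroups/securityRules/write",
    "Delete Network Security Group Rule": "Microsoft.Network/networkSecurityGroups/securityRules/delete",
    "Create or Update SQL Server Firewall Rule": "Microsoft.Sql/servers/firewallRules/write",
    "Delete SQL Server Firewall Rule": "Microsoft.Sql/servers/firewallRules/delete",
    "Create or Update Security Solution": "Microsoft.Security/securitySolutions/write",
    "Delete Security Solution": "Microsoft.Security/securitySolutions/delete",
    "Update Security Policy": "Microsoft.Security/policies/write",
}


def notifying_operations(alerts):
    """Operation names covered by alerts that are enabled and notify someone."""
    covered = set()
    for alert in alerts:
        groups = (alert.get("actions") or {}).get("actionGroups") or []
        if not alert.get("enabled") or not groups:
            continue  # disabled, or no action group: nobody is notified
        for cond in (alert.get("condition") or {}).get("allOf") or []:
            if str(cond.get("field", "")).lower() == "operationname":
                covered.add(str(cond.get("equals", "")).lower())
    return covered


def missing_alerts(alerts):
    """Return the required events (in list order) that lack a working alert."""
    covered = notifying_operations(alerts)
    return [event for event, op in REQUIRED.items() if op.lower() not in covered]


def sample_alert(operation, enabled=True, groups=("constructed-action-group-id",)):
    """Build a constructed alert rule (not real data)."""
    return {
        "enabled": enabled,
        "condition": {"allOf": [
            {"field": "category", "equals": "Administrative"},
            {"field": "operationName", "equals": operation},
        ]},
        "actions": {"actionGroups": [{"actionGroupId": g} for g in groups]},
    }


# Constructed sample: two working alerts, one disabled, one with no recipients.
SAMPLE_ALERTS = [
    sample_alert("Microsoft.Network/networkSecurityGroups/write"),
    sample_alert("microsoft.sql/servers/firewallrules/write"),  # case differs
    sample_alert("Microsoft.Network/networkSecurityGroups/delete", enabled=False),
    sample_alert("Microsoft.Security/policies/write", groups=()),
]

if __name__ == "__main__":
    for event in missing_alerts(SAMPLE_ALERTS):
        print("No working alert for:", event)
```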

6. Cloud Storage Account Security

We previously mentioned ensuring that logs are stored in storage accounts with SSL and Disk Encryption. Where possible, you should configure every storage account to use blob encryption, file encryption, and secure transfer.

Storage Account keys should be periodically regenerated to mitigate the risk of compromised access keys. Shared Access Signatures should be used only with secure transfer and should have expiration times of eight hours or less so that access is not granted indefinitely.
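
The two Shared Access Signature conditions can be checked directly from a token's query string. The following is an added example, not part of the original article: it reads the standard SAS fields `spr` (allowed protocols), `st` (start) and `se` (expiry) and reports tokens that permit HTTP or stay valid for more than eight hours. The URLs, the `sig` placeholder and the `issued_at` parameter (used when a token has no `st`) are constructed for illustration.

```python
# Added example: audit a SAS URL for HTTPS-only use and a lifetime of <= 8 hours.
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

MAX_LIFETIME = timedelta(hours=8)


def parse_sas_time(value):
    """Parse an ISO 8601 UTC time such as 2021-02-09T08:00:00Z or 2021-02-09."""
    parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def audit_sas(url, issued_at):
    """Return a list of problem codes for one SAS URL (empty list = compliant).

    issued_at stands in for the start time when the token carries no 'st'.
    """
    params = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    problems = []
    # 'spr' is optional; when it is absent, both HTTPS and HTTP are accepted.
    if params.get("spr", "").lower() != "https":
        problems.append("http-allowed")
    if "se" not in params:
        # Expiry may come from a stored access policy; it cannot be judged here.
        problems.append("no-expiry")
        return problems
    start = parse_sas_time(params["st"]) if "st" in params else issued_at
    if parse_sas_time(params["se"]) - start > MAX_LIFETIME:
        problems.append("lifetime-over-8h")
    return problems


# Constructed samples; the account name and signatures are placeholders.
ISSUED_AT = datetime(2021, 2, 9, 8, 0, tzinfo=timezone.utc)
GOOD_SAS = ("https://exampleaccount.blob.core.windows.net/logs/app.log"
            "?sv=2020-02-10&sp=r&st=2021-02-09T08:00:00Z"
            "&se=2021-02-09T14:00:00Z&spr=https&sig=CONSTRUCTED")
BAD_SAS = ("https://exampleaccount.blob.core.windows.net/logs/app.log"
           "?sv=2020-02-10&sp=rw&se=2021-03-09T08:00:00Z"
           "&spr=https,http&sig=CONSTRUCTED")

if __name__ == "__main__":
    for label, url in (("good", GOOD_SAS), ("bad", BAD_SAS)):
        print(label, audit_sas(url, ISSUED_AT) or "compliant")
```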

Any public access of Blob or file containers should be carefully audited to ensure it is only used in cases such as public web sites.  Tripwire Configuration Manager can be used to audit public access of storage containers and even enforce privacy settings automatically.

7. Virtual Machine Security Data

One unique facet of Azure virtual machine security is the virtual machine agent that gathers security data as mentioned above. Keeping the agent running ensures a proper overview of your assets.

Most importantly, however, securing virtual machines in the cloud works much the same as on premises and has been discussed at length. Ensure you have the latest operating system and software patches and are running endpoint protection. Ensure you are using disk encryption to encrypt files at rest in case of storage compromise.

8. Microsoft SQL Server Azure Integration

Finally, one of the main selling points of Azure is the integration with Microsoft SQL Server. At a minimum, it is important to set your SQL Server Firewall with the tightest policy possible and to enable audit logs for insight into security breaches or possible misuse of information.

The Microsoft SQL Server threat detection capability within Azure can detect SQL injection, SQL injection vulnerabilities, and other anomalies. This is a paid feature, but it can enable further defense in depth and should be enabled if possible. Ensure that you are sending alerts to a security contact and service owners if you do enable threat detection.

This best practice advice is a baseline that applies to any project implemented within Microsoft Azure and can be expanded on and tailored to individual installations. Most of the recommendations here can be expanded on by referring to the Center for Internet Security Microsoft Azure Foundations Benchmark.

Tripwire’s Configuration Manager helps you determine the security state of your Microsoft Azure, Amazon Web Services, and Google Cloud Platform deployments by collecting and analyzing cloud account configuration data. Configuration Manager allows you to monitor your Azure Resource Manager, AWS and Google Cloud consoles for configuration changes, as well as perform automatic remediation of many security risks.

Reference: https://www.tripwire.com/state-of-security/security-data-protection/securing-azure-best-practice-fundamentals/
