by Sonrai and Azure Security News
Key takeaways from our recent webinar on Microsoft Azure cloud security
As we discussed in a recent webinar on Microsoft Azure security considerations, Azure’s consistent innovation provides great value but requires enterprises to stay up to date on sophisticated and evolving threats.
Azure environments are constantly at risk, both from external cybercrime and from internal security issues caused by misconfiguration and mismanagement. For example, UK-based app developer Probase left an Azure blob containing files with personally identifiable data wide open: medical records, recruitment data, occupational health assessments, insurance claim documents and more were exposed through an unsecured storage container. The news was first broken by The Register, which was tipped off by cybersecurity researcher Oliver Hough and, on investigating, found 587,000 files sitting in the unprotected blob. Any malicious actor who knew where to look could have found and accessed the data with ease.
Making matters worse, research from McKinsey shows that insider threats are present in 50% of cyber breaches — and 44% of root causes can be attributed to negligence. Oftentimes, breaches occur when inexperienced or understaffed IT teams are asked to handle large-scale cloud migrations.
Suffice it to say that Azure can be incredibly complicated. If you’re new to the platform, it’s very easy to make small mistakes that can lead to catastrophic consequences.
With all this in mind, let’s take a closer look at some of the leading Azure security issues that were discussed in the webinar to give you a better idea of what you can do to protect your cloud environment.
Cloud Security Challenges
Compromise of Microsoft Azure
Azure has made significant investments in security to protect its platform from intrusion. However, the possibility always exists that an attacker could compromise an element in the Azure platform and either gain access to data, take an application running on the platform offline, or permanently destroy data. In practice, though, the far more common path in is not a flaw in the platform but a mistake in how a customer configured it: an attacker only needs to find one misconfiguration to get in, while a security team needs to keep track of all of them, all the time.
Insider Threats and Privileged Identity Threats
The average enterprise experiences 11 insider threats each month, and one-third are privileged user threats. These incidents can include malicious and negligent behavior ranging from taking actions that unintentionally expose data to the internet to employees stealing data.
Third-party Account Compromise
According to the Verizon Data Breach Investigations Report, 63% of data breaches involved a compromised account in which the attacker exploited a weak, default, or stolen password; the breach that sank Code Spaces is one example. Misconfigured security settings or accounts with excessive identity and access management (IAM) permissions increase the damage such a compromise can do.
Azure Cloud Data Sprawl
Gone are the days of a limited selection of manageable data stores (e.g., Oracle, IBM, and MS SQL). Innovations in agile cloud development have led to an explosion of new data store options, with teams utilizing MongoDB, Elasticsearch, CouchDB, Cassandra, DynamoDB, HashiCorp Vault, and many, many more. Add object stores such as Azure Blob Storage to that list and it becomes self-evident that new corporate infrastructures no longer have a physical or logical concept of a ‘data center.’
This innovation can create cloud sprawl, where an organization has an uncontrolled proliferation of its cloud instances, services, or identities. Cloud sprawl typically occurs when an organization lacks visibility into or control over its cloud computing resources.
Ephemeral Compute Pours Over Your Data
With container orchestration, the typical lifetime of a container is 12 hours. Serverless functions – already adopted by 22% of corporations – come and go in seconds. Data is the digital era’s oil, but the oil rigs are ephemeral and countless in this era. Spot instances, containers, serverless functions, admins, and agile development teams are the countless fleeting rigs that drill into your data.
Unsecured Storage Containers
The news is filled regularly with attacks on misconfigured cloud servers and the leaked data that criminals obtain from them. Misconfigurations are the natural result of human error. Standing up a cloud server or storage container with loose or no access controls and then forgetting to tighten them when it goes into production is a common mistake.
Lack of Application Protection
Perimeter network firewalls do little for workloads in the public cloud, where the attack surface is the application and its identities rather than a network boundary. Attacks on web applications more than doubled, according to the 2020 Verizon Data Breach Investigations Report.
Manually Managing Access Rights
Keeping track by hand of which users can access which application creates risk. You cannot detect common privilege escalation paths across your infrastructure manually, and granting excessive admin rights to virtual machines and containers (for example, through the identities they run under) compounds the problem.
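As an added example (not from the original article or the webinar), the following Python script reviews Azure RBAC role assignments for the kind of over-privilege described above. The input mimics the fields returned by `az role assignment list --all -o json` (`principalName`, `principalType`, `roleDefinitionName`, `scope`); the assignments and the subscription ID are constructed for illustration, not taken from a real tenant.

```python
"""Offline review of Azure RBAC role assignments for over-privilege.

Added example; not from the original article. The records mimic the
fields of `az role assignment list --all -o json`; every principal and
the subscription ID below are constructed.
"""
import re
from typing import Dict, List

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # constructed id

SAMPLE_ASSIGNMENTS: List[Dict] = [
    {"principalName": "alice@example.com", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": SUB},
    # A VM's managed identity shows up as a ServicePrincipal.
    {"principalName": "build-agent-vm", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor", "scope": SUB},
    {"principalName": "deploy-sp", "principalType": "ServicePrincipal",
     "roleDefinitionName": "User Access Administrator",
     "scope": SUB + "/resourceGroups/app-rg"},
    {"principalName": "bob@example.com", "principalType": "User",
     "roleDefinitionName": "Reader", "scope": SUB + "/resourceGroups/app-rg"},
    {"principalName": "ops-team", "principalType": "Group",
     "roleDefinitionName": "Virtual Machine Contributor",
     "scope": SUB + "/resourceGroups/vm-rg"},
]

# Roles that can grant access to others: the privilege-escalation primitives.
GRANTING_ROLES = {"Owner", "User Access Administrator"}
# Roles that are too broad to hold over a whole subscription in most shops.
BROAD_ROLES = GRANTING_ROLES | {"Contributor"}

_SUB_SCOPE = re.compile(r"^/subscriptions/[0-9a-fA-F-]{36}$")
_MG_SCOPE = re.compile(r"^/providers/Microsoft\.Management/managementGroups/")


def is_broad_scope(scope: str) -> bool:
    """True for subscription- or management-group-wide scopes."""
    return bool(_SUB_SCOPE.match(scope) or _MG_SCOPE.match(scope))


def review_assignment(a: Dict) -> List[str]:
    """Return findings for one assignment; an empty list means nothing to flag."""
    who, kind = a["principalName"], a["principalType"]
    role, scope = a["roleDefinitionName"], a["scope"]
    findings = []
    if role in BROAD_ROLES and is_broad_scope(scope):
        findings.append(f"{who} ({kind}) holds {role} across the whole "
                        f"subscription/management group")
    # A workload identity (VM, container, CI runner) that can grant roles lets
    # whoever compromises it promote themselves to Owner.
    if kind == "ServicePrincipal" and role in GRANTING_ROLES:
        findings.append(f"{who} (workload identity) can grant roles via {role} "
                        f"at {scope}")
    return findings


def review_assignments(assignments: List[Dict]) -> List[str]:
    """Run review_assignment over a whole export."""
    out: List[str] = []
    for a in assignments:
        out.extend(review_assignment(a))
    return out


if __name__ == "__main__":
    for finding in review_assignments(SAMPLE_ASSIGNMENTS):
        print("FLAG", finding)
```

Azure AD directory roles such as Global Administrator live in a separate system from Azure RBAC and do not appear in `az role assignment list`; review them separately.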
Microsoft Azure Cloud Security Checklist
Microsoft Azure has built a set of security controls for its customers to use across Azure services, and it is up to the customer to make the most of these built-in capabilities. Here are best practices security experts recommend you follow:
- Ensure that multifactor authentication (MFA) is enabled for all users
- Enable MFA on privileged accounts and strongly consider layering in conditional access policies (e.g., geo, IP address, device state)
- Ensure that ‘Users can consent to apps accessing company data on their behalf’ is set to ‘No’
- Ensure that there are no guest users, or that every guest account is explicitly justified and periodically reviewed
- Use role-based access control for admin accounts, assigning the least privileged Azure AD role that fits the task, instead of giving every privileged account Global Administrator
- Ensure that ‘Allow users to remember multi-factor authentication on devices they trust’ is disabled
- Ensure that ‘Restrict access to Azure AD administration portal’ is set to ‘Yes’
- Ensure that ‘Users can create security groups’ is set to ‘No’
- Ensure that ‘Self-service group management enabled’ is set to ‘No’
- Ensure that ‘Users who can manage security groups’ is set to ‘None’
- Ensure that ‘Require Multi-Factor Auth to join devices’ is set to ‘Yes’
- On storage accounts, ensure that ‘Secure transfer required’ is set to ‘Enabled’ so that only HTTPS is accepted
- On storage accounts, ensure that ‘Storage service encryption’ is set to ‘Enabled’ (it is on by default for current accounts; verify rather than assume)
- On SQL servers, ensure that ‘Auditing’ is set to ‘On’
- On SQL servers, ensure that ‘Auditing type’ is set to ‘Blob’ (table auditing is deprecated)
- On SQL servers, ensure that ‘Threat detection’ is set to ‘On’
- On SQL servers, ensure that ‘Threat detection types’ is set to ‘All’
- On SQL servers, ensure that ‘Send alerts to’ is set to an address someone actually monitors
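To make the storage items in the checklist (and the Unsecured Storage Containers risk above) concrete, here is an added Python example, not part of the original article or of Sonrai’s tooling, that evaluates the settings an auditor would pull with `az storage account list -o json` and `az storage container list --account-name <name> -o json`. The accounts and containers are constructed samples; the property names (`enableHttpsTrafficOnly`, `allowBlobPublicAccess`, `minimumTlsVersion`, `encryption.services.blob.enabled`, `properties.publicAccess`) are the ones the Azure Resource Manager API and CLI actually return.

```python
"""Offline audit of Azure Storage exposure settings.

Added example; not part of the original article or Sonrai's tooling.
Record shapes mimic `az storage account list -o json` and
`az storage container list --account-name <acct> -o json`; the sample
accounts and containers below are constructed, not real.
"""
from typing import Dict, List

# Constructed sample: two storage accounts as the ARM resource exposes them.
SAMPLE_ACCOUNTS: List[Dict] = [
    {
        "name": "prodappdata01",
        "enableHttpsTrafficOnly": True,   # 'Secure transfer required' = Enabled
        "allowBlobPublicAccess": False,   # no container may be anonymous
        "minimumTlsVersion": "TLS1_2",
        "encryption": {"services": {"blob": {"enabled": True}},
                       "keySource": "Microsoft.Storage"},
    },
    {
        "name": "legacyexport",
        "enableHttpsTrafficOnly": False,  # plaintext HTTP still accepted
        "allowBlobPublicAccess": True,    # containers are allowed to opt in
        "minimumTlsVersion": "TLS1_0",
        "encryption": {"services": {"blob": {"enabled": True}},
                       "keySource": "Microsoft.Storage"},
    },
]

# Constructed sample: containers per account. 'publicAccess' is "container"
# (anonymous list + read), "blob" (anonymous read by URL) or None (private).
SAMPLE_CONTAINERS: Dict[str, List[Dict]] = {
    "prodappdata01": [{"name": "invoices", "properties": {"publicAccess": None}}],
    "legacyexport": [
        {"name": "hr-records", "properties": {"publicAccess": "container"}},
        {"name": "backups", "properties": {"publicAccess": None}},
    ],
}

TLS_RANK = {"TLS1_0": 0, "TLS1_1": 1, "TLS1_2": 2, "TLS1_3": 3}


def audit_account(acct: Dict) -> List[str]:
    """Return checklist failures for one storage account (empty = compliant)."""
    findings = []
    name = acct["name"]
    if not acct.get("enableHttpsTrafficOnly", False):
        findings.append(f"{name}: 'secure transfer required' is disabled (HTTP allowed)")
    if TLS_RANK.get(acct.get("minimumTlsVersion", "TLS1_0"), 0) < TLS_RANK["TLS1_2"]:
        findings.append(f"{name}: minimum TLS version is below TLS1_2")
    blob_enc = (acct.get("encryption", {}).get("services", {})
                .get("blob", {}).get("enabled", False))
    if not blob_enc:
        findings.append(f"{name}: storage service encryption not enabled for blobs")
    # A missing value is treated as 'allowed', the historical default.
    if acct.get("allowBlobPublicAccess", True):
        findings.append(f"{name}: account permits anonymous container access "
                        f"(set allowBlobPublicAccess=false)")
    return findings


def audit_containers(account_name: str, containers: List[Dict]) -> List[str]:
    """Flag containers readable without credentials, the Probase failure mode."""
    findings = []
    for c in containers:
        level = c.get("properties", {}).get("publicAccess")
        if level in ("container", "blob"):
            findings.append(f"{account_name}/{c['name']}: anonymous access level '{level}'")
    return findings


def audit_storage(accounts: List[Dict],
                  containers_by_account: Dict[str, List[Dict]]) -> List[str]:
    """Account-level checks, plus container checks where exposure is possible."""
    findings: List[str] = []
    for acct in accounts:
        findings.extend(audit_account(acct))
        # Only the account-level switch makes container-level exposure possible.
        if acct.get("allowBlobPublicAccess", True):
            findings.extend(audit_containers(
                acct["name"], containers_by_account.get(acct["name"], [])))
    return findings


if __name__ == "__main__":
    for line in audit_storage(SAMPLE_ACCOUNTS, SAMPLE_CONTAINERS):
        print("FAIL", line)
```

Anonymous access needs two things to line up, the account-level `allowBlobPublicAccess` switch and a container whose `publicAccess` is `blob` or `container`, which is why the script only inspects containers on accounts that permit it. The account-level items are fixed with `az storage account update --name <name> --resource-group <rg> --https-only true --min-tls-version TLS1_2 --allow-blob-public-access false`.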