Microsoft Azure security fundamentals include documenting responses to security events, using identity access management tools, authenticating users, taking advantage of tools with automation, encrypting data, and using firewalls.
Securing the cloud is a responsibility shared between the cloud provider and the organization using the cloud. The image below depicts the division.
Plan and Strategize for Security Events
Organizations should document how they respond to security events before those events occur and how they will recover afterward. This should be completed before an organization subscribes to any cloud security service. Microsoft Azure recommends organizations adopt a business continuity and disaster recovery (BCDR) strategy. Microsoft Azure has services and suggested practices that keep the cloud environment secure and help in the recovery process.
Password policy enforcement is the practice of requiring a certain level of complexity and specific lifespans for passwords. With Microsoft Azure’s SQL Servers, organizations can mandate that users’ passwords fit these preset requirements. This makes it more difficult for hackers to gain or use credentials.
Azure Backup is a service that allows organizations to back up entire virtual machines (VMs), Azure Files shares, SQL Server databases, and SAP HANA databases. In the event data is lost from one data center, whether through a natural event or an attack, the data still exists elsewhere for recovery.
Azure Site Recovery is a major contributor to a BCDR strategy. When an outage occurs due to a DDoS attack or problems within the data center, Site Recovery keeps apps and workloads running at a secondary location that has not been affected. This is an example of distributed cloud infrastructure. Once the primary location is functioning again, workloads are moved back to it. When an attack is occurring, having Site Recovery as an option means an organization’s customers do not see a disruption in service.
Use Identity Access Management and Authentication Tools
Organizations can use identity access management (IAM) tools alongside authentication and authorization tools to verify that users are who they claim to be and to grant them specific permissions. Microsoft Azure services that are used for this include the Azure App Service, role-based access control (RBAC), and multi-factor authentication (MFA) through Microsoft Authenticator.
Azure App Service features built-in authentication and authorization support, enabling users to sign in and access data from a web app, RESTful API, mobile back end, or Azure Functions, with little to no code required. Additionally, it provides secure authentication and authorization utilities, which can be used for federation, encryption, JSON Web Token (JWT) management, and grant types.
RBAC is a common practice for implementing the principle of least privilege. The idea is to grant users, in this case employees, the minimum level of access they need to perform their job effectively. RBAC assigns roles to users in a customizable fashion. The roles determine the user’s level of access and are enforced as policy.
Azure Active Directory is a cloud-based IAM and single sign-on (SSO) service for Microsoft applications like Office 365. Features available in Azure Active Directory geared towards identities and security include authentication, conditional access, identity governance, identity protection, managed identities, privileged identity management, and reports and monitoring. This helps Microsoft Azure cloud security because if credentials are stolen, the amount of access to data and cloud resources is limited and risk is mitigated.
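The least-privilege assignment the RBAC paragraph describes, as an added example (not code from the original article) using the Az PowerShell module. The resource group, application name, and the signed-in caller's permissions are assumptions.

```powershell
# Added example (not from the original article): scope a built-in role to a single
# resource group rather than granting broad subscription-level access.
# Assumed names: rg-payments-prod and app-inventory-api; the caller is already
# signed in with Connect-AzAccount and may create role assignments.
$ResourceGroup = 'rg-payments-prod'
$AppName       = 'app-inventory-api'

# Resolve the service principal (workload identity) that needs access.
$sp = Get-AzADServicePrincipal -DisplayName $AppName
if (-not $sp) { throw "Service principal '$AppName' not found" }

# Build the narrowest scope that still covers the job: the resource group only.
$scope = (Get-AzResourceGroup -Name $ResourceGroup).ResourceId

# 'Reader' is a built-in role: view resources, change nothing.
# Contrast with 'Owner' or 'Contributor' at subscription scope, which would let a
# stolen credential modify or delete every resource in the subscription.
New-AzRoleAssignment -ObjectId $sp.Id `
                     -RoleDefinitionName 'Reader' `
                     -Scope $scope

# Review step: every assignment an identity holds should trace back to a job need.
Get-AzRoleAssignment -ObjectId $sp.Id |
    Select-Object RoleDefinitionName, Scope
```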
Monitor the Cloud Environment
When an organization has blind spots in its cloud environment, it lacks the ability to properly protect itself. A good approach to security is to use services that are able to view the entire environment and report on what they detect. A couple of monitoring services from Microsoft Azure are the Azure Security Center and the Azure App Service.
The Azure Security Center grants visibility into and control over cloud resources, allowing organizations to detect and respond to threats. This service monitors cloud resources and provides reports that suggest actions administrators can take to address any anomalies.
Azure Monitor gives visibility into data in the Azure infrastructure and individual Azure resources.
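One way to put that visibility to use, as an added example (not code from the original article): querying Azure Monitor logs from the Az PowerShell module for accounts with repeated failed sign-ins. It assumes Azure Active Directory sign-in logs are forwarded to a Log Analytics workspace through diagnostic settings; the workspace ID and thresholds are placeholders.

```powershell
# Added example (not from the original article): run a detection query against
# Azure Monitor logs. Assumes Azure Active Directory sign-in logs are being sent
# to a Log Analytics workspace, whose customer ID is a placeholder here.
$WorkspaceId = '00000000-0000-0000-0000-000000000000'   # placeholder

# KQL: accounts with many failed sign-ins from several source addresses in the
# last hour. ResultType is "0" on success; any other value is a failure code.
$Query = @'
SigninLogs
| where TimeGenerated > ago(1h)
| where ResultType != "0"
| summarize FailedAttempts = count(),
            DistinctIPs    = dcount(IPAddress),
            FirstSeen      = min(TimeGenerated),
            LastSeen       = max(TimeGenerated)
  by UserPrincipalName
| where FailedAttempts >= 20 and DistinctIPs >= 3
| order by FailedAttempts desc
'@

$result = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $Query

# Each row is a candidate for follow-up: confirm with the user, check whether MFA
# blocked the attempts, and review conditional access for the account.
foreach ($row in $result.Results) {
    '{0}: {1} failures from {2} addresses ({3} .. {4})' -f $row.UserPrincipalName,
        $row.FailedAttempts, $row.DistinctIPs, $row.FirstSeen, $row.LastSeen
}
```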
Take Advantage of Automation for a Secure Microsoft Azure
An organization should take advantage of automation tools to take over difficult and time-consuming jobs like data analytics.
Many of Microsoft Azure’s security services are automated, particularly ones dedicated to monitoring the cloud environment and enforcing policy. An example of this is Application Insights.
Use Encryption and Firewalls
One of the most basic aspects of cybersecurity is to use encryption and firewalls. With Microsoft Azure, organizations have the opportunity to use a web application firewall, encryption at rest and in transit, and Azure Key Vault, among other security features.
Microsoft Azure’s web application firewall (WAF) is part of its Azure Application Gateway. The WAF protects the web applications that use the gateway for application delivery control. Because it is cloud-based, the WAF is a centralized way to protect web applications. The WAF is based on rules made by the Open Web Application Security Project (OWASP) and automatically updates when new vulnerabilities become apparent.
Azure Storage is able to secure data with encryption while the data is at rest or in transit. Data at rest is data sitting in storage whereas data in transit is data being sent along network connections. This is helpful to organizations because it takes care of the base need to encrypt data at all times.
The Azure Key Vault is a hardware security module (HSM) that stores cryptographic keys and critical secrets. A secret, in this instance, is any data an organization wants to tightly control access to. For example, a secret could be an API key, a password, or a certificate. The hardware used by the Azure Key Vault is certified to the standards of FIPS 140-2 Level 2 devices. Cryptographic keys encrypt and decrypt data, including data that is sent or received over a network. By having a secure piece of hardware retaining an organization’s secrets and keys, the keys themselves are protected. Without protected keys, encryption and authentication functions are rendered ineffective because an attacker holding the cryptographic keys can easily decrypt the data.
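The Key Vault and encryption-in-transit settings described above, as an added example (not code from the original article) using the Az PowerShell module. Resource names, the region, and the secret are assumptions; the caller is assumed to be signed in with rights to create these resources.

```powershell
# Added example (not from the original article): provision a Key Vault with the
# settings that protect the keys themselves, then store a secret and an HSM-backed
# key in it. Names (rg-payments-prod, kv-payments-prod, stpaymentsprod) are assumed.
$ResourceGroup = 'rg-payments-prod'
$VaultName     = 'kv-payments-prod'
$Location      = 'eastus'

# Premium SKU gives HSM-backed keys. Purge protection stops a deleted vault or key
# from being permanently removed during the retention window, so a compromised
# admin account cannot destroy the keys that protect the data. RBAC authorization
# lets the same least-privilege role assignments govern access to the vault.
New-AzKeyVault -Name $VaultName -ResourceGroupName $ResourceGroup -Location $Location `
               -Sku Premium -EnablePurgeProtection -EnableRbacAuthorization

# Secrets (API keys, passwords, connection strings) get an expiry so rotation is
# enforced. The value is typed at the prompt and never lands in a script or repo.
$secret = Read-Host -Prompt 'Third-party API key' -AsSecureString
Set-AzKeyVaultSecret -VaultName $VaultName -Name 'payments-api-key' `
                     -SecretValue $secret -Expires (Get-Date).AddDays(90)

# A key-encryption key that never leaves the HSM. Services such as Storage use a
# key like this to wrap the data-encryption keys that encrypt data at rest.
Add-AzKeyVaultKey -VaultName $VaultName -Name 'storage-cmk' `
                  -Destination HSM -KeyType RSA -Size 3072

# Applications read the secret at run time instead of embedding it in code.
$apiKey = Get-AzKeyVaultSecret -VaultName $VaultName -Name 'payments-api-key' -AsPlainText

# Encryption in transit: refuse plain HTTP and old TLS versions on the storage
# account that holds the data (encryption at rest is on by default).
Set-AzStorageAccount -ResourceGroupName $ResourceGroup -Name 'stpaymentsprod' `
                     -EnableHttpsTrafficOnly $true -MinimumTlsVersion TLS1_2
```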
Microsoft Azure Security: Key Takeaways
- Organizations should have a plan protecting their cloud instances and responding when attacked.
- IAM is key to mitigating intentional or accidental manipulation of data and cloud resources.
- Visibility means everything in reducing weak points in a security system.
- Automation is crucial for saving time and making security practices more efficient.
- Firewalls prevent hackers from accessing where data is stored while encryption prevents hackers from accessing the data itself.