While designing cloud solutions using Microsoft Azure, security best practices are key to ensuring your infrastructure is resilient to attacks while safeguarding user access and protecting customer data.
There are different ways to improve the security of networking and containerised infrastructures, from the Azure resource group level all the way down to the individual components. Azure monitoring plays a key role in identifying vulnerability, using Azure Monitor. We will also look into securing our data using tools such as Azure information protection, encryption of storage accounts and databases and Azure Key Vault.
List of Azure security components:
|1. Networking||Network Security Groups, Azure VPN Gateway, Azure Application Gateway, Web Application Firewall (WAF), Azure Load Balancer, Azure Traffic Manager, Azure Application Proxy, Azure Firewall, Azure DDoS protection, Virtual Network service endpoints.|
|2. Identity and access management||Azure role-based access control, Azure Active Directory, Azure Active Directory B2C, Azure Active Directory Domain Services, Azure AD Multi-Factor Authentication.|
|3. Database security||Azure SQL Firewall, Azure SQL Cell Level Encryption, Azure SQL Connection Encryption, Azure SQL Always Encryption, Azure SQL Transparent Data Encryption, Azure SQL Database Auditing.|
|4. Storage security||Azure Storage Service Encryption, Azure Client-Side Encryption, Azure Storage Shared Access Signatures, Azure Storage Account Keys, Azure File shares with SMB 3.0 Encryption, Azure Storage Analytics.|
|5. General Azure security||Azure Security Center, Azure Key Vault, Azure Monitor logs.|
|6. Backup and disaster recovery||Azure Backup, Azure Site Recovery.|
Some of the key security best practices are:
- Upgrade your Azure subscription to Azure Security Centre Standard,
- Store your keys and secrets in Azure Key Vault,
- Install a Web Application Firewall (WAF),
- Enforce multi-factor verification for users,
- Encrypt your virtual hard disk files,
- Use DDos Protection Standard,
- Place all Azure VM’s in Azure virtual networks.
Azure network security best practices:
Always adopt a “zero trust” approach. Nowadays, many companies in financial services, retail, eCommerce and government have adopted zero trust architecture. In this model, all accesses are strongly authenticated and authorised using inbuilt policies. This model helps in inspecting anomalies and achieving compliance.
To adopt this zero trust approach in Azure, carry out the following:
- Virtual network appliances,
- Deploy perimeter networks for security zones,
- Avoid exposure to the internet with dedicated WAN links,
- Disable RDP/SSH access to virtual machines,
- Optimise uptime and performance,
- Control routing behaviour,
- Logically segment subnets,
- Secure your critical Azure service resources to only your virtual networks,
- Use strong network controls.
Azure identity and access management best practices:
Identity management is the process of providing multiple levels of authenticating, authorising and controlling information using Azure security principals. Identity and access management help protect resources and applications using Conditional Access policies and monitor activity through alerting, auditing and reporting.
To implement these best practices, do the following:
- Treat identity as the primary security perimeter,
- Centralise identity management,
- Manage connected tenants,
- Enable single sign-on,
- Turn on Conditional Access,
- Plan for routine security improvements,
- Enable password management,
- Enforce multi-factor verification for users,
- Use role-based access control,
- Lower exposure of privileged accounts,
- Control locations where resources are located,
- Use Azure Active Directory for storage authentication.
Azure database security best practices:
When it comes to databases, security is the main concern and top priority.
In the Azure SQL Database you should:
- Set firewall rules, authentication and authorisation mechanisms to limit users.
- For authentication, Azure AD authentication can be used to manage database users identities in one central location.
- You can encrypt the data with FIPS 140-2 validated 256-bit AES encryption which meets industry standards. Cell-level encryption, Row-level Security are other encryption methods that can be used.
- You have to enable database auditing for tracking and logging server-level and database-level events.
By enabling database threat protection you are alerted to potential threats in real-time.
VM and operating systems security best practices:
You should integrate Azure AD authentication for authentication of Linux VM’s.
Here is how to do it:
- You can use Azure customised policies to resource groups. Resources under the resource group will inherit the policies.
- Implement “principle of least privilege” to user’s.
- Use “Azure role-based access control (Azure RBAC)” these are azure inbuilt roles that are applied to users groups that access the VM’s.
- Use the antivirus provided by Microsoft “Microsoft Anti-malware” or partner endpoint eg: Trend Mirco, McAfee, Windows Defender etc.
- Always use “Azure Security Centre” to restrict access to internet facing endpoints. Use Just-in-time (JIT) VM access to lock down inbound traffic to your VM’s.
- Other security tips include enable VM general and security updates, monitor VM performance using Azure Monitor and encrypting virtual hard disk files using Azure Disk Encryption.
Best practices for data protection:
There are two states in which your data can occur i.e data at rest and data in transit. Data at rest include VM Iaas disk encryption with Azure Disk Encryption service (BitLocker feature – you have to encrypt your drives before you use it.) And the other one is Data in Transit, man-in-the-middle attacks, eavesdropping attacks and session hijacking happen when your data is in transit.
To protect and safeguard you data you can use VPN or HTTPS while moving data from on-premises and cloud infrastructures. Azure provide certain services like Azure VPN Gateway, site-to-site VPN, point-to-site VPN, ExpressRoute for safeguarding your moving data. Azure also provides a service called Azure Information Protection which helps in labelling and protecting your emails and documents.
Operational security best practices:
This section is all about features that are used to protect your applications and assets in Azure.
Best practices under operational security:
- Enable Azure Security Center which helps to monitor, detect, prevent and respond to threats.
- Use Azure Storage Analytics for logging, gathering metrics data used for diagnose issues and trace requests of your storage account.
- Azure Sentinel provides automated threat intelligence using security orchestration automated response (SOAR) solution.
- Azure Network Watcher is used to diagnose and visualise at a network level.
As more organisations have migrated to the cloud, a question arises around the security of the infrastructure and the resources. As a result cloud service providers are stepping up with more security services components and models that can reduce cost, complexity and help administrators close the gaps in security. They can be integrated with on-premises and hybrid environments as well. By ensuring you use best practice in Azure, you can protect your infrastructure against potential threats and vulnerabilities.
Other useful links: