As an increasing number of organizations adopt cloud as the target platform for their business critical workloads, securing these workloads has become a top priority. Establishing a well-defined risk management strategy that covers the entire stack—infrastructure, the application layer, and cloud-specific security controls—is the first step in improving your company's cyber hygiene. If you are using the Azure platform for your workloads, Azure’s native security tools are a good starting point.
However, as your organization and workloads mature in the cloud, you’ll also want to build another layer of security through trusted third-party solutions.
Microsoft Azure, like its counterparts AWS and GCP, which we explored previously in the "cloud security - vendor spotlight" blog series, follows a shared responsibility model for security in the cloud. Microsoft is responsible for the security of the underlying platform (physical datacenters, hosts, network fabric and hypervisor), while customers remain responsible for what they put on it: identities and access, data, the configuration of their resources, and the applications themselves. For the customer, this typically requires a combination of native tools and third-party services to close whatever gaps remain. In this blog, we’ll explore five native security tools and services you can use to implement the necessary security controls in Azure.
1. Azure Security Center
Azure Security Center (since renamed Microsoft Defender for Cloud) is the platform’s native cloud security posture management (CSPM) service. It provides centralized infrastructure security management for workloads hosted in Azure as well as on-premises. Connected resources are continuously assessed against a defined set of best practices, and misconfigurations such as open management ports, unencrypted disks or storage accounts reachable from any network are flagged for remediation. Azure PaaS resources are assessed out of the box through Azure Policy; virtual machines additionally need the Log Analytics agent for host-level checks.
Azure Security Center quantifies your overall security posture by assigning a secure score for the resources under your subscription and helps customers prioritize their risk remediation activities in order to improve this score. Some of these remediation activities can be done directly from the Security Center; others may require manual intervention, for which detailed remediation guidance is provided.
Security Center also includes capabilities such as adaptive application controls, which learn an allowlist of known-safe applications for a group of machines; when a process outside that list runs, a security alert is raised (the control audits, it does not block). The service also offers an integrated vulnerability assessment for virtual machines through Azure Defender (powered by Qualys), whose findings surface as Security Center recommendations.
But finding and reporting vulnerabilities is only the first step. Organizations must also decide which findings actually matter and get them fixed, which calls for risk-based remediation tooling for security posture management, especially across heterogeneous multi-cloud environments.
2. Azure Firewall
Azure Firewall is a fully managed, stateful firewall-as-a-service for workloads in an Azure VNet. Delivered as a highly available service that can be deployed across availability zones, it scales with cloud traffic. Rules are organized into collections (NAT, network and application) and can be managed centrally across subscriptions and networks through firewall policies and Azure Firewall Manager, so that only legitimate traffic is allowed.
The firewall’s threat-intelligence-based filtering protects your workloads from traffic to or from known malicious domains and IP addresses, using the Microsoft Threat Intelligence feed, powered by the Intelligent Security Graph. This check runs before any NAT, network or application rule is evaluated and can be set to Off, Alert only (the default) or Alert and deny; for production egress, Alert and deny is the setting you want. Azure Firewall also provides application rules that filter outbound HTTP/HTTPS traffic by FQDN, including wildcards such as *.windowsupdate.com, so that outbound access can be limited to an explicit allowlist with everything else denied.
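To make that evaluation order concrete, here is a small Python model of how one outbound flow is decided, added as an illustration for this post rather than code from Azure or Microsoft: threat intelligence is consulted first, then the application rules in order, and anything left unmatched is denied. The feed entries, the rule collection and the addresses are constructed for the example.

```python
"""Model of the order in which an egress firewall such as Azure Firewall decides
an outbound flow: threat-intelligence match first, then explicit application
(FQDN) rules, then implicit deny.  Added illustration only; the feed entries,
rules and flows below are constructed, not Azure's."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed threat-intelligence feed (stand-in for the Microsoft feed).
THREAT_INTEL_NETS = [ip_network("203.0.113.0/24")]
THREAT_INTEL_FQDNS = {"cnc.example", "bad-updates.example"}


@dataclass(frozen=True)
class AppRule:
    name: str
    source: str            # CIDR the rule applies to
    fqdn_pattern: str      # exact FQDN or wildcard such as *.ubuntu.com
    protocols: frozenset   # e.g. {"http", "https"}
    action: str            # "allow" or "deny"


# Constructed rule collection; evaluated top to bottom, first match wins.
RULES = [
    AppRule("allow-ubuntu-updates", "10.0.1.0/24", "*.ubuntu.com",
            frozenset({"http", "https"}), "allow"),
    AppRule("allow-github", "10.0.1.0/24", "github.com",
            frozenset({"https"}), "allow"),
]


def fqdn_matches(pattern, fqdn):
    """'*.example.com' matches any subdomain but not the apex itself."""
    if pattern.startswith("*."):
        return fqdn.endswith(pattern[1:]) and fqdn != pattern[2:]
    return fqdn == pattern


def evaluate(src_ip, dst_ip, fqdn, protocol, threat_intel_mode="deny"):
    """Return (action, reason) for one outbound flow.

    threat_intel_mode mirrors the Azure Firewall setting: "off", "alert"
    (log and keep evaluating) or "deny" (drop before any rule is consulted).
    """
    src, dst = ip_address(src_ip), ip_address(dst_ip)

    # 1. Threat intelligence is consulted before any rule collection.
    if threat_intel_mode != "off" and (
        any(dst in net for net in THREAT_INTEL_NETS) or fqdn in THREAT_INTEL_FQDNS
    ):
        if threat_intel_mode == "deny":
            return "deny", "threat-intel"
        # "alert": the hit would be logged here, then evaluation continues

    # 2. Explicit application rules, first match wins.
    for rule in RULES:
        if (src in ip_network(rule.source)
                and protocol in rule.protocols
                and fqdn_matches(rule.fqdn_pattern, fqdn)):
            return rule.action, rule.name

    # 3. Nothing matched: implicit deny.
    return "deny", "implicit-deny"


if __name__ == "__main__":
    print(evaluate("10.0.1.5", "198.51.100.10", "archive.ubuntu.com", "https"))  # ('allow', 'allow-ubuntu-updates')
    print(evaluate("10.0.1.5", "203.0.113.7", "archive.ubuntu.com", "https"))    # ('deny', 'threat-intel')
    print(evaluate("10.0.1.5", "198.51.100.10", "ubuntu.com", "https"))          # ('deny', 'implicit-deny')
```

The third call is the detail that catches people out in practice: a wildcard application rule for *.ubuntu.com does not cover the apex domain, so a host that needs both needs both entries.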
3. Azure DDoS Protection
Azure offers always-on DDoS protection for all workloads hosted on the platform. Basic protection is enabled by default at no cost for every Azure public IP address, and customers can opt into DDoS Protection Standard, enabled per VNet, for enhanced protection. Features available only with DDoS Standard include logging, telemetry, alerting, mitigation reports, and cost protection (service credits for resources that scaled out during a documented attack).
DDoS Standard offers native integration and turnkey protection for the public IP addresses attached to resources in an Azure VNet. It mitigates Layer 3 and Layer 4 (volumetric and protocol) attacks, and when combined with Azure Web Application Firewall it covers Layer 7 (application) attacks as well. The service provides detailed attack analytics and mitigation reports that can be used to understand the type and nature of an attack. Azure DDoS Protection delivers mitigation at scale, with the capability to detect and mitigate 60 different types of attacks.
4. Azure Sentinel
Azure Sentinel (since renamed Microsoft Sentinel) is the platform’s native cloud SIEM, capable of ingesting telemetry from multiple sources for analysis and threat detection. The data sources can be Azure resources, workloads hosted in other cloud platforms, or on-premises systems. Multiple connectors are available for streaming the telemetry, provided by Microsoft, by third-party ISVs and SIs, or by the community. Sentinel thus provides a single centralized repository for telemetry data and threat intelligence. For example, the Microsoft-provided Amazon Web Services connector streams AWS CloudTrail management events into Sentinel, so API calls made against AWS accounts can be correlated with Azure sign-in and activity logs in the same workspace.
In addition to being a SIEM, Azure Sentinel ships with security orchestration, automation and response (SOAR) capabilities out of the box. Customers can use automation rules and playbooks to respond to identified threats; the playbooks are Azure Logic Apps workflows, triggered when an incident or alert is created, that can for example isolate a host, disable an account or open a ticket. Sentinel also comes with built-in hunting queries, written in Kusto Query Language (KQL), to surface anomalies in log data, and security analysts can write custom KQL queries from the Azure portal and promote them to scheduled analytics rules for tailored detection.
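As an added illustration (not Sentinel’s own code and not a Microsoft-supplied query), the following Python implements the kind of hunting logic an analyst would normally write in KQL over the CloudTrail table once the AWS connector is streaming: a source IP that fails ConsoleLogin several times inside a short window and then succeeds. The CloudTrail records are constructed and carry only the fields the logic needs; the threshold and window are assumptions to tune for your environment.

```python
"""Hunting logic for a brute-force-then-success pattern in AWS CloudTrail
ConsoleLogin events, written in plain Python so it runs offline.  Added
example; the records below are constructed and carry only the fields used."""
import json
from collections import defaultdict
from datetime import datetime, timedelta


def _ct(ts, ip, user, outcome, event="ConsoleLogin", identity_type="IAMUser"):
    """Build one constructed CloudTrail-style record as a JSON line."""
    rec = {"eventTime": ts, "eventName": event, "sourceIPAddress": ip,
           "userIdentity": {"type": identity_type, "userName": user}}
    if event == "ConsoleLogin":
        rec["responseElements"] = {"ConsoleLogin": outcome}
    return json.dumps(rec)


# Constructed sample: 198.51.100.23 fails three times and then gets in as alice;
# the other addresses fail too few times, or too long before succeeding.
SAMPLE_EVENTS = [
    _ct("2021-05-03T10:00:05Z", "198.51.100.23", "alice", "Failure"),
    _ct("2021-05-03T10:00:40Z", "198.51.100.23", "alice", "Failure"),
    _ct("2021-05-03T10:01:10Z", "198.51.100.23", "admin", "Failure"),
    _ct("2021-05-03T10:02:00Z", "198.51.100.23", "alice", "Success"),
    _ct("2021-05-03T10:00:30Z", "203.0.113.9", "bob", "Failure"),
    _ct("2021-05-03T10:00:50Z", "203.0.113.9", "bob", "Success"),
    _ct("2021-05-03T09:00:00Z", "192.0.2.50", "carol", "Failure"),
    _ct("2021-05-03T09:01:00Z", "192.0.2.50", "carol", "Failure"),
    _ct("2021-05-03T09:02:00Z", "192.0.2.50", "carol", "Failure"),
    _ct("2021-05-03T09:30:00Z", "192.0.2.50", "carol", "Success"),
    _ct("2021-05-03T10:05:00Z", "198.51.100.23", "alice", None, event="DescribeInstances"),
]


def parse_events(lines):
    """Parse JSON lines into dicts with a parsed timestamp, sorted by time."""
    events = []
    for line in lines:
        rec = json.loads(line)
        rec["_ts"] = datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return sorted(events, key=lambda r: r["_ts"])


def find_bruteforce_logins(events, threshold=3, window=timedelta(minutes=10)):
    """Flag a successful ConsoleLogin preceded by >= threshold failures from
    the same source IP inside `window`.  Threshold and window are assumptions."""
    recent_failures = defaultdict(list)   # sourceIPAddress -> failure timestamps
    incidents = []
    for rec in events:
        if rec.get("eventName") != "ConsoleLogin":
            continue
        ip = rec["sourceIPAddress"]
        outcome = rec.get("responseElements", {}).get("ConsoleLogin")
        # Slide the window: forget failures older than `window`.
        recent_failures[ip] = [t for t in recent_failures[ip] if rec["_ts"] - t <= window]
        if outcome == "Failure":
            recent_failures[ip].append(rec["_ts"])
        elif outcome == "Success" and len(recent_failures[ip]) >= threshold:
            identity = rec.get("userIdentity", {})
            incidents.append({
                "sourceIPAddress": ip,
                "userName": identity.get("userName"),
                "failedAttempts": len(recent_failures[ip]),
                "successAt": rec["eventTime"],
                # A root login after brute force outranks an IAM user in triage.
                "severity": "High" if identity.get("type") == "Root" else "Medium",
            })
            recent_failures[ip].clear()
    return incidents


if __name__ == "__main__":
    for incident in find_bruteforce_logins(parse_events(SAMPLE_EVENTS)):
        print(incident)   # one incident, for 198.51.100.23 / alice
```

The severity field is the hook for an automation rule: in Sentinel the equivalent scheduled analytics rule would set severity the same way, and a playbook bound to High-severity incidents would then, say, disable the account and open a ticket without an analyst in the loop.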
5. Azure Web Application Firewall (WAF)
Azure Web Application Firewall (WAF) protects web applications from common web attack patterns, including attempts to exploit vulnerabilities that slipped through development and testing. Because the rules are applied centrally at the edge, a newly published rule update takes effect for every application behind the WAF at once, without administrators having to touch each application. This is a compensating control, not a substitute for fixing the application: a WAF matches on request patterns, so a vulnerability remains exploitable by any payload the rules do not describe.
The prebuilt WAF rules cover attack classes such as SQL injection, cross-site scripting (XSS), PHP injection, and remote command execution. WAF can be enabled on the popular Azure frontend services Application Gateway and Azure Front Door, and on Azure CDN (in preview). WAF for Application Gateway is based on the OWASP ModSecurity Core Rule Set (CRS), and new rule set versions are delivered by Microsoft without manual intervention. A WAF policy runs in either Detection mode, which only logs matches, or Prevention mode, which blocks them; run a new policy in Detection mode first and review the logs, because CRS rules do produce false positives on legitimate traffic, and tune or exclude rules before switching to Prevention.
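The following Python example, added here and not taken from Azure WAF or the CRS project, shows in miniature what a CRS-style rule does and why it is only a compensating control: the raw request value is first normalized (URL-decoded, lowercased, SQL comments stripped, whitespace compressed) and only then matched against a signature, so an encoded or comment-obfuscated payload is caught, while a payload the signature simply does not describe still reaches the application. The signature names, patterns and payloads are constructed for the example.

```python
"""Miniature of a CRS-style WAF rule: normalize the request value, then match a
signature.  Added example; the signature names, patterns and payloads are
constructed and are not the real OWASP Core Rule Set."""
import re
from urllib.parse import unquote_plus

# Constructed signatures in the spirit of the CRS SQLi and XSS rule groups.
SIGNATURES = {
    "sqli-basic": re.compile(r"\b(union\s+select|or\s+1=1|sleep\s*\()", re.I),
    "xss-basic": re.compile(r"<script\b|javascript:|\bon\w+\s*=", re.I),
}


def normalize(value):
    """Transformation chain comparable to CRS t:urlDecodeUni, t:lowercase,
    t:removeComments, t:compressWhitespace.  Decoding runs twice so a
    double-encoded %2527 still becomes a quote."""
    decoded = value
    for _ in range(2):
        decoded = unquote_plus(decoded)
    decoded = decoded.lower()
    decoded = re.sub(r"/\*.*?\*/", "", decoded)   # strip inline SQL comments
    return re.sub(r"\s+", " ", decoded)            # compress whitespace


def inspect(value, normalize_first=True):
    """Names of the signatures matching one parameter value."""
    subject = normalize(value) if normalize_first else value
    return [name for name, rx in SIGNATURES.items() if rx.search(subject)]


def decide(request_args, mode="Prevention"):
    """Evaluate a request's query parameters.  Like an Azure WAF policy,
    Detection mode only records matches while Prevention mode blocks."""
    hits = {}
    for param, value in request_args.items():
        matched = inspect(value)
        if matched:
            hits[param] = matched
    if not hits:
        return "allow", hits
    return ("block" if mode == "Prevention" else "allow"), hits


if __name__ == "__main__":
    obfuscated = "1%27%20UNI%2F%2A%2A%2FON%20SEL%2F%2A%2A%2FECT%20password%20FROM%20users"
    print(inspect(obfuscated, normalize_first=False))   # []  raw matching misses it
    print(inspect(obfuscated))                          # ['sqli-basic']
    print(inspect("1' || 1=1"))                         # []  not in the signature: reaches the app
    print(decide({"id": obfuscated}, mode="Detection"))  # ('allow', {'id': ['sqli-basic']})
    print(decide({"id": obfuscated}))                    # ('block', {'id': ['sqli-basic']})
```

The last inspect call is the caveat in one line: `1' || 1=1` is a perfectly good injection against many databases and these signatures never see it. Parameterized queries fix that in the application; the WAF only buys time.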
Augmenting your Azure security tools with third-party integrations
Traditional risk management processes lack the detection capabilities required to secure cloud workloads, especially as more sophisticated attack patterns emerge in the cloud. As one of the most popular cloud platforms, Azure has become a prime target for attackers. If your organization is hosting business applications in Azure, you’ll need to go beyond periodic scanning and implement end-to-end risk management in the cloud. This involves not only detection of vulnerabilities, but also prioritizing them and automating the remediation process.
Native cloud tools are a good place to start, but implementing an additional layer of security through a risk-based cyber security solution is also recommended, especially when managing heterogeneous multi-cloud environments. The Vulcan Cyber® Risk Remediation Platform is an end-to-end solution that handles the entire risk lifecycle, from scan to fix.
Using automated processes, the Vulcan Azure connector inventories your Azure resources and drives remediation of the vulnerabilities found on them. Getting started with the connector is straightforward: register an Azure AD application and grant it the built-in Reader role on the target subscription (read-only access is all the connector needs for inventory, so do not grant a broader role), then use the application (client) ID and a client secret to configure the Vulcan connector so it can receive asset information from Azure and identify the associated vulnerabilities. Treat that client secret like any other credential: keep it in a secrets manager rather than in a wiki, and set an expiry so it gets rotated.
Vulcan Cyber gives you a holistic, single-pane view of your cloud asset security posture, no matter where your workloads are deployed. Its contextual organization-centric prioritization approach relies on correlation data and threat intelligence from various connected sources. It also offers integrations with popular ticketing tools like Jira as well as configuration management tools like Chef, Ansible, and Ivanti for automated remediation and end-to-end risk management. In addition, the platform reporting capabilities allow you to analyze and fine-tune your risk remediation process.