As cyber risks and attacks in the cloud increase, integrating security into your cloud blueprints from day one has become non-negotiable. This is true especially of Azure, widely used globally for cloud environments. The shared responsibility model in cloud computing assumes that customers will implement the required security guardrails provided by the platform or by third-party services to secure cloud deployments.
Key statistic: Microsoft Azure’s market share has risen to 23%, marking a 2% growth from its average market share of 21% observed across the previous four quarters. Together, the top three cloud service providers—Amazon, Microsoft, and Google—now command 66% of the worldwide cloud market. (AAG)
Identification and implementation of the right security controls for each cloud resource play an important role in this journey. There are certain basic controls that all customers can adopt to reduce the attack surface, irrespective of the scale of the environment.
In this article, we explore some of the basic security measures you can implement to secure Azure environments.
Azure Policy is a native capability in Azure that can help standardize the security controls of your cloud environment. The always-on nature of Azure Policy ensures that proper governance controls are in place to guarantee resource consistency. Along with other operational aspects like restricting the type and location of resources, Azure Policy can also be used to implement a variety of security controls. For example, you can ensure that certain services like Microsoft Defender, centralized logging, and Azure Monitor are configured.
Some of the controls you might want to consider include:
- Using policy definitions to ensure threat protection through Azure Defender is enabled for SQL servers and managed SQL databases as well as other open-source databases.
- Specifying parameters for certificates in your key vault, such as the maximum validity period or the allowed key types.
- Setting the Azure Monitor security and audit module to be enabled by default using Azure Policy.
Azure provides a set of built-in policies with similar security and operational controls that can be enabled in just a few easy steps. Customers also have the flexibility to build custom policies to fine-tune the process.
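To make the "if/then" structure of a policy definition concrete, here is an added example (not code from the article or from Microsoft): a small evaluator for a subset of the Azure Policy rule language, run against a constructed custom "deny" definition that restricts resource location and rejects storage accounts that accept plain HTTP. The alias handling is a simplification for illustration; the real Azure Policy engine resolves aliases from the resource provider schema.

```python
# Added example (not from the article): a minimal evaluator for the Azure Policy rule
# language (allOf/anyOf/not, field equals/notEquals/in), run against a constructed custom
# "deny" definition. Alias resolution is simplified; the real engine is more complete.
import re

POLICY = {"properties": {
    "displayName": "Deny resources outside allowed regions and non-HTTPS storage",
    "mode": "Indexed",
    "parameters": {"allowedLocations": {"type": "Array",
                                        "defaultValue": ["westeurope", "northeurope"]}},
    "policyRule": {
        "if": {"anyOf": [
            {"not": {"field": "location", "in": "[parameters('allowedLocations')]"}},
            {"allOf": [
                {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
                {"field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
                 "notEquals": "true"}]}]},
        "then": {"effect": "deny"}}}}

def _field(resource, name):
    # "type"/"location" come from the resource itself; an alias "<type>/<property>"
    # is mapped to resource.properties.<property> (simplified alias handling).
    if "/" not in name:
        return resource.get(name)
    return resource.get("properties", {}).get(name.rsplit("/", 1)[1])

def _param(value, params):
    m = re.fullmatch(r"\[parameters\('(\w+)'\)\]", str(value))
    return params[m.group(1)] if m else value

def _norm(v):
    # Azure Policy string comparisons are case-insensitive; booleans compare as text.
    return str(v).lower() if isinstance(v, (str, bool)) else v

def matches(cond, resource, params):
    if "allOf" in cond: return all(matches(c, resource, params) for c in cond["allOf"])
    if "anyOf" in cond: return any(matches(c, resource, params) for c in cond["anyOf"])
    if "not" in cond: return not matches(cond["not"], resource, params)
    actual = _norm(_field(resource, cond["field"]))
    if "equals" in cond: return actual == _norm(_param(cond["equals"], params))
    if "notEquals" in cond: return actual != _norm(_param(cond["notEquals"], params))
    if "in" in cond: return actual in [_norm(x) for x in _param(cond["in"], params)]
    raise ValueError(f"unsupported condition: {cond}")

def evaluate(policy, resource):
    """Return the effect ("deny") when the rule matches the resource, else "allow"."""
    props = policy["properties"]
    params = {k: v["defaultValue"] for k, v in props.get("parameters", {}).items()}
    rule = props["policyRule"]
    return rule["then"]["effect"] if matches(rule["if"], resource, params) else "allow"
```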
Azure role-based access control (RBAC) helps implement the principle of least privilege for Azure users and administrators. Through Azure AD and RBAC, Azure offers a centralized identity management solution that helps manage user access at scale. Built on Azure Resource Manager, Azure RBAC aids in the implementation of fine-grained access control for Azure resources.
Azure RBAC provides multiple built-in roles with predefined role definitions that allow users assigned to a role to perform certain tasks. For example, the “Monitoring Reader” role enables you to read logs, metrics, and more, while the “Monitoring Contributor” role assists with editing monitoring settings. One of the built-in roles can be assigned to a user depending on the level of permissions required. Alternatively, you can create custom roles if the permissions of the available built-in roles are too broad.
Implementing risk-based access policies allows you to tighten security settings further. Risk conditions can be configured to identify sign-in risks and auto-remediate them using steps like a secure password change or multi-factor authentication.
Zero-trust strategy, a recommended security best practice, should be implemented across your network to help contain cyber attacks. The zero-trust model is based on the identities of applications, devices, or users and helps enforce access control. This will help augment other security restrictions implemented based on IP addresses, port numbers, and protocols.
Network security groups (NSGs) help implement traffic restrictions at Layers 3 and 4 between resources connected to Azure virtual networks and the internet. Implementing NSGs is a quick and easy way to segment network traffic based on the required application flow. To add another layer of security, you can use application security groups (ASGs) by grouping virtual machines under an application context and then applying traffic rules to them.
To monitor the traffic flowing through NSGs and detect any unauthorized access attempts, leveraging the NSG Flow logs feature in Azure Network Watcher is recommended.
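As an added example (not code from the article or from Azure Network Watcher), the following parses NSG flow log version 2 records and counts denied inbound flows per source address and destination port, which is the quickest way to spot repeated unauthorized access attempts in this data. The records, MAC address and IP addresses are constructed sample data; TEST-NET addresses stand in for internet sources, so "public" is defined as "not RFC 1918" rather than through the ipaddress module's special-purpose classification.

```python
# Added example (not from the article): flatten NSG flow log v2 records and count denied
# inbound flows per (source, destination port). Records, MAC and addresses are constructed;
# TEST-NET addresses stand in for internet sources, so "public" here means "not RFC 1918".
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

SAMPLE_RECORDS = [{
    "resourceId": "/SUBSCRIPTIONS/<sub>/RESOURCEGROUPS/RG1/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/NSG-WEB",
    "properties": {"Version": 2, "flows": [
        {"rule": "DefaultRule_DenyAllInBound", "flows": [{"mac": "000D3AF87856", "flowTuples": [
            "1704873600,203.0.113.7,10.5.16.4,51234,22,T,I,D,B,,,,",
            "1704873601,203.0.113.7,10.5.16.4,51235,3389,T,I,D,B,,,,",
            "1704873602,198.51.100.9,10.5.16.4,40000,22,T,I,D,B,,,,"]}]},
        {"rule": "UserRule_allow-https", "flows": [{"mac": "000D3AF87856", "flowTuples": [
            "1704873603,198.51.100.20,10.5.16.4,44321,443,T,I,A,B,12,3400,10,9800"]}]},
        {"rule": "DefaultRule_AllowVnetOutBound", "flows": [{"mac": "000D3AF87856", "flowTuples": [
            "1704873604,10.5.16.4,10.5.17.8,50001,1433,T,O,A,E,20,4000,18,6000"]}]},
    ]},
}]
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int
    direction: str  # I = inbound, O = outbound
    decision: str   # A = allowed, D = denied
    rule: str       # NSG rule that made the decision

def parse_flow_logs(records):
    """Flatten v2 records into Flow objects; v1 records (8-field tuples) are skipped."""
    flows = []
    for rec in (r for r in records if r["properties"].get("Version") == 2):
        for rule in rec["properties"]["flows"]:
            for nic in rule["flows"]:
                for tup in nic["flowTuples"]:
                    # tuple: ts,src,dst,srcPort,dstPort,proto,dir,decision,state,pkts/bytes...
                    p = tup.split(",")
                    flows.append(Flow(p[1], p[2], int(p[4]), p[6], p[7], rule["rule"]))
    return flows

def denied_inbound_from_internet(flows):
    """Count denied inbound flows per (source IP, destination port) from non-RFC1918 sources."""
    hits = Counter()
    for fl in flows:
        if fl.direction == "I" and fl.decision == "D" and not any(ip_address(fl.src) in n for n in RFC1918):
            hits[(fl.src, fl.dst_port)] += 1
    return hits
```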
Inbound/outbound internet access
Inbound/outbound access to the internet from virtual machines, if not secured, is one of the most common entry points for security threats. By default, outbound internet access from VMs is permissive. Disabling this default access and routing traffic through services like NAT gateway, firewalls, or load balancers is therefore recommended.
Native security tools like Azure Web Application Firewall (WAF), Azure Firewall, and Azure Front Door can be configured based on application requirements to act as the frontend, without exposing the VM directly to the internet. While using Azure Firewall, applications with similar inbound/outbound network access requirements across regions and subscriptions can be managed together using IP groups to ensure consistency. If you are using any of the Azure platform-as-a-service (PaaS) resources, assigning a service tag and creating a user-defined route (UDR) to securely manage the outbound traffic is recommended.
Privileged access control
Identity is considered the new security perimeter, as compromised accounts enable attackers to move laterally through an environment. The risk is higher for accounts with privileged access, mainly administrator accounts, which can make irreversible changes to your Azure resources. Creating a roadmap for securing such privileged accounts is therefore recommended.
Azure AD Privileged Identity Management (PIM) allows you to identify high-risk roles and manage their access in your production environments. Multi-factor authentication should be mandatory for users holding Azure AD administrator roles. You can also implement a password-change policy that requires all administrators to rotate their passwords within a certain time period. Privileged access can also be made time-bound through just-in-time (JIT) access.
Organizations can leverage identity protection capabilities available in Azure that condense the knowledge Microsoft has acquired over the years through threat signal analysis and protection. Azure has native capabilities that automate the identification and remediation of identity risks through risk policies. These risks can then be investigated further using inbuilt security reports or exported to other SIEM tools to trace the source of an attack vector.
For comprehensive protection, data should be encrypted both at rest and in transit. Azure provides multiple built-in encryption mechanisms to meet this requirement.
For data stored in Azure storage or disk, you can opt for encryption using platform-managed or customer-managed encryption keys. Azure Key Vault is FIPS-140-2-validated for safe storage and management of encryption keys. You should select the key management option based on your applications’ security requirements. For example, if you have bring-your-own-key (BYOK) requirements or need a dedicated HSM for storing keys, you can use the Azure Dedicated HSM service.
For data encryption in transit, you can use RDP sessions protected by TLS for Windows machines, SSH access to Linux VMs, and hybrid connectivity encryption over VPN and HTTPS connections for data lake storage.
Logging and auditing
Logs provide a wealth of information about any anomalies in your Azure environment. These logs can be either control plane or data plane. Control-plane logs provide visibility into the administration activities done on a resource. Azure activity logs capture this information as they track all create, update, or delete operations on Azure resources. This data can be analyzed to identify anomalies or suspicious access patterns. For data-plane logs, you can use Azure Monitor to capture diagnostics logs of specific Azure resources.
Events in Azure Active Directory related to user/group/application/license changes are captured in Azure AD audit logs. They provide important insights into the security status of your Azure AD tenant, like details of sign-ins, resource usage, or account provisioning. These logs should be monitored to ensure that only authorized users can access Azure resources.
Microsoft Defender for Cloud is a native cloud security posture management service in Azure and a one-stop solution for analyzing security threats across hybrid and Azure cloud deployments. It conducts vulnerability assessments to evaluate your security posture, reporting on findings that require remediation. Reviewing and remediating the findings from Microsoft Defender for Cloud is one of the easiest ways to quickly secure your Azure environment.
While deploying applications in IaaS or PaaS models, customers are responsible for ensuring application-layer security. This includes the security of application endpoints, user access control, application code, network security, and so on. To protect applications exposed to the internet, you can use Azure Web Application Firewall on Application Gateway, which provides protection based on the OWASP core rule sets.
You should use RBAC to assign user permissions to access applications, aligned with the principle of least privilege. Key Vault helps secure keys and secrets used in your applications. You can protect application service environments that are integrated with virtual networks through NSGs. Continuous monitoring of logs generated by applications both at data and control planes through native Azure logging and services like Azure Defender for Cloud will help further strengthen application security.
Secure Azure environments with Vulcan Cyber
As the cloud threat landscape evolves, augmenting native Azure security capabilities with specialized tools has become necessary. Threat detection, prioritization, and mitigation processes must be fast, efficient, and automated as much as possible.
The Vulcan Cyber® risk management platform offers end-to-end management of the risk lifecycle, complementing and enhancing your native Azure security tools. The Vulcan Azure connector collects an inventory of Azure resources and detects vulnerabilities.
Whether your workloads are hosted in Azure, on-premises, or on any other cloud platform, Vulcan provides centralized visibility and contextual information about your threat landscape, helping you prioritize the impact of vulnerabilities in the context of your environment.