Since the world is moving towards digitization, cloud and cloud security have started playing a very important role in our lives. We use cloud technology almost every day especially when we use Google Drive, Dropbox, OneDrive or any similar storage media.
Similarly, organisations have the option to use Microsoft Active Directory in the cloud (namely Azure Active Directory) and to deploy servers, workstations and/or applications in the cloud, and people use online password managers that store their passwords in the cloud in encrypted form. Almost everyone therefore uses cloud technology in some way or another.
The present leader in cloud technology is Amazon with its Amazon Web Services (AWS), but Microsoft's cloud technology, i.e. Microsoft Azure, is not far behind.
Since people and organisations have started adopting cloud technology as the new norm, it is extremely important to have a security focused mindset before implementing or using cloud technology.
In this article, we'll discuss some Azure security best practices to keep in mind when deploying an application on Azure.
What is Azure?
Azure is Microsoft’s cloud computing platform and infrastructure. By leveraging Azure, your business can reduce costs through efficient technology usage while increasing productivity by having access to a robust set of tools that allow you to build new products or innovate at a faster pace than ever before.
Microsoft Azure is the second-largest cloud service provider, serving millions of users, applications and integrations. It offers more than 200 products to its customers.
Microsoft Azure maintains and manages the hardware, infrastructure and resources that it provides to its customers on a free or rental basis, and supports many scripting and programming languages, tools, etc., offered both by Microsoft and by third parties.
What services are offered by Microsoft Azure?
Microsoft Azure offers a wide range of cloud services that can be utilised for various projects. It's important to note that not all the different types of Microsoft Azure services have an SLA (service level agreement). While most customers understand what is covered by an SLA, some customers are surprised when they're billed for Azure service availability issues.
Microsoft Azure offers a Service Level Agreement (SLA) to help protect you against potential billing or usage charge increases in the event of an impact on your ability to use its services that is not planned or expected by either Microsoft or your users. It offers over 6000 services, which can be categorised into 4 main types:
1. Platform as a Service (PaaS)
Platform as a Service (or simply PaaS) is a service offered by cloud technology service providers to consumers that allows them to deploy, run and manage computing resources or applications without going through the hassle of building them up from scratch.
2. Software as a Service (SaaS)
Software as a Service (or SaaS) is another service offered by cloud service providers that allows customers and consumers to deploy and use applications over the internet without going through the entire installation and licensing procedures.
SaaS is also known as “on-demand software.”
3. Infrastructure as a Service (IaaS)
Infrastructure as a Service (IaaS) is a pay-as-you-go service offered by cloud technology service providers that provides computing, storage and networking resources on demand. The cloud service provider manages and maintains all the necessary hardware and is responsible for any troubleshooting or failure of any resource at any point.
Comparison between Platform (PaaS), Software (SaaS) and Infrastructure (IaaS) as a Service
4. Serverless
Serverless computing is another service provided by cloud service providers which also follows a pay-as-you-go model, meaning that the cloud service provider handles all the resources a user wants and allots memory, computational resources, etc. as per the user's needs. When an application is not in use, no cloud resources are being utilised either.
Azure security best practices
Prior to deploying any application, server or data centre on Azure, it is important to know and understand the security risks, Azure security implications and concerns regarding cloud technology, as the saying goes: "Cloud is just somebody else's computer."
With the rapid evolution of cloud technology, the threat landscape has also grown considerably, but with careful preparation and an Azure security focused mindset, organisations can protect their cloud infrastructure from an attempted or potential breach.
Azure security best practices revolve around four fundamental elements, namely:
The weakest link in any organisation is the human being. People are very easy to manipulate. They easily fall victim to a social engineering or phishing campaign, and hence human beings are the most exploitable vulnerability in any organisation. Therefore, it is extremely important and necessary to educate the people and the team members about cloud operations and their security concerns.
Educate the organisational teams about the processes running in the cloud. Establish incident management and response teams and update incident response processes for the cloud. Assign accountability for security decisions, and establish overall Azure security posture management.
Cloud service providers also provide their consumers with security technology so that customers can establish security up to a certain extent. Making use of that technology is a good way to start implementing security in the cloud.
For example, ensure that multi-factor authentication is enabled for each user in the cloud, integrate firewalls and other network security tools and solutions, and implement a native threat detection solution.
Similarly, standardise on a single Azure Active Directory and identity. Make use of identity and access management solutions and enforce identity-based access controls instead of key-based access controls, because while key-based authentication can be used to sign in to various cloud services and applications, the challenge is to keep those keys secure.
Identity-based authentication overcomes many of these challenges with mature capabilities for secret rotation, lifecycle management, administrative delegation, etc.
Microsoft Azure security best practices checklist
1. Educate teams about the cloud security journey
The first and primary security best practice that every organisation must follow is having an appropriate network security culture and awareness among the individuals who directly or indirectly interact with your Azure cloud environment.
In addition, it is essential to impart knowledge around the shared responsibility of the cloud within your organisation, so your employees and teams are aware of the due diligence required from them.
Similarly, every member of staff must be aware of and educated about the latest attack trends and threats, and prepared to resist and report them at the earliest opportunity should they come across any identical or similar attack.
2. Educate teams on cloud security technology
Once your employees and teams have enough cyber security knowledge, it is time to educate them on cloud security services, best practices, controls, architecture, etc. For example, your team must know how the cloud works, how to set permissions to limit unauthorised access, where the logs are, where the firewall is, where the storage is, how the services and other integrated technology must be securely configured, etc.
In order to enable your team to deliver the right work with an appropriate countermeasure, it is important that you train them and help them learn cloud security technology.
3. Assign accountability for cloud security decisions
Your cloud environment comprises multiple elements that need security attention, and without the relevant individuals and informed decisions, securing them is not possible.
So, you must align your team according to their expertise and roles to make informed decisions around cloud technology and security.
For example, for each category of security, such as network security, policy management or network management, choose leaders and designate their roles and responsibilities. This will not only speed up your cloud adoption but also create a transparent path for every activity.
In addition, it aligns the business goals, developer timelines and quality controls with the security assurance, which makes it possible to categorise deployments and approvals as secure or insecure.
4. Update Incident Response (IR) processes for cloud
It is often said that no organisation is immune to cyber attacks, but with simulated attacks and multiple attack scenarios, organisations can prepare themselves to combat them. An updated incident response plan is one of the advanced security best practices that significantly helps businesses hold their ground during a cyber incident or investigation.
You can prepare your incident response plan by assuming what kind of attack you could face. For example, if you face an ABC attack, what type of tools would be needed, what data or systems could be affected by the attack, how would it affect the business, etc.
By answering all these questions and planning the response accordingly, you can readily document your plan. Furthermore, with documented processes to remediate the launched attack, businesses can greatly reduce the damage caused by the attack.
5. Establish security posture management
We are all aware that the current era is one of constant change. We have a diverse technological landscape; new features arrive every so often, some become obsolete, some need upgrades, and some require patches. Amidst all these constant changes, you need to keep up with every modification and addition.
To cope with all the modification and remediation tasks, you must establish a team that can keep track of all the changes and appropriately mitigate the risks associated with all activities.
6. Require Passwordless or Multi-Factor Authentication
Alongside people, security education and security processes, technical security controls are equally important. The cloud environment is one sign-in away. Your security controls can restrict unauthorised access from other cloud resources to a degree, but access coming from stolen or leaked credentials cannot be blocked unless you have multi-factor authentication or passwordless security controls to verify and authenticate the access.
Passwordless is more robust than MFA, but since passwordless is not applicable everywhere, you can choose whichever is more likely to be compatible with your environment.
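The point above is that a stolen password only matters if it can actually sign in alone, so a useful control check is to look for successful sign-ins that completed with a single factor. The following is an added example, not code from the article or a Microsoft tool. The field names (authenticationRequirement, conditionalAccessStatus, status.errorCode) follow the Microsoft Graph sign-in log schema; the records themselves are constructed sample data.

```python
"""Flag successful Azure AD sign-ins that completed with a single factor.

Added example for this article; not the article's own code or Microsoft's.
Field names follow the Microsoft Graph signIn resource; the records below
are constructed sample data, not output from a real tenant.
"""
import json
from collections import Counter

# Constructed sample sign-in records, one JSON object per line (JSON Lines).
SAMPLE_SIGNIN_LOG = """
{"userPrincipalName": "alice@example.com", "appDisplayName": "Azure Portal", "ipAddress": "203.0.113.10", "status": {"errorCode": 0}, "authenticationRequirement": "multiFactorAuthentication", "conditionalAccessStatus": "success"}
{"userPrincipalName": "bob@example.com", "appDisplayName": "Azure Portal", "ipAddress": "198.51.100.7", "status": {"errorCode": 0}, "authenticationRequirement": "singleFactorAuthentication", "conditionalAccessStatus": "notApplied"}
{"userPrincipalName": "carol@example.com", "appDisplayName": "Office 365 Exchange Online", "ipAddress": "192.0.2.44", "status": {"errorCode": 50126}, "authenticationRequirement": "singleFactorAuthentication", "conditionalAccessStatus": "notApplied"}
{"userPrincipalName": "svc-deploy@example.com", "appDisplayName": "Azure Portal", "ipAddress": "198.51.100.7", "status": {"errorCode": 0}, "authenticationRequirement": "singleFactorAuthentication", "conditionalAccessStatus": "notApplied"}
"""


def parse_signins(raw):
    """Parse JSON Lines text into a list of sign-in dicts; blank lines are skipped."""
    return [json.loads(line) for line in raw.splitlines() if line.strip()]


def single_factor_successes(records):
    """Return sign-ins that succeeded (errorCode 0) without a second factor.

    Failed single-factor attempts (non-zero errorCode) are deliberately left
    out: the risk described in the article is a stolen password that gets in.
    """
    return [
        r for r in records
        if r.get("status", {}).get("errorCode") == 0
        and r.get("authenticationRequirement") == "singleFactorAuthentication"
    ]


def summarize_by_user(findings):
    """Count single-factor successes per user so that repeat offenders, or
    service accounts that cannot complete MFA, stand out for remediation."""
    return Counter(r["userPrincipalName"] for r in findings)


if __name__ == "__main__":
    findings = single_factor_successes(parse_signins(SAMPLE_SIGNIN_LOG))
    for r in findings:
        print(f"{r['userPrincipalName']:<26} {r['appDisplayName']:<16} {r['ipAddress']:<16} no MFA")
    print(dict(summarize_by_user(findings)))
```

Running it against the constructed log reports bob and the svc-deploy account but not carol, whose single-factor attempt failed; the per-user count is what you would hand to whoever owns Conditional Access to decide between enforcing MFA and moving the account to a passwordless or managed-identity flow.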
7. Integrate native firewall and network security
The cyber attack arena is vast and comprises known and unknown attack vectors. Unknown attack vectors are relatively new and often challenging to distinguish and restrict in the first place. However, you can always look for known attack vectors and their patterns and restrict them from entering your environment.
Misconfiguration, human error and common attacks like DDoS are easily preventable through network security solutions, firewalls and WAFs, which Azure also offers. You can easily integrate them into your virtual network security strategy to mitigate these risks.
8. Integrate native threat detection
Early detection leads to an early response, and this is what you need for solid security. By integrating a threat detection solution into your cloud environment, you can readily reduce the impact of attackers accessing your environment. In addition, by measuring the mean time to acknowledge, respond and remediate, you can also improve your threat detection and incident response capabilities.
9. Standardize on a single directory and identity
Having multiple identities and directories can create a lot of confusion among users. It also opens up security loopholes, for example the reuse of the same password across different accounts.
Hence having a single identity across the entire organisational network, and using a single Azure Active Directory service to manage that identity, is the best approach when moving to cloud technology.
10. Use identity-based access control (instead of keys)
Use role-based and identity-based access control instead of keys for authentication. Keys are a good and possibly more secure means of authenticating to applications and services in the cloud, but they open up a whole new challenge of keeping those keys private and safe. As the organisation grows, this challenge becomes more difficult. A simple Google or GitHub dorking search shows a bunch of secret keys exposed on the internet.
Therefore, using identity-based access controls and implementing ACLs with the Principle of Least Privilege in mind is the absolute go-to option.
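The exposed-keys problem described above is one a repository or pipeline scanner can catch before a commit lands. The following is an added example, not the article's own code or a Microsoft tool: it recognises the two well-known shapes of Azure storage credentials, a connection string carrying an 88-character base64 AccountKey and a shared access signature (a query string with sv= and sig=), and it leaves a file that authenticates with an identity (DefaultAzureCredential, i.e. managed identity or a signed-in user) alone. The sample files and the key value are constructed.

```python
"""Scan source/config text for Azure storage account keys and SAS tokens.

Added example for this article, not the article's own code or a Microsoft
tool. Storage account keys are 64 random bytes, so base64 gives 86 chars
plus '==' padding; SAS tokens always carry sv= (service version) and sig=.
The files scanned below are constructed samples.
"""
import base64
import re

# Constructed 64-byte value that base64-encodes to the 88-char shape of an
# account key. It is not a real key.
_FAKE_KEY = base64.b64encode((b"constructed-sample-key-" * 3)[:64]).decode()

# Constructed sample files: one hard-codes credentials, the other uses identity.
SAMPLE_FILES = {
    "settings.py": (
        "BLOB_CONN = (\n"
        f'    "DefaultEndpointsProtocol=https;AccountName=examplestore;AccountKey={_FAKE_KEY};EndpointSuffix=core.windows.net"\n'
        ")\n"
        'BACKUP_URL = "https://examplestore.blob.core.windows.net/backups?sv=2022-11-02&ss=b&srt=sco&sp=rwl&se=2030-01-01T00%3A00%3A00Z&sig=c0nstructedS1gnatureValue%2Fabc123%3D"\n'
    ),
    "storage_client.py": (
        "from azure.identity import DefaultAzureCredential\n"
        "from azure.storage.blob import BlobServiceClient\n"
        "client = BlobServiceClient('https://examplestore.blob.core.windows.net', credential=DefaultAzureCredential())\n"
    ),
}

KEY_RE = re.compile(r"AccountKey=([A-Za-z0-9+/]{86}==)")
SIG_RE = re.compile(r"sig=([A-Za-z0-9%+/=]{20,})")
SV_RE = re.compile(r"[?&]sv=")


def redact(secret, keep=4):
    """Keep only the ends of a secret so a report never re-leaks it."""
    return secret[:keep] + "..." + secret[-keep:]


def scan_text(path, text):
    """Return (path, line number, finding type, redacted value) tuples."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = KEY_RE.search(line)
        if m:
            findings.append((path, lineno, "storage-account-key", redact(m.group(1))))
        m = SIG_RE.search(line)
        # A sig= parameter only counts as a SAS token when sv= is also present.
        if m and SV_RE.search(line):
            findings.append((path, lineno, "sas-token", redact(m.group(1))))
    return findings


def scan_files(files):
    """Scan a {path: content} mapping, e.g. the staged files in a pre-commit hook."""
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


if __name__ == "__main__":
    for path, lineno, kind, value in scan_files(SAMPLE_FILES):
        print(f"{path}:{lineno}: {kind} {value}")
```

Wiring scan_files into a pre-commit hook or CI step and failing the build on any finding turns the "keep the keys private" challenge into an enforced rule; the identity-based client in storage_client.py passes clean because there is no secret in it to leak.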
11. Establish a single unified security strategy
Finally, having a unified security strategy is mandatory. Keeping all the teams informed about the business risks and network security implementations is always a good option; it prevents friction and conflicts between teams and helps maintain a healthy work culture.
12. Use encryption
No matter how many security solutions you use or how many security controls you implement, nothing is 100% secure. There is always a link in the organisational chain that is weaker than the others and relatively easier to exploit, and cyber threat actors are always on the lookout for such weak links.
Therefore, protect your data at rest and in transit by applying encryption. Azure offers encryption of data at rest for Managed Disks via its Storage Service Encryption for Azure Managed Disks.
13. Disable remote access
Disable Telnet, SSH and RDP access to your virtual appliances except for users who are authorised to use your cloud instances and need them to do their jobs.
Apply firewall rules and limit all inbound connectivity except for authorised connections.
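Sections 7 and 13 both come down to the same question for an Azure network security group (NSG): can anyone on the Internet reach a management port? The following is an added example, not the article's own code or an Azure tool, that answers it the way Azure itself evaluates inbound rules: lowest priority number first, first match wins, with the built-in default rules (AllowVnetInBound, AllowAzureLoadBalancerInBound, DenyAllInBound) at the bottom. Rule fields mirror the securityRules schema of Microsoft.Network/networkSecurityGroups; both rule sets are constructed, one weak and one hardened.

```python
"""Check Azure NSG inbound rules for management ports open to the Internet.

Added example for this article; not the article's own code or an Azure tool.
Rule dicts mirror the securityRules schema (priority, direction, access,
protocol, sourceAddressPrefix, destinationPortRange). The rule sets are
constructed samples.
"""

MANAGEMENT_PORTS = {22: "SSH", 23: "Telnet", 3389: "RDP"}

# Source values that mean "anyone on the Internet" for an inbound rule.
INTERNET_SOURCES = {"*", "Internet", "0.0.0.0/0"}

# Azure's built-in default inbound rules, present in every NSG.
DEFAULT_INBOUND = [
    {"name": "AllowVnetInBound", "priority": 65000, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "VirtualNetwork", "destinationPortRange": "*"},
    {"name": "AllowAzureLoadBalancerInBound", "priority": 65001, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "AzureLoadBalancer", "destinationPortRange": "*"},
    {"name": "DenyAllInBound", "priority": 65500, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]

# Constructed weak NSG: RDP allowed from any source.
WEAK_NSG = [
    {"name": "Allow-RDP-Any", "priority": 300, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "3389"},
    {"name": "Allow-HTTPS", "priority": 320, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "443"},
] + DEFAULT_INBOUND

# Constructed hardened NSG: management ports only from the admin range (a
# constructed documentation prefix); everything else falls through to DenyAllInBound.
HARDENED_NSG = [
    {"name": "Allow-Mgmt-Admin", "priority": 300, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.0/24", "destinationPortRanges": ["22", "3389"]},
    {"name": "Allow-HTTPS", "priority": 320, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "443"},
] + DEFAULT_INBOUND


def _port_matches(rule, port):
    """Handle '*', a single port, a 'lo-hi' range, or a destinationPortRanges list."""
    ranges = rule.get("destinationPortRanges") or [rule.get("destinationPortRange", "*")]
    for r in ranges:
        if r == "*":
            return True
        lo, _, hi = r.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def _source_is_internet(rule):
    """True when the rule's source covers arbitrary Internet hosts. A specific
    prefix such as 203.0.113.0/24 is not treated as 'the Internet'."""
    prefixes = rule.get("sourceAddressPrefixes") or [rule.get("sourceAddressPrefix", "*")]
    return any(p in INTERNET_SOURCES for p in prefixes)


def first_matching_rule(rules, port, protocol="Tcp"):
    """Azure semantics: inbound rules in ascending priority, first match decides."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule["direction"] != "Inbound" or rule["protocol"] not in ("*", protocol):
            continue
        if _source_is_internet(rule) and _port_matches(rule, port):
            return rule
    return None


def exposed_management_ports(rules):
    """Map each Internet-reachable management port to (service, allowing rule name)."""
    exposed = {}
    for port, name in MANAGEMENT_PORTS.items():
        rule = first_matching_rule(rules, port)
        if rule and rule["access"] == "Allow":
            exposed[port] = (name, rule["name"])
    return exposed


if __name__ == "__main__":
    print("weak:    ", exposed_management_ports(WEAK_NSG))
    print("hardened:", exposed_management_ports(HARDENED_NSG))
```

The weak set reports RDP via Allow-RDP-Any; the hardened set reports nothing, because the only Allow for 22 and 3389 is scoped to the admin prefix and Internet traffic to those ports falls through to DenyAllInBound. The same evaluation order is why a Deny rule placed at a lower priority number than a broad Allow takes effect, and why a broad Allow placed above a narrow Deny silently defeats it.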
14. Regular patching and updating
Regular and constant patching and updating of your virtual appliances in the cloud is absolutely necessary. Zero-days are being dropped publicly almost every week, and it is mandatory to be aware of these zero-days and their patches.
Shahrukh is a passionate cyber security analyst and researcher who loves to write technical blogs on different cyber security topics. He holds a Master's degree in Information Security and an OSCP, and has a strong technical skillset in offensive security.