Azure Security: Best Practices You Need to Know

When it comes to Azure Security best practices, where do you begin? In many ways, Azure resembles any other data center, but it also differs in ways that create their own security challenges. The security of resources hosted in Azure is critical, yet companies new to Azure sometimes overlook it.

During the early stages of a company's journey toward cloud adoption, it is often assumed that Microsoft secures everything it hosts. Microsoft secures the platform, but responsibility for what you deploy on it is shared, and customers must do their part to secure their own Azure environment.

In this article, I'll discuss my top nine Azure Security best practices. If you're looking to dig deep into Azure Security, you might want to jump into Cloud Academy's AZ-500 Exam Preparation: Microsoft Azure Security Technologies Learning Path. Even if you aren't pursuing the Microsoft Certified: Azure Security Engineer Associate certification, these courses and hands-on labs will help you get started deploying and managing Microsoft Azure security technologies.


Now let’s dive right into my Azure Security best practices.

1. Understand the shared responsibility model

While I could go into a great amount of detail about the Azure shared responsibility model, I will briefly summarize the core principles. It is critical for cloud security professionals to have a firm understanding of the division of responsibilities shared between the Azure consumer (you) and Microsoft. The division of responsibility varies for each Azure service, but at a high level, you are responsible for your data and managing access to that data. Depending on what service you are consuming, you may have additional responsibilities as depicted below.

Figure: Azure responsibility zones by service model (Source: MSDN Blog)

If you would like to learn more about shared responsibility for security in the cloud, review Microsoft's Shared Responsibilities for Cloud Computing white paper. Understanding this model is essential for customers planning to move to the cloud: cloud providers offer considerable security advantages, but those advantages do not exempt the customer from protecting their users, applications, and services.

2. Read Azure Security Center suggested changes and alerts

Let me begin by saying that nothing listed here is new. Every recommendation below can be found in Azure by using Azure Security Center, which is why I start there.

Azure Security Center is the perfect place to get started. It offers suggested changes and alerts for protecting your Azure resources. My first Azure Security best practice is to make the most of it: check the portal regularly for new alerts and recommendations, and remediate as many of them as possible promptly. My second best practice is to use Azure Security Center Standard for every subscription, or at a minimum for every subscription with production resources.

The Free tier of Azure Security Center that comes with every subscription provides security policy and recommendations only. Security Center Standard adds threat detection alerts and the features discussed later in this article, such as Just-in-Time VM access, and for each finding offers a recommended fix. Microsoft offers a 30-day trial of Security Center Standard at no cost.

Per Microsoft:

“Security Center gives you defense in depth with its ability to both detect and help protect against threats…and it provides actionable recommendations for mitigating these threats.”

Source: Azure Security Center 

3. Secure Identity with Azure Active Directory

Gone are the days when the network firewall was the first security boundary. Identity is quickly becoming the primary security perimeter, and in Microsoft Azure this is truer than ever. Microsoft has made several recommendations around securing identity with Azure Active Directory (Azure AD), and because Azure relies on Azure AD for authentication, these Azure Security best practices are critical to the security of your Azure cloud.

Microsoft highly recommends centralizing identity in a single authoritative source. In a hybrid identity scenario, the Azure Security best practice is to integrate your on-premises and cloud directories with Azure AD Connect, so identities are managed once, in one location. This "single source of truth" increases clarity and reduces the configuration complexity and mistakes that lead to security risks.

Azure AD also provides single sign-on (SSO) when integrated with your on-premises Active Directory. SSO lets one identity access all the resources a user needs, whether on-premises or in the cloud. Fewer passwords per user means fewer weak or reused ones. It also means that the one remaining identity is worth far more to an attacker, which is why the next recommendation matters.

Once you are using Azure AD, I highly recommend requiring multi-factor authentication (MFA) for every user with any level of access to Microsoft Azure, starting with privileged roles such as Global Administrator and subscription Owner. Azure MFA protects access to Azure resources against an attacker who has obtained a password while still allowing seamless SSO. Enforce it with a Conditional Access policy rather than relying on users to opt in, and if you exclude a break-glass account from that policy, give it a long random password stored offline and alert on every sign-in it makes.

4. Limit subscription owners

The Azure Security best practice here is straightforward. There should be more than one Azure subscription owner, but no more than three users with Owner permissions. Ideally, two trusted Azure administrators or "product owners" hold Owner on the subscription(s), plus, if possible, one "break-glass" account for emergencies. When you count owners, remember that an Owner assignment made at a management group is inherited by every subscription beneath it, and that a group assigned Owner makes the effective count the group's membership rather than one.
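The following is an added example, not code from the original article: a small audit of Owner assignments that applies the rule above to the kind of listing `az role assignment list --all --include-inherited` produces. The field names (principalName, principalType, roleDefinitionName, scope) are the ones that command prints; the assignments, subscription ID and domain are constructed sample data.

```python
"""Audit Owner assignments on one subscription from role-assignment listing data.

Added example; not from the original article or from Microsoft. Input mirrors
the fields printed by `az role assignment list --all --include-inherited`.
"""

MG_PREFIX = "/providers/microsoft.management/managementgroups/"


def subscription_owners(assignments, subscription_id):
    """Owner assignments that cover the whole subscription: made at the
    subscription scope itself, or inherited from a management group or the
    tenant root scope '/'. Owner on a single resource group does not count."""
    sub_scope = f"/subscriptions/{subscription_id}".lower()
    owners = []
    for a in assignments:
        scope = a["scope"].lower()
        if a["roleDefinitionName"] == "Owner" and (
                scope == sub_scope or scope == "/" or scope.startswith(MG_PREFIX)):
            owners.append(a)
    return owners


def audit_owners(assignments, subscription_id, min_owners=2, max_owners=3):
    """Findings against the rule: two administrators plus at most one
    break-glass account, every one of them a named human you can hold to MFA."""
    owners = subscription_owners(assignments, subscription_id)
    sub_scope = f"/subscriptions/{subscription_id}".lower()
    findings = []
    if len(owners) < min_owners:
        findings.append(f"only {len(owners)} owner(s): no second administrator or break-glass account")
    if len(owners) > max_owners:
        findings.append(f"{len(owners)} owners, above the limit of {max_owners}")
    for a in owners:
        name, kind = a["principalName"], a["principalType"]
        if kind == "Group":
            findings.append(f"group '{name}' is Owner: the real owner count is its membership, "
                            "which this listing cannot see")
        elif kind == "ServicePrincipal":
            findings.append(f"service principal '{name}' is Owner: standing privilege with no MFA")
        if a["scope"].lower() != sub_scope:
            findings.append(f"'{name}' inherits Owner from {a['scope']}: "
                            "it cannot be removed at the subscription")
    return findings


# Constructed sample data (fictitious subscription, tenant domain and principals).
SUBSCRIPTION = "00000000-0000-0000-0000-000000000000"
SUB = f"/subscriptions/{SUBSCRIPTION}"
SAMPLE_ASSIGNMENTS = [
    {"principalName": "alice@tenant.example", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": SUB},
    {"principalName": "bob@tenant.example", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": SUB},
    {"principalName": "breakglass@tenant.example", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": SUB},
    {"principalName": "Cloud-Admins", "principalType": "Group", "roleDefinitionName": "Owner",
     "scope": "/providers/Microsoft.Management/managementGroups/tenant-root"},
    {"principalName": "deploy-pipeline", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Owner", "scope": f"{SUB}/resourceGroups/rg-app"},
    {"principalName": "carol@tenant.example", "principalType": "User",
     "roleDefinitionName": "Contributor", "scope": SUB},
]

if __name__ == "__main__":
    for finding in audit_owners(SAMPLE_ASSIGNMENTS, SUBSCRIPTION):
        print("-", finding)
```

On the sample, the portal's subscription blade would show three Owners, but the audit counts four because the Cloud-Admins group inherits Owner from the management group, and it flags that group as hiding the true number of owners. The service principal holding Owner on a resource group is not a subscription owner and is left for a separate review.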

5. Control network access

As with any data center, network access in Azure must be tightly controlled. My recommendation is a "protection rings" approach, in which you establish multiple rings of security around (and between) protected resources. Applied to Azure, the first ring (often called the perimeter ring) is typically a firewall such as Azure Firewall or a third-party network virtual appliance. At this ring you typically find firewall policies, Distributed Denial of Service (DDoS) protection, intrusion detection and prevention (IDS/IPS), web content filtering, network anti-malware, and application control.

The second ring is often a Network Security Group (or NSG) applied to the subnet. Network Security Groups allow you to filter network traffic to and from Azure resources in an Azure virtual network.

“A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, Azure resources, subnets, etc.”

Source: Microsoft Azure Security Groups

Use a network security group to stop undesired traffic from entering or leaving an Azure subnet. By default, all subnets in an Azure Virtual Network (VNet) can communicate freely, because the built-in AllowVnetInBound rule (priority 65000) permits any traffic whose source is the VirtualNetwork tag. A custom rule with a lower priority number overrides it, so an NSG per subnet lets you give each subnet its own security zone or role. Every subnet should therefore be associated with a properly configured Network Security Group.

With a virtual machine there is a third ring: an NSG applied to the VM's network interface, which controls traffic to and from that VM alone. Note how the rings combine. For inbound traffic Azure evaluates the subnet NSG first and then the NIC NSG, and the traffic must be allowed by both; for outbound traffic the order is reversed. A permissive rule on a NIC cannot undo a deny on the subnet, but a tight subnet NSG does not excuse a sloppy NIC NSG either, because the NIC rule is all that remains if the subnet NSG is later removed.

Lastly, keep management and back-end traffic off the public internet. Azure offers site-to-site VPN, which is IPsec tunneled over the internet, and ExpressRoute, a private circuit that does not traverse the public internet at all.

6. Disable remote access (RDP/SSH)

I recommend disabling RDP and SSH access to Azure virtual machines from the internet. Both should be reached only over a private connection (VPN or ExpressRoute, mentioned above) and opened on demand with Just-in-Time (JIT) VM access.

After enabling Azure Security Center Standard, I highly encourage you to enable Just-in-Time VM access. JIT controls inbound traffic to Azure virtual machines, reducing brute-force exposure while still making it easy to connect to VMs over Remote Desktop or Secure Shell.

Per Microsoft, brute-force attacks against exposed management ports are among the most common attack types. Just-in-Time VM access uses NSG rules to lock those ports down and to open them only for approved individuals. The JIT policy first configures the NSG to deny inbound traffic to the VM's remote management ports. When an authorized user needs access, they request it through JIT for a limited window (three hours by default, with the maximum set in the policy), and Security Center inserts an allow rule restricted to the requester's source IP or the range they specify. When the window elapses, Security Center removes that rule and the ports are locked down again.

Just-in-Time VM access uses Azure AD and Azure role-based access control (RBAC) permissions to decide whether a user may request access to a VM. As noted above, this is a perfect example of identity becoming the primary security perimeter.
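To make the two preceding sections concrete, here is an added example that is not code from the original article or from Microsoft: a model of how Azure evaluates NSG rules for one inbound flow across the subnet and NIC rings, with a check for RDP/SSH exposed to the internet and a simulation of what a JIT approval does to the rules. The rule dictionaries follow the ARM resource shape (securityRules, priority, direction, access, protocol, sourceAddressPrefix, destinationPortRange), but the two NSGs, the VNet range and all IP addresses are constructed, and the "Internet" tag is resolved in a simplified way.

```python
"""Evaluate Azure NSG rules for one inbound flow across the subnet and NIC rings.

Added example; not from the original article or from Microsoft. NSGs below are
constructed sample data in the ARM resource shape, not exported from a tenant.
"""
import copy
import ipaddress
from datetime import datetime, timedelta, timezone

# Assumption for the sample: the VNet address space is 10.0.0.0/16, so the
# VirtualNetwork tag resolves to it and anything outside it counts as Internet.
VNET = ipaddress.ip_network("10.0.0.0/16")
AZURE_LB = ipaddress.ip_address("168.63.129.16")

# Azure's built-in inbound default rules sit at priority 65000+, so every
# custom rule (100-4096) takes precedence over them.
DEFAULT_INBOUND = [
    {"name": "AllowVnetInBound", "priority": 65000, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "VirtualNetwork", "destinationPortRange": "*"},
    {"name": "AllowAzureLoadBalancerInBound", "priority": 65001, "direction": "Inbound",
     "access": "Allow", "protocol": "*", "sourceAddressPrefix": "AzureLoadBalancer",
     "destinationPortRange": "*"},
    {"name": "DenyAllInBound", "priority": 65500, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]


def _source_matches(prefix, src):
    if prefix == "*":
        return True
    if prefix == "VirtualNetwork":
        return src in VNET
    if prefix == "AzureLoadBalancer":
        return src == AZURE_LB
    if prefix == "Internet":  # simplified service-tag resolution for the sample
        return src not in VNET and src != AZURE_LB
    return src in ipaddress.ip_network(prefix, strict=False)


def _port_matches(port_range, port):
    if port_range == "*":
        return True
    lo, _, hi = port_range.partition("-")
    return int(lo) <= port <= int(hi or lo)


def evaluate(nsg, src, port, protocol="Tcp"):
    """First match in ascending priority order wins, as Azure evaluates an NSG."""
    for rule in sorted(nsg["securityRules"] + DEFAULT_INBOUND, key=lambda r: r["priority"]):
        if (rule["direction"] == "Inbound" and rule["protocol"] in ("*", protocol)
                and _source_matches(rule["sourceAddressPrefix"], src)
                and _port_matches(rule["destinationPortRange"], port)):
            return rule["access"], rule["name"]
    return "Deny", "DenyAllInBound"  # defensive; DenyAllInBound matches everything


def inbound_allowed(nsgs, src_ip, port):
    """Inbound traffic meets the subnet NSG first, then the NIC NSG; a Deny in
    either ring ends the flow. A ring with no NSG attached (None) filters nothing."""
    src = ipaddress.ip_address(src_ip)
    return all(evaluate(nsg, src, port)[0] == "Allow" for nsg in nsgs if nsg is not None)


def exposed_management_ports(nsgs, probe_ip="198.51.100.10"):
    """Which of SSH/RDP can an arbitrary internet host (constructed probe IP) reach?"""
    return [p for p in (22, 3389) if inbound_allowed(nsgs, probe_ip, p)]


def jit_approve(nsgs, requester_ip, port, now, hours=3):
    """Model of a JIT approval: a time-boxed Allow for the requester's /32 goes in
    at the top of every NSG in the path. 'expires' is this model's bookkeeping, not
    an NSG property; in Azure, Security Center itself removes the rule later."""
    for nsg in filter(None, nsgs):
        nsg["securityRules"].append({
            "name": f"JIT-allow-{port}-{requester_ip}", "priority": 100, "direction": "Inbound",
            "access": "Allow", "protocol": "*", "sourceAddressPrefix": f"{requester_ip}/32",
            "destinationPortRange": str(port), "expires": now + timedelta(hours=hours)})


def expire_jit_rules(nsgs, now):
    for nsg in filter(None, nsgs):
        nsg["securityRules"] = [r for r in nsg["securityRules"]
                                if r.get("expires") is None or r["expires"] > now]


# Ring 2 (constructed): subnet NSG with the JIT baseline, an explicit Deny on the
# management ports that beats any Allow placed later in the order.
SUBNET_NSG = {"name": "app-subnet-nsg", "securityRules": [
    {"name": "Allow-HTTPS-Internet", "priority": 300, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "443"},
    {"name": "Deny-SSH-Any", "priority": 1000, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "22"},
    {"name": "Deny-RDP-Any", "priority": 1001, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "3389"},
]}
# Ring 3 (constructed): NIC NSG where a "temporary" SSH-from-anywhere rule was left behind.
NIC_NSG = {"name": "web01-nic-nsg", "securityRules": [
    {"name": "Temp-SSH-Any", "priority": 110, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRange": "22"},
    {"name": "Allow-HTTPS-Internet", "priority": 300, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "443"},
]}


def jit_scenario(requester_ip="203.0.113.7"):
    """(requester reaches RDP in the window, an internet probe does, requester after expiry)"""
    rings = [copy.deepcopy(SUBNET_NSG), copy.deepcopy(NIC_NSG)]
    t0 = datetime(2020, 7, 1, 9, 0, tzinfo=timezone.utc)
    jit_approve(rings, requester_ip, 3389, now=t0)
    during = inbound_allowed(rings, requester_ip, 3389)
    probe = inbound_allowed(rings, "198.51.100.10", 3389)
    expire_jit_rules(rings, now=t0 + timedelta(hours=3, minutes=1))
    return during, probe, inbound_allowed(rings, requester_ip, 3389)


if __name__ == "__main__":
    print("exposed with both rings:", exposed_management_ports([SUBNET_NSG, NIC_NSG]))
    print("exposed without subnet NSG:", exposed_management_ports([None, NIC_NSG]))
    print("JIT (during, probe, after):", jit_scenario())
```

Run as-is, the subnet ring masks the leftover NIC rule, so nothing is exposed; drop the subnet NSG and SSH is open to the whole internet, which is the failure mode the third-ring caveat above describes. The JIT scenario shows why the baseline is a Deny rather than an absent rule: the time-boxed Allow is inserted above it for one source address, the probe is still denied during the window, and once the rule is removed the requester is denied again.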

7. Protect and update your virtual machine

You still need to protect your server operating systems as you would in an on-premises data center, which means running antivirus and anti-malware. I recommend Microsoft Defender Advanced Threat Protection (formerly Windows Defender ATP) and Microsoft Antimalware for Azure, both of which integrate with Azure Security Center so that VM security is managed from a single location.

Patching remains your responsibility under the shared responsibility model. Azure Automation's Update Management can schedule and apply updates to both Windows and Linux virtual machines, and Azure Security Center flags VMs that are missing critical security updates and points you to Update Management to remediate them.

8. Safeguard sensitive data

Safeguarding sensitive material such as keys, secrets, and certificates is critical to protecting your data in the Microsoft Azure cloud. Use Azure Key Vault to hold the cryptographic keys and secrets that your cloud applications and services use, rather than configuration files or source code. Access is controlled at two levels: role-based access control (RBAC) governs who can manage the vault itself, and each vault's own access policies govern which principals can read or use its keys, secrets, and certificates. Give applications a managed identity so they can be granted that access without a credential that can leak, enable soft-delete and purge protection so a deleted vault or key can be recovered, and send the vault's diagnostic logs to a workspace so that every secret read is auditable.

9. Enable encryption

In Microsoft Azure, protect all of your data, at rest and in transit, with encryption. Some encryption is enabled by default; in other cases you must enable it yourself.

Encryption at rest is automatic for Managed Disks created after June 10th, 2017, through Storage Service Encryption for Azure Managed Disks, using keys managed by Microsoft. For any drive that will hold sensitive information I also recommend Azure Disk Encryption, which you enable manually: it encrypts the volume inside the guest with BitLocker (Windows) or dm-crypt (Linux), with the keys held in your own Azure Key Vault under your control.

Additionally, with Azure SQL Database, transparent data encryption (TDE) protects the database files on disk. It is enabled by default on newly created databases, so the action item is to verify that it is on for older databases and to consider bringing your own key through Key Vault.

Closing

Securing Azure can pose many unique challenges. But if done properly, it can be as secure as any top-tier data center. These Azure Security Best Practices will help to get you started, but truly mastering Azure Security will require both technical knowledge and hands-on training.

Cloud Academy can help you learn the theory — from the basics to advanced — and give you the real-world experience you need with hands-on labs and lab challenges. You’ll have full access to auto-provisioned Azure accounts to learn in both guided and non-guided lab environments. To try it out for yourself, sign up for a free 7-day trial.


Written by

Orion Withrow

Orion is a Sr. Solutions Architect, focused on Microsoft technologies for the last 15 years. He lives in Louisa, Virginia with his loving wife of 14 years, where they are devoted parents of four energetic, beautiful (and sometimes challenging) children. As parents and homeschoolers of an Autistic child, Orion and his wife are active in both Autism and Home School communities.
