When it comes to Azure Security best practices, where do you begin? In a lot of ways, Azure is very similar to any other data center. But with that said, Azure can also be very different. Securing Azure can pose many unique challenges. The security of resources hosted in Azure is of the utmost importance, though it is sometimes overlooked by companies new to Azure.
During the early stages of a company’s journey toward cloud adoption, it is often assumed that Microsoft secures the resources it hosts. While Azure helps with securing your business assets, a great deal of responsibility is shared and requires customers to do their part to secure their Azure cloud.
In this article, I’ll discuss my top nine Azure Security best practices. If you’re looking to dig deep into Azure Security, you might want to jump into Cloud Academy’s AZ-500 Exam Preparation: Microsoft Azure Security Technologies Learning Path. Even if you aren’t interested in becoming an Azure Security Certified Professional, these courses and hands-on labs will help you get started on your way to deploying and managing Microsoft Azure security technologies.
Now let’s dive right into my Azure Security best practices.
1. Understand the shared responsibility model
While I could go into a great amount of detail about the Azure shared responsibility model, I will briefly summarize the core principles. It is critical for cloud security professionals to have a firm understanding of the division of responsibilities shared between the Azure consumer (you) and Microsoft. The division of responsibility varies for each Azure service, but at a high level, you are responsible for your data and managing access to that data. Depending on what service you are consuming, you may have additional responsibilities as depicted below.
Source: MSDN Blog
If you would like to learn more about the shared responsibility for security in the cloud, I suggest that you review the Shared Responsibilities for Cloud Computing white-paper provided by Microsoft. The importance of understanding this shared responsibility model is essential for customers planning to move to the cloud. Cloud providers offer considerable advantages in security, but these advantages do not exempt the customer from protecting their users, applications, and services.
2. Read Azure Security Center suggested changes and alerts
Please allow me to begin by saying, nothing listed here is new. Every recommendation you see below you can find in Azure by using Azure Security Center, which is why I will begin there.
Azure Security Center is the perfect place for us to get started. Azure Security Center offers suggested changes and alerts for protecting your Azure resources. My first Azure Security best practice is to make the most out of Azure Security Center by checking the portal regularly for new alerts and take action to promptly to remediate as many alerts as possible. My second Azure Security best practice is to utilize Azure Security Center standard for every subscription, or at a minimum, every subscription with production resources.
The basic level of Azure Security Center that’s included with Microsoft Azure offers limited information. Azure Security Center Standard helps to find security vulnerabilities and offers a recommended solution. Microsoft offers a sixty-day trial of Security Center Standard at no cost.
“Security Center gives you defense in depth with its ability to both detect and help protect against threats…and it provides actionable recommendations for mitigating these threats.”
Source: Azure Security Center
3. Secure Identity with Azure Active Directory
Gone are the days that the first security boundary in the network is the Firewall. Identity is quickly becoming the primary security perimeter. In Microsoft Azure, this is truer than ever before. As a result, Microsoft has made several recommendations around securing Identity with Azure Active Directory. As Microsoft Azure relies on Azure Active Directory for authentication, these Azure Security best practices are also critical to the security of your Azure cloud.
Microsoft highly recommends that Identity be centralized into a single Authoritative source. In a hybrid identity scenario, an Azure Security best practice is to integrate your on-premises and cloud directories with the use of Azure Active Directory Connect. Integration will allow identities to be managed once, in one location. This “single source of truth” will increase clarity and reduce the likelihood of mistakes that cause security risks and configuration complexity.
Azure Active Directory also provides for Single Sign-On (SSO) when integrated with your on-premises Active Directory. SSO allows for one identity to be used to access all the resources required, whether on-premise or in the cloud. SSO reduces the exposure of having multiple passwords, which increases the potential of weak or reused passwords.
Once you are using Azure Active Directory, I highly recommend that two-step authentication (otherwise known as Multi-Factor Authentication) be implemented for any user that has any level of access to Microsoft Azure. Azure Multi-Factor Authentication (MFA) will increase security and protect access to Microsoft Azure resources while still allowing for seamless SSO.
4. Limit subscription owners
The Azure Security best practice here is very straightforward. There should be more than one Azure subscription owner, but there should not be over three users with owner permissions. Ideally, you want to have two trusted Azure Administrators or “Product owners” to act as the owners of the subscription(s), and if possible, one “break-glass” account for an emergency.
5. Control network access
As with any data center, network access in Azure must be tightly controlled. My recommendation is a “protection rings” approach, in which you establish multiple rings of security around (and between) protected resources. Applying this approach to Azure, the first ring (often referred to as the perimeter ring) is typically a Firewall such as Azure Firewall or a third-party virtual network appliance solution. At this ring you typically find Firewall policies, Distributed Denial of Service (DDoS) prevention, Intrusion Detection and Intrusion Prevention systems (IDS/IPS), Web Content Filtering, and Vulnerability Management such as Network Anti-Malware, Application Controls, and Antivirus.
The second ring is often a Network Security Group (or NSG) applied to the subnet. Network Security Groups allow you to filter network traffic to and from Azure resources in an Azure virtual network.
“A network security group contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, Azure resources, subnets, etc.”
Source: Microsoft Azure Security Groups
Use a network security group to prevent undesired traffic from entering or leaving an Azure subnet. By default, all subnets in an Azure Virtual Network (VNet) can communicate freely. By using a network security group for network access control between subnets, you can establish a different security zone or role for each subnet. As such, all subnets should be associated with a properly configured Network Security Group.
With a virtual server, there is a third ring which is a Network Security Group (NSG) applied to the Virtual Machines network interface. As stated above, this NSG will allow for control of traffic to and from the Virtual Machine.
Lastly, avoid exposure to the internet with a dedicated WAN connection. Azure offers both site-to-site VPN and ExpressRoute for this purpose.
6. Disable remote access (RDP/SSH)
I recommend that you disable RDP and SSH access to Azure virtual machines from the internet. In fact, both RDP and SSH access should only be provided over a secure dedicated connection (such as VPN or ExpressRoute, mentioned above) using Just-in-Time (JIT) Virtual Machine access.
After enabling Azure Security Center Standard, I highly encourage you to enable Just-in-time virtual machine access. Just-in-time virtual machine access is utilized to control inbound traffic to Azure Virtual Machines, reducing brute force attack exposure while providing easy access to connect to virtual machines (VMs) via Remote Desktop or Secure Shell.
Per Microsoft, Brute Force attacks are one of the most common attack types. Just-in-time VM access leverages NSGs rules to provide a secure configuration and safely provide access to approved individuals. To accomplish this, the Just-In-Time VM access policy configures at the NSG to lock down the virtual machines remote management ports. When an authorized user requires access to the VM, they will use Just-In-Time VM Access to request access for up to three hours. After the requested time has elapsed, Azure locks the management ports down to help reduce susceptibility to an attack.
Just-In-Time VM access uses Azure Active Directory and Role-Based Access Control (RBAC) permissions that allow a user to successfully request access to a VM. As mentioned above, this is a perfect example of how identity is becoming the primary security perimeter.
7. Protect and update your virtual machine
You still need to protect your server operating systems as you would with an on-premise data center. You need to run antivirus and anti-malware. I recommend Windows Defender Advanced Threat Protection (ATP) and Microsoft anti-malware, both of which integrate with Azure Security Center to provide a single location to manage your VM security.
Microsoft still requires system updates for VMs hosted in Azure, and Azure offers the update management solution, which is an automated method to apply updates to Windows Virtual Machines. Azure Security Center will also identify missing critical security updates and can apply them for you.
8. Safeguard sensitive data
Safeguarding sensitive data — such as with keys, secrets, and certificates — is critical to protecting your data in the Microsoft Azure cloud. Azure Key Vault should be utilized to safeguard cryptographic keys and secrets that cloud applications and services use. Each vault has a unique access-control list that uses role-based access control (RBAC).
9. Enable encryption
In Microsoft Azure, protect all of your data, at rest and in transit, with Encryption. Sometimes, the encryption is enabled by default. In other cases, Encryption must be enabled manually.
Encryption at rest is achieved automatically for Managed Disks (created after June 10th, 2017) through Storage Service Encryption for Azure Managed Disks using encryption keys managed by Microsoft. I also recommend the use of Azure Disk Encryption, which is enabled manually, to encrypt any drive that will contain sensitive information.
Additionally, with Azure SQL, Azure SQL database transparent data encryption should be implemented to protect database files on disk.
Securing Azure can pose many unique challenges. But if done properly, it can be as secure as any top-tier data center. These Azure Security Best Practices will help to get you started, but truly mastering Azure Security will require both technical knowledge and hands-on training.
Cloud Academy can help you learn the theory — from the basics to advanced — and give you the real-world experience you need with hands-on labs and lab challenges. You’ll have full access to auto-provisioned Azure accounts to learn in both guided and non-guided lab environments. To try it out for yourself, sign up for a free 7-day trial.