Keeping your cloud environment safe continues to be the top priority for the enterprise, followed by spending, according to RightScale’s 2018 State of the Cloud report.
The safety of your cloud environment—and the data and applications that your business runs on—depends on how well your teams understand and use the cloud security tools and services at your disposal.
What are the three must-use Azure Security Services?
Teams already building on Azure or those evaluating the platform for their next cloud deployments will want an understanding of how Azure handles the security of their organization’s Azure cloud environment, data, and applications. Azure provides a number of services that teams can employ to manage account access and to identify vulnerabilities. In this post, we’ll look at three services that should be part of your core security setup in Azure: Azure Active Directory, Azure Key Vault, and Azure Security Center.
Shared Responsibility Model
Before we jump into the specific services, it’s worth spending a minute discussing a concept fundamental to security in the cloud: the shared responsibility model. Public cloud providers like Azure and AWS operate under this shared responsibility model. When we put data on Azure or utilize Azure services, we’re trusting Azure to maintain the confidentiality, integrity, and availability of our valuable resources.
Indeed, for its part, Azure ensures the safety of physical data centers, provides failover and geographic replication of data and controls access to your data. It’s up to your team to actually put the appropriate security controls in place and actually use the services to keep your data and applications safe.
You’re responsible for how you set up and authorize users in terms of identity and access management, and you’re responsible for safely storing and protecting your data. Let’s now step through three security services you should be using, keeping in mind that it’s your responsibility to configure and use them properly.
Securing Access with Azure Active Directory
Protecting your accounts—how they are used and who can access them—is an important part of cloud security. Azure Active Directory (AD) is Microsoft’s cloud-based directory and identity management service.
Azure AD allows you to control access to subscriptions, resource groups, and individual resources. This can be done at the individual or group level, and by user role. The larger the company or the more complex the system, the more roles you’re likely to have. For example, business analytics team members may need access to read the data in the storage account, but they should never need to deploy or maintain the application itself. Azure allows you to create a second role for team members with read-access to the storage account but no access to the web application.
Microsoft’s Identity and Access Management solution adopts many industry standards such as SAML, WS-Federation, and OAuth in addition to multi-factor authentication (MFA). Functioning as the middle layer, Azure AD securely connects users and applications to cloud services such as Office 365 and other enterprise applications.
Role-Based Access and Control (RBAC) is how Microsoft allows administrators to limit user and group access to Azure resources. These resources can be anything from virtual machines, VNets, or even entire resource groups. Sample built-in roles include Owner (which has full control over everything and the right to delegate access to others) and Network Contributor, which can manage network-based resources. Each role is comprised of a set of permitted actions and scopes where the actions can be applied. The Network Contributor role is permitted to read, write, and delete all network resources in the assigned scopes, for example, in a resource group containing production resources. There are also built-in Reader roles, which provide read-only access. In addition to the built-in roles, you can also create fine-grained custom roles when the built-in roles don’t suit your needs.
It’s important to note that each subscription can grant up to 2,000 role assignments and create up to 2,000 custom roles. RBAC can be controlled through the Azure portal, PowerShell, the Azure CLI, and the REST API.
Hands-on Lab: Follow the principle of least privilege for users as you manage access to Azure with RBAC. You will use Azure PowerShell to create a custom role, learn how to assign roles to users, and get tips on how to define your own custom roles.
Managing Secrets with Azure Key Vault
Secret keys and digital certificates are used to establish the authenticity of users and cloud applications. Azure Key Vault is a pay-as-you-go service for managing secrets and digital certificates. Azure Key Vault represents a mind shift for developers who are accustomed to deploying database connection strings, passwords, and other secrets along with their code. Key Vault implements a clean separation of duties so that developers can code, release engineers can deploy apps and services, and security specialists can manage secrets and digital certificates.
With this model, services and application code retrieve the keys, passwords, and connection strings at runtime from Azure Key Vault instead of reading them from a local config file deployed with the application itself. This has a few obvious benefits:
- It reduces the risk and exposure of accidentally checking in config files containing sensitive secrets
- It simplifies changes to passwords, keys, and other secrets between deployments
- It supports a separation of duties in the operational model where the people in charge of writing and deploying code don’t need access to sensitive credentials
Key Vault can perform cryptographic operations on behalf of users. For instance, Key Vault can generate a certificate with a policy setting that prevents the certificate’s private key from ever being retrievable from Azure Key Vault. In this case, the private key can never leave Azure Key Vault. Why is this a good thing? The benefit is that you can ask Azure Key Vault to perform cryptographic operations on your behalf using those certificates, such as signing or decryption, without ever exposing the key to application code. Certificates created in this manner are not only inaccessible to you. Microsoft employees can’t access them either. Azure Key Vault natively supports disaster recovery scenarios and logs key access and updates.
Hands-on Lab: Use the Azure Key Vault service to store keys and secrets (such as authentication keys, storage account keys, data encryption keys, .PFX files, and passwords) used to encrypt an Azure Virtual Machine (VM).
Stay Up to Date Using the Azure Security Center
Azure Security Center provides configuration analysis and advanced threat monitoring to help detect threats and scenarios that could lead to security breaches. It also helps your organization keep up with your side of the shared responsibility model by reviewing how your existing resources are configured and recommending actions that you can take within the platform to keep your environment safe. It’s important to remember that when Security Center makes recommendations, it’s up to you to take action on the suggestions that are right for your environment.
Security Center serves as a reminder to do the things you learn about in Cloud Academy’s Azure Security Solutions course: apply missing operating systems patches, install anti-malware software, or enable a firewall to protect your virtual machines. It may recommend actions you can take for data storage, such as turning on auditing in Azure’s SQL database, turning on transparent data encryption, or enabling at-rest encryption for Azure storage.
The recommendations are typically actionable from the Azure Security Center portal itself. You can install anti-malware software on a virtual machine or enable encryption at rest for storage in just a couple of clicks. You can dismiss recommendations individually, or set policies that govern which recommendations are relevant for your organization.
While the core experience and features are Microsoft first-party services, they’ve done a nice job of integrating third-party services into the experience as well. You will see both first-party and third-party solution recommendations that you can add to your security configuration.
Hands-on Lab: Take advantage of automatic security audits and recommendations to mitigate security risks identified by Azure Security Center.
The Azure Services for Security Engineers Learning Path is the ideal step if you want to gain a full understanding of security in Azure, Azure Active Directory, Azure Key Vault, and Azure Security Center, and it includes the three Hands-on Labs that I have listed in this post.
NEW: Custom Hands-On Labs for Azure and Google Cloud Platform
Harvard Business Review recently estimated that some 90% of corporate training never gets applied on the job. Given the $200B training industry, that is a staggering amount of waste. One reason for the disconnect? Lack of context.Cloud Academy’s platform was built to make it extraor...
How to Become a Microsoft Certified Azure Solutions Architect
Microsoft Azure is the fastest growing cloud provider. Azure’s revenue grew an incredible 76% in the last quarter of 2018. As more and more businesses move their IT infrastructure to Microsoft’s cloud platform, the demand for Azure professionals keeps rising. Since there are relatively ...
What is Heroku? Getting Started with PaaS Development
So just what is Heroku? It's a service for developers eager to get their applications online without having to worry about infrastructure details.Metered, pay-as-you-go Cloud Computing services come in all kinds of flavors. Infrastructure as a Service (IaaS) offerings like AWS allow e...
Understanding Object Storage and Block Storage Use Cases
Cloud Computing, like any computing, is a combination of CPU, memory, networking, and storage. Infrastructure as a Service (IaaS) platforms allow you to store your data in either Block Storage or Object Storage formats.Understanding the differences between these two formats - and how ...
Azure Hybrid Identity Authentication Methods
The move to the cloud is picking up steam. As such, many corporations are beginning to find themselves supporting a mixture of on-prem apps as well as cloud apps. Users are finding that they need access to this mix of applications as well. As one would expect, this can become a challe...
Google Cloud Certification: Preparation and Prerequisites
Google Cloud Platform (GCP) has evolved from being a niche player to a serious competitor to Amazon Web Services and Microsoft Azure. In 2018, research firm Gartner placed Google in the Leaders quadrant in its Magic Quadrant for Cloud Infrastructure as a Service for the first time. In t...
Azure Stack Use Cases and Applications
This is the second of a two-part series covering Azure Stack. Our first post provided an introduction to Azure Stack. Why would your organization consider using Azure Stack? What are the key differences between Azure Stack and Microsoft Azure? In this post, we'll begin to answer bot...
Highlights from Microsoft Ignite 2018
Microsoft Ignite 2018 was a big success. Over 26,000 people attended Microsoft’s flagship conference for IT professionals in sunny Orlando, Florida. As usual, Microsoft made a huge number of announcements, ranging from minor to major in importance. To save you the trouble of sifting thr...
Planning for Microsoft Ignite 2018 Sessions: What Not to Miss
Cloud Academy is proud to be a sponsor of the Microsoft Ignite Conference to be held September 24 - 28 in Orlando, Florida. This is Microsoft’s biggest event of the year and is a great way to stay up to date on how to get the most from Microsoft’s products. In this post, I’ll help you p...
How to Optimize Cloud Costs with Spot Instances: New on Cloud Academy
One of the main promises of cloud computing is access to nearly endless capacity. However, it doesn’t come cheap. With the introduction of Spot Instances for Amazon Web Services’ Elastic Compute Cloud (AWS EC2) in 2009, spot instances have been a way for major cloud providers to sell sp...
What are the Benefits of Machine Learning in the Cloud?
A Comparison of Machine Learning Services on AWS, Azure, and Google CloudArtificial intelligence and machine learning are steadily making their way into enterprise applications in areas such as customer support, fraud detection, and business intelligence. There is every reason to beli...
How Does Azure Encrypt Data?
In on-premises environments, data security is typically a siloed activity, with a company's security team telling the internal technology groups (server administration, database, networking, and so on) what needs to be protected against intrusion.This approach is absolutely a bad idea...