Keeping your cloud environment safe continues to be the top priority for the enterprise, followed by spending, according to RightScale’s 2018 State of the Cloud report.
The safety of your cloud environment—and the data and applications that your business runs on—depends on how well your teams understand and use the cloud security tools and services at your disposal.
What are the three must-use Azure Security Services?
Teams already building on Azure or those evaluating the platform for their next cloud deployments will want an understanding of how Azure handles the security of their organization’s Azure cloud environment, data, and applications. Azure provides a number of services that teams can employ to manage account access and to identify vulnerabilities. In this post, we’ll look at three services that should be part of your core security setup in Azure: Azure Active Directory, Azure Key Vault, and Azure Security Center.
Shared Responsibility Model
Before we jump into the specific services, it’s worth spending a minute discussing a concept fundamental to security in the cloud: the shared responsibility model. Public cloud providers like Azure and AWS operate under this shared responsibility model. When we put data on Azure or utilize Azure services, we’re trusting Azure to maintain the confidentiality, integrity, and availability of our valuable resources.
For its part, Azure secures the physical data centers, provides failover and geographic replication of data, and provides the controls that govern access to your data. It’s up to your team to put the appropriate security controls in place and to actually use those services to keep your data and applications safe.
You’re responsible for how you set up and authorize users in terms of identity and access management, and you’re responsible for safely storing and protecting your data. Let’s now step through three security services you should be using, keeping in mind that it’s your responsibility to configure and use them properly.
Securing Access with Azure Active Directory
Protecting your accounts—how they are used and who can access them—is an important part of cloud security. Azure Active Directory (AD) is Microsoft’s cloud-based directory and identity management service.
Azure AD allows you to control access to subscriptions, resource groups, and individual resources. This can be done at the individual or group level, and by user role. The larger the company or the more complex the system, the more roles you’re likely to have. For example, business analytics team members may need access to read the data in the storage account, but they should never need to deploy or maintain the application itself. Azure allows you to create a second role for team members with read-access to the storage account but no access to the web application.
Microsoft’s Identity and Access Management solution adopts many industry standards such as SAML, WS-Federation, and OAuth in addition to multi-factor authentication (MFA). Functioning as the middle layer, Azure AD securely connects users and applications to cloud services such as Office 365 and other enterprise applications.
Role-Based Access Control (RBAC) is how Microsoft allows administrators to limit user and group access to Azure resources. These resources can be anything from individual virtual machines and VNets to entire resource groups. Sample built-in roles include Owner (which has full control over everything and the right to delegate access to others) and Network Contributor, which can manage network-based resources. Each role consists of a set of permitted actions and the scopes at which those actions can be applied. The Network Contributor role, for example, is permitted to read, write, and delete all network resources in its assigned scopes, such as a resource group containing production resources. There are also built-in Reader roles, which provide read-only access. In addition to the built-in roles, you can create fine-grained custom roles when the built-in roles don’t suit your needs.
It’s important to note that each subscription can grant up to 2,000 role assignments and create up to 2,000 custom roles. RBAC can be controlled through the Azure portal, PowerShell, the Azure CLI, and the REST API.
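The analytics-team scenario above, written out as a least-privilege custom role in Azure PowerShell. This is an added example, not code from the post or from the Cloud Academy lab; it assumes the Az module and an authenticated session, and the resource group, storage account and group names are placeholders.

```powershell
# Added example: custom role for analysts who read blob data but must never touch the web app.
# Resource group, storage account and Azure AD group names are placeholders.
$subId = (Get-AzContext).Subscription.Id            # assumes Connect-AzAccount already ran
$rg    = 'rg-prod-analytics'
$sa    = Get-AzStorageAccount -ResourceGroupName $rg -Name 'stanalyticsprod001'
$group = Get-AzADGroup -DisplayName 'Business Analytics'

# Start from a built-in role to get a well-formed definition object, then replace its contents.
$role = Get-AzRoleDefinition -Name 'Reader'
$role.Id          = $null
$role.IsCustom    = $true
$role.Name        = 'Analytics Storage Data Reader'
$role.Description = 'Read-only access to blob data in the analytics storage account'

# Control-plane actions: an explicit allow-list. Reader's "*/read" wildcard would also
# grant read access to Microsoft.Web/* (the web app), so it is not reused here.
$role.Actions.Clear()
$role.Actions.Add('Microsoft.Storage/storageAccounts/read')
$role.Actions.Add('Microsoft.Storage/storageAccounts/blobServices/containers/read')
$role.NotActions.Clear()

# Data-plane actions: read blob contents only; no write, delete, or key listing.
$role.DataActions.Clear()
$role.DataActions.Add('Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read')
$role.NotDataActions.Clear()

# Limit where the role may even be assigned.
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add("/subscriptions/$subId/resourceGroups/$rg")
$custom = New-AzRoleDefinition -Role $role

# Assign at the narrowest scope that works: the storage account itself, not the subscription.
New-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName $custom.Name -Scope $sa.Id | Out-Null

# Verify: the group should hold this one assignment at the storage account and nothing broader.
Get-AzRoleAssignment -ObjectId $group.Id | Select-Object RoleDefinitionName, Scope

# The per-subscription assignment ceiling mentioned above is finite; watch the count.
(Get-AzRoleAssignment -Scope "/subscriptions/$subId").Count
```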
Hands-on Lab: Follow the principle of least privilege for users as you manage access to Azure with RBAC. You will use Azure PowerShell to create a custom role, learn how to assign roles to users, and get tips on how to define your own custom roles.
Managing Secrets with Azure Key Vault
Secret keys and digital certificates are used to establish the authenticity of users and cloud applications. Azure Key Vault is a pay-as-you-go service for managing secrets and digital certificates. Azure Key Vault represents a shift in mindset for developers who are accustomed to deploying database connection strings, passwords, and other secrets along with their code. Key Vault implements a clean separation of duties so that developers can code, release engineers can deploy apps and services, and security specialists can manage secrets and digital certificates.
With this model, services and application code retrieve the keys, passwords, and connection strings at runtime from Azure Key Vault instead of reading them from a local config file deployed with the application itself. This has a few obvious benefits:
- It reduces the risk and exposure of accidentally checking in config files containing sensitive secrets
- It simplifies changes to passwords, keys, and other secrets between deployments
- It supports a separation of duties in the operational model where the people in charge of writing and deploying code don’t need access to sensitive credentials
Key Vault can perform cryptographic operations on behalf of users. For instance, Key Vault can generate a certificate with a policy setting that prevents the certificate’s private key from ever being retrievable from Azure Key Vault. In this case, the private key can never leave Azure Key Vault. Why is this a good thing? You can ask Azure Key Vault to perform cryptographic operations on your behalf using those certificates, such as signing or decryption, without ever exposing the key to application code. Private keys created in this manner are inaccessible not only to you but to Microsoft employees as well. Azure Key Vault natively supports disaster recovery scenarios and logs key access and updates.
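The separation of duties and the non-exportable certificate described above, as an added Azure PowerShell example (not from the post or the Cloud Academy lab). It assumes the Az module and an authenticated session; the vault, resource group and application identity names are placeholders.

```powershell
# Added example: security specialist provisions the vault and secrets; the application
# only reads what it needs at runtime. Vault, resource group and identity names are placeholders.
$rg    = 'rg-prod-analytics'
$vault = 'kv-analytics-prod-001'                    # vault names are globally unique
$app   = Get-AzADServicePrincipal -DisplayName 'analytics-api'   # the app's managed identity

# Purge protection keeps soft-deleted secrets and keys recoverable during the retention window.
New-AzKeyVault -Name $vault -ResourceGroupName $rg -Location 'eastus' -EnablePurgeProtection | Out-Null

# Store the database connection string as a secret; it is entered here, never written in code.
$conn = Read-Host -Prompt 'DB connection string' -AsSecureString
Set-AzKeyVaultSecret -VaultName $vault -Name 'sql-connection-string' -SecretValue $conn | Out-Null

# Create a self-signed certificate whose private key cannot be exported from the vault.
$policy = New-AzKeyVaultCertificatePolicy -SubjectName 'CN=analytics-api.example' `
    -IssuerName Self -ValidityInMonths 12 -KeyType RSA -KeySize 2048 -KeyNotExportable `
    -SecretContentType 'application/x-pkcs12'
Add-AzKeyVaultCertificate -VaultName $vault -Name 'signing-cert' -CertificatePolicy $policy | Out-Null

# Check the policy actually took: Exportable must be False.
(Get-AzKeyVaultCertificatePolicy -VaultName $vault -Name 'signing-cert').Exportable

# The application may read secrets and use the key to sign, but cannot read or export the key.
Set-AzKeyVaultAccessPolicy -VaultName $vault -ObjectId $app.Id `
    -PermissionsToSecrets get -PermissionsToKeys sign, verify

# Application side, at runtime: fetch the connection string from the vault, not a config file.
$connectionString = Get-AzKeyVaultSecret -VaultName $vault -Name 'sql-connection-string' -AsPlainText
```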
Hands-on Lab: Use the Azure Key Vault service to store keys and secrets (such as authentication keys, storage account keys, data encryption keys, .PFX files, and passwords) used to encrypt an Azure Virtual Machine (VM).
Stay Up to Date Using the Azure Security Center
Azure Security Center provides configuration analysis and advanced threat monitoring to help detect threats and scenarios that could lead to security breaches. It also helps your organization keep up with your side of the shared responsibility model by reviewing how your existing resources are configured and recommending actions that you can take within the platform to keep your environment safe. It’s important to remember that when Security Center makes recommendations, it’s up to you to take action on the suggestions that are right for your environment.
Security Center serves as a reminder to do the things you learn about in Cloud Academy’s Azure Security Solutions course: apply missing operating system patches, install anti-malware software, or enable a firewall to protect your virtual machines. It may recommend actions you can take for data storage, such as turning on auditing in Azure SQL Database, turning on transparent data encryption, or enabling at-rest encryption for Azure storage.
The recommendations are typically actionable from the Azure Security Center portal itself. You can install anti-malware software on a virtual machine or enable encryption at rest for storage in just a couple of clicks. You can dismiss recommendations individually, or set policies that govern which recommendations are relevant for your organization.
While the core experience and features are Microsoft first-party services, Microsoft has done a nice job of integrating third-party services into the experience as well. You will see both first-party and third-party solution recommendations that you can add to your security configuration.
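Acting on Security Center's data-storage recommendations from the command line rather than the portal, as an added Azure PowerShell example (not from the post or the Cloud Academy lab). It assumes the Az.Security and Az.Sql modules and an authenticated session; the server, database, resource group and storage account names are placeholders.

```powershell
# Added example: list active Security Center tasks, then apply two of the recommendations
# named above (SQL auditing and transparent data encryption) and verify the result.
# Resource group, SQL server, database and storage account names are placeholders.
$rg  = 'rg-prod-analytics'
$srv = 'sql-analytics-prod'
$db  = 'analyticsdb'
$sa  = Get-AzStorageAccount -ResourceGroupName $rg -Name 'stauditlogs001'

# What is Security Center currently asking you to fix?
Get-AzSecurityTask | Where-Object State -eq 'Active'

# Recommendation: turn on auditing for the database, retaining 90 days of audit logs in blob storage.
Set-AzSqlDatabaseAudit -ResourceGroupName $rg -ServerName $srv -DatabaseName $db `
    -BlobStorageTargetState Enabled -StorageAccountResourceId $sa.Id -RetentionInDays 90

# Recommendation: turn on transparent data encryption for the same database.
Set-AzSqlDatabaseTransparentDataEncryption -ResourceGroupName $rg -ServerName $srv `
    -DatabaseName $db -State Enabled

# Verify rather than assume: both should report Enabled.
(Get-AzSqlDatabaseAudit -ResourceGroupName $rg -ServerName $srv -DatabaseName $db).BlobStorageTargetState
(Get-AzSqlDatabaseTransparentDataEncryption -ResourceGroupName $rg -ServerName $srv -DatabaseName $db).State
```

Security Center re-evaluates the resources after the change, so the corresponding tasks drop out of the active list on its next assessment rather than immediately.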
Hands-on Lab: Take advantage of automatic security audits and recommendations to mitigate security risks identified by Azure Security Center.
The Azure Services for Security Engineers Learning Path is the ideal step if you want to gain a full understanding of security in Azure, Azure Active Directory, Azure Key Vault, and Azure Security Center, and it includes the three Hands-on Labs that I have listed in this post.
Watch this short video on Importing Encryption Keys with Key Vault, taken from the learning path