Keeping your cloud environment safe continues to be the top priority for the enterprise, followed by spending, according to RightScale’s 2018 State of the Cloud report.
The safety of your cloud environment—and the data and applications that your business runs on—depends on how well your teams understand and use the cloud security tools and services at your disposal.
What are the three must-use Azure Security Services?
Teams already building on Azure or those evaluating the platform for their next cloud deployments will want an understanding of how Azure handles the security of their organization’s Azure cloud environment, data, and applications. Azure provides a number of services that teams can employ to manage account access and to identify vulnerabilities. In this post, we’ll look at three services that should be part of your core security setup in Azure: Azure Active Directory, Azure Key Vault, and Azure Security Center.
Shared Responsibility Model
Before we jump into the specific services, it’s worth spending a minute discussing a concept fundamental to security in the cloud: the shared responsibility model. Public cloud providers like Azure and AWS operate under this shared responsibility model. When we put data on Azure or utilize Azure services, we’re trusting Azure to maintain the confidentiality, integrity, and availability of our valuable resources.
Indeed, for its part, Azure ensures the safety of physical data centers, provides failover and geographic replication of data and controls access to your data. It’s up to your team to actually put the appropriate security controls in place and actually use the services to keep your data and applications safe.
You’re responsible for how you set up and authorize users in terms of identity and access management, and you’re responsible for safely storing and protecting your data. Let’s now step through three security services you should be using, keeping in mind that it’s your responsibility to configure and use them properly.
Securing Access with Azure Active Directory
Protecting your accounts—how they are used and who can access them—is an important part of cloud security. Azure Active Directory (AD) is Microsoft’s cloud-based directory and identity management service.
Azure AD allows you to control access to subscriptions, resource groups, and individual resources. This can be done at the individual or group level, and by user role. The larger the company or the more complex the system, the more roles you’re likely to have. For example, business analytics team members may need access to read the data in the storage account, but they should never need to deploy or maintain the application itself. Azure allows you to create a second role for team members with read-access to the storage account but no access to the web application.
Microsoft’s Identity and Access Management solution adopts many industry standards such as SAML, WS-Federation, and OAuth in addition to multi-factor authentication (MFA). Functioning as the middle layer, Azure AD securely connects users and applications to cloud services such as Office 365 and other enterprise applications.
Role-Based Access and Control (RBAC) is how Microsoft allows administrators to limit user and group access to Azure resources. These resources can be anything from virtual machines, VNets, or even entire resource groups. Sample built-in roles include Owner (which has full control over everything and the right to delegate access to others) and Network Contributor, which can manage network-based resources. Each role is comprised of a set of permitted actions and scopes where the actions can be applied. The Network Contributor role is permitted to read, write, and delete all network resources in the assigned scopes, for example, in a resource group containing production resources. There are also built-in Reader roles, which provide read-only access. In addition to the built-in roles, you can also create fine-grained custom roles when the built-in roles don’t suit your needs.
It’s important to note that each subscription can grant up to 2,000 role assignments and create up to 2,000 custom roles. RBAC can be controlled through the Azure portal, PowerShell, the Azure CLI, and the REST API.
Hands-on Lab: Follow the principle of least privilege for users as you manage access to Azure with RBAC. You will use Azure PowerShell to create a custom role, learn how to assign roles to users, and get tips on how to define your own custom roles.
Managing Secrets with Azure Key Vault
Secret keys and digital certificates are used to establish the authenticity of users and cloud applications. Azure Key Vault is a pay-as-you-go service for managing secrets and digital certificates. Azure Key Vault represents a mind shift for developers who are accustomed to deploying database connection strings, passwords, and other secrets along with their code. Key Vault implements a clean separation of duties so that developers can code, release engineers can deploy apps and services, and security specialists can manage secrets and digital certificates.
With this model, services and application code retrieve the keys, passwords, and connection strings at runtime from Azure Key Vault instead of reading them from a local config file deployed with the application itself. This has a few obvious benefits:
- It reduces the risk and exposure of accidentally checking in config files containing sensitive secrets
- It simplifies changes to passwords, keys, and other secrets between deployments
- It supports a separation of duties in the operational model where the people in charge of writing and deploying code don’t need access to sensitive credentials
Key Vault can perform cryptographic operations on behalf of users. For instance, Key Vault can generate a certificate with a policy setting that prevents the certificate’s private key from ever being retrievable from Azure Key Vault. In this case, the private key can never leave Azure Key Vault. Why is this a good thing? The benefit is that you can ask Azure Key Vault to perform cryptographic operations on your behalf using those certificates, such as signing or decryption, without ever exposing the key to application code. Certificates created in this manner are not only inaccessible to you. Microsoft employees can’t access them either. Azure Key Vault natively supports disaster recovery scenarios and logs key access and updates.
Hands-on Lab: Use the Azure Key Vault service to store keys and secrets (such as authentication keys, storage account keys, data encryption keys, .PFX files, and passwords) used to encrypt an Azure Virtual Machine (VM).
Stay Up to Date Using the Azure Security Center
Azure Security Center provides configuration analysis and advanced threat monitoring to help detect threats and scenarios that could lead to security breaches. It also helps your organization keep up with your side of the shared responsibility model by reviewing how your existing resources are configured and recommending actions that you can take within the platform to keep your environment safe. It’s important to remember that when Security Center makes recommendations, it’s up to you to take action on the suggestions that are right for your environment.
Security Center serves as a reminder to do the things you learn about in Cloud Academy’s Azure Security Solutions course: apply missing operating systems patches, install anti-malware software, or enable a firewall to protect your virtual machines. It may recommend actions you can take for data storage, such as turning on auditing in Azure’s SQL database, turning on transparent data encryption, or enabling at-rest encryption for Azure storage.
The recommendations are typically actionable from the Azure Security Center portal itself. You can install anti-malware software on a virtual machine or enable encryption at rest for storage in just a couple of clicks. You can dismiss recommendations individually, or set policies that govern which recommendations are relevant for your organization.
While the core experience and features are Microsoft first-party services, they’ve done a nice job of integrating third-party services into the experience as well. You will see both first-party and third-party solution recommendations that you can add to your security configuration.
Hands-on Lab: Take advantage of automatic security audits and recommendations to mitigate security risks identified by Azure Security Center.
The Azure Services for Security Engineers Learning Path is the ideal step if you want to gain a full understanding of security in Azure, Azure Active Directory, Azure Key Vault, and Azure Security Center, and it includes the three Hands-on Labs that I have listed in this post.
Watch this short video on Importing Encryption Keys with Key Vault, taken from the learning path
New Content: Platforms, Programming, and DevOps – Something for Everyone
This month our team of expert certification specialists released three new or updated learning paths, 16 courses, 13 hands-on labs, and four lab challenges! New content on Cloud Academy You can always visit our Content Roadmap to see what’s just released as well as what’s coming soon....
New Content: Focus on DevOps and Programming Content this Month
This month our team of expert certification specialists released 12 new or updated learning paths, 15 courses, 25 hands-on labs, and four lab challenges! New content on Cloud Academy You can always visit our Content Roadmap to see what’s just released as well as what’s coming soon. Ja...
New Content: Get Ready for the CISM Cert Exam & Learn About Alibaba, Plus All the AWS, GCP, and Azure Courses You Know You Can Count On
This month our team of intrepid certification specialists released five learning paths, seven courses, 19 hands-on labs, and three lab challenges! One particularly interesting new learning path is Certified Information Security Manager (CISM) Foundations. After completing this learn...
Which Certifications Should I Get?
The old AWS slogan, “Cloud is the new normal” is indeed a reality today. Really, cloud has been the new normal for a while now and getting credentials has become an increasingly effective way to quickly showcase your abilities to recruiters and companies. With all that in mind, the s...
New Content: AWS Terraform, Java Programming Lab Challenges, Azure DP-900 & DP-300 Certification Exam Prep, Plus Plenty More Amazon, Google, Microsoft, and Big Data Courses
This month our Content Team continues building the catalog of courses for everyone learning about AWS, GCP, and Microsoft Azure. In addition, this month’s updates include several Java programming lab challenges and a couple of courses on big data. In total, we released five new learning...
WARNING: Great Cloud Content Ahead
At Cloud Academy, content is at the heart of what we do. We work with the world’s leading cloud and operations teams to develop video courses and learning paths that accelerate teams and drive digital transformation. First and foremost, we listen to our customers’ needs and we stay ahea...
New Content: AWS Data Analytics – Specialty Certification, Azure AI-900 Certification, Plus New Learning Paths, Courses, Labs, and More
This month our Content Team released two big certification Learning Paths: the AWS Certified Data Analytics - Speciality, and the Azure AI Fundamentals AI-900. In total, we released four new Learning Paths, 16 courses, 24 assessments, and 11 labs. New content on Cloud Academy At any ...
New Content: Azure DP-100 Certification, Alibaba Cloud Certified Associate Prep, 13 Security Labs, and Much More
This past month our Content Team served up a heaping spoonful of new and updated content. Not only did our experts release the brand new Azure DP-100 Certification Learning Path, but they also created 18 new hands-on labs — and so much more! New content on Cloud Academy At any time, y...
Constant Content: Cloud Academy’s Q3 2020 Roadmap
Hello — Andy Larkin here, VP of Content at Cloud Academy. I am pleased to release our roadmap for the next three months of 2020 — August through October. Let me walk you through the content we have planned for you and how this content can help you gain skills, get certified, and...
New Content: Alibaba, Azure AZ-303 and AZ-304, Site Reliability Engineering (SRE) Foundation, Python 3 Programming, 16 Hands-on Labs, and Much More
This month our Content Team did an amazing job at publishing and updating a ton of new content. Not only did our experts release the brand new AZ-303 and AZ-304 Certification Learning Paths, but they also created 16 new hands-on labs — and so much more! New content on Cloud Academy At...
Blog Digest: Which Certifications Should I Get?, The 12 Microsoft Azure Certifications, 6 Ways to Prevent a Data Breach, and More
This month, we were excited to announce that Cloud Academy was recognized in the G2 Summer 2020 reports! These reports highlight the top-rated solutions in the industry, as chosen by the source that matters most: customers. We're grateful to have been nominated as a High Performer in se...
New Content: AWS, Azure, Typescript, Java, Docker, 13 New Labs, and Much More
This month, our Content Team released a whopping 13 new labs in real cloud environments! If you haven't tried out our labs, you might not understand why we think that number is so impressive. Our labs are not “simulated” experiences — they are real cloud environments using accounts on A...