Three Must-Use Azure Security Services

Keeping your cloud environment safe continues to be the top priority for the enterprise, followed by spending, according to RightScale’s 2018 State of the Cloud report.

The safety of your cloud environment—and the data and applications that your business runs on—depends on how well your teams understand and use the cloud security tools and services at your disposal.

What are the three must-use Azure Security Services?

Teams already building on Azure or those evaluating the platform for their next cloud deployments will want an understanding of how Azure handles the security of their organization’s Azure cloud environment, data, and applications. Azure provides a number of services that teams can employ to manage account access and to identify vulnerabilities. In this post, we’ll look at three services that should be part of your core security setup in Azure: Azure Active Directory, Azure Key Vault, and Azure Security Center.  

Shared Responsibility Model

Before we jump into the specific services, it’s worth spending a minute discussing a concept fundamental to security in the cloud: the shared responsibility model. Public cloud providers like Azure and AWS operate under this shared responsibility model. When we put data on Azure or utilize Azure services, we’re trusting Azure to maintain the confidentiality, integrity, and availability of our valuable resources.

Indeed, for its part, Azure ensures the safety of physical data centers, provides failover and geographic replication of data, and controls access to your data. It’s up to your team to put the appropriate security controls in place and to use the services that keep your data and applications safe.

You’re responsible for how you set up and authorize users in terms of identity and access management, and you’re responsible for safely storing and protecting your data. Let’s now step through three security services you should be using, keeping in mind that it’s your responsibility to configure and use them properly.

Securing Access with Azure Active Directory

Protecting your accounts—how they are used and who can access them—is an important part of cloud security. Azure Active Directory (AD) is Microsoft’s cloud-based directory and identity management service.

Azure AD allows you to control access to subscriptions, resource groups, and individual resources. This can be done at the individual or group level, and by user role. The larger the company or the more complex the system, the more roles you’re likely to have. For example, business analytics team members may need access to read the data in the storage account, but they should never need to deploy or maintain the application itself. Azure allows you to create a second role for team members with read-access to the storage account but no access to the web application.

Microsoft’s Identity and Access Management solution adopts many industry standards such as SAML, WS-Federation, and OAuth in addition to multi-factor authentication (MFA). Functioning as the middle layer, Azure AD securely connects users and applications to cloud services such as Office 365 and other enterprise applications.

Role-Based Access Control (RBAC)

RBAC is how Microsoft allows administrators to limit user and group access to Azure resources. These resources can be anything from virtual machines and VNets to entire resource groups. Sample built-in roles include Owner (which has full control over everything and the right to delegate access to others) and Network Contributor, which can manage network-based resources. Each role comprises a set of permitted actions and the scopes where those actions can be applied. The Network Contributor role, for example, is permitted to read, write, and delete all network resources in its assigned scopes, such as a resource group containing production resources. There are also built-in Reader roles, which provide read-only access. In addition to the built-in roles, you can create fine-grained custom roles when the built-in roles don’t suit your needs.

It’s important to note that each subscription can grant up to 2,000 role assignments and create up to 2,000 custom roles. RBAC can be controlled through the Azure portal, PowerShell, the Azure CLI, and the REST API.
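The following is an added illustration, not Azure’s code: a small Python model of how the role definitions and assignments described above combine at evaluation time. It encodes the documented rules (Actions and NotActions per role, AssignableScopes limiting where a role may be assigned, assignments inheriting down the scope hierarchy, and additive evaluation across assignments) and plays through the analytics-team scenario from this post. The subscription, resource group and resource identifiers are placeholders, the two custom roles are hypothetical, and deny assignments and data-plane actions are deliberately left out of the model.

```python
"""Simplified model of Azure RBAC evaluation (an added illustration, not Azure code).

Rules modelled: a role definition lists Actions, NotActions and AssignableScopes;
a role assignment binds a principal to a role at a scope; an assignment covers that
scope and everything beneath it; access is the union of all matching assignments;
NotActions only subtract from their own role. Deny assignments and DataActions are
deliberately left out.
"""
import fnmatch
from dataclasses import dataclass, field

# Placeholder identifiers (constructed for this example, not real resources).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG_PROD = SUB + "/resourceGroups/rg-prod"
STORAGE = RG_PROD + "/providers/Microsoft.Storage/storageAccounts/stprod"
WEBAPP = RG_PROD + "/providers/Microsoft.Web/sites/web-prod"


@dataclass
class RoleDefinition:
    name: str
    actions: list
    not_actions: list = field(default_factory=list)
    assignable_scopes: list = field(default_factory=lambda: [SUB])


@dataclass
class RoleAssignment:
    principal: str
    role: str
    scope: str


# Two built-in roles as the post describes them, plus two hypothetical custom roles:
# one giving the analytics team read access to the storage account only, and one
# that uses NotActions to carve the key-listing action out of a broader grant.
ROLES = {
    "Owner": RoleDefinition("Owner", actions=["*"]),
    "Reader": RoleDefinition("Reader", actions=["*/read"]),
    "Storage Account Reader (custom)": RoleDefinition(
        "Storage Account Reader (custom)",
        actions=["Microsoft.Storage/storageAccounts/read"],
        assignable_scopes=[RG_PROD],
    ),
    "Storage Operator No Keys (custom)": RoleDefinition(
        "Storage Operator No Keys (custom)",
        actions=["Microsoft.Storage/storageAccounts/*"],
        not_actions=["Microsoft.Storage/storageAccounts/listKeys/action"],
        assignable_scopes=[RG_PROD],
    ),
}


def _matches(pattern: str, action: str) -> bool:
    """Azure action strings compare case-insensitively and '*' is a wildcard."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _within(scope: str, resource_id: str) -> bool:
    """True if resource_id equals scope or lies beneath it in the hierarchy."""
    s, r = scope.lower(), resource_id.lower()
    return r == s or r.startswith(s + "/")


def assign(principal: str, role_name: str, scope: str) -> RoleAssignment:
    """Create an assignment, refusing scopes outside the role's AssignableScopes."""
    role = ROLES[role_name]
    if not any(_within(allowed, scope) for allowed in role.assignable_scopes):
        raise ValueError(f"{role_name!r} cannot be assigned at {scope}")
    return RoleAssignment(principal, role_name, scope)


def is_allowed(principal: str, action: str, resource_id: str, assignments) -> bool:
    """Additive evaluation: any one assignment that grants the action suffices."""
    for asg in assignments:
        if asg.principal != principal or not _within(asg.scope, resource_id):
            continue
        role = ROLES[asg.role]
        granted = any(_matches(p, action) for p in role.actions)
        excluded = any(_matches(p, action) for p in role.not_actions)
        if granted and not excluded:
            return True
    return False


def demo() -> dict:
    """Least-privilege scenario from the post: analysts read storage, nothing else."""
    assignments = [
        assign("ops-admin", "Owner", SUB),
        assign("analyst", "Storage Account Reader (custom)", STORAGE),
        assign("operator", "Storage Operator No Keys (custom)", RG_PROD),
    ]
    read_sa = "Microsoft.Storage/storageAccounts/read"
    write_sa = "Microsoft.Storage/storageAccounts/write"
    list_keys = "Microsoft.Storage/storageAccounts/listKeys/action"
    return {
        "analyst_reads_storage": is_allowed("analyst", read_sa, STORAGE, assignments),
        "analyst_writes_storage": is_allowed("analyst", write_sa, STORAGE, assignments),
        "analyst_reads_webapp": is_allowed("analyst", "Microsoft.Web/sites/read", WEBAPP, assignments),
        "operator_writes_storage": is_allowed("operator", write_sa, STORAGE, assignments),
        "operator_lists_keys": is_allowed("operator", list_keys, STORAGE, assignments),
        "admin_lists_keys": is_allowed("ops-admin", list_keys, STORAGE, assignments),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Two points the run makes concrete: the analyst’s assignment sits on the storage account, so a read on the web app in the same resource group is simply out of scope, and NotActions in the operator’s custom role do not affect the Owner assignment, because RBAC is additive and each role is evaluated on its own.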

Hands-on Lab:
Follow the principle of least privilege for users as you manage access to Azure with RBAC. You will use Azure PowerShell to create a custom role, learn how to assign roles to users, and get tips on how to define your own custom roles.

Manage Access to Azure with Role-Based Access Control

Managing Secrets with Azure Key Vault

Secret keys and digital certificates are used to establish the authenticity of users and cloud applications. Azure Key Vault is a pay-as-you-go service for managing secrets and digital certificates. Azure Key Vault represents a shift in mindset for developers who are accustomed to deploying database connection strings, passwords, and other secrets along with their code. Key Vault implements a clean separation of duties so that developers can code, release engineers can deploy apps and services, and security specialists can manage secrets and digital certificates.

With this model, services and application code retrieve the keys, passwords, and connection strings at runtime from Azure Key Vault instead of reading them from a local config file deployed with the application itself. This has a few obvious benefits:

  • It reduces the risk and exposure of accidentally checking in config files containing sensitive secrets
  • It simplifies changes to passwords, keys, and other secrets between deployments
  • It supports a separation of duties in the operational model where the people in charge of writing and deploying code don’t need access to sensitive credentials

Key Vault can perform cryptographic operations on behalf of users. For instance, Key Vault can generate a certificate with a policy setting that prevents the certificate’s private key from ever being retrievable from Azure Key Vault. In this case, the private key can never leave Azure Key Vault. Why is this a good thing? The benefit is that you can ask Azure Key Vault to perform cryptographic operations on your behalf using those certificates, such as signing or decryption, without ever exposing the key to application code. Certificates created in this manner are not only inaccessible to you. Microsoft employees can’t access them either. Azure Key Vault natively supports disaster recovery scenarios and logs key access and updates.
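As an added example (not Azure’s or the post’s code), here is a Python check that flags the “before” situation the section above warns about, secrets embedded in a deployed config file, and accepts the “after” form, where the file holds only Key Vault references that are resolved at runtime. The reference syntax is the one App Service understands for Key Vault references; the two sample config files, the secret values inside them, the vault name and the stand-in `fetch_secret` lookup are all constructed for this illustration.

```python
"""Added example (not Azure's code): flag plaintext secrets in application config
and accept Key Vault references, which are resolved at runtime instead.

Reference syntax is the App Service Key Vault reference form:
@Microsoft.KeyVault(SecretUri=...) or @Microsoft.KeyVault(VaultName=...;SecretName=...).
Sample config files and secret values are constructed for illustration.
"""
import re

# Secret shapes the post mentions being deployed with code: storage account keys,
# database passwords, SAS tokens and private keys.
SECRET_PATTERNS = {
    "storage account key": re.compile(r"AccountKey=[A-Za-z0-9+/=]{20,}"),
    "connection string password": re.compile(r"(?i)password=[^;\"']+"),
    "SAS token": re.compile(r"(?i)[?&;]sig=[A-Za-z0-9%]+"),
    "private key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}

KV_REFERENCE = re.compile(
    r"^@Microsoft\.KeyVault\("
    r"(SecretUri=https://[^/)]+\.vault\.azure\.net/secrets/[^)]+"
    r"|VaultName=[^;)]+;SecretName=[^;)]+(?:;SecretVersion=[^;)]+)?)\)$"
)


def _leaves(obj, path=""):
    """Yield (path, value) for each string leaf of a JSON-like object."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from _leaves(value, f"{path}/{key}" if path else key)
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            yield from _leaves(value, f"{path}[{i}]")
    elif isinstance(obj, str):
        yield path, obj


def find_plaintext_secrets(config):
    """Return [(path, kind)] for settings that embed a secret instead of a Key Vault reference."""
    findings = []
    for path, value in _leaves(config):
        if KV_REFERENCE.match(value):
            continue  # only a pointer is stored here; the secret lives in Key Vault
        for kind, pattern in SECRET_PATTERNS.items():
            if pattern.search(value):
                findings.append((path, kind))
                break
    return findings


def resolve_config(config, fetch_secret):
    """Replace each Key Vault reference with the value fetch_secret(reference) returns.

    In production fetch_secret would call Key Vault using the app's identity; here
    the caller supplies it, so the example runs offline.
    """
    if isinstance(config, dict):
        return {k: resolve_config(v, fetch_secret) for k, v in config.items()}
    if isinstance(config, list):
        return [resolve_config(v, fetch_secret) for v in config]
    if isinstance(config, str) and KV_REFERENCE.match(config):
        return fetch_secret(config)
    return config


# Constructed sample: the "before" file that ships secrets with the code ...
WEAK_CONFIG = {
    "ConnectionStrings": {
        "Sql": "Server=tcp:sqlprod.database.windows.net;Database=app;User ID=appuser;Password=Example-Pa55w0rd;",
    },
    "Storage": "DefaultEndpointsProtocol=https;AccountName=stprod;AccountKey=EXAMPLEKEYexamplekey0123456789ABCDEFGHIJ==",
    "Logging": {"Level": "Information"},
}

# ... and the "after" file that only carries references (vault name is a placeholder).
HARDENED_CONFIG = {
    "ConnectionStrings": {
        "Sql": "@Microsoft.KeyVault(SecretUri=https://example-vault.vault.azure.net/secrets/SqlConnection/)",
    },
    "Storage": "@Microsoft.KeyVault(VaultName=example-vault;SecretName=StorageConnection)",
    "Logging": {"Level": "Information"},
}


def demo():
    """Scan both files, then show the hardened one being resolved at runtime."""
    fake_vault = {  # stands in for Key Vault; constructed values
        HARDENED_CONFIG["ConnectionStrings"]["Sql"]: "Server=...;Password=<from-vault>;",
        HARDENED_CONFIG["Storage"]: "AccountName=stprod;AccountKey=<from-vault>",
    }
    return {
        "weak": find_plaintext_secrets(WEAK_CONFIG),
        "hardened": find_plaintext_secrets(HARDENED_CONFIG),
        "resolved_storage": resolve_config(HARDENED_CONFIG, fake_vault.__getitem__)["Storage"],
    }


if __name__ == "__main__":
    print(demo())
```

A check like `find_plaintext_secrets` belongs in a pre-commit hook or CI step, which is where it removes the accidental-check-in risk listed above; `resolve_config` shows the other half of the model, the secret reaching memory only when the application starts, never the repository.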

Hands-on Lab:
Use the Azure Key Vault service to store keys and secrets (such as authentication keys, storage account keys, data encryption keys, .PFX files, and passwords) used to encrypt an Azure Virtual Machine (VM).
Azure Key Vault and Disk Encryption

Stay Up to Date Using the Azure Security Center

Azure Security Center provides configuration analysis and advanced threat monitoring to help detect threats and scenarios that could lead to security breaches. It also helps your organization keep up with your side of the shared responsibility model by reviewing how your existing resources are configured and recommending actions that you can take within the platform to keep your environment safe. It’s important to remember that when Security Center makes recommendations, it’s up to you to take action on the suggestions that are right for your environment.

Security Center serves as a reminder to do the things you learn about in Cloud Academy’s Azure Security Solutions course: apply missing operating system patches, install anti-malware software, or enable a firewall to protect your virtual machines. It may recommend actions you can take for data storage, such as turning on auditing in Azure SQL Database, turning on transparent data encryption, or enabling at-rest encryption for Azure Storage.

The recommendations are typically actionable from the Azure Security Center portal itself. You can install anti-malware software on a virtual machine or enable encryption at rest for storage in just a couple of clicks. You can dismiss recommendations individually, or set policies that govern which recommendations are relevant for your organization.
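To make the configuration-analysis idea in the last three paragraphs concrete, here is an added toy analyser in Python (it is not Microsoft’s code and does not reproduce Security Center’s actual checks). It walks a set of resource records, emits the recommendations named above where a gap exists, and supports both handling options the post mentions: dismissing one finding on one resource, or a policy that disables a recommendation for the whole organization. The resource records, field names and severities are constructed for this illustration.

```python
"""Added example (not Microsoft's code): a toy configuration analyser in the spirit
of Security Center's recommendations. Resource records, field names and severities
are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    resource_id: str
    recommendation: str
    severity: str


SEVERITY_RANK = {"High": 0, "Medium": 1, "Low": 2}

# (recommendation, resource type it applies to, severity, predicate true when the gap exists)
CHECKS = [
    ("Apply missing OS patches", "Microsoft.Compute/virtualMachines", "High",
     lambda r: r.get("missing_patches", 0) > 0),
    ("Install anti-malware", "Microsoft.Compute/virtualMachines", "Medium",
     lambda r: not r.get("antimalware", False)),
    ("Enable a firewall (NSG) on the VM", "Microsoft.Compute/virtualMachines", "High",
     lambda r: not r.get("nsg_attached", False)),
    ("Enable SQL auditing", "Microsoft.Sql/servers", "Medium",
     lambda r: not r.get("auditing", False)),
    ("Enable transparent data encryption", "Microsoft.Sql/servers", "High",
     lambda r: not r.get("tde", False)),
    ("Enable encryption at rest", "Microsoft.Storage/storageAccounts", "High",
     lambda r: not r.get("encryption_at_rest", False)),
]


def assess(resources, disabled_recommendations=frozenset(), dismissed=frozenset()):
    """Return findings sorted by severity.

    disabled_recommendations: policy-level switch, removes a check for every resource.
    dismissed: set of (resource_id, recommendation) pairs dismissed individually.
    """
    findings = []
    for resource in resources:
        for recommendation, rtype, severity, has_gap in CHECKS:
            if resource["type"] != rtype or recommendation in disabled_recommendations:
                continue
            if has_gap(resource) and (resource["id"], recommendation) not in dismissed:
                findings.append(Finding(resource["id"], recommendation, severity))
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], f.resource_id))


# Constructed inventory snapshot; ids are short placeholders, not real resource ids.
SAMPLE_RESOURCES = [
    {"id": "vm-web01", "type": "Microsoft.Compute/virtualMachines",
     "missing_patches": 12, "antimalware": False, "nsg_attached": True},
    {"id": "sql-prod", "type": "Microsoft.Sql/servers", "auditing": False, "tde": True},
    {"id": "sql-dev", "type": "Microsoft.Sql/servers", "auditing": False, "tde": False},
    {"id": "stprod", "type": "Microsoft.Storage/storageAccounts", "encryption_at_rest": False},
]


def demo():
    """Run the analyser with and without organizational policy applied."""
    everything = assess(SAMPLE_RESOURCES)
    # Policy: anti-malware is covered by a third-party agent, so that recommendation
    # is disabled for the whole organization; the auditing finding on the dev SQL
    # server is dismissed individually, while the production one stays open.
    after_policy = assess(
        SAMPLE_RESOURCES,
        disabled_recommendations={"Install anti-malware"},
        dismissed={("sql-dev", "Enable SQL auditing")},
    )
    return {"all": everything, "after_policy": after_policy}


if __name__ == "__main__":
    for finding in demo()["after_policy"]:
        print(f"[{finding.severity}] {finding.resource_id}: {finding.recommendation}")
```

The output is a list of recommendations, nothing more; as the section says, acting on them is your side of the shared responsibility model, and a dismissal or a policy exception should be a deliberate, recorded decision rather than a way to make the list shorter.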

While the core experience and features are Microsoft first-party services, they’ve done a nice job of integrating third-party services into the experience as well. You will see both first-party and third-party solution recommendations that you can add to your security configuration.

Hands-on Lab:
Take advantage of automatic security audits and recommendations to mitigate security risks identified by Azure Security Center.

Secure Your Cloud with Azure Security Center

The Azure Services for Security Engineers Learning Path is the ideal step if you want to gain a full understanding of security in Azure, Azure Active Directory, Azure Key Vault, and Azure Security Center, and it includes the three Hands-on Labs that I have listed in this post.

Watch this short video on Importing Encryption Keys with Key Vault, taken from the learning path.

Written by

Logan Rakai

Logan has been involved in software development and research for over ten years, including four years in the cloud. At Cloud Academy, he is adding to the library of hands-on labs.
