Keeping your cloud environment safe continues to be the top priority for the enterprise, followed by spending, according to RightScale’s 2018 State of the Cloud report.
The safety of your cloud environment—and the data and applications that your business runs on—depends on how well your teams understand and use the cloud security tools and services at your disposal.
What are the three must-use Azure Security Services?
Teams already building on Azure or those evaluating the platform for their next cloud deployments will want an understanding of how Azure handles the security of their organization’s Azure cloud environment, data, and applications. Azure provides a number of services that teams can employ to manage account access and to identify vulnerabilities. In this post, we’ll look at three services that should be part of your core security setup in Azure: Azure Active Directory, Azure Key Vault, and Azure Security Center.
Shared Responsibility Model
Before we jump into the specific services, it’s worth spending a minute discussing a concept fundamental to security in the cloud: the shared responsibility model. Public cloud providers like Azure and AWS operate under this shared responsibility model. When we put data on Azure or utilize Azure services, we’re trusting Azure to maintain the confidentiality, integrity, and availability of our valuable resources.
Indeed, for its part, Azure ensures the safety of its physical data centers, provides failover and geographic replication of data, and controls access to your data. It’s up to your team to put the appropriate security controls in place and to actually use the services that keep your data and applications safe.
You’re responsible for how you set up and authorize users in terms of identity and access management, and you’re responsible for safely storing and protecting your data. Let’s now step through three security services you should be using, keeping in mind that it’s your responsibility to configure and use them properly.
Securing Access with Azure Active Directory
Protecting your accounts—how they are used and who can access them—is an important part of cloud security. Azure Active Directory (AD) is Microsoft’s cloud-based directory and identity management service.
Azure AD allows you to control access to subscriptions, resource groups, and individual resources. This can be done at the individual or group level, and by user role. The larger the company or the more complex the system, the more roles you’re likely to have. For example, business analytics team members may need access to read the data in the storage account, but they should never need to deploy or maintain the application itself. Azure allows you to create a second role for team members with read-access to the storage account but no access to the web application.
Microsoft’s Identity and Access Management solution adopts many industry standards such as SAML, WS-Federation, and OAuth in addition to multi-factor authentication (MFA). Functioning as the middle layer, Azure AD securely connects users and applications to cloud services such as Office 365 and other enterprise applications.
Role-Based Access Control (RBAC) is how Microsoft allows administrators to limit user and group access to Azure resources. These resources can be anything from virtual machines and VNets to entire resource groups. Sample built-in roles include Owner (which has full control over everything and the right to delegate access to others) and Network Contributor, which can manage network-based resources. Each role consists of a set of permitted actions and the scopes where those actions can be applied. The Network Contributor role, for example, is permitted to read, write, and delete all network resources in its assigned scopes, such as a resource group containing production resources. There are also built-in Reader roles, which provide read-only access. In addition to the built-in roles, you can create fine-grained custom roles when the built-in roles don’t suit your needs.
It’s important to note that each subscription can grant up to 2,000 role assignments and create up to 2,000 custom roles. RBAC can be controlled through the Azure portal, PowerShell, the Azure CLI, and the REST API.
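A custom role for the business-analytics scenario above (read the storage account, no access to the web application), built and lint-checked in Python. This is an added example, not code from the post or the lab: the subscription id, resource-group name and role name are placeholders, and the lint rules (no wildcards, no non-read actions, no key-listing actions, scopes under a subscription) are this example’s own least-privilege checks.

```python
"""Build and lint an Azure custom role definition for least privilege.
The dict layout is the JSON accepted by `az role definition create
--role-definition @role.json` and `New-AzRoleDefinition`; ids are placeholders."""
import json

SUB_ID = "00000000-0000-0000-0000-000000000000"  # placeholder subscription id

# listKeys does not end in /read but returns the storage account keys, which
# grant full data-plane access: a "reader" role that includes it is not read-only.
KEY_EXPOSING = {"Microsoft.Storage/storageAccounts/listKeys/action"}


def analytics_reader_role(sub_id: str, rg: str) -> dict:
    """Analysts read the storage account and its blobs; no web app access."""
    return {
        "Name": "Analytics Storage Reader (custom)",
        "IsCustom": True,
        "Description": "Read storage accounts and blobs in one resource group.",
        "Actions": ["Microsoft.Storage/storageAccounts/read"],
        "NotActions": [],
        "DataActions": [
            "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
        ],
        "NotDataActions": [],
        "AssignableScopes": [f"/subscriptions/{sub_id}/resourceGroups/{rg}"],
    }


def lint_reader_role(role: dict) -> list:
    """Findings that break least privilege for a read-only role; [] is clean."""
    findings = []
    for action in role["Actions"] + role["DataActions"]:
        if "*" in action:
            findings.append(f"wildcard grants more than intended: {action}")
        elif action in KEY_EXPOSING:
            findings.append(f"key-exposing action in a reader role: {action}")
        elif not action.endswith("/read"):
            findings.append(f"non-read action in a reader role: {action}")
    for scope in role["AssignableScopes"]:
        if not scope.startswith("/subscriptions/"):
            findings.append(f"scope above subscription level: {scope}")
    return findings


def to_role_json(role: dict) -> str:
    """Serialize for `az role definition create --role-definition @role.json`."""
    return json.dumps(role, indent=2)
```

Run the lint before applying a definition; a role that passes can be created with the CLI or PowerShell command named in the docstring.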
Hands-on Lab: Follow the principle of least privilege for users as you manage access to Azure with RBAC. You will use Azure PowerShell to create a custom role, learn how to assign roles to users, and get tips on how to define your own custom roles.
Managing Secrets with Azure Key Vault
Secret keys and digital certificates are used to establish the authenticity of users and cloud applications. Azure Key Vault is a pay-as-you-go service for managing secrets and digital certificates. Azure Key Vault represents a shift in mindset for developers who are accustomed to deploying database connection strings, passwords, and other secrets along with their code. Key Vault implements a clean separation of duties so that developers can code, release engineers can deploy apps and services, and security specialists can manage secrets and digital certificates.
With this model, services and application code retrieve the keys, passwords, and connection strings at runtime from Azure Key Vault instead of reading them from a local config file deployed with the application itself. This has a few obvious benefits:
- It reduces the risk and exposure of accidentally checking in config files containing sensitive secrets
- It simplifies changes to passwords, keys, and other secrets between deployments
- It supports a separation of duties in the operational model where the people in charge of writing and deploying code don’t need access to sensitive credentials
Key Vault can perform cryptographic operations on behalf of users. For instance, Key Vault can generate a certificate with a policy setting that prevents the certificate’s private key from ever being retrievable from Azure Key Vault. In this case, the private key can never leave Azure Key Vault. Why is this a good thing? The benefit is that you can ask Azure Key Vault to perform cryptographic operations on your behalf using those certificates, such as signing or decryption, without ever exposing the key to application code. The private keys of certificates created in this manner are not only inaccessible to you; Microsoft employees can’t access them either. Azure Key Vault natively supports disaster recovery scenarios and logs key access and updates.
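The runtime-retrieval model described above, as an added example that is not code from the post or from Microsoft: application code asks Key Vault for the secret when it needs it, authenticating with the app’s own identity, so no connection string or password is deployed with the code. It uses the azure-identity and azure-keyvault-secrets SDKs; the vault URL, secret names and SQL host are placeholders, and the short-lived cache goes a step beyond the text by also picking up a secret rotated in the vault without a redeploy.

```python
"""Fetch secrets from Azure Key Vault at runtime instead of shipping them in a
config file. Uses the azure-identity and azure-keyvault-secrets SDKs; the vault
URL, secret names and server host are placeholders."""
import time
from typing import Callable, Dict, Tuple

VAULT_URL = "https://example-vault.vault.azure.net"  # placeholder


def keyvault_fetcher(vault_url: str) -> Callable[[str], str]:
    """Return a function reading a secret's latest version from Key Vault.
    The app signs in with its own identity (a managed identity when run in
    Azure), so no credential is deployed with the code."""
    from azure.identity import DefaultAzureCredential   # imported here so the
    from azure.keyvault.secrets import SecretClient    # module loads offline
    client = SecretClient(vault_url=vault_url, credential=DefaultAzureCredential())
    return lambda name: client.get_secret(name).value


class SecretStore:
    """Fetch on first use and cache for `ttl` seconds, so a secret rotated in
    the vault is picked up without a redeploy. `fetch` and `clock` are
    injectable so the store can be exercised without a real vault."""

    def __init__(self, fetch: Callable[[str], str], ttl: float = 300.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._fetch, self._ttl, self._clock = fetch, ttl, clock
        self._cache: Dict[str, Tuple[str, float]] = {}

    def get(self, name: str) -> str:
        now = self._clock()
        hit = self._cache.get(name)
        if hit is None or now - hit[1] >= self._ttl:
            value = self._fetch(name)  # raises if the secret does not exist:
            self._cache[name] = (value, now)  # no silent fallback to a default
        return self._cache[name][0]


def db_connection_string(store: SecretStore) -> str:
    """Assemble the connection string at runtime; none of it lives in a config file."""
    host = "example-sql.database.windows.net"  # placeholder
    return (f"Server=tcp:{host},1433;Database=app;"
            f"User ID={store.get('db-user')};Password={store.get('db-password')};")
```

In Azure the store is built as `SecretStore(keyvault_fetcher(VAULT_URL))`; the app’s identity needs only the vault’s get-secret permission, which is the separation of duties the section describes.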
Hands-on Lab: Use the Azure Key Vault service to store keys and secrets (such as authentication keys, storage account keys, data encryption keys, .PFX files, and passwords) used to encrypt an Azure Virtual Machine (VM).
Stay Up to Date Using the Azure Security Center
Azure Security Center provides configuration analysis and advanced threat monitoring to help detect threats and scenarios that could lead to security breaches. It also helps your organization keep up with your side of the shared responsibility model by reviewing how your existing resources are configured and recommending actions that you can take within the platform to keep your environment safe. It’s important to remember that when Security Center makes recommendations, it’s up to you to take action on the suggestions that are right for your environment.
Security Center serves as a reminder to do the things you learn about in Cloud Academy’s Azure Security Solutions course: apply missing operating system patches, install anti-malware software, or enable a firewall to protect your virtual machines. It may also recommend actions for data storage, such as turning on auditing for Azure SQL Database, turning on transparent data encryption, or enabling at-rest encryption for Azure Storage.
The recommendations are typically actionable from the Azure Security Center portal itself. You can install anti-malware software on a virtual machine or enable encryption at rest for storage in just a couple of clicks. You can dismiss recommendations individually, or set policies that govern which recommendations are relevant for your organization.
While the core experience and features are Microsoft first-party services, Microsoft has done a nice job of integrating third-party services into the experience as well. You will see both first-party and third-party solution recommendations that you can add to your security configuration.
Hands-on Lab: Take advantage of automatic security audits and recommendations to mitigate security risks identified by Azure Security Center.
The Azure Services for Security Engineers Learning Path is the ideal step if you want to gain a full understanding of security in Azure, Azure Active Directory, Azure Key Vault, and Azure Security Center, and it includes the three Hands-on Labs that I have listed in this post.