Top 5 Azure Security Best Practices - CYBRI


BY Paul Kubler

Microsoft Azure is a global cloud infrastructure serving thousands of clients. Azure is very similar to any other data center. Workloads ranging from distributed Kubernetes clusters to .NET applications to Software-as-a-Service (SaaS) products run on Azure. Microsoft offers Azure as a cloud subscription.

As a result, knowing the ins and outs of Azure security best practices is a must for enterprises that depend on Microsoft’s cloud platform.

Azure Security Best Practices You Need to Know

Microsoft offers several security protection capabilities, including:

  • Distributed denial of service attack protection
  • Brute Force Attack prevention 
  • Firewall Protection Policies
  • SQL Threat Detection
  • Additional threat analysis, including malware and ransomware
  • Protection against email phishing attacks on O365
  • Protection against attacks on vulnerable machines

Understand the shared responsibility model

It is critical for cloud security professionals to have a firm understanding of the division of responsibilities shared between the Azure tenant and Microsoft. The division of responsibility varies for each Azure service, but at a high level, you handle your data and manage access to that data. Depending on what service you are consuming, Microsoft will provide service-level agreements for the Azure instances.

Before taking on shared responsibility for security in the cloud, it is worth reviewing the Shared Responsibilities for Cloud Computing white paper provided by Microsoft. Cloud providers offer considerable advantages in security, but these advantages do not exempt the customer from protecting their users, applications, and services. The tenant is always responsible for the data itself. Cloud providers, most times, will not offer data protection services.

Leveraging 3rd party pen testing for Azure Cloud

Microsoft does not perform pen testing against clients’ applications. Microsoft focuses more on delivering a virtual private cloud instance and container instances via a hosted Kubernetes environment, along with access to several Microsoft-hosted Azure services, including O365, Intune for mobile device management, and FedRAMP-certified cloud instances. Deployed Azure virtual machines come with several Microsoft best practices, including network access controls, Azure Active Directory services, and disk encryption. Security vulnerabilities exist in every system. As such, Microsoft recommends engaging 3rd party cloud pen testers to validate security within the virtual machines, look for any security risks and potential security issues, and verify all aspects of security prior to the application being installed.

Clients are ultimately responsible for performing normal security due diligence. For the Microsoft-hosted applications, the company does patch its systems with critical security updates. Microsoft takes the client’s current cloud security posture seriously. Changes to security settings within the virtual environment still fall under the client’s responsibility. Items like database security, container security, and other basic security paradigm items also fall under the client’s responsibility.

Microsoft offers several enhanced security options, including log management, event management, and security operations. In some parts of the Azure platform, Microsoft limits client access. In many parts of the control plane within the cloud orchestration layer, clients will not have visibility.

Compliance

What standards and regulations (e.g. PCI-DSS, ISO 27001, HIPAA) apply to your organization? Knowing what compliance frameworks you plan to align to helps in the initial design and deployment of services inside of Azure.

The Azure central Security Center, compliance dashboards, and Azure Security Benchmark help you identify how close you are to compliance across a wide range of standards. Azure Security Benchmark provides recommendations you can follow to move closer to full compliance. Using these tools helps you simplify compliance in the cloud.

Knowing Microsoft Azure Security Center

Several security features are available within the Microsoft Azure Security Center for us to take advantage of. Every cloud environment offers clients a series of provisioning services, including SSH access, administrative access to the virtual machines, and Azure AD-based services. Clients access these features through the Azure central Security Center.

Microsoft encourages clients to load other enhanced server and endpoint protection technologies within the virtual machines. Microsoft will load system monitoring agents on all virtual machines. Once the monitoring agent is enabled, Microsoft will recommend settings in the security policy.

Use a centralized security management system

Tenants should monitor servers for corrective updates, configuration, events, and activities that may be security issues. Clients will leverage the Azure central Security Center. The management center analyzes the configuration of the underlying infrastructure, such as network configuration and the use of virtual appliances.

Azure Security Center constantly evaluates the security status of Azure resources to identify potential vulnerabilities. Here is a list of proactive security measures and capabilities Microsoft recommends:

  • Anti-malware software to identify and remove malware
  • Configure private VLAN network security groups and access control rules to control traffic to virtual machines
  • Provisioning web application firewalls against targeted attacks
  • Install missing system updates on a regular cadence
  • Remove virtual machines prior to any repair on the operating system configurations
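The network security group item above can be checked offline against an exported rule set. The following is an added example, not code from the original article or from Microsoft: it flags NSGs whose decisive inbound rule admits the whole Internet to SSH or RDP. Field names assume the shape of `az network nsg list -o json` output, and the sample NSGs and the `_rule` helper are constructed for illustration.

```python
MGMT_PORTS = {22: "SSH", 3389: "RDP"}          # administrative ports to check
OPEN_SOURCES = {"*", "internet", "0.0.0.0/0"}  # source prefixes meaning "anyone"

def _values(rule, single, plural):
    """Merge the singular and plural forms of an NSG rule field."""
    vals = list(rule.get(plural) or [])
    if rule.get(single):
        vals.append(rule[single])
    return vals

def _covers_port(rule, port):
    for rng in _values(rule, "destinationPortRange", "destinationPortRanges"):
        lo, _, hi = rng.partition("-")
        if rng == "*" or int(lo) <= port <= int(hi or lo):
            return True
    return False

def _from_anywhere(rule):
    srcs = _values(rule, "sourceAddressPrefix", "sourceAddressPrefixes")
    return any(s.lower() in OPEN_SOURCES for s in srcs)

def exposed_mgmt_ports(nsg):
    """Return (nsg, rule, port) tuples where the decisive inbound TCP rule
    (lowest priority number matches first) admits the whole Internet."""
    rules = sorted((r for r in nsg.get("securityRules", [])
                    if r["direction"].lower() == "inbound"
                    and r["protocol"].lower() in ("tcp", "*")
                    and _from_anywhere(r)), key=lambda r: r["priority"])
    findings = []
    for port in MGMT_PORTS:
        decisive = next((r for r in rules if _covers_port(r, port)), None)
        if decisive and decisive["access"].lower() == "allow":
            findings.append((nsg["name"], decisive["name"], port))
    return findings

def _rule(name, prio, access, proto, src, port):  # builds a constructed sample rule
    return {"name": name, "priority": prio, "access": access, "protocol": proto,
            "direction": "Inbound", "sourceAddressPrefix": src,
            "destinationPortRange": port}

# Constructed sample, shaped like `az network nsg list -o json` output.
SAMPLE = [
    {"name": "web-nsg", "securityRules": [
        _rule("allow-ssh-any", 300, "Allow", "Tcp", "*", "22"),
        _rule("allow-rdp-office", 310, "Allow", "Tcp", "203.0.113.0/24", "3389"),
        _rule("allow-https", 400, "Allow", "Tcp", "Internet", "443")]},
    {"name": "db-nsg", "securityRules": [
        _rule("deny-mgmt", 100, "Deny", "*", "*", "22-3389"),
        _rule("allow-wide", 200, "Allow", "Tcp", "Internet", "1-4000")]},
]

if __name__ == "__main__":
    for nsg in SAMPLE:
        print(nsg["name"], exposed_mgmt_ports(nsg))
```

In `db-nsg` the wide Allow rule is not reported because the higher-priority Deny rule matches management traffic first; an audit that ignores rule priority would raise a false positive there.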

When to pen test your Microsoft Azure virtual instances?

As of June 15, 2017, Microsoft no longer requires pre-approval to conduct a penetration test against Azure resources. This process applies only to Microsoft Azure and is not applicable to any other Microsoft Cloud Service. As a best practice, client tenants should engage a 3rd party before, during and after cloud deployment. A full white box pen test engagement would be ideal for a company’s first cloud deployment within Azure.

Why execute a pen test early?

On average, over 50 new vulnerabilities were discovered every day in 2020, and configuration errors are recurring, causing many initial application deployments to fail because of a poor preventive cyber security strategy. A continuous pen test strategy will reduce the attack surface of cloud-based applications.
