Although it is important to secure your Azure environment as best you can, it is not possible to implement all the Azure security best practices at once. Consequently, Microsoft has prioritized seven Azure security best practices which it believes busy IT security professionals should do first.
1. Upgrade your Azure Subscription to Azure Security Center Standard
The free tier of Security Center that comes with an Azure subscription has limited capabilities, whereas the “Standard” tier extends these capabilities to on-premises and other clouds. Security Center Standard helps you find and fix security vulnerabilities, apply access and application controls to block malicious activity, detect threats by using analytics and intelligence, and respond quickly when under attack. The standard tier also includes System Center Endpoint Protection (SCEP) on VMs and physical servers.
Although there are costs attached to upgrading to the Azure Security Center Standard tier, it is possible to opt out of services if you are not going to use them or have existing solutions performing the same role. Furthermore, Microsoft gives you the opportunity to try the Azure Security Center Standard tier free for thirty days so you can evaluate the first of the Azure security best practices and its financially viability before committing to a permanent upgrade. (Details of pricing can be found here).
2. Store Keys in an Azure Key Vault (and not in your source code)
Cloud applications and services use cryptographic keys and secrets to help keep information secure. Azure Key Vault safeguards these keys and secrets. When you use Key Vault, you can encrypt authentication keys, storage account keys, data encryption keys, API keys, .pfx files, and passwords by using keys that are protected by hardware security modules (HSMs).
Within the key vault, IT professionals should create secure containers known as “Vaults”. Vaults help reduce the chances of accidental information loss by centralizing the storage of application secrets. They can also control access to anything stored in them and log when the vaults are accessed. Key Vault also provides a solution for certificate lifecycle management.
3. Install a Web Application Firewall and Integrate it with Azure Security Center
Web application firewalls (WAFs) are a feature of the Application Gateway tool that provides centralized protection of your web applications from common exploits. Web applications are increasingly targets of malicious attacks that exploit common known vulnerabilities, and a centralized WAF helps make security management simpler and provides assurance to application administrators against threats or intrusions.
When Application Gateway is integrated with the Azure Security Center, the Security Centers scans cloud environments to detect unprotected web applications. It recommends WAFs to protect these vulnerable resources - which you create directly from the Security Center. The WAFs then send alerts and health information to the Security Center that system administrators can use for reporting.
4. Enforce Multi-Factor Authentication for All Users
Businesses that don’t add extra layers of access protection - such as two-step authentication - are more susceptible to credential theft. Credential thefts are usually achieved by phishing or by planting key-logging malware on a user’s device; and it only takes one compromised credential for a cybercriminal to potentially gain access to the whole network.
Enforcing multi-factor authentication for all users is one of the easiest - yet most effective - of the seven Azure security best practices, as it can be done via Azure Active Directory within a few minutes. It is also possible to enforce “conditional” multi-factor authentication, which requires users to utilize a second identification method only when attempting to log in from beyond a defined range of IP addresses.
5. Encrypt Virtual Hard Drives
Full disk encryption has several benefits compared to regular file or folder encryption - for example, the decision of which individual files to encrypt is not left up to users' discretion. This is important for situations in which users might not want or might forget to encrypt sensitive files. Encrypting hard drives also enables immediate data destruction by destroying the cryptograph keys.
Microsoft recommends encrypting virtual hard disks to help protect boot volumes and data volumes at rest (after a snapshot is taken of the data in case any unexpected fails occurs during the encryption process). Businesses can use the Azure Disk Encryption tool to generate encryption keys and secure them in the Azure Key Vault.
6. Take Advantage of Azure Virtual Networks
Connecting Azure VMs to an Azure Virtual Network provides a similar level of security as LANs on an on-premises network. It enables businesses to create network access controls between subnets in order to protect against unsolicited traffic. Microsoft warns against creating too many virtual networks and subnets to reduce the management overhead of mapping security groups to each network or subnet.
Of the seven Azure security best practices, this is the one which requires most planning - especially for larger businesses with millions of resources deployed in the Azure Cloud. It is important not to assign allow rules with broad ranges, and place resources that belong to the same security zone or role in the appropriate subnets.
7. Protect against Distributed Denial of Service Attacks
Microsoft has multiple defenses against Distributed Denial of Service (DDoS) attacks at the network layer, but at the application layer (OSI Layer 7) businesses can be held hostage by cybercriminals who control the bandwidth and duration of an attack. Businesses have basic DDoS protection against application layer DDoS attacks via the Azure platform, but by upgrading to the Azure Security Center Standard tier (see #1) it is possible to better protect web apps from Layer 7 attacks.
The DDoS protection offered by the Azure Security Standard tier provides advanced intelligence that automatically configures and tunes DDoS protection settings. It does this by using intelligent traffic-profiling to learn application traffic patterns over time. If a DDoS attack occurs, the service will first alert system administrators to the fact, and then provide regular metrics and reports for administrators to make better informed decisions during and after the attack.
Help with Implementing Azure Security Best Practices
If you are a busy IT professional, and would like help implementing the 7 Azure security best practices, do not hesitate to get in touch. Our team of cloud security experts will discuss your existing security mechanisms with you and suggest which Azure security best practices should be prioritized. It may also be the case you need help gaining full visibility over your Azure environment to implement the best practices, in which case our team will organize a demo of our cloud management platform in order to better explain CloudHealth’s visibility capabilities.