Azure Security Best Practices
Tips and tricks to make sure your data is secure in Azure
The adoption of cloud services like Microsoft Azure is accelerating year over year. Around half of all workloads and data are already in a public cloud, with small businesses expanding rapidly and expecting up to 70% of their systems to be in a public cloud within the next 12 months. (Flexera State of the Cloud Report 2020)
While adoption is skyrocketing, another area follows the same pattern; data breaches and security vulnerabilities. Earlier this year, a cache of files in Azure Blob Storage was exposed, containing hundreds of thousands of documents filled with personally identifiable information (PII) and protected health information (PHI). Earlier in the year, a simple misconfiguration exposed millions of Microsoft customer records with an unsecured Elasticsearch database. Additionally, in 2017, one of the “big four” accounting firms, Deloitte, was the victim of a cyber attack and data breach caused by a compromised account with too much security access.
The global average cost of a data breach in 2020 was $3.86 million (IBM). Many companies move their workloads to the cloud without fully understanding the liability and altered threat model that comes with the territory.
Of the top challenges that companies listed regarding cloud adoption, Security, Governance, Compliance, and lack of resources/expertise are all in the top 8.
Let’s look through some basic threat modeling to consider and some best practices and tips to keep things secure in Microsoft Azure.
Threat Modeling
The first thing to dive into when building your security posture in the cloud is an accurate threat model to help you understand the areas of risk and the level of that risk. This is a non-exhaustive list of some of the threats commonly encountered.
Increased presence of business critical applications
Business-critical applications are those that would cause significant disruption and potential financial impact if they were down for an extended period of time. As these workloads move to the cloud, it’s important to identify them and document them as critical infrastructure.
Insider threats
These include intentional and unintentional actions by users that compromise security. It could be as simple as a misconfiguration of a web server set up by someone inexperienced. It could be as serious as a malicious employee or former employee downloading critical data and systems.
Compromised accounts with too much access
Like insider threats, a user with more access than is necessary for their job function can be compromised by a 3rd party through social engineering or other methods. This is a common avenue for data breaches to occur and can be challenging to detect when it’s happening.
Compliance and regulatory concerns
Many companies store Personally Identifiable Information (PII) or Protected Health Information (PHI) and are subject to HIPAA regulations. Others process payment information and need to worry about PCI compliance. More complicated are export regulations and Data Loss Prevention (DLP) policies that come with higher government work levels. All of these are threats to business continuity if not accounted for in your threat model.
Developers lack security awareness
The ease that developers can deploy new applications and code to Microsoft Azure and other cloud providers brings a wealth of benefits to overall developer productivity. The flip-side to this is that many developers aren’t educated in the various security threats. The applications they build and deploy are often created without proper controls and security reviews. Misconfigured and unmaintained servers are one of the most common avenues for a data breach.
Staff under educated in cloud features for security
IT operations staff typically have a great understanding of the security features and threats to the local network and infrastructure. Without proper planning and education around security, when a large infrastructure footprint moves to the cloud, it frequently results in misconfigurations or underutilization of built-in platform features that greatly increase your security posture.
Lack of cross-role documentation and knowledge
As the average company’s infrastructure grows, it’s increasingly important that those responsible for the infrastructure’s security are part of the conversation. Frequently, the people responsible for security are left unaware of new servers, new applications, changes in network configurations, or other important items because they were easy to set up. There is no change management procedure in place.
Security Best Practices
With a basic threat model understood, here is a list of best security practices in Microsoft Azure that will help reduce immediate threats and build a stronger security posture overall.
Planning is key
The single most important security practice is planning. A change management process and a strong documentation requirement are essential to keep a clear understanding of your security.
Any changes to the network, such as new devices, firewall rules changed, or user access changes, should be documented. User access updates need to be justified and documented.
Proactively creating standards for organizing resources, understanding their lifetime, intended usage, and creating a basic set of rules around security and monitoring will help you far more than any other individual practice.
User access
Strongly implement the “principle of least privilege,” meaning users should only have exactly the access they require and no more. It’s far too common that too many users have global administrative permissions where it’s not necessary.
Enforce 2-factor authentication (2FA) on all users. This is common amongst many cloud services now. Microsoft and others provide authenticator apps that make the process easy.
Disable ssh, telnet, and RDP access from the internet. It’s common for developers or others to leave these enabled because it’s faster to access the resources they create. Enforce using a VPN to get access to private resources and strictly control what is exposed to the internet.
Custom Applications
Enforce a security review of custom applications and require documentation of what services they utilize and what services they expose.
Verify the encryption of PII and PHI, ensuring to use encrypted communication and data at rest. This is a frequently overlooked item that can make a significant difference in a data breach.
Enforce Data Loss Prevention (DLP) policies. Oftentimes applications leak data through unsecured APIs, logs that end up having social security numbers or passwords, or poor security implementations. Document and understand these mechanisms in any application that is deployed to your infrastructure.
Secure Storage
The referenced data breach last month was due to an Azure Blob Container that allowed public access. Turn this off, require authentication for storage accounts, and turn on data encryption. These are all able to be done in the Azure Portal with low friction.
Secure data in Transit
Similar to securing the storage at rest, turn on features at the storage account to secure data in transit and require HTTPS communication for all services.
Lean on the platform for help
Use the Azure Security Center. It provides recommendations to improve the security of your environment. It can also provide vulnerability scans and call out areas where you are behind on system updates. It’s a great tool to get a quick overview of common security threats. It will even go so far as to tell you exactly what is needed to resolve the issue it finds and often will resolve them for you with a single click.
Make sure to understand the security feature of platform-native features you use. A good example is Transparent Data Encryption (TDE) for Microsoft SQL Server. Many platform tools have security features that you can enable by toggling a switch. These shouldn’t be overlooked.
Be proactive
Use a SIEM, install monitoring and collect metrics everywhere that you can. When investigating any unusual activity, it’s important to reconstruct and replay events as they happened both for determining the extent of an issue and for solving it.
Microsoft Azure has a built-in monitoring and alert system, don’t forget about it. It may take some time to set up and tune all of the alerts that you want to capture, but it’s worth it to have proactive notifications when things are not working according to your baselines.
Use automation to apply patching and updates. A common pathway for servers to be compromised is a simple lack of security patches. Microsoft provides tools to auto-apply updates to servers, organizing them into groups to try out updates and other features. These greatly simplify the manual effort required to keep your systems secure.
Wrap up
With the growing adoption of Microsoft Azure and other cloud providers, it’s important to keep an eye on security while taking advantage of the productivity gains that come with the platform. Being proactive and following the best practices outlined above will give you a great starting point for remaining secure as your adoption grows.
Frequently Asked Questions
Latest Posts
We’ve helped our partners to digitally transform their organizations by putting people first at every turn.
Effective discovery is crucial in software development to prevent budget overruns and project delays. By conducting discovery sprints and trial projects, businesses can align goals, define scope, and mitigate risks, ensuring successful outcomes.
In this article, we address the advantages and disadvantages of native apps and compare them to those of React Native apps. We will then propose one example of a ‘good fit’ native app and a ‘good fit’ React Native app. The article concludes with a general recommendation for when you should build your application natively and when to do so in React Native.
In this short article I would like to show you one example of High Cohesion and Low Coupling regarding Software Development. Imagine that you have a REST API that have to manage Users, Posts and Private Message between users. One way of doing it would be like the following example: As you can see, the […]
You’ve identified the need for new software for your organization. You want it built and maintained but don’t have the knowledge, time, or ability to hire and manage a software staff. So how do you go about finding a software development company for your project? Step 1: Search for Existing Software The first step in […]
Custom software is a great way to increase efficiency and revenue for your organization. However, creating custom software means more risk for you. Here are a few common problems to avoid when building your next mobile or web app. 1. Cost Overrun One of the biggest challenges of custom software development is gathering requirements. The process […]
So, you want to build some software. But where do you start? Maybe you’re not ready to take on the large task of hiring a team internally. Of all the options out there for building your software, two of the most common are staff augmentation and project-based consulting. So what’s best for you, staff augmentation […]
Failed implementing agile in your organization? Agile isn't the problem.
Are you ready to hire software developers? It might be worth more investigation.
Solve your next production issue with less headache and better insight.
How to use empathy to drive decisions around the platform for your future application.
