Tips and tricks to make sure your data is secure in Azure
The adoption of cloud services like Microsoft Azure is accelerating year over year. Around half of all workloads and data are already in a public cloud, with small businesses expanding rapidly and expecting up to 70% of their systems to be in a public cloud within the next 12 months. (Flexera State of the Cloud Report 2020)
While adoption is skyrocketing, another area follows the same pattern: data breaches and security vulnerabilities. Earlier this year, a cache of files in Azure Blob Storage was exposed, containing hundreds of thousands of documents filled with personally identifiable information (PII) and protected health information (PHI). Also this year, a simple misconfiguration exposed millions of Microsoft customer records through an unsecured Elasticsearch database. And in 2017, one of the “big four” accounting firms, Deloitte, was the victim of a cyber attack and data breach caused by a compromised account that had far more access than it needed.
The global average cost of a data breach in 2020 was $3.86 million (IBM). Many companies move their workloads to the cloud without fully understanding the liability and altered threat model that comes with the territory.
Of the top challenges that companies listed regarding cloud adoption, Security, Governance, Compliance, and lack of resources/expertise are all in the top 8.
Let’s walk through some basic threat modeling first, and then a set of best practices and tips for keeping things secure in Microsoft Azure.
The first thing to dive into when building your security posture in the cloud is an accurate threat model, so that you understand where the risk lies and how large it is. This is a non-exhaustive list of threats commonly encountered.
Increased presence of business-critical applications
Business-critical applications are those that would cause significant disruption and potential financial impact if they were down for an extended period of time. As these workloads move to the cloud, it’s important to identify them and document them as critical infrastructure.
Insider threats
These include intentional and unintentional actions by users that compromise security. It can be as simple as a misconfiguration of a web server set up by someone inexperienced, or as serious as a malicious employee or former employee exfiltrating critical data and copies of systems.
Compromised accounts with too much access
Like insider threats, a user with more access than their job function requires can be compromised by a third party through social engineering or other methods. This is a common avenue for data breaches and is hard to detect while it is happening, because the activity looks like legitimate use of the account.
Compliance and regulatory concerns
Many companies store Protected Health Information (PHI) and are subject to HIPAA, or store Personally Identifiable Information (PII) covered by privacy regulations. Others process payment card data and must meet PCI DSS requirements. More complicated still are export controls and Data Loss Prevention (DLP) policies that come with higher levels of government work. All of these are threats to business continuity if they are not accounted for in your threat model.
Developers lack security awareness
The ease with which developers can deploy new applications and code to Microsoft Azure and other cloud providers brings a wealth of benefits to developer productivity. The flip side is that many developers aren’t educated in the relevant security threats, and the applications they build and deploy are often created without proper controls or security reviews. Misconfigured and unmaintained servers are one of the most common avenues for a data breach.
Staff under-educated in cloud security features
IT operations staff typically have a great understanding of the security features and threats of the local network and infrastructure. Without proper planning and education around cloud security, moving a large infrastructure footprint to the cloud frequently results in misconfigurations, or in underutilization of built-in platform features that would greatly improve your security posture.
Lack of cross-role documentation and knowledge
As the average company’s infrastructure grows, it’s increasingly important that those responsible for its security are part of the conversation. Frequently, the people responsible for security are left unaware of new servers, new applications, changes in network configuration, or other important items, because those things were easy to set up and there is no change management procedure in place.
Security Best Practices
With a basic threat model understood, here is a list of best security practices in Microsoft Azure that will help reduce immediate threats and build a stronger security posture overall.
Planning is key
The single most important security practice is planning. A change management process and a strong documentation requirement are essential to keep a clear understanding of your security.
Any change to the network, such as a new device, a changed firewall rule, or a change in user access, should be documented. User access updates in particular need to be justified and documented.
Proactively creating standards for organizing resources, understanding their lifetime, intended usage, and creating a basic set of rules around security and monitoring will help you far more than any other individual practice.
Strictly implement the “principle of least privilege”: users should have exactly the access their job requires and no more. It’s far too common for many users to hold global administrative permissions (Owner on a subscription, or Global Administrator in Azure AD) that they do not need.
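One way to find the over-privileged assignments this paragraph warns about, as an added example that is not code from the original article: the script below audits role assignments in the shape `az role assignment list --all -o json` returns (principalName, principalType, roleDefinitionName, scope) and flags privileged roles held at subscription scope or above, or bound directly to a user instead of a group. The sample assignments, the subscription id and the two rules are constructed for this example.

```python
"""Least-privilege audit of Azure RBAC role assignments.

Added example, not code from the original article. Input records mirror the
shape of `az role assignment list --all -o json` (principalName,
principalType, roleDefinitionName, scope); the sample below is constructed.
"""
import json
from typing import Dict, List

# Built-in roles that grant broad write access or the right to grant access.
PRIVILEGED_ROLES = {"Owner", "Contributor", "User Access Administrator"}
# Scopes at which a privileged role covers far more than one workload.
BROAD_SCOPES = {"root", "managementGroup", "subscription"}

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # constructed id

# Constructed sample data resembling `az role assignment list --all` output.
SAMPLE_ASSIGNMENTS = json.dumps([
    {"principalName": "alice@example.com", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": SUB},
    {"principalName": "web-app-sp", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor", "scope": SUB + "/resourceGroups/rg-web"},
    {"principalName": "bob@example.com", "principalType": "User",
     "roleDefinitionName": "Reader", "scope": SUB},
    {"principalName": "sg-platform-admins", "principalType": "Group",
     "roleDefinitionName": "User Access Administrator", "scope": SUB},
    {"principalName": "carol@example.com", "principalType": "User",
     "roleDefinitionName": "Storage Blob Data Contributor",
     "scope": SUB + "/resourceGroups/rg-data/providers/Microsoft.Storage/storageAccounts/stdata"},
])


def scope_level(scope: str) -> str:
    """Classify an ARM scope string by how much of the tenant it covers."""
    s = scope.lower()
    if s == "/":
        return "root"
    if "/providers/microsoft.management/managementgroups/" in s:
        return "managementGroup"
    if "/providers/" in s:
        return "resource"
    if "/resourcegroups/" in s:
        return "resourceGroup"
    if s.startswith("/subscriptions/"):
        return "subscription"
    return "unknown"


def audit_role_assignments(raw_json: str) -> List[Dict]:
    """Return one finding per assignment that breaks a least-privilege rule.

    Rules (assumptions chosen for this example, tune to your own policy):
      1. a privileged role at subscription scope or above is always flagged;
      2. a privileged role bound directly to a user (rather than a group) is
         flagged, because per-user grants are the ones that go unreviewed.
    """
    findings = []
    for a in json.loads(raw_json):
        role, level = a["roleDefinitionName"], scope_level(a["scope"])
        reasons = []
        if role in PRIVILEGED_ROLES and level in BROAD_SCOPES:
            reasons.append(f"{role} granted at {level} scope")
        if role in PRIVILEGED_ROLES and a["principalType"] == "User":
            reasons.append(f"{role} granted directly to a user; use a group")
        if reasons:
            findings.append({"principal": a["principalName"], "role": role,
                             "scope": a["scope"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_role_assignments(SAMPLE_ASSIGNMENTS):
        print(f"{f['principal']:22} {f['role']:28} {'; '.join(f['reasons'])}")
```

Against real output, pipe `az role assignment list --all -o json` into `audit_role_assignments`. The service principal scoped to one resource group and the user holding a data-plane role on a single storage account pass; the subscription-wide Owner and User Access Administrator grants do not.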
Enforce two-factor authentication (2FA, or more generally multi-factor authentication) for all users; in Azure AD this can be required through Conditional Access policies. This is common among cloud services now, and Microsoft and others provide authenticator apps that make the process easy.
Disable SSH, Telnet, and RDP access from the internet. It’s common for developers and others to leave these open because it’s faster to reach the resources they create. Require a VPN (or a bastion host) to reach private resources, and strictly control what is exposed to the internet.
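The check a practitioner would run for this item, as an added example that is not code from the original article: given network security group rules in the shape `az network nsg rule list -o json` returns, the script below walks the inbound rules in priority order and reports which management ports an internet source can still reach. It evaluates rules the way the NSG does (first match by priority wins, so a Deny placed ahead of an Allow protects the port), and handles both the singular and the list forms of the source and port fields. The rules, the set of prefixes treated as "internet", and the assumption that the default DenyAllInBound rule is still present are all constructed for this example.

```python
"""Find management ports (SSH, Telnet, RDP) exposed to the internet by an NSG.

Added example, not code from the original article. Input records mirror the
shape of `az network nsg rule list -o json` (name, priority, direction,
access, protocol, sourceAddressPrefix[es], destinationPortRange[s]); the
rules below are constructed sample data.
"""
import json
from typing import Dict, List

MGMT_PORTS = {22: "SSH", 23: "Telnet", 3389: "RDP"}
# Source prefixes treated as "anyone on the internet". Assumption: broad
# CIDRs such as 0.0.0.0/1 are not decoded by this example.
INTERNET_SOURCES = {"*", "internet", "0.0.0.0/0"}

SAMPLE_NSG_RULES = json.dumps([
    {"name": "allow-ssh-anywhere", "priority": 100, "direction": "Inbound",
     "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "*",
     "destinationPortRange": "22"},
    {"name": "deny-rdp-internet", "priority": 110, "direction": "Inbound",
     "access": "Deny", "protocol": "*", "sourceAddressPrefix": "Internet",
     "destinationPortRange": "3389"},
    {"name": "allow-rdp-from-vpn", "priority": 120, "direction": "Inbound",
     "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "10.20.0.0/16",
     "destinationPortRange": "3389"},
    {"name": "allow-web", "priority": 200, "direction": "Inbound",
     "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "Internet",
     "destinationPortRanges": ["80", "443"]},
    {"name": "allow-legacy-range", "priority": 300, "direction": "Inbound",
     "access": "Allow", "protocol": "*", "sourceAddressPrefix": "0.0.0.0/0",
     "destinationPortRange": "20-25"},
    {"name": "allow-all-outbound", "priority": 100, "direction": "Outbound",
     "access": "Allow", "protocol": "*", "sourceAddressPrefix": "*",
     "destinationPortRange": "*"},
])


def _values(rule: dict, singular: str, plural: str) -> List[str]:
    """The CLI emits either a single value or a list; normalise to a list."""
    vals = list(rule.get(plural) or [])
    if rule.get(singular):
        vals.append(rule[singular])
    return vals


def port_in_range(spec: str, port: int) -> bool:
    """True if an NSG port spec ("*", "22" or "20-25") covers the port."""
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        return int(lo) <= port <= int(hi)
    return int(spec) == port


def _matches_internet_tcp(rule: dict, port: int) -> bool:
    """Would this rule apply to a TCP packet from the internet to `port`?"""
    from_internet = any(s.lower() in INTERNET_SOURCES
                        for s in _values(rule, "sourceAddressPrefix", "sourceAddressPrefixes"))
    tcp = rule.get("protocol", "*").lower() in ("*", "tcp")
    hits_port = any(port_in_range(p, port)
                    for p in _values(rule, "destinationPortRange", "destinationPortRanges"))
    return from_internet and tcp and hits_port


def exposed_management_ports(raw_json: str) -> Dict[int, str]:
    """Return {port: rule name} for each management port reachable from the internet.

    NSG rules are evaluated in priority order (lowest number first) and the
    first rule matching the traffic decides, so a Deny placed ahead of an
    Allow wins. A port matched by no custom rule falls through to the default
    DenyAllInBound rule, which this example assumes is still present.
    """
    inbound = sorted((r for r in json.loads(raw_json) if r["direction"].lower() == "inbound"),
                     key=lambda r: r["priority"])
    exposed: Dict[int, str] = {}
    for port in MGMT_PORTS:
        for rule in inbound:
            if _matches_internet_tcp(rule, port):
                if rule["access"].lower() == "allow":
                    exposed[port] = rule["name"]
                break  # first matching rule decides
    return exposed


if __name__ == "__main__":
    for port, rule in exposed_management_ports(SAMPLE_NSG_RULES).items():
        print(f"{MGMT_PORTS[port]} (tcp/{port}) open to the internet by rule '{rule}'")
```

On the sample, SSH is exposed by the obvious `allow-ssh-anywhere` rule, Telnet is exposed by a port range nobody thought of as a Telnet rule, and RDP is safe only because the Deny sits at a lower priority number than any Allow. The RDP rule scoped to the VPN range is exactly the pattern the paragraph recommends.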
Enforce a security review of custom applications and require documentation of what services they utilize and what services they expose.
Verify the encryption of PII and PHI, both in transit (encrypted communication) and at rest. This is a frequently overlooked item that makes a significant difference to the impact of a data breach.
Enforce Data Loss Prevention (DLP) policies. Applications often leak data through unsecured APIs, through logs that end up containing social security numbers or passwords, or through poor security implementations. Document and understand these mechanisms in any application deployed to your infrastructure.
The Azure Blob Storage breach referenced above was due to a container that allowed anonymous public access. Turn public access off at the storage account level so that no container can be made public, and require authentication for every request. Encryption at rest is enabled by default on every storage account and cannot be switched off; what you choose is whether the keys are Microsoft-managed or customer-managed. All of this can be done in the Azure Portal with low friction.
Secure data in Transit
Similar to securing data at rest, turn on the storage account features that protect data in transit: the “Secure transfer required” setting rejects plain HTTP, and setting the minimum TLS version to 1.2 rejects old protocol versions. Require HTTPS for all services.
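A check that covers both the public-access item above and the data-in-transit item here, as an added example that is not code from the original article: the script below audits a storage account in the shape `az storage account show -o json` returns (plus its containers from `az storage container list -o json`), lists every weak setting, and emits the Azure CLI commands that fix them. Both the misconfigured and the hardened account, the container list, and the account and resource group names are constructed for this example.

```python
"""Audit an Azure storage account for public access and weak transport settings.

Added example, not code from the original article. The inputs mirror the
shape of `az storage account show -o json` and `az storage container list
-o json`; all samples below are constructed.
"""
import json
from typing import List

# Constructed sample: a misconfigured account holding sensitive data.
SAMPLE_WEAK_ACCOUNT = json.dumps({
    "name": "stpatientrecords", "resourceGroup": "rg-data",
    "allowBlobPublicAccess": True,
    "enableHttpsTrafficOnly": False,
    "minimumTlsVersion": "TLS1_0",
    "networkRuleSet": {"defaultAction": "Allow"},
    "encryption": {"keySource": "Microsoft.Storage"},
})
# Constructed sample: the same account after hardening.
SAMPLE_HARDENED_ACCOUNT = json.dumps({
    "name": "stpatientrecords", "resourceGroup": "rg-data",
    "allowBlobPublicAccess": False,
    "enableHttpsTrafficOnly": True,
    "minimumTlsVersion": "TLS1_2",
    "networkRuleSet": {"defaultAction": "Deny"},
    "encryption": {"keySource": "Microsoft.Keyvault"},
})
# Constructed sample of the account's containers; "exports" is world-readable.
SAMPLE_CONTAINERS = json.dumps([
    {"name": "exports", "properties": {"publicAccess": "container"}},
    {"name": "backups", "properties": {"publicAccess": None}},
])


def audit_storage_account(account_json: str, containers_json: str) -> List[str]:
    """Return one finding string per weak setting.

    Encryption at rest is not checked because it is always on;
    encryption.keySource only says whether the keys are Microsoft-managed
    ("Microsoft.Storage") or customer-managed ("Microsoft.Keyvault").
    """
    acct = json.loads(account_json)
    findings = []
    # A missing or null value historically meant "allowed", so treat it as weak.
    if acct.get("allowBlobPublicAccess") is not False:
        findings.append("allowBlobPublicAccess is on: containers can be made anonymously readable")
    if not acct.get("enableHttpsTrafficOnly"):
        findings.append("secure transfer (HTTPS only) is off: plaintext HTTP is accepted")
    tls = acct.get("minimumTlsVersion", "TLS1_0")
    if tls != "TLS1_2":
        findings.append(f"minimumTlsVersion is {tls}: clients may negotiate old TLS")
    if (acct.get("networkRuleSet") or {}).get("defaultAction", "Allow") != "Deny":
        findings.append("network defaultAction is Allow: reachable from any network")
    for c in json.loads(containers_json):
        level = (c.get("properties") or {}).get("publicAccess")
        if level:
            findings.append(f"container '{c['name']}' has public access level '{level}'")
    return findings


def remediation_commands(account_json: str, containers_json: str) -> List[str]:
    """Azure CLI commands that fix every finding audit_storage_account reports."""
    acct = json.loads(account_json)
    name, rg = acct["name"], acct["resourceGroup"]
    cmds = []
    if audit_storage_account(account_json, "[]"):  # any account-level finding
        cmds.append(f"az storage account update --name {name} --resource-group {rg} "
                    "--allow-blob-public-access false --https-only true "
                    "--min-tls-version TLS1_2 --default-action Deny")
    for c in json.loads(containers_json):
        if (c.get("properties") or {}).get("publicAccess"):
            cmds.append(f"az storage container set-permission --account-name {name} "
                        f"--name {c['name']} --public-access off --auth-mode login")
    return cmds


if __name__ == "__main__":
    for line in audit_storage_account(SAMPLE_WEAK_ACCOUNT, SAMPLE_CONTAINERS):
        print("FINDING:", line)
    for cmd in remediation_commands(SAMPLE_WEAK_ACCOUNT, SAMPLE_CONTAINERS):
        print("FIX:", cmd)
```

One caveat before running the generated commands: `--default-action Deny` blocks every network, including your own, until you add virtual network or IP rules for the clients that legitimately need the account, so schedule it as a change rather than a quick fix.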
Lean on the platform for help
Use Azure Security Center. It provides recommendations to improve the security of your environment, can run vulnerability scans, and calls out where you are behind on system updates. It’s a great tool for a quick overview of common security issues, and it goes so far as to tell you exactly what is needed to resolve the issues it finds, often resolving them for you with a single click.
Make sure you understand the security features of the platform-native services you use. A good example is Transparent Data Encryption (TDE) for Azure SQL Database, which is on by default for new databases but worth verifying. Many platform services have security features that you enable by toggling a switch; these shouldn’t be overlooked.
Use a SIEM, install monitoring, and collect logs and metrics everywhere you can. When investigating unusual activity, it’s important to be able to reconstruct and replay events as they happened, both to determine the extent of an issue and to resolve it.
Microsoft Azure has a built-in monitoring and alerting system (Azure Monitor); don’t forget about it. It may take some time to set up and tune all the alerts you want, but it’s worth it to have proactive notifications when things deviate from your baselines.
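As an added example of the kind of detection those collected logs enable (not code from the original article), the script below runs a sliding-window check over Azure AD sign-in events in a subset of the sign-in log schema (userPrincipalName, ipAddress, createdDateTime, status.errorCode with 0 meaning success) and flags brute-force and password-spray bursts, plus the higher-value signal of a successful sign-in that follows such a burst. The events, the thresholds and the window length are constructed assumptions for this example; in practice you would tune them against your own baseline, or express the same logic as an alert rule in your SIEM.

```python
"""Flag brute-force and password-spray patterns in Azure AD sign-in events.

Added example, not code from the original article. Events mirror a subset of
the Azure AD sign-in log schema (userPrincipalName, ipAddress,
createdDateTime, status.errorCode, where 0 is success); all events below are
constructed. Thresholds are assumptions to tune against your baseline.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

FAILURE_THRESHOLD = 5            # failures from one IP inside WINDOW
SPRAY_MIN_USERS = 3              # distinct accounts that make a burst a spray
WINDOW = timedelta(minutes=10)


def _ev(ts: str, user: str, ip: str, code: int) -> dict:
    return {"createdDateTime": ts, "userPrincipalName": user,
            "ipAddress": ip, "status": {"errorCode": code}}


# 50126 is the "invalid username or password" error code.
SAMPLE_SIGNINS = json.dumps([
    # One address tries five accounts, then gets into one of them.
    _ev("2020-10-01T09:00:00Z", "u1@example.com", "203.0.113.7", 50126),
    _ev("2020-10-01T09:01:00Z", "u2@example.com", "203.0.113.7", 50126),
    _ev("2020-10-01T09:02:00Z", "u3@example.com", "203.0.113.7", 50126),
    _ev("2020-10-01T09:03:00Z", "u4@example.com", "203.0.113.7", 50126),
    _ev("2020-10-01T09:04:00Z", "u5@example.com", "203.0.113.7", 50126),
    _ev("2020-10-01T09:05:00Z", "u1@example.com", "203.0.113.7", 50126),
    _ev("2020-10-01T09:06:00Z", "u3@example.com", "203.0.113.7", 0),
    # A user mistyping their password twice is normal.
    _ev("2020-10-01T09:00:00Z", "alice@example.com", "198.51.100.4", 50126),
    _ev("2020-10-01T09:02:00Z", "alice@example.com", "198.51.100.4", 50126),
    _ev("2020-10-01T09:03:00Z", "alice@example.com", "198.51.100.4", 0),
    # Five failures spread over 13 minutes never reach five inside one window.
    _ev("2020-10-01T08:00:00Z", "bob@example.com", "192.0.2.9", 50126),
    _ev("2020-10-01T08:03:00Z", "bob@example.com", "192.0.2.9", 50126),
    _ev("2020-10-01T08:06:00Z", "bob@example.com", "192.0.2.9", 50126),
    _ev("2020-10-01T08:09:00Z", "bob@example.com", "192.0.2.9", 50126),
    _ev("2020-10-01T08:13:00Z", "bob@example.com", "192.0.2.9", 50126),
])


def _ts(e: dict) -> datetime:
    return datetime.strptime(e["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")


def detect_signin_anomalies(raw_json: str) -> List[Dict]:
    """Sliding-window detection per source IP.

    Reports a 'brute force' or 'password spray' finding once per IP when
    FAILURE_THRESHOLD failures land inside WINDOW, and a separate
    'success after failure burst' finding for any successful sign-in that
    follows such a burst, which is the event most worth paging on.
    """
    by_ip: Dict[str, List[dict]] = defaultdict(list)
    for e in json.loads(raw_json):
        by_ip[e["ipAddress"]].append(e)

    findings = []
    for ip, events in by_ip.items():
        events.sort(key=_ts)
        recent: List[dict] = []      # failures within WINDOW of the current event
        burst_reported = False
        for e in events:
            now = _ts(e)
            recent = [f for f in recent if now - _ts(f) <= WINDOW]
            if e["status"]["errorCode"] != 0:
                recent.append(e)
                if len(recent) >= FAILURE_THRESHOLD and not burst_reported:
                    burst_reported = True
                    users = sorted({f["userPrincipalName"] for f in recent})
                    kind = "password spray" if len(users) >= SPRAY_MIN_USERS else "brute force"
                    findings.append({"ip": ip, "kind": kind,
                                     "failures": len(recent), "users": users})
            elif len(recent) >= FAILURE_THRESHOLD:
                findings.append({"ip": ip, "kind": "success after failure burst",
                                 "user": e["userPrincipalName"]})
    return findings


if __name__ == "__main__":
    for f in detect_signin_anomalies(SAMPLE_SIGNINS):
        print(f)
```

Grouping by source address rather than by user is what makes the spray visible: each targeted account sees only one failure, which no per-user lockout threshold will catch, while the address shows five failures across five accounts in five minutes.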
Use automation to apply patches and updates. A simple lack of security patches is a common way for servers to be compromised. Microsoft provides tools to apply updates to servers automatically, including organizing servers into groups so that updates can be tried on a test group before rolling out more widely. These greatly reduce the manual effort required to keep your systems secure.
With the growing adoption of Microsoft Azure and other cloud providers, it’s important to keep an eye on security while taking advantage of the productivity gains that come with the platform. Being proactive and following the best practices outlined above will give you a great starting point for remaining secure as your adoption grows.