Security is vital for enterprises relying on the cloud. When you think of Azure cloud security, you may be overwhelmed by not knowing where to begin. The good news is that Azure is no different from any other data center or cloud provider. However, securing Azure is not an easy task, as it poses many challenges.
Most people believe that as Microsoft provides Azure, its security also is taken care of by Microsoft by default. Azure helps to secure your assets; however, the responsibility has to be shared equally by enterprises by doing their part to fulfill security requirements.
Here are some essential tips on your Azure cloud security:
Realize that Responsibility Has to Be Shared
It would help if you impressed upon your cloud security personnel that responsibility has to be shared between the provider (Microsoft) and the consumer (enterprise). While the extent of sharing the responsibility can vary from one type of Azure service to another, at a higher level, the consumers are responsible for the company’s data. They have to be wary when sharing/managing access to the data.
The responsibility zones of the consumers include:
The data governance and rights management for Saas, PaaS, IaaS, and on-premise are the sole responsibilities of the consumer. The client endpoints and account and access management for the above are the consumers’ responsibility.
Some responsibilities that vary by the service type include:
Identity and directory infrastructure security responsibilities are shared equally by the provider and consumer. For application, network controls, and operating system, if it is on-premise, the responsibility rests with the consumer, and for the others, it is shared on mutual agreement.
Responsibilities of Azure Cloud Security provider (Microsoft)
When it comes to physical hosts, physical data centers, and physical networks, if it is on-premise, it is the consumers’ responsibility, and all the others are the sole responsibility of the provider.
Reading through Microsoft's shared responsibilities document will give you a better idea of Azure security responsibilities. Understanding your shared responsibilities before moving to the cloud is very important.
Changes and Alerts Suggested by Azure Security Center
While there can be more than one subscription owner according to Azure security best practices, the permission is restricted to a maximum of three. It is best to have no more than two administrators acting as "product owners" who will act as subscription owners and maintain Azure security.
Secure ID via Azure Directory
Firewalls are no longer in use as the primary security boundary for networks. The primary security preferred today is a secure ID, and this applies to Azure as well. Azure uses its active directory for authentication for maintaining best security practices.
The recommendations from Azure include centralizing the ID into a single source. Including your hybrid cloud ID scenario by integrating your on-premise and cloud directories with Active Directory Connect helps enhance your security. Multi-factor identification (using a two-step authentication) strengthens the security further.
Limiting Subscription Owners
While there can be more than one subscription owner according to Azure security best practices, the permission is restricted to a maximum of three. It is best to have no more than two administrators acting as “product owners” who will act as subscription owners and maintain Azure security.
Controlling Network Access
Network access has to be under tight control in Azure, as is the case for any other data center. Establishing several rings of security in between the protected resources is a recommended practice for Azure security.
Although it was mentioned earlier that Firewalls are almost obsolete, invariably, most data centers use Firewalls as the primary security ring, which can be an Azure Firewall or any third-party solution. Such Firewalls feature Intrusion Detection or Prevention Systems (IDS/IPS), Distributed Denial of Service (DDoS), Web Content Filtering, and Network Anti-Malware.
The second ring includes a Network Security Group (NSG), which allows filtering of the network to and from resources. A network security group helps prevent unwanted traffic from creeping into a secure Azure network.
In the virtual server, the third ring is an NSG applied to the Virtual Machines network interface, which helps control traffic to and from a Virtual Machine.
Disabling Remote Access
It is advisable to disable the Microsoft Remote Desktop Protocol RDP and Secure Shell SSH access to Azure virtual machines via the Internet. It is safer and more secure to grant access for both over a secure dedicated connection (VPN or ExpressRoute) with Just-in-Time (JIT) remote access.
Enabling Encryption
Encryption helps safeguard your data, whether in transit or at rest. In most cases, encryption is already enabled (default), failing which it has to be enabled manually. Azure cloud security can be achieved through Storage Service Encryption for Azure Managed Disks with encryption keys managed by Microsoft. Thanks to Azure SQL and Azure SQL database, it is possible to protect database files on disk.
Summing it Up
Although securing Azure poses several challenges, all of them can be managed if approached correctly. Following the above security best practices should help protect your data and applications, though security knowledge and training will undoubtedly help.
