Security Best Practices Guide - Exeliq
Securing Your Cloud Environment
Traditionally, for large corporations, databases and applications were placed behind a secure firewall. Securing internal networks from external threats was generally well understood and had been mastered over the previous decade.
Every day, we hear about security breaches across industries. Each new breach makes senior managers anxious about their enterprise data and motivates them to seek assurance about the state of their cloud security. Over the last decade, the industry has improved the tools and operating practices for securing hardware and software environments. To secure our cloud environment, we continually implement the latest security tools and techniques. Every time we adopt a new technique or tool, our developers and operations teams resist the change. DevOps teams are reluctant to change because they do not want to break something that was working earlier. Regardless of the pushback, maintaining current cloud security practices is essential in any modern enterprise environment.
Review the Azure Security Center
The Azure Security Center portal provides a single place to check the security state of cloud resources. Security Center uses machine learning and advanced analytics to detect threats and suggests steps to prevent them. As of July 2018, Security Center costs $15 per node per month.
Enable Advanced Threat Protection (ATP)
Azure ATP protects enterprise hybrid environments from multiple types of advanced targeted cyber attacks and insider threats. Azure ATP provides detection for the various phases of an advanced attack including reconnaissance, credential compromise, lateral movement, privilege escalation, domain dominance, and others.
Execute & monitor AzSK results
The Secure DevOps Kit for Azure (AzSK) is a collection of PowerShell-based scripts, tools, extensions, and automation that covers the end-to-end Azure subscription and resource security needs of DevOps teams. AzSK relies heavily on automation and integrates security checks into native DevOps workflows.
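The following PowerShell is an added example, not code from the original guide or from the AzSK project: it runs both AzSK scans against one subscription and lists the failed controls by severity. It assumes the AzSK module is installable from the PowerShell Gallery and an Az session is already signed in; the subscription id is a placeholder, and the assumptions that each scan cmdlet returns the path of its output folder and that the CSV uses the column names Status, ControlID, ControlSeverity, ResourceName and Recommendation are based on AzSK's SecurityReport output and should be checked against your installed version.

```powershell
# Added example (not part of the original guide or the AzSK project).
# Assumptions: AzSK module available from the Gallery, Az session already signed in,
# each scan cmdlet returns its output folder path, and the CSV column names below
# match the SecurityReport-<timestamp>.csv produced by your AzSK version.
$subscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder

if (-not (Get-Module -ListAvailable -Name AzSK)) {
    Install-Module -Name AzSK -Scope CurrentUser -AllowClobber
}
Import-Module AzSK

# Subscription-level controls: RBAC hygiene, alerts, Security Center configuration, ...
$subFolder = Get-AzSKSubscriptionSecurityStatus -SubscriptionId $subscriptionId

# Resource-level controls for every resource group (storage, Key Vault, App Service, ...)
$svcFolder = Get-AzSKAzureServicesSecurityStatus -SubscriptionId $subscriptionId

# Collect every control whose Status is 'Failed' from the CSV reports in the given folders.
function Get-AzSKFailedControls {
    param([string[]] $ReportFolders)
    foreach ($folder in $ReportFolders) {
        Get-ChildItem -Path $folder -Filter 'SecurityReport-*.csv' -Recurse |
            ForEach-Object { Import-Csv -Path $_.FullName } |
            Where-Object { $_.Status -eq 'Failed' }
    }
}

$failed = @(Get-AzSKFailedControls -ReportFolders @($subFolder, $svcFolder))
$failed |
    Sort-Object ControlSeverity, ControlID |
    Select-Object ControlSeverity, ControlID, ResourceName, Recommendation |
    Format-Table -AutoSize -Wrap

# Record the count per run; a jump after a deployment is the signal to investigate.
"Failed controls: $($failed.Count)"
```

Run the scan from a pipeline or a scheduled job and keep the counts, so that a regression introduced by a release shows up as a delta rather than being buried in a long report. Controls reported with a status other than Passed or Failed (AzSK also marks some controls as needing manual verification) still need a human to look at them.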
Follow the principle of “Least Privilege”
Instead of giving every user full access to all Azure resources, grant access to resources only where there is a demonstrated need. Every additional permission enlarges the attack surface. When granting access to a user, grant the least privilege that still lets them do their job.
Use Service Principal wherever possible
Service Principals are Azure Active Directory application resources used to perform unattended resource and service-level operations. Use Service Principals for code that needs to access or modify Azure resources.
Turn off Azure services and servers when not in use
Reduce the surface area of security threats, especially when resources are not in use. Reduce the cost of Azure services. There is no need to pay when you are not using a resource.
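The following PowerShell is an added example, not code from the original guide or from Microsoft: it deallocates every VM that is still running and carries an opt-in tag, which is the mechanism a nightly job would use to enforce this practice. It assumes the Az module and a signed-in session; the tag name and value are placeholders.

```powershell
# Added example (not part of the original guide). Assumes the Az module and a
# signed-in session. The AutoShutdown tag is a placeholder naming convention.
function Stop-TaggedVm {
    param(
        [string] $TagName  = 'AutoShutdown',
        [string] $TagValue = 'true'
    )
    # -Status populates PowerState ('VM running', 'VM deallocated', ...) for each VM.
    $targets = @(Get-AzVM -Status | Where-Object {
        $_.Tags -and $_.Tags[$TagName] -eq $TagValue -and $_.PowerState -eq 'VM running'
    })
    foreach ($vm in $targets) {
        Write-Host "Deallocating $($vm.Name) in resource group $($vm.ResourceGroupName)"
        # Stop-AzVM without -StayProvisioned deallocates the VM. A VM that is only
        # shut down from inside the guest OS stays allocated and is still billed.
        Stop-AzVM -ResourceGroupName $vm.ResourceGroupName -Name $vm.Name -Force
    }
    return $targets.Count
}

$stopped = Stop-TaggedVm
"Deallocated $stopped VM(s)"
```

Using an opt-in tag rather than stopping everything keeps production and always-on services out of scope, and the tag doubles as documentation of which machines are expected to be off outside working hours. A deallocated VM keeps its disks, so its data still needs the disk encryption described later in this guide.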
Implement an IP whitelisting approach as applicable
IP Restrictions allow you to define a list of IP addresses that can access your app. The ‘allow’ list can include individual IP addresses or a range of IP addresses defined by a subnet mask. Whitelisting is extremely helpful in scenarios where there is a limited, known set of app users (e.g., an internal app, or a preview of your next release).
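The following PowerShell is an added example, not code from the original guide or from Microsoft: it applies an allow list to an App Service and also covers the SCM (Kudu) deployment site, which has its own restriction rules and is easy to forget. It assumes the Az.Websites module (1.x or later); the resource group, app name and the addresses (drawn from the TEST-NET documentation ranges) are placeholders.

```powershell
# Added example (not part of the original guide). Assumes Az.Websites 1.x or later.
# Resource group, app name and the allowed addresses are placeholders.
$rg  = 'rg-app-prod'
$app = 'contoso-internal-app'

# Ordered so that rule priorities are assigned deterministically.
$allowed = [ordered]@{
    'corp-office' = '203.0.113.0/24'
    'vpn-egress'  = '198.51.100.10/32'
}

$priority = 100
foreach ($entry in $allowed.GetEnumerator()) {
    Add-AzWebAppAccessRestrictionRule -ResourceGroupName $rg -WebAppName $app `
        -Name $entry.Key -Priority $priority -Action Allow -IpAddress $entry.Value
    $priority += 10
}

# As soon as one rule exists, App Service adds an implicit "deny all" after it.
# The SCM site is governed separately; make it inherit the same allow list.
Update-AzWebAppAccessRestrictionConfig -ResourceGroupName $rg -Name $app `
    -ScmSiteUseMainSiteRestrictionConfig

# Verify the resulting configuration for both the main and the SCM site.
Get-AzWebAppAccessRestrictionConfig -ResourceGroupName $rg -Name $app
```

Review the verification output after every change: an allow list that covers the main site but leaves the SCM site open still exposes deployment and console endpoints to the internet.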
Use the Azure Key Vault
Azure Key Vault safeguards the cryptographic keys and secrets used by cloud applications and services. You can configure applications so that they never hold keys directly. Developers manage the keys used for Dev/Test and can seamlessly hand over to keys managed by security operations in production.
Use Azure Disk Encryption to encrypt Azure VMs
By default, the disks of Azure VMs are not encrypted. Use Azure Disk Encryption to ensure that all data on the OS and data disks of Azure VMs is encrypted at rest using industry-standard encryption. Azure Disk Encryption uses Azure Key Vault to control and manage the encryption keys and secrets in the key vault subscription.
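The following PowerShell is an added example, not code from the original guide or from Microsoft, and serves both the Key Vault section and the disk encryption section above: it creates a vault that is enabled for disk encryption, stores an application secret with a get-only access policy for the application's identity, then encrypts a VM's OS and data disks with that vault and checks the result. It assumes the Az module and a signed-in session; the names, region and object id are placeholders.

```powershell
# Added example (not part of the original guide). Assumes the Az module and a
# signed-in session. Names, region and the application object id are placeholders.
$rg          = 'rg-app-prod'
$location    = 'westus2'
$vaultName   = 'kv-app-prod-001'                 # must be globally unique
$vmName      = 'vm-app-prod-01'
$appObjectId = '00000000-0000-0000-0000-000000000000'   # object id of the app identity

# 1. Vault. -EnabledForDiskEncryption lets the platform read disk encryption
#    secrets; -EnablePurgeProtection stops a deleted key from being lost for good
#    before the retention period ends (a deleted key means unreadable disks).
$vault = New-AzKeyVault -Name $vaultName -ResourceGroupName $rg -Location $location `
    -EnabledForDiskEncryption -EnablePurgeProtection

# 2. Application secret. The value is read as a SecureString so it never sits in
#    the command history, and the app identity gets 'get' only: no list, no set.
$value = Read-Host -Prompt 'Database connection string' -AsSecureString
Set-AzKeyVaultSecret -VaultName $vaultName -Name 'db-connection' -SecretValue $value | Out-Null
Set-AzKeyVaultAccessPolicy -VaultName $vaultName -ObjectId $appObjectId -PermissionsToSecrets get

# 3. Encrypt every volume of the VM using keys held in the vault. The VM reboots.
Set-AzVMDiskEncryptionExtension -ResourceGroupName $rg -VMName $vmName `
    -DiskEncryptionKeyVaultUrl $vault.VaultUri -DiskEncryptionKeyVaultId $vault.ResourceId `
    -VolumeType All -Force

# 4. Verify: OsVolumeEncrypted and DataVolumesEncrypted should both read Encrypted.
Get-AzVMDiskEncryptionStatus -ResourceGroupName $rg -VMName $vmName
```

Keeping the vault in the same region and subscription as the VM is a requirement of Azure Disk Encryption, and the access policy for the application is deliberately narrower than the one the operator running this script holds: the application only ever needs to read one named secret.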
Use Azure Active Directory (AAD) to manage identity and access to cloud applications
AAD is Microsoft’s multi-tenant cloud directory and identity management service. AAD secures and simplifies user access to cloud applications with single sign-on. AAD also protects sensitive data and applications with Azure Multi-Factor Authentication, an additional level of authentication.
Add a second layer of security by enabling Azure Multi-Factor Authentication (MFA)
Azure MFA is a method for verifying user identities via phone call, text message, or mobile app notification, supplementing username and password authentication. Because Azure MFA requires access to a user’s phone, access to the user’s data and applications is protected even if the user’s password is compromised.
Assign access to Azure resources to Active Directory groups, not individuals
Instead of giving Azure resource access to individual developers, we assign access only to a security group. This practice simplifies access management and ensures that developers have access only to the resources for their projects.
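The following PowerShell is an added example, not code from the original guide or from Microsoft, and serves both the "Least Privilege" section and this one: it first audits the role assignments that violate the two practices (assignments made directly to users, and Owner grants anywhere in the subscription), then grants a project team Contributor on its own resource group through an AAD security group. It assumes the Az module and a signed-in session with rights to manage AAD groups and role assignments; the group, resource group and user names are placeholders.

```powershell
# Added example (not part of the original guide). Assumes the Az module and a
# signed-in session that may manage AAD groups and role assignments.
# Group, resource group and user principal names are placeholders.

# --- Audit: what should not be there ---------------------------------------
# Without -Scope, Get-AzRoleAssignment lists every assignment in the current
# subscription, including those on resource groups and individual resources.
$assignments = Get-AzRoleAssignment

$directToUsers = $assignments | Where-Object { $_.ObjectType -eq 'User' }
$owners        = $assignments | Where-Object { $_.RoleDefinitionName -eq 'Owner' }

"Assignments made directly to users (move these to groups):"
$directToUsers | Select-Object DisplayName, RoleDefinitionName, Scope | Format-Table -AutoSize

"Owner grants (each one needs a justification):"
$owners | Select-Object DisplayName, ObjectType, Scope | Format-Table -AutoSize

# --- Grant: group-based, scoped to one resource group ----------------------
$subscriptionId = (Get-AzContext).Subscription.Id
$rgName    = 'rg-project-x'
$groupName = 'sg-project-x-devs'

$group = New-AzADGroup -DisplayName $groupName -MailNickname $groupName
Add-AzADGroupMember -TargetGroupObjectId $group.Id `
    -MemberUserPrincipalName 'dev1@contoso.example'

# Contributor on the project's resource group only: enough to deploy and operate,
# not enough to change who else has access (that needs Owner or User Access Administrator).
New-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName 'Contributor' `
    -Scope "/subscriptions/$subscriptionId/resourceGroups/$rgName"
```

Once access flows through groups, onboarding and offboarding a developer becomes a group membership change rather than a hunt through role assignments, and the audit at the top of the script stays empty, which is the state to alert on when it changes.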
References
Microsoft offers additional documents that provide a high-level framework for best practices. We strongly encourage you to review the following documents:
- Azure Architecture Best Practices – MAQ Software, published July 26, 2018
- Azure Identity Management and access control security best practices – Microsoft Corporation, published April 26, 2018
- Azure security best practices and patterns – Microsoft Corporation, published February 16, 2018
- Azure Network Security Best Practices – Microsoft Corporation, published November 21, 2017