Every day, we hear about security breaches across industries. Each new breach makes senior managers anxious about their enterprise data, motivating them to seek assurance about the state of their cloud security. Over the last decade, the industry has improved tools and operating practices to secure hardware and software environments.
Security Best Practices Guide - Exeliq
Systematic Approach,
Securing Your Cloud Environment
Eight years ago during the Azure public preview, we assured our customers and management that our cloud implementations were secure. Traditionally, for large corporations, databases and applications were placed behind a secure firewall. Securing internal networks from external threats was generally well understood and had been mastered over the previous decade. With public clouds, however, there are new concerns about security and public exposure to data and applications.
To secure our cloud environment, we continually implement the latest security tools and techniques. Every time we adopt a new technique or tool, our developers and operations teams resist the change. DevOps teams are reluctant to change because they do not want to break something that was working earlier. Regardless of pushback, maintaining the latest cloud security practices is essential in any modern enterprise environment.
Review the Azure Security Center
Azure Security Center portal provides a single place to check the security state of cloud resources. Security Center uses machine learning and advanced analytics to detect threats and suggest steps to prevent them. As of July 2018, Security Center costs $15 per node per month. A node is any Azure resource (VM, SQL Database server, and Azure Cloud Services) that is monitored by the service. Enabling Azure Security Center is one of the simplest and best investments for security.
To review the status of your security using Azure Security Center, select Security Center – Overview on the Azure menu. You will see:
Recommendations to improve the security of Azure subscriptions.
An inventory of Compute & Apps, Networking, Data Security, and Identity & Access Resources.
Once you have reviewed the state of your security, you can fix the issues with each resource to secure your cloud environment.
To review the status of your security using Azure Security Center, select Security Center – Overview on the Azure menu. You will see:
Recommendations to improve the security of Azure subscriptions.
An inventory of Compute & Apps, Networking, Data Security, and Identity & Access Resources.
Once you have reviewed the state of your security, you can fix the issues with each resource to secure your cloud environment.
Enable Advanced Threat Protection (ATP)
Azure ATP protects enterprise hybrid environments from multiple types of advanced targeted cyber attacks and insider threats. Azure ATP provides detection for the various phases of an advanced attack including reconnaissance, credential compromise, lateral movement, privilege escalation, domain dominance, and others. These detections identify advanced attacks before they impact your business.
Execute & monitor AzSK results
The Secure DevOps Kit for Azure is a collection of PowerShell based scripts, tools, extensions, and automation that caters to the end to end Azure subscription and resource security needs of DevOps teams. AzSK uses extensive automation and smoothly integrates security into native DevOps workflows.
Follow the principle of “Least Privilege”
Instead of giving full access on all Azure resources to every user, provide access to resources on a need basis. The larger the number of access points, the bigger the area of the threat surface. When providing access to a user, provide the “Least Privilege” possible.
Use Service Principal wherever possible
Service Principals are Azure Active Directory application resources used to perform unattended resource and service-level operations. Use Service Principals for code that needs to access or modify Azure resources. The Service Principals approach is preferable to running the app under user credentials because you can assign permissions to the app identity that are different from user permissions. Typically, these permissions are restricted to exactly what the app needs to do.
Turn off Azure services and servers when not in use and remove inactive resources to:
Reduce the surface area of security threats, especially when resources are not in use.
Reduce the cost of Azure services. There is no need to pay when you are not using a resource. We recommend a strategy of dynamically provisioning a resource only when it is required.
Reduce the cost of Azure services. There is no need to pay when you are not using a resource. We recommend a strategy of dynamically provisioning a resource only when it is required.
Implement an IP whitelisting approach as applicable
IP Restrictions allow you to define a list of IP addresses that can access your app. The ‘allow’ list can include individual IP addresses or a range of IP addresses defined by a subnet mask. Whitelisting is extremely helpful in scenarios where there are a limited number of app users (e.g., internal app, or your next great version). Whitelists prevent unwanted or unauthorized machines from accessing the app.
Use the Azure Key Vault
Azure Key Vault safeguards cryptographic keys and secrets used by cloud applications and services. You can control applications to never have direct access to keys. Developers manage keys used for Dev/Test and can seamlessly migrate keys managed by security operations to production.
Use Azure Disk Encryption to encrypt Azure VMs
By default, hard disks in Azure VMs are not encrypted. Use Azure Disk Encryption to ensure that all data in OS disks and data disks on Azure VMs is encrypted at rest using industry-standard encryption. Azure Disk Encryption uses Azure Key Vault to control and manage encryption keys and secrets in the key vault subscription.
Use Azure Active Directory(AAD) to manage identity and access to cloud applications
AAD is Microsoft’s multi-tenant cloud directory and identity management service. AAD secures and simplifies user access to cloud applications with single sign-on. AAD also protects sensitive data and applications with Azure Multi-Factor Authentication, an additional level of authentication, and machine learning-based reports that identify inconsistent access patterns.
Add a second layer of security by enabling Azure Multi-factor Authentication(MFA)
Azure MFA is a method for verifying user identities via phone call, text message, or mobile app notification, supplementing username and password authentication. Because Azure MFA requires access to a user’s phone, access to the user’s data and applications is protected even if the user’s password is compromised. Organizations that do not add this extra layer of identity protection are more susceptible to credential theft attack, which may lead to data compromise.
Assign access to Azure resources to Active Directory groups, not individuals.
Instead of giving Azure resource access to individual developers, we follow a practice to only assign access to a security group. This practice simplifies access management and ensures that developers only have access to resources for their projects.
Many organizations give individual developers access to resources such as Azure VMs or SQL Servers when they start work on a project. But when a developer moves to a different project, it becomes difficult for organizations to keep track of access privileges that are no longer required. Individual permissions often remain even when the individual is no longer assigned to the project. By assigning access to an Active Directory group, the owner of the group can ensure that only those who are currently assigned to the project have access.
Many organizations give individual developers access to resources such as Azure VMs or SQL Servers when they start work on a project. But when a developer moves to a different project, it becomes difficult for organizations to keep track of access privileges that are no longer required. Individual permissions often remain even when the individual is no longer assigned to the project. By assigning access to an Active Directory group, the owner of the group can ensure that only those who are currently assigned to the project have access.
Remove In-Development Copies of Databases
During the software development process, programmers create copies of existing databases to test their code. Additional backups are created during system software upgrades when new versions of applications are installed or, sometimes, just in case. Over time, developers move on to new projects. Often, after moving to a new project, developers do not take the time to remove unused copies and files from previous systems. The clutter on the server and file store is analogous to a factory where tools, oil, and unfinished parts are lying on the floor. Someone is sure to trip and get hurt.
In the end, security starts and ends with discipline. We need a disciplined team that thinks in a disciplined way and acts with discipline.
References
Microsoft offers additional documents that provide a high-level framework for best practices. We strongly encourage you to review the following documents:
- Azure Architecture Best Practices – MAQ Software, published July 26, 2018
- Azure Identity Management and access control security best practices – Microsoft Corporation, published April 26, 2018
- Azure security best practices and patterns– Microsoft Corporation, published February 16, 2018
- Azure Network Security Best Practices– Microsoft Corporation, published November 21, 2017