Azure Cloud Security – Part 3
Enterprise-class intelligent security
In last week’s piece in our ongoing Azure Cloud Security series, we touched on Microsoft’s Cloud Operations and the people behind the scenes ensuring your data is kept safe.
This week we’re going to look at the technology built into the Azure environment to maintain its rigid security protocols. More specifically, we’ll focus on five areas in which Microsoft has invested heavily: identity and access management, apps and data security, network security, threat protection, and security management.
Identity & Access Management
User identity is now considered the primary perimeter for security. You need to have robust controls to manage access to your infrastructure and apps. Microsoft provides a leading solution to secure your identities, manage access across Azure or other clouds and on-premises resources and keep the modern perimeter protected against internal and external threats.
Centralize Identity Management. Microsoft starts with the best practice of centralizing your identity management solution across hybrid environments. With Azure Active Directory, you can manage and protect identities across infrastructure and apps. Organizations that don’t integrate their on-premises identity with their cloud identity can have more overhead in managing accounts. This overhead increases the likelihood of mistakes and security breaches.
Principle of least privilege with Conditional Access & Role-Based Access Control. Restricting access based on the need-to-know and least-privilege security principles is imperative for organizations that want to enforce security policies for data access. You can use the built-in role-based access control (RBAC) to assign permissions to users, groups, and applications at a certain scope, making sure only the required access is enabled for the appropriate user. Additionally, Conditional Access can help you restrict access to SaaS and Azure AD connected apps based on required conditions such as user location, device or group.
Configuring multi-factor authentication and additional identity protection provided with Azure Active Directory like Privileged Identity Management or Identity Protection will help safeguard your infrastructure against new threats.
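The two RBAC ideas above, scope inheritance (an assignment at a subscription applies to every resource group and resource beneath it) and the union of permissions across assignments, are easy to get wrong when reviewing who can do what. The following is an added example, not Microsoft code and not the Azure SDK: a small model of Azure RBAC evaluation plus a least-privilege check that reports which of a principal's assignments could be removed without losing any permission it actually needs. The role definitions are abbreviated subsets of the built-in roles, and the subscription id, resource names, principals and "needed" permissions are constructed sample data.

```python
"""Added example: a toy model of Azure RBAC scope inheritance and a
least-privilege review. Not the Azure SDK; role definitions are abbreviated."""
from fnmatch import fnmatchcase

# Abbreviated subsets of built-in role definitions (constructed for the example;
# the real definitions carry many more actions and data actions).
ROLES = {
    "Reader": {"actions": ["*/read"], "not_actions": []},
    "Contributor": {
        "actions": ["*"],
        # Contributor can change anything except who has access.
        "not_actions": ["Microsoft.Authorization/*/Write",
                        "Microsoft.Authorization/*/Delete"],
    },
    "Virtual Machine Contributor": {
        "actions": ["Microsoft.Compute/virtualMachines/*"], "not_actions": []},
}

# Constructed scope hierarchy: subscription -> resource group -> resources.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/prod-rg"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/web01"
SA = RG + "/providers/Microsoft.Storage/storageAccounts/prodlogs"

# Constructed role assignments for two principals.
ASSIGNMENTS = [
    {"principal": "ops-team", "role": "Contributor", "scope": SUB},
    {"principal": "ops-team", "role": "Virtual Machine Contributor", "scope": RG},
    {"principal": "auditor", "role": "Reader", "scope": RG},
]


def _in_scope(assignment_scope: str, resource_id: str) -> bool:
    """An assignment applies to its own scope and to everything beneath it."""
    a = assignment_scope.lower().rstrip("/")
    r = resource_id.lower().rstrip("/")
    return r == a or r.startswith(a + "/")


def _role_permits(role: str, action: str) -> bool:
    """Within one role definition, NotActions subtract from Actions.
    Action strings are case-insensitive and may contain '*' wildcards."""
    definition = ROLES[role]
    act = action.lower()
    if any(fnmatchcase(act, p.lower()) for p in definition["not_actions"]):
        return False
    return any(fnmatchcase(act, p.lower()) for p in definition["actions"])


def is_allowed(assignments, principal: str, action: str, resource_id: str) -> bool:
    """Effective permission is the union over every assignment of the principal
    whose scope contains the resource (NotActions never cross assignments)."""
    return any(
        a["principal"] == principal
        and _in_scope(a["scope"], resource_id)
        and _role_permits(a["role"], action)
        for a in assignments
    )


def removable_assignments(assignments, principal: str, needed):
    """Least-privilege review: assignments the principal could lose while still
    holding every (action, resource_id) pair in `needed`."""
    removable = []
    for candidate in (a for a in assignments if a["principal"] == principal):
        remaining = [a for a in assignments if a is not candidate]
        if all(is_allowed(remaining, principal, act, res) for act, res in needed):
            removable.append(candidate)
    return removable


# Constructed list of what ops-team actually does day to day.
OPS_NEEDED = [
    ("Microsoft.Compute/virtualMachines/restart/action", VM),
    ("Microsoft.Storage/storageAccounts/read", SA),
]

if __name__ == "__main__":
    print(is_allowed(ASSIGNMENTS, "auditor", "Microsoft.Compute/virtualMachines/read", VM))
    for a in removable_assignments(ASSIGNMENTS, "ops-team", OPS_NEEDED):
        print("candidate for removal:", a["role"], "at", a["scope"])
```

Run as a script it reports that the Virtual Machine Contributor assignment on the resource group is redundant, because the subscription-wide Contributor already covers both needed actions; a reviewer would normally go the other way and keep the narrower assignment while cutting the broad one, which is the point of checking scope before role.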
Apps & Data Security
Protecting your data throughout its lifecycle and wherever it resides is the most critical step in safeguarding your business.
Azure offers a breadth of options to ensure the privacy and security of your data. These built-in controls make it easier for you to protect data for services across the software as a service (SaaS), platform as a service (PaaS), and infrastructure as a service (IaaS) cloud models.
First, let’s talk about your stored data.
Data encryption at rest is a mandatory step toward data privacy, compliance, and data sovereignty.
Azure Disk Encryption enables IT administrators to encrypt Windows and Linux IaaS VM disks. Disk Encryption combines the industry-standard Windows BitLocker feature and the Linux dm-crypt feature to provide volume encryption for the OS and the data disks. Services like Azure Storage and Azure SQL Database encrypt data at rest by default, and many services offer encryption as an option.
Next, let’s talk about data in transit.
This is where your responsibility comes in.
Organizations that fail to protect data in transit are more susceptible to man-in-the-middle attacks, eavesdropping, and session hijacking. These attacks can be the first step in gaining access to confidential data.
Microsoft recommends that you always use SSL/TLS protocols to exchange data across different locations. In some circumstances, you might want to isolate the entire communication channel between your on-premises and cloud infrastructures by using a VPN.
Next, how do you secure data in use?
Security is a key concern, especially when you’re moving extremely sensitive IP and data to the cloud. There are ways to secure data at rest and in transit, but you also need to protect your data from threats while it’s being processed. Now you can. Confidential computing adds new data security capabilities, using trusted execution environments (TEEs) or encryption mechanisms to protect your data while in use. Azure, in partnership with Intel’s SGX technology, offers a new virtual machine series called DC that permits only authorized code to run inside the TEE and to access the data, so code and data are protected against viewing and modification from outside the TEE.
- At rest examples: Azure Storage Service Encryption & SQL Server Transparent Data Encryption (TDE)
- In transit examples: HTTPS & TLS
Microsoft offers services that enhance the protection of your network at the level of your application, and within your application to reduce the attack surface.
Now, let’s talk about threat protection. This is in some ways the classical idea that many people have when they think about cybersecurity issues. The interesting thing about threat protection is that it’s really a means to an end. You want to make sure that you’re protected against threats because they are the way that hackers and other attackers are trying to get access to your information.
Managing security centrally helps you consolidate security controls, ensure organizational compliance quickly and monitor security state across cloud infrastructure in real time.
The last category that we’ll cover is security management. This is a tremendously important topic for users of the Azure Cloud.
The best outcome is lots to see, and nothing to do.
SMART governance: Enabling velocity through native controls
- Policy, cost management and ARM-level security still allow development teams to execute at the velocity they need, while IT manages natively as a custodian without getting in the way.
- When it comes to cloud management platforms and brokers, we are approaching this differently. We are integrating the governance into the cloud, rather than a shim between the cloud and the customer.
Azure governance consists of 5 capabilities (Policy, Blueprints, Resource Graph, Management Group, Cost Management) to ensure you will have the right tools for your applications or workload teams, so they can use cloud resources in an accountable & responsible fashion.
With governance in place, you’ll want to review your security posture and take action on alerts as they arise, as well as security recommendations to improve your Secure Score.
Our recommendation: turn on Azure Security Center
Azure Security Center helps you simplify security management for your cloud infrastructure. It continuously assesses the security state of your cloud resources across virtual machines, networks, applications and data services, and even monitors server workloads running in other clouds and on-premises datacenters. It helps you visualize the security state and quickly get insights on the configured security controls through Secure Score: you get a numerical value for your current state and recommended actions, helping you prioritize the mitigations that improve your security posture. With its best-practice guidance and recommendations you can prevent common misconfigurations such as exposure of sensitive resources to the internet, lack of encryption, missing updates or a missing firewall for your cloud workloads.
With Azure, you are also able to define a granular central policy to ensure compliance with your corporate standards and service level agreements. You can define policies for your Azure subscriptions or management group, which can represent an entire organization or business units within an organization. You can tailor them to your type of workload or the sensitivity of your data. For example, applications that use regulated data, such as personally identifiable information, might require a higher level of security than other workloads.
With compliance reports, you can gain visibility into your environment to see whether the various controls are configured to help you meet regulatory compliance requirements such as CIS, PCI, SOC, and ISO.
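Azure Policy definitions follow an `if` (the non-compliant condition) / `then` (the effect) shape, and a `deny` effect blocks a deployment while `audit` only records a finding. The following is an added example, not Microsoft code and not the Azure Policy engine: a small evaluator in that shape, run over a constructed resource inventory, that both produces the per-policy compliance view described above and acts as a deploy-time gate. It encodes the earlier data-protection recommendations (HTTPS-only and current TLS for data in transit, encryption at rest for VM disks) as rules. Policy names, the `properties.*` field paths and the inventory are constructed for the example; they approximate, but are not, Azure Policy aliases.

```python
"""Added example: a mini Azure-Policy-style evaluator over a constructed
inventory. Field paths and policy names are constructed, not Azure aliases."""

# Constructed inventory: two storage accounts and two VMs.
RESOURCES = [
    {"name": "prodlogs", "type": "Microsoft.Storage/storageAccounts",
     "properties": {"supportsHttpsTrafficOnly": True, "minimumTlsVersion": "TLS1_2"}},
    {"name": "legacyblob", "type": "Microsoft.Storage/storageAccounts",
     "properties": {"supportsHttpsTrafficOnly": False, "minimumTlsVersion": "TLS1_0"}},
    {"name": "web01", "type": "Microsoft.Compute/virtualMachines",
     "properties": {"osDiskEncrypted": True}},
    {"name": "batch02", "type": "Microsoft.Compute/virtualMachines",
     "properties": {"osDiskEncrypted": False}},
]

# Constructed policies in the if/then shape: `if` describes the NON-compliant
# state; `effect` says whether to block (deny) or just report (audit).
STORAGE = {"field": "type", "equals": "Microsoft.Storage/storageAccounts"}
VM = {"field": "type", "equals": "Microsoft.Compute/virtualMachines"}
POLICIES = [
    {"name": "storage-https-only", "effect": "deny",
     "if": {"allOf": [STORAGE, {"field": "properties.supportsHttpsTrafficOnly",
                                 "notEquals": True}]}},
    {"name": "storage-min-tls12", "effect": "audit",
     "if": {"allOf": [STORAGE, {"field": "properties.minimumTlsVersion",
                                 "notEquals": "TLS1_2"}]}},
    {"name": "vm-os-disk-encrypted", "effect": "audit",
     "if": {"allOf": [VM, {"field": "properties.osDiskEncrypted", "notEquals": True}]}},
]


def get_field(resource: dict, path: str):
    """Dotted-path lookup; a missing field evaluates to None (so a rule written
    as notEquals <good value> also catches resources that never set the field)."""
    current = resource
    for part in path.split("."):
        if not isinstance(current, dict) or part not in current:
            return None
        current = current[part]
    return current


def matches(condition: dict, resource: dict) -> bool:
    """Evaluate one condition node: allOf / anyOf / not, or a field comparison."""
    if "allOf" in condition:
        return all(matches(c, resource) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(matches(c, resource) for c in condition["anyOf"])
    if "not" in condition:
        return not matches(condition["not"], resource)
    value = get_field(resource, condition["field"])
    if "equals" in condition:
        return value == condition["equals"]
    if "notEquals" in condition:
        return value != condition["notEquals"]
    if "exists" in condition:
        return (value is not None) == condition["exists"]
    raise ValueError(f"unsupported condition: {condition}")


def evaluate(policies, resources) -> dict:
    """Compliance view: for each policy, the names of non-compliant resources."""
    return {
        p["name"]: {"effect": p["effect"],
                    "non_compliant": [r["name"] for r in resources if matches(p["if"], r)]}
        for p in policies
    }


def deployment_gate(policies, new_resource: dict) -> list:
    """Deploy-time check: names of `deny` policies a proposed resource would
    violate. Empty list means the deployment would be allowed (audit findings
    still show up later in evaluate())."""
    return [p["name"] for p in policies
            if p["effect"] == "deny" and matches(p["if"], new_resource)]


if __name__ == "__main__":
    for name, result in evaluate(POLICIES, RESOURCES).items():
        print(f"{name} ({result['effect']}): {result['non_compliant'] or 'compliant'}")
```

The gate is the part worth copying into a pipeline: the same rule that shows up as a red line in a compliance report should refuse the ARM deployment that would create the non-compliant resource, so the report stays a record of drift rather than a to-do list.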
Core ASC points for visibility:
- Continuously assess the security posture across your infrastructure, including on-premises and cross-cloud security posture.
- Enterprise policy to help monitor security and compliance.
- Regulatory compliance reports, such as PCI compliance, to help you meet your compliance requirements.
To recap, Microsoft invests in built-in controls across the layers.
Identity: With the industry-leading solution for identity and access management in Azure Active Directory, you gain greater control over protecting against identity threats. Capabilities like role-based access control, MFA and Identity Protection ensure the right users get the appropriate level of access and help you minimize the risks associated with identity theft or misuse of admin privileges.
App and Data protection: Ensure confidentiality and integrity of data by leveraging multiple encryption options for data at rest in virtual machines, databases and storage. Data encryption controls are built into services from virtual machines to Storage, SQL, Cosmos DB and Azure Data Lake. Azure Key Vault enables you to safeguard and control the cryptographic keys and other secrets used by cloud apps and services.
Network security: You can establish secure connections to and within Azure using virtual networks, network security groups, VPN, and ExpressRoute. Protect and ensure the availability of your apps, and protect against network-layer threats, with services like Web Application Firewall, Azure Firewall and Azure DDoS Protection.
Threat Protection and Security Management: Finally, it is equally important to assess the security state continuously, especially as cloud workloads change dynamically. Azure Security Center will help you monitor the security state of Azure resources and hybrid workloads. It provides a dynamic security scorecard and recommendations to improve your security in a centralized console, making security management easier across different resources. You also get advanced threat protection across many services, including virtual machines, servers, apps, Azure SQL, Storage and containers on VMs; backed by the Microsoft Intelligent Graph, you are able to detect and respond to threats quickly across these services. Azure also offers a robust log management system, and you can get a lot more insight from Log Analytics.
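Network security groups decide a flow's fate by evaluating rules in ascending priority order, with the first match winning and Azure's default rules (AllowVnetInBound at 65000, AllowAzureLoadBalancerInBound at 65001, DenyAllInBound at 65500) catching whatever custom rules do not. The following is an added example, not Microsoft code and not the Azure SDK: a small model of that inbound evaluation, plus the check Security Center's recommendations correspond to, reporting when SSH or RDP is effectively reachable from the internet. The service-tag handling is a deliberate simplification (VirtualNetwork is treated as the RFC 1918 ranges, Internet as everything else); the custom rules and the TEST-NET addresses used as sample sources are constructed.

```python
"""Added example: toy NSG inbound evaluation and an internet-exposure check.
Not the Azure SDK; service tags are simplified, sample rules are constructed."""
import ipaddress

# Azure's default inbound rules (real names and priorities).
DEFAULT_INBOUND = [
    {"name": "AllowVnetInBound", "priority": 65000, "access": "Allow",
     "protocol": "*", "source": "VirtualNetwork", "dest_ports": "*"},
    {"name": "AllowAzureLoadBalancerInBound", "priority": 65001, "access": "Allow",
     "protocol": "*", "source": "AzureLoadBalancer", "dest_ports": "*"},
    {"name": "DenyAllInBound", "priority": 65500, "access": "Deny",
     "protocol": "*", "source": "*", "dest_ports": "*"},
]

# Simplification: treat the VirtualNetwork tag as RFC 1918 space and Internet as
# everything that is neither RFC 1918 nor the platform load-balancer probe address.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LB_PROBE = ipaddress.ip_address("168.63.129.16")  # Azure load balancer probe source

# Constructed custom rules; the second one is the misconfiguration we want to catch.
RULES = [
    {"name": "AllowHttpsFromInternet", "priority": 100, "access": "Allow",
     "protocol": "Tcp", "source": "Internet", "dest_ports": "443"},
    {"name": "AllowSshFromAnywhere", "priority": 200, "access": "Allow",
     "protocol": "Tcp", "source": "*", "dest_ports": "22"},
    {"name": "AllowRdpFromOffice", "priority": 300, "access": "Allow",
     "protocol": "Tcp", "source": "198.51.100.0/24", "dest_ports": "3389"},
]


def _port_matches(spec: str, port: int) -> bool:
    """Port spec may be '*', a single port, a range 'a-b', or a comma list."""
    for item in str(spec).split(","):
        item = item.strip()
        if item == "*":
            return True
        if "-" in item:
            lo, hi = (int(x) for x in item.split("-"))
            if lo <= port <= hi:
                return True
        elif int(item) == port:
            return True
    return False


def _source_matches(spec: str, src_ip: str) -> bool:
    ip = ipaddress.ip_address(src_ip)
    if spec == "*":
        return True
    if spec == "AzureLoadBalancer":
        return ip == LB_PROBE
    in_vnet = any(ip in net for net in RFC1918)
    if spec == "VirtualNetwork":
        return in_vnet
    if spec == "Internet":
        return not in_vnet and ip != LB_PROBE
    return ip in ipaddress.ip_network(spec, strict=False)  # literal CIDR / address


def effective_access(rules, src_ip: str, dest_port: int, protocol: str = "Tcp"):
    """Lowest priority number wins; returns (access, matching rule name)."""
    for rule in sorted(rules + DEFAULT_INBOUND, key=lambda r: r["priority"]):
        if rule["protocol"] not in ("*", protocol):
            continue
        if not _source_matches(rule["source"], src_ip):
            continue
        if not _port_matches(rule["dest_ports"], dest_port):
            continue
        return rule["access"], rule["name"]
    return "Deny", "implicit"


MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP"}


def internet_exposed_management_ports(rules):
    """Detection: (label, port, rule) for each management port an arbitrary
    internet host can reach. 203.0.113.10 (TEST-NET-3) stands in for that host."""
    findings = []
    for port, label in MANAGEMENT_PORTS.items():
        access, name = effective_access(rules, "203.0.113.10", port)
        if access == "Allow":
            findings.append((label, port, name))
    return findings


if __name__ == "__main__":
    for finding in internet_exposed_management_ports(RULES):
        print("exposed to internet:", finding)
```

The check probes the effective result rather than grepping rule text, so it also catches a permissive `*` source at low priority overriding a later deny, which is the case a rule-by-rule review tends to miss.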