Azure Security. Securing cloud apps and infrastructure the right way
Half the battle with securing the cloud is understanding the services and how they differ from on-premises. In this blog I’m going to highlight some key areas to consider when securing your Azure-based solutions.
Provide a baseline
The first step is to get the organisation on the same page regarding a security baseline. If all data must be held in the UK, people need to know about it. If a web application firewall must be used for all apps, structure an onboarding process to make that happen. Without the proper governance in place you’ll find resources springing up all over the place and quickly lose track.
- Use Azure Policy to audit or enforce security standards, but be careful not to be too restrictive.
- Use management groups and subscriptions for logical separation.
- Adopt DevOps and template the build process to ensure security requirements are met.
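As an added example (not from the original post), this is an Azure Policy definition that captures the “data must be held in the UK” baseline above. The display name, parameter names and default region list are assumptions; the effect parameter defaults to Audit so you can see what would be blocked before switching the assignment to Deny.

```json
{
  "properties": {
    "displayName": "Restrict resource locations (audit or deny)",
    "description": "Example policy: flags or blocks resources created outside the permitted regions, excluding global resources.",
    "mode": "Indexed",
    "parameters": {
      "allowedLocations": {
        "type": "Array",
        "metadata": {
          "displayName": "Allowed locations",
          "strongType": "location"
        },
        "defaultValue": [ "uksouth", "ukwest" ]
      },
      "effect": {
        "type": "String",
        "metadata": { "displayName": "Effect" },
        "allowedValues": [ "Audit", "Deny" ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          { "field": "location", "notIn": "[parameters('allowedLocations')]" },
          { "field": "location", "notEquals": "global" }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  }
}
```

The `global` exclusion stops region-less resources (DNS zones, for example) being flagged; assign the definition at a management group so the baseline applies to every subscription beneath it.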
Watch your identity and secrets
With accessibility and mobility critical, there’s no doubt the focus for cloud security has shifted to identity as the primary security perimeter. Disparate apps using different identity providers are as common as ever, and bringing them together is critical to help you track threats and revoke permissions easily.
Least privilege is a given: users should only have access to what they need. But what about apps and infrastructure? For these, the aim should be to avoid credentials being stored on workstations or in code.
- Use managed identities to connect services such as App Service and Azure SQL and help remove credentials from code.
- Integrate Azure Key Vault into DevOps pipelines for secure storage of secrets, credentials and certificates.
- Use Azure AD authentication with Azure SQL to securely manage access to databases.
(Screenshot: enabling managed identity on App Service)
Beware of Public IP addresses
Yes, you can assign a public IP to a virtual machine, but does that mean you should? Contrary to popular belief, Azure does not provide a one-size-fits-all security baseline by default. In fact, with the creation and deletion of resources being so easy, it’s now possible to create an insecure solution that’s here one minute and gone the next. This self-service approach is great for increasing productivity, but make sure you’re happy with the risks.
PaaS and serverless solutions are made up of publicly reachable endpoints designed to make networking simple. If you want to take advantage of this technology but are worried about security, here are a few options.
- Private Link – Currently in preview, Private Link gives your PaaS resources a private endpoint reachable from within your Virtual Network.
- Service endpoints – A redirect method that routes requests via the Azure backbone rather than the public internet.
- Provision private managed services such as App Service Environment (expensive!) or Azure Kubernetes Service if you’re utilising containers.
(Diagram: Azure Private Link)
Proactively Monitor & Test
If you don’t monitor your security, you’ll never have peace of mind or concrete evidence to support an audit. Unfortunately, this is often ignored, with a finger-in-the-air assessment being used to gauge the current state. Azure Security Center aims to assist you in the end-to-end monitoring process and reduce the manpower required. It’s an essential tool that assesses your environment and helps identify areas to improve.
- Some warnings are acceptable due to technical requirements, so each should be considered carefully rather than dismissed wholesale.
- Use the standard tier to gain access to behavioural analysis, anomaly detection, security incidents and threat attribution reports. A 30-day trial is available.
- Take advantage of Security Center’s auto-enrolment feature to automatically deploy the required dependencies to Virtual Machines.
- Automate threat responses by using the workflow automation feature to respond as quickly as possible.