10 Steps to Azure Security Best Practice
Are you in the early stages of provisioning your cloud services and looking for a way to secure them? It can seem like there is so much to learn about cloud architecture for your infrastructure or applications, and then you have to secure it all too!? Urgh, what a pain. Yes, you can reach out to a consultancy like Inverto to help you “take care of it”, but that still takes your time to define requirements and manage the implementation. Security is a must, but you may not have time for it right now, so if you follow these 10 Azure security best practice recommendations you will have at least a baseline in place to keep you going until you have time to invest further in protecting your environment.
Click on the headings below to go to a more detailed guide so we can secure your environment together!
MFA: everybody is doing it and so should you. If you aren’t familiar with MFA, it is simply an additional step in authentication: typically you enter your username and password and are then prompted for a code from an app on your phone, or some other second factor. Given that it is quite easy to implement on a small scale, this is one you should go ahead with, as compromising resources through identity is one of the most common methods of attack. Also, make sure MFA is enforced rather than just enabled. With the per-user MFA setting, an account that is only Enabled is asked to register at its next sign-in but can still authenticate with a password alone through older protocols that cannot do MFA; Enforced is the state that actually protects those critical accounts. Personally, I prefer to use an app rather than SMS to protect against SIM swapping.
The linked guide shows you how to apply MFA to individual or bulk users. There are, of course, multiple ways to enforce MFA, such as through policy. The important thing is that you have it enforced for critical accounts. We can kick this up a notch by implementing it with conditional access, but let’s keep it simple for now.
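The “enforced, not just enabled” point above, as an added example that is not part of the original guide. It uses the legacy MSOnline module, which is the per-user MFA mechanism the guide describes (Microsoft has since retired MSOnline in favour of Conditional Access, which the text mentions as the next step). It assumes Connect-MsolService succeeds, and the account names are placeholders.

```powershell
# Added example, not from the original guide: enforce per-user MFA on a list of
# critical accounts with the legacy MSOnline module, then report every user whose
# state is still only Enabled (or Disabled). Assumes Connect-MsolService succeeds;
# the UPNs below are placeholders for your own admin accounts.
Import-Module MSOnline
Connect-MsolService

$criticalAccounts = @(
    'globaladmin@contoso.onmicrosoft.com'   # placeholder
    'sec.admin@contoso.onmicrosoft.com'     # placeholder
)

# Enabled  = user is asked to register MFA at next browser sign-in, but older
#            protocols that cannot do MFA still work with the password alone.
# Enforced = MFA is required; legacy clients need an app password or are blocked.
$requirement = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$requirement.RelyingParty = '*'
$requirement.State = 'Enforced'

foreach ($upn in $criticalAccounts) {
    Set-MsolUser -UserPrincipalName $upn -StrongAuthenticationRequirements @($requirement)
}

# Check: list every user whose state is anything other than Enforced. An empty
# StrongAuthenticationRequirements collection means per-user MFA is Disabled.
Get-MsolUser -All |
    ForEach-Object {
        $state = if ($_.StrongAuthenticationRequirements.Count -gt 0) {
            $_.StrongAuthenticationRequirements[0].State
        } else {
            'Disabled'
        }
        [pscustomobject]@{ UserPrincipalName = $_.UserPrincipalName; MfaState = $state }
    } |
    Where-Object MfaState -ne 'Enforced' |
    Format-Table -AutoSize
```

Run the final check on its own first: it is the quickest way to see which privileged accounts are sitting in the Enabled state and think they are protected when they are not.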
Access reviews, specifically for storage containers, are very important. You may be tempted to remove all restrictions on your storage, turning on anonymous (public) read access for a blob container as a “temporary” workaround to get something working. But like lots of temporary things in IT, it inevitably turns permanent and you could be left with egg on your face…or a legal case if you don’t secure your storage. Save yourself the hassle and don’t become another ABC by ensuring correct access controls are placed on storage: no anonymous container access unless there is a documented reason for it, and account keys, SAS tokens and role assignments reviewed regularly.
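The storage access review described above, as an added example that is not part of the original guide: it lists every blob container in the subscription that allows anonymous access, then turns public access off at the account level so a container cannot quietly be made public again. It assumes Connect-AzAccount has been run with an identity that can list storage account keys; all names are placeholders.

```powershell
# Added example, not from the original guide: audit anonymous blob access across a
# subscription, then block public access at the storage-account level.
# Assumes Connect-AzAccount has been run and the caller can list account keys
# ($sa.Context uses the keys to enumerate containers).
$findings = foreach ($sa in Get-AzStorageAccount) {
    foreach ($c in Get-AzStorageContainer -Context $sa.Context) {
        # PublicAccess is Off, Blob (anonymous read of blobs by URL) or
        # Container (anonymous listing of the whole container plus read).
        $level = "$($c.PublicAccess)"
        if ($level -notin @('', 'Off')) {
            [pscustomobject]@{
                StorageAccount = $sa.StorageAccountName
                ResourceGroup  = $sa.ResourceGroupName
                Container      = $c.Name
                PublicAccess   = $level
            }
        }
    }
}

# Review: this is the list to justify or fix.
$findings | Format-Table -AutoSize

# Fix: disable public access for each affected account. Existing public containers
# become private as well; anything that legitimately needs anonymous access belongs
# in a dedicated account where this setting is deliberately left on.
foreach ($f in $findings | Sort-Object StorageAccount -Unique) {
    Set-AzStorageAccount -ResourceGroupName $f.ResourceGroup -Name $f.StorageAccount `
        -AllowBlobPublicAccess $false
}

# Check: no account should report AllowBlobPublicAccess as $true afterwards.
Get-AzStorageAccount |
    Select-Object StorageAccountName, ResourceGroupName, AllowBlobPublicAccess |
    Format-Table -AutoSize
```

The account-level switch is the important part: a per-container review only tells you about today, whereas AllowBlobPublicAccess = false stops the “temporary” workaround from being repeated.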
Just like the blob access review, it is important to know who has access to your resources within Azure. Microsoft provide an extensive list of predefined roles which you can assign to a user to perform the tasks they need to do. So, following the least-privilege approach, assign your team only the roles they need, at the narrowest scope that still works (a resource group or an individual resource rather than the subscription), instead of full access. For example, if someone only needs to manage backups, give them the Backup Operator role. This reduces your exposure should that user account be compromised or the user go rogue. A full list of RBAC roles can be found here, but you can always create a custom role if none fits.
Just remember that Azure RBAC applies to operations at the control plane, the tasks you perform through Azure itself. It does not apply inside your resources, such as NTFS or database permissions (Azure has since added data-plane roles for some services, such as the Storage Blob Data roles, but they are the exception). The reverse also applies: some control-plane permissions effectively grant data access, for example a role that can list storage account keys can read everything in that account, so look at a role’s Actions before handing it out rather than trusting its name.
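The review and the least-privilege assignment described above, as an added example that is not part of the original guide. It assumes Connect-AzAccount has been run; the user, resource group and role names are placeholders apart from Backup Operator, which is a real built-in role.

```powershell
# Added example, not from the original guide: review broad role assignments at
# subscription scope, then grant a backup admin only Backup Operator on one
# resource group. Assumes Connect-AzAccount has been run; names are placeholders.
$subId = (Get-AzContext).Subscription.Id

# Review: Owner / Contributor / User Access Administrator at subscription scope
# (including assignments inherited from a management group) is a wide blast radius.
Get-AzRoleAssignment -Scope "/subscriptions/$subId" |
    Where-Object { $_.RoleDefinitionName -in 'Owner', 'Contributor', 'User Access Administrator' } |
    Select-Object DisplayName, ObjectType, RoleDefinitionName, Scope |
    Format-Table -AutoSize

# Least privilege: scope the role to the resource group holding the Recovery
# Services vault instead of the whole subscription.
$backupAdmin = Get-AzADUser -UserPrincipalName 'backup.admin@contoso.com'   # placeholder
New-AzRoleAssignment -ObjectId $backupAdmin.Id `
    -RoleDefinitionName 'Backup Operator' `
    -ResourceGroupName 'rg-backup-prod'                                     # placeholder

# Check: what the role actually permits is in its Actions list. Reading this before
# assigning a role is how you spot things like */listKeys/action, which turns a
# "control plane only" role into data access.
(Get-AzRoleDefinition -Name 'Backup Operator').Actions
```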
Encrypting virtual machine disks may seem redundant to some, given that Azure Storage Service Encryption (SSE) already encrypts storage at rest. However, SSE is transparent to anyone who can reach the storage: if somebody gains access to the storage account or managed disk holding your VM disks, they can export the VHD and read it in full. Azure Disk Encryption (ADE) encrypts inside the guest (BitLocker on Windows, dm-crypt on Linux) with the keys held in your Key Vault, so a copied VHD is useless without access to the vault. So even if you don’t have a compliance requirement, you should still consider using ADE on top of SSE, which is enabled by default.
If you are new to Azure, this is also a good introduction to Azure Key Vault, which ADE uses to hold the disk encryption secrets. We won’t go into it much here, but some basic exposure to another service is always useful when you are getting a feel for the platform.
The linked guide shows you how to apply encryption to disks using Microsoft managed keys, but if you have a preference or requirement to manage your own, ADE supports wrapping the disk encryption secret with a key encryption key (KEK) that you control in Key Vault.
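The ADE set-up described above, as an added example that is not part of the original guide: it makes sure a Key Vault is enabled for disk encryption, encrypts the OS and data disks of an existing VM, and then reads back the encryption status. It assumes Connect-AzAccount has been run and that the vault is in the same region as the VM (an ADE requirement); all names are placeholders.

```powershell
# Added example, not from the original guide: enable Azure Disk Encryption on an
# existing VM and verify it. Assumes Connect-AzAccount has been run; names are
# placeholders. The vault must be in the same region as the VM.
$rg       = 'rg-app-prod'
$vmName   = 'vm-app-01'
$kvName   = 'kv-ade-prod-01'
$location = (Get-AzResourceGroup -Name $rg).Location

# The vault needs the disk-encryption flag, otherwise the platform is not allowed
# to write the BitLocker / dm-crypt secret into it.
$kv = Get-AzKeyVault -VaultName $kvName -ResourceGroupName $rg -ErrorAction SilentlyContinue
if (-not $kv) {
    $kv = New-AzKeyVault -VaultName $kvName -ResourceGroupName $rg -Location $location `
        -EnabledForDiskEncryption
} else {
    Set-AzKeyVaultAccessPolicy -VaultName $kvName -ResourceGroupName $rg -EnabledForDiskEncryption
}

# Encrypt OS and data volumes. This installs the ADE extension and restarts the VM,
# so run it in a maintenance window. Without -KeyEncryptionKeyUrl the secret is
# stored in the vault as-is; add -KeyEncryptionKeyUrl / -KeyEncryptionKeyVaultId
# to wrap it with a key you manage.
Set-AzVMDiskEncryptionExtension -ResourceGroupName $rg -VMName $vmName `
    -DiskEncryptionKeyVaultUrl $kv.VaultUri `
    -DiskEncryptionKeyVaultId $kv.ResourceId `
    -VolumeType All -Force

# Check: OsVolumeEncrypted and DataVolumesEncrypted should both read "Encrypted".
Get-AzVMDiskEncryptionStatus -ResourceGroupName $rg -VMName $vmName
```

Treat access to that Key Vault as equivalent to access to the disks: a Key Vault access policy that is too generous undoes the benefit of encrypting in the first place.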
5. Region Deployments
One of the problems in moving to the cloud is that you can lose control of where your data lives, quickly. As systems and services are spun up to host applications, files, servers and so on, you can find yourself in a bit of a pickle when it comes to applying control. Luckily, Microsoft give you several options for controlling where your data is stored, and for Azure we will focus on Azure Policy. The policy itself is simple to implement: it denies any deployment to a region outside an allowed list, which keeps you in control and helps maintain whatever data residency compliance the business requires. It can also go some way to saving you money, and who doesn’t like that!? For example, deploying an application in Australia Southeast and its SQL database in West US could lead to needless data egress charges (and latency).
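The allowed-regions policy described above, as an added example that is not part of the original guide. The rule mirrors the shape of Microsoft’s built-in “Allowed locations” policy (which you can assign directly instead); it is written out here so the rule logic is visible. It assumes Connect-AzAccount has been run; the region list is a placeholder.

```powershell
# Added example, not from the original guide: a custom Azure Policy that denies any
# resource created outside an allowed list of regions, assigned at subscription scope.
# Assumes Connect-AzAccount has been run; the allowed regions are placeholders.
$rule = @'
{
  "if": {
    "allOf": [
      { "field": "location", "notIn": "[parameters('allowedLocations')]" },
      { "field": "location", "notEquals": "global" },
      { "field": "type", "notEquals": "Microsoft.AzureActiveDirectory/b2cDirectories" }
    ]
  },
  "then": { "effect": "deny" }
}
'@

$params = @'
{
  "allowedLocations": {
    "type": "Array",
    "metadata": {
      "displayName": "Allowed locations",
      "strongType": "location",
      "description": "Regions where resources may be deployed"
    }
  }
}
'@

# Mode Indexed skips resource types that have no location property of their own,
# and the "global" exception covers region-less services such as Traffic Manager
# and Azure DNS, which would otherwise be blocked by mistake.
$definition = New-AzPolicyDefinition -Name 'deny-resources-outside-allowed-regions' `
    -DisplayName 'Deny resources outside allowed regions' `
    -Mode Indexed -Policy $rule -Parameter $params

$subId = (Get-AzContext).Subscription.Id
New-AzPolicyAssignment -Name 'allowed-regions' `
    -Scope "/subscriptions/$subId" `
    -PolicyDefinition $definition `
    -PolicyParameterObject @{ allowedLocations = @('australiasoutheast', 'australiaeast') }

# Check: a deployment to any other region is now refused at the control plane
# (RequestDisallowedByPolicy) before anything is created. Resources that already
# exist elsewhere are reported as non-compliant, not moved or deleted.
Get-AzPolicyAssignment -Name 'allowed-regions' -Scope "/subscriptions/$subId"
```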
Resource locks are a nice little feature on the Azure control plane that are easy to implement. They come in two flavours, CanNotDelete and ReadOnly, and the functions are quite self-explanatory. Apply a CanNotDelete lock to prevent anyone from deleting the resources it is applied to; apply a ReadOnly lock to make your resources…ummmmm…read only. Be careful with the latter, though, as it blocks any operation that changes or invokes the resource and can cause unexpected effects such as the inability to start a VM or list storage account keys. Personally, I keep it simple with the CanNotDelete lock and only apply ReadOnly where necessary. Remember that a lock protects against accidents, not attackers: anyone with Owner or User Access Administrator rights can remove it. Be sure to document your locks as you apply them (the lock’s notes field is a good place for the why).
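A CanNotDelete lock applied the way the paragraph above recommends, as an added example that is not part of the original guide, including the inventory that serves as the documentation. It assumes Connect-AzAccount has been run; the resource group name and note text are placeholders.

```powershell
# Added example, not from the original guide: lock a production resource group
# against deletion, record why in the lock itself, then inventory every lock in the
# subscription. Assumes Connect-AzAccount has been run; names are placeholders.
$rg = 'rg-app-prod'

# A lock on the resource group is inherited by everything inside it, including
# resources added later.
New-AzResourceLock -LockName 'no-delete-prod' -LockLevel CanNotDelete `
    -ResourceGroupName $rg `
    -LockNotes 'Production app group. Remove only under an approved change record.' `
    -Force

# Check / documentation: list all locks with their level and notes. Run this on a
# schedule and diff it; a lock that disappears without a change record is worth a question.
Get-AzResourceLock |
    Select-Object Name, ResourceGroupName, ResourceName, ResourceType,
        @{ Name = 'Level'; Expression = { $_.Properties.level } },
        @{ Name = 'Notes'; Expression = { $_.Properties.notes } } |
    Format-Table -AutoSize
```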
Once you have created and set up your virtual machines the way you want them, the last thing you need is somebody coming along and installing an extension you don’t want or need. Not only can this create a ‘messy’ server, increase costs or cause resource strain, it may also be sending server data to a location you don’t know about, since an extension runs with full privileges inside the guest. This could result in data loss or a compliance breach. Lucky for us, there are a number of ways to control server configuration, with options such as DSC and GPO. However, we will focus on Azure Policy, as you have already gained exposure to it in the region deployments task and this article is all about quick(ish) measures for you to take.
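The extension control described above, as an added example that is not part of the original guide: a policy that denies any VM extension whose publisher or type is not on an approved list, assigned to one resource group, followed by an inventory of what is already installed (a deny effect stops new installs; it does not remove existing ones). It assumes Connect-AzAccount has been run; the approved list and resource group are placeholders for your own standard build.

```powershell
# Added example, not from the original guide: deny VM extensions that are not on an
# approved publisher/type list, then inventory what is already installed.
# Assumes Connect-AzAccount has been run; the list and names are placeholders.
$rule = @'
{
  "if": {
    "allOf": [
      { "field": "type", "equals": "Microsoft.Compute/virtualMachines/extensions" },
      {
        "anyOf": [
          { "field": "Microsoft.Compute/virtualMachines/extensions/publisher", "notIn": "[parameters('approvedPublishers')]" },
          { "field": "Microsoft.Compute/virtualMachines/extensions/type", "notIn": "[parameters('approvedTypes')]" }
        ]
      }
    ]
  },
  "then": { "effect": "deny" }
}
'@

$params = @'
{
  "approvedPublishers": { "type": "Array", "metadata": { "displayName": "Approved extension publishers" } },
  "approvedTypes":      { "type": "Array", "metadata": { "displayName": "Approved extension types" } }
}
'@

$definition = New-AzPolicyDefinition -Name 'deny-unapproved-vm-extensions' `
    -DisplayName 'Deny VM extensions not on the approved list' `
    -Mode Indexed -Policy $rule -Parameter $params

$rg = Get-AzResourceGroup -Name 'rg-app-prod'   # placeholder
New-AzPolicyAssignment -Name 'approved-vm-extensions' -Scope $rg.ResourceId `
    -PolicyDefinition $definition `
    -PolicyParameterObject @{
        # Keep the disk encryption and monitoring agents from the earlier steps allowed.
        # CustomScriptExtension (publisher Microsoft.Compute) is deliberately absent:
        # it runs arbitrary scripts as SYSTEM/root and is a favourite for persistence.
        approvedPublishers = @('Microsoft.Azure.Security', 'Microsoft.EnterpriseCloud.Monitoring')
        approvedTypes      = @('AzureDiskEncryption', 'AzureDiskEncryptionForLinux', 'MicrosoftMonitoringAgent')
    }

# Check: what is installed today on each VM in the group. Anything outside the list
# was there before the policy and can be removed with Remove-AzVMExtension.
foreach ($vm in Get-AzVM -ResourceGroupName $rg.ResourceGroupName) {
    Get-AzVMExtension -ResourceGroupName $rg.ResourceGroupName -VMName $vm.Name |
        Select-Object @{ Name = 'VM'; Expression = { $vm.Name } },
            Name, Publisher, ExtensionType, ProvisioningState
}
```

Because the policy only evaluates the publisher and type strings, keep the approved list as short as your build genuinely needs; every extra entry is another agent that can be pushed onto your servers by anyone with write access to the VM.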
Seems obvious, right? There are dozens, if not hundreds, of ways to generate alerts and implement monitoring across your Azure environment. So many, in fact, that we built an entire service offering around it! For now, as you start to build out your Azure environment and validate solutions, ensure you have basic alerting in place so that you actually hear about it if Azure detects a compromised resource or someone makes a security-relevant change (at minimum, a security contact email registered in Security Centre and activity log alerts on things like role assignments and NSG rule changes).
From there, we can layer on additional services such as Azure Monitor, Azure Sentinel and Security Centre Standard (now Microsoft Defender for Cloud).
NSGs are great for applying network-level protection within your environment, but I would never suggest they be used as a firewall. Many do use NSGs as firewalls, but an NSG is a stateful layer 3/4 filter: it has no application-layer inspection, threat intelligence, FQDN filtering or central logging of the kind you get from a virtual FortiGate or Palo Alto appliance, or from Azure Firewall itself.
With that said, if you are deploying virtual machines then implementing NSGs from the start is a great way to increase security and restrict access to your services based on source, destination, port and protocol. Given that they don’t cost anything to provision, there is even more reason to go ahead with an NSG.
Follow the linked guide to implement a basic NSG to get yourself started. We can then enable NSG flow logs to improve network visibility further down the track.
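A basic NSG of the kind the guide describes, as an added example that is not part of the original guide: management ports open only from a single admin address, HTTPS open to the internet, an explicit deny for everything else from the internet, and the group attached at subnet level. It assumes Connect-AzAccount has been run; the names, subnet and the RFC 5737 documentation address used as the admin IP are placeholders.

```powershell
# Added example, not from the original guide: build an NSG with least-privilege
# inbound rules and attach it to a subnet. Assumes Connect-AzAccount has been run;
# names, subnet and IP addresses are placeholders.
$rg       = 'rg-app-prod'
$location = 'australiasoutheast'
$adminIp  = '203.0.113.10/32'    # RFC 5737 documentation address, placeholder for your admin IP

$rules = @(
    # SSH/RDP only from the admin address, never from 'Internet' or '*'.
    New-AzNetworkSecurityRuleConfig -Name 'allow-mgmt-from-admin' -Priority 100 `
        -Direction Inbound -Access Allow -Protocol Tcp `
        -SourceAddressPrefix $adminIp -SourcePortRange '*' `
        -DestinationAddressPrefix 'VirtualNetwork' -DestinationPortRange @('22', '3389')

    New-AzNetworkSecurityRuleConfig -Name 'allow-https-in' -Priority 110 `
        -Direction Inbound -Access Allow -Protocol Tcp `
        -SourceAddressPrefix 'Internet' -SourcePortRange '*' `
        -DestinationAddressPrefix 'VirtualNetwork' -DestinationPortRange '443'

    # Explicit deny for the rest of the internet. The default DenyAllInBound rule
    # (priority 65500) already does this, but an explicit rule makes the intent
    # visible and is what flow logs attribute the drops to. Do NOT use '*' as the
    # source here: that would also override the default AllowVnetInBound and
    # AllowAzureLoadBalancerInBound rules (65000/65001) and break health probes.
    New-AzNetworkSecurityRuleConfig -Name 'deny-internet-in' -Priority 4000 `
        -Direction Inbound -Access Deny -Protocol '*' `
        -SourceAddressPrefix 'Internet' -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange '*'
)

$nsg = New-AzNetworkSecurityGroup -Name 'nsg-app-prod' -ResourceGroupName $rg `
    -Location $location -SecurityRules $rules

# Attach at the subnet so every NIC in it is covered, then persist the change.
$vnet   = Get-AzVirtualNetwork -Name 'vnet-prod' -ResourceGroupName $rg
$subnet = $vnet.Subnets | Where-Object Name -eq 'snet-app'
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnet.Name `
    -AddressPrefix $subnet.AddressPrefix -NetworkSecurityGroup $nsg | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# Check: the rule set in evaluation order (lowest priority number wins).
$nsg.SecurityRules | Sort-Object Priority |
    Select-Object Priority, Name, Direction, Access, Protocol, SourceAddressPrefix, DestinationPortRange |
    Format-Table -AutoSize
```

If a VM also has an NSG on its NIC, both sets are evaluated (subnet first inbound, NIC first outbound) and traffic must be allowed by both, so keep to one level where you can to avoid rules that are hard to reason about.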
OK, so not so much a security feature applied directly to a resource, but Azure Secure Score is a good way of giving us a ‘feel’ for how we are progressing with security improvements. Secure Score is found in Azure Security Centre (free version) and, at the time of writing, is calculated from the total number of recommendations you have versus how many you have implemented. For example, if you have 5 recommendations worth 20 points each and you implement 1 of them, your score will be 20 out of 100. The more resources you provision, the higher your potential score.
I like to use Azure Secure Score to find some quick wins and to give a visual representation of progress. With that said, do not get lost trying to achieve every recommendation, as there are many improvements outside the Secure Score scope that can have a big impact.
And there you have it: 10 free(ish) ways to implement some Azure security best practice measures for your environment. After all, you wouldn’t want to spend thousands of dollars on a security solution only to leave the back door open with public access to your storage. Just implementing these 10 will put you ahead of most people using Azure, so it’s time to celebrate!!