Cloud-based services and their adoption into modern business workflows have created a need to manage security risks. It only takes a small misconfiguration to cause a data breach, with serious consequences for the company. Microsoft has taken security seriously with the Azure platform, and there are many services that both protect your data and advise best-practice configurations. In this article we’ll learn a little bit about Azure Trust Center, Compliance Programs, Azure Active Directory, multi-factor authentication (MFA), Azure Security Center, Key Vault, Azure Firewall, Azure Policies, and more.
Azure Security Center
We’ll kick things off with Azure Security Center (ASC). This Azure service offers a unified infrastructure security management system that strengthens the security posture of data centers both in the cloud and on-premises. ASC provides security guidance in the areas of compute, data, network, storage, apps, and other services.
- Cloud security posture management – Get continuous assessment and prioritized security recommendations with secure score, and verify compliance with regulatory standards.
- Cloud workload protection for machines – Protect Windows, Linux and on-premises servers. Protection includes configuration and vulnerability management, workload hardening and server EDR.
- Advanced threat protection for PaaS – Prevent threats and detect unusual activities on PaaS workloads including App Service plans, Storage accounts, and SQL servers.
Azure Key Vault
Azure Key Vault is a cloud service that securely stores sensitive information. For example, Key Vault is a good place to store API keys, passwords, certificates, and cryptographic keys. Key Vault can be accessed in a number of ways, including the Azure Portal, Azure DevOps, ARM templates, Azure PowerShell, or programmatically via its API.
- Azure Key Vault – helps you safeguard cryptographic keys and other secrets used by cloud apps and services.
- Secrets Management – Store and tightly control access to tokens, passwords, certificates, API keys, and other secrets.
- Key Management – Create and control the encryption keys used to encrypt your data.
- Certificate Management – Provision, manage, and deploy public and private SSL certificates for use with Azure.
- Hardware Security Module – Secrets and keys can be protected by software or FIPS 140-2 Level 2 validated HSMs.
Azure Sentinel
Azure Sentinel is a cloud-native security information and event management (SIEM) and security orchestration, automation, and response (SOAR) solution with built-in artificial intelligence. The aim is to see and stop threats before they cause harm, with SIEM reinvented for a modern world. Azure Sentinel is your bird's-eye view across the enterprise.
- Collect – Collect data across users, devices, applications, and infrastructure both on-premises and across multiple clouds.
- Detect – Sentinel recognizes previously discovered threats and reduces false positives by using analytics and threat intelligence.
- Investigate – Artificial intelligence can identify threats and mitigate malicious activity at scale.
- Respond – React to incidents with built-in automation processes and responses.
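The detect step above is where most Sentinel work happens: a scheduled analytics rule summarizes sign-in events in a time window and raises an incident when a pattern appears. The following is an added example, not Sentinel code or a Microsoft query; a real rule would express the same logic in KQL over the SigninLogs table, whereas this script reproduces it in Python over constructed records so it runs offline. The field names (TimeGenerated, UserPrincipalName, IPAddress, ResultType) follow SigninLogs; the users, addresses and timestamps are constructed, and the thresholds are assumptions to tune per tenant.

```python
"""Added example: brute-force and password-spray detection over sign-in records.

Not Sentinel code. A Sentinel scheduled rule would do this in KQL over
SigninLogs; this stand-alone script runs the same logic over constructed
records. Field names follow SigninLogs; all values are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def parse_ts(value):
    """Parse the UTC timestamps used in the constructed records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def record(ts, user, ip, result):
    return {"TimeGenerated": ts, "UserPrincipalName": user,
            "IPAddress": ip, "ResultType": result}


# Constructed sample log. ResultType "0" is a successful sign-in and "50126"
# is the Azure AD result code for an invalid username or password.
SIGNIN_LOGS = []
for i in range(6):  # six failures for alice from one address within a minute
    SIGNIN_LOGS.append(record(f"2024-03-01T08:00:{5 + 10 * i:02d}Z",
                              "alice@contoso.example", "203.0.113.10", "50126"))
SIGNIN_LOGS.append(record("2024-03-01T08:01:10Z", "alice@contoso.example",
                          "203.0.113.10", "0"))          # then a success
SIGNIN_LOGS.append(record("2024-03-01T08:30:00Z", "bob@contoso.example",
                          "198.51.100.7", "50126"))      # a single typo: benign
SIGNIN_LOGS.append(record("2024-03-01T08:30:20Z", "bob@contoso.example",
                          "198.51.100.7", "0"))
for n, user in enumerate(["carol", "dave", "erin", "frank"]):
    SIGNIN_LOGS.append(record(f"2024-03-01T09:0{n}:00Z",   # one try per user
                              f"{user}@contoso.example", "192.0.2.44", "50126"))


def detect_brute_force(records, window=timedelta(minutes=10), threshold=5):
    """Flag a success preceded by >= threshold failures for the same user/IP
    pair inside the window: credential guessing that eventually worked."""
    failures = defaultdict(list)          # (user, ip) -> failure timestamps
    alerts = []
    for rec in sorted(records, key=lambda x: parse_ts(x["TimeGenerated"])):
        ts = parse_ts(rec["TimeGenerated"])
        key = (rec["UserPrincipalName"], rec["IPAddress"])
        if rec["ResultType"] != "0":
            failures[key].append(ts)
            continue
        recent = [t for t in failures[key] if ts - t <= window]
        if len(recent) >= threshold:
            alerts.append({"user": key[0], "ip": key[1], "failures": len(recent),
                           "success_at": rec["TimeGenerated"]})
        failures[key].clear()             # a success resets the counter
    return alerts


def detect_password_spray(records, window=timedelta(minutes=30), min_users=3):
    """Flag an IP that fails against >= min_users distinct accounts inside the
    window: few attempts per user but many users, the spray pattern."""
    by_ip = defaultdict(list)
    for rec in records:
        if rec["ResultType"] != "0":
            by_ip[rec["IPAddress"]].append((parse_ts(rec["TimeGenerated"]),
                                            rec["UserPrincipalName"]))
    alerts = []
    for ip, fails in by_ip.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):   # sliding window from each failure
            users = {u for t, u in fails[i:] if t - start <= window}
            if len(users) >= min_users:
                alerts.append({"ip": ip, "distinct_users": len(users),
                               "window_start": start.isoformat()})
                break                            # one alert per IP is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_brute_force(SIGNIN_LOGS) + detect_password_spray(SIGNIN_LOGS):
        print(alert)
```

Run against the constructed log, the brute-force rule fires once (alice, six failures then a success) and the spray rule fires once (192.0.2.44 against four accounts); bob's single typo is ignored. The two rules are deliberately separate because the spray pattern has too few failures per account to trip a per-user threshold, which is exactly why Sentinel rules aggregate by source IP as well as by user.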
Azure Dedicated Hosts
Sometimes an application is so mission-critical that it is not feasible to use a shared architecture in the cloud. For this, Azure offers Dedicated Hosts: dedicated physical servers that host one or more virtual machines within an Azure subscription. If the absolute pinnacle of security and performance is required, Dedicated Hosts are a good option. Azure Dedicated Hosts let you provision and manage a physical server within Microsoft's data centers that is dedicated to your Azure subscription. A dedicated host gives you the assurance that only VMs from your subscription are on the host, the flexibility to choose which VMs from your subscription will be provisioned on the host, and control of platform maintenance at the level of the host.
- Physical server wholly used by a single customer.
- Must specify capacity up front.
- Guarantee of security, privacy, and underlying resources.
Azure Defense In Depth
Defense in depth is the principle that security should be built in layers. A layered approach gives an attacker several levels to get through before being able to inflict any damage, so the defense does not rely on any one single method for the entire security solution.
Network Security Groups
A network security group (NSG) in Azure contains security rules that allow or deny inbound network traffic to, or outbound network traffic from, various types of Azure resources. Each rule can specify source, destination, port, and protocol. Network security groups can be associated with a subnet or a network interface. A network security group is deployed automatically when you deploy a virtual machine in Azure. Create a network security group with rules that filter inbound traffic to, and outbound traffic from, virtual machines and subnets.
- A virtual firewall at the subnet level
- Protects from unwanted Internet traffic
- Can be associated with a subnet or Virtual Machine
- Rules include Priority, Name, Source Port, Destination Port, Protocol, Source, Destination, Action
- NSGs are meant for filtering traffic in a single virtual network.
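The rule fields listed above are evaluated in a fixed order: rules are tried by priority (lowest number first) and the first one whose protocol, source, destination and ports match decides the outcome, with the default rules at priorities 65000 to 65500 sitting behind every custom rule. The following is an added example, not Azure's own code: it models that evaluation over a constructed rule set so the effective result can be checked offline, and then audits the rules the way Security Center's "management ports should be closed" recommendation does. The VNet address space, the rule names, the sample addresses and the simplified service-tag handling are all assumptions; the default rule names and priorities and the 168.63.129.16 load-balancer address are real.

```python
"""Added example: NSG rule evaluation order and a management-port posture check.

Not Azure code. Models priority-ordered first-match evaluation over
constructed rules; service tags are resolved in a simplified way (assumption).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class NsgRule:
    name: str
    priority: int       # custom rules 100-4096; lower number wins
    direction: str      # "Inbound" or "Outbound"
    access: str         # "Allow" or "Deny"
    protocol: str       # "Tcp", "Udp", "Icmp" or "*"
    source: str         # CIDR, "*", or a service tag
    dest_ports: str     # "22", "1000-2000", "80,443" or "*"


# Default inbound rules present in every NSG (real names and priorities).
DEFAULT_INBOUND = [
    NsgRule("AllowVnetInBound", 65000, "Inbound", "Allow", "*", "VirtualNetwork", "*"),
    NsgRule("AllowAzureLoadBalancerInBound", 65001, "Inbound", "Allow", "*", "AzureLoadBalancer", "*"),
    NsgRule("DenyAllInBound", 65500, "Inbound", "Deny", "*", "*", "*"),
]

VNET = ip_network("10.0.0.0/16")                  # constructed VNet address space
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
AZURE_LB_PROBE_IP = "168.63.129.16"               # Azure load-balancer / health-probe address


def source_matches(rule_source, src_ip):
    """Simplified service-tag resolution (assumption, not Azure's full tag tables)."""
    ip = ip_address(src_ip)
    if rule_source == "*":
        return True
    if rule_source == "VirtualNetwork":
        return ip in VNET
    if rule_source == "AzureLoadBalancer":
        return src_ip == AZURE_LB_PROBE_IP
    if rule_source == "Internet":                 # anything outside the VNet and RFC 1918 space
        return ip not in VNET and not any(ip in n for n in RFC1918)
    return ip in ip_network(rule_source, strict=False)


def port_matches(rule_ports, port):
    """Handle "*", single ports, ranges and comma-separated lists."""
    for part in rule_ports.split(","):
        part = part.strip()
        if part == "*":
            return True
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-"))
            if lo <= port <= hi:
                return True
        elif int(part) == port:
            return True
    return False


def evaluate(rules, src_ip, dest_port, protocol, direction="Inbound"):
    """Return (access, rule name) of the first matching rule in priority order."""
    for r in sorted((x for x in rules if x.direction == direction), key=lambda x: x.priority):
        if r.protocol != "*" and r.protocol.lower() != protocol.lower():
            continue
        if source_matches(r.source, src_ip) and port_matches(r.dest_ports, dest_port):
            return r.access, r.name
    return "Deny", "implicit"                     # unreachable once the default rules are included


MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP"}
SAMPLE_INTERNET_IP = "198.51.100.5"               # constructed external address


def audit_management_ports(rules):
    """Report management ports that are *effectively* reachable from the Internet,
    so a higher-priority deny that shadows a permissive rule is honoured."""
    findings = []
    for port, label in MANAGEMENT_PORTS.items():
        access, name = evaluate(rules, SAMPLE_INTERNET_IP, port, "Tcp")
        if access == "Allow":
            findings.append(f"{label}/{port} reachable from the Internet via rule '{name}'")
    return findings


# Weak rule set: SSH open to any source, RDP explicitly denied.
WEAK_RULES = [
    NsgRule("AllowSshFromAny", 100, "Inbound", "Allow", "Tcp", "*", "22"),
    NsgRule("AllowHttpsFromInternet", 200, "Inbound", "Allow", "Tcp", "Internet", "443"),
    NsgRule("DenyRdpFromInternet", 300, "Inbound", "Deny", "Tcp", "Internet", "3389"),
] + DEFAULT_INBOUND

# Corrected rule set: SSH only from a constructed admin/bastion range.
HARDENED_RULES = [
    NsgRule("AllowSshFromAdminRange", 100, "Inbound", "Allow", "Tcp", "203.0.113.0/24", "22"),
    NsgRule("AllowHttpsFromInternet", 200, "Inbound", "Allow", "Tcp", "Internet", "443"),
] + DEFAULT_INBOUND

if __name__ == "__main__":
    print(evaluate(WEAK_RULES, SAMPLE_INTERNET_IP, 22, "Tcp"))
    print(audit_management_ports(WEAK_RULES))      # one finding, for SSH
    print(audit_management_ports(HARDENED_RULES))  # no findings
```

The audit calls `evaluate` rather than scanning rule text, so it reports what a packet from the Internet would actually hit: in the weak set RDP is not reported because the explicit deny at priority 300 wins, while SSH is reported because the `*` source at priority 100 matches before anything else. Traffic that matches no custom rule falls through to the default rules, which is why VNet-internal traffic is still allowed and everything else from outside is denied without an explicit rule.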
Azure Firewall
Azure Firewall is a cloud-native, managed network security service that protects your Azure Virtual Network resources. Azure Firewall is fully stateful, with built-in high availability and unrestricted cloud scalability; it is also described as firewall as a service.
- Centrally create, enforce, and log application and network connectivity policies across subscriptions and virtual networks.
- Uses a static public IP address for the virtual network resources which allows outside firewalls to identify traffic that originates from your virtual network.
- High Availability is built in with no additional load balancers required.
- Can configure during deployment to span multiple Availability Zones for increased availability.
- There is no additional cost for a firewall deployed in an Availability Zone.
- There are extra costs for inbound and outbound data transfers associated with Availability Zones.
Azure DDoS Protection
This service protects against distributed denial-of-service (DDoS) attacks, which unfortunately do happen on the public Internet. The Standard tier of Azure DDoS Protection provides enhanced DDoS mitigation features to defend against these attacks, and it also includes logging, alerting, and telemetry. These extras are not present in the Basic tier.
The diagram below shows what a distributed denial-of-service attack is: a malicious attempt to disrupt normal traffic by flooding an Internet-connected service with huge amounts of fake traffic. The attacker does this by sending remote commands to the computers they control, a group sometimes called a botnet.
Azure Information Protection
To protect documents containing sensitive customer data, such as personally identifiable information, you can use Azure Information Protection (AIP). It can restrict access to authorized personnel only, no matter where a document travels. AIP is used to classify and protect documents in this type of scenario.
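Classification is the step that decides which documents need protection at all, and AIP's automatic labelling does it by detecting sensitive-information types in the content. The following is an added example, not AIP's own code or its built-in detectors: it performs that detection step offline with regular expressions plus a Luhn check for card numbers, maps hits to label names, and masks the values so a copy can travel without them. The label names, the detector patterns, the sample documents and every value in them are constructed for illustration.

```python
"""Added example: classify documents by the sensitive data they contain.

Not Azure Information Protection code. Detectors, label names and sample
documents are constructed; the Luhn check is the standard card checksum.
"""
import re

# Detector patterns (assumptions, tuned for the constructed samples).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")

# Constructed label hierarchy; higher rank wins when several types are found.
LABEL_RANK = {"General": 0, "Confidential": 1, "Highly Confidential": 2}
LABEL_FOR_TYPE = {"ssn": "Highly Confidential", "credit_card": "Highly Confidential",
                  "email": "Confidential"}


def luhn_ok(digits):
    """Luhn checksum: rejects most typos and random digit runs before a
    13-16 digit string is reported as a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive_data(text):
    """Return a list of (type, matched value) findings, in detector order."""
    findings = []
    for m in SSN_RE.finditer(text):
        findings.append(("ssn", m.group()))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):                  # regex alone would also match typos
            findings.append(("credit_card", m.group().strip()))
    for m in EMAIL_RE.finditer(text):
        findings.append(("email", m.group()))
    return findings


def classify(text):
    """Map findings to the highest applicable label."""
    label = "General"
    for kind, _ in find_sensitive_data(text):
        candidate = LABEL_FOR_TYPE[kind]
        if LABEL_RANK[candidate] > LABEL_RANK[label]:
            label = candidate
    return label


def redact(text):
    """Mask every finding so the document can be shared without the values."""
    out = text
    for kind, value in find_sensitive_data(text):
        out = out.replace(value, f"[{kind.upper()} REDACTED]")
    return out


# Constructed sample documents.
SAMPLE_DOCS = {
    "hr_note.txt": "Employee SSN 123-45-6789 is on file for payroll.",
    "refund.txt": "Refund to card 4111 1111 1111 1111, contact alice@contoso.example.",
    "newsletter.txt": "Mail bob@contoso.example with questions about the offsite.",
    "roadmap.txt": "Q3 roadmap review moved to Tuesday; no customer data attached.",
    "typo.txt": "Reference number 4111 1111 1111 1112 is not a valid card.",
}

if __name__ == "__main__":
    for name, body in SAMPLE_DOCS.items():
        print(f"{name:16} {classify(body):20} {redact(body)}")
```

The Luhn check is what keeps the card detector from labelling every 16-digit reference number as payment data: `typo.txt` differs from `refund.txt` by one digit and stays at "General". In a real deployment the label would then drive the protection step the paragraph describes, so that the "Highly Confidential" documents are the ones whose access stays restricted wherever they are copied.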
Learn More About Key Azure Security Features
- Techgenix.com Azure Security Center (techgenix.com)
- Tutorialsdojo.com Azure Security Center (tutorialsdojo.com)
- Azure Key Vault An Introduction With Step By Step Directions (attosol.com)
- Intelligent Cloud Step By Step Guide To Deploy Azure Sentinel (infusedinnovations.com)
- Azure Sentinel And Its Components (xenonstack.com)
- Cloud Security Create Network Security Groups In Azure (aviatrix.com)
- The Guide to Azure NSG (cloudbolt.io)
- Getting Started With Azure Firewall (blog.ipswitch.com)
- Step Step Guide Azure Firewall (rebeladmin.com)
- Azure Security Fundamentals Overview (docs.microsoft.com)