Over the past year, we have noticed an increasing number of clients utilizing Microsoft’s cloud computing service, Azure.
We are seeing new projects in Azure, some existing projects being moved from on-premise or other cloud service providers (CSPs), and even some customers moving their digital office almost entirely into the cloud.
A common driver we have observed for this move is compliance, and certainly Microsoft has built many capabilities into Azure to support their customers’ compliance needs.
Given this noticeable upward trend in Azure adoption, we thought it was time to explore Microsoft Azure security, compliance, and its other rich capabilities in more depth. In this post we’ll just touch on the big picture and what is important to securing your Azure environment.
In future posts we’ll dig deeper into certain areas and cover major new updates around Azure security as they are released; but first, let’s talk about the big rocks that need attention in any environment, looked at from an Azure angle.
If you’ve read any of our previous posts on cloud environments, and specifically on Amazon Web Services (AWS), then you know a top priority is managing user access and credentials.
At the center of this is Azure AD (AD for Active Directory), which manages all access in Azure. As expected, complementing this, Azure provides a full Role Based Access Control (RBAC) model, which is used by all services and resources in Azure. Many built-in roles are included for use right off the shelf, or you can define roles as granularly as you like, down to the service or API level.
One significant advantage for many organizations is the ability to synchronize an on-premises directory (usually Active Directory) with their cloud directory (Azure AD). This removes duplication and extends the capability of the company’s existing directory. Key features supported by Azure AD that should also be strongly considered are:
- Single Sign-On (SSO) – allows users to access various SaaS applications through their organizational account in Azure AD.
- Multi-Factor Authentication (MFA), which is recommended for all organizational identities.
- Self-Service Password Reset (SSPR) to support securely resetting user passwords. This service also fully logs reset attempts.
- Identity Protection which monitors and alerts on anomalous user logins and suspicious activity.
Note that some of the more advanced monitoring features are only available with paid Azure support subscriptions, but Microsoft clearly explains what capabilities are available at the different levels.
A key system baked into Azure is Security Center (SC). Security Center is an apt name, as it’s your one-stop shop for everything in Azure around policy, compliance, vulnerability management, threat detection, etc.
Security policies are a powerful way to ensure the necessary compliance controls are in place for the resources within your environment. Microsoft provides numerous built-in policies, but you can define your own through the policy builder. Key areas covered by security policies are:
- Data Collection
- Threat detection
- Email notifications
- Pricing tier (enforced for resources)
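Custom policies of this kind are written in the Azure Policy if/then rule format. As an added example that is not part of the original post, here is a toy evaluator for that format; the alias names are real Azure Policy aliases, while the rule, the alias table and the sample resources are constructed:

```python
"""Toy evaluator for Azure Policy-style rules (allOf/anyOf, equals/notEquals/notIn); the alias names
are real Azure Policy aliases, while the alias table, the rule and the resources are constructed."""
# Field alias -> path inside the ARM resource JSON (constructed subset of the real table).
ALIASES = {
    "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly": ("properties", "supportsHttpsTrafficOnly"),
    "Microsoft.Storage/storageAccounts/minimumTlsVersion": ("properties", "minimumTlsVersion"),
}
# Deny any storage account that accepts plain HTTP or negotiates TLS below 1.2.
SECURE_TRANSFER_POLICY = {
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
        {"anyOf": [
            {"field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly", "notEquals": "true"},
            {"field": "Microsoft.Storage/storageAccounts/minimumTlsVersion", "notIn": ["TLS1_2"]},
        ]},
    ]},
    "then": {"effect": "deny"},
}

def _norm(value):
    # Azure Policy compares values as case-insensitive strings, so True matches "true".
    return str(value).lower()

def resolve_field(resource, field):
    """Follow a field name or alias into the resource; a missing key yields None."""
    node = resource
    for key in ALIASES.get(field, (field,)):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def matches(cond, resource):
    """Recursively evaluate the 'if' block of a policy rule."""
    if "allOf" in cond:
        return all(matches(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(matches(c, resource) for c in cond["anyOf"])
    value = resolve_field(resource, cond["field"])
    if "equals" in cond:
        return _norm(value) == _norm(cond["equals"])
    if "notEquals" in cond:
        return _norm(value) != _norm(cond["notEquals"])
    if "notIn" in cond:
        return _norm(value) not in {_norm(x) for x in cond["notIn"]}
    raise ValueError(f"unsupported condition: {cond}")

def evaluate(policy, resource):
    """Return the rule's effect when its condition applies, otherwise 'allow'."""
    return policy["then"]["effect"] if matches(policy["if"], resource) else "allow"
```

Note that a storage account with the property missing altogether is also denied, which is the behaviour you want from a deny policy.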
Microsoft’s built-in compliance capabilities extend the concept of security policies by monitoring and reporting on your compliance status, assessed against regulatory standards. Currently supported are:
- Azure CIS
- PCI DSS 3.2
- ISO 27001
- SOC TSP
In addition to the compliance rules built directly into Security Center, Microsoft also has Blueprints for several additional regulatory and security frameworks including HIPAA/HITRUST, FedRAMP and NIST SP 800-171.
Security Center and Detection
In addition to policy, compliance, and monitoring, Security Center also has several advanced threat detection capabilities. All VMs in Azure support an onboard agent that monitors for vulnerabilities and threats. This information is collected from across your environment to identify active threats.
The service is backed by global, integrated threat intelligence drawn from Microsoft’s own products and services and from industry threat data. In practice this means activity detected in your environment can quickly be correlated against known bad actors, providing a low rate of both false positives and false negatives.
Backing this are behavioral analytics that apply known patterns to identify malicious behavior and can help detect new, specifically targeted attacks against your environment.
Data Collection and Storage
Another important consideration for Azure that our customers have raised is data privacy, specifically how data is collected and stored.
This is obviously important for anyone dealing with GDPR or the various other data privacy regulations popping up worldwide. Azure has several controls to support the data privacy needs of its customers, starting with the previously mentioned security policies. Other key features are:
- RBAC model for storage accounts
- Shared Access Signatures (SAS) and Stored Access Policies
- Transport-Level Encryption for in-transit encryption across all Storage resources
- Client-side Encryption for sole control of encryption keys
- Storage Service Encryption (SSE) for transparent encryption at-rest
- Storage Analytics to monitor authorization and access to the data
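Shared Access Signatures are where scope creep usually shows up, so they are worth auditing before they are handed out. As an added example that is not part of the original post, this audit function parses the real SAS query parameters (sp, se, spr, srt, sip, si) and flags over-broad tokens against a constructed policy; the thresholds, the reference time and the sample tokens are constructed:

```python
"""Audit Azure Storage SAS tokens for over-broad scope before handing them out.
sp/se/spr/srt/sip/si are the real SAS query parameters; the thresholds, reference
time and sample tokens are constructed for this example."""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs

WRITE_PERMS = set("wdacu")          # write, delete, add, create, update
MAX_LIFETIME = timedelta(hours=24)  # constructed policy: short-lived tokens only
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)  # fixed reference time for the samples
# Constructed sample tokens (the sig values are placeholders, not real HMACs).
LEAST_PRIVILEGE_SAS = "sv=2020-08-04&sr=b&sp=r&se=2024-01-01T12:00:00Z&spr=https&sip=203.0.113.4&sig=PLACEHOLDER"
OVERBROAD_SAS = "sv=2020-08-04&ss=b&srt=sco&sp=rwdlac&se=2030-01-01T00:00:00Z&spr=https,http&sig=PLACEHOLDER"

def parse_sas(token):
    """Flatten 'sv=...&sp=...' (optional leading '?') into a dict of single values."""
    return {k: v[0] for k, v in parse_qs(token.lstrip("?"), keep_blank_values=True).items()}

def parse_expiry(value):
    """SAS times are UTC, written as 'YYYY-MM-DD' or 'YYYY-MM-DDThh:mm[:ss]Z'."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unparseable se value: {value}")

def audit_sas(token, now=NOW):
    """Return findings for one token; an empty list means it meets the constructed policy."""
    sas = parse_sas(token)
    findings = []
    perms = set(sas.get("sp", ""))
    if perms & WRITE_PERMS:
        findings.append("write-class permissions: " + "".join(sorted(perms & WRITE_PERMS)))
    if "se" not in sas:
        if "si" not in sas:  # expiry may instead live in a stored access policy (si)
            findings.append("no expiry (se) and no stored access policy (si)")
    elif parse_expiry(sas["se"]) <= now:
        findings.append("already expired")
    elif parse_expiry(sas["se"]) - now > MAX_LIFETIME:
        findings.append("lifetime exceeds 24h")
    if "http" in sas.get("spr", "https").split(","):
        findings.append("plain HTTP allowed (spr)")
    if "srt" in sas and "s" in sas["srt"]:
        findings.append("account SAS with service-level scope (srt includes s)")
    if "sip" not in sas:
        findings.append("no source IP restriction (sip)")
    return findings
```

Tokens tied to a stored access policy (si) can be revoked server-side by changing the policy, which is why the audit tolerates a missing expiry only in that case.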
As touched on in my previous blog post on Integrating Security into DevOps, the rapid pace and ease of application and service deployment in modern cloud environments has many benefits but can expose additional security risks. Microsoft supports you here as well with several technologies for secure Continuous Integration and Deployment (CI/CD):
- Resource Manager – full Infrastructure as Code (IaC) capabilities for consistent, reproducible, securable environment setups.
- Azure Pipelines – full CI/CD supporting today’s common technology stacks, with a wide range of deployment options including containers, and management of automated deployments through each stage.
- AzSK (open source) – a toolkit built by Microsoft and used for its own cloud application security.
If you are interested in our cloud security services including audits of Azure, feel free to contact us to learn more.
Operationalizing Security Controls