Over the past year, we have noticed an increasing number of clients utilizing Microsoft’s cloud computing service, Azure.
We are seeing new projects in Azure, some existing projects being moved from on-premise or other cloud service providers (CSPs), and even some customers moving their digital office almost entirely into the cloud.
A common driver we have observed for this move is compliance, and certainly Microsoft has built many capabilities into Azure to support their customers’ compliance needs.
Given this noticeable upward trend in Azure adoption, we thought it was time to explore a bit more about Azure security, compliance, and its other rich capabilities. In this post we’ll just touch on big picture and what is important to securing your Azure environment.
In future posts we’ll dig deeper into certain areas and cover new major updates around Azure security as they are released; but first, let’s talk about the big rocks that need attention in any environment but look at them from an Azure angle.
At the center of this is Azure AD (AD for Active Directory) for managing all access in Azure. As expected, complementary to this, Azure provides a full Role Based Access Control (RBAC) model, which is used by all services and resources in Azure. Included are many built-in roles for use right of the shelf, or you can setup roles as granularly as you would like down to the service or API level.
One significant advantage for many organizations is the ability to synchronize an on-premises directory (usually Active Directory) with their cloud directory (Azure AD). This removes duplication and extends the capability of the company’s existing directory. Key features supported by Azure AD that also should be strongly considered are:
Note that some of the more advanced monitoring features are only available with paid Azure support subscriptions, but Microsoft clearly explains what capabilities are available at the different levels.
A key system baked into Azure is Security Center (SC). Security Center is an appropriate name as it’s your one-stop shop for everything in Azure around policy, compliance, vulnerability management, threat detection, etc.
Security policies are a powerful way to ensure the necessary compliance controls are in place for the resources within your environment. Microsoft provides numerous built-in policies, but you can define your own through policy builder. Key areas covered by security policies are:
Microsoft’s built-in compliance capabilities extend the concept of security policies and monitor and report on your compliance status assessed against regulatory standards. Currently supported are:
In addition to the compliance rules built directly into Security Center, Microsoft also has Blueprints for several additional regulatory and security frameworks including HIPAA/HITRUST, FedRAMP and NIST SP 800-171.
In addition to policy, compliance, and monitoring, Security Center also has several advanced threat detection capabilities. All VMs in Azure support an onboard agent which monitors for vulnerabilities and threats. This information is collected from across your environment to identify active threats.
The service is backed by a global integrated threat intelligence leveraged from Microsoft’s own product and services and industry threat data. What all of this means is activity detected in your environment can quickly be correlated against known bad actors providing low rate of both false positives and false negatives.
Backing this are behavioral analytics that apply known patterns to identify malicious behavior and can help detect new specific targeted attacks against your environment.
Another important consideration for Azure that our customers have noted is around Data Privacy, specifically how the data is collected and stored.
This is obviously important for anyone dealing with GDPR or the various other data privacy regulations popping up worldwide. Azure has several controls to support the data privacy needs of their customer starting with the previously mentioned security policies. Other key features are:
As touched on in my previous blog on Integrating Security into DevOps, the rapid pace and ease of application and service deployment in modern cloud environments has many benefits but can expose additional security risks. Microsoft is supporting you here as well with several technologies that support secure Continuous Integration and Deployment (CI/CD).