Guest Post by Gilad David Maayan
Two-thirds of all businesses are currently using some form of cloud storage, with many turning to Azure as their provider. Cloud services contain a significant amount of data and allow persistent Internet access. This makes clouds an appealing and valuable target for attackers.
To make sure that your data doesn’t fall victim to attacks, you should take steps to protect your cloud systems. The first step is learning how your data is vulnerable and what steps you can take to secure it. In this article, you’ll learn about security concerns specific to Azure and some best practices for addressing these vulnerabilities.
Azure Security Considerations
Azure is enterprise-focused, which can make it an appealing target for hackers. Potential attackers are often familiar with the Microsoft ecosystem because it has been the go-to system for enterprise users.
Unfortunately, long-standing use has given attackers more time to build malware attack tools than they have had for other cloud providers. For example, a known opening is through compromised blob storage, which is trusted by default in Microsoft products. Fortunately, Microsoft is aware of this history and often releases patches to fix such vulnerabilities.
Azure clouds frequently face identity-based attacks that take advantage of compromised credentials. For example, attackers often use compromised Office 365 accounts to gain access to a cloud. Attackers can obtain these credentials through email phishing or keyloggers. They can then use these credentials to sign onto cloud services through Single Sign On (SSO).
Although not specific to Azure, configuration issues are frequently a source of cloud vulnerabilities. Inadvertently providing administrative permissions to users or leaving data open to public access are just two examples. Although Azure offers much advice and many tools for securing your cloud, it is up to you to configure your services accordingly.
4 Best Practices for Securing Your Data In Azure
Despite the risks covered above, it is possible to keep your data secure in Azure.
1) Use Azure Native Tools
Azure includes many native services and features, most of which cost an additional fee to use. Native tools, created by Azure or through a partnership with others, integrate smoothly with existing services. These tools can provide extra features that are otherwise unavailable.
For example, Azure file storage services are available that enable the integration for hybrid cloud systems. This support and integration often make native tools, and their features, easier to secure and manage than third-party integrations. Azure includes two native tools that are particularly useful.
Azure Security Center
Security Center is a free or paid service designed to be a hub for security data and management. It works via an agent deployed to Azure-based or on-premises virtual machines.
With Security Center, you can configure alerts for issues and trigger runbooks from Azure Automation for addressing threats. Runbooks are scripts that define routine procedures to be taken at the time of execution. You can also use Security Center to apply policy and compliance standards as well as address regulatory compliance needs.
The Security Center service provides weighted security recommendations that combine into a security score. These recommendations are derived from an analysis of your cloud configuration. The score is based on how security changes might impact your system.
The paid tier offers additional features. It includes adaptive application controls that enable you to whitelist applications that are allowed on machines. Whitelisting can reduce the risk of malware infection. It also includes file integrity monitoring that enables you to track file changes.
Azure Monitor
Azure Monitor is a paid service that provides a centralized collection of notifications, logs and diagnostics for monitoring resources. It includes a service called Network Watcher. You can use this service to troubleshoot connectivity issues, analyze traffic flow, and evaluate VPN diagnostics and packet captures. Network Watcher creates flow logs that allow security teams to visualize attacks and access attack details, such as country of origin, IP address, or type of attack.
You can integrate data from Monitor with third-party tools, like System Information and Event Management (SIEM) solutions. SIEMs can enable you to automate the process of data analysis. With a SIEM, you can centralize logging and alerts across your entire system, making it easier to address security issues.
2) Encrypt Your Data
You should ensure that your data is encrypted both at rest and in transit. The easiest way to encrypt data in Azure is to use Azure Disk Encryption. The service uses BitLocker for Windows and DM-crypt for Linux. Encryption keys are stored in either Azure Key Vault or a private vault that you must manage.
To maximize your security, make sure to rotate your encryption keys periodically. Doing so can limit the damage that can be done with compromised keys. You should also encrypt drives before writing data to them for maximum protection.
To protect your data fully, use a combination of blob encryption, file encryption, and secure transfer. When data is in-transit you should always use SSL/TLS protocols. If you need extra security, you can isolate your communication channels using a Virtual Private Network (VPN) for greater protection. You can use either a site-to-site VPN or point-to-site. Use site-to-site for Azure access from multiple on-premises workstations and point-to-site for access from one workstation.
3) Limit Data Access
Only share data if you have to. If data does not need to be exposed to the Internet or network, keep it contained to minimize the chance of breach. A good practice is to restrict access to Secure Shell (SSH) and Remote Desktop Protocol (RDP) via Network Security Groups. Doing so can prevent attackers from gaining control of your systems. You should also limit the number of ports you have open. Limiting ports can restrict opportunities for attackers to enter your system.
When you do have to share data or files, consider using Azure Information Protection service. This service enables you to classify the security priority of files and protect them with persistent permissions filters. Information Protection will mark classified files in the header, footer, and with metadata for clear identification.
When combined with Azure Rights Management (Azure RMS) you get the added benefit of encryption and authorization policies. These policies remain attached to the files you’ve shared regardless of where the files are located, on your system or third-party’s. This means that only authorized users will be able to use the files, even after it is out of your direct control. RMS is already integrated with other Microsoft cloud services, like Office 365, making it easy to use.
4) Identity Management
For identity management, make sure to follow the principle of least privilege. This principle states that you should only give the minimum access needed. Consider creating separate roles for user tasks. These roles prevent one user from having comprehensive administrative privileges. Isolating permissions in this way can reduce the damage that attackers can cause compromised credentials.
You can use Role-Based Access Control (RBAC) to define the access and permissions of users. With RBAC, you can restrict permissions to an Azure subscription, resource group, storage account, or individual resource.
It’s important that you do not allow users to invite additional users. All new user accounts should be created by your security team. You should also create password policies to ensure sufficient password complexity and forbid duplication of passwords.
Conclusion
Azure, like any cloud provider, has its share of vulnerabilities. This does not mean that it cannot be the basis of a secure cloud. The right combination of tools and configuration can help keep your data safe. As a next step, check out the Open Web Application Security Project’s Cloud 10. The Cloud 10 list contains in-depth vulnerability descriptions as well as recommendations of best practices.
Gilad David Maayan is a technology writer who has worked with over 150 technology companies including SAP, Imperva, Samsung NEXT, NetApp and Ixia, producing technical and thought leadership content that elucidates technical solutions for developers and IT leadership. Today he heads Agile SEO, the leading marketing agency in the technology industry.