Microsoft Azure operates a shared responsibility security model. Microsoft provides a secure infrastructure. It makes available tools and services to help users to build and manage secure cloud infrastructure deployments. But it is the responsibility of Azure users to manage their cloud infrastructure in line with security best practices.
It is possible to deploy secure infrastructure with Azure: national and local government agencies, including the U.S. Department of Defense, do just that. But it is also possible to deploy insecure cloud servers that lead to security breaches and data leaks. Configuration mistakes create vulnerabilities, and weak authentication and identity management can leave an organization open to attack.
In this article, we’ll look at 7 Microsoft Azure security best practices, including some of the Azure tools that can help your organization stay safe on Azure.
Implement a DMZ
The servers that host an organization’s applications and databases shouldn’t be accessible from the internet. Instead, there should be a layer of infrastructure between the internet and the organization’s assets. The purpose of the intermediate layer—referred to as a perimeter network or DMZ—is to control access to potentially vulnerable assets on the network.
The DMZ might comprise Azure Firewall or the Azure Application Gateway, as well as DDoS prevention infrastructure and intrusion detection software. The goal is to make sure that only legitimate requests make it through to the organization’s primary assets, reducing the likelihood that they’ll be compromised.
Disable External Access to Virtual Machines
It’s quick and convenient to access virtual machines with RDP or SSH, but a server is vulnerable if anyone on the internet can access those services. It’s more secure to disable external access. This advice also applies to database servers, which should only be accessible to users from within your network, and not to everyone who knows the IP address.
What if you want to make a configuration change on a server? A DevOps professional might answer that question with one word: don’t. Instead, deploy a new server with the desired configuration and remove the old server.
But, if you prefer to manage servers traditionally, there are alternatives to opening SSH and RDP to the internet. Microsoft suggests using a VPN Gateway to create a point-to-site or site-to-site VPN to authenticate users and encrypt their connection.
Keep VMs Updated
Users are responsible for making sure their VMs and the software running on them is patched. If an organization uses a DMZ, old software is less of a risk, but running software riddled with known vulnerabilities isn’t wise. It’s better to patch in good time.
Microsoft provides an Update Management tool—it’s part of Azure Automation—which can manage OS updates for both Windows and Linux servers. Update Management provides update assessments via Azure Monitor to inform users of required updates. It also allows users to schedule and run update deployments.
Monitor The Performance of Virtual Machines
Aside from the obvious benefits of checking that virtual machines are performing well, poor performance can be an indication of security issues. If virtual machines exhibit patterns of performance and resource use that differ from the norm, there is a cause. Without monitoring, an organization can’t know what normal or unusual resource use looks like.
Azure Monitor is a world-class monitoring tool that combines metrics and logs to provide comprehensive monitoring and alerts. It collects application, OS, and resource data, and presents that data in a useful format. Azure Monitor can be challenging to use, but it is an essential security tool for the Azure cloud.
For a more intuitive tool for managing, monitoring, and configuring alerts, take a look at the VIAcode Incident Management System (VIMS) for Azure. VIMS provides an intuitive dashboard and allows users to filter superfluous alerts and focus on actionable information.
Store Keys and Secrets in Azure Key Vault
Earlier this year, a research team from North Carolina State University discovered that 13 percent of GitHub public repositories contained API tokens or cryptographic keys. It’s often necessary to share secrets, but putting them in code that is then committed to version control platforms is a recipe for disaster.
Azure Key Vault helps organizations to securely store and share secrets such as passwords, keys, certificates, and API tokens. Organizations can grant access to specific users and groups, ensuring that secrets can be accessed only by those who need them, and not by malicious third-parties.
Encrypt Data at Rest
Ideally, bad actors will never see your data because network and server security best practices deny them access. But perimeter defenses are not enough. People make mistakes, and no infrastructure platform is perfect. Bad actors should not be able to read your data even if they can access it, and that means encryption.
Microsoft Azure provides several mechanisms for encrypting data in databases and Azure data storage services. Azure Disk Encryption encrypts VM disks and integrates with Azure Key Vault. Azure Storage Service Encryption (SSE) provides transparent 256-bit AES encryption for data in Azure Storage. Azure SQL Database transparent encryption does the same for the SQL Database and Data Warehouse services.
Use ARM Templates To Deploy Infrastructure
Running unknown infrastructure is one of the most significant security risks that businesses face in the cloud. It’s simple for an employee to spin up a server with an insecure configuration. The best way to mitigate the risk is to create and enforce policies that mandate how infrastructure should be configured, ensuring that employees only ever deploy servers with a secure configuration.
Azure Resource Manager templates are JSON files that allow organizations to define infrastructure in code. They can create templates that conform to security policies, and mandate that the templates are used when deploying new servers.
Azure Policy is a service that helps businesses to verify that their infrastructure does, in fact, conform to their security policies. Additionally, Azure Blueprints is a higher-level tool that allows organizations to define, in advance, resource groups, templates, and policies for large-scale deployments. Microsoft provides sample blueprints for compliance with several regulatory standards, including PCI DSS, ISO 2700, and the CIS Microsoft Azure Foundations Benchmark.
As you can see, Microsoft Azure offers a wealth of tools and services to help you secure your cloud infrastructure. If you would like to learn more about security on Azure or securely migrating your applications to Azure for free, fill out the form below for a free initial consultation.