Azure Security Center: Top 3 Best Practices
As cloud computing becomes more and more pervasive, so will threats toward the data stored within it. Many corporations cite data security as a primary concern with regards to cloud migration. After all, they're expected to migrate their customer's sensitive data to Azure, integrate existing software and APIs, and then train current employees — or hire new ones — to administer the cloud security environment.
Each of these steps can be rife with pitfalls, such as insecure APIs, access management intrusions, user error, and everything in between. While security concerns are warranted out of due diligence, Microsoft provides us with an incredible tool to combat every one of them: The Azure Security Center.
Let's discuss a couple of different security threats that can be identified and mitigated using the Security Center. This article will then walk through the three best practices regarding Azure Security Center—implementing secure governance, access control, and safeguarding data and resources.
Azure Security Center: A Brief Overview
The Azure Security Center is a one-stop-shop for all of your security needs. Virtually every service required for a production environment can be monitored here. For instance, let's say your company has just spun up five new virtual machines and needs to know which ones are currently encrypted, online, and installed with antivirus software. All of that information is located on the Azure Security Center dashboard. Here is an example of the dashboard:
As shown above, the Security Center provides a dashboard that will provide secure alerts, recommendations, most attacked resources, and much more. Speaking of attacked resources, let's discuss the most common attack against cloud environments: RDP Brute Force Attacks.
Threat #1: RDP Attacks
The list of potential network security threats to enterprise-level businesses is pretty long. One of the most common attacks against an IaaS (Infrastructure as a Service) environment are RDP (Remote Desktop Protocol) attacks. This is a form of DDoS (Distributed Denial of Service) attack where an attacker will continually try to RDP into a particular VM, thus clogging up the ports. The most common port target is port 22, which is the dedicated port for the SSH protocol. This attack will prevent regular users' ability to access company resources and significantly hinder productivity.
In the era of COVID, this vector of attack is particularly threatening. Luckily, Azure Security Center provides a method to mitigate this threat and strikes an excellent balance between convenience and security in the meantime.
Azure handles these types of threats through a nifty feature called Just-In-Time VM Access. JIT VM Access allows administrators to keep particular ports open only for a given time. For instance, we may only want specific ports open to provide admins enough time to log onto the virtual machines and perform required updates. Using JIT VM Access, we can configure the ports to be opened between 1:00 PM and 2:00 PM on Saturdays. In other words, it's all about the Golden Rule of IT Security: Least privileged access!
Threat #2: Data Breaches
A CEO's worst nightmare is answering a call in the middle of the night that begins with these three words: we've been hacked. Generally, the worst hacks are the ones that involve data integrity. In other words, the unauthorized insertion, deletion, and retrieval of production data. Preventing the loss of data is extremely important, especially customer data. Let's take a look at how we can use Azure Security to mitigate this threat.
First of all, data stored on Azure will more than likely be in Cosmos DB—a NoSQL database—or some flavor of SQL database. Either of these database types can easily be spun up on the cloud. Better yet, all data stored on Azure is encrypted at rest by default, so that is one less thing to worry about. However, once you or your software developer has transferred the data into your new database, make sure a SQL Vulnerability Assessment runs on the Azure Security Center.
The SQL Vulnerability Assessment (SVA) is an invaluable tool that will list all possible security threats to your database and its connections from highest to lowest. Not only does the SVA list out each security vulnerability, but it also provides actionable advice to mitigate the threats. For instance, in the image above, one High Vulnerability action item states that Server Principal Guest should not be a member of any role. Without getting too deep into the specifics, database roles are the primary method to separate Azure duties.
If a Guest principal were inadvertently part of an Admin role, an anonymous user could update, drop, and manipulate tables. Not good. Luckily the SVA finds this and many other types of security risks. Naturally, this isn't the only way for a data breach to occur. There are many ways this tragedy can occur. Thankfully, numerous broad actions can be taken to mitigate these threats as much as possible. Now that we've touched on a couple of specific threats, let's dive into which portions of cloud security the user is responsible for and the three best practices to mitigate events in general.
Azure Best Practices
Whether a corporation is leveraging Google Cloud, Azure, or AWS, there will always be a concept of shared responsibility. Shared responsibility is the idea that the cloud service provider handles certain security portions, and the other portion is the user's responsibility. Shared responsibility can boil down to a simple concept: the cloud provider maintains security of the cloud while the user provides security in the cloud.
While cloud security is vitally important, let's focus on the cloud user's three core responsibilities instead of the cloud provider. The first responsibility is to protect the employee and customers via identity access and management policies. This means ensuring the least privileged access to all employees. Secondly, it is the cloud customer's responsibility to protect the applications in which they are hosting. Lastly, all services are the sole responsibility of the cloud customer.
Let's look at how each of these responsibilities acts as a pillar for Azure's following three best practices.
A cloud in which the whole world could access would be a worthless cloud indeed. After all, it is a sacred bond between company and customer that their private data is kept confidential. Naturally, controlling which employees have access to different portions of the cloud is the first best practice to discuss.
MFA (Multi-factor authentication) should be implemented immediately — especially if you have a remote team. MFA ensures that an employee knows a password and has some device on their person to be used as additional authentication. The most common method is a phone number in which a passcode is pushed.
MFA is invaluable because it relies on three main principles: something you are (e.g., biometric data), something you have (e.g., a smart card), and something you know (e.g., a passphrase). For instance, if a hacker steals an employee's password, he would only have something the user knows. Therefore, MFA makes it far more challenging to access a system via theft or brute force algorithms. If you need to know which employees have not activated MFA, head over to the Azure Security Center to find out.
In addition to MFA, user identities must be secured using Azure Access Directory. Managing and maintaining user accounts, roles, and permissions is vital. Ensure that all access is managed in this single location. The AD permissions will cascade down to all related services.
Whenever managing Azure AD groups, always follow the principle of least privileged access. The best way to do this is to create a user with no access and then grant access pertinent to that employee's job role. Additionally, enable conditional access whenever possible. For instance, is there a reason why a software developer should be testing production API at 3 in the morning? Maybe, but probably not. So configure their AD group to only have access during business hours. T
his is one such example of controlling access via conditional requirements. Access control plays a pivotal role in a tightly run Azure environment, but let's see how to implement best practices regarding cloud governance and administration.
Implement Secure Governance
The most critical aspect of secure data governance is possessing well-trained employees. It is vital that experts oversee the vast amount of information located on the Azure Security Center. While that may seem rather obvious to have well-trained employees administer Azure Cloud, it can sometimes fall through the cracks for a couple of reasons.
One, a corporation may initially underestimate the level of complexity associated with cloud governance. Secondly, deadlines and skill shortages may impede their search for qualified candidates. In this case, recruiting from within may be a great choice. That being said, the first best practice of secure data governance is ensuring the Azure administrators have a thorough understanding of their duties.
Create Admin Accounts Proactively
Now that your company has qualified employees to work in the cloud, it is time to create the admin accounts. According to best practices, create two Azure admins that can act as Product Owners. This will ensure all critical decisions will have at least two pairs of eyes on them. It also eliminates any single point of failure in case of an emergency.
Speaking of emergencies, create a separate Azure account that can be used if the primary one becomes compromised. In the same vein as having two admin employees, this will prevent any heartache if the original admin account is deleted or locked.
Audit, Audit, Audit.
Last but certainly not least, make sure a separate employee has read-only rights to Azure audit logs. Doing so will make sure that any possible error by either of the admins will be promptly caught, in addition to finding any untoward activities. All of these logs can be found on Azure's Active Directory portal and can help determine if any data and/or resources have been compromised. On the subject of data and resources, let's talk about how these two assets can be secured in our final best practice.
Safeguard Data and Resources
Safeguarding data and resources is not just the responsibility of the administrator: it is everyone's responsibility. With that being said, there are plenty of steps that can be taken to mitigate any threat towards either of these assets.
Monitor Azure Secure Score
The first best practice is to monitor the Azure Security Center continuously. All possible threats and security events are accounted for on its dashboard. Make sure that each threat is resolved promptly. Generally, the best way to do this is to dedicate a team or persons to a specific type of threat. That way, there is no confusion or finger-pointing if a situation escalates.
In addition to outlining security threats, Azure Security Center has a dashboard card called Azure Secure Score. On a scale from 1 to 100, Azure will rate how secure your applications are. Ensure the Secure Score is turned on for all applications.
Inject Secrets at Run Time
In the wild west days of development, database or API passwords were placed directly into the application files. However, it is now a best practice to ensure this never happens. Any production password placed in an application file is a big violation of our customer's trust. Instead, make sure that the password (also known as the secret) is injected at run time.
This is a DevOps strategy that ensures that no one will actually know that password. Instead, when the application is built in Azure DevOps, an encrypted key will simply be decrypted, and access to the specific resource will be granted.
Web Application Firewalls
Lastly, I would be remiss to speak of best practices without mentioning Web Application Firewalls (WAF's). A WAF is configured directly on your Application Gateway in Azure and helps detect malicious requests sent to your web application. It will protect from numerous threats such as SQL injection and cross-site scripting (XSS) attacks. Also, an Azure WAF can protect up to forty websites, so don't worry about setting up one after another.
It also allows the user to filter all sorts of different requests. For instance, a company can block certain countries and regions from accessing their web application. It also comes with numerous other rules and is fully customizable. To configure a WAF, simply head over to the Azure Portal, and type it into the search bar.
If nothing else is remembered from this article, remember this: Azure Security Center. Live it, learn it, love it. All roads (with regards to security) lead right back to the Security Center. Large companies benefit the most from Azure Security, but Azure even offers Microsoft for Startups, which gives new companies access to technical resources, free cloud, and even marketing support.
Remember to always think about the three best practices: always control user access, implement secure governance, and safeguard data and resources. Control user access by leveraging the least privileged AD groups and MFA. Implement data governance by limiting the number of admins and always having a dedicated auditor. Safeguard data and resources by monitoring your security score like a hawk. And remember, a security score is only as useful as the number of resources it measures!
This article has barely scratched the surface of all the fantastic features in the Azure Security Center. However, by now, you may be convinced that it is a great tool and a one-stop-shop for all your cloud security needs. Learning these best practices can help your company have a cost-effective, easy-to-manage, and secure infrastructure.