Must-do Azure security best practices to keep in mind

Every cloud security professional needs a firm understanding of how responsibilities are divided between Azure customers and Microsoft. The security of the resources hosted in Azure is of the highest importance, although some organizations overlook it.

Microsoft provides a secure foundation across physical, infrastructure, and operational security. Physical security covers the measures Microsoft takes to protect its datacenters. Network infrastructure, firmware, and hardware together make up the Azure infrastructure.

For deployments, the customer is responsible for protecting confidential data, on-premises resources, and the cloud components under the customer's control. The areas the customer is responsible for are:

  • Data
  • Endpoint
  • Account
  • Access Management

Listed below are Azure security best practices, derived from customer experience and the relevant Center for Internet Security (CIS) recommendations, for the most significant areas; everyone should follow them:

Security Policy

The following should be set for virtual machines:

●      Set ‘OS vulnerabilities’ to On

When this setting is enabled, Security Center analyzes operating system configurations and highlights the defects that leave the virtual machine vulnerable to threats.

●      Turn on ‘Endpoint Protection’

When this option is enabled, Azure Security Center recommends that endpoint protection be provisioned for all Windows virtual machines so that viruses and malware can be detected and removed.

●      Enable ‘JIT Network Access’

When this option is enabled, Security Center locks down unwanted traffic to the virtual machines.

Identity and Access Management

●      Ensure multi-factor authentication is enabled for all users

Multi-factor authentication requires a user to present two separate forms of authentication before access is granted. This provides additional assurance that the user gaining access is who they claim to be.

●      Control which apps containing company data are exposed to users

Users will not be allowed to use their identity outside the cloud platform unless the organization runs a relevant Azure Active Directory as its identity provider.

●      Set ‘Restrict access to Azure AD administration portal’ to Yes

All non-admin users should be restricted from accessing Azure portal data, as it is strictly confidential.

Storage Accounts

●      Set ‘Secure Transfer Required’ to Yes

Secure transfer strengthens storage account security by allowing access to the storage account only over a secure connection.

●      Set ‘Storage Service Encryption’ to Yes

Storage Service Encryption protects user data at rest. It encrypts data as users write it and decrypts it again when the same data is accessed.
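
A small audit for the two storage settings above, added here as an example and not taken from the original post. It runs over constructed account records shaped like `az storage account list -o json`; the field names `enableHttpsTrafficOnly` and `encryption.services` are assumed to mirror that output.

```python
from typing import Dict, List

# Constructed sample records (not real accounts), shaped like
# `az storage account list -o json`; field names are assumed.
SAMPLE_ACCOUNTS: List[Dict] = [
    {"name": "stcompliant", "enableHttpsTrafficOnly": True,
     "encryption": {"services": {"blob": {"enabled": True},
                                 "file": {"enabled": True}}}},
    {"name": "stplainhttp", "enableHttpsTrafficOnly": False,
     "encryption": {"services": {"blob": {"enabled": True},
                                 "file": {"enabled": True}}}},
    {"name": "stnoblobenc", "enableHttpsTrafficOnly": True,
     "encryption": {"services": {"blob": {"enabled": False},
                                 "file": {"enabled": True}}}},
]

# Services whose encryption-at-rest flag the check requires to be on.
REQUIRED_SERVICES = ("blob", "file")


def audit_storage_account(account: Dict) -> List[str]:
    """Return findings for one account; an empty list means compliant."""
    findings = []
    # 'Secure transfer required' = Yes corresponds to enableHttpsTrafficOnly.
    if not account.get("enableHttpsTrafficOnly", False):
        findings.append("secure transfer not required (HTTP allowed)")
    # 'Storage service encryption' is reported per service under encryption.services.
    services = account.get("encryption", {}).get("services", {})
    for svc in REQUIRED_SERVICES:
        if not services.get(svc, {}).get("enabled", False):
            findings.append(f"encryption at rest disabled for {svc}")
    return findings


def audit_all(accounts: List[Dict]) -> Dict[str, List[str]]:
    """Map account name -> findings, listing only non-compliant accounts."""
    report = {}
    for account in accounts:
        findings = audit_storage_account(account)
        if findings:
            report[account["name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_ACCOUNTS).items():
        print(f"{name}: {'; '.join(findings)}")
```

A missing field is treated as the weak setting, so an account record with no encryption block is reported rather than silently passed.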

SQL Services

●      Set the ‘Auditing’ option to On

Turning auditing on tracks database events and writes them to audit log files. This helps in monitoring database activity and maintaining regulatory compliance.

●      Threat Detection

SQL Threat Detection provides an additional layer of security by helping customers detect and respond to threats arising from malicious activity.

●      Transparent Data Encryption

It helps secure the Azure database against malicious activity through real-time encryption and decryption of the data, without any modification to the original application.

Networking

●      Disable Remote Desktop (RDP)

The drawback of leaving RDP exposed is that attackers can use any available technique to gain access to the VMs. Once they have access, they can compromise all data on the Azure virtual network.

●      Disable SSH

This is similar to the RDP case. Once an attacker gains access, they can use the virtual machine as a starting point to reach data on the Azure network.

●      Disable Telnet

This option should be disabled; doing so restricts access to only the specific IP addresses that require it, which implements the principle of least privilege and reduces the growing possibility of a breach.
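
A check for the three networking rules above, added here as an example and not code from the original post. It evaluates network security group (NSG) inbound rules the way Azure does (lowest priority number first, first match wins, then the default DenyAllInBound rule) and reports which of RDP, SSH and Telnet a rule leaves reachable from the Internet. The records are constructed, and their field names are assumed to mirror `az network nsg rule list -o json`; only single-valued port and source fields are handled.

```python
from typing import Dict, List, Optional

ADMIN_PORTS = {3389: "RDP", 22: "SSH", 23: "Telnet"}
# Source prefixes Azure treats as "any Internet host" on an inbound rule.
ANY_SOURCE = {"*", "Internet", "0.0.0.0/0"}
# Constructed sample rules (not a real NSG). Lower priority number wins: the
# Telnet deny at 300 outranks the broad allow at 400; SSH is narrowed to one office.
SAMPLE_RULES: List[Dict] = [
    {"name": "allow-ssh-office", "priority": 100, "direction": "Inbound",
     "access": "Allow", "protocol": "Tcp", "destinationPortRange": "22",
     "sourceAddressPrefix": "203.0.113.0/24"},
    {"name": "allow-rdp-any", "priority": 200, "direction": "Inbound",
     "access": "Allow", "protocol": "*", "destinationPortRange": "3389",
     "sourceAddressPrefix": "*"},
    {"name": "deny-telnet", "priority": 300, "direction": "Inbound",
     "access": "Deny", "protocol": "Tcp", "destinationPortRange": "23",
     "sourceAddressPrefix": "*"},
    {"name": "allow-tcp-20-25", "priority": 400, "direction": "Inbound",
     "access": "Allow", "protocol": "Tcp", "destinationPortRange": "20-25",
     "sourceAddressPrefix": "Internet"},
]


def port_in_range(port: int, spec: str) -> bool:
    """True if port lies inside an NSG port spec such as '*', '22' or '20-25'."""
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def deciding_rule(rules: List[Dict], port: int) -> Optional[Dict]:
    """First rule (lowest priority number) matching TCP from the Internet to
    port; None means the default DenyAllInBound rule (65500) applies."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule["direction"] != "Inbound" or rule["protocol"] not in ("*", "Tcp"):
            continue
        if rule["sourceAddressPrefix"] not in ANY_SOURCE:
            continue  # restricted source: does not match arbitrary Internet hosts
        if port_in_range(port, rule["destinationPortRange"]):
            return rule
    return None


def exposed_admin_ports(rules: List[Dict]) -> Dict[str, str]:
    """Map service name -> name of the rule that opens it to the Internet."""
    exposed = {}
    for port, service in ADMIN_PORTS.items():
        rule = deciding_rule(rules, port)
        if rule is not None and rule["access"] == "Allow":
            exposed[service] = rule["name"]
    return exposed
```

On the sample, SSH is reported as exposed even though the dedicated SSH rule is narrow, because the later broad allow for ports 20-25 still matches Internet sources; that is the kind of ordering mistake a rule-by-rule glance misses.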

Virtual Machines

●      Install endpoint protection on virtual machines

It provides real-time protection that helps detect and neutralize viruses, spyware, and other malicious applications, and alerts are raised where it still needs to be installed.

●      Enable the latest OS updates for VMs

OS updates should be applied to meet these checkpoints:

  1. Address and fix specific bugs or defects
  2. Improve OS stability
  3. Fix system vulnerabilities
  4. Ensure all data disks are encrypted

Miscellaneous

●      Subscription security

A secure subscription for an individual account provides the solid platform on which development and deployment activities are carried out. A well-qualified team should be in place to deploy and configure security in the relevant subscription.

●      Prune the number of admins

The number of owners should be kept as low as possible, as this reduces the attack surface of the entire subscription.

●      Do not grant access to external accounts

Non-Azure accounts are subject to unpredictable and unwanted risks, so access for external accounts should be removed.
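
A role-assignment audit for the two points above (owner count and external accounts), added here as an example and not code from the original post. The records are constructed and their field names are assumed to mirror `az role assignment list --all -o json`; the subscription id is a placeholder, and the owner limit is a value chosen for the example, not a figure from the post.

```python
from typing import Dict, List

# Placeholder subscription id (not a real one) used for the sample scope.
SUBSCRIPTION_SCOPE = "/subscriptions/00000000-0000-0000-0000-000000000000"

# Constructed sample shaped like `az role assignment list --all -o json`;
# field names are assumed. Guest accounts invited from outside the tenant
# carry '#EXT#' in their user principal name.
SAMPLE_ASSIGNMENTS: List[Dict] = [
    {"principalName": "alice@contoso.example", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": SUBSCRIPTION_SCOPE},
    {"principalName": "bob@contoso.example", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": SUBSCRIPTION_SCOPE},
    {"principalName": "carol_partner.example#EXT#@contoso.onmicrosoft.com",
     "principalType": "User", "roleDefinitionName": "Contributor",
     "scope": SUBSCRIPTION_SCOPE},
    {"principalName": "dave@contoso.example", "principalType": "User",
     "roleDefinitionName": "Reader",
     "scope": SUBSCRIPTION_SCOPE + "/resourceGroups/rg-app"},
]


def is_external(assignment: Dict) -> bool:
    """True for a B2B guest user (identified by the '#EXT#' UPN marker)."""
    return (assignment["principalType"] == "User"
            and "#EXT#" in assignment["principalName"])


def subscription_owners(assignments: List[Dict], scope: str) -> List[str]:
    """Principals holding Owner directly on the subscription scope."""
    return sorted(a["principalName"] for a in assignments
                  if a["roleDefinitionName"] == "Owner" and a["scope"] == scope)


def audit_assignments(assignments: List[Dict], scope: str,
                      max_owners: int) -> List[str]:
    """Findings for too many owners and for any external account with a role."""
    findings = []
    owners = subscription_owners(assignments, scope)
    if len(owners) > max_owners:
        findings.append(f"{len(owners)} owners on subscription, limit {max_owners}")
    for a in assignments:
        if is_external(a):
            findings.append(f"external account {a['principalName']} holds "
                            f"{a['roleDefinitionName']} on {a['scope']}")
    return findings
```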

Security Advantages of the PaaS cloud service model

Microsoft mitigates common risks and responsibilities. Because Microsoft monitors the cloud continuously, it is hard to breach. In the middle of the stack there are no differences between PaaS deployments and services; the account management layer and the application layer carry similar risks.

The Azure platform provides strong DDoS protection using network-based technologies. All DDoS protection methods have limits on a per-link and per-datacenter basis. To avoid such anomalies, Azure's core cloud capability of letting the user mitigate DDoS attacks comes into play.

Develop on Azure App Service

Azure App Service is a PaaS offering that enables you to create web and mobile apps for any device and to connect and synchronize data in the cloud. App Service includes all the web and mobile capabilities that were previously separated into Azure Websites and Mobile Services. It also adds new capabilities for automating business processes and hosting cloud APIs. App Service brings together the rich capabilities of the web, mobile, and integration platforms.
