Advertisment

Security in Azure Cloud

Azure Security offers a comprehensive suite of tools and services to help organizations protect their data, applications, and infrastructure in the cloud.

author-image
DQINDIA Online
New Update
azure security

Azure Cloud Overview

Advertisment

Azure Cloud is a cloud computing platform from Microsoft with a wide range of services for building, managing, and deploying applications, data storage, analytics, and artificial intelligence (AI) tools. With 300+ data centres over 60+ regions globally, Azure offers extensive geographic reach and robust redundancy for cloud needs.

A high percentage of large enterprises utilize Azure for their cloud needs, indicating trust and confidence in the platform, here are some of the well-known companies using Azure Cloud,

● Samsung: Samsung uses Azure for a variety of purposes, including data analytics, artificial intelligence, and machine learning.

Advertisment

● Pixar: Pixar uses Azure to render its animated films. The cloud platform helps Pixar to create more complex and realistic images than ever before.

● eBay: eBay uses Azure to power its e-commerce platform. Azure helps eBay to scale its infrastructure to meet the demands of its millions of users.

● Boeing: Boeing uses Azure to design and manufacture its airplanes. Azure helps Boeing to collaborate with engineers around the world and to simulate the performance of its aircraft.

Advertisment

● Nestle: Nestle uses Azure to run its supply chain management system. Azure helps Nestle to track its products from farm to fork and to optimize its logistics operations.

● Pfizer: Pfizer uses Azure to conduct clinical trials. Azure helps Pfizer to recruit and manage patients for its trials and to analyse the results more quickly.

● Siemens: Siemens uses Azure to develop and deploy its industrial automation solutions. Azure helps Siemens to connect its machines to the cloud and to collect data that can be used to improve efficiency and productivity.

Advertisment

Driven by the surging demand for cloud computing, connected IoT devices, and AI, Azure is experiencing phenomenal growth. This surge is fuelled by attracting more enterprises who leverage Azure's diverse offerings to innovate, modernize their services, and stay ahead of the curve in a competitive business landscape. Growth expands the user base, data volume, workload complexity, and potential threat landscape, necessitating robust security across all workloads.

Azure Security Overview

Security in technology is a holistic approach comprising measures and practices designed to protect valuable data, applications, and infrastructure. These efforts guarantee authorized access, ensure adherence to regulations, safeguard business continuity, foster customer trust, and ultimately minimize potential risks.

Advertisment

Azure offers wide range of tools and controls to meet organization’s specific security requirements for protecting data, application, and infrastructure. Under Shared responsibility, both the Azure and Azure customer share responsibility for security. The Azure secures the underlying infrastructure & services, while customer is responsible for securing data and applications within that environment.

According to Microsoft, company invests $1 billion US dollars per year in security to protect customer data from cyberthreats. Organizations are too becoming more vigilant, investing to create awareness on evolving threats, implementing measures to prevent threats and increase security. Security is continuous process that requires constant vigilance and adaptation to ensure data and resources remain protected against existing and evolving threats. 

According to recent newsletter published by Cloud Security Alliance (CSA), about 77% of respondents feel unprepared to deal with security threats.

Advertisment

Many causes contribute to security vulnerability, below are some of the key root causes,

● Misconfiguration – Incorrect settings, permissions, or configurations of applications, databases, network devices, or security controls leaving vulnerabilities that attackers can exploit.

● Software Vulnerabilities – Software may have vulnerabilities, and attackers are constantly searching for new ones to exploit. These vulnerabilities can be in operating systems, applications, SDKs, Frameworks or even cloud services. Keeping software up-to-date with the latest patches is crucial to minimize this risk.

Advertisment

● Weak Secrets and Keys management – Easy to guess passwords and credential used across accounts; unencrypted or poorly stored API keys, access token and secrets; and lack of secret rotation leaves vulnerabilities that attackers can exploit.

● Lack of Security Awareness and Training - Many organizations lack adequate security awareness and training programs for their employees. This leaves them vulnerable to social engineering attacks and other threats. Continuous training and awareness campaigns are critical for improving security posture.

● Lack of Investment & Focus in Security: Some organizations simply don't prioritize security or invest enough resources in it. This leaves them vulnerable to attacks and can have severe consequences. Prioritizing security and allocating sufficient resources is crucial.

Leveraging Azure security to secure Azure solutions

Azure Cloud Engineers can utilize available security features and security best practices to implement security measures and controls to mitigate security threat and improve security.

azure security
Figure 1 - Azure Security Features

 

Security implementation is structured around general security guiding principles outlining strategy and key azure services/features helpful to implement robust security in azure cloud solutions,

1) Identity and Access Management (IAM)

Use strong authentication and authorization controls to manage access to your cloud resources. Microsoft Entra ID (formerly known as Azure Active Directory) is a cloud-based identity and access management (IAM) service.  It enables managing and securing identities, devices, networks, and workloads under Microsoft Entra portfolio.

Keys Services & Tools provided by Microsoft Entra ID,

a) Identity management: Create, store, and manage users (identities).

b) Single Sign-On (SSO): Allow users to access multiple applications and services with a single login, improving user experience and reducing password fatigue

c) Role-Based Access Control (RBAC): Defines roles with specific permissions assigned to users and groups.

d) Enhanced security: Protect data and systems with single sign-on (SSO), multi-factor authentication (MFA), and conditional access policies.

e) Unified central administration: Manage all Microsoft Entra multicloud identity and network access solutions in one place.

2) Zero Trust

Assume any access request could be malicious and verify every user, device, and application before granting access. Design Zero Trust strategy around below security principles by leveraging Azure Services,

a) Verify Explicitly: Always authenticate and authorize users, devices, and applications before granting access. Use multi-factor authentication (MFA) and conditional access policies.

b) Least Privilege Access: Grant users and applications the minimum access permissions needed for their specific tasks. Utilize Just-In-Time (JIT) and Just-Enough-Access (JEA) controls.

c) Assume Breach: Design your environment with the assumption that attackers might already be inside. Segment networks, minimize blast radius, and continuously monitor for suspicious activity.

Azure Services & Tools helpful in implementing Zero Trust Strategy,

a) Entra Id (formerly Azure Active Directory): Manage user identities and access control. Enable MFA, conditional access, and privilege access management.

b) Azure Sentinel: Aggregate security data from across Azure and provide comprehensive threat detection and analytics.

c) Microsoft Defender for Cloud: Secure access to SaaS applications and protect against data breaches.

d) Azure Network Security Groups (NSGs): Control inbound and outbound network traffic at the subnet and virtual machine level.

e) Azure Firewall: Provide centralized protection for your Azure virtual networks.

3) Least Privilege

The Least Privilege (LP) strategy minimizes the risk of unauthorized access and data breaches by grant bare minimum access permissions needed to perform their tasks. 

Azure Services & Tools to implement LP strategy,

a) Microsoft Entra ID: Use Role-based access control (RBAC) to assign specific roles with predefined minimum permissions to users, groups, and service principals. Leverage Privileged Identity Management (PIM) to enables just-in-time (JIT) and just-enough-privilege (JEA) access for privileged accounts

b) Azure Resource Manager (ARM): Assign roles with specific permissions at different scopes within ARM which includes access at subscription level, resource group level and individual resource level

c) Azure Policy: Define and enforce security policies at different scopes within your Azure environment. These policies can ensure least privilege is applied consistently by automatically restricting resource access or permissions beyond predefined limits

d) Azure Key Vault: With help of access control features in Key Vault, grant users, identities and services minimal permissions to access only the specific keys or secrets they require

4) Defense in Depth

Implement various controls at different levels, from physical infrastructure to applications and data. This includes physical security, network security, identity and access management, data encryption, threat detection and response, and more

Services & Tools to use for implementing security at multiple layers in Azure,

a) Azure Site Recovery: Provides disaster recovery for your on-premises applications and data to Azure. This helps ensure continued data availability and minimizes disruption even if your physical data centers are compromised.

b) Azure Virtual Network (VNet) & Network Security Groups (NSGs) - VNet segments your resources into a secure enclave, minimizing the attack surface and potential damage if a breach occurs. NSGs allow granular control over inbound and outbound network traffic, further restricting unauthorized access attempts.

c) Private Link: Private link enables resources access using dedicated Microsoft-managed connections within the Azure backbone, significantly enhancing security, and eliminating the need to expose resources to the public internet.

d) Entra Id Multi-Factor Authentication (MFA): Adds an extra layer of security by requiring a second verification factor, like a code from your phone, for login attempts.

e) Azure Role-Based Access Control (RBAC): Defines roles with specific permissions assigned to users and groups. This ensures users only have the minimum access required to perform their tasks.

f) Azure Key Vault: Securely stores and manages your encryption keys used to encrypt data at rest and in transit.

g) Data Encryption: Automatically encrypts your data at rest and in transit, discussed more later.

5) Patch Management

Patch management plays a critical role in defending your Azure environment against security vulnerabilities. It involves identifying, acquiring, and deploying updates for your operating systems, applications, and middleware running on your Azure resources.

Services and tools to leverage to keep your systems up-to-date and secure,

a) Azure Update Manager - Azure Update Manager is a comprehensive service that helps manage updates for all your machines, including those running on Windows and Linux, across Azure, on-premises, and other cloud platforms

b) Azure Automation Update Management - Part of Azure Automation, this service allows you to manage updates for your Azure VMs.

c) Azure App Service OS Patching - Specifically for Azure App Service, OS patching is managed automatically on both the physical servers and guest VMs running App Service resources.

6) Data Encryption

Data encryption is a critical security practice to protect data. It involves converting data from plaintext to ciphertext using cryptographic algorithms, protecting it both during transmission (in transit) and while stored (at rest). Encryption helps keeping confidential data secure, meet regulatory compliance requirements and reduce risk of potential damage caused by data breaches.

Below are the Azure Services & Tools to useful to handle data encryption,

a) Encryption at rest: Apply encryption for information stored persistently on physical media, whether it’s files, databases, or backups using following services,

● Azure Storage Encryption: Encrypts data at rest in Azure Blob storage and Azure Files. Both Microsoft-managed keys and customer-managed keys can be used for encryption

● Azure SQL Database Encryption: Azure SQL Database and other services like Azure Cosmos DB and Azure Data Lake offer data encryption at rest.

● Azure Disk Encryption: Encrypts the operating system and data disks of your Azure Virtual Machines (VMs) for Windows and Linux.

b) Encryption in Transit: Encryption in transit ensures that data remains secure while being transmitted between different components or services over public and private networks.  Azure uses Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols to encrypt data during communication for various services like App Service, Function Apps, Virtual Machines, Storage Accounts, SQL database, Key Vaults, Entra Id, Data Factory, Kubernetes Service, Logic Apps, Service Bus etc.

7) Keys and Secret rotation

Regularly rotating keys and secrets is a vital aspect of maintaining a strong security posture. It helps reduce attack surface and mitigate risk of breaches if keys and secrets are compromised.

Azure services and tools to automate and streamline the rotation process,

a) Azure Key Vault: Acts as the central hub for storing and managing your secrets and encryption keys. Offers automated scheduled rotation, triggered rotation and manual rotation

b) Azure Automation: Cloud automation service enables to automate routine tasks, including key and secret rotation. It can access and manage secrets for Entra ID applications, Function apps, Storage account, SQL Database and more

c) Managed Identity: Provides identities for Azure resources like App Services, VMs or functions, eliminating the need to embed & manage secrets like passwords directly in the application

d) Azure DevOps Pipelines: Continuous integration and continuous delivery (CI/CD) platform can integrate key and secret rotation steps within your CI/CD pipelines to ensure secrets are updated during deployments and releases

8) Continuous Monitoring and Logging

Continuous monitoring and logging are essential components of a robust security strategy for proactively collecting, analyzing, and reviewing security-related data to identify potential threats, investigate incidents, and maintain a comprehensive understanding of security posture.

Azure Services and Tools for Continuous Monitoring and Logging

a) Azure Monitor: Offers comprehensive monitoring and logging capabilities for Azure resources and services. Collects metrics, logs from your VMs, applications, databases, security events, network events and other resources. Provides customizable dashboards and alerts to notify of potential security issues.

b) Azure Sentinel: A cloud-native security information and event management (SIEM) platform that uses built-in AI to help organizations analyze large volumes of logs from various sources, including Azure Monitor. It provides attack detection, threat visibility, proactive hunting, and threat response to help stop threats before they cause harm.

Secure multicloud and hybrid environments

Microsoft Defender for Cloud is a Cloud-Native Application Protection Platform (CNAPP) designed to consolidate multicloud threat prevention and detection, offering comprehensive security from code to cloud.  

 

(Reference: https://www.microsoft.com/en-us/security/business/cloud-security/microsoft-defender-cloud)
(Reference: https://www.microsoft.com/en-us/security/business/cloud-security/microsoft-defender-cloud)

Its multi-layered approach to securing environment includes capabilities of,

a) DevOps Security Management: Defender for Cloud streamlines security management across multicloud and multiple-pipeline environments, enabling security teams to safeguard applications and resources from code to cloud. It integrates with platforms like GitHub, Azure DevOps, and GitLab, allowing correlation of DevOps security findings (such as Infrastructure as Code misconfigurations and exposed secrets) with other contextual cloud security insights for targeted code remediation.

b) Cloud Security Posture Management (CSPM): Microsoft Defender for Cloud acts as a comprehensive security guardian for environment. It scans your resources for vulnerabilities and misconfigurations, including VMs, databases, storage, and network setups. Based on its findings, it recommends best practices and improvements to strengthen your security posture and ensure compliance with security regulations. Additionally, it continuously monitors your environment to proactively identify and mitigate potential threats and risks

c) Cloud Workload Protection Platform (CWPP): Defender for Cloud shields your cloud workloads from malware, vulnerabilities, and advanced threats. It also includes Endpoint Detection and Response (EDR) capabilities for identifying and investigating suspicious activity within your virtual machines (VMs) and containers. Additionally, it provides workload identity protection to secure privileged identities and access controls within your cloud workloads. 

In addition, it supports capabilities for,

● Multi-cloud security: Provides native CSPM capabilities for Azure, AWS, and Google Cloud Platform (GCP), offering security insights across multi-cloud environment.

● Hybrid cloud security: Connects non-Azure workloads in hybrid scenarios using Azure Arc, extending security monitoring and protection beyond the cloud including on-premises workloads.

Microsoft Security Copilot

Microsoft Security Copilot, announced during Ignite event in November 2023, is an artificial intelligence (AI) powered security solution assisting security professionals to navigate the complex world of cybersecurity with greater efficiency and effectiveness.

copilot

Microsoft Security Copilot seamlessly integrates with existing security tools and offers expertise in various security disciplines, acting as an extension of your security team.

1. Efficiency at Machine Speed: By analyzing 65 trillion daily signals, Security Copilot delivers customized insights. It distills vast data into actionable guidance, enabling security teams to proactively detect threats amidst the noise.

2. Contextual Guidance: Security Copilot seamlessly integrates with Microsoft and third-party security products. It provides context-specific advice based on security-specific data sources. Whether it’s incident response, threat hunting, intelligence gathering, or posture management, Security Copilot empowers security professionals.

3. End-to-End Scenarios: From detecting incidents to assessing risks, Security Copilot covers the entire spectrum. Defenders can respond swiftly, stay ahead of adversaries, and strengthen their expertise

4. Embedded Capabilities: Security Copilot is embedded within Microsoft products like Microsoft Defender XDRMicrosoft Intune, and Microsoft Entra. It leverages specialized language models and security-specific features.

5. Natural Language Interaction: Users can ask Security Copilot questions in natural language and receive actionable responses. It assists in areas such as security operations, device management, identity protection, data compliance, and cloud security.

6. Holistic Defense: By correlating alerts and incidents across cloud resources, devices, and identities, Security Copilot provides a comprehensive view. It equips defenders to stay ahead of threats.

Conclusion: Security is continuous endeavour

Securing Azure environment is an ongoing process. Utilize Azure's diverse security services and tools to create a robust defense, mitigate risks, and ensure data protection. Embrace continuous monitoring, updates, and best practices to navigate the evolving threat landscape. With a proactive approach and Azure's security offerings, establish a secure and confident cloud foundation.

By Nilesh Hirapra, Principal Software Architect, Concentrix Corporation

Advertisment