How to secure your Azure Environment
Our Azure Expert, Jeff Field, took the stage at Future Decoded 2019 to talk about securing your Azure environment. With security at the forefront of everyone’s minds, we thought we’d share a rundown of what Jeff covered.
Microsoft invests over $1 billion per year in cybersecurity and has a global team of over 3,500 cybersecurity experts working to protect and secure the physical data centres and Microsoft Cloud environments. The Microsoft cloud is built on a secure foundation consisting of physical security, operational security and the global cloud infrastructure that runs the Microsoft Cloud services.
Microsoft has some of the world’s best physical security, providing secured data centre buildings and, within those buildings, secure server environments which run the cloud systems. All access to buildings and systems is fully audited and logged and operates under the most restrictive access model.
Operational security is continually tested by Microsoft to make sure that new vulnerabilities are found before they can be exploited. You may have heard of the Microsoft red and blue security teams? The red team is tasked with attacking Microsoft production resources and the blue team is tasked with detecting and preventing those attacks. This is ongoing work to constantly secure the environment you are working in.
Microsoft also analyses billions of data points every month from sources such as cloud authentications, scanned emails and web pages. The output of all of this feeds Microsoft’s Intelligent Security Graph, which is then utilised across the environment to add additional protection to cloud services.
So Microsoft has a massive ongoing security investment, but it is down to you, the customer, to secure the resources you deploy on the platform. Let’s have a look at some of the options we have to do this…
Identity, Access and Governance
Jeff then went on to discuss the best practices for Identity, Access and Governance:
- It is generally best practice to sync on-premises Active Directory to Azure Active Directory using AAD Connect. You can then use Azure Active Directory as a single identity source across your Azure subscriptions.
- It may sound obvious, but only allow access to the Azure portal for the specific users that need it. If they don’t need access for their role, don’t give it to them.
- Enable MFA for users that have access to the portal for an additional level of security, and configure conditional access policies as required.
- Privileged Identity Management (PIM) is also available, which requires users to request Just-In-Time (JIT) access for privileged permissions in Azure Active Directory and Azure roles. To use this, you require Azure AD P2, EMS or Microsoft 365 E5.
- Identify the different user groups and duties within teams, such as support, and then use security groups to apply permissions for those specific roles at Management Group or Resource Group level. This allows you to manage effectively who has access to what.
- Azure Policy has a large number of pre-configured policies which audit or prevent certain deployments or configurations within the Azure environment. For example, you can prevent resources from being deployed in particular regions, or audit storage accounts which allow access from all networks. You also have the ability to create custom policies.
- Use Azure Blueprints to deploy Resource Groups, RBAC roles, ARM templates and policies in a repeatable manner – allowing you to speed up processes moving forward.
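As an added example (not from the talk), here is a custom Azure Policy definition of the kind described above: it flags storage accounts whose network default action is not Deny, i.e. accounts still reachable from all networks. The effect is a parameter so the same definition can be assigned as Audit first and switched to Deny once compliant; the display name and description are illustrative, and `notEquals` rather than `equals Allow` is used so that accounts created without any `networkAcls` block (which default to Allow) are also caught.

```json
{
  "properties": {
    "displayName": "Storage accounts should not allow access from all networks",
    "policyType": "Custom",
    "mode": "Indexed",
    "description": "Example definition, not a built-in. Flags storage accounts whose network default action is not Deny; notEquals also matches accounts with no networkAcls block, which default to Allow.",
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Effect",
          "description": "Audit reports non-compliant accounts; Deny blocks their deployment"
        },
        "allowedValues": [ "Audit", "Deny", "Disabled" ],
        "defaultValue": "Audit"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Storage/storageAccounts"
          },
          {
            "field": "Microsoft.Storage/storageAccounts/networkAcls.defaultAction",
            "notEquals": "Deny"
          }
        ]
      },
      "then": {
        "effect": "[parameters('effect')]"
      }
    }
  }
}
```

Assign it at Management Group scope so every subscription beneath inherits the check, and review the compliance results before moving the effect from Audit to Deny.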
Azure Network Security
Azure Network Security is the process of protecting resources from unauthorized access or attack and applying controls to network traffic. The aim of Azure Network Security is to ensure only legitimate traffic is coming through. Jeff presented some of the options available to secure your Azure network.
Storage, Data and Encryption
Encryption at rest is enabled by default for Azure storage, such as storage accounts and virtual machine disks, using encryption keys managed by Microsoft.
For additional security of Azure VM disks, you can encrypt the disks using BitLocker for Windows or dm-crypt for Linux machines. You encrypt the disks using an encryption key which you then store in Azure Key Vault. These keys can then only be accessed by you and not by Microsoft.
Azure SQL Database, Managed Instance and SQL Data Warehouse databases are encrypted with Transparent Data Encryption (TDE) by default.
With the general move towards DevOps methodologies for deploying applications and infrastructure, it is very important to be careful about what goes into your code.
Beware of placing credentials, secrets or SAS tokens in code stored in repositories. Public code repositories are trawled by bots harvesting exactly this information!
Instead, use Azure Key Vault to store keys, certificates and passwords, and make sure it is secured appropriately. These secrets can then be referenced programmatically directly from Key Vault at deployment time.
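To illustrate that Key Vault reference, here is an added example (not from the talk) of an ARM template parameter file that pulls a VM administrator password from Key Vault at deployment time instead of embedding it in source control. It assumes the template declares an `adminPassword` parameter of type `securestring`, that a secret named `vm-admin-password` exists in the vault, and that the vault has `enabledForTemplateDeployment` set to true; the angle-bracketed path segments are placeholders for your own IDs.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "adminPassword": {
      "reference": {
        "keyVault": {
          "id": "/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.KeyVault/vaults/<vault-name>"
        },
        "secretName": "vm-admin-password"
      }
    }
  }
}
```

Only the vault resource ID and the secret name end up in the repository; the secret value is fetched by Azure Resource Manager during deployment, so the identity running the deployment needs access to the vault but the value never appears in the template, the parameter file or the deployment history.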
Azure Kubernetes Service Security
Jeff introduced Azure Kubernetes Service (AKS) and the importance of keeping AKS deployments secure. More businesses are taking an interest in Azure Kubernetes Service and container technology and have been exploring their capabilities.
Azure Kubernetes Service is Microsoft’s fastest growing Azure technology. Ever.
It’s important to make sure that your AKS environment is secured appropriately. By default, the Kubernetes API server is published on a public IP address. The API server is the single entry point for every request to perform actions within the cluster, so it is important to secure access to it. Azure Active Directory authentication can be integrated with your AKS cluster to provide the same central source of identity. Role-based access control and groups can then be created to assign permissions to the AKS cluster or to specific namespaces – ensuring people have the access they need.
By default, traffic can flow freely between pods within Kubernetes – consider using network policies to restrict this traffic by referencing labels or namespaces. Use Kubernetes secrets to store sensitive information such as DB connection strings or passwords; secrets can then be referenced at deployment time without putting plain text in manifest files. Updates to Kubernetes are frequent and bring constant improvements to security and functionality, so it is best practice to regularly update the nodes in your cluster as newer versions are released.
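As an added example (not from the talk), the two pod-level controls above combined in one manifest, written as JSON, which `kubectl apply -f` accepts as readily as YAML: a NetworkPolicy that only lets pods labelled `app: frontend` in the same namespace, plus any pod in a namespace labelled `purpose: monitoring`, reach the `app: api` pods on TCP 8080, and a Pod that reads its database connection string from a Secret named `api-db` rather than from the manifest. The namespace, labels, image and secret names are my own; the Secret is assumed to have been created separately (for example with `kubectl create secret generic api-db --from-literal=connection-string=...`), and the cluster must have a network policy engine enabled, otherwise the policy object is accepted but not enforced.

```json
{
  "apiVersion": "v1",
  "kind": "List",
  "items": [
    {
      "apiVersion": "networking.k8s.io/v1",
      "kind": "NetworkPolicy",
      "metadata": {
        "name": "api-allow-frontend-and-monitoring",
        "namespace": "shop",
        "annotations": { "note": "example manifest; names and labels are illustrative" }
      },
      "spec": {
        "podSelector": { "matchLabels": { "app": "api" } },
        "policyTypes": [ "Ingress" ],
        "ingress": [
          {
            "from": [
              { "podSelector": { "matchLabels": { "app": "frontend" } } },
              { "namespaceSelector": { "matchLabels": { "purpose": "monitoring" } } }
            ],
            "ports": [ { "protocol": "TCP", "port": 8080 } ]
          }
        ]
      }
    },
    {
      "apiVersion": "v1",
      "kind": "Pod",
      "metadata": { "name": "api", "namespace": "shop", "labels": { "app": "api" } },
      "spec": {
        "containers": [
          {
            "name": "api",
            "image": "<your-registry>/api:1.0",
            "ports": [ { "containerPort": 8080 } ],
            "env": [
              {
                "name": "DB_CONNECTION_STRING",
                "valueFrom": {
                  "secretKeyRef": { "name": "api-db", "key": "connection-string" }
                }
              }
            ]
          }
        ]
      }
    }
  ]
}
```

Once a pod is selected by any NetworkPolicy, all ingress not explicitly allowed is dropped, so the two `from` entries (which are OR’d) become the complete list of who may talk to the API pods; the `podSelector` entry only matches pods in the `shop` namespace.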
Azure Sentinel
Azure Sentinel is a security information and event management (SIEM) and security orchestration, automation and response (SOAR) product which is currently running in public preview. Sentinel collects data from a variety of sources in the Microsoft Cloud, other clouds and on-premises through agents and data connectors.
Sentinel allows:
- The collection of security data at scale
- Detection and investigation of threats using Microsoft’s analytics and AI technologies
- Rapid response to incidents with built-in orchestration and automation
It is important to note that Sentinel is not a replacement for Security Center; it is an additional product that expands the security of your cloud and on-premises environments and enables you to detect and respond to security threats and anomalies.
If you would like to find out more about how you can start utilising the tools available to Secure your Azure Environment, simply get in contact with our experts today.