Few Azure Cloud Best Practices to Keep Your Cloud Secure

This article describes security best practices for the Azure cloud. These recommendations are not limited to Azure; they also apply to other cloud platforms such as AWS or GCP. The best practices are based on Azure recommendations as well as my experience with Azure. Azure has a set of best practices designed to help protect your workloads from constantly evolving threats. This blog shares the most important security best practices to help protect your resources.

Also refer to the KB articles below for additional resource-specific best practices and recommendations:
==>> Azure Virtual Machine Recommendations and best practices
==>> Azure Storage Account – Best Practices and Microsoft Recommendations
==>> Azure KeyVault – Best Practices and Microsoft Recommendations
==>> Azure Log Analytics – Best Practices and Microsoft Recommendations
There are 3 different SQL options available in Azure, and each option has its own recommendations:
1> Azure SQL DB – Best Practices and Microsoft Recommendations
2> Azure SQL MI – Best Practices and Microsoft Recommendations
3> SQL on Azure VM (IAAS) – Best Practices and Microsoft Recommendations
==>> Overall Azure cloud best practices to Keep Your Cloud Secure
1. Use Microsoft Defender for Cloud for Azure resources (formerly known as Azure Security Center)
Microsoft Defender for Cloud is a suite of tools that provides protection, monitoring and management for in-cloud workloads across Azure resources (including servers/VMs, Storage, SQL, Containers, App Service, Key Vault, DNS, Cosmos DB and DevOps). You can use it to detect and investigate security issues, apply countermeasures, and create custom alerts.

Designed to protect multi-cloud and hybrid environments, Microsoft Defender for Cloud improves the security posture of cloud resources with features such as workload protection and vulnerability detection. It also suggests changes to protect your Azure resources. The Defender plans available include:
- Microsoft Defender for Servers
- Microsoft Defender for Storage
- Microsoft Defender for SQL
- Microsoft Defender for Containers
- Microsoft Defender for App Service
- Microsoft Defender for Key Vault
- Microsoft Defender for Resource Manager
- Microsoft Defender for DNS
- Microsoft Defender for open-source relational databases
- Microsoft Defender for Azure Cosmos DB
- Defender Cloud Security Posture Management (CSPM)
- Defender for DevOps
2. Enable Encryption with Customer-Managed Keys
Azure gives you the option to encrypt your data at rest using Azure Service Encryption, which uses 256-bit Advanced Encryption Standard (AES) encryption. Azure Storage encrypts all data in a storage account at rest. By default, data is encrypted with Microsoft-managed keys, but you can select your own key to gain additional control over the encryption keys. Customer-managed keys must be stored in Azure Key Vault or Key Vault Managed HSM (Hardware Security Module).
Make sure you are encrypting all data in the storage account, including the managed disks attached to VMs.
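A quick way to verify the customer-managed key recommendation across many storage accounts is to audit the encryption block that `az storage account show --output json` returns. The script below is an added example, not code from the original post or from Microsoft; the three accounts, key name and vault URI are constructed sample data. It flags accounts still on the platform-managed key (`keySource` of `Microsoft.Storage`), accounts that claim a Key Vault key but have no key/vault configured, non-HTTPS vault URIs, and blob/file services whose encryption is not enabled.

```python
"""Audit storage-account encryption settings for customer-managed keys (CMK).

Input records mirror the `name` and `encryption` fields of
`az storage account show --output json`. The accounts below are
constructed sample data, not real accounts.
"""
from typing import Dict, List

# Constructed sample: one compliant account, one on Microsoft-managed keys,
# one that selected Key Vault but never configured a key.
SAMPLE_ACCOUNTS: List[Dict] = [
    {
        "name": "stprodcmk",
        "encryption": {
            "keySource": "Microsoft.Keyvault",
            "keyVaultProperties": {
                "keyName": "storage-cmk",  # hypothetical key name
                "keyVaultUri": "https://kv-prod-example.vault.azure.net/",
            },
            "services": {"blob": {"enabled": True}, "file": {"enabled": True}},
        },
    },
    {
        "name": "stdevdefault",
        "encryption": {
            "keySource": "Microsoft.Storage",  # platform-managed key (the default)
            "keyVaultProperties": None,
            "services": {"blob": {"enabled": True}, "file": {"enabled": True}},
        },
    },
    {
        "name": "stbrokencmk",
        "encryption": {
            "keySource": "Microsoft.Keyvault",
            "keyVaultProperties": {"keyName": "", "keyVaultUri": ""},
            "services": {"blob": {"enabled": True}, "file": {"enabled": True}},
        },
    },
]


def audit_account(account: Dict) -> List[str]:
    """Return the list of findings for one account (empty means it passes)."""
    findings: List[str] = []
    enc = account.get("encryption") or {}

    if enc.get("keySource") != "Microsoft.Keyvault":
        findings.append("not using a customer-managed key (keySource is "
                        f"{enc.get('keySource')!r})")
    else:
        kv = enc.get("keyVaultProperties") or {}
        if not kv.get("keyName") or not kv.get("keyVaultUri"):
            findings.append("keySource is Microsoft.Keyvault but no key name/vault URI is set")
        elif not kv["keyVaultUri"].startswith("https://"):
            findings.append("key vault URI is not HTTPS")

    # Blob and file data must both be covered by the account encryption.
    services = enc.get("services") or {}
    for svc in ("blob", "file"):
        if not (services.get(svc) or {}).get("enabled"):
            findings.append(f"{svc} service encryption is not enabled")
    return findings


def audit_accounts(accounts: List[Dict]) -> Dict[str, List[str]]:
    """Map account name -> findings, listing only accounts with findings."""
    result: Dict[str, List[str]] = {}
    for acct in accounts:
        findings = audit_account(acct)
        if findings:
            result[acct["name"]] = findings
    return result


if __name__ == "__main__":
    for name, findings in audit_accounts(SAMPLE_ACCOUNTS).items():
        for finding in findings:
            print(f"{name}: {finding}")
```

To run this against a real subscription, feed it the JSON from `az storage account list` (each element carries the same `encryption` block) instead of `SAMPLE_ACCOUNTS`.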
3. Use Multi-Factor Authentication (MFA)
MFA adds an extra layer of security by requiring users to supply two sources of authentication to access a system. Basics like complex passwords combined with multi-factor authentication turn a simple authentication process into a strong and secure one. All users, including Azure Active Directory admin accounts, must have multi-factor authentication enabled, with the exception of break-glass accounts.
4. Restrict Administrator Access Using a ‘Least Access’ Approach
Accounts with broad access, such as Global Administrator in Azure Active Directory or Owner on a subscription, carry a high risk. You should check accounts with administrative privileges at regular intervals.
Azure Active Directory roles/permissions: block or remove all unnecessary access for these accounts and use Privileged Identity Management (PIM), which helps manage, analyze and control Azure Active Directory roles/permissions in your organization. With PIM, users have to go through an activation process that grants administrator rights for a limited time.
Azure resource roles/permissions with RBAC: in Azure, you can restrict administrator access using role-based access control (RBAC), a feature that lets you assign granular permissions to users, groups, and applications. You can create custom roles with only the permissions needed for a given task (e.g., an Application Developer role with app deployment permissions, an App Admin role with read/write permission on all resources the application needs, a Key Admin role with Key Vault key permissions, and so on). The scope of an RBAC assignment should follow organizational needs: if the billing team needs to manage billing for all Azure resources, give them a billing management custom role at the management group level so the permission flows down to every subscription under that management group; if an application team needs permissions for its own app resources, assign a custom role at the resource group or subscription level where those application resources live.
5. Identity and Access Reviews (IAM review)
When a user accesses data or resources, IAM starts with authentication, the process of verifying credentials/identity; MFA makes this step stronger. Once authenticated, a user needs authorization to access specific resources. IAM ensures that only appropriate identities (users, software, machines) can access your data, which is why it is very important to review IAM regularly.
It is important to periodically review and adjust these permissions and ensure that they align with an individual's current job responsibilities. Also review guest users and make sure they do not hold high-level permissions at a higher scope such as a management group.
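The two review points above (least-privilege RBAC scoping in section 4 and the guest-user check in section 5) can be turned into one periodic script over the output of `az role assignment list --all --output json`. This is an added example, not code from the original post; the assignments, the "Billing Management (custom)" role name and the subscription and management group ids are constructed sample data, and the set of roles treated as privileged is an assumption you should adjust to your environment. It flags built-in privileged roles held at management group or subscription scope, and guest principals (B2B UPNs carry the `#EXT#` marker) holding privileged roles or any role at a broad scope.

```python
"""Review Azure RBAC assignments for over-broad and guest privileged access.

Records mirror `az role assignment list --all --output json`; only principalName,
principalType, roleDefinitionName and scope are used. All assignments below are
constructed sample data.
"""
import re
from typing import Dict, List

# Built-in roles that grant write or permission-management rights; assumed list.
PRIVILEGED_ROLES = {"Owner", "Contributor", "User Access Administrator"}

SAMPLE_ASSIGNMENTS: List[Dict] = [
    {"principalName": "alice@contoso.example", "principalType": "User",
     "roleDefinitionName": "Owner",
     "scope": "/providers/Microsoft.Management/managementGroups/mg-root"},
    {"principalName": "billing-team", "principalType": "Group",
     "roleDefinitionName": "Billing Management (custom)",  # hypothetical custom role
     "scope": "/providers/Microsoft.Management/managementGroups/mg-root"},
    {"principalName": "bob_partner.example#EXT#@contoso.onmicrosoft.com",
     "principalType": "User", "roleDefinitionName": "Contributor",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000001"},
    {"principalName": "app-team", "principalType": "Group",
     "roleDefinitionName": "Contributor",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/rg-app"},
    {"principalName": "carol@contoso.example", "principalType": "User",
     "roleDefinitionName": "Reader",
     "scope": "/subscriptions/00000000-0000-0000-0000-000000000001"},
]


def scope_level(scope: str) -> str:
    """Classify an ARM scope: managementGroup, subscription, resourceGroup or resource."""
    if scope.startswith("/providers/Microsoft.Management/managementGroups/"):
        return "managementGroup"
    if re.fullmatch(r"/subscriptions/[^/]+", scope):
        return "subscription"
    if re.fullmatch(r"/subscriptions/[^/]+/resourceGroups/[^/]+", scope, re.IGNORECASE):
        return "resourceGroup"
    return "resource"


def is_guest(principal_name: str) -> bool:
    """Azure AD B2B guest user principal names contain the '#EXT#' marker."""
    return "#EXT#" in principal_name


def review_assignments(assignments: List[Dict]) -> List[Dict]:
    """Return one finding per problem: {'principal': ..., 'issue': ...}."""
    findings: List[Dict] = []
    for a in assignments:
        level = scope_level(a["scope"])
        role = a["roleDefinitionName"]
        principal = a["principalName"]
        broad = level in ("managementGroup", "subscription")

        # Privileged built-in role at a broad scope: prefer a custom role or a narrower scope.
        if role in PRIVILEGED_ROLES and broad:
            findings.append({"principal": principal,
                             "issue": f"{role} at {level} scope; prefer a custom role or a narrower scope"})
        # Guest users should not hold privileged roles or sit at management group/subscription scope.
        if is_guest(principal) and (role in PRIVILEGED_ROLES or broad):
            findings.append({"principal": principal,
                             "issue": f"guest user holds {role} at {level} scope"})
    return findings


if __name__ == "__main__":
    for f in review_assignments(SAMPLE_ASSIGNMENTS):
        print(f"{f['principal']}: {f['issue']}")
```

The billing group passes because its custom role is scoped exactly as the text recommends (management group level, limited permissions), while the application team's Contributor assignment passes because it sits at resource group scope.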
6. Protect Sensitive Data
Data classification helps you understand the value of your data and how it should be protected. You should classify data based on its sensitivity, value, and how it’s being used. This will help you determine which security controls to put in place.
Sensitive data should always be encrypted, both at rest and in transit. Sensitive data should not be publicly accessible and should always be protected by limiting/restricting RBAC. Make sure you have a complete understanding of your most critical data (what it is, where it lives, and who has access to it) so you can implement the most appropriate level of protection.
7. Azure Network Security Best Practices
Systems and resources that are accessed directly from the Internet are more exposed to security threats. It is therefore important to protect these resources, since a compromised Internet-facing resource can become a threat to other resources.
In Azure, Network Security Groups (NSGs) are used to restrict access from all networks except for a few essential access points. You can also use Application Security Groups to group all application-specific resources and then reference the group in an NSG rule. NSGs can be applied at the network interface level, the subnet level, or both, depending on the needs of the organization. Also, send traffic that is leaving to or coming from the Internet through a firewall. A firewall will save your day in case of an accidental NSG misconfiguration.
All open ports should be properly restricted and locked down to minimize unauthorized access. By default, you should always block ports 22, 3389, 5985, 5986 and 445 from the Internet, as these are the ports most commonly involved in attacks. You can allow RDP/SSH within the intranet but block it from the Internet using Azure Policy.
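Because NSG rules are evaluated in priority order with the first match winning, a rule list has to be walked in that order to know whether one of the five ports above is actually reachable from the Internet; a `Deny` at priority 110 silently beats an `Allow` at 200. The following is an added example, not code from the original post or from Microsoft: it takes rules in the shape returned by `az network nsg rule list --output json` (the rule set itself is constructed) and reports which sensitive ports an Internet-wide source can reach.

```python
"""Report which sensitive management ports an NSG leaves open to the Internet.

Rules mirror the fields of `az network nsg rule list --output json`. Azure evaluates
inbound rules by ascending priority and the first matching rule decides. The rule
set below is constructed sample data, not a real NSG.
"""
from typing import Dict, List, Tuple

SENSITIVE_PORTS = {22, 3389, 5985, 5986, 445}      # SSH, RDP, WinRM HTTP/HTTPS, SMB
INTERNET_SOURCES = {"*", "Internet", "0.0.0.0/0"}  # source prefixes covering the whole Internet

SAMPLE_RULES: List[Dict] = [
    {"name": "AllowRdpFromCorp", "priority": 100, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "10.0.0.0/8", "destinationPortRange": "3389"},
    {"name": "DenySshFromInternet", "priority": 110, "direction": "Inbound", "access": "Deny",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "22"},
    {"name": "AllowMgmtAny", "priority": 200, "direction": "Inbound", "access": "Allow",
     "protocol": "*", "sourceAddressPrefix": "*",
     "destinationPortRanges": ["22", "3389", "5985-5986"]},
    {"name": "AllowHttps", "priority": 300, "direction": "Inbound", "access": "Allow",
     "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "443"},
    {"name": "DenyAllInBound", "priority": 65500, "direction": "Inbound", "access": "Deny",
     "protocol": "*", "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]


def port_ranges(rule: Dict) -> List[Tuple[int, int]]:
    """Expand destinationPortRange / destinationPortRanges into (low, high) tuples."""
    raw = list(rule.get("destinationPortRanges") or [])
    if rule.get("destinationPortRange"):
        raw.append(rule["destinationPortRange"])
    ranges = []
    for item in raw:
        if item == "*":
            ranges.append((0, 65535))
        elif "-" in item:
            low, high = item.split("-", 1)
            ranges.append((int(low), int(high)))
        else:
            ranges.append((int(item), int(item)))
    return ranges


def port_matches(rule: Dict, port: int) -> bool:
    return any(low <= port <= high for low, high in port_ranges(rule))


def source_prefixes(rule: Dict) -> List[str]:
    prefixes = list(rule.get("sourceAddressPrefixes") or [])
    if rule.get("sourceAddressPrefix"):
        prefixes.append(rule["sourceAddressPrefix"])
    return prefixes


def internet_exposed_ports(rules: List[Dict]) -> Dict[int, str]:
    """Return {port: name of the Allow rule} for sensitive TCP ports reachable from any Internet source.

    Only rules whose source covers the whole Internet are considered to decide such
    traffic; a rule scoped to a private range or a single public address is skipped.
    """
    inbound = sorted((r for r in rules if r["direction"] == "Inbound"),
                     key=lambda r: r["priority"])
    exposed: Dict[int, str] = {}
    for port in sorted(SENSITIVE_PORTS):
        for rule in inbound:
            if not port_matches(rule, port):
                continue
            if rule.get("protocol", "*") not in ("*", "Tcp"):  # all five services are TCP
                continue
            if not any(p in INTERNET_SOURCES for p in source_prefixes(rule)):
                continue
            if rule["access"] == "Allow":
                exposed[port] = rule["name"]
            break  # first matching rule, Allow or Deny, ends evaluation for this port
    return exposed


if __name__ == "__main__":
    for port, rule_name in internet_exposed_ports(SAMPLE_RULES).items():
        print(f"port {port} is open to the Internet via rule {rule_name}")
```

In the sample, SSH is protected by the explicit deny at priority 110, but the catch-all "AllowMgmtAny" rule at priority 200 still exposes RDP and both WinRM ports, exactly the kind of misconfiguration the text warns about.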
8. Use Key Management
All confidential information such as passwords, app secrets, storage keys and SQL connection strings should be encrypted and stored in a safe place. Azure Key Vault lets you store encryption keys and secrets safely, backed by HSMs (Hardware Security Modules). For additional threat detection, monitor key usage by sending Key Vault logs to Azure (Log Analytics) or a Security Information and Event Management (SIEM) system.
Additionally, make sure that all secrets and keys are rotated periodically to prevent misuse or loss of keys.
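Rotation is easy to state and easy to forget, so it helps to have a check that reads the `attributes` block `az keyvault secret list --output json` returns for every secret and reports the ones with no expiry, an expiry already in the past, or an `updated` timestamp older than your rotation window. The script below is an added example, not code from the original post or from Microsoft; the secrets and the fixed reference time are constructed, and the 90-day window is an assumed policy, not an Azure default.

```python
"""Flag Key Vault secrets that lack an expiry, have expired, or have not been rotated.

Records mirror the `name` and `attributes` fields of
`az keyvault secret list --output json` (timestamps are ISO 8601 with offset).
The secrets and NOW below are constructed sample data; MAX_AGE_DAYS is an
assumed rotation policy.
"""
from datetime import datetime, timezone
from typing import Dict, List, Optional

MAX_AGE_DAYS = 90
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed "current time" for the sample

SAMPLE_SECRETS: List[Dict] = [
    {"name": "sql-conn-string",
     "attributes": {"enabled": True, "created": "2024-01-10T09:00:00+00:00",
                    "updated": "2024-05-01T09:00:00+00:00", "expires": "2024-08-01T00:00:00+00:00"}},
    {"name": "storage-key",
     "attributes": {"enabled": True, "created": "2023-02-01T09:00:00+00:00",
                    "updated": "2023-02-01T09:00:00+00:00", "expires": None}},
    {"name": "app-secret",
     "attributes": {"enabled": True, "created": "2024-04-01T09:00:00+00:00",
                    "updated": "2024-04-01T09:00:00+00:00", "expires": "2024-05-15T00:00:00+00:00"}},
]


def parse_ts(value: Optional[str]) -> Optional[datetime]:
    """Parse an ISO 8601 timestamp with UTC offset, or return None when absent."""
    return datetime.fromisoformat(value) if value else None


def audit_secret(secret: Dict, now: datetime = NOW) -> List[str]:
    """Return findings for one secret; an empty list means it passes."""
    attrs = secret["attributes"]
    findings: List[str] = []
    if not attrs.get("enabled", True):
        return findings  # a disabled secret cannot be used, so there is nothing to rotate

    expires = parse_ts(attrs.get("expires"))
    if expires is None:
        findings.append("no expiration date set")
    elif expires <= now:
        findings.append(f"expired on {expires.date()}")

    # 'updated' changes on every new version, so it is the best proxy for last rotation.
    last_rotated = parse_ts(attrs.get("updated")) or parse_ts(attrs.get("created"))
    if last_rotated is not None:
        age_days = (now - last_rotated).days
        if age_days > MAX_AGE_DAYS:
            findings.append(f"last rotated {age_days} days ago (limit {MAX_AGE_DAYS})")
    return findings


def audit_secrets(secrets: List[Dict], now: datetime = NOW) -> Dict[str, List[str]]:
    """Map secret name -> findings, listing only secrets with findings."""
    return {s["name"]: f for s in secrets if (f := audit_secret(s, now))}


if __name__ == "__main__":
    for name, findings in audit_secrets(SAMPLE_SECRETS).items():
        for finding in findings:
            print(f"{name}: {finding}")
```

The same logic applies to keys (`az keyvault key list`), whose `attributes` block has the same `enabled`, `updated` and `expires` fields.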
9. Disable public access for Azure resources and avoid Management over Internet
Historically, I have seen a high number of Azure VMs, including production workloads, that had public IPs and their management ports (RDP/SSH) open for management purposes. Some customers were using an NSG, but that is only the last barrier that can protect the management port. Please avoid using public IP addresses for management purposes on Azure VMs. Attackers can find public IPs with an open RDP/SSH port (via tools like port scanners), and the VM will then be directly reachable from the entire Internet, including hackers, script kiddies and so on.
Additionally it is recommended to disable public access to all Azure resources like key vault, storage account etc. and start using private endpoint to access the resources.
10. Secure Ingress and Egress for Azure resources
Secure Ingress: do not expose application resources directly to the Internet. Whenever an application hosted in Azure needs to be accessible over the Internet, traffic must go through a web application firewall (WAF) on Application Gateway, then through the firewall to the application load balancer, and only then to your application frontend.
Azure Web Application Firewall (WAF) is built on top of the Application Gateway service and protects against the attacks covered by the OWASP 3.0 rule set. You can reduce the chances of attack by reducing the exposure of your components on the public Internet. Use a geolocation filter in Azure Traffic Manager (ATM) to lock down your web app if it does not need to be accessed internationally: define policies on your ATM to accept only the expected traffic and block unwanted or international traffic. Finally, configure your Web Application Firewall to accept traffic only from Azure Traffic Manager (ATM).
Secure Egress: egress (from application resources to the Internet) should be limited to the required destinations only, and it should always go through the firewall. Use a user-defined route (UDR) on the application subnet to route all Internet-bound traffic (0.0.0.0/0) to the firewall, then define rules on the firewall so that resources do not get unrestricted access to the Internet.
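The egress control above depends on every application subnet having a route table whose 0.0.0.0/0 entry points at the firewall; a subnet with no UDR falls back to the Azure system route that sends Internet traffic straight out. The check below is an added example, not code from the original post or from Microsoft: it takes routes in the shape of `az network route-table route list --output json`, with a constructed firewall private IP and constructed subnet-to-route-table mapping, and reports subnets whose default route does not go through the firewall.

```python
"""Verify that application subnets force Internet-bound traffic through the firewall.

Route entries mirror `az network route-table route list --output json`
(addressPrefix, nextHopType, nextHopIpAddress). The firewall IP, route tables
and subnet mapping below are constructed sample data.
"""
from typing import Dict, List, Optional

FIREWALL_PRIVATE_IP = "10.0.1.4"  # hypothetical Azure Firewall private IP in the hub VNet

SAMPLE_ROUTE_TABLES: Dict[str, List[Dict]] = {
    "rt-app": [{"name": "default-to-fw", "addressPrefix": "0.0.0.0/0",
                "nextHopType": "VirtualAppliance", "nextHopIpAddress": "10.0.1.4"}],
    "rt-legacy": [{"name": "default-internet", "addressPrefix": "0.0.0.0/0",
                   "nextHopType": "Internet", "nextHopIpAddress": None}],
    "rt-old-nva": [{"name": "default-to-old-nva", "addressPrefix": "0.0.0.0/0",
                    "nextHopType": "VirtualAppliance", "nextHopIpAddress": "10.0.9.9"}],
    "rt-no-default": [{"name": "to-onprem", "addressPrefix": "192.168.0.0/16",
                       "nextHopType": "VirtualNetworkGateway", "nextHopIpAddress": None}],
}

SAMPLE_SUBNETS: List[Dict] = [
    {"name": "snet-app", "routeTable": "rt-app"},
    {"name": "snet-legacy", "routeTable": "rt-legacy"},
    {"name": "snet-nva", "routeTable": "rt-old-nva"},
    {"name": "snet-partial", "routeTable": "rt-no-default"},
    {"name": "snet-none", "routeTable": None},  # no UDR attached at all
]

NO_DEFAULT_ROUTE = "no 0.0.0.0/0 route; the system route sends Internet traffic directly out"


def check_default_route(routes: List[Dict]) -> Optional[str]:
    """Return a problem description for a route table, or None if egress goes via the firewall."""
    default = [r for r in routes if r["addressPrefix"] == "0.0.0.0/0"]
    if not default:
        return NO_DEFAULT_ROUTE
    route = default[0]
    if route["nextHopType"] != "VirtualAppliance":
        return f"0.0.0.0/0 next hop is {route['nextHopType']}, not the firewall"
    if route.get("nextHopIpAddress") != FIREWALL_PRIVATE_IP:
        return (f"0.0.0.0/0 points at {route.get('nextHopIpAddress')}, "
                f"not the firewall {FIREWALL_PRIVATE_IP}")
    return None


def audit_subnets(subnets: List[Dict], route_tables: Dict[str, List[Dict]]) -> Dict[str, str]:
    """Map subnet name -> problem for every subnet whose egress bypasses the firewall."""
    findings: Dict[str, str] = {}
    for subnet in subnets:
        table_name = subnet.get("routeTable")
        if table_name is None:
            findings[subnet["name"]] = "no route table attached; " + NO_DEFAULT_ROUTE
            continue
        problem = check_default_route(route_tables[table_name])
        if problem:
            findings[subnet["name"]] = problem
    return findings


if __name__ == "__main__":
    for name, problem in audit_subnets(SAMPLE_SUBNETS, SAMPLE_ROUTE_TABLES).items():
        print(f"{name}: {problem}")
```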
11. Monitor Activity Log Alerts
It is recommended to enable diagnostics on all Azure resources and keep all logs in a central SIEM store for a longer retention period.
Activity logs are important for finding threats that may have occurred in the system. Any unknown event can lead to serious issues, so it is better to identify it early. Create activity log alerts that notify you about security-relevant changes. The following cases are important for your safety, and it is best to create an alert on each of them:
- Changes or modifications in Security Solution and Security Policy and Policy Assignment.
- Any changes or modifications in Express route circuits, Virtual network, Network Security Group, NSG rules including deletion.
- Any changes or modifications in Firewall and rules.
- Any changes to Hub subscription or Vnet where you have all shared services and network connectivity.
- Any changes to shared service resources like DNS, ADDS, WSUS, Antivirus.
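The alert cases above map onto activity-log operation names of the form `Microsoft.Provider/resourceType/write` or `.../delete`. The script below is an added example, not code from the original post or from Microsoft: it runs a small watchlist over events in a simplified activity-log shape (`operationName` as that string, plus `status`, `caller`, `resourceId`, `eventTimestamp`), treating anything in a designated hub subscription as alert-worthy as well. The hub subscription id and all events are constructed sample data; the same matching can be expressed as activity-log alert rules in Azure Monitor or as a query in your SIEM.

```python
"""Match Azure activity-log events against the alert cases for security and network changes.

Events use a simplified activity-log shape: operationName as the
'Microsoft.Provider/resourceType/action' string, plus status, caller, resourceId
and eventTimestamp. The hub subscription id and all events are constructed sample data.
"""
import re
from typing import Dict, List

HUB_SUBSCRIPTION = "/subscriptions/00000000-0000-0000-0000-0000000000aa"  # hypothetical hub

# (reason label, pattern over the lower-cased operation name)
WATCHLIST = [
    ("security policy/solution change",
     re.compile(r"^microsoft\.security/(policies|securitysolutions)(/[a-z]+)*/(write|delete)$")),
    ("policy assignment change",
     re.compile(r"^microsoft\.authorization/policyassignments/(write|delete)$")),
    ("network change (ExpressRoute/VNet/NSG/Firewall)",
     re.compile(r"^microsoft\.network/(expressroutecircuits|virtualnetworks|networksecuritygroups"
                r"|azurefirewalls|firewallpolicies)(/[a-z]+)*/(write|delete)$")),
    ("shared DNS change",
     re.compile(r"^microsoft\.network/(dnszones|privatednszones)(/[a-z]+)*/(write|delete)$")),
]

APP_SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
SAMPLE_EVENTS: List[Dict] = [
    {"eventTimestamp": "2024-06-01T10:15:00Z", "caller": "alice@contoso.example", "status": "Succeeded",
     "operationName": "Microsoft.Network/networkSecurityGroups/securityRules/write",
     "resourceId": APP_SUB + "/resourceGroups/rg-app/providers/Microsoft.Network/networkSecurityGroups/nsg-app/securityRules/AllowMgmtAny"},
    {"eventTimestamp": "2024-06-01T10:20:00Z", "caller": "bob@contoso.example", "status": "Succeeded",
     "operationName": "Microsoft.Compute/virtualMachines/start/action",
     "resourceId": APP_SUB + "/resourceGroups/rg-app/providers/Microsoft.Compute/virtualMachines/vm-web-1"},
    {"eventTimestamp": "2024-06-01T10:25:00Z", "caller": "alice@contoso.example", "status": "Succeeded",
     "operationName": "Microsoft.Authorization/policyAssignments/delete",
     "resourceId": APP_SUB + "/providers/Microsoft.Authorization/policyAssignments/deny-public-ip"},
    {"eventTimestamp": "2024-06-01T10:30:00Z", "caller": "netops@contoso.example", "status": "Succeeded",
     "operationName": "Microsoft.Network/azureFirewalls/write",
     "resourceId": HUB_SUBSCRIPTION + "/resourceGroups/rg-hub/providers/Microsoft.Network/azureFirewalls/fw-hub"},
    {"eventTimestamp": "2024-06-01T10:35:00Z", "caller": "carol@contoso.example", "status": "Failed",
     "operationName": "Microsoft.Network/networkSecurityGroups/write",
     "resourceId": APP_SUB + "/resourceGroups/rg-app/providers/Microsoft.Network/networkSecurityGroups/nsg-app"},
    {"eventTimestamp": "2024-06-01T10:40:00Z", "caller": "netops@contoso.example", "status": "Succeeded",
     "operationName": "Microsoft.Network/virtualNetworks/subnets/write",
     "resourceId": APP_SUB + "/resourceGroups/rg-app/providers/Microsoft.Network/virtualNetworks/vnet-app/subnets/snet-app"},
]


def classify(event: Dict) -> List[str]:
    """Return the reasons an event is alert-worthy (empty list means ignore)."""
    op = event["operationName"].lower()
    reasons = [label for label, pattern in WATCHLIST if pattern.match(op)]
    # Any write/delete/action against a resource inside the hub subscription is alert-worthy.
    in_hub = event["resourceId"].lower().startswith(HUB_SUBSCRIPTION.lower() + "/")
    if in_hub and op.endswith(("/write", "/delete", "/action")):
        reasons.append("change inside the hub subscription")
    return reasons


def alerts_for(events: List[Dict]) -> List[Dict]:
    """Filter to completed changes that match the watchlist and attach the matched reasons."""
    alerts: List[Dict] = []
    for event in events:
        if event.get("status") != "Succeeded":  # only completed changes; avoids Started/Failed noise
            continue
        reasons = classify(event)
        if reasons:
            alerts.append({"time": event["eventTimestamp"], "caller": event["caller"],
                           "operation": event["operationName"],
                           "resourceId": event["resourceId"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in alerts_for(SAMPLE_EVENTS):
        print(f"{alert['time']} {alert['caller']} {alert['operation']}: {', '.join(alert['reasons'])}")
```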
12. Cloud resource best practices
There are a few best practices applicable to all cloud-based resources, and it is recommended to implement them when creating resources; you can also use Azure Policy to enforce them at the subscription or management group level.
1> Disable public access and use a private endpoint to access PaaS services (wherever applicable).
2> Enable encryption with a customer-managed key.
3> Enable diagnostic settings to store all logs in central storage.
4> Use Azure Policy to set restrictions or remediate non-compliant resources.
5> Consider HA/DR during application design and implementation.
6> Configure backup for critical Azure resources like VMs, storage accounts and so on.
7> Set least-privilege permissions on each Azure resource and use custom roles for RBAC (wherever applicable).
8> Use Azure Security Center (Defender for Cloud) or Azure Advisor to find resource-specific recommendations and implement them.
13. Prioritize Cloud Security
Cloud-based workloads can be particularly vulnerable to attack because they are often hosted on shared infrastructure and accessible from the public Internet. When you’re monitoring cloud workloads for security issues, you should pay attention to both the host and guest operating systems.