Microsoft Azure is a cloud platform used by many businesses to host data and run applications. However, the popularity of cloud services makes them often a frequent target for cyber attackers. While Azure has a robust infrastructure and OS-level security by default, organizations are responsible for the security of any applications and data they run on the platform. There are many challenges and risks when it comes to cloud security. In this guide, we’ll build on the fundamentals of Azure security by looking at some best practices to protect your endpoints and data in the cloud.
Understanding Azure Security
Azure is a cloud platform and infrastructure provider that maintains numerous data centers and sells computing resources to individuals and organizations. Microsoft manages the data centers, taking care of the hardware and the OS-level security. It uses Azure hypervisors to manage the virtual machines (VMs), which are rented out to users, but the hypervisor isn’t accessible to the public. The host layer runs a hardened version of Windows Server, configured with only the components required to host VMs. Customers are given access to virtual machines running on top of the hypervisor. Each virtual machine is firewalled, and users control which ports are accessible via the firewall. Similar statements can be said for Platform as a Service offering like Azure SQL, Azure Files and more.
Customers are responsible for keeping their accounts secure and for the security of any applications they run on their machines. Microsoft manages the physical and network layers of security and provides tools for perimeter security. Users are responsible for endpoint, application and data security, as well as preventing breaches through phishing or other forms of user error.
Key Security Challenges in Azure
As with other cloud platforms, Azure is often a target for cyber attackers. Some common threats and security challenges include:
- Smishing, phishing and other social engineering attacks (such as those used by threat group UNC3944)
- Denial of Service attacks (such as the recent attacks by Storm-1359)
- Zero-day attacks on software hosted on the platform
- Data breaches/unauthorized access through insecure endpoints
Azure Security Best Practices
Azure security requires a multipronged approach that covers identity and access management, technical threats, intrusion detection, mitigation, and backup and recovery. The details of any security implementation will vary depending on the nature of the services you’re running on the platform. We’ve provided an Azure security best practices checklist to help you plan your security measures.
Below, we’ll explore each of these areas of security in more depth.
Identity and Access Management
Microsoft provides a number of ways to protect your data via identity and account management. Azure Active Directory can be used for role-based access control (RBAC), limiting users to only the systems they need to do their jobs. Microsoft Entra ID is a powerful tool for Privileged Identity Management (PIM), allowing systems administrators to manage who has access to which systems, as well as how they authenticate to those systems.
It’s wise to follow Azure AD security best practices by using granular controls to assign rights and privileges to users based on their roles and ensuring the use of strong passwords, alongside multifactor authentication, to prevent account breaches.
Network Security
Maintaining network security on Azure requires careful planning. Microsoft lays out some Azure network security best practices that can help improve your Azure security. Some best practices include:
- Define the virtual networks your Azure virtual machines will belong to, and use Virtual Network Service Endpoints to route traffic within the Azure network.
- Segment large address spaces into subnets, and define access control rules for these subnets. Don’t use rules based on very large blocks of IP addresses.
- Keep subnets sensibly sized. Making subnets very small has limited security benefits and could make it difficult to add devices at a later date.
- Use private endpoints to connect to Azure services securely.
- Combine firewalls and other security tools with monitoring and logging as part of a comprehensive approach to endpoint security.
- Take advantage of traffic monitoring, telemetry and Azure’s DDoS Protection tools to protect public endpoints from denial-of-service attacks.
Data Security
Azure offers its own storage encryption, which uses 256-bit AES encryption to protect data in Azure Storage. It also offers the Azure Key Vault, which is designed to protect API keys, cryptographic keys, certificates, passwords and other valuable assets. It’s important to take advantage of these features. Don’t store important credentials in an unencrypted form on a VM file system.
The ability to place data in a write once read many (WORM) state via immutability feature sets are also a critical consideration for sensitive data stored on Azure. Azure offers Immutable storage for Azure Blob Storage, easily configurable with time-sensitive retention or legal hold policies. Immutable storage is a fundamental tenet of Zero Trust and backup and recovery, meaning once backups have been committed to the storage, they cannot be encrypted, altered or deleted by bad actors.
Developers can also take advantage of a variety of SQL database security features, including both row- and column-level protection, auditing and authentication systems. Following Azure SQL security best practices can reduce the risk of data breaches from both within and outside the organization. Using Veeam Azure SQL Backup and Recovery as an extra layer of protection can also protect against data loss.
Monitoring and Logging
According to a 2020 report by IBM, it takes an average of 207 days to detect a security breach and 73 days to contain it. Azure provides many useful monitoring and logging tools that can shorten this timescale, giving organizations a better chance to mitigate security breaches. These tools include:
- Azure Monitor: Monitors activities and resource usage and configures alerts if usage is outside of certain parameters
- Azure Security Center: Collects events from Azure resources and logs from configured non-Azure resources, and it allows you to view network maps and receive security recommendations based on those logs
- Azure Sentinel: A Security Information Event Management (SIEM) tool to aid in threat detection, investigation and response.
Compliance and Governance
Government organizations are faced with strict regulatory and compliance needs. Azure Government is a cloud services platform built with the mission-critical needs of these organizations in mind. It uses physically isolated data centers located in the United States and has strict access requirements, ensuring only vetted individuals from qualifying entities can access the service.
If your organization qualifies for Azure Government, you can request an account via the Azure Government Portal. Once you’re on board, you can use the Azure Policy regulatory compliance built-in initiatives to help you assess your compliance with government standards, such as DoD IL4, DoD IL5, and FedRAMP High, etc. Azure Blueprints and Azure Policy can only give a partial view into your compliance status, but they’re a valuable starting point, and following the guidance provided alongside Azure cloud security best practices can help your team avoid common pitfalls.
Secure Development Practices
Following secure development practices is essential when migrating to a cloud platform. A useful process to follow when migrating to Azure Cloud is:
- Assess the workloads and plan the migration
- Deploy services, replicating on-premises resources to Azure
- Manage costs and billing
- Once the services are optimized and tested, release them to production
To ensure a smooth migration, it’s a good idea to focus on small batches of workloads at a time. Start with ones that aren’t mission-critical, so you have a chance to learn the platform, test your systems and maximize performance before moving on to the next workload.
Azure DevOps Security
Securing the environment and having effective access control systems in place are key elements of Azure DevOps security best practices. In particular, it’s important to limit access to projects and repositories and to prevent users from creating public projects.
Azure offers a number of tools for account management, code reviews, merges and CI pipelines. Following these best practices can help ensure the security of your assets and codebase.
Container Security
Kubernetes is a powerful tool for container orchestration and management. However, it’s important to follow Azure Kubernetes security best practices to ensure containers are properly isolated, images are properly validated and pulled only from secure sources, and any credentials used by containers are kept in secure vaults. Azure provides tools and guidelines to help with this, along with monitoring tools to allow you to watch the health of your containers.
Application Security
Poor application security is a common cause of data breaches. The OWASP API Security Top 10 lists some of the most common security issues with API endpoints. Reviewing any applications you deploy with a view to these vulnerabilities and following Azure API Management security best practices can help reduce the risk of an application being breached by opportunistic attackers looking for common vulnerabilities.
Disaster Recovery and Business Continuity
Preventing security breaches from occurring is the ideal goal, and Azure’s high availability architectures offer peace of mind when it comes to outages. However, it’s important to plan for the worst-case scenario. Having a robust disaster recovery plan makes it easier to ensure business continuity in the event of a ransomware attack, severe outage or other unforeseen incident. Veeam Azure Backup and Recovery offers automated tools to generate isolated, secure backups of your essential data.
Making backups is the first step toward business continuity. However, it’s important to test your disaster recovery plan to ensure it works and covers everything you need it to. Veeam Orchestrated Recovery can help with deploying backups quickly and efficiently, so you can get back up and running quickly in a crisis.
Incident Response and Management
As previously mentioned, Azure offers some useful tools for security incident response in the form of Azure Sentinel, which provides SIEM and SOAR features. This, along with third-party SIEM tools, can form the basis of a Cybersecurity Incident Response Plan (CIRP). A full plan would ideally include:
- Triage and categorization
- Escalation and decision-making
- Technical response
- Post-incident review
Azure Security Tools and Resources
By default, Azure provides many security tools and resources. In addition to these resources, we recommend using tools such as Veeam Azure Backup and Recovery for added peace of mind. The core tools for Azure security include:
- Azure Security Center: Provides security insights, recommendations and dashboards
- Azure Policy: A compliance dashboard to help organizations assess compliance and enforce standards
- Azure Key Vault: For storage of important credentials, keys and other assets
- Azure Sentinel: A SIEM and SOAR tool to assist with threat detection and incident response
- Azure Security Documentation and Training: A variety of resources covering all aspects of Azure security best practices
Case Studies
One recent example of an attack against Microsoft Azure is the breach by UNC3944, which was detected by researchers at Mandiant Intelligence. The attackers gained access to the Azure administrator account via a SIM swap attack and were able to gain full access to the Azure tenant, thanks to the global privileges afforded to this account. Once inside the account, the attacker used the Serial Console to run commands on the VM. They also deployed a number of well-known remote access tools, so they could maintain access to the system.
Because the attackers used well-known tools with legitimate uses, they were able to avoid detection via automated tools for some time. However, Mandiant notes there are several local events and Azure Monitor events that could serve as a warning sign of an attack. Setting up alerts for these events, and disabling the serial console if it’s not something you use, could make it easier for you to detect a breach of the Azure administrator account.
Because this was a breach of a security research team’s systems, the attackers didn’t obtain valuable data or do lasting damage. However, the level of control gained over the systems makes this kind of breach a serious issue for other businesses.
Conclusion
If your organization makes use of the Azure platform, it’s vital to follow best practices when it comes to security. This means using robust access controls and MFA to protect user accounts, as well as maintaining good network and data security. Any custom applications you deploy should follow best practices to protect against common vulnerabilities. These measures should be backed up by continuous logging and monitoring, alongside a business continuity and disaster recovery plan. Cyber threats are constantly evolving, so your Azure security plan should be a living document approached with a philosophy of continuous monitoring and improvement.
Make Azure Backup and Recovery a part of your data security plan. Deploy it free for up to 10 instances or try our hybrid/multicloud service on a free trial and take advantage of our automated, flexible and secure tools to protect your data.
Related Resources
- Secure Cloud Backup Best Practices
- Conversational Azure Backup Best Practices 3rd Edition
- Cloud Connect Enterprise Backup
- Azure Data Protection Solutions Explained
- Azure Stack HCI Modern Data Protection
- Archiving to Azure Blob with StarWind VTL
