Best Practices Guide

Azure Security Best Practices

December 31st, 2020 12 Minutes to Read

Cloud technology is constantly evolving, and so are its security requirements. As a cloud security administrator, you face three main challenges:

  1. Increasing workloads: With more users empowered to create services, software, and applications, it’s difficult to ensure that all solutions follow security protocol and best practices

  2. Highly sophisticated and improved attacks: With cloud usage skyrocketing, so are new threats. If you do not optimize your security per evolving requirements, it leaves your data vulnerable to attacks

  3. Shortage of skilled security administrators: The industry currently faces an acute shortage of administrators with the experience and skillset to implement the latest cloud security practices

With over a decade of experience as Azure administrators, we have compiled the 17 best practices you need to secure your cloud and protect your assets.

  1. Use the Azure Security Center

    Azure Security Center is a worthwhile investment to secure your cloud assets and view your security status. The portal uses machine learning and advanced analytics to detect existing and potential threats, and suggest preventative actions. With Azure Security Center, end users can:

    • Instantly implement Azure-native security solutions
    • Manage security policy and compliance
    • Continuously assess security status with real-time monitoring
    • Access a network map
    • Improve security by following recommended controls for each Azure service
    • Protect against threats on both infrastructure as a service (IaaS) and platform as a service (PaaS) environments

    How to use Azure Security Center:

    Define your security admins. This role handles alerts, Azure Defender, security policy, and the auto provisioning of log analytics and extensions (as a rule of thumb, developers should be classified as Security Reader).

    To review your security status using Azure Security Center, go to the Azure menu and select Security Center –> Overview. You will see:

    • Azure Secure Score, which measures the security status of your subscriptions (a higher score means lower risk level)
    • Azure Defender Status for any resource type it is enabled on
    • Inventory of resource health state
    • Regulatory compliance such as SOC TSP, ISO 27001, PCO DSS 3.2.1 (you can enable the platform’s out-of-the-box compliance controls or input custom controls)
    • High-impact security recommendations and the potential percentage increase in Azure Secure Score if implemented
  2. Enable Azure Defender

    Formerly known as Azure Advanced Threat Protection (ATP), Azure Defender protects enterprise environments from targeted cyber-attacks and insider threats. Part of Azure Security Center, Azure Defender detects threats throughout the phases of an advanced attack, including reconnaissance, credential compromise, lateral movement, privilege escalation, and domain dominance. Early threat detection enables you to halt an attack before it impacts your business.

  3. Follow the "Least Privilege" principle via role-based access control

    Instead of providing every user with full access to Azure resources, limit access based on need. The fewer access points to your data, the smaller the area of the threat attack surface.

  4. Use Azure Active Directory to manage identity and access to cloud applications

    Azure Active Directory (AAD) is a multi-tenant cloud directory and identity management service. AAD secures and simplifies user access to cloud applications with single sign-on. AAD also protects sensitive data and applications with Azure Multi-factor Authentication, an additional level of authentication, and machine learning-based reports, which identify inconsistent access patterns.

  5. Add a second layer of security by enabling Azure Multi-factor Authentication (MFA)

    Azure MFA verifies user identities via phone call, text message, or mobile app notification, replacing outdated username and password authentication. Because Azure MFA requires access to a user’s phone, the user’s data and applications are protected even if the user’s password is compromised. Organizations that do not add this extra layer of identity protection are more susceptible to credential theft.

  6. Assign resource access to Active Directory groups, not individuals

    Assign Azure resource access to a security group instead of individuals. By enabling group access, you simplify management and ensure that developers only have access to resources for their projects.

    Many organizations give individual developers access to resources such as Azure VMs or SQL Servers when they begin work on a project. When those developers move to a different project, it becomes difficult to keep track of access privileges that are no longer required. Individual permissions often remain active even when the individual is no longer assigned to the project. By assigning access to an Active Directory group, the owner of the group can ensure that only those who are currently assigned to the project have access to its data.

    Periodically review your Azure Active Directory groups. Assign roles based on minimum privilege policies, with subscription always restricted to a reader role.

  7. Use managed identity wherever possible

    A managed identity in Azure Active Directory (AAD) enables applications to easily access other AAD-protected resources such as Azure Key Vault. The Azure platform manages identities, eliminating the need to provision or rotate secrets.

    Managed identity also automatically renews service principals, which should always be enabled. Service principals are AAD application resources that perform unattended resource and service-level operations.

    If you want to build an application using… Source …that can access Target …without needing to manage credentials, then use managed identity
    Azure VMs Azure Services that support AAD authentication
    App services Azure Key Vault
    Functions Azure storage
    Container instances Azure SQL
    Kubernetes services Azure Cosmos DB
    Logic apps Azure machine learning service
    Other Azure sources Other Azure resources
  8. Implement an IP whitelisting approach (as applicable)

    Whitelisting IP addresses prevents unwanted or unauthorized machines from accessing the service. IP restrictions enable you to define which IP addresses can access your service. The “allow” list can include individual IP addresses or a range of IP addresses defined by a subnet mask. Do not assign allow rules with broad ranges (for example, allow 0.0.0.0 through 255.255.255.255).

    Always protect your Virtual network using Azure Firewall. Along with IP range, access should be restricted to limited ports.

  9. Use Azure Key Vault

    Azure Key Vault safeguards cryptographic keys and secrets used by cloud applications and services. With this feature, you can ensure applications never have direct access to keys. Developers manage keys used for Dev/Test and can seamlessly migrate keys managed by security operations to production.

    When using Azure keys, ensure you:

    • Only provision access to certificates, secrets, and keys to limited users and identities
    • Enable soft delete to retrieve objects that have been accidentally deleted from the key vault
  10. Use Azure Disk Encryption to encrypt Azure VMs

    By default, all managed disks in Azure VMs are encrypted via SSE with PMK, which is a server-side encryption with a platform managed key. For OS and data disks, enable Azure Disk Encryption (ADE). ADE uses Azure Key Vault to control and manage encryption keys and secrets in the key vault subscription.

    Similarly, always enable Transparent Data Encryption (TDE) on SQL databases to secure data at rest.

  11. Maintain platform hygiene

    Clean up your Azure subscription by removing deprecated identities, users, and resources. Periodically review access for existing users in your subscription.

    Follow Azure Security Center guidelines by ensuring no more than three individuals are identified as subscription owners.

  12. Turn off Azure services and servers when not in use and remove inactive resources

    Only turning on the services you are actively using enables you to reduce the surface area of security threats and reduce the cost of Azure services. You shouldn’t be paying for a service you aren’t using. We recommend you create runbooks to automatically turn resources on/off at scheduled times.

  13. Remove in-development copies of databases

    During the software development process, programmers create copies of existing databases to test their code. Additional backups are created during system software upgrades when installing new versions of applications. Over time, developers move on to new projects. Often, after moving to a new project, developers do not remove unused copies and files from previous systems. Leaving clutter on the server and file store is like leaving tools on the floor of a factory. Someone is bound to trip and get hurt.

    Security starts and ends with discipline. To keep track of your resources, create an automated runbook that informs admins of historical databases. Remove any resource you aren’t using to ensure your workspace is clean and organized.

  14. Use Azure Just-in-time and Privileged Identity Management (PIM)

    With PIM you can provide as-needed and just-in-time access to Azure resources, Azure AD resources, and other Microsoft online services like Microsoft 365 or Microsoft Intune. PIM provides time-based and approval-based role activation. This reduces the chance of a malicious attacker gaining access, or an authorized user inadvertently impacting a sensitive resource.

  15. Restrict access to management ports

    Management ports usually consist of the ports that you use to connect your Azure virtual machines (i.e. Remote Desktop Protocol (RDP - 3389) and the Secure Shell (SSH - 22) protocol). RDP – 3389 and SSH - 22 protocols are common management ports that enable admins to manage VMs from remote locations. However, using these protocols over the internet allows for attackers to use brute force techniques to gain access to VMs. To mitigate the risk, restrict access to management ports.

  16. Set up locks on your resource groups

    Locks safeguard the development teams from accidentally deleting resources.

  17. Update your system as often as possible

    In response to the evolving security threats of today’s internet landscape, Microsoft continually updates its products and services. Update your resources with the latest patches to ensure your security system is up to date and secure.

References

Microsoft offers additional documents that provide a high-level framework for best practices. We strongly encourage you to review the following: