Saturday, August 1, 2020

Secure Azure Infrastructure Practices



Secure Cloud Infrastructure

Cloud computing surveys for 2020 show that enterprises continue to embrace multi-cloud (Azure, AWS and Google) and hybrid cloud strategies. While consider

Infrastructure-as-a-Service (IaaS) adoption continues its upward trend and remains the fastest-growing public cloud segment, ahead of PaaS.

Broader adoption tends to bring more security exposure. Here I cover a few aspects to consider while managing Azure infrastructure, given the rapid adoption of IaaS. Adequate measures make the environment more secure and limit the potential impact of an attempted breach.

n secure your Azure infrastructure.

Security for Azure resources is grouped into the categories below:

  1.  Azure Security Center (ASC)
  2.  Security for virtual machines
  3.  Azure Identity and Access Management (IAM)
  4.  Azure Storage
  5.  SQL Server databases
  6.  Azure Network Security
  7.  Azure Monitor
  8.  Azure Key Vault
  9.  Azure Governance
  10. Azure Private Link


1. Azure Security Center (ASC): ASC is a cloud-native security management service for Azure subscriptions. It extends advanced threat protection across hybrid workloads, covering both cloud and on-premises resources.

·         Strengthen security posture: Security Center continuously assesses the cloud environment and reports which resources are secure and which are not, as prioritized recommendations with a secure score.

·         Protect against threats: ASC evaluates workloads and raises threat-prevention recommendations and security alerts.

·         Get secure faster: ASC is natively integrated with Azure, so enabling it is quick and needs no separate deployment for the platform layer.

2. Security for virtual machines:

  • MDATP: ASC extends its workload protection with Microsoft Defender Advanced Threat Protection (MDATP). Its sensors on the VMs collect a wide variety of signals, and MDATP raises alerts when it observes attacker tools and techniques.
  • Operating system vulnerabilities: enable OS vulnerability recommendations for virtual machines and remediate the findings.
  • Endpoint protection: enable endpoint protection on Azure virtual machines and on-premises VMs to detect and remove viruses, spyware and other malicious software; ASC reports VMs that lack it.
  • Adequate implementation of NSGs: restrict all network ports on the NSG associated with your VM, allowing only the ports the workload needs and only from the sources that need them.
  • Adaptive Network Hardening (ANH): ASC recommends NSG rules for internet-facing virtual machines based on observed traffic, limiting access to specific IP ranges and ports.
  • Built-in vulnerability scanner (Qualys): ASC advises enabling the built-in vulnerability assessment solution on virtual machines, powered by Qualys.
  • Latest OS patches: ensure the latest operating system patches are applied to virtual machines; ASC flags missing system updates.
  • Disk encryption: enable Azure Disk Encryption (ADE) on virtual machines. ADE protects data at rest to meet organizational security and compliance needs, and ASC raises a high-severity recommendation when it is missing.

3. Azure Identity & Access Management (IAM): points of consideration are listed here.

·         Multi-factor authentication enabled for all users: Global Administrators and other privileged users should already have MFA; consider enabling it also for every user with write access to Azure resources, since such an account can be used to damage the infrastructure.

  • Privileged Identity Management (PIM): review PIM assignments at a regular interval; users should receive privileged roles just-in-time (JIT) and time-bound, rather than permanently.
  • Conditional Access policy: apply Conditional Access policies to hybrid-joined and Azure AD users so that sign-ins are evaluated on device, location and risk; this limits what a stolen credential alone can do.
  • Fewer admins/owners: keeping the number of Owner/Administrator role holders small limits the blast radius of a compromised or misused account.

4. Storage accounts: data is a key asset of any organization and must not be exposed, so ensure the following are enabled:

  • Advanced Threat Protection: ATP adds an extra layer of security intelligence that detects unusual and potentially harmful attempts to access or exploit the storage account.
  • Secure transfer: enable the "Secure transfer required" setting so the storage account accepts requests only over HTTPS (and, for file shares, only SMB 3.x with encryption) and rejects plain HTTP.
  • Storage service encryption: storage service encryption protects data at rest. Azure encrypts data with 256-bit AES when it is written and decrypts it transparently when it is read; it is enabled by default for every storage account and cannot be disabled.

5. Azure SQL services: on SQL databases or servers, ensure the following are turned on:

  • SQL auditing: auditing tracks database events and writes them to an audit log in your Azure storage account, a Log Analytics workspace or Event Hubs. It covers activity, compliance, anomalies and discrepancies and helps identify suspected security concerns, so it must be enabled.
  • Transparent Data Encryption (TDE): enable TDE on SQL databases, managed instances and Azure Synapse Analytics so that data files, log files and backups are encrypted at rest.
  • Threat detection: Advanced Threat Protection for SQL adds an additional layer of security intelligence that detects unusual and potentially harmful attempts to access or exploit databases, such as SQL injection or access from an unusual location.

6. Azure networking: ensure the following on network security groups exposed to the Internet:

  • Restrict RDP and SSH: do not expose RDP and SSH to the Internet. Allow them only for a specific set of source addresses and users, and use just-in-time (JIT) VM access so the NSG opens the port only for an approved requester and time window; attackers continuously brute-force exposed RDP and SSH to gain access to Azure virtual machines.
  • Azure Bastion: Azure Bastion provides secure and seamless RDP/SSH connectivity to VMs directly from the Azure portal over TLS (port 443). The VMs need no public IP when connected through Azure Bastion.
  • Web Application Firewall (WAF): web applications are a constant risk area and can be targeted with brute-force or malicious requests. Well-known vulnerabilities include SQL injection and cross-site scripting. A centralized WAF protects against such web attacks without requiring application changes.
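The NSG advice in sections 2 and 6 ("restrict all ports", "do not expose RDP/SSH") is easy to get wrong because Azure evaluates NSG rules by priority number (lowest first, first match wins) on top of three default rules that cannot be removed. The following audit script is an added example, not code from the original post or from Microsoft: it re-implements that evaluation order to answer "which management ports can an arbitrary Internet address reach?". The rule dicts use the field names of `az network nsg rule list -o json`, but `SAMPLE_RULES` is constructed for this example.

```python
"""Audit an Azure NSG for management ports reachable from the Internet.

Rules are evaluated the way the Azure fabric evaluates them: lowest priority
number first, first match wins, and the built-in default rules (65000-65500)
catch anything left.  Input dicts use the field names of
`az network nsg rule list -o json`; SAMPLE_RULES below is constructed for
this example, not real output.
"""

INTERNET_SOURCES = {"*", "internet", "0.0.0.0/0", "any"}
MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP", 5985: "WinRM", 5986: "WinRM-HTTPS"}

# The three default inbound rules every NSG carries; they cannot be removed.
DEFAULT_INBOUND_RULES = [
    {"name": "AllowVnetInBound", "priority": 65000, "direction": "Inbound",
     "access": "Allow", "protocol": "*", "sourceAddressPrefix": "VirtualNetwork",
     "destinationPortRange": "*"},
    {"name": "AllowAzureLoadBalancerInBound", "priority": 65001, "direction": "Inbound",
     "access": "Allow", "protocol": "*", "sourceAddressPrefix": "AzureLoadBalancer",
     "destinationPortRange": "*"},
    {"name": "DenyAllInBound", "priority": 65500, "direction": "Inbound",
     "access": "Deny", "protocol": "*", "sourceAddressPrefix": "*",
     "destinationPortRange": "*"},
]


def _port_specs(rule):
    """Merge the singular and plural destination port fields into one list."""
    specs = list(rule.get("destinationPortRanges") or [])
    if rule.get("destinationPortRange"):
        specs.append(rule["destinationPortRange"])
    return specs


def _sources(rule):
    srcs = list(rule.get("sourceAddressPrefixes") or [])
    if rule.get("sourceAddressPrefix"):
        srcs.append(rule["sourceAddressPrefix"])
    return srcs


def port_matches(port, spec):
    """True if `port` falls inside an NSG port spec: '*', '22' or '1000-2000'."""
    spec = spec.strip()
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        return int(lo) <= port <= int(hi)
    return int(spec) == port


def source_covers_internet(rule):
    """True if the rule's source matches an arbitrary Internet address.

    A specific CIDR (e.g. an office range) does not count: it admits only that
    range, which is exactly the restriction the post asks for.
    """
    return any(s.lower() in INTERNET_SOURCES for s in _sources(rule))


def rule_applies(rule, port, protocol):
    if rule.get("direction", "Inbound").lower() != "inbound":
        return False
    if rule.get("protocol", "*").lower() not in ("*", protocol.lower()):
        return False
    if not any(port_matches(port, s) for s in _port_specs(rule)):
        return False
    return source_covers_internet(rule)


def effective_access(rules, port, protocol="Tcp"):
    """Return (access, rule_name) for an arbitrary Internet source hitting `port`."""
    ordered = sorted(list(rules) + DEFAULT_INBOUND_RULES, key=lambda r: r["priority"])
    for rule in ordered:
        if rule_applies(rule, port, protocol):
            return rule["access"], rule["name"]
    return "Deny", "DenyAllInBound"  # not reached: DenyAllInBound matches everything


def internet_exposed_management_ports(rules):
    """Map port -> (service, allowing rule) for management ports open to the Internet."""
    exposed = {}
    for port, service in MANAGEMENT_PORTS.items():
        access, name = effective_access(rules, port)
        if access.lower() == "allow":
            exposed[port] = (service, name)
    return exposed


# Constructed sample: SSH is pinned to an office range and explicitly denied from
# the Internet, but an RDP rule with source '*' was added at priority 300.
SAMPLE_RULES = [
    {"name": "AllowSSHFromOffice", "priority": 100, "direction": "Inbound",
     "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "203.0.113.0/24",
     "destinationPortRange": "22"},
    {"name": "DenySSHFromInternet", "priority": 200, "direction": "Inbound",
     "access": "Deny", "protocol": "Tcp", "sourceAddressPrefix": "Internet",
     "destinationPortRange": "22"},
    {"name": "AllowRDPAny", "priority": 300, "direction": "Inbound",
     "access": "Allow", "protocol": "*", "sourceAddressPrefix": "*",
     "destinationPortRange": "3389"},
    {"name": "AllowWebTraffic", "priority": 400, "direction": "Inbound",
     "access": "Allow", "protocol": "Tcp", "sourceAddressPrefix": "Internet",
     "destinationPortRanges": ["80", "443"]},
]

if __name__ == "__main__":
    for port, (service, rule) in internet_exposed_management_ports(SAMPLE_RULES).items():
        print(f"{service} (tcp/{port}) is reachable from the Internet via rule {rule}")
```

On the sample, SSH is correctly closed (the office allow rule at 100 only admits 203.0.113.0/24, and the deny at 200 catches everyone else), but RDP is reachable from anywhere through AllowRDPAny. Feed the script the real JSON from `az network nsg rule list` to run the same check against a live NSG, and remember that a JIT VM access request temporarily inserts an allow rule at a low priority number, so a port the script reports as open may also be a JIT window that has not yet expired.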

7. Azure Monitor:

·         Enable diagnostics: resource logs give insight into the internal operation of an Azure resource and are valuable for root-cause analysis and investigations, so ensure diagnostic settings are enabled for each resource and send the telemetry to a Log Analytics workspace, a storage account or Event Hubs.

·         Azure Monitor alerts: design enterprise applications so that metric alerts, activity log alerts, cost alerts and log (Log Analytics) alerts are configured adequately. They fire when a threshold or query condition is met for an Azure resource and can be forwarded to a SIEM tool.

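A log alert is only as good as the query behind it. As an added example (not from the original post), the script below shows the kind of detection a scheduled log alert on Azure AD SigninLogs in a Log Analytics workspace would implement: a sliding-window count of failed sign-ins per source IP, escalated to high severity if that IP then signs in successfully. The JSON-lines records in `SAMPLE_LOG` are constructed for the example and carry only the SigninLogs fields the detection needs; the threshold and window are assumptions to tune for your tenant.

```python
"""Brute-force sign-in detection over Azure AD SigninLogs-style records.

This is the logic a scheduled log alert would run against SigninLogs in a
Log Analytics workspace.  SAMPLE_LOG is constructed for this example and
carries only the fields the detection needs: TimeGenerated,
UserPrincipalName, IPAddress and ResultType ("0" is success; 50126 is
invalid username or password, 50053 account locked, 50057 account disabled).
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILURE_CODES = {"50126", "50053", "50057"}
THRESHOLD = 5                   # failures from one IP ...  (assumed tuning)
WINDOW = timedelta(minutes=10)  # ... inside this sliding window

SAMPLE_LOG = """
{"TimeGenerated": "2020-08-01T09:00:00Z", "UserPrincipalName": "alice@contoso.com", "IPAddress": "198.51.100.7", "ResultType": "50126"}
{"TimeGenerated": "2020-08-01T09:00:20Z", "UserPrincipalName": "bob@contoso.com", "IPAddress": "198.51.100.7", "ResultType": "50126"}
{"TimeGenerated": "2020-08-01T09:00:40Z", "UserPrincipalName": "carol@contoso.com", "IPAddress": "198.51.100.7", "ResultType": "50126"}
{"TimeGenerated": "2020-08-01T09:01:00Z", "UserPrincipalName": "alice@contoso.com", "IPAddress": "198.51.100.7", "ResultType": "50126"}
{"TimeGenerated": "2020-08-01T09:01:05Z", "UserPrincipalName": "dave@contoso.com", "IPAddress": "203.0.113.5", "ResultType": "50126"}
{"TimeGenerated": "2020-08-01T09:01:20Z", "UserPrincipalName": "bob@contoso.com", "IPAddress": "198.51.100.7", "ResultType": "50126"}
{"TimeGenerated": "2020-08-01T09:01:30Z", "UserPrincipalName": "dave@contoso.com", "IPAddress": "203.0.113.5", "ResultType": "0"}
{"TimeGenerated": "2020-08-01T09:01:40Z", "UserPrincipalName": "carol@contoso.com", "IPAddress": "198.51.100.7", "ResultType": "50126"}
{"TimeGenerated": "2020-08-01T09:02:00Z", "UserPrincipalName": "alice@contoso.com", "IPAddress": "198.51.100.7", "ResultType": "0"}
"""


def parse_signin_lines(text):
    """Parse JSON-lines records and attach a timezone-aware datetime as 'ts'."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["TimeGenerated"].replace("Z", "+00:00"))
        records.append(rec)
    return records


def detect_bruteforce(records, threshold=THRESHOLD, window=WINDOW):
    """Return alerts in time order.

    'failed-signin-burst' (medium) fires once per source IP when `threshold`
    failures land inside `window`, counted across all users so that password
    spraying is caught as well as a single-account brute force.
    'success-after-burst' (high) fires when that IP then authenticates
    successfully: treat the account it used as compromised.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures inside window
    flagged = set()
    alerts = []
    for rec in sorted(records, key=lambda r: r["ts"]):
        ip = rec["IPAddress"]
        if rec["ResultType"] in FAILURE_CODES:
            q = recent[ip]
            q.append(rec["ts"])
            while rec["ts"] - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({"rule": "failed-signin-burst", "severity": "medium",
                               "ip": ip, "failures": len(q), "at": rec["TimeGenerated"]})
        elif rec["ResultType"] == "0" and ip in flagged:
            alerts.append({"rule": "success-after-burst", "severity": "high",
                           "ip": ip, "user": rec["UserPrincipalName"],
                           "at": rec["TimeGenerated"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(parse_signin_lines(SAMPLE_LOG)):
        print(alert)
```

On the sample, 198.51.100.7 trips the burst rule on its fifth failure and then signs in as alice, which yields the high-severity alert; dave's single typo from 203.0.113.5 followed by a success produces nothing. In production the same two conditions become a KQL query on SigninLogs in a scheduled log alert, with the action group forwarding to the SIEM.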

8. Azure Key Vault: Azure Key Vault is a managed service for storing secrets, keys and certificates; in the Premium tier keys can be protected by hardware security modules (HSMs). It gives applications controlled access to tokens, passwords, API keys and connection strings, which greatly reduces the chance that secrets are accidentally leaked in code or configuration. For example, an application that needs a database connection string can store it in Key Vault and retrieve it over a URI at run time, authenticating with a managed identity instead of a stored credential.

9. Azure Governance: the process of managing applications and resources in Azure consistently. Its main characteristics are described below:

·         Apply RBAC to control user access and prevent undesirable actions: grant permissions to defined groups of users for the applications and resources they need, and no more. Use Azure Policy to define and enforce rules for resources across the infrastructure; policy definitions identify non-compliant resources and can audit, deny or remediate them.
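Azure Policy is how the storage "Secure transfer required" setting from section 4 (and every other "ensure this is enabled" item above) becomes enforced rather than merely recommended. The script below is an added example, not the post's own material or Microsoft's code: it writes out a policy definition modeled on the built-in "Secure transfer to storage accounts should be enabled" rule and evaluates it offline against a few resource documents with a minimal evaluator for the `allOf`/`anyOf`/`not`/`field` grammar. The alias-to-property mapping and the resource documents are constructed assumptions for the example; the real service resolves aliases itself.

```python
"""Minimal offline evaluator for Azure Policy rules.

SECURE_TRANSFER_POLICY is modeled on the built-in "Secure transfer to storage
accounts should be enabled" definition, written out here with a literal
effect.  ALIASES and RESOURCES are constructed for this example: Azure itself
resolves aliases to resource properties, and the resource documents mimic the
shape of `az storage account show` output.
"""

SECURE_TRANSFER_POLICY = {
    "mode": "Indexed",
    "policyRule": {
        "if": {
            "allOf": [
                {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
                {"anyOf": [
                    {"field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
                     "exists": "false"},
                    {"field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly",
                     "equals": "false"},
                ]},
            ]
        },
        "then": {"effect": "deny"},
    },
}

# Assumed alias -> property path mapping for the aliases used in this example.
ALIASES = {
    "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly":
        ("properties", "supportsHttpsTrafficOnly"),
    "Microsoft.Storage/storageAccounts/minimumTlsVersion":
        ("properties", "minimumTlsVersion"),
}
_MISSING = object()


def resolve_field(resource, field):
    """Walk the resource document along the alias path; _MISSING if absent."""
    path = ALIASES.get(field, (field,))
    node = resource
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return _MISSING
        node = node[key]
    return node


def _norm(value):
    # Azure Policy compares case-insensitively and treats booleans as "true"/"false".
    return str(value).lower()


def evaluate_condition(cond, resource):
    if "allOf" in cond:
        return all(evaluate_condition(c, resource) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate_condition(c, resource) for c in cond["anyOf"])
    if "not" in cond:
        return not evaluate_condition(cond["not"], resource)
    value = resolve_field(resource, cond["field"])
    if "exists" in cond:
        return (value is not _MISSING) == (_norm(cond["exists"]) == "true")
    if value is _MISSING:
        return False
    if "equals" in cond:
        return _norm(value) == _norm(cond["equals"])
    if "notEquals" in cond:
        return _norm(value) != _norm(cond["notEquals"])
    if "in" in cond:
        return _norm(value) in {_norm(x) for x in cond["in"]}
    raise ValueError(f"unsupported condition: {cond}")


def evaluate(policy, resource):
    """Return the effect ('deny', 'audit', ...) if the rule matches, else None."""
    rule = policy["policyRule"]
    if evaluate_condition(rule["if"], resource):
        return rule["then"]["effect"].lower()
    return None


def non_compliant(policy, resources):
    return [r["name"] for r in resources if evaluate(policy, r) is not None]


# Constructed resource documents: one hardened account, one with HTTPS-only
# switched off, one that never set the property, and a VM the rule ignores.
RESOURCES = [
    {"name": "stprodlogs", "type": "Microsoft.Storage/storageAccounts",
     "properties": {"supportsHttpsTrafficOnly": True, "minimumTlsVersion": "TLS1_2"}},
    {"name": "stlegacy", "type": "Microsoft.Storage/storageAccounts",
     "properties": {"supportsHttpsTrafficOnly": False}},
    {"name": "stunset", "type": "Microsoft.Storage/storageAccounts",
     "properties": {}},
    {"name": "vm-web01", "type": "Microsoft.Compute/virtualMachines",
     "properties": {}},
]

if __name__ == "__main__":
    for name in non_compliant(SECURE_TRANSFER_POLICY, RESOURCES):
        print(f"{name}: would be denied by secure-transfer policy")
```

The `anyOf` with an `exists: false` branch is the detail worth copying: without it, a deployment that simply omits `supportsHttpsTrafficOnly` would pass the `equals` test and slip through. Assigned with effect `deny` at subscription or management-group scope, the definition blocks the non-compliant deployment; assigned with `audit`, it only surfaces `stlegacy` and `stunset` in the compliance view, which is the usual first step before switching to `deny`.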

10. Azure Private Link: the objective of Azure Private Link is to secure the connection to Azure PaaS offerings. It provides private connectivity from an Azure VNet to Azure PaaS services and customer-owned services over the Azure backbone network, so the service gets a private IP address in your VNet and traffic never traverses the public Internet.

Private Link supports the following services in GA:

§  Azure Storage

§  Azure Data Lake Storage Gen 2

§  Azure SQL

§  Azure Synapse

§  Azure Cosmos DB

§  Azure Database for PostgreSQL

§  Azure Database for MySQL & MariaDB

§  Azure Key Vault

§  Azure Kubernetes Services


I hope this helps you understand some security practices for Azure.

Kindly visit my channel for all videos.

