Azure Spring Clean: My top 10 Azure Security Best practices

Salaam, Namaste, Ola and Hello!

Welcome to day 15 of the Azure Spring Clean ( https://azurespringclean.com/ )! Big thanks to Joe Carlyle (@wedoazure) and Thomas Thornton (@tamstar1234) for putting this learning initiative together! Today’s Azure Spring Clean post is on ‘My top 10 Azure Security best practices’

Before i get to the the good stuff, a quick point to make which is that the following list is my own opinion based on my experiences from my work and investigation into this subject matter.

Lets get this list started!!! In at No.10…

Number 10: Implement DDoS Protection & Mitigation

DDoS attacks have been around for a while and protecting your Cloud Infrastructure from this type of attack is something I feel is important. DDoS Protection brings massive DDoS mitigation capacity to every Azure region. You scrub traffic at the Azure network edge before it can affect the availability of your service.

The following features are available within the Azure DDoS Protection service:

  • Turnkey Defense
  • Adaptive tuning
  • Attack Analytics

No 9: Using Web Application Firewalls (WAF)

Web applications are increasingly targeted by malicious attacks that exploit commonly known vulnerabilities. SQL injection and cross-site scripting are among the most common attacks. Azure Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities.

The following are some core benefits Azure Web application firewall (on Application Gateway) can provide:

  • Protect your web applications from web vulnerabilities and attacks without modification to back-end code.
  • Protect multiple web applications at the same time. An instance of Application Gateway can host of up to 40 websites that are protected by a web application firewall.
  • The Application Gateway WAF is integrated with Azure Security Center. Security Center provides a central view of the security state of all your Azure resources.
  • Associate a WAF Policy for each site behind your WAF to allow for site-specific configuration

The following are some key features of the Azure Web Application Firewall:

  • SQL-injection protection.
  • Cross-site scripting protection.
  • Protection against crawlers and scanners.
  • Detection of common application misconfigurations (for example, Apache and IIS).
  • Configurable request size limits with lower and upper bounds.

No 8: Have a Firewall strategy

When it comes to a Firewall strategy you have two main options:

  1. User Azure Native controls
  2. Use 3rd party Virtual appliances

Azure Native Controls include the Azure Firewall and Web Application Firewall (already mentioned). These offer basic security that is good in some scenarios, with a fully stateful firewall as a service, built-in high availability, unrestricted cloud scalability, FQDN filtering, support for OWASP core rule sets, and simple setup and configuration

3rd party Virtual Appliances normally have more advanced capabilities and are available from the Azure Market Place by 3rd party vendors (WatchGuard for example). Network virtual appliances in the Azure Marketplace include familiar security tools that provide enhanced network security capabilities. Configuration is more complex, but allows you to leverage existing capabilities, and skillets.

No 7: Define Clear lines of responsibility

In many many companies it is common to split IT into different teams (Network team, Server team and so on). I feel it is an important security practice to define responsibilities with in Azure in a similar and use ‘Role Based Access Control’ to give members of the IT team access to only the areas which relate to there job function. Ensuring these responsibilities are clearly defined ensures consistency which helps avoid confusion that can lead to human and automation errors that create security risk.

No 6: Monitor Azure Resources

It is important to constantly monitor your Azure Infrastructure and setup alerting to ensure you are made aware of any potential threats as they occur, rather than when it is too late. For me some key services which should be monitored are:

  • VMs on Azure (Windows, Linux, and Installed Applications)
  • Azure Container and Azure Kubernetes Services (AKS)
  • Azure SQL Database and Azure SQL Data Warehouse
  • Azure Storage Accounts
  • IoT Devices
  • On-premises servers (via Windows Admin Center

No 5: Multi-Factor Authentication for all standard users

In my experience this is something that is very often not implemented until businesses have actually been affected by a security incident. Its is very important to implement MFA for all standard users across the tenant for access to any Azure/Microsoft 365 resources.

I go into MFA in more detail in my ‘Azure Advent Calendar’ Blog ( https://iamitgeek.com/2019/12/06/azure-advent-calendar-azure-multi-factor-authentication-mfa/ ) and YouTube Video ( https://www.youtube.com/watch?v=thep3IYzg2k ).

No 4: Ensure all IT staff follow strict ‘Change Control’ process

This best practice is something that very few follow and it can lead to a lot of misunderstanding and confusion when issues arise. Cloud platforms like Azure and Microsoft 365 have made it much quicker to make what use to be time consuming changes much faster, however if these types of changes are not documented, vetted and controlled it can cause major security risks.

Implementing strict change control when looking to make charges to settings (such as VM security rules, or a Firewall rule), if the steps the change implementer are documented and approved by a change board before hand it is much easier for other people to investigate any issues the change might cause, or roll back further down the line if required.

No 3: Implement a strict password policy

With the emergence of MFA, regularly implementing password changes is no longer a requirement or best practice. Rather than getting users to change passwords, I feel its better to implement a longer more complex password and only change it once every 365 days. Also ensure simple passwords are prohibited from being implemented, as well as ensuring users cant repeat use similar passwords (for example the same word but with a 1 at the end of it).

No 2: MFA for all Admin users

Regardless of whether you implement MFA for standard users it is even more important to ensure your Admins all use MFA to secure there access to resources. Although a standard user getting hacked is still bad, having a user with elevated privileges compromised has even worse consequences as they have much wider access to key resources which could compromise a business much quicker.

All staff that have any type of Admin access should be using MFA for accessing resources. Also Microsoft themselves recommend having no more than 5 global admin accounts.

No 1: Monitor Security Score

Assign stakeholders to use Secure Score in Azure Security Center to monitor risk profile and continuously improve security posture. In my time using Azure and Office 365, I have seen all to often that businesses do not pay attention to the Secure Portal.

This portal is designed to give you tips and recommendations on how you can improve security within your tenant and compares your score to other similar sizes business to help you understand where your security posture sits against them.

Hope you find this helpful, if you would like any more information feel free to tweet me @shabazdarr or ask a question in the comments section below! Keeping following the Azure Spring Clean until the end of February for loads more great content!!

Categories UncategorizedTags , , , , ,

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this:
search previous next tag category expand menu location phone mail time cart zoom edit close