Best Practices for Azure Security Solutions

December 18, 2019 | Comments(0) |

Are you confused with the many Azure Official documentation available at your fingertips? Don’t know how to channelize your search based on your requirements?

This blog lists all Azure security services on one page and mentions areas where Azure has provided security services.

Security is integral for the entire lifecycle of an application, from design and implementation to deployment and operations. An Organization faces many challenges with securing their datacenters and keeping pace with the volume and complexity of threats. One of the common attack factors is open internet expose endpoints.

Azure offers unified security management and advance thread protection of your resources, whether it is in the Cloud or on your datacenter or both. It provides a secure foundation across physical, infrastructure and operational security. Below Picture gives you an overview to build secure and compliant application infrastructure based on industry standards, using Azure services.

Best Practices for Azure Security Solutions

Figure: Defense-in-depth security layers

Azure offers many security-related services and technologies. Based on this, you can classify your type of security and identify your related security-services, which help you to select the right Cloud solutions for your organization.

Azure has many “Built-in security controls,” for services like:

  1. API Management
  2. Azure App Service
  3. Azure Resource Manager
  4. Azure Backup
  5. Azure Cosmos DB
  6. Azure Event Hubs
  7. Azure ExpressRoute
  8. Azure Key Vault
  9. Azure Load Balancer
  10. Azure Service Bus Messaging
  11. Azure Service Bus Relay
  12. Azure Service Fabric
  13. Azure SQL Database
  14. Azure Storage
  15. Azure Virtual Machine Scale Sets
  16. Linux Virtual Machines
  17. Windows Virtual Machines
  18. Azure VPN Gateway

For more details of each service, you can visit here.

Here are some of the area where azure is offering security-services:

  1. Data security
  2. Database security
  3. Networking security
  4. Identity and access management
  5. Backup and disaster recovery
  6. Internet of Things security

 Best practices for Data Security

  1. Protect data
    • At rest: Includes all information data that exist statically on physical media, whether magnetic or optical disk.And for protecting data at rest, encryption at rest is designed to prevent the attacker from accessing the unencrypted data by ensuring the data is encrypted when on disk.
    • In transit: Data which is transfer between components, locations or programs, are in transit. Examples are transferring data over the network, across a service bus (from on-premises to Cloud and vice-versa).Encryption in transit helps in protecting data that is transmitted across networks e.g., Transport-level encryption, Wire encryption, Client-side encryption.
  1. Choose a key management solution
    • Azure Key Vault is best for key management solution, which helps safeguard cryptographic keys and secrets used by Cloud applications and services. It creates multiple secure containers, called vaults, which are backed by HSMs. Using the Key Vault enables you to avoid writing storage keys in application configuration files. It also prevents exposure of keys to everyone with access to those configuration files.
  1. Secure email, documents, and sensitive data
    • In Azure, we have Azure Information Protection that helps an organization to classify, label and protect its documents and emails inside and outside company walls.

Best practices for Database Security

  1. Use firewall rules to restrict database access
    • Database or Servers are exposed to the internet and to avoid any unfortunate attempt IP firewall rules are required to provide access security and control access. To know more, visit here.
  1. Enable database authentication
    • SQL Database supports two types of authentication:
      • SQL Server authentication: SQL Database support environments with mixed operating systems and sometimes all users are not authenticated by a Windows domain. For solving this type of problem SQL Server authentication comes into the picture.There are two possible modes: Windows Authentication mode and mixed mode. Windows Authentication mode enables Windows Authentication and disables SQL Server Authentication.Mixed mode enables both Windows Authentication and SQL Server Authentication. Windows Authentication is always available and cannot be disabled.
      • Azure Active Directory (AD) authentication: Azure AD authentication is the authentication used to access Azure SQL Database and SQL database Warehouse by using identities in Azure AD. It is like one central location where we can manage the identities of database users and other Microsoft services.
  1. Use encryption and row-level security to protect your data
    Azure SQL Database transparent data encryption helps in encrypting and decrypting data in real-time. This Data might be the data of the database, associated backups and transaction log files at rest without requiring changes to the applications.
  1. Enable database auditing
    Enable database auditing of the SQL Server Database Instance involves tracking and logging events. It tracks the database events and writes them to an audit log in Azure storage account. Auditing helps you in maintaining regulatory compliance, understand database activity. It facilitates adherence to compliance standards but doesn’t guarantee compliance.
  1. Enable database threat detection
    Enabling database threat detection helps to monitor a dynamic database environment where changes are hard to track. Also, meet data privacy standards and regulatory compliance requirements. To know more, visit here.
  1. Enable Feature restrictions
    Data of your databases can be exposed to attackers using attack vectors that leverage database errors and query execution times. Enabling feature restrictions helps to protect from the same.

Best practices for Network Security

  1. Use strong network controls
    You can create a strong virtual network to control access. You can connect Virtual Network Interface card to Virtual network to allow TCP/IP-based communications between network-enabled devices. Governance of network security elements, which act as network virtual appliance function are ExpressRoute, virtual network and subnet provisioning, and IP addressing.
  1. Logically segment subnets
  1. Azure DDoS Protection
    DDoS is a type of attack that tries to exhaust application resources. Azure provides continuous protection against DDoS attacks. Azure DDoS Protection is integrated into the Azure platform by default at no extra cost.Azure has two DDoS services that protect from network attacks (Layer 3 and 4): DDoS Protection Basic and DDoS Protection Standard.
  1. Use virtual network appliances
    As we all know, user-defined routing and network security groups provide network security at the network and transport layer of the OSI model. But in some situations, we have to have better security at high levels of the stack. Azure network security appliances can give you better security than what network-level controls offer. These appliances include:

    • Firewalling
    • Intrusion detection/intrusion prevention
    • Vulnerability management
    • Application control
    • Network-based anomaly detection
    • Web filtering
    • Antivirus
    • Botnet protection
  1. Avoid exposure to the internet with dedicated WAN links
    Many companies use hybrid IT route as in, some of their components of service are running in Azure while other components remain on-premises. For this cross-premises connectivity, the offered solutions are:

Best practices for Azure Identity Management and access control security

Some of the best practices for Azure identity management and access control security is as follows:

  1. Treat identity as the primary security perimeter
    Azure Active Directory (Azure AD) is the Azure solutions for identity and access management. It combines core directory services, application access management, and identity protection into a single solution.
  1. Enable single sign-on
    Enabling Single Sign-On can provide access to company resources, domain-joined devices on one single sign-in launch. After that no need to sign-in again and again for every single domain service.
  1. Turn on Conditional Access
    Conditional Access policies at their simplest are if-then statements. For example, If a user want to access a resource, then they must complete an action.
  1. Enforce multi-factor verification for users
    Using this MFA method requires users to perform two-step verification every time they sign in and overrides Conditional Access policies.
  1. Use role-based access control
    Role-based access control (RBAC) has several built-in roles for Azure resources that you can assign to users, groups, service principals, and managed identities. If the built-in roles don’t meet the specific needs of your organization, you can create your custom roles for Azure resources.

All the above points could be your repository for gaining information on Azure security services. I hope the information above works for you.

To learn more about Azure Securities and Azure Services, kindly visit our website https://cloudthat.in/courses/

Recommended course for Azure Security

If you are preparing for AZ -500 (Azure Security Technologies), then CloudThat Technologies can be \the best platform to make you for the same.

Microsoft Azure Certification BootCamp for AZ-500 (Azure Security Technologies)

Reference:

https://docs.microsoft.com/en-us/azure/security/fundamentals/technical-capabilities

If you have any comment or question, then do write it in the comment.


Leave a Reply