Security is one of the focus areas of Azure’s service offerings. Azure draws its security advantages from a combination of global security intelligence, a secure and hardened infrastructure, and customer-centric controls.
This combination helps keep applications and data protected and supports compliance efforts. For organizations, a further point is that these controls are cost-effective and available to businesses of any size.
Below, we go over 5 of the security-related best practices to follow when storing data on Azure.
Improve Security using Azure Identity Management
Single sign-on (SSO) is a property of access control across multiple related but independent software systems: the user authenticates once, and the same credentials grant access to devices, apps and services from anywhere, whether the resources are on-premises or in the cloud. SSO mitigates the risks that come with sharing passwords with third parties, and it reduces password fatigue, which otherwise pushes users toward weak or reused passwords.
Azure AD lets you extend an on-premises Active Directory to the cloud. Users can then use their primary account to sign in to domain-joined devices, company resources, web applications and the SaaS applications they need to complete their tasks.
Azure AD provides SSO to the SaaS applications that a user’s work or school account has been assigned. This applies not just to Microsoft SaaS apps, but also to third-party applications such as Salesforce and Google Apps.
Enabling multi-factor authentication (MFA) reduces the risk of account compromise: a stolen password alone is no longer enough, because a second factor is required to complete the sign-in. There are several ways to enable MFA. Which one suits you best depends on the Azure AD edition you are using, your licensing program and your goals –
- Multi-Factor Authentication by changing user state – the traditional method; it works with both the Azure Multi-Factor Authentication Server and Azure Multi-Factor Authentication in the cloud. It is switched on or off per user and cannot take the context of a sign-in into account.
- Multi-Factor Authentication with a Conditional Access policy – two-step verification is required under predefined conditions (which users, applications, locations or device states) via Conditional Access. This is the most flexible option.
- Multi-Factor Authentication with Conditional Access policies that evaluate user and sign-in risk from Azure AD Identity Protection – this method identifies potential vulnerabilities affecting the organization’s identities and lets you configure automated responses (such as requiring MFA or a password change) to suspicious activity. You can also investigate suspicious incidents and take appropriate action to resolve them.
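The Conditional Access and Identity Protection options above are both expressed as a Conditional Access policy. The following is an added example, not code from the original article or from Microsoft: it builds the policy body that the Microsoft Graph `conditionalAccessPolicy` resource expects and then lints it for the mistakes that most often leave MFA unenforced (a report-only state, an `OR` grant control that another factor can satisfy, partial app coverage, and no break-glass exclusion). The break-glass group id and display names are placeholders.

```python
import json

# Placeholder object id of a break-glass group; not a real tenant value.
BREAK_GLASS_GROUP = "00000000-0000-0000-0000-00000000b6e5"


def mfa_policy(display_name, *, state="enabled", include_users=("All",),
               exclude_groups=(BREAK_GLASS_GROUP,), include_apps=("All",),
               sign_in_risk_levels=()):
    """Body for POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies.

    Passing sign_in_risk_levels (for example ("high", "medium")) gives the
    Identity Protection variant: MFA is demanded only for risky sign-ins.
    """
    policy = {
        "displayName": display_name,
        # enabled | disabled | enabledForReportingButNotEnforced
        "state": state,
        "conditions": {
            "users": {
                "includeUsers": list(include_users),
                "excludeGroups": list(exclude_groups),
            },
            "applications": {"includeApplications": list(include_apps)},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    }
    if sign_in_risk_levels:
        policy["conditions"]["signInRiskLevels"] = list(sign_in_risk_levels)
    return policy


def lint_policy(policy):
    """Return findings; an empty list means MFA is really enforced for every
    sign-in the policy targets and the tenant cannot lock itself out."""
    findings = []
    grant = policy.get("grantControls") or {}
    controls = grant.get("builtInControls", [])
    if "mfa" not in controls:
        findings.append("grantControls does not include 'mfa'")
    elif grant.get("operator") == "OR" and len(controls) > 1:
        # With OR, any one control satisfies the policy, so e.g. a compliant
        # device would let a sign-in through without MFA.
        others = ", ".join(c for c in controls if c != "mfa")
        findings.append(f"operator OR with multiple controls: {others} can satisfy the policy instead of MFA")
    if policy.get("state") != "enabled":
        findings.append(f"state is {policy.get('state')!r}: the policy is not enforced")
    users = policy["conditions"]["users"]
    if not users.get("excludeUsers") and not users.get("excludeGroups"):
        findings.append("no excluded break-glass account or group: a bad policy could lock out every admin")
    apps = policy["conditions"]["applications"].get("includeApplications", [])
    if apps != ["All"]:
        findings.append(f"includeApplications is {apps}: sign-ins to other apps get no MFA")
    return findings


if __name__ == "__main__":
    good = mfa_policy("Require MFA for all users")
    weak = mfa_policy("Pilot MFA", state="enabledForReportingButNotEnforced",
                      exclude_groups=(), include_apps=("Office365",))
    weak["grantControls"]["builtInControls"].append("compliantDevice")
    print(json.dumps(good, indent=2))
    print("good:", lint_policy(good))
    print("weak:", *lint_policy(weak), sep="\n  ")
```

A lint-clean body can be created with `az rest --method POST --url https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies --body @policy.json`. In practice you would first deploy it in `enabledForReportingButNotEnforced` to see who would be affected, then switch to `enabled`; the linter flags the report-only state precisely so that the pilot phase is not forgotten.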
Azure role-based access control (RBAC) assigns permissions to users, groups and applications at a chosen scope. The scope can be a management group, a subscription, a resource group or a single resource, and an assignment is inherited by everything beneath that scope.
Azure’s built-in RBAC roles can be used to grant privileges on a need-to-know basis. If RBAC is not used, or broad roles such as Owner are handed out at subscription scope, organizations risk exposing data to users whose job does not require that access.
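The scope hierarchy is what makes "need basis" checkable: an Owner assignment at subscription scope is inherited by every resource group and resource below it. The following is an added example, not code from the original article or from Microsoft. It classifies the scope of each role assignment in the shape returned by `az role assignment list --all` and flags the assignments that violate least privilege. The assignments are constructed sample data, not output from a real subscription.

```python
import re

PRIVILEGED_ROLES = {"Owner", "Contributor", "User Access Administrator"}
BROAD_SCOPES = {"root", "managementGroup", "subscription"}

_SCOPE_LEVELS = [
    (re.compile(r"^/providers/Microsoft\.Management/managementGroups/[^/]+$", re.I), "managementGroup"),
    (re.compile(r"^/subscriptions/[^/]+$", re.I), "subscription"),
    (re.compile(r"^/subscriptions/[^/]+/resourceGroups/[^/]+$", re.I), "resourceGroup"),
    (re.compile(r"^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/.+$", re.I), "resource"),
]


def scope_level(scope: str) -> str:
    """Map an ARM scope string to its level in the hierarchy."""
    if scope == "/":
        return "root"
    for pattern, level in _SCOPE_LEVELS:
        if pattern.match(scope):
            return level
    raise ValueError(f"unrecognised scope: {scope}")


def audit_assignments(assignments):
    """Return (scope, reason) pairs for assignments that violate least privilege."""
    findings = []
    for a in assignments:
        level = scope_level(a["scope"])
        role, ptype = a["roleDefinitionName"], a["principalType"]
        who = f"{ptype} {a['principalName']}"
        if role in PRIVILEGED_ROLES and level in BROAD_SCOPES:
            # Inherited by every resource group and resource under the scope.
            findings.append((a["scope"], f"{role} for {who} at {level} scope; assign at resource group or resource instead"))
        if ptype == "User" and role in PRIVILEGED_ROLES:
            # Direct user assignments escape group-based access reviews.
            findings.append((a["scope"], f"{role} assigned directly to {who}; assign it to a group that is reviewed"))
        if ptype == "ServicePrincipal" and role == "Owner":
            # Owner includes Microsoft.Authorization/roleAssignments/write,
            # so a compromised workload identity can grant itself more.
            findings.append((a["scope"], f"Owner for {who}: a workload identity can extend its own access"))
    return findings


SAMPLE_ASSIGNMENTS = [  # constructed sample data
    {"principalName": "alice@contoso.example", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": "/subscriptions/1111-2222"},
    {"principalName": "sg-platform-admins", "principalType": "Group",
     "roleDefinitionName": "Contributor", "scope": "/subscriptions/1111-2222/resourceGroups/rg-prod"},
    {"principalName": "sp-build-agent", "principalType": "ServicePrincipal", "roleDefinitionName": "Owner",
     "scope": "/subscriptions/1111-2222/resourceGroups/rg-ci/providers/Microsoft.Compute/virtualMachines/vm-ci-01"},
    {"principalName": "bob@contoso.example", "principalType": "User",
     "roleDefinitionName": "Reader", "scope": "/providers/Microsoft.Management/managementGroups/mg-root"},
]

if __name__ == "__main__":
    for scope, reason in audit_assignments(SAMPLE_ASSIGNMENTS):
        print(f"{scope}\n    {reason}")
```

Feed it real data with `az role assignment list --all --include-inherited -o json`; the fields used here (`principalName`, `principalType`, `roleDefinitionName`, `scope`) are the ones that command emits. Fixing a finding usually means `az role assignment delete` for the broad assignment and `az role assignment create --role ... --assignee-object-id ... --scope <resource group or resource>` for the narrow one.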
Azure Security Center sets up a default security policy for each subscription. These policies contain recommendations that can be turned on or off to match the subscription’s security requirements. Here is how it is done –
- In the main menu of Security Center, select ‘Security Policy.’
- Choose the relevant subscription.
- From the ‘Compute and apps’, ‘Network’ and ‘Data’ sections, turn on each security configuration you want monitored. Once you have selected the applicable policies, click ‘Save.’
Improve Security Score
Azure Security Center reviews security recommendations and prioritizes them for action. The Secure Score is a measurement that helps you track how far you have moved toward a more secure workload.
Security Center imitates the work of a security analyst: it reviews your security recommendations and applies algorithms to weigh the criticality of each recommendation.
The score for a recommendation is based on the ratio between healthy resources and total resources. You get the maximum score of 50 for a recommendation when every resource it applies to is healthy.
Security Center also gives you an overall Secure Score, which can be viewed across management groups and subscriptions. Follow the steps below –
- Click ‘Security Center’ followed by ‘Recommendations’ in the Azure dashboard.
- Your Secure Score is displayed at the top of the page. It aggregates the score per policy for each selected subscription.
- In the table, a ‘Secure score impact’ column shows the potential improvement to your overall score if each recommendation is followed; start with the recommendations that have the largest impact.
A Security Center Standard upgrade gives users advanced security management as well as threat protection for hybrid cloud workloads. Security Center Standard can be tried free for 60 days; the pricing page contains further details.
The Security Center Standard package includes –
- Hybrid Security – a complete picture of security across all cloud and on-premises workloads.
- Advanced Threat Detection – advanced analytics and Microsoft’s Intelligent Security Graph provide an edge over attackers. Behavior analytics and machine learning help identify incoming attacks and zero-day exploits.
- Access and Application Controls – application whitelisting recommendations can be tailored to specific workloads, and the network attack surface is reduced by controlled, time-limited access to management ports on Azure VMs.
Forced tunneling redirects internet-bound traffic from Azure back to the on-premises location through a site-to-site VPN tunnel. Without forced tunneling, traffic bound for the internet leaves Azure’s network infrastructure directly, with no opportunity to inspect or audit it. The diagram below shows how forced tunneling works –
Using Virtual Network Appliances
For security higher up the stack, deploy virtual network security appliances, which are provided by Azure partners.
Security appliances deliver a higher level of security than network-level controls such as network security groups. Virtual network appliances offer firewalling, additional application-layer control, vulnerability management, web filtering, network-based anomaly detection, botnet protection and more.
The Azure Marketplace lists the available Azure virtual network security appliances; on that page, search for ‘network security’ or ‘security.’
A perimeter network, or DMZ, is a physical and logical network segment that provides an added security layer between your assets and the internet. Network access control devices at its edge allow only the desired traffic into your virtual network.
DMZs are useful when the focus is on network access control, logging, monitoring and reporting at the very edge of your Azure virtual network.
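Both forced tunneling and a DMZ appliance work the same way underneath: a user-defined route (UDR) for 0.0.0.0/0 whose next hop is the VPN gateway or the virtual appliance, which Azure then prefers over the system default route. The following is an added example, not code from the original article or from Microsoft. It implements Azure's route selection (longest prefix match, then user-defined over BGP over system route on a tie) so you can check whether internet-bound traffic really is captured, including the case where a more specific "exception" route quietly bypasses the tunnel. The route tables are constructed samples, not output from a real VNet.

```python
import ipaddress

# On equal prefix length Azure prefers a user-defined route over a BGP route
# (source "VirtualNetworkGateway") over a system route (source "Default").
SOURCE_RANK = {"User": 0, "VirtualNetworkGateway": 1, "Default": 2}


def route_for(destination, routes):
    """Return the effective route a packet to `destination` takes, or None."""
    dst = ipaddress.ip_address(destination)
    best_key, best = None, None
    for r in routes:
        net = ipaddress.ip_network(r["addressPrefix"])
        if dst in net:
            # Longest prefix first, then source precedence.
            key = (-net.prefixlen, SOURCE_RANK[r["source"]])
            if best_key is None or key < best_key:
                best_key, best = key, r
    return best


def internet_egress_captured(routes, probe="203.0.113.10"):
    """True when traffic to an internet address (TEST-NET-3 by default) is
    sent to the VPN gateway or an NVA rather than straight to the internet."""
    hop = route_for(probe, routes)
    return hop is not None and hop["nextHopType"] in ("VirtualNetworkGateway", "VirtualAppliance")


# Constructed sample: the routes a NIC has before any UDR is attached.
SYSTEM_ROUTES = [
    {"source": "Default", "addressPrefix": "10.0.0.0/16", "nextHopType": "VnetLocal"},
    {"source": "Default", "addressPrefix": "0.0.0.0/0", "nextHopType": "Internet"},
]
# Forced tunnelling: a UDR that sends the default route to the VPN gateway.
FORCED_TUNNEL = [
    {"source": "User", "addressPrefix": "0.0.0.0/0", "nextHopType": "VirtualNetworkGateway"},
]
# DMZ variant: the default route goes to a virtual network appliance instead.
NVA_DEFAULT = [
    {"source": "User", "addressPrefix": "0.0.0.0/0", "nextHopType": "VirtualAppliance",
     "nextHopIpAddress": "10.0.255.4"},
]
# A more specific route wins over the default route, so this "exception"
# silently bypasses the tunnel for that prefix.
LEAK = [
    {"source": "User", "addressPrefix": "203.0.113.0/24", "nextHopType": "Internet"},
]

if __name__ == "__main__":
    for label, table in [("system only", SYSTEM_ROUTES),
                         ("forced tunnel", SYSTEM_ROUTES + FORCED_TUNNEL),
                         ("nva", SYSTEM_ROUTES + NVA_DEFAULT),
                         ("tunnel + leak", SYSTEM_ROUTES + FORCED_TUNNEL + LEAK)]:
        hop = route_for("203.0.113.10", table)
        print(f"{label:14} -> {hop['nextHopType']:22} captured={internet_egress_captured(table)}")
```

To run it against a real VM, pull the effective routes with `az network nic show-effective-route-table --name <nic> --resource-group <rg> -o json`; that output carries `addressPrefix` and `nextHopIpAddress` as lists rather than single strings, so flatten them first. For forced tunneling the UDR alone is not enough: the VPN gateway also needs a default site configured (the `--gateway-default-site` option of `az network vnet-gateway update`), otherwise the gateway has nowhere to send the tunnelled traffic.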
Azure Policy can be used to set up conventions for the resources in your organization, and you can create custom policies. A policy is assigned at a scope such as a resource group, and VMs and other resources in that resource group inherit it.
If an organization has multiple subscriptions, Azure management groups help manage policies, access and compliance across those subscriptions.
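A policy definition is an `if`/`then` rule over resource fields, and it pays to know which resources an assignment would deny before it is assigned. The following is an added example, not code from the original article or from Microsoft: a minimal evaluator for the rule language (`allOf`, `anyOf`, `not`, `equals`, `notEquals`, `in`, `notIn`, `exists`, `like`) run over constructed sample resources. The alias table is an assumption standing in for the real alias catalogue, and the real engine supports many more operators and effects.

```python
import fnmatch

# Azure Policy reads resource properties through aliases. This small table is
# an assumption for the example; the real list comes from
# `az provider show --namespace Microsoft.Storage --expand resourceTypes/aliases`.
ALIASES = {
    "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly": ("properties", "supportsHttpsTrafficOnly"),
    "Microsoft.Storage/storageAccounts/minimumTlsVersion": ("properties", "minimumTlsVersion"),
}


def _lookup(node, path):
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def _field(resource, name):
    """Resolve a 'field' reference: a top-level field, tags['x'], or an alias."""
    if name.startswith("tags[") and name.endswith("]"):
        return _lookup(resource, ("tags", name[5:-1].strip("'\"")))
    if name in ALIASES:
        return _lookup(resource, ALIASES[name])
    return resource.get(name)


def _norm(value):
    # Azure Policy compares strings case-insensitively, and "true"/"false" in
    # a rule match JSON booleans; lower-casing the string form covers both.
    return str(value).lower() if isinstance(value, (str, bool, int, float)) else value


def matches(condition, resource):
    if "allOf" in condition:
        return all(matches(c, resource) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(matches(c, resource) for c in condition["anyOf"])
    if "not" in condition:
        return not matches(condition["not"], resource)
    value = _field(resource, condition["field"])
    if "equals" in condition:
        return _norm(value) == _norm(condition["equals"])
    if "notEquals" in condition:
        return _norm(value) != _norm(condition["notEquals"])
    if "in" in condition:
        return _norm(value) in [_norm(v) for v in condition["in"]]
    if "notIn" in condition:
        return _norm(value) not in [_norm(v) for v in condition["notIn"]]
    if "exists" in condition:
        return (value is not None) == (_norm(condition["exists"]) == "true")
    if "like" in condition:
        return fnmatch.fnmatchcase(_norm(value) or "", _norm(condition["like"]))
    raise ValueError(f"unsupported condition: {condition}")


def evaluate(policy_rule, resources):
    """Map each matching resource name to the effect the assignment would apply."""
    effect = policy_rule["then"]["effect"]
    return {r["name"]: effect for r in resources if matches(policy_rule["if"], r)}


# Deny storage accounts that accept HTTP or TLS below 1.2 (allOf wrapping anyOf).
DENY_INSECURE_STORAGE = {
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Storage/storageAccounts"},
        {"anyOf": [
            {"field": "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly", "notEquals": "true"},
            {"field": "Microsoft.Storage/storageAccounts/minimumTlsVersion", "notEquals": "TLS1_2"},
        ]},
    ]},
    "then": {"effect": "deny"},
}
# Audit anything deployed without an owner tag.
AUDIT_MISSING_OWNER_TAG = {
    "if": {"field": "tags['owner']", "exists": "false"},
    "then": {"effect": "audit"},
}

RESOURCES = [  # constructed sample resources in one resource group
    {"name": "stlegacy", "type": "Microsoft.Storage/storageAccounts", "tags": {"owner": "data-team"},
     "properties": {"supportsHttpsTrafficOnly": False, "minimumTlsVersion": "TLS1_2"}},
    {"name": "stoldtls", "type": "Microsoft.Storage/storageAccounts", "tags": {"owner": "data-team"},
     "properties": {"supportsHttpsTrafficOnly": True, "minimumTlsVersion": "TLS1_0"}},
    {"name": "stsecure", "type": "Microsoft.Storage/storageAccounts", "tags": {},
     "properties": {"supportsHttpsTrafficOnly": True, "minimumTlsVersion": "TLS1_2"}},
    {"name": "vm-web-01", "type": "Microsoft.Compute/virtualMachines", "tags": {"owner": "web-team"},
     "properties": {}},
]

if __name__ == "__main__":
    print(evaluate(DENY_INSECURE_STORAGE, RESOURCES))
    print(evaluate(AUDIT_MISSING_OWNER_TAG, RESOURCES))
```

The `if` blocks above are valid `policyRule` bodies; wrap one in a definition with `az policy definition create --name ... --rules rule.json` and assign it with `az policy assignment create --scope <resource group id>` to get the inheritance behaviour the text describes. Run resources exported with `az resource list -o json` through `evaluate` first, and expect some differences: the real service also handles `deployIfNotExists`, parameters, and `count` expressions that this evaluator does not.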
For additional visibility, Azure Monitor shows the health of a resource. Its features include –
- Resource diagnostic logs: monitor VM resources and identify potential issues.
- Azure Diagnostics extension: provides monitoring and diagnostics capabilities on Windows-based VMs.
SQL Threat Detection lets you identify and react to potential threats. Users receive alerts about suspicious database activity, SQL injection attacks, potential vulnerabilities and unusual database access patterns, each with a recommended action.
To learn more about setting up database threat detection, visit the SQL Database Threat Detection page. It is free to use for 60 days.
SQL Database supports two kinds of authentication: Azure Active Directory authentication and SQL authentication. Choose the one that fits your database security policy.
Azure Active Directory authentication is an alternative to the usual SQL authentication. It allows central password rotation, stops the proliferation of user identities across database servers, lets you manage permissions through external (Azure AD) groups and eliminates the need to store passwords in applications. Unlike SQL authentication, it lets applications use token-based authentication, and it supports connections from SQL Server Management Studio, including Multi-Factor Authentication (MFA).
SQL authentication is recommended in the following circumstances:
● When Azure SQL serves mixed operating-system environments where users are not authenticated by a Windows domain
● When Azure SQL supports older applications or applications shared with third parties
● When users connect from untrusted or unknown domains
● When developers need to distribute applications that use a detailed permission hierarchy
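The token-based path mentioned above is worth seeing concretely, because the access token has to be handed to the ODBC driver in a specific binary layout and the connection string must still demand an encrypted, certificate-validated channel. The following is an added example, not code from the original article or from Microsoft. It builds both kinds of connection string, packs an Azure AD token for the driver's `SQL_COPT_SS_ACCESS_TOKEN` attribute, and reviews a connection string for the weaknesses a practitioner should reject. `pyodbc` and `azure-identity` are imported only inside `connect_with_azure_ad`, so everything else runs offline; server and database names are placeholders.

```python
import struct

# Pre-connect attribute of the Microsoft ODBC Driver for SQL Server that
# carries an Azure AD access token instead of a user name and password.
SQL_COPT_SS_ACCESS_TOKEN = 1256
AZURE_SQL_SCOPE = "https://database.windows.net/.default"


def pack_access_token(token: str) -> bytes:
    """Lay out a token the way the driver expects it: a 4-byte little-endian
    byte length followed by the token encoded as UTF-16-LE."""
    encoded = token.encode("utf-16-le")
    return struct.pack("<I", len(encoded)) + encoded


def base_connection_string(server: str, database: str) -> str:
    # Encrypt=yes plus TrustServerCertificate=no makes the driver verify the
    # server certificate; tcp:...,1433 pins the transport and port.
    return (
        "Driver={ODBC Driver 18 for SQL Server};"
        f"Server=tcp:{server}.database.windows.net,1433;Database={database};"
        "Encrypt=yes;TrustServerCertificate=no;Connection Timeout=30;"
    )


def sql_auth_connection_string(server: str, database: str, user: str, password: str) -> str:
    """SQL authentication: the password travels in the string, so it has to
    come from a secret store at run time and be rotated by hand."""
    return base_connection_string(server, database) + f"Uid={user};Pwd={password};"


def check_connection_string(conn_str: str):
    """Return the weaknesses a reviewer should reject; [] means it is fine."""
    pairs = (p.split("=", 1) for p in conn_str.split(";") if "=" in p)
    kv = {k.strip().lower(): v.strip() for k, v in pairs}
    problems = []
    if kv.get("encrypt", "").lower() not in ("yes", "true", "mandatory", "strict"):
        problems.append("Encrypt is not yes: credentials and data cross the network in clear")
    if kv.get("trustservercertificate", "").lower() in ("yes", "true"):
        problems.append("TrustServerCertificate=yes disables certificate validation (MITM)")
    if "pwd" in kv or "password" in kv:
        problems.append("password embedded in the connection string; prefer an Azure AD token")
    return problems


def connect_with_azure_ad(server: str, database: str):
    """Open a connection as the caller's Azure AD identity (managed identity,
    developer sign-in, workload identity); no password is stored anywhere."""
    import pyodbc  # imported lazily so the rest of the module runs offline
    from azure.identity import DefaultAzureCredential
    token = DefaultAzureCredential().get_token(AZURE_SQL_SCOPE).token
    return pyodbc.connect(base_connection_string(server, database),
                          attrs_before={SQL_COPT_SS_ACCESS_TOKEN: pack_access_token(token)})


if __name__ == "__main__":
    print(check_connection_string(base_connection_string("sql-orders", "orders")))
    print(check_connection_string(sql_auth_connection_string("sql-orders", "orders", "app", "s3cret")))
    print(pack_access_token("ab").hex())
```

`DefaultAzureCredential` makes the same code work on a developer machine (Azure CLI sign-in, MFA included) and in production (a managed identity), which is the practical payoff of the token path: nothing to store, nothing to rotate. The database still has to know the identity, which is what the `CREATE USER ... FROM EXTERNAL PROVIDER` step later in this section provides.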
Azure SQL Transparent Data Encryption (TDE) helps protect against malicious offline activity by encrypting data at rest: the database, its backups and its transaction log files are encrypted and decrypted in real time, transparently to applications. TDE encrypts the entire database storage with a symmetric key known as the Database Encryption Key (DEK), which is itself protected by a server-level key that Azure manages by default or that you can hold in Azure Key Vault. Note that TDE does not protect data in use or from anyone who can authenticate to the database, so it complements rather than replaces authentication and authorization.
Azure recommends the following steps in conjunction with TDE –
- Use database-level authentication (contained database users) rather than server-level logins
- Enforce Azure AD authentication, with administrative access governed by RBAC roles
- Use separate accounts for users and for applications
- Implement database-level permissions through fixed database roles such as db_datareader or db_datawriter; custom roles can also be created for your application.
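The last three steps come down to a few T-SQL statements per application identity, and the catch is that DDL such as `CREATE USER` and `ALTER ROLE` cannot take parameters, so a principal name has to be quoted as an identifier rather than interpolated. The following is an added example, not code from the original article or from Microsoft: it generates those statements with `QUOTENAME`-style bracket quoting and a role allowlist, and interprets the TDE status that `sys.dm_database_encryption_keys` reports. The principal names are placeholders.

```python
# Fixed roles an application identity may receive; db_owner and the
# security/access admin roles are deliberately left out.
ALLOWED_ROLES = {"db_datareader", "db_datawriter", "db_ddladmin"}


def quotename(identifier: str) -> str:
    """Bracket-quote an identifier, doubling ']' exactly as T-SQL QUOTENAME does,
    so a name like  x]; DROP TABLE t; --  stays one identifier."""
    if not identifier or len(identifier) > 128:
        raise ValueError("identifier must be 1..128 characters")
    return "[" + identifier.replace("]", "]]") + "]"


def provision_statements(principal: str, roles):
    """T-SQL that creates an Azure AD user (user, group or managed identity)
    in the current database and adds it to fixed roles only."""
    disallowed = [r for r in roles if r not in ALLOWED_ROLES]
    if disallowed:
        raise ValueError(f"roles not permitted for an application identity: {disallowed}")
    name = quotename(principal)
    statements = [f"CREATE USER {name} FROM EXTERNAL PROVIDER;"]
    statements += [f"ALTER ROLE {quotename(role)} ADD MEMBER {name};" for role in roles]
    return statements


# Run inside the database to confirm TDE. No row at all means no database
# encryption key exists, i.e. TDE is off for that database.
TDE_STATUS_QUERY = (
    "SELECT encryption_state FROM sys.dm_database_encryption_keys "
    "WHERE database_id = DB_ID();"
)


def tde_is_complete(encryption_state) -> bool:
    """Only state 3 means data files, log and backups are fully encrypted;
    2 (encrypting), 5 (decrypting) and None (no key) all mean 'not yet'."""
    return encryption_state == 3


if __name__ == "__main__":
    for stmt in provision_statements("app-orders@contoso.example", ["db_datareader", "db_datawriter"]):
        print(stmt)
    print(provision_statements("x]; DROP TABLE t; --", ["db_datareader"])[0])
```

Execute the statements one at a time over a connection held by an administrative identity (they need `ALTER ANY USER` and `ALTER ANY ROLE`, which the application identity itself should never have); the application then connects as `app-orders@contoso.example` with a token, as in the earlier authentication example, and can only read and write. Run `TDE_STATUS_QUERY` through the same connection and pass the result to `tde_is_complete` as part of the deployment check.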
None of these best practices alone can secure an organization’s systems adequately; they must be used together. When it comes to security, choosing the appropriate options for an organization’s environment and requirements is vital.
While these best practices lay a solid foundation, the security checkpoints are many and diverse. Threats and environments evolve rapidly and must be monitored continuously. Organizations need to favor preventive security over reactive measures to counter the new vulnerabilities that are uncovered almost every day.