Infrastructure-as-a Service (IaaS) is expected to hit the $72 billion mark this year, making it not only a hot service, but also a hot target for cyber attacks. Computer Business Review reports a 300% increase in attacks in the past year, from Trojans to denial of service attacks (DoS). As recently as December 2019, hackers exploited an Azure vulnerability that allowed them to take over Microsoft Azure user accounts. This could cause loss of data, compromised servers, data manipulation, and even encryption of all data via ransomware. What are the Azure security best practices for companies to ensure they don’t fall victim to a malicious cyber attack?
Azure Cloud Security
Protecting your network from infiltration is something that Microsoft takes seriously. Microsoft Azure security includes several options like:
- The Azure Virtual Network allows you to containerize your deployments away from other customers.
- Network Access Control lets you limit connectivity with specific devices or subnets in your virtual network. This limits the use of your virtual machines to approved users and devices.
- The Azure Firewall offers scalability and security for your network traffic.
- Azure offers Secure Remote Access of your Azure resources.
- Availability is ensured with a variety of load balancing tools.
- Secure Name Resolution is critical to prevent hackers from redirecting requests from your site to a hacker’s site.
- Perimeter Network Architecture creates a buffer between the Internet and Azure services for added security.
- Azure DDoS Protection protects you from distributed denial of service attacks that seek to exhaust an application and make it unavailable to legitimate users.
- Azure Front Door helps you route and control the flow of web traffic.
- Traffic Manager is a load balancer that lets you distribute traffic across global Azure regions.
- Monitoring and Threat Detection helps you troubleshoot and identify security issues.
While these Azure cloud security features are crucial to data protection and key features of the environment, companies must also implement their own Azure security best practices to mitigate risk and lessen the impact of a data breach.
Corporate Microsoft Azure Security Best Practices to Implement
McAfee suggests the following best practices to implement to protect your Azure subscription, in addition to the security features it has baked right into the infrastructure. They include:
- Enable OS vulnerability recommendations for virtual machines. The setting runs a daily operating system check to look for areas that might be vulnerable to attack. It also recommends configuration adjustments to lessen the risk.
- Turn endpoint protection on for virtual machines. This provisions endpoint security to scan and remove spyware, viruses, or other malicious programs.
- Turn JIT network access on to use the Security Center to create an NSG rule that locks down inbound traffic. This can reduce your exposure to an attack should the unthinkable occur.
Access and Identity Management
- Enable multi-factor authentication is enabled for every user that has write access to Azure tools. This requires users to submit a minimum of two forms of verification before access is allowed.
- Set the consent for apps accessing company data to “No.” This will force end-users to get permission before using a non-approved app. This will keep employees from using their work identity with third parties.
- Say “Yes” to the “restrict access to Azure AD” administration portal. There is sensitive data that only administrators should have access to.
Storage and Accounts
- Enable secure transfer, which is data encryption when information is in transit, not just at rest. This will improve the security of your storage by only allowing links to secure connections (HTTPS).
- Enable storage service encryption, which is encryption for your resting data.
- Auditing should be turned on for your SQL servers. This will track database events and write them to an audit log.
- Turn on threat detection for SQL servers. This allows Azure cloud security features that alert you if they detect suspicious activity.
- Activate transparent data encryption prevents malicious activity by providing real-time encryption and decryption of transaction log files, the database, and backups.
- Disable RDP and SSH because hackers can use it to gain access to virtual machines and use it to launch attacks on other machines on the network.
- You should also disable Telnet (Port 23) and restrict access to only those IP addresses that need it.
- Enable endpoint protection for virtual machines, allowing real-time protection to identify and remove malicious software.
- Enable the latest OS patch updates to update against any bugs or flaws, improve the stability of the service, or fix a vulnerability.
- Allow disk encryption on data disks (non-boot volumes). This allows you to recover virtual machine data discs without a key.
- McAfee says to secure your subscription by using alerts, setting ARM and RBAC Security Center policies, Resources Locks, and more.
- Minimize the number of administrators and owners, decreasing the chances for an attack.
- Do not grant permissions for external accounts outside the native directory. Avoid allowing end-users to access the network with non-Active Directory accounts, such as Hotmail.
Using strong network controls is crucial for any architecture, including Azure. Centralizing management and governance of core network functions, including security, is an Azure security best practice that will help keep your data safe. Establishing a common set of security rules and management tools will foster a culture of cybersecurity in your organization.
Microsoft Azure cloud security best practices dictate what the organization calls a “zero trust approach” to keeping your data safe. While the assumption may be that any systems within the network are safe, today’s employees are more mobile. Bring Your Own Device rules dictate fresh approaches to end-to-end security, including working closely with firms like IES. Our team can help you set, balance, and manage access control policies while establishing and following Azure Security Best Practices.
Today, cybersecurity is more than device and app monitoring; it also requires a balance between productivity and IT rules. While Azure offers robust security protocols, external threats to your network are myriad. That’s why we believe IT networks must evolve away from traditional security perimeters, flex with the latest threat, and evolve to meet the challenges of the future.
Talk with IES about how we can partner with your team to add our expertise and keep you safe.