To understand the Azure security infrastructure you first have to step back and look beyond Azure itself, at a multi-layer approach, so called defense in depth. This approach is critical for modern security.
Think about a large enterprise where you have to protect the entire platform: the data center, the multi-tenant network, data encryption, and key management.
Then we have the operations on top of the platform. You need secure controls in place for operations, which include access policies and access control, developing software with a security development lifecycle (SDL) approach, operational security assurance, patch management, configuration management, anti-malware, and vulnerability scanning. These are part of the operational security layer.
Then you go to a higher layer, the strategic standpoint, which is what we call advanced cyber defense: security monitoring and analytics, and the cyber defense operations center, or SOC. It's important to understand that at some point your system will be compromised. So you need a strategy and written procedures for rapid response to that breach. If you think you have enough security controls in place and create the false idea that you are so secure that no one will ever penetrate your environment, you create a mentality where, if something bad happens, you first don't know what to do, and second, you don't even know why it happened, because you don't have the detection controls in place to identify a potential breach.
Now let's talk about the different controls. Say you have a subscription and you start onboarding resources into it. The first resource you might onboard is a virtual machine. When you deploy a VM, you need to think about the security controls to put in place for it. You need to configure monitoring and export events for analysis: events happening on that machine need to be gathered so you can run analytics on top of them.
The very first thing is to enable Security Center. Second, make sure you configure the Microsoft anti-malware solution, or an anti-malware solution from a partner; if you don't have endpoint protection, Azure Security Center will warn you about it. Then put the VM behind your corporate firewall via a site-to-site VPN and configure only the endpoints it needs to expose.
This applies where you have endpoints on-premises that need connectivity to the cloud, or where you deploy a VM to the cloud that needs continued access to a different location; in either case you need a VPN to protect that communication.
Make sure you define access control between tiers and add protection via the OS firewall. Do not assume that the network-level firewall alone is enough; you should also harden the communication ports on the host itself. And make sure the events you collect are being sent to your monitoring system so you can run analytics on them.
Once this is done we can move to the next layer, network protection. We need to ensure our network topology is secure, which a lot of customers miss because they are not in the habit of hardening the Azure Virtual Network.
Unfortunately I've seen many scenarios where the network is not well designed and is fully exposed to the Internet. So when you talk about networking, apply some important practices, starting with hardening network traffic for Internet-facing endpoints; you don't want to leave your network wide open to the Internet.
- Properly configure network security groups.
- Use a network firewall such as Azure Firewall. If you need to expose services hosted in Azure to the Internet, ensure they are protected by Azure Firewall.
- Isolate network segments; apply the principles that have been well established over the years, and network isolation is one of them.
- Ensure that you have NSGs between subnets.
- Ensure that you have isolated networks for different assets and for different levels of privilege.
- Design your virtual networks and subnets so that segments operate in isolation (Azure exposes no VLANs; isolation is done with VNets, subnets and NSGs).
- Use the Azure Security Center Network Map for full visibility of your Azure network topology.
Remember that one of the most common attacks against cloud resources is DDoS, so make sure you use Azure DDoS Protection. By default, Azure provides continuous protection against DDoS attacks as part of Azure DDoS Basic, which is free of charge; Basic protects the Azure platform as a whole, while DDoS Protection Standard adds protection tuned to your own virtual networks, with telemetry and alerting you can act on.
It's very important that when you plan and design your Azure security infrastructure you take these different layers into consideration and use what is built into Azure. Leverage those capabilities. Protection of data at rest is very important, and it is accomplished through Azure's encryption of storage.
So ensure that you use Azure Disk Encryption to encrypt the disks of your Azure VMs, that you leverage Azure Storage Service Encryption for data at rest in Azure Storage, and that you use Advanced Threat Protection for Azure Storage.
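Encryption at rest is only one of the storage account settings that decide whether data is protected; the same ARM resource also carries the transport and exposure settings that usually go wrong. The checker below is an added example, not code from the article or from Microsoft. It reads storage account records in the shape `az storage account show` returns (the `supportsHttpsTrafficOnly`, `minimumTlsVersion`, `allowBlobPublicAccess`, `encryption` and `networkAcls` properties are the real ARM property names); the two accounts and their values are constructed for the example.

```python
import json

# Constructed storage account records in the shape of the ARM resource
# (the "properties" block that `az storage account show` returns). Names and
# values are invented for this example.
STORAGE_ACCOUNTS = json.loads("""[
 {"name": "stgprodlogs", "properties": {
   "supportsHttpsTrafficOnly": true, "minimumTlsVersion": "TLS1_2",
   "allowBlobPublicAccess": false,
   "encryption": {"keySource": "Microsoft.Keyvault",
                  "services": {"blob": {"enabled": true}, "file": {"enabled": true}}},
   "networkAcls": {"defaultAction": "Deny"}}},
 {"name": "stgdevscratch", "properties": {
   "supportsHttpsTrafficOnly": false, "minimumTlsVersion": "TLS1_0",
   "allowBlobPublicAccess": true,
   "encryption": {"keySource": "Microsoft.Storage",
                  "services": {"blob": {"enabled": true}, "file": {"enabled": true}}},
   "networkAcls": {"defaultAction": "Allow"}}}
]""")


def storage_findings(account):
    """Return the at-rest, in-transit and exposure weaknesses on one storage account."""
    p = account["properties"]
    enc = p.get("encryption", {})
    findings = []
    if not p.get("supportsHttpsTrafficOnly", False):
        findings.append("secure transfer required is off (plain HTTP allowed)")
    tls = p.get("minimumTlsVersion", "TLS1_0")
    if tls != "TLS1_2":
        findings.append(f"minimum TLS version is {tls}, not TLS1_2")
    # An absent property means the legacy default, which permits anonymous blob access.
    if p.get("allowBlobPublicAccess", True):
        findings.append("anonymous (public) blob access allowed at the account level")
    for svc in ("blob", "file"):
        if not enc.get("services", {}).get(svc, {}).get("enabled", False):
            findings.append(f"Storage Service Encryption not enabled for {svc}")
    if enc.get("keySource") != "Microsoft.Keyvault":
        findings.append("info: SSE uses Microsoft-managed keys, not a customer-managed key in Key Vault")
    if p.get("networkAcls", {}).get("defaultAction", "Allow") != "Deny":
        findings.append("network rules default to Allow (account reachable from any network)")
    return findings


def audit(accounts):
    """Map account name -> findings; an empty list means nothing to fix."""
    return {a["name"]: storage_findings(a) for a in accounts}


if __name__ == "__main__":
    for name, found in audit(STORAGE_ACCOUNTS).items():
        print(name, "OK" if not found else "")
        for f in found:
            print("  -", f)
```

Advanced Threat Protection for Storage is not a property of the account resource itself but a separate Security Center (Microsoft.Security) setting, which is why the checker does not cover it and why enabling it once at subscription scope through Security Center, as the text describes, is easier than doing it per account.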
If you have storage accounts and you want to monitor for threats that try to take advantage of them, you should enable Advanced Threat Protection (ATP). If you want to do that for the entire subscription, the best way is through Azure Security Center.
Identity is an extremely important part of Azure. You should be monitoring your identities very closely and leveraging the capabilities you have in Azure, which include Azure AD Identity Protection. Make sure you use it, because it gives you extremely useful analytics and threat protection for identity. Azure AD Identity Protection has a series of capabilities to detect potential identity-related vulnerabilities and suspicious actions related to users, to access, and to authentication patterns.
Azure AD Identity Protection also streams its alerts to Azure Security Center, so there is native integration there. Last but not least, logging. Logging is a very interesting subject, because over the years it has become more and more important to always have logs available, and when you migrate to the cloud you realize that the amount of logs can be gigantic, because there are so many different dimensions, so it's very important to understand what you are looking for.
The diagram explains the different levels of logging, so let's go from bottom to top. At the bottom are the Azure Active Directory logs; these are tenant-level logs, and that's where you obtain information about the tenant itself. Then you have the subscription, because remember, within a tenant you can have multiple subscriptions; within the subscription you have logs from Resource Manager, service health logs, and the Azure Security Center logs, which are based on threat detection and prevention.
A little higher, at the level of the Azure resource itself, you have the VMs you deploy, the storage accounts, the network security groups, and each of these has its own series of logs. Then inside the VM, at the guest operating system, which could be Linux or Windows, you have the logs within the VM itself. Higher still, at the application layer, you have the application's telemetry and the application logs.
Azure provides different sets of logs, and these logs reflect different types of actions. Do not ever assume that because you are collecting, say, the Azure Security Center logs, you have all scenarios covered. No, things will also be happening at the other layers.
One very common question is: "I would like to see who changed my Azure Security Center policy; which log should I look at?"
Well, in this particular case the answer is the activity log, which records operations at the subscription level. Keep in mind that the activity log is retained for 90 days by default, so export it to a Log Analytics workspace, a storage account or an event hub if you may need to answer that question later than that.
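As an added example (not from the article), here is that question answered against activity log records. The events below are constructed in the shape Azure Monitor returns (nested `operationName.value`, `status.value` and `category.value` fields, as from `az monitor activity-log list`); the callers, timestamps, correlation IDs and resource paths are invented, and the exact operation names used for the Security Center policy write and the underlying policy assignment are assumptions. The detail worth knowing is that one ARM operation produces several events (Started, then Succeeded or Failed) that share a `correlationId`, so you group on that before reporting who changed what.

```python
import json
from collections import defaultdict

# Constructed activity log events (trimmed to the fields used here). Callers,
# times, IDs and resource paths are invented; the operation names are assumed.
ACTIVITY_LOG = json.loads("""[
 {"caller": "alice@contoso.example", "category": {"value": "Administrative"},
  "operationName": {"value": "Microsoft.Security/policies/write"},
  "status": {"value": "Started"}, "correlationId": "c1",
  "eventTimestamp": "2020-03-02T10:15:01Z",
  "resourceId": "/subscriptions/0000/providers/Microsoft.Security/policies/default",
  "httpRequest": {"clientIpAddress": "198.51.100.23"}},
 {"caller": "alice@contoso.example", "category": {"value": "Administrative"},
  "operationName": {"value": "Microsoft.Security/policies/write"},
  "status": {"value": "Succeeded"}, "correlationId": "c1",
  "eventTimestamp": "2020-03-02T10:15:03Z",
  "resourceId": "/subscriptions/0000/providers/Microsoft.Security/policies/default",
  "httpRequest": {"clientIpAddress": "198.51.100.23"}},
 {"caller": "bob@contoso.example", "category": {"value": "Administrative"},
  "operationName": {"value": "Microsoft.Compute/virtualMachines/start/action"},
  "status": {"value": "Succeeded"}, "correlationId": "c2",
  "eventTimestamp": "2020-03-02T10:20:00Z",
  "resourceId": "/subscriptions/0000/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/vm1"},
 {"caller": "svc-deploy", "category": {"value": "Administrative"},
  "operationName": {"value": "Microsoft.Authorization/policyAssignments/write"},
  "status": {"value": "Failed"}, "correlationId": "c3",
  "eventTimestamp": "2020-03-02T11:02:10Z",
  "resourceId": "/subscriptions/0000/providers/Microsoft.Authorization/policyAssignments/SecurityCenterBuiltIn"},
 {"caller": "carol@contoso.example", "category": {"value": "Administrative"},
  "operationName": {"value": "Microsoft.Security/policies/read"},
  "status": {"value": "Succeeded"}, "correlationId": "c4",
  "eventTimestamp": "2020-03-02T11:30:00Z",
  "resourceId": "/subscriptions/0000/providers/Microsoft.Security/policies/default"}
]""")

# Operation prefixes whose writes touch the Security Center policy: the policy
# resource itself, and the Azure Policy assignment it is built on (assumed names).
POLICY_OPERATION_PREFIXES = ("Microsoft.Security/", "Microsoft.Authorization/policyAssignments/")


def is_change(operation: str) -> bool:
    """Reads are never changes; writes, deletes and actions are."""
    return operation.endswith(("/write", "/delete", "/action"))


def security_policy_changes(events):
    """One record per policy-change attempt, oldest first, with its final status."""
    by_correlation = defaultdict(list)
    for e in events:
        if e.get("category", {}).get("value") != "Administrative":
            continue
        op = e["operationName"]["value"]
        if not op.startswith(POLICY_OPERATION_PREFIXES) or not is_change(op):
            continue
        by_correlation[e["correlationId"]].append(e)

    changes = []
    for events_for_op in by_correlation.values():
        # Started and Succeeded/Failed share a correlationId; the latest event carries the outcome.
        final = max(events_for_op, key=lambda e: e["eventTimestamp"])
        changes.append({
            "when": final["eventTimestamp"],
            "caller": final["caller"],
            "operation": final["operationName"]["value"],
            "resource": final["resourceId"],
            "status": final["status"]["value"],
            "client_ip": final.get("httpRequest", {}).get("clientIpAddress"),
        })
    return sorted(changes, key=lambda c: c["when"])


def who_changed_policy(events):
    """Callers whose policy change actually succeeded."""
    return [c["caller"] for c in security_policy_changes(events) if c["status"] == "Succeeded"]


if __name__ == "__main__":
    for change in security_policy_changes(ACTIVITY_LOG):
        print(change)
```

Running it over the sample gives two attempts, Alice's successful write of the Security Center policy and a failed policy assignment write by a deployment identity; the VM start and Carol's read are filtered out. Reporting the failed attempt separately is deliberate: it is not a change, but in an incident it is exactly the kind of event you want to see.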
*This article is based on Microsoft Press media, Pearson Education materials and Yury Doigines' lectures